A guide to Intune Suite licensing for endpoint management

What is the new Microsoft Intune Suite?

Intune Suite is a collection of advanced endpoint management and security services that Microsoft offers as an add-on to its core Intune platform. Intune Suite bundles these services into a unified, centrally managed platform that builds on and expands the basic platform.

Microsoft promotes Intune as a unified endpoint management (UEM) platform for managing, assessing and protecting devices and their apps. IT teams carry out their administrative tasks through a centralized administrative console, which is now called the Microsoft Intune admin center.

Organizations can use the admin center to manage and monitor a range of endpoint devices, including laptops, desktops, servers, smartphones, tablets and virtual machines. To this end, Intune supports Windows, macOS, Linux, iOS, iPadOS and Android devices.

The basic Intune service includes the following core capabilities:

• Cross-platform endpoint management for on-premises, cloud, mobile, desktop and virtual endpoint systems.
• Reduced endpoint security risks through automatic threat detection and endpoint device remediation.
• Mobile application management (MAM) without requiring device enrollment or interfering with user productivity.
• Endpoint analytics that provide device and app health scores and data-driven recommendations for improving productivity and user experience.
• Support for specialty and shared devices through features such as maintenance windows, shared device mode and specialty device management.

Intune Suite expands on these core capabilities by adding a set of advanced endpoint management and security tools. Intune Suite also offers better support for remote workers and for users accessing on-premises resources. To provide these capabilities, Intune Suite includes the following five services:

• Advanced endpoint analytics. Provides IT administrators with data-driven insights and metrics about their endpoint devices, helping them to better understand and improve the user experience.
• Endpoint Privilege Management. Enables IT administrators to provide Windows standard users with controlled security elevation so they can carry out their tasks and stay productive, while still enabling administrators to apply least privileged access to the broader user base.
• Remote Help. Enables helpdesk personnel to establish secure connections with their users to provide remote assistance and troubleshoot managed devices.
• Specialty device management. Offers IT teams a set of device management and protection features for specialized devices such as conference room meeting equipment, AR/VR headsets or large smart-screen devices.
• Tunnel for Mobile Application Management. Provides organizations with a micro-VPN that lets users access corporate resources from their personal iOS, iPadOS or Android devices, without requiring device enrollment.

Microsoft is also planning to add advanced app management to Intune Suite, although no dates have been confirmed. The new service is slated to include an enterprise app catalog and controls for discovering, deploying and automatically updating out-of-date apps.

What happened to Microsoft Endpoint Manager?

The products and services that fell under the MEM umbrella have not gone away. Rather, they now come under the Intune brand. This might be confusing to some because it seems that Intune can now refer to either the cloud service itself or the entire product family, and Microsoft's marketing doesn't help clarify this issue. For the most part, however, the term Intune continues to be used to refer to the online service.

When Intune was first released, it was called Windows Intune, which offered a cloud-based service for managing Windows PCs. Microsoft eventually renamed the service to Microsoft Intune and expanded it to include other device types. During this evolution, Intune became known as a mobile device management (MDM) and MAM platform.

While all this was going on, Endpoint Configuration Manager continued to chug away as a separate, on-premises counterpart to Intune. Then, in 2019, Microsoft announced a new brand called Microsoft Endpoint Manager, which the company billed as a "unified, integrated management platform for managing all your endpoints." The new platform brought together Intune and Endpoint Configuration under a single product family, along with several other services.

Endpoint Manager also came with important changes to Configuration Manager and Intune licensing, including more licensing options. Endpoint Manager promised to make it easier for IT teams to use the two products together. For example, administrators could work with both products from the same admin console. Unfortunately, these changes also brought with them a fair amount of confusion about how licensing worked, despite Microsoft's overtures about simplifying the management process.

To derive real benefit from MEM, customers needed to license Configuration Manager, Intune or both. The exact formula depended on the types of devices they managed. They might also need to license other Endpoint Manager products, such as Azure Active Directory (Azure AD) for co-management. Despite the initial confusion, customers seemed to eventually make peace with MEM and were able to get back to business.

Then Microsoft decided to mix things up again. At Microsoft Ignite 2022, the company announced that it was overhauling its endpoint management products once again. This time, it was retiring the Endpoint Manager brand and replacing it with Microsoft Intune as the new product umbrella, which supposedly covered all things related to endpoint management.

"The name Microsoft Endpoint Manager will no longer be used. Going forward, we'll refer to cloud management as Microsoft Intune and on-premises management as Microsoft Configuration Manager," Microsoft announced. For all practical purposes, Microsoft has eradicated the MEM brand from existence, but it still leaves some confusion about Intune's status as the UEM umbrella. Does Configuration Manager fall under that Intune brand or not?

Despite all the hoopla, the Intune service works much the same as it had before the rebranding, with operations carried out through the centralized admin center. As already noted, however, the admin center now carries the Intune label, as though Intune was promoted in name only. Even so, this promotion has led to two important changes: Microsoft has restructured Intune licensing, and the company now offers the Intune Suite add-on -- two transformations that go hand in hand.

How does Intune licensing work for Microsoft's endpoint management?

To understand how licensing works for Intune Suite, it's important to first understand how Intune licensing works in general. The new licensing structure consists of three plans:

• Intune Plan 1. Includes the platform's core capabilities, such as cross-platform endpoint management, mobile application management and built-in endpoint security. Endpoint Privilege Management and Remote Help are available as optional add-ons to this plan.
• Intune Plan 2. An add-on to Plan 1 that provides specialty device management and Tunnel for Mobile Application Management.
• Intune Suite. An add-on to Plan 1 that includes advanced endpoint analytics, Endpoint Privilege Management, Remote Help, specialty device management and Tunnel for Mobile Application Management. Intune Suite is also integrated with Microsoft Security and Microsoft 365, providing customers with data science and AI to increase automation.

Microsoft has announced that it will eventually be offering an advanced endpoint analytics add-on to Plan 1, as well as other add-ons that provide advanced features, as those add-ons become available, but these are not reflected in the current licensing options at the time this publishes.

Microsoft includes Intune Plan 1 with Microsoft 365 E3, E5, F1, F3 and Business Premium. The vendor also provides Plan 1 with Enterprise Mobility + Security (EMS) E3 and E5, Microsoft 365 Government G3 and G5, and Microsoft 365 Education A3 and A5. Customers that want to acquire Intune through one of these bundles should first evaluate the features and licensing for each applicable product:

• Enterprise Mobility + Security. EMS E3 and E5 include identity and access management, endpoint management, information protection and identity-driven security. EMS E5 offers additional features, such as risk-based conditional access, intelligent data classification and labeling, and Microsoft Defender for Cloud Apps. Current EMS E3 pricing is $10.60 per user, per month; EMS E5 pricing is $16.40 per user, per month.
• Microsoft 365. Microsoft 365 bundles can vary substantially and should be carefully assessed before choosing a plan. For example, Microsoft 365 E3 and E5 include Microsoft 365 apps, email and calendar, meetings and voice, device and app management, social and intranet support, access to files and content, work management, advanced analytics, identity and access management, threat protection, information protection, security management, and compliance management. Microsoft 365 E5 includes additional capabilities on top of these features, while Microsoft 365 F1, F2 and Business Premium provide only a subset of these features. Currently, the pricing for each service is on a per user, per month basis: E3 for $36, E5 for $57, F1 for $2.25, F3 for $8, and Business Premium for $22.

Most of the bundles that include Intune Plan 1 also grant the rights to use Microsoft Configuration Manager, although customers might still require Azure AD for co-management. Customers that don't subscribe to any of these bundles can get Plan 1 as a standalone license. In addition, Microsoft offers a standalone license for devices that are not tied to specific users, such as kiosks or shared computers.

Because Intune Plan 2 and Intune Suite are add-ons to Intune Plan 1, customers must already have Plan 1 before they can subscribe to Plan 2 or Intune Suite. The two add-ons come with additional subscription fees. Currently, the pricing for Plan 2 is $4 per user, per month and Intune Suite is $10 per user, per month.

Customers can acquire the Plan 2 add-on or Intune Suite add-on from any of the following sources:

• Microsoft 365 Admin Center.
• Microsoft Volume License Servicing Center.
• Microsoft partner or reseller.

According to Microsoft, each Intune add-on has its own requirements for how many licenses customers must purchase. For specifics about license minimums, volume discounts or other Intune licensing details, customers should contact Microsoft or a qualified partner or reseller.

Customers should also carefully evaluate which Intune features they need before deciding on a plan. For example, if Endpoint Privilege Management is the only capability they want in addition to the core services, they're usually better off paying for the add-on of $3 per user, per month than paying $10 for the entire Intune Suite. On the other hand, Intune Suite offers capabilities not available to Plan 1 or Plan 2, in which case, that plan might be the only option that can meet an organization's requirements.