How Windows Intune 3 can help you manage and secure your PCs

The Microsoft Windows Intune cloud service allows IT managers to monitor PCs and apply policies and updates, even if you don't run your own Active Directory. For a low monthly price you get PC and mobile device management plus anti-malware software you can manage centrally instead of the hotch-potch that came with the PCs you bought for employees; for a little extra you can get more management tools and licences for the latest version of Windows - which now means Windows 8.

Keep PCs in tune

You don't need every PC to be running the same version of Windows; Intune works with any of the business versions of Windows from XP SP3 onwards. You don't have to wait for remote or mobile users to log in to a VPN to apply policies; the management agent checks for new policies and re-applies existing ones once a day.

You can check anti-malware protection remotely, set policies for the Windows Firewall, force an update to install or reboot a problematic PC, deploy or audit Microsoft and third-party applications, manage Microsoft and third-party licence agreements, get alerts and reports on anything you're tracking (like PCs running out of disk space) and run remote support sessions – (almost) all in the web portal. Additionally, there are recommended policies for things like mobile security and Windows Firewall to get you started quickly.

Distribute new applications or updates to software on client PCs and mobile devices

The new version of Intune adds management and app hosting for mobile devices (Android and iOS) through a new portal that you can customise as a support centre, plus improvements to software asset management and the reports that tell you what's happening on the PCs you manage.

You can do your management from any PC because you do it all in the browser (although it does need to be a browser that runs Silverlight, so IE 7, Firefox 5 and Chrome 15 or later). If you've looked at previous versions of Intune, the administrator interface is much improved; it's far easier to find the reports you want, to see which alerts are important and to get rid of the ones you don't need to deal with.

However, managing mobile devices, including a handy report that shows you exactly which phones and tablets are collecting company email, is only available if you have an on-premise version of Exchange 2010 SP1.

If you use Office 365 you already have the same mobile device management options because Intune uses EAS policies for enforcing password complexity or encryption and performing remote block or wipe, but you can't yet do it all in the same place.

Distribute apps and applications

You can host mobile apps wherever your Exchange runs, because they show up on the self-service portal alongside the Windows programs you manage through Intune; this also has tools for users to add their own PC to Intune, turn off email on their phone or wipe it remotely, or contact your support team (if you fill in the details for them).

They can't request remote assistance from the portal, only from the Intune software on their PC – just in case they're accessing the portal from something other than their normal PC – but you can set up email alerts so you don't miss any requests.

Approve updates individually or set certain types of updates to be installed on user PCs automatically

To distribute software you need the .APK files for Android apps or the .IPA files (plus manifests) for iOS apps; you can't link to apps that are already in app stores, so this is for software that you've either developed yourself or that you've licensed and have the source code for.

Microsoft updates (for Windows and other Microsoft software) show up automatically in Intune and you can decide which groups to approve these for (or even push them to), so you don't have to rely on users leaving Windows Update turned on to be sure their PCs are up to date. You can also host updates for third-party software the same way you do complete Windows applications, whether they're EXE or MSI installers, or Windows Installer patches (.MSP files). And you can choose groups of users that can install them.