Managing Non-Standard Devices with Microsoft Intune: Best Practices and Key Strategies

Why Manage Non-Standard Devices?

Managing devices, even those that aren’t considered “standard,” is crucial for organizations aiming to keep their digital environments secure and streamlined. Non-standard devices, such as purpose-built tablets or devices without Google Mobile Services (GMS), are often designed for specialized tasks, like note-taking (e.g., Remarkable), or kiosks in retail spaces. Though they may not follow the same management protocols as typical laptops or smartphones, ensuring they comply with corporate policies is vital. These devices still access sensitive data and need to be secured and managed like any other endpoint.

Non-standard devices pose unique challenges because they might not natively integrate into existing management frameworks like Microsoft Intune. That said, they can still be brought under control with the right strategies, allowing for enforcement of policies, security standards, and efficient oversight.



Intune’s Role in Managing Non-Standard Devices

Microsoft Intune provides a broad range of device management solutions, primarily for Windows, Android, and iOS devices. However, non-standard devices—such as those without full mobile services or specialty use cases—can still be managed in many cases through various features in Intune.

Intune allows administrators to create compliance policies, push security configurations, and enforce company rules across most managed devices. For non-standard devices, certain management techniques (such as managing BYOD or corporate-owned devices with limited functionality) may need to be adopted. These approaches ensure that even non-compliant or unconventional devices adhere to minimum security and access standards.


Device Types Supported by Intune

  • Fully managed corporate devices: Devices solely dedicated to work, with complete control over configurations.

  • Dedicated devices (like kiosks): Devices intended for specific tasks, such as public-facing displays.

  • BYOD (Bring Your Own Device): Personal devices where work-related data is isolated through profiles.

  • Non-standard devices (e.g., without Google Mobile Services): These devices require workarounds or special enrollment techniques.


Approach to Enrolling Non-Standard Devices

Leveraging BYOD and Non-Compliant Device Policies

One of the most effective ways to manage non-standard devices that don’t follow traditional enrollment protocols is to treat them as BYOD or non-compliant devices. This can be useful for devices like Remarkable or other specialty devices that may not support all the features required for full enrollment.

By treating the device as "unmanaged," you can still create conditional access policies that gate access to email and other company resources. This provides a layer of security and control without the need for full device enrollment.


Using Device Administrator for Android Devices

For Android-based devices that lack Google Mobile Services (GMS), Intune supports Device Administrator mode. This allows you to manage key aspects of the device, like app policies and security configurations, even though the device isn't fully integrated into Google’s Android ecosystem. While this approach doesn't give you full control, it allows for enough oversight to ensure that the device remains compliant with essential security policies.



Security Considerations and Best Practices

Setting Up Conditional Access and App Protection Policies

Ensuring non-standard devices remain secure involves setting up conditional access policies. These policies restrict access to company resources unless the device meets specific security standards. For example, devices can be blocked from accessing email unless they are up-to-date with security patches.

App protection policies are also vital. These policies ensure that even on non-compliant devices, sensitive company data stays secure. By requiring encryption, remote wipe capabilities, and restricted access, you can help safeguard critical data—even if the device itself isn’t fully compliant.
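
An added example, not part of the original article: a conditional access policy body in the shape of Microsoft Graph's conditionalAccessPolicy resource that admits mobile email only from a compliant device or from an app under an app protection policy, with a small audit helper for reviewing such policies. The display name, the break-glass group placeholder and the audit rules are assumptions made for illustration.

```python
# Well-known application ID of Office 365 Exchange Online in Microsoft Entra ID.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
DEVICE_GRANTS = {"compliantDevice", "compliantApplication"}

def build_email_policy(break_glass_group_id):
    """Policy body shaped like Graph's conditionalAccessPolicy resource."""
    return {
        "displayName": "Email: compliant device or protected app (mobile)",
        # Report-only first, so sign-in logs show the impact before enforcement.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE]},
            "platforms": {"includePlatforms": ["android", "iOS"]},
            "clientAppTypes": ["all"],
        },
        # OR: enrolled devices pass on compliance; unenrolled ones pass only
        # through an app covered by an app protection policy.
        "grantControls": {"operator": "OR",
                          "builtInControls": sorted(DEVICE_GRANTS)},
    }

def audit_policy(policy):
    """Return findings that would leave email reachable from unvetted devices."""
    findings = []
    grants = policy.get("grantControls") or {}
    controls = set(grants.get("builtInControls", []))
    if "block" not in controls and not controls & DEVICE_GRANTS:
        findings.append("no device or app protection requirement")
    extra = controls - DEVICE_GRANTS - {"block"}
    if grants.get("operator") == "OR" and extra:
        findings.append("OR lets %s alone satisfy the policy"
                        % ", ".join(sorted(extra)))
    if policy.get("state") != "enabled":
        findings.append("not enforced (state=%s)" % policy.get("state"))
    users = policy.get("conditions", {}).get("users", {})
    if "All" in users.get("includeUsers", []) and not (
            users.get("excludeGroups") or users.get("excludeUsers")):
        findings.append("no emergency-access exclusion")
    return findings

if __name__ == "__main__":
    # Placeholder group ID; substitute the tenant's emergency-access group.
    print(audit_policy(build_email_policy("<break-glass-group-object-id>")))
```

Conditional Access identifies the platform from what the client reports, so a non-standard device that reports something other than Android or iOS falls outside this policy and needs its own rule.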


Using Microsoft Defender for Endpoint

For organizations that need deeper security measures, integrating Microsoft Defender for Endpoint with Intune can provide additional layers of protection. By managing device security directly through Defender, you can apply antivirus policies and endpoint detection even on non-standard devices, giving you added assurance against security breaches.


Custom Configuration for Specialty Devices

Workarounds for Non-Compliant Devices

For non-compliant devices, Intune allows administrators to set up specific configurations to bring these devices into a manageable state. For instance, the Device Enrollment Manager (DEM) account can be used to handle devices like kiosks or digital signage systems, allowing for essential management features without tying the device to a specific user.

One effective workaround is to enroll these devices under non-compliance policies, allowing access but restricting certain functions until they meet specific conditions. These strategies ensure that the devices, although unconventional, still adhere to your organization’s security guidelines.


Device-Specific Settings and Limitations

Devices like Remarkable tablets or specialized Android devices may have certain limitations when it comes to device management. For example, some of these devices do not support full compliance checks, so you might need to tailor your Intune policies specifically to the needs and capabilities of that device.


Automation and Bulk Enrollment Strategies

Zero-Touch Enrollment and Autopilot

One key strategy for enrolling and managing a large fleet of non-standard or unconventional devices is to use Microsoft’s Zero-Touch Enrollment or Autopilot for Windows devices. This allows you to automate the process of enrolling new devices, saving significant time when rolling out hardware at scale. This approach is particularly beneficial for shared devices like kiosks, where manual enrollment can be cumbersome.

Using this method, devices can be automatically provisioned with the right configurations as soon as they’re powered on. This not only saves time but ensures that security and compliance policies are in place from the moment the device is active.


Automatic Cleanup and Removal of Inactive Devices

Managing a large fleet of non-standard devices can be complicated, and inactive or outdated devices can clutter your system. Intune provides features to automatically detect and remove inactive devices, keeping your inventory streamlined and reducing potential security risks from devices that are no longer in use. Configuring automatic cleanup rules helps ensure that only active, compliant devices remain in your environment.
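
An added example (not from the original article or from Microsoft) of the review that should precede a cleanup rule: it splits an inventory export into devices that never checked in and devices idle past a threshold. The inventory rows are constructed and use field names from Microsoft Graph's managedDevice resource; the 90-day threshold and the reading of a missing or pre-2000 timestamp as "never checked in" are assumptions.

```python
from datetime import datetime, timezone

# Constructed inventory rows; field names follow Graph's managedDevice resource.
SAMPLE_DEVICES = [
    {"deviceName": "KIOSK-LOBBY-01", "operatingSystem": "Android",
     "complianceState": "compliant", "lastSyncDateTime": "2024-05-30T08:12:00Z"},
    {"deviceName": "SIGNAGE-FL2-03", "operatingSystem": "Android",
     "complianceState": "compliant", "lastSyncDateTime": "2023-11-02T17:40:00Z"},
    {"deviceName": "TABLET-WH-07", "operatingSystem": "Android",
     "complianceState": "noncompliant", "lastSyncDateTime": "2024-01-15T06:00:00Z"},
    {"deviceName": "KIOSK-SPARE-09", "operatingSystem": "Windows",
     "complianceState": "unknown", "lastSyncDateTime": "0001-01-01T00:00:00Z"},
]

def last_sync(device):
    """Parse lastSyncDateTime; None when absent or a placeholder date."""
    raw = device.get("lastSyncDateTime")
    if not raw:
        return None
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    # Assumption: a pre-2000 timestamp is a placeholder, not a real check-in.
    return ts if ts.year >= 2000 else None

def triage(devices, now, stale_days=90):
    """Split devices into never-synced and stale (longest idle first)."""
    never, stale = [], []
    for dev in devices:
        ts = last_sync(dev)
        if ts is None:
            never.append(dev["deviceName"])
            continue
        idle = (now - ts).days
        if idle >= stale_days:
            # Carry the recorded compliance state along for the reviewer.
            stale.append((dev["deviceName"], idle, dev.get("complianceState")))
    stale.sort(key=lambda row: row[1], reverse=True)
    return {"never_synced": never, "stale": stale}

if __name__ == "__main__":
    report = triage(SAMPLE_DEVICES, datetime(2024, 6, 1, tzinfo=timezone.utc))
    for name, idle, state in report["stale"]:
        print(f"{name}: {idle} days since check-in, last state {state}")
    print("never synced:", ", ".join(report["never_synced"]))
```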



Preparing for Future Changes in Device Management

End of Support for Android Device Administrator

With Google’s planned phase-out of Android’s Device Administrator mode, organizations will need to look toward other methods like Android Enterprise for managing non-standard devices. Intune administrators should begin planning to transition to Android Enterprise management for future Android devices, especially those running newer versions of the operating system.


What’s Next in Device Management?

As technology continues to evolve, so too do the methods for managing devices. Looking ahead, we can expect to see new strategies for handling non-standard devices, such as more robust integration with cloud services and AI-powered security tools. Staying ahead of these changes is crucial for maintaining a secure, efficient environment.


At ECS LEAD, we understand the challenges businesses face when managing a diverse range of devices. We specialize in helping organizations navigate the complexities of modern device management, offering tailored solutions to ensure every device—whether standard or non-standard—is secure and compliant. Our team is here to guide you through implementing best practices, ensuring that your devices are effectively managed with Microsoft Intune, no matter how unique your device landscape may be.

Let us help you future-proof your device management strategies today!
