Microsoft 365 · Microsoft Intune
Cloud-based endpoint management for Windows, macOS, iOS and Android — with device enrollment, app protection, Conditional Access and automated onboarding via Autopilot. We license the right way (Plan 1, Plan 2, Intune Suite), build the concept and put it into production.
What is Intune (MDM/MAM)
Microsoft Intune is the cloud-based endpoint management platform from the Microsoft 365 / Entra stack. It combines Mobile Device Management (MDM) for entire devices with Mobile Application Management (MAM) for individual Microsoft apps — the choice depends on ownership (company vs employee) and data sensitivity.
License tiers
Plan 1 fully covers the standard needs of most mid-market customers. Plan 2 is only worthwhile when specialized devices, Linux management or advanced MAM are on the table.
| Feature | Plan 1 | Plan 2 |
|---|---|---|
| Standard MDM (Windows, macOS, iOS, Android) | included | included |
| App protection policies (MAM without enrollment) | included | included |
| Compliance policies, Conditional Access integration | included | included |
| Windows Autopilot | included | included |
| Linux management (Ubuntu Desktop, RHEL) | — | extended |
| Specialized devices (HoloLens, Surface Hub, Apple TV extended) | limited | extended |
| Advanced MAM (context-aware app policies) | — | included |
Rule of thumb: Plan 1 fully covers the classic Windows / Mac / iOS / Android estate. Plan 2 is worth adding only when Linux or specialized device management is actually required. Premium features such as Remote Help and Endpoint Privilege Management are not in Plan 2 but in the Intune Suite.
Intune in Microsoft 365 plans
Whether Intune needs to be licensed separately depends on the chosen Microsoft 365 plan. The following overview summarizes it.
Typical setup: office staff on Business Premium or E3/E5 (Intune Plan 1 included) plus production / frontline workers on F3 (Intune Plan 1 also included) — no separate Intune purchase needed.
Intune Suite
The Microsoft Intune Suite bundles Plan 1 with five premium building blocks — relevant if you currently buy remote support tools, privilege management or context-aware app policies separately.
Remote Help: Microsoft-native remote support with Entra ID authentication and compliance context — the helpdesk connects to the device without a third-party tool, and sessions are audited. An alternative to TeamViewer, AnyDesk & co.
Endpoint Privilege Management: Temporary admin rights for defined actions — the user installs software under “Run with elevated access” without being a permanent local admin. Reduces attack surface without keeping the service desk busy daily.
Microsoft Tunnel for MAM: VPN tunnel straight out of the Microsoft app — without the device having to be enrolled. This makes on-premises web apps safely usable on BYOD devices.
Advanced Endpoint Analytics: Detailed telemetry on boot performance, app crashes and device-score distribution — a data foundation for endpoint consolidation and lifecycle decisions.
Specialized Device Management: Extended management of HoloLens, Apple TV, Android special-purpose devices and kiosk modes — beyond what Plan 1 offers by default.
Around €10 per user and month as an add-on on top of an existing Intune license. Often economical as soon as Remote Help or Privilege Management become concrete topics.
Intune add-ons available individually
Microsoft also offers the premium building blocks of the Intune Suite individually — useful when you only need a specific function (for example only Remote Help or only Endpoint Privilege Management) and the suite price doesn't pay off. A structured license advisory compares both variants.
| Add-on | What it delivers | List price (indicative) |
|---|---|---|
| Remote Help | Microsoft-native remote control with Entra ID authentication and compliance context | approx. EUR 3.50 / user / month |
| Endpoint Privilege Management (EPM) | Just-in-time admin rights without permanent local-admin privilege | approx. EUR 3.30 / user / month |
| Advanced Endpoint Analytics | Telemetry on boot performance, app crashes, device score distribution for lifecycle decisions | approx. EUR 9.30 / user / month |
| Microsoft Tunnel for MAM | VPN tunnel from inside the Microsoft app, also for BYOD devices without enrollment | Part of the suite — currently not bookable individually |
| Specialized Device Management | Extended management of HoloLens, Apple TV, Android special-purpose devices, kiosk modes | Part of the suite |
| Intune Storage Add-on | Additional cloud storage beyond the standard quota — for app packages and Win32 deployments | approx. EUR 0.90 per 100 GB / month |
Indicative list prices — rounded, billed annually. Source: microsoft.com/en-us/security/business/microsoft-intune-pricing — as of May 2026.
arades implementation
An Intune rollout is more than just buying licenses. We provide the concept, build profiles and policies, automate device onboarding, and make sure Conditional Access doesn't become a roadblock.
Realistic frame: for a mid-market customer with 50–300 endpoints we plan 4–10 weeks for a clean Intune rollout with Autopilot onboarding and Conditional Access bring-up — depending on OS mix, legacy tools (ConfigMgr co-management), and the desired depth in compliance and app protection.
Free Microsoft 365 trial guidance
arades sets up a test tenant for 3 users, trains your key users, runs weekly office hours — and tells you honestly at the end whether Microsoft 365 is the right fit. Free of charge.
30 min introductory call
In 30 minutes we clarify whether Intune Plan 1 is enough or the Suite makes sense, what the migration path away from third-party MDM looks like — and how we put Conditional Access into production without driving users mad with lockouts.
Accompanying services
Engineering projects rarely stand alone — license logic, architecture clarification, quality gates, knowledge transfer and follow-on operations usually run in parallel. Here are the most common accompanying services we add into discovery spikes, sprint fixed-price packages or Application Care contracts.
Before · Architecture
Before implementation: tenant structure, data model, security concept, integration map. The deliverable is an architecture document any engineering team can build from — including teams other than ours.
Before · Licensing
Which license bundles for which users, which add-on SKUs are necessary, where you are over- or under-licensed. Procured via arades as a Microsoft licensing partner — with the option to use the partner relationship only as a control without margin maximization.
During · Quality Gate
Independent second opinion during an ongoing implementation project — whether we run it ourselves or another partner does. CMMI-based quality gates, risk reviews, fixed price per gate.
During · Adoption
Not the classic two-day workshop forgotten a week later — a dynamic learning programme over 4–6 weeks with initial training, application phases and follow-up sessions. A training matrix per role and topic.
After · Operations
After go-live: a predictable Application Care contract on a monthly flat rate, SLA-based. Includes releases, hotfixes, extensions, tenant hardening — continuous accompaniment instead of mere ticket reaction.
After · Knowledge
When the original developers are gone, the previous partner is no longer reachable, or the documentation is out of date — reverse engineering of the existing solution with a documented result: code map, data model, customizing inventory.
Frequently asked questions
Microsoft Intune is the cloud-based endpoint management platform for Windows, macOS, iOS, Android and Linux. MDM (Mobile Device Management) manages entire devices — enrollment, configuration profiles, apps, compliance status. MAM (Mobile Application Management) manages only the Microsoft apps on a device without enrolling the device itself — useful for BYOD scenarios. Intune integrates seamlessly with Microsoft Entra ID, Microsoft Defender and Conditional Access.
Intune Plan 1 is the standard MDM/MAM feature set — included in all relevant Microsoft 365 plans (Business Premium, E3, E5, F3). Intune Plan 2 adds advanced features such as Remote Help, Mobile Application Management Advanced and the management of specialized devices (Linux, Apple VPP extended). Plan 2 is licensed as an add-on (around €4 per user and month) or part of the Intune Suite.
The Microsoft Intune Suite bundles Intune Plan 1 plus several premium extensions: Remote Help (Microsoft-native remote support), Endpoint Privilege Management (controlled temporary admin rights), Microsoft Tunnel for MAM (VPN tunnel without device enrollment), Advanced Endpoint Analytics and Specialized Device Management. Price: around €10 per user and month as an add-on on top of existing Intune licenses.
Intune Plan 1 is included in: Microsoft 365 Business Premium, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 F3 as well as Enterprise Mobility + Security (EMS) E3 and E5. Microsoft 365 Business Basic, Business Standard, E1 and F1 do not include Intune. If you need Intune but are on one of those plans, you can add Intune Plan 1 as a standalone license (around €7 per user and month).
Windows Autopilot is the Microsoft process by which a new Windows device is enrolled into the corporate tenant directly out of the box — without IT having to apply an image upfront. The user turns the device on, signs in with an Entra ID account, and Intune deploys configuration, apps and security profiles automatically. We set up Autopilot with device hash import, deployment profiles, enrollment status page and Win32 app delivery.
Conditional Access is the policy engine in Microsoft Entra ID. For every sign-in attempt it decides — based on signals (location, device state, user role, app) — whether access is allowed, MFA is required or it is blocked. Intune provides the most important signal: device compliance. A typical policy: “Access to Microsoft 365 only from Intune-compliant devices” — combining MFA, device compliance and app protection.
We start with an audit of the existing endpoint landscape — which devices, which operating systems, which apps, which licensing position. Then we build the Intune concept: enrollment strategy, configuration profiles, app delivery, compliance rules and matching Conditional Access policies. Rollout phases run piloted. Training for users and admins, optional handover into Application Care for ongoing operations.