INTUNE DEPLOYMENT

Microsoft Intune: Done Properly, Not Just Switched On

Business Premium includes Intune. Most tenants ship with it on and nothing configured. We do the configuration: Autopilot, Conditional Access, compliance policies, and the app packaging that makes it stick.

Microsoft Intune Deployment & Management
< 10 min: Autopilot zero-touch enrolment
R0: Extra licence cost on Business Premium
100%: Device visibility post-rollout
1 click: Remote wipe from Intune console

Accreditations & partnerships
Microsoft 365: CSP Partner
Business Premium: Intune included
E3 / E5: Intune included
Autopilot: Zero-touch ready
BYOD / MAM: App protection
Founded 2001: 24 years trading
Conditional Access design + deployment
ZAR billing · local invoicing
Sandton-based · SA-only clients
Not Microsoft support, a real Intune engineer
Direct line · no ticket queue

What We Deploy with Intune

Windows Autopilot
Devices ship from Dell, Lenovo, HP, or Microsoft Surface with their hardware hash pre-registered. User signs in once. Everything else configures itself. No imaging, no MDT.
Conditional Access
Policy engine that evaluates who is signing in, from what device, from where, and to what app, then decides whether to allow, challenge with MFA, or block. The killer Intune feature.
Compliance Policies
Encryption enforced, OS minimum version set, jailbroken devices flagged, non-compliant devices denied mailbox access. Written carefully, piloted, then deployed.
MAM for BYOD
App protection policies on personal phones without touching the rest of the device. Outlook and Teams run in a managed container; personal apps are invisible to Intune.
App Packaging & Deployment
Win32 apps via Intune Management Extension with detection rules and uninstall scripts. Microsoft Store apps for the easy stuff. macOS PKG and iOS App Store deployment.
BitLocker Key Escrow
Intune enforces BitLocker on Windows and escrows the recovery key to Entra ID automatically. One place for keys, clear audit trail, no spreadsheet of recovery keys in SharePoint.

How an Intune Deployment Runs

01 · Licence & Tenant Audit

Which M365 SKUs are in play, what's already configured, what Conditional Access policies exist (if any), what the device inventory looks like. Most tenants have surprises.

02 · Enrolment Method Decision

Autopilot for new Windows devices, Apple Business Manager for corporate Apple, Android Enterprise zero-touch for supported OEMs, MAM-only for BYOD phones. Sometimes all four.

03 · Policy & App Design

Compliance policies, security baselines, app packaging, Conditional Access rules: designed together so they don't fight each other. Written down before anything is deployed.

04 · Pilot, Then Phased Rollout

Compliance policies on a test group first. Enrolment at 95%+ before blocking policies go live. Legacy auth blocked only after Outlook is confirmed on every phone.

Intune vs Hexnode

When to pick Intune over Hexnode

Both are real options. The right one depends on where your identity layer sits and how much of the Microsoft stack you already run. Three places Intune pulls ahead.

01 · M365 integration

One identity, one policy graph

Conditional Access, App Protection Policies, Compliance Policies, and Defender for Endpoint all evaluate the same Entra ID signal. The device state feeds Conditional Access directly. Hexnode federates with Entra ID but can't reach into the same policy graph.

Pick Intune if you already run Conditional Access and want device compliance feeding into the same decisions.

02 · Bundled licensing

Free with the licence you already bought

If you're on Microsoft 365 Business Premium, E3, or E5, Intune is bundled. No additional per-device charge, no separate vendor. Hexnode is a parallel subscription with its own seat count and renewal.

Pick Intune if you've already committed to a M365 SKU that includes it. Ours is local CSP, billed in ZAR.

03 · Windows depth

Autopilot, Defender, and the Windows config catalog

Windows Autopilot zero-touch enrolment, the Windows configuration catalog (thousands of settings, not the lowest-common-denominator policies), and direct Defender for Endpoint integration are all native. Hexnode covers Windows; Intune dominates it.

Pick Intune if Windows is the majority of your fleet and Autopilot or Defender are on the roadmap.

Get Intune Actually Configured

If you're on Business Premium and Intune is switched on but not set up, that's the conversation to have. 60 minutes, we look at your current state, and you leave with a clear picture of what's missing and what it takes to fix it.

Intune Questions

Yes. Microsoft 365 Business Premium includes Intune (rebranded as Microsoft Intune in Endpoint Manager). So do E3 and E5. The licence is already paid for. What you’re typically missing is the configuration: Autopilot profiles, compliance policies, Conditional Access rules, app packaging. That’s the work we do.

MDM (Mobile Device Management) means the whole device is enrolled and managed. Good for corporate-owned devices. MAM (Mobile Application Management) means only the apps are managed, typically via app protection policies. MAM-without-enrolment is the right approach for BYOD phones: Outlook and Teams run inside an Intune-managed container, personal data is untouched, and the device never fully enrolls. Most deployments use MDM for corporate devices and MAM for personal ones.

Windows Autopilot is a zero-touch provisioning system. The OEM (Dell, Lenovo, HP, Surface) pre-registers each device’s hardware hash with your Microsoft tenant. When the user signs in at first boot, Windows pulls the Autopilot profile, joins Entra ID, enrolls in Intune, and deploys apps and policies automatically. The user walks away with a fully configured, compliant device without IT ever touching the hardware.

Conditional Access is a policy engine in Entra ID (Azure Active Directory) that controls access to Microsoft 365 apps based on conditions: user identity, device compliance state, network location, app being accessed, and sign-in risk. It’s what lets you say ‘if the device isn’t encrypted and on the minimum OS version, block access to Exchange’ and have it enforced automatically. It’s the feature that makes Intune genuinely powerful rather than just an enrolment tool.

If it’s deployed carelessly, yes. We’ve cleaned this up multiple times: a compliance policy written for Windows accidentally targeting all platforms, locking the IT admin’s Mac out of the Intune console at 2am. The mitigations are: pilot on a test group before touching production, always exclude at least one break-glass account from every Conditional Access policy, and test the MacBook and iPhone before rolling out to the fleet.
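One way to check the break-glass and platform-scoping mitigations above before a policy is enforced. This is an added example, not code from this page or from Microsoft: it audits Conditional Access policies exported as JSON in the Microsoft Graph conditionalAccessPolicy shape. The sample policies and the break-glass object ID are constructed placeholders, and it assumes the break-glass account is excluded by user ID rather than by group.

```python
# Added example: audit exported Conditional Access policies for lockout risks.
BREAK_GLASS_ID = "break-glass-object-id"  # placeholder, not a real object ID

# Constructed sample policies (Graph conditionalAccessPolicy field names).
POLICIES = [
    {"displayName": "Require compliant device - Exchange",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "platforms": None},  # no platform condition = every platform
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Require compliant device - Windows pilot",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["pilot-group-id"],
                              "excludeUsers": [BREAK_GLASS_ID]},
                    "platforms": {"includePlatforms": ["windows"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Block legacy auth",
     "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA - all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": [BREAK_GLASS_ID]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def audit_policy(policy, break_glass_id=BREAK_GLASS_ID):
    """Return the findings for one policy; an empty list means none."""
    if policy.get("state") == "disabled":
        return []  # a disabled policy cannot lock anyone out
    # Report-only policies are audited too, so gaps surface before enforcement.
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if break_glass_id not in (users.get("excludeUsers") or []):
        findings.append("break-glass account not excluded")
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    platforms = (cond.get("platforms") or {}).get("includePlatforms") or []
    if "compliantDevice" in controls and (not platforms or "all" in platforms):
        findings.append("compliant-device requirement applies to all platforms")
    return findings

def audit(policies):
    """Map policy name -> findings, listing only policies with findings."""
    report = {}
    for policy in policies:
        findings = audit_policy(policy)
        if findings:
            report[policy["displayName"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(POLICIES).items():
        print(f"{name}: {'; '.join(findings)}")
```

Tenants that exclude break-glass accounts through a group would extend the first check to `excludeGroups`.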

Win32 apps (any traditional installer: EXEs, MSIs, MSIXs) via the Intune Management Extension with detection rules, requirement rules, and uninstall scripts. Microsoft Store apps for things like Teams, Edge, Power BI Desktop. Web clip shortcuts pinned to Start. Line-of-business apps from your own repository. App packaging is real work. Detection rules in particular require careful writing. But once it’s done, new devices get everything automatically.

Yes, via the Company Portal app and an MDM profile. FileVault enforcement, OS update policies, app deployment via PKG/DMG, compliance policies. Intune’s Mac support is capable but trails Hexnode for Apple-heavy fleets. If Macs are more than 30% of your estate and you don’t have a compelling reason to stay inside Microsoft’s ecosystem, the Hexnode comparison is worth reading.

For a 50-seat shop on Business Premium: four to six weeks calendar time, of which two weeks is hands-on engineering. Autopilot profiles, compliance policies, app packaging, Conditional Access rules, pilot, phased rollout. Bigger fleets stretch longer because app packaging volume scales with the number of distinct applications in the environment.

Email us directly support@osh.co.za
