This article describes the architecture of a Microsoft Intune deployment: the cloud and on-premises components and the Microsoft and third-party products Intune integrates with.
For an introduction to what Intune does, see What is Microsoft Intune?. For a conceptual walkthrough of how Intune manages identities, devices, and apps, see Microsoft Intune core concepts.
The diagram organizes a typical Intune deployment into seven tiers:
- Cloud control plane: Microsoft-hosted Intune services.
- Managed endpoints: devices that Intune manages.
- Endpoint family services: Microsoft products whose primary purpose is endpoint management.
- Connectors and extensions: cloud-based external services Intune integrates with.
- Peer integrations: other Microsoft products that integrate with Intune.
- Partner ecosystem: third-party products and services that integrate with Intune.
- On-premises services: customer-operated infrastructure that integrates with the Intune cloud.
Each tier is described in the following sections.
Cloud control plane
The cloud control plane is the set of Microsoft-hosted services that constitute the Intune tenant. They store configurations, deliver policy, expose programmatic interfaces, and surface the admin and user experiences.
| Component | Role |
|---|---|
| Microsoft Intune service | The cloud control plane that stores configurations and orchestrates policy delivery. |
| Microsoft Intune admin center | Web console for administrators. |
| Microsoft Graph API | Public programming interface. Every admin center action is backed by a Graph API call. |
| Microsoft Intune Company Portal app and website | User-facing app and website for enrolling devices, installing required and available apps, and checking a device's compliance status. |
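Because every admin center action maps to a Graph call, the same data the console shows can be pulled programmatically. The script below is an added example for this article, not Microsoft code: it walks a paged `/deviceManagement/managedDevices` listing, following `@odata.nextLink` until Graph stops returning one, and sorts devices into buckets an operator acts on (not compliant, compliant but silent for too long, ok). The property names (`complianceState`, `lastSyncDateTime`, and so on) are those of the v1.0 managedDevice resource; the two response pages, device names and the 30-day staleness threshold are constructed for the example. `fetch_page` stands in for an authenticated HTTPS GET sending a bearer token that carries the `DeviceManagementManagedDevices.Read.All` permission.

```python
"""Triage Intune-managed devices from a paged Microsoft Graph listing.

Added example for the article, not Microsoft's code. Graph response shape per
the v1.0 managedDevice resource; sample pages are constructed so it runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
FIRST_PAGE = (
    f"{GRAPH}/deviceManagement/managedDevices"
    "?$select=id,deviceName,operatingSystem,complianceState,lastSyncDateTime&$top=2"
)
PAGE_2 = f"{GRAPH}/deviceManagement/managedDevices?$skiptoken=page2"

# Constructed sample: two pages chained by @odata.nextLink, as Graph would return them.
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "value": [
            {"id": "d1", "deviceName": "LAPTOP-01", "operatingSystem": "Windows",
             "complianceState": "compliant", "lastSyncDateTime": "2024-05-01T08:00:00Z"},
            {"id": "d2", "deviceName": "IPHONE-07", "operatingSystem": "iOS",
             "complianceState": "noncompliant", "lastSyncDateTime": "2024-05-01T07:30:00Z"},
        ],
        "@odata.nextLink": PAGE_2,
    },
    PAGE_2: {
        "value": [
            {"id": "d3", "deviceName": "MAC-03", "operatingSystem": "macOS",
             "complianceState": "compliant", "lastSyncDateTime": "2024-03-10T12:00:00Z"},
            {"id": "d4", "deviceName": "PIXEL-11", "operatingSystem": "Android",
             "complianceState": "inGracePeriod", "lastSyncDateTime": "2024-05-01T06:00:00Z"},
        ],
        # no @odata.nextLink: this is the last page
    },
}


def fetch_page(url: str) -> dict:
    """Stand-in for an authenticated GET (assumption: replace with a real HTTPS
    client that sends 'Authorization: Bearer <token>'). Serves the pages above."""
    return SAMPLE_PAGES[url]


def iter_devices(fetch: Callable[[str], dict], url: str = FIRST_PAGE) -> Iterator[dict]:
    """Yield every device across all pages, following @odata.nextLink."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def parse_graph_time(value: str) -> datetime:
    # Graph emits UTC timestamps with a trailing Z; normalize to an offset for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(devices: Iterable[dict], now: datetime,
           stale_after: timedelta = timedelta(days=30)) -> dict:
    """Bucket devices: anything not 'compliant' (noncompliant, inGracePeriod, conflict,
    error, unknown) needs attention; a compliant verdict from a device that has not
    checked in within stale_after is treated as stale rather than trusted."""
    result = {"not_compliant": [], "stale": [], "ok": []}
    for d in devices:
        state = d.get("complianceState", "unknown")
        last_sync = parse_graph_time(d["lastSyncDateTime"])
        if state != "compliant":
            result["not_compliant"].append(d["deviceName"])
        elif now - last_sync > stale_after:
            result["stale"].append(d["deviceName"])
        else:
            result["ok"].append(d["deviceName"])
    return result


def run(now: datetime = datetime(2024, 5, 2, tzinfo=timezone.utc)) -> dict:
    """Pull all pages with the stand-in fetcher and triage them as of `now`."""
    return triage(iter_devices(fetch_page), now)


if __name__ == "__main__":
    for bucket, names in run().items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The stale bucket is the one people forget: a device whose last compliance evaluation is weeks old still reads "compliant" in the listing, so any downstream decision (Conditional Access, reporting) should weigh `lastSyncDateTime` alongside `complianceState`.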
Managed endpoints
Intune supports the following platforms: Android, iOS, iPadOS, Linux, macOS, tvOS, visionOS, and Windows. Specialty scenarios include kiosks, frontline devices, and rugged hardware managed through platform-specific enrollment paths.
Devices come under management through several modes:
- Mobile device management (MDM): typical for organization-owned devices; Intune manages the entire device.
- Mobile application management (MAM): typical for personal (BYOD) devices; Intune manages only work apps and data.
- Automated enrollment for organization-owned hardware: Windows Autopilot, Apple Automated Device Enrollment, and Android Enterprise zero-touch enrollment.
For the full supported-OS matrix, see Supported operating systems and browsers for Intune.
Endpoint family services
Endpoint family services are Microsoft products whose primary purpose is endpoint management. Each specializes in a specific aspect of the endpoint lifecycle.
| Service | What it does | When to use |
|---|---|---|
| Windows Autopilot | Cloud-based provisioning for new and existing Windows devices, with options for user-driven, self-deploying (zero-touch), pre-provisioning, and reset | Shipping devices directly from OEM to end users, or repurposing existing devices at scale |
| Windows 365 | Cloud-hosted Windows desktops (Cloud PCs) | Remote workers, BYOD, contractors, regulated workloads |
| Windows Autopatch | Managed update service for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, Microsoft Teams, and device drivers and firmware | Reducing manual update administration |
| Endpoint analytics | Telemetry and recommendations on device health and performance | Identifying performance issues and reducing help-desk volume |
Connectors and extensions
Connectors and extensions are cloud-based external services that Intune integrates with. They have no on-premises footprint. Intune communicates with them over the internet.
| Connector | Role |
|---|---|
| Microsoft Cloud PKI | Cloud-hosted PKI that issues, renews, and revokes SCEP certificates for Intune-managed devices without requiring on-premises AD CS, NDES, or the certificate connector. Supports a fully cloud-hosted hierarchy or anchoring to your existing private root (BYOCA). |
| Apple Business Manager / Volume Purchase Program (VPP) | Token-based integration for delivering Apple apps and books to managed devices. |
| Apple Push Notification service (APNs) | Required for Apple device management. |
| Managed Google Play | Android Enterprise app catalog. |
| Microsoft Store | Built-in catalog for Windows apps. |
Peer integrations
Peer integrations are Microsoft products that work alongside Intune. They have their own primary purpose; integration with Intune is one of many uses.
| Product | Role |
|---|---|
| Microsoft 365 apps | Deployed to managed endpoints via Intune. |
| Endpoint security in Microsoft Defender | Feeds real-time device risk signals into Intune compliance evaluation and Conditional Access decisions. Also serves as a mobile threat defense (MTD) source for iOS, iPadOS and Android. |
| Copilot in Intune | Microsoft Security Copilot capabilities surfaced inside the Microsoft Intune admin center. |
| Microsoft Purview | Sensitivity labels and endpoint data loss prevention (DLP) policies that apply to data on Intune-managed devices. |
Partner ecosystem
The partner ecosystem includes third-party products and services that integrate with Intune through documented APIs, connectors, or configuration patterns.
| Category | Description and examples |
|---|---|
| Mobile threat defense (MTD) partners | Third-party services that feed device risk signals into Intune. Examples: Lookout, Zimperium, Check Point. Endpoint security in Microsoft Defender is also an MTD source: see Peer integrations. |
| Device compliance partners | Non-Intune MDMs that become the MDM authority for assigned user groups and report device compliance state into Microsoft Entra ID for Intune Conditional Access. Supported on Android, iOS, iPadOS, and macOS. Examples: Jamf Pro, Ivanti EPMM, BlackBerry UEM, Omnissa Workspace ONE, Kandji, SOTI MobiControl. |
| IT service management (ITSM) partners | Incident and asset integration. Examples: ServiceNow, Jira. |
| Remote support partners | Remote control and assistance. Example: TeamViewer. |
| Device vendor portals | Vendor-specific management for specialty hardware. Examples: Surface Management Portal, Lenovo, Intel vPro. |
| Network access control (NAC) partners | Network-tier access enforcement. Examples: Cisco ISE, Aruba ClearPass. |
On-premises services
On-premises services are customer-operated infrastructure that runs on your network and integrates with the Intune cloud control plane.
| Component | Role |
|---|---|
| Microsoft Tunnel Gateway | VPN gateway for iOS, iPadOS and Android Enterprise devices and apps. Runs in a container on Linux. |
| Certificate Connector for Microsoft Intune | Bridges Intune to your on-premises certificate services to issue SCEP and PKCS certificates, import PFX certificates for S/MIME, and revoke certificates. |
| Microsoft Configuration Manager | On-premises peer to Intune for Windows clients and servers. Integrates with Intune through co-management and tenant attach. See Co-management and tenant attach. |
Co-management and tenant attach
Microsoft Configuration Manager is the on-premises peer to Intune for Windows clients and servers. It manages desktops, laptops, and Windows servers on your network, or over the internet through the cloud management gateway (CMG). Configuration Manager and Intune integrate through:
- Co-management: lets Configuration Manager and Intune both manage Windows clients. You move workloads to the cloud at your own pace.
- Tenant attach: brings Configuration Manager-managed devices into the Intune admin center for visibility, remote actions, cloud-based reporting, endpoint security policy authoring (Antivirus, ASR), CMPivot, PowerShell scripts, application installs, and a unified device timeline.
By using co-management and tenant attach, organizations that already run Configuration Manager can add Intune capabilities without rebuilding their environment.