Best-practice Intune configuration for laptops and mobile devices

Gemeente Eemsdelta is a merged municipality in Groningen, created from the former municipalities of Appingedam, Delfzijl and Loppersum. As often happens after a merger, the IT landscape had grown in layers. The Intune environment was already live, but its configuration had evolved over time without a consistent best-practice approach.

That created a practical gap. The internal IT team could manage day to day operations, but did not have the specialist Intune knowledge needed to review the setup thoroughly, tighten security and make future rollouts more consistent.

The challenge
The municipality wanted its Intune environment for laptops, iPhones and iPads to be checked and reconfigured against current best practices. This included BitLocker, Secure Boot and TPM settings, USB restrictions and the removal of local admin rights. At the same time, the internal IT team had to be able to continue independently after the project ended.

Blackbear's role
Blackbear helped define the assignment with clear boundaries from the start. The focus was on improving the existing Intune environment, not rebuilding it completely or expanding into tooling outside the Microsoft ecosystem. Based on that scope, an Intune specialist was engaged with hands on experience in Autopilot White Glove pre provisioning, Apple DEP enrolment and endpoint security settings in comparable organisations. The work was organised in four phases: audit, reconfiguration, pilot testing and handover.

Result
The Intune environment was brought in line with current best practices, including stronger controls around user rights, device security and update management. The municipality now has clear documentation for consistent device rollout, while the internal IT team has the knowledge to manage and develop the setup further without external dependency.