Microsoft Intune Deployment and Device Enrolment — Konve IT

Konve IT / Endpoint Management

One-time project  ·  Per device  ·  Milestone payment

Microsoft Intune
Deployment and
Device Enrolment

Every device your staff use to access client data — enrolled, governed, encrypted, and remotely wipeable. Microsoft Intune is already included in your Business Premium licence. This engagement deploys what you are already paying for.

Windows, iOS, Android, macOS BitLocker encryption enforced Remote wipe from day one
Get a quote How it works

Indicative Pricing

Base fee (up to 10 devices) £1,200 Exclusive of VAT
Per device above 10 — standard £45 / device
Per device above 10 — volume (25+) £41 / device 10% discount at 25+ devices

Example: 20 devices — £1,200 + (10 × £45) = £1,650 + VAT

Payment: 50% on commencement · 50% on completion

Licence: Intune Plan 1 is included in Microsoft 365 Business Premium at no additional cost

Why you are already paying for this

Microsoft 365 Business Premium includes Intune. Most firms are not using it.

Microsoft Intune Plan 1 is included in every Microsoft 365 Business Premium licence. It is not an add-on. It is not an upgrade. It is already in your subscription — and for the vast majority of professional services firms on Business Premium, it has never been deployed.

The result is a gap that is not theoretical. Every device accessing your Microsoft 365 tenant — every laptop checking email, every phone reading client documents — is doing so without device compliance verification, without encryption enforcement, without the ability to remotely wipe corporate data if the device is lost or stolen.

For a law firm, that is an SRA Code of Conduct exposure. For an accountancy practice, it is a GDPR risk. For any professional services firm pursuing Cyber Essentials, it is a barrier to certification — the scheme requires that all devices accessing your data are managed and compliant. This engagement closes that gap.

What Business Premium includes that most firms are not using

Capability
Business Premium
Business Standard
Microsoft Intune Plan 1
Device compliance policies
Remote wipe capability
BitLocker management
Autopilot provisioning
Conditional Access enforcement
Microsoft Defender for Business

If you are on Business Premium, every capability above is already included in your licence. This engagement deploys them.

Scope of work

Intune deployed, configured, and all devices enrolled.

The engagement covers two distinct workstreams — the Intune environment itself, and the enrolment of every device within scope. Both must be complete before the engagement closes.

Workstream 01

Intune Environment Setup

  • Microsoft Intune environment configuration and integration with Microsoft Entra ID
  • Device compliance policy design — minimum security requirements a device must meet to access Microsoft 365
  • Conditional Access policy configuration to enforce compliance — non-compliant devices blocked until remediated
  • Microsoft Autopilot configuration for Windows devices where applicable — zero-touch provisioning for new devices
  • BitLocker encryption enforcement for all Windows devices — recovery keys escrowed to Microsoft Entra ID
  • Application deployment and management policy configuration
  • Remote wipe capability for all enrolled devices
  • Device configuration profiles — security settings appropriate to your environment and regulatory obligations
Workstream 02

Device Enrolment

  • Windows devices — enrolled via Microsoft Autopilot or manual enrolment, as confirmed in the Statement of Work
  • iOS and iPadOS devices — enrolled via Apple Business Manager or manual enrolment
  • Android devices — enrolled via Android Enterprise or manual enrolment
  • macOS devices — enrolled where confirmed in scope
  • BYOD devices — enrolled using app-only management (MAM without full device enrolment) where personally owned devices are within scope, protecting personal content while governing work data
  • Compliance verification for every enrolled device — confirmed compliant before the engagement closes
  • Remote enrolment via remote session for devices that cannot be physically accessed
Supported device types
Windows 10 / 11 iOS and iPadOS Android macOS
What you receive

Every device enrolled and verified. Everything documented.

Completion is the point at which all in-scope devices have been enrolled and confirmed as compliant. Konve IT notifies you in writing when that point is reached.

Intune Configuration Document

Delivered in PDF on completion. Confirms the device compliance policies configured, Conditional Access policies implemented, enrolment method for each device type, the number of devices enrolled and verified as compliant, any devices that could not be enrolled and the reason, and administrator instructions for ongoing device management and new device onboarding.

All Devices Enrolled and Compliant

Not a configuration exercise — every device in scope is enrolled and verified as compliant with the defined policies before handover. Compliance verification is a condition of completion, not a recommendation.

Administrator Handover Session

A sixty-minute remote session with your nominated administrator covering the Intune configuration, how to manage enrolled devices, how to onboard new devices, and how to initiate a remote wipe.

Who this is for

Any organisation whose devices are not currently enrolled in a management platform.

If your staff use laptops, phones, or tablets to access Microsoft 365 data and those devices are not enrolled in a management platform, this engagement is for you.

Situation 01

You are on Microsoft 365 Business Premium and Intune has never been deployed.

The most common starting point. Business Premium includes Intune and most firms have never touched it. This engagement deploys the capability you have already paid for, across every device your staff use.

Situation 02

You are pursuing Cyber Essentials and device management is identified as a gap.

Cyber Essentials requires that all devices accessing your data are managed, encrypted, and receiving security updates. If your devices are unmanaged, you cannot achieve certification without addressing this. This engagement closes that gap directly.

Situation 03

A staff member's device has been lost or stolen and you had no way to remotely wipe corporate data.

The inability to remotely wipe a lost or stolen device is both a regulatory risk and a practical one for any firm holding client data. Intune enrolment means every device can be wiped remotely from the management console within minutes of a loss being reported.

Situation 04

You have hybrid and remote workers using unmanaged devices to access client data.

Remote working has expanded the device perimeter significantly. Staff using personal or unmanaged devices to access Microsoft 365 from home represent a governance gap. This engagement enrols those devices — using app-only management for personally owned devices where appropriate.

What this service does not include

Each of the following is available as a separate engagement or is beyond the scope of this project.

  • Enrolment of devices beyond the count confirmed in the Statement of Work
  • Devices running unsupported operating system versions
  • Microsoft 365 tenant configuration where this is required before Intune can be deployed
  • Procurement or payment of Microsoft 365 licences or Apple Business Manager fees
  • Configuration of hardware, on-premise servers, or networking equipment
  • End-user training beyond the administrator handover session
  • Helpdesk, end-user support, or break-fix
  • Ongoing management of the Intune environment following completion
Pricing

Base fee plus per-device above ten.

Pricing is calculated per device rather than per user, because the genuinely variable work in this engagement is device enrolment — not user configuration. A firm with 15 users and 30 devices pays based on 30 devices.

Microsoft Intune Deployment and Device Enrolment

Project fee structure Excl. VAT
Base feeCovers fixed overhead · includes up to 10 devices £1,200
Per device above 10 — standard rate £45 / device
Per device above 10 — volume rateApplies where 25 or more devices confirmed £41 / device
Example calculations Excl. VAT
10 devices £1,200
20 devices£1,200 + (10 × £45) £1,650
30 devices — volume rate£1,200 + (20 × £41) £2,020
50 devices — volume rate£1,200 + (40 × £41) £2,840
Volume rate: The 10% volume discount on the per-device increment applies automatically where 25 or more devices are confirmed in the Statement of Work.

Payment Milestones

Milestone 1
On commencement
50%

Due before work begins. Covers Intune environment setup and configuration.

Milestone 2
On completion
50%

Due when all in-scope devices are enrolled and verified as compliant, or within five working days of Konve IT confirming completion.

All fees
Exclusive of VAT. Invoices payable within 14 days.

Want ongoing management?

The Intune Managed Environment Retainer covers monthly policy management, new device onboarding, compliance monitoring, and monthly reporting.

from £4.00 / device / month View Managed Retainer
How to get started

Three steps from enquiry to enrolled devices.

The questionnaire for this engagement captures your device inventory by type and operating system version. Complete it as accurately as you can — devices running unsupported OS versions will need to be updated before enrolment, and it is better to know this before the engagement starts than during it.

01

Complete the onboarding form

Download and complete the Konve IT Client Onboarding Form. Captures your organisation details, contacts, and regulatory context.

02

Complete the service questionnaire

Download and complete the Intune Questionnaire. Captures device inventory by type and OS version, BYOD status, Apple Business Manager availability, and enrolment preferences.

03

Review and sign the Statement of Work

Konve IT issues a Statement of Work within two working days. On signature and receipt of the first instalment, the Intune environment setup begins. Device enrolment follows once the environment is configured.

Get started Back to Konve IT Or write to it@konvegroup.com
Services that work alongside Intune
Endpoint Management

Intune Managed Environment Retainer

Monthly policy management, new device onboarding, compliance monitoring, patch oversight, and monthly Device Compliance Report. From £4.00 per device per month.

 Cyber Essentials

Cyber Essentials Full Programme

Device management is a Cyber Essentials requirement. This deployment satisfies the device control and secure configuration controls — the Full Programme takes you to a valid certificate.

 Microsoft 365

Tenant Deployment and Hardening

Intune and Microsoft 365 are designed to work together. If your tenant is not yet properly configured, this is the natural companion engagement.
Scroll to Top