Why (and how) you should manage Windows PCs like iPhones

The pieces are finally coming together to implement an omnidevice systems management approach for Windows, MacOS, iOS and Android


The days of Microsoft's System Center may be numbered. With the introduction of Windows 10, Microsoft has begun championing a different approach to systems management -- the same approach that Apple created for the iPad and iPhone, and Google later adopted for Android. Organizations adopting Windows 10 can take advantage of this new approach, allowing IT to manage all client devices -- Windows 10 PCs (as older Windows versions are retired), Macs, iOS devices, and Android devices -- from the same consoles, using the same policy-driven technology in what is called an omnidevice strategy.

That's the theory, but the practice is more complex.  

Here we take a closer look at what an omnidevice strategy entails, detailing the tools, implementation, and current caveats to show how your organization can take advantage of this strategy as it evolves.

The reasons to manage PCs like iPads

Tablets today increasingly resemble computers, in both functionality and use, and computers are increasingly taking on tablet-like features. Microsoft, Apple, and Google all recognize that convergence in the form of their "tabtop" devices: the Surface Pro, iPad Pro, and Pixel C, respectively. IT should too, by moving away from deploying two sets of management tools, one for computers and one for mobile devices, an increasingly meaningless distinction.

But the big motivation for doing so is cost savings. The methods and tools for managing capabilities and security for iOS and Android devices are far more labor-efficient than those used to manage traditional PCs. That's largely because the self-enrollment, policy-based approach of managing mobile devices was a necessary outgrowth of the BYOD movement. Most mobile devices weren't initially provisioned by IT, and because IT couldn't touch all devices, as it had long done for PCs, a new management methodology was essential. Soon, enterprise mobility management (EMM) arose to fill the void.

Ojas Rege, chief strategy officer at EMM provider MobileIron, says adopting the mobile model for PC management should shed between half and three-quarters of the cost of managing those PCs, after factoring out the client licensing costs for EMM tools.

Organizations leveraging EMM typically require only two to four admins to support 10,000 devices, notes Tony Kueh, vice president of research and development at VMware's AirWatch unit, also an EMM provider. Managing PCs is more complex, mainly because customization in Windows applications results in greater variety than what Apple allows for iOS, but Kueh nonetheless expects the EMM approach to greatly reduce the cost of Windows management.

Couple these significant TCO benefits with the consistency of a common platform that reduces possible security and compliance gaps, and you can see the appeal of the omnidevice strategy.

MobileIron and VMware have high expectations for Windows 10 management through their traditionally mobile-and-Mac management tools, as you'd expect, as do other major EMM providers such as Soti and IBM's MaaS360 unit. Gartner is also bullish on the approach, predicting that in two years 40 percent of IT shops will manage at least some Windows PCs using omnidevice-savvy EMM tools.

Current Windows management tools find their roots in the 1980s approach to computing, in which IT owns the devices and manually provisions them. Over time, that provisioning has been increasingly automated, using tools like Microsoft's System Center, Micro Focus ZENworks, LANDESK, and Symantec IT Management Suite (formerly Altiris), but the basic approach of direct IT management has remained.

That approach does scale to thousands of computers, as long as they are pretty much all Windows PCs (Mac support came recently for some, though usually for a subset of capabilities), but it is a labor-intensive, slower-to-market approach that puts IT at the center of almost every decision.

The EMM approach, on the other hand, assumes little admin labor, in large part because in the early days of mobile, before EMM, IT shops refused to devote resources to supporting mobile devices, forcing vendors to establish a different method to satisfy IT objections around management and security.

Another factor in limiting the TCO of EMM's approach is what it obviates, MobileIron's Rege says.

"You won’t need bolt-on app sandboxing; there's less need for antimalware and less need for traditional agent-based DLP" because the sandboxing model of EMM doesn't let outside apps and agents into the app sandboxes, whether to inspect or infect, he says. Sandboxing is a key foundation of the mobile security model now brought to computers. Data loss prevention (DLP) is still an important measure, Rege notes, but it becomes policy-driven and absorbed by EMM, not handled by software agents' direct inspection of apps. 

In other words, a lot of the security superstructure required for today's totally exposed Windows applications goes away when they're natively protected. That also reduces support and operations costs, he adds.

In 2011, Apple realized this approach would work as well for computers as it does for mobile devices, so it engineered OS X Lion to adopt many of the same policy-based, self-enrollment management protocols as iOS -- policies it made enterprise-grade in 2011's iOS 7 as well. Suddenly, IT could set policies that it distributed via profile files that both configured some OS-level features and checked user-controlled settings to ensure compliance: No compliance, no access.

Microsoft adopted the same approach in 2015's Windows 10 and expanded it in the various 2016 updates. Windows 10 is starting to get serious IT attention for broad rollout, so Microsoft has been starting to promote the EMM approach while also supporting System Center for the years of PC management legacy.

Not all Windows 10 EMM pieces are in place

Microsoft has a very convincing diagram of Windows 10 management via EMM, one that suggests all the pieces are in place. But they're not.

[Figure: Microsoft's view of Windows 10 EMM. Image credit: Microsoft.]

Microsoft's vision of using EMM approaches to manage Windows 10 PCs, not only mobile devices.

Certainly, the basics are in place, such as enforcing password and encryption policies. Self-enrollment is also available, via Azure Active Directory (AAD) or a third-party EMM suite. Perhaps most critical, core Windows technologies -- system updates, network management (such as required VPN use and Wi-Fi access point binding), and Azure Active Directory join -- are good to go.

But Microsoft has only recently enabled full app provisioning. That means IT can now deploy Win32 apps via .msi packages through Windows 10 EMM, not just the barely used Universal Windows Platform (UWP) .appx apps. ("Universal" is a misnomer, as it means "universal to Windows 8.1 and Windows 10.")

The arrival of Windows Information Protection brings to Windows 10 Anniversary Update or later the ability to manage corporate-provisioned apps separately from user-installed ones, similar to managed apps in iOS and the Google for Work and Samsung Knox containers for Android. That's a key enabler for the low-touch approach of EMM.

Another area that is incomplete is the mapping of group policy objects (GPOs) that are so central to Windows systems management to equivalent EMM policies. Such mapping would greatly help IT admins transition to EMM with full assurance that their finely honed policies remain in place.

So far, such mappings represent only a subset of GPOs. That's not necessarily bad. After all, when Apple debuted iOS policies, many in IT called them inadequate because they were fewer in number than the 450 that BlackBerry had. But time showed that most of those policies were actually unnecessary, and today that complaint has faded -- even BlackBerry hasn't bothered to replicate those 450 policies for its Android devices in its mobile management suite. Still, the transition from GPOs to EMM policies will not be seamless.

That doesn't mean you should stick with GPOs because the GPO-to-EMM mapping is incomplete. They're fairly heavyweight and usually require a validated connection that can be difficult to maintain as people travel from airport to Starbucks to home to cellular networks, notes Tomas Vetrovsky, senior director of Windows product management at MobileIron. It's better to use EMM policies where you can and reserve GPO use for what EMM policies can't do. Often, that means applying the GPO policies as needed, not all up front.

Sorting out encryption

For years, we've all heard the advice that PCs should be encrypted in case they are lost or stolen. Yet few organizations do so widely, because it's very difficult to accomplish and even harder to manage -- how do you recover the contents of an encrypted drive or backup, for example? You need those keys.

It doesn't work that way in iOS, the model for EMM. Encryption is simply there, so it can be assumed. The keys are tied to the device itself, so if data is moved elsewhere, having the key itself isn't sufficient -- that's great for protecting sensitive data but could keep IT from getting to the on-device data if the user doesn't help. (Ask the FBI.) Security-savvy Android devices, like Samsung's S and Note series, have a similar mechanism.

But you don't need the device to get to the data if that data is provisioned by an EMM server -- the server is the owner, not the user, and the data is available from the back end, whether it's SharePoint, OneDrive, Dropbox, Box, or something else.

That's the key for thinking about encryption on Windows 10 PCs, says MobileIron's Vetrovsky: In the modern app model, while there is always data resident on the device, that data is always also synced to a back-end service IT manages.

Thus, there's no need to get the local copy on the encrypted PC, such as a backup. You don't need to decrypt the user's device if you have the master data elsewhere; you simply need to make sure someone else can't access that data via the user's device, which is what EMM policies do.

Microsoft's Endpoint Data Protection, when used with July 2016's Windows 10 Anniversary Update or later, gives you even greater encryption sophistication: It lets you auto-encrypt corporate-provided data on devices, and it manages those keys for IT. Thus, you get extra security for the local copies of data on those devices beyond the standard disk-wide encryption, with key storage and management included.

However, many enterprise apps are anything but modern, and they store data locally rather than in IT-managed storage services. If a Windows 10 PC is encrypted and IT doesn't have the key, it can't access that local data. Currently, there's no tool for IT to store and manage Windows BitLocker keys automatically across user systems to get at that siloed data. Until there is, you'll need to have users provide their keys as they enable encryption on their PCs themselves if they're using the old-style applications.

Note that Windows 10 doesn't currently let IT turn on encryption remotely through EMM policies, a limitation that MacOS and Android also share. But EMM policies can detect whether encryption is enabled and deny access to devices where it is not turned on. That limits the opportunity for data to go onto an unprotected device.
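The detect-and-deny check just described, as an added PowerShell example that is not from the article or from any EMM vendor's product: it reads the OS volume's BitLocker state with the built-in BitLocker module's Get-BitLockerVolume cmdlet and returns the compliant/non-compliant verdict an EMM policy would act on before granting access. The function name and the grant/deny decision logic are assumptions.

```powershell
# Added example, not the article's or any EMM product's code.
# Assumes Windows 10 with the built-in BitLocker module; run from an elevated prompt.
Import-Module BitLocker

function Test-OsVolumeEncryptionCompliance {
    # Hypothetical name; mirrors the check an EMM compliance policy performs.
    $osDrive = $env:SystemDrive            # e.g. "C:"
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop

    # Compliant only when protection is active AND encryption has finished.
    # A volume still "EncryptionInProgress", or one whose protectors are
    # suspended (ProtectionStatus = Off), still exposes data at rest.
    $compliant = ($vol.ProtectionStatus -eq 'On') -and
                 ($vol.VolumeStatus -eq 'FullyEncrypted')

    # The access decision an EMM server would derive from this report.
    $decision = if ($compliant) { 'Grant' } else { 'Deny' }

    [pscustomobject]@{
        MountPoint           = $osDrive
        VolumeStatus         = $vol.VolumeStatus
        ProtectionStatus     = $vol.ProtectionStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        Compliant            = $compliant
        AccessDecision       = $decision
    }
}

$result = Test-OsVolumeEncryptionCompliance
$result | Format-List
# Non-zero exit code lets a deployment or EMM agent flag the device as non-compliant.
if (-not $result.Compliant) { exit 1 }
```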

The ball and chain that is your Windows app portfolio

What about all those old Windows apps that your organization relies on? Rewriting them as or replacing them with UWP apps is at best a long-term project. But there is another transition path from the old-style Win32 apps to the new UWP versions.

Here, Microsoft's Desktop Application Converter (aka Project Centennial) is key. This tool represents Microsoft's effort to containerize old, .Net-based Windows apps to gain the EMM management support of UWP apps. Once those old Win32 .msi apps have been containerized, they become part of your EMM strategy. 

IT can subject containerized Win32 apps to application management policies that will help IT ensure that corporate data stays within corporate assets. Moreover, IT can impose stricter authentication requirements for those apps and enforce the use of VPNs and the like to further protect application data. The adoption of such technologies in iOS and, to a lesser extent, in Android has cleared a major IT objection to mobile devices being of use for "real work."

"Desktop Application Converter is a step in the right direction because it can take Win32 apps and convert them to UWP for ease of management," MobileIron's Rege says. "But we don’t know yet whether it fully addresses all Win32 apps. The long-term answer is to modernize apps, not just convert them to a new format [UWP's .appx]."

After reviewing Desktop Application Converter's actual capabilities, IT departments will have to decide in each case whether they need to rewrite to UWP and/or mobile versions, get by with containerized versions, port to the cloud or web, or abandon existing apps.

VMware's Kueh suspects that the cost of refactoring will usually be less than the cost of maintaining the legacy, helping IT finally reduce its software debt rather than continuing to drag it along. And, he says, VDI can handle those old apps that can't be rewritten (perhaps because they came from a now defunct vendor) without blocking the use of modern EMM approaches.

Rege adds, "There's probably only a small percentage you actually need of that old software. If the others went away, would users notice?"

The confusion around Microsoft's EMS and Intune
