
Microsoft’s latest tools let you easily manage users in the cloud

Finally, Windows Phone 8.1 has the mobile management features we’ve been promised for months. From selective remote wipe to distributing certificates for secure Wi-Fi connections, there’s plenty to be happy about. There are also new MDM settings in Windows 8.1, even for RT, which finally gets SSL VPN support. But Microsoft’s approach to device management is far more cross-platform than you might expect. Here’s what you need to know so far.

MDM in Intune

If you’re currently paying a per-device fee for MDM from another supplier, you might save money by switching to Microsoft’s tools. The current offer for the Enterprise Mobility Suite is $4 per user, no matter how many devices they have. That includes Intune, which lets you manage any device from Windows desktops to tablets and any smartphone that supports MDM or Exchange ActiveSync. Intune supports Samsung Knox, for example, which lets you wipe apps remotely – something you can’t do in standard Android. Intune doesn’t currently manage BlackBerry devices, but it could in the future.

Intune already lets you manage desktop software, and whitelist or blacklist apps on devices, as well as pushing policies like requiring a PIN or turning off copy and paste. It tries to abstract the differences between platforms, so you don’t have to know what iOS calls a policy versus the Android equivalent. You can also pick which versions of different operating systems you want to manage, and see a warning if the policy you’re applying isn’t available on a specific OS.

Managed apps through Intune

The upcoming managed app feature will let you protect company information without locking devices down so much that users complain about the restrictions. You’ll be able to wrap your own apps for iOS and Android with a management policy run-time and distribute those via Intune. For iOS, you’ll still need to put those in the App Store rather than sideloading them.

The wrapper stores the files viewed in those apps in a secure container. You’ll be able to allow things like copy and paste between your own apps, but will have the ability to block copying into others, without disabling it for the whole device. This protects work information without making users unhappy enough to try and circumvent policies.

Microsoft will have Intune-managed versions of Office apps for iOS and Android including Word, Excel, PowerPoint and Outlook Web Access by the end of 2014, plus a protected browser for accessing company websites. When a user opens an attachment from an OWA email, for example, they’ll see Office as a viewing option or OneDrive for Business for saving – but not their Dropbox account. There will also be a managed app SDK, allowing mobile apps to have the management policy engine built in, so third-parties might offer Intune-managed apps too.

If you’re using System Center Configuration Manager, Intune integrates with it, and you get regular, optional updates to the Configuration Manager console to keep it in step with Intune’s three-monthly service releases. That means you can create policies for all the devices you manage in the same place, rather than using multiple tools. You will, though, need to set up ADFS and directory synchronisation, and redirect the enrolment URL so users can reach it seamlessly.

Security reports and cloud app discovery

EMS also includes Azure Rights Management Services (RMS lets you protect a document with policies like “do not forward” or “do not copy”, and is supported by an increasing number of applications) and Azure Active Directory Premium. The latter already includes security reports that flag anomalies: a user who logs in from Romania two minutes after logging in from a US IP address has almost certainly had their account compromised.

New reports will warn you if a user’s login pattern has changed, suggesting suspicious activity. Microsoft is also drawing on information from its security group, which tracks and helps shut down botnets worldwide. That gives it a list of IP addresses that belong to botnets, so the service can warn you when infected devices are connecting to your tenant.
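
Two of the checks behind reports like these, written out as an added example (this is not Microsoft’s implementation, and the Azure AD reports are not open source): an “impossible travel” rule that compares consecutive sign-ins by the same user against the distance between their geolocated source addresses, and a lookup of source IPs against a botnet range list. The sign-in records, coordinates, speed threshold and the threat list are all constructed sample data; source addresses come from the RFC 5737 documentation ranges, and the records carry latitude/longitude as a sign-in report would after geolocation.

```python
"""Impossible-travel and botnet-IP checks over constructed sign-in records.

Example code added to illustrate the anomaly reports described above; not
Microsoft's implementation.  All events, coordinates and the threat list are
constructed sample data (IPs are from the RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # about airliner speed; faster implies two different actors
MIN_DISTANCE_KM = 50.0      # ignore hops inside one metro area (NAT, carrier address churn)


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime   # timezone-aware timestamp
    ip: str
    lat: float       # geolocation of ip, as the report would already carry it
    lon: float
    country: str


@dataclass(frozen=True)
class TravelAlert:
    user: str
    earlier: SignIn
    later: SignIn
    distance_km: float
    implied_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(events: Iterable[SignIn],
                      max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[TravelAlert]:
    """Flag consecutive sign-ins by one user whose implied speed exceeds max_kmh."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    alerts: List[TravelAlert] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for a, b in zip(evs, evs[1:]):
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (b.when - a.when).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")  # same-second sign-ins
            if speed > max_kmh:
                alerts.append(TravelAlert(user, a, b, dist, speed))
    return alerts


def botnet_hits(events: Iterable[SignIn], bad_ranges: Iterable[str]) -> List[SignIn]:
    """Return sign-ins whose source IP falls inside any listed CIDR range."""
    nets = [ip_network(r) for r in bad_ranges]
    return [e for e in events if any(ip_address(e.ip) in n for n in nets)]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: alice's second sign-in is the Romania-two-minutes-later case
# from the text; bob's London-to-Paris hop over eight hours is ordinary travel;
# carol signs in from an address inside a (constructed) botnet range.
SAMPLE_EVENTS = [
    SignIn("alice", _t("2014-05-12T14:00:00+00:00"), "198.51.100.23", 47.61, -122.33, "US"),
    SignIn("alice", _t("2014-05-12T14:02:00+00:00"), "203.0.113.77", 44.43, 26.10, "RO"),
    SignIn("bob", _t("2014-05-12T09:00:00+00:00"), "192.0.2.10", 51.51, -0.13, "GB"),
    SignIn("bob", _t("2014-05-12T17:00:00+00:00"), "192.0.2.11", 48.86, 2.35, "FR"),
    SignIn("carol", _t("2014-05-12T10:00:00+00:00"), "203.0.113.200", 40.71, -74.01, "US"),
]
BOTNET_RANGES = ["203.0.113.128/25", "198.51.100.200/32"]  # constructed threat list

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS):
        minutes = (a.later.when - a.earlier.when).total_seconds() / 60
        print(f"{a.user}: {a.earlier.country} -> {a.later.country}, "
              f"{a.distance_km:.0f} km in {minutes:.0f} min ({a.implied_kmh:.0f} km/h)")
    for e in botnet_hits(SAMPLE_EVENTS, BOTNET_RANGES):
        print(f"{e.user}: sign-in from {e.ip}, which is in a listed botnet range")
```

Run as a script, it flags alice’s Seattle-to-Bucharest pair (roughly 9,300 km in two minutes) and carol’s sign-in from the listed range, and leaves bob alone. In practice the two tuning knobs matter: the minimum-distance floor stops mobile carriers and corporate NAT egress from generating noise, and the speed threshold has to be set above what a legitimately travelling user can do, while a corporate VPN whose egress sits in another country will still need an allow-list on top of a rule like this.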

The cloud app discovery service is currently in preview, but will become part of Azure AD Premium soon. This feature scans PCs you manage to find connectable cloud services, giving you an anonymized dashboard of those that are in use, by how many people, and how much data they’re accessing. Soon you’ll be able to click through and see the names of users running particular services, assuming you give Microsoft permission to keep that information in the cloud. Microsoft is using a machine learning system to categorize the cloud apps it finds to give you a clear picture of what’s happening on your network.

For cloud apps you do want in use, you can use Azure AD Premium to manage single sign-on. Users never learn the passwords for those services, so they can’t be phished for them, and you control who has access to official accounts. You can use AD groups to assign specific roles on a service like Salesforce, or integrate with ServiceNow to issue job tickets to employees, using Azure AD Premium as the pipeline. You can even manage Microsoft accounts here.

The extra services in Azure AD Premium are worth checking out, because they give you insights into the devices on your network that would be otherwise hard to obtain. If you’re a smaller company that doesn’t need those features, you can still get device-management through Intune.

Connecting cloud services for an easier life

If you’re going to use cloud services like Azure Active Directory Premium, keep an eye out for the Azure Active Directory Connect tool, which will be in public preview in June. It’s a wizard that downloads and sets up the identity sync and federation features you need to connect your Active Directory to Azure AD. You can do that manually today, but this will save time and automate the deployment. If you have a complex AD setup with multiple forests or even multiple directories, you can expect to spend 10 to 14 days working through the 104-page guide to configure Active Directory Sync; the Connect tool needs little more than the credentials for your Azure Active Directory tenant.

Another new service coming as a preview in June is a cloud version of the Web Application Proxy in Windows Server 2012 R2. Cloud-based Conditional Access Application Publishing lets you use Azure AD Premium to give users remote access to web applications on your intranet, with much less setup required in your data center.

The Web Application Proxy works with iOS, Windows and Windows RT to give users access to your published Work Folders, along with internal sites like SharePoint, which you make available externally to devices that have the Workplace Join certificates deployed. For Windows and RT that’s a setting in control panel; for iOS, use the Intune app. You can allow access by roles or even add multifactor authentication for extra security.

But setting all this up on-premises is quite involved: both Workplace Join and the proxy need ADFS, with the Device Registration Service enabled and a relying party trust for each application you’re publishing, as well as an edge server running the Web Application Proxy role service of the Remote Access role. Doing all of that as a service on Azure will make it faster and easier to deploy, and you won’t need to provision the additional server.

This is the same approach as Intune and Azure RemoteApp. You get the same tools you could run on your own servers, but in the cloud, without having to run yet another workload: they’re available as services that are far easier to configure, and they take advantage of Azure’s redundancy, availability and fast network connections. Plus, as with Azure Active Directory Premium, you get extra services that are only feasible with the scale of the cloud and the information from many tenants, combined with the security information Microsoft has.

To put it simply, you don’t have to move everything into the cloud to take advantage of the new services, so you can offer users more options without disrupting what you’re already doing.
