Consider for a few moments these questions:
- When does a cellphone become more than a cellphone?
- What does Bring Your Own Device (BYOD) really mean for end users?
- What is Enterprise Mobility Management (EMM)?
- Why does EMM only cover cellphones or tablets that cooperate?
- What is the point of EMM?
These are just a few of the dozens of questions I field daily when asked about Mobile Device Management (MDM). Of particular interest is the fact that, up until now, no one really thought to make the leap from the need to manage a cellphone to "something else." Windows 10 introduces a brand new, radical concept: all devices are mobile and should therefore be managed.
When you think about it, why should IT care whether you have a personal cell or a corporate issued laptop? Or a corporate issued tablet and a personal desktop at home? Or, like me, all of the above? The begets the last of the questions above: what is the point of EMM? Secure. The. Data.
Wherever your corporate data is, regardless of device, the device must be secure or you can't possibly expect to secure the data. By introducing the revolutionary concept of applying EMM strategies to ALL devices, you can now manage and secure the device and therefore the data. And that, my friends, is really all IT cares about. So, how does this work? As with many things in Windows 10, it all starts with Azure.
Azure Active Directory is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups and help secure access to on-premises and cloud applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications.
Okay, that's a neat demonstration of Derek's ability to Bing something - but what does that mean for devices? Azure AD is the underpinning of Microsoft's service to provide global, non-domain joined connectivity and management of all mobile devices (like phones, tablets, PCs, etc) using open standards and protocols. Initially, it is wired up to Microsoft's Intune EMM solution, but as I mentioned, it uses open protocols so others, including Microsoft's competitors, can take advantage of the functionality to manage and control devices.
For IT, the capabilities are rich and compelling:
- Ability to manage non-corporate (personal) or non-domain joined corporate owned devices of any type (Windows, iOS, Android). "If you access corporate data with this device, I get to control certain things about that device."
- Provides for the "split brain" personality for devices - personal side and business side. "You leave the company or do something against the rules, I as IT get to wipe the business portion brain of your device and your Angry Bird scores and photos of your puppy remain."
- Enforce policies. "By touching corporate data and therefore enrolling this device, I can say you have to have a PIN to unlock your computer, you have to not be jailbroken (iOS/Android), you have to have up to date malware prevention and the device must be encrypted." This is just an example of the many types of policies you can set. Note: the breadth of policies available is rapidly expanding, but it is not currently Microsoft's intention to replicate Domain Joined GPO level control over devices.
- Install apps (automatically or offer to let users install them) via the Company Portal. "By joining this device to Azure AD and gaining access to corporate data, I am also publishing corporate applications to you (Universal only for now) that you can access."
- Monitor a device's location and lock/wipe/reset. "Yes, I can see where your device is." (Like all other policies and settings, that's optional).
- Multi-Factor authentication enrollment and enforcement for Windows Login (if configured/acquired)!
For the end user, the capabilities are equally compelling:
- Auto configuration of applications like email, calendaring, contacts
- OneDrive for Business (if enrolled via Office 365) provisioned
- Access to internal resources like corporate intranet, file servers and printers
- Access to company apps (including apps that sit behind the firewall) WITHOUT THE NEED FOR A VPN!!!! (if configured - more on this VERY exciting feature in later articles).
- Single Sign On at the device level with Azure AD integrated apps. Out of the box, there are some 2700 apps and growing every day like WorkDay, SalesForce, heck, even Google is in there! Also, if IT does a few tricks, that SSO can be extended to ANY application that your organization wants.
This is big stuff folks - every device can be managed like a mobile device. A reminder from our security discussion: protect the device and protect the data - wherever it may live. Next time, we'll be discussing how you set this thing up.
General note: many of these features require your organization to be enrolled in Enterprise Mobility Suite (EMS) which provides Azure AD Premium, Microsoft Intune and Azure Rights Management.