Why (and how) you should manage Windows PCs like iPhones

The days of Microsoft’s System Center may be numbered. With the introduction of Windows 10, Microsoft has begun championing a different approach to systems management — the same approach that Apple created for the iPad and iPhone, and Google later adopted for Android. Organizations adopting Windows 10 can take advantage of this new approach, allowing IT to manage all client devices — Windows 10 PCs (as older Windows versions are retired), Macs, iOS devices, and Android devices — from the same consoles, using the same policy-driven technology in what is called an omnidevice strategy.

That’s the theory, but the practice is more complex.  

Here we take a closer look at what an omnidevice strategy entails, detailing the tools, implementation, and current caveats to show how your organization can take advantage of this strategy as it evolves.

The reasons to manage PCs like iPads

Tablets today increasingly resemble computers, in both functionality and use, and computers are increasingly taking on tabletlike features. Microsoft, Apple, and Google all recognize that convergence in the form of their “tabtop” devices: the Surface Pro, iPad Pro, and Pixel-C, respectively. IT should too, by moving away from deploying two sets of management tools: one for computers and one for mobile devices, an increasingly meaningless distinction.

But the big motivation for doing so is cost savings. The methods and tools for managing capabilities and security for iOS and Android devices are far more labor-efficient than those used to manage traditional PCs. That’s largely because the self-enrollment, policy-based approach of managing mobile devices was a necessary outgrowth of the BYOD movement. Most mobile devices weren’t initially provisioned by IT, and because IT couldn’t touch all devices, as it had long done for PCs, a new management methodology was essential. Soon, enterprise mobility management (EMM) arose to fill the void.

Ojas Rege, chief strategy officer at EMM provider MobileIron, says adopting the mobile model for PC management should shed between half and three-quarters of the cost of managing those PCs, after factoring out the client licensing costs for EMM tools.

Organizations leveraging EMM typically require only two to four admins to support 10,000 devices, notes Tony Kueh, vice president of research and development at VMware’s AirWatch unit, also an EMM provider. Managing PCs is more complex, mainly because customization in Windows applications results in greater variety than what Apple allows for iOS, but Kueh nonetheless expects the EMM approach to greatly reduce the cost of Windows management.

Couple these significant TCO benefits with the consistency of a common platform that reduces possible security and compliance gaps, and you can see the appeal of the omnidevice strategy.

MobileIron and VMware have high expectations for Windows 10 management through its traditionally mobile-and-Mac management tools, as you’d expect, as do other major EMM providers such as Soti and IBM’s Maas360 unit. Gartner is also bullish on the approach, predicting that in two years 40 percent of IT shops will manage at least some Windows PCs using omnidevice-savvy EMM tools.

Current Windows management tools find their roots in the 1980s approach to computing, in which IT owns the devices and manually provisions them. Over time, that provisioning has been increasingly automated, using tools like Microsoft’s System Center, MicroFocus ZenWorks, LANdesk, and Symantec IT Management Suite (formerly Altiris), but the basic approach of direct IT management has remained.

That approach does scale to thousands of computers, as long as they are pretty much all Windows PCs (Mac support came recently for some, though usually for a subset of capabilities), but it is a labor-intensive, slower-to-market approach that puts IT at the center of almost every decision.

The EMM approach, on the other hand, assumes little admin labor, in large part because in the early days of mobile, before EMM, IT shops refused to devote resources to supporting mobile devices, forcing vendors to establish a different method to satisfy IT objections around management and security.

Another factor in limiting the TCO of EMM’s approach is what it obviates, MobileIron’s Rege says.

“You won’t need bolt-on app sandboxing; there’s less need for antimalware and less need for traditional agent-based DLP” because the sandboxing model of EMM doesn’t let outside apps and agents into the app sandboxes, whether to inspect or infect, he says. Sandboxing is a key foundation of the mobile security model now brought to computers. Data loss prevention (DLP) is still an important measure, Rege notes, but it becomes policy-driven and absorbed by EMM, not handled by software agents’ direct inspection of apps. 

In other words, a lot of the security superstructure required for today’s totally exposed Windows applications goes away when they’re natively protected. That also reduces support and operations costs, he adds.

In 2011, Apple realized this approach would work as well for computers as it does for mobile devices, so it engineered OS X Lion to adopt many of the same policy-based, self-enrollment management protocols as iOS — policies it made enterprise-grade in 2011’s iOS 7 as well. Suddenly, IT could set policies that it distributed via profile files that both configured some OS-level features and checked user-controlled settings to ensure compliance: No compliance, no access.

Microsoft adopted the same approach in 2015’s Windows 10 and expanded it in the various 2016 updates. Windows 10 is starting to get serious IT attention for broad rollout, so Microsoft has been starting to promote the EMM approach while also supporting System Center for the years of PC management legacy.

Not all Windows 10 EMM pieces are in place

Microsoft has a very convincing diagram of Windows 10 management via EMM, one that suggests all the pieces are in place. But they’re not.

Certainly, the basics are in place, such as enforcing password and encryption policies. Self-enrollment is also available, via Azure Active Directory (AAD) or a third-party EMM suite. Perhaps most critical, core Windows technologies — system updates, network management (such as required VPN use and Wi-Fi access point binding), and Azure Active Directory join — are good to go.

But Microsoft has only recently enabled full app provisioning. That means IT can now deploy Win32 apps via .msi packages, not the barely used Universal Windows Platform (UWP) .appx apps, via Windows 10 EMM. (“Universal” is a misnomer, as it means “universal to Windows 8.1 and Windows 10.”)

The arrival of Windows Information Protection brings to Windows 10 Anniversary Update or later the ability to manage corporate-provisioned apps separately from user-installed ones, similar to managed apps in iOS and the Google for Work and Samsung Knox containers for Android. That’s a key enabler for the low-touch approach of EMM.

Another area that is incomplete is the mapping of group policy objects (GPOs) that are so central to Windows systems management to equivalent EMM policies. Such mapping would greatly help IT admins transition to EMM with full assurance that their finely honed policies remain in place.

So far, such mappings represent only a subset of GPOs. That’s not necessarily bad. After all, when Apple debuted iOS policies, many in IT called them inadequate because they were fewer in number than the 450 that BlackBerry had. But time showed that most of those policies were actually unnecessary, and today that complaint has faded — even BlackBerry hasn’t bothered to replicate those 450 policies for its Android devices in its mobile management suite. Still, the transition from GPOs to EMM policies will not be seamless.

That doesn’t mean you should stick with GPOs because the GPO-to-EMM mapping is incomplete. They’re fairly heavyweight and usually require a validated connection that can be difficult to maintain as people travel from airport to Starbucks to home to cellular networks, notes Tomas Vetrovsky, senior director of Windows product management at MobileIron. It’s better to use EMM policies where you can and reserve GPO use for what EMM policies can’t do. Often, that means applying the GPO policies as needed, not all up front.

Sorting out encryption

For years, we’ve all heard the advice that PCs should be encrypted in case they are lost or stolen. Yet few organizations do so widely, because it’s very difficult to accomplish and even harder to manage — how do you recover the contents of an encrypted drive or backup, for example? You need those keys.

It doesn’t work that way in iOS, the model for EMM. Encryption is simply there, so it can be assumed. The keys are tied to the device itself, so if data is moved elsewhere, having the key itself isn’t sufficient — that’s great for protecting sensitive data but could keep IT from getting to the on-device data if the user doesn’t help. (Ask the FBI.) Security-savvy Android devices, like Samsung’s S and Note series, have a similar mechanism.

But you don’t need the device to get to the data if that data is provisioned by an EMM server — the server is the owner, not the user, and the data is available from the back end, whether it’s SharePoint, OneDrive, Dropbox, Box, or something else.

That’s the key for thinking about encryption on Windows 10 PCs, says MobileIron’s Vetrovsky: In the modern app model, while there is always data resident on the device, that data is always also synced to a back-end service IT manages.

Thus, there’s no need to get the local copy on the encrypted PC, such as a backup. You don’t need to decrypt the user’s device if you have the master data elsewhere; you simply need to make sure someone else can’t access that data via the user’s device, which is what EMM policies do.

Microsoft’s Endpoint Data Protection, when used with July 2016’s Windows 10 Anniversary Update or later, gives you even greater encryption sophistication: It lets you auto-encrypt corporate-provided data on devices, and it manages those keys for IT. Thus, you get extra security for the local copies of data on those devices beyond the standard disk-wide encryption, with key storage and management included.

However, many enterprise apps are anything but modern, and they store data locally rather than in IT-managed storage services. If a Windows 10 PC is encrypted and IT doesn’t have the key, it can’t access that local data. Currently, there’s no tool for IT to store and manage Window’s BitLocker keys automatically across user systems to get that siloed data. Until there is, you’ll need to have users provide their keys as they enable encryption on their PCs themselves if they’re using the old-style applications.

Note that Windows 10 doesn’t currently let IT turn on encryption remotely through EMM policies, a limitation that MacOS and Android also share. But EMM policies can detect whether encryption is enabled and deny access to devices where it is not turned on. That limits the opportunity for data to go onto an unprotected device.

The ball and chain that is your Windows app portfolio

What about all those old Windows apps that your organization relies on? Rewriting them as or replacing them with UWP apps is at best a long-term project. But there is another transition path from the old-style Win32 apps to the new UWP versions.

Here, Microsoft’s Desktop Application Converter (aka Project Centennial) is key. This tool represents Microsoft’s effort to containerize old, .Net-based Windows apps to gain the EMM management support of UWP apps. Once those old Win32 .msi apps have been containerized, they become part of your EMM strategy. 

IT can subject containerized Win32 apps to application management policies that will help IT ensure that corporate data stays within corporate assets. Moreover, IT can impose stricter authentication requirements for those apps and enforce the use of VPNs and the like to further protect application data. The adoption of such technologies in iOS and, to a lesser extent, in Android has cleared a major IT objection to mobile devices being of use for “real work.”

“Desktop Application Converter is a step in the right direction because it can take Win32 apps and convert them to UWP for ease of management,” MobileIron’s Rege says. “But we don’t know yet whether it fully addresses all Win32 apps. The long-term answer is to modernize apps, not just convert them to a new format [UWP’s .appx].”

After reviewing Desktop Application Converter’s actual capabilities, IT departments will have to decide in each case whether they need to rewrite to UWP and/or mobile versions, get by with containerized versions, port to the cloud or web, or abandon existing apps.

VMware’s Kueh suspects that the cost of refactoring will usually be less than the cost of maintaining the legacy, helping IT finally reduce its software debt rather than continuing to drag it along. And, he says, VDI can handle those old apps that can’t be rewritten (perhaps because they came from a now defunct vendor) without blocking the use of modern EMM approaches.

Rege adds, “There’s probably only a small percentage you actually need of that old software. If the others went away, would users notice?”

The confusion around Microsoft’s EMS and Intune

A few years ago, Microsoft came out with its own EMM tool, Intune. It managed iOS and Android devices, as well as Windows Mobile ones — but not Macs — using the same policies as any EMM tool had.

Then Microsoft created information management APIs for Office 365 and tied them to Intune, in what was clearly an anticompetitive act of tying to force IT to adopt Intune instead of their existing EMM tools if they wanted to manage devices using both the standard EMM APIs and the special Microsoft Office information management APIs.

That was then. Today, Intune is a part of Microsoft’s Enterprise Management Suite (EMS), which also includes Azure Active Directory Premium, Azure Rights Management, and Advanced Threat Analytics. And IT no longer has to choose Intune over an existing EMM tool to take advantage of those special Office 365 APIs.

Those information management APIs remain proprietary to Microsoft Office, but Microsoft has decoupled the management of those proprietary APIs from EMS’s device enrollment and management capabilities.

As a result, enterprises can keep their existing EMM provider for device and app management and use the two EMS components — the Azure console with Intune — as the policy manager for setting the proprietary Office app configs. It’s no longer an either/or choice between an existing EMM provider and Office app configs. Both can now coexist.

Oh, and Intune now supports Macs for many of its policies, a change made this past summer. Plus, Microsoft announced last week that Intune will soon support Android for Work, Google’s enterprise-class application management capabilities. Clearly, Microsoft is starting to acknowledge the rest of the EMM world.

The only major tie-in that Microsoft still maintains is for its conditional-access policies for Office 365, which use AAD to manage access based on device context such as geolocation or IP address to deny otherwise permitted access due to heightened risk. Microsoft lets other EMM and identity-management providers use those policies for managing Windows 10 PCs, but not for other devices. The implication is that if you want conditional access for both your Windows 10 PCs and mobile devices, you must go with EMS.

But there are many non-Microsoft ways to set up conditional access on iOS and Android — EMM providers don’t need Microsoft technology for this capability. For example, Rege says his company’s MobileIron Access product handles non-Windows 10 conditional access by taking in the authentication request, then confirming device and app trust before passing it to the identity provider to confirm user trust. If the device or requesting app are untrusted, no access is given to Office 365 (or any other cloud service). Thus, IT gets the same conditional-access management model for all devices.

What about Macs?

Although Apple adopted the EMM approach for Macs four years before Microsoft did for Windows 10, you don’t hear a lot about EMM management of Macs. That’s largely because enterprises don’t really manage Macs the way they do PCs, even though they should. Macs are usually a nuisance for IT, which minimizes its involvement with them. It hasn’t helped that Apple’s EMM policies for MacOS are a subset of what’s available for iOS, though the new MacOS Sierra takes some good catchup steps.

Those companies that see Macs as real PCs tend to use Apple-savvy tools such as those from JAMF to manage those Macs, not Windows-centric tools.

Still, Macs have seen increased use in enterprises, and not only in traditional functions like design and software development. The Mac is likely to go along for the ride for companies that move to an omnidevice strategy.

VMware’s Kueh described such a scenario: He recently talked to an Asian company where millennial users want Macs, but the company doesn’t want to buy them. But instead of looking the other way or doing a minimal management approach such as using a backup and app-distribution tool like Code42, the company decided to manage Macs like iPads, iPhones, and Android devices: via EMM tools. It plans to do the same for Windows 10 PCs, for consistency and efficiency.

The irony is that MacOS isn’t always as capable as Windows 10 when it comes to EMM-based management. Yes, if you compare the specific policies each OS supports, you’ll see that MacOS wins some and Windows 10 wins some, roughly balancing out. 

But comparing the protocols is only the first step. Despite its established strengths in protecting applications from malware (such as via Gatekeeper, an approach now adopted by Windows 10), MacOS currently lags Windows 10 (and iOS) in terms of file system security and key management. Even where policies are the same, their effectiveness may not be.

For example, innate file protection is stronger in Windows 10 than in MacOS. For whatever reasons, Apple has been slower to improve MacOS’s file system than it has iOS’s, while Microsoft has had to pay deeper attention in Windows 10 to these security issues because of the high cost to users and IT over the years of previous Windows versions’ inherent file-system vulnerabilities to malware.

For the omnidevice strategy, it’s Windows 10 or bust

As the Windows 10 EMM ecosystem matures over the next few months, there’s still an elephant in the room: Enterprises are barely thinking about adopting Windows 10; most are still finishing their Windows 7 rollouts. What is there to manage? After all, for EMM to become the norm for managing PCs, Windows 10 will have to be adopted.

Rege says the logical place to start managing Windows 10 PCs via EMM is the increasingly popular PC/tablet hybrid (aka tabtop) such as Microsoft’s Surface Pro and laptop hybrids such as HP’s Elite X2 and Lenovo’s various hybrids — rather than using System Center or other old-school Windows management tools for them. 

Another use case is employees’ home computers, which are more likely to run Windows 10 because there’s no version-rollback option for consumers as there is for enterprises.

Note that the available EMM management policies vary based on Windows 10 version, with Windows 10 Home having minimal support. Realistically, personal PCs should run Windows 10 Pro and corporate PCs should run Windows 10 Enterprise. (EMM suites can detect these versions and use them as criteria in policy application.)

But those are edge cases, which is why Gartner’s prediction that 40 percent of enterprises will use EMM to manage Windows 10 PCs by 2018 has the caveat that those enterprise will manage only some Windows 10 PCs that way. System Center and its alternatives won’t go away quickly, even as Microsoft begins to blur the traditional lines.

Still, I suspect enterprise Windows 10 adoption will be faster than in the past. The security capabilities in Windows 10 are far too compelling to ignore, especially given the heightened awareness around data theft and malware. And, frankly, Windows 7 is old and needs to be retired.

Many enterprises did nothing to update Windows because Windows 8 was so unusable and Microsoft’s plans were clearly in disarray — that both preserved XP’s use and delayed Windows 7 adoption as IT played wait-and-see. Windows 8.1 didn’t really help, especially because it was the last to get full support of Office 365, Microsoft’s major technology initiative these days.

In addition, PC makers have made the transition to Windows 10 difficult for consumers because of incompatible drivers they have not updated, causing a parade of issues that keeps my colleague Woody Leonhard fully occupied in detailing. The PC makers clearly would prefer people buy new PCs, since they need the money. That’s what will happen — for users, the choice is increasingly to run an old, less-secure PC or bite the bullet and get a new one.

Enterprises face the same choice, and I believe they’ll adopt Windows 10 because many of the new PCs use hardware that, ironically, Windows 7 doesn’t support.

Of course, the move to Windows 10 — and thus to Windows 10 EMM — also requires that those PCs be cleaned up. Drivers alone aren’t an issue; it’s all that old software with dependencies to specific versions of Java, ActiveX, and/or Internet Explorer. They force IT to vet every update and to loathe the automatic updates that are the norm in iOS, Android, MacOS, and cloud services — and that Microsoft needs to become the norm in Windows.

Maybe the benefits of EMM, coupled with the greater trends to cloud computing and mobile-first application development, will finally let IT cut loose all that technical debt that threatens to mire it in the past. It will need to, because operating systems, apps, and protocols are all moving targets that require periodic refreshing. Mobile management admins know that from the annual API updates from Apple and Google and the regular pace of OS and app updates. Desktop admins need to prepare for that reality as well.

Dropping legacy apps and too-old PCs will help make automatic updates safer. Until then, EMM policies for Windows 10 let IT control those updates, so they have time to test OS updates before releasing them via Windows Server Update Services (WSUS). EMM policies let you set a delay for such updates, as well as force updates you deem critical. Note that the Windows branch you are on determines the pace of the updates you receive from Microsoft — that’s true whether you use EMM, System Center, or another item to manage updates.

The good news is there’s time for IT to really try out the EMM approach to Windows management on those edge cases. When the day comes to switch to Windows 10 company-wide, the management switchover will be straightforward, too.