The Future of Mobile Device Management
by OMA | Wednesday, June 12, 2013
Windows IT Pro, Mary Paul Thurrott, June 11, 2013
This year’s TechEd conference was notable for a number of reasons, including a rowdier than usual keynote address that I think should be the model for this show going forward. But my big takeaway this year is that everything is changing, and the sheer amount of information that Microsoft communicated about its upcoming products and services is almost overwhelming. I’m having a hard time keeping up.
For at least the next few weeks, I suspect—when it will start all over again with Microsoft’s next conference, Build—I’ll be poring over the TechEd 2013 materials looking for gems about coming products, services, and updates. I recommend you do the same, if possible: A great starting point is the TechEd North America 2013 page at Channel 9, where every single session from the show is now available in streaming or downloadable video form, often with a presentation deck download as well. This is an amazing resource for IT pros, and shouldn’t be missed, whether you were at the show or not.
For this week, I’d like to focus on something that’s at the top of my bit stack, a topic that I’ve been a bit obsessed with over the past few years: mobile device management.
In the good old days (two years ago?), mobile device management was an afterthought and the granular manageability of PCs presented a secure, well-understood corporate platform. But with the proliferation of smart computing devices, primarily smartphones and tablets, everything has changed.
For starters, users have woken up, dispelling any notions about controlling them with Matrix-like feeding tubes. They’ve discovered that tablets, in particular, are powerful enough to complete many of the daily computing tasks they perform, and are much simpler than PCs. Many can even get away with using only a smartphone, which is an astonishing turn of events considering the state of phone technology circa PI (2006, or “pre-iPhone”).
These same users are now expecting, even demanding, these capabilities at work. And as I’ve written in the past, a new generation of users is coming out of college with even higher expectations, not just around devices but also with regard to cloud services and the ability to mix and match their personal technology with what was previously a walled garden of corporate computing resources.
I have to be honest. These trends—the consumerization of IT, Bring Your Own Device (to work)—were initially repellant to me, and I’ve been sort of amazed by how quickly Microsoft has embraced them with its own platforms. However, it’s now pretty clear that the firm was right to do so and that this movement to smart computing devices as the primary computing platform for many users is simply unavoidable. It’s happening whether we like it or not.
Over the years, Microsoft’s approach to mobile device management has evolved pretty quickly. Most of you are probably at least passingly familiar with Exchange ActiveSync (EAS), which, as its name suggests, got started with Exchange, the low-hanging fruit of the mobile devices adoption curve. By delivering EAS policies to a mobile device, you can ensure that that device meets certain common-sense corporate standards—requiring a PIN sign-in, for starters, and device encryption—and can be wiped out remotely if lost or stolen.
EAS is delivered to these devices through an email client, which is kind of strange when you think about it. So even with modern mobile platforms such as Windows 8/RT and Windows Phone, the way that these policies are applied to the device is that the user tries to sign into his or her corporate email account. EAS checks on-device compliance with the user’s EAS policies and, finding it lacking, explains that the device needs to be configured differently before the user can continue.
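To make the EAS policy flow concrete, here is an added example (not part of the column and not Microsoft's own sample) showing how an Exchange administrator would define the kind of baseline the column describes, assign it, verify what the device actually reported, and queue a remote wipe. It uses the Exchange Management Shell cmdlet names of Exchange 2010/2013; the policy name, mailbox and notification addresses are placeholders I chose.

```powershell
# Added example, not from the original column. Exchange Management Shell
# (Exchange 2010/2013 cmdlet names). "Corp-Baseline", alice@example.com and
# itsec@example.com are placeholder values.

# 1. Define a policy that requires a non-trivial PIN, limits failed attempts,
#    auto-locks after inactivity, and requires on-device encryption.
#    AllowNonProvisionableDevices $false is what turns the policy into a gate:
#    a device that cannot apply every setting is refused sync instead of
#    being let in with the policy silently ignored.
New-ActiveSyncMailboxPolicy -Name "Corp-Baseline" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox. Nothing is pushed at this point; the
#    device receives the policy when its mail client next syncs, which is
#    the "sign into corporate email" step the column describes.
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy "Corp-Baseline"

# 3. Verify from the server side which policy each device acknowledged and
#    whether it reported the policy as applied. A stale LastSuccessSync or a
#    status other than "AppliedInFull" is the signal to investigate.
Get-ActiveSyncDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# 4. Remote wipe for a lost or stolen device. The wipe is queued on the
#    server and only executes when the device next syncs, so a device that
#    never reconnects is never wiped; the notification address is told when
#    the device acknowledges the wipe.
$device = Get-ActiveSyncDevice -Mailbox "alice@example.com" | Select-Object -First 1
Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses "itsec@example.com"
```

Two points worth checking in a real deployment: the policy only reaches devices that sync mail, so a device with the mail account removed is outside its reach entirely, and the wipe in step 4 is a full device wipe, which is exactly the gap the selective-wipe capability discussed later in the column is meant to close.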
EAS works well for what it does, but what it doesn’t do is open the corporate kimono to the non-email (and contacts, calendar, and tasks) data that users also need to get work done. So the gap between an EAS-connected device and a full-powered PC that’s controlled via Active Directory and Group Policy is pretty great indeed.
To bridge this gap, Microsoft created a simple new management infrastructure that first debuted in Windows Intune, its cloud-based PC (and, later, device) management service. Originally a proprietary solution, this management infrastructure can apply simple, linear device policies to smart connected devices. On the client side, this is built into Windows Phone 8 and Windows RT, and you can also manage Windows 8 PCs and devices this way if desired. (In addition, you can utilize EAS to manage other device types such as iPhone, iPad, and Android.)
Going forward, however, the Intune-developed management infrastructure is being opened up to be made compatible with something called OMA-DM (Open Mobile Alliance Device Management), enabling third-party solutions to also manage smart devices built on Microsoft’s new mobile platforms. Windows 8.1, a free update, will add this capability to Windows 8 and RT, and my understanding is that OMA-DM support is available in Windows Phone 8 already.
What this means is that these devices will work with third-party management solutions, if you use those. Intune has already been pulled into the System Center group at Microsoft and with the existing version of SCCM you can already manage both PCs and mobile devices from a single interface. And the next version, SCCM 2012 R2, will increase this integration.
From a management perspective, what OMA-DM and a coming generation of Microsoft mobile platform updates gives you is automatic connectivity with no client install and, in Windows 8.1 (and RT 8.1) and Windows Phone 8, no need for the user to first configure an email client to apply policies. You can side-load Metro-style apps on Windows 8/RT 8.1 via a custom portal, push third-party VPN configurations (for compatible VPNs including F5, Dell SonicWALL, Check Point, and Juniper; sadly this will not include Cisco), enforce an ever-widening set of EAS-type policies, and perform such things as selective wipe, where only corporate data is removed when a user decommissions his or her own device. On Windows 8.1-based Windows 8 and RT PCs, you’ll also be able to let users access corporate Work Folders, including SkyDrive-type syncing capabilities for offline use.
Ultimately, this new management infrastructure will still sit logically between EAS and AD/GP, although it’s getting more powerful with each passing year. But in the evolving world of BYOD, OMA-DM and the improved SCCM and Intune are both simpler than AD/GP and more applicable to the needs of this market. With employees increasingly using their own smartphones and tablets, this compatibility means that you can protect your corporate data while letting users still get work done fairly effortlessly.
I’m looking forward to testing this stuff in coming preview versions of SCCM 2012 R2 and Intune (although I’m not sure the latter will be available until the public version hits later this year), and with the Windows 8.1 Preview, which will ship for both Windows and RT on June 26. With the gap closing in this space between EAS and AD/GP, things are suddenly getting very interesting indeed.