Microsoft is making a pitch for supplying customers with mobile device management (MDM), based on System Center 2012 supplemented by InTune, its cloud management software.
As more users access corporate systems through smartphones and tablets -- and increasingly using non-Windows devices -- it is critical for Microsoft to retain some control over those devices to maintain its presence in corporate IT infrastructure. But critics say the supplier is late to this particular game, with rival offerings already proving popular to support bring your own device (BYOD) policies.
On paper, Microsoft's offering looks promising -- management of a broad range of devices including iOS and Android, Windows Mobile, Windows Phone and Windows RT, with features covering device encryption, data protection, software deployment and remote wipe.
Dig into the detail though, and there are gaps and inconsistencies which suggest that Microsoft's device management is not yet fully mature, though integration with System Center and Active Directory is a significant benefit.
There are several parts to Microsoft's mobile device management story. The old and familiar one, from which Microsoft is now moving away, is the widely supported Exchange ActiveSync (EAS).
Download a Computer Weekly buyer's guide to MDM
The trend for consumerisation and employees using their own devices for work comes as concerns over data security mount. In this 11-page buyer's guide, Computer Weekly examines how to formulate a strategic policy for mobile device management (MDM) with a look at how the London Borough of Brent is migrating to a fleet of iPads and iPhones, and how to choose the right MDM approach and product portfolio for your organisation, staff and mobile devices.
- Click here to download the buyer's guide to mobile device management
EAS is a protocol for accessing email, calendar, contacts and tasks, but it becomes a device management tool via the ability to set security policies. If the user does not accept the security policies, they cannot connect. These policies cover passwords, device encryption and remote wipe. System Center Configuration Manager -- the PC and device management part of the suite -- has a connector for EAS that enables device management within that console.
EAS is effective but limited, so Microsoft is now focusing on calling device-specific application programming interfaces (APIs) instead.
"With inTune we've gone beyond EAS. We've added depth management which takes advantage of the APIs in the device," says Microsoft's Andrew Conway, product manager for enterprise client.
This is a new role for InTune, which was originally conceived as a simplified, cloud-based version of System Center aimed at smaller organisations.
The reason for using InTune, rather than extending the mobile device management features already present in Configuration Manager, is that a cloud-based offering makes more sense for mobile.
"If you have a mobile device, it is a lot more often connected to the internet than it is your corporate intranet," says Conway. That said, an InTune Connector for Configuration Manager means that administrators can continue to use System Center for management, with InTune working as a kind of back-end service.
When you configure InTune for MDM, you choose between System Center integration or InTune web management -- a choice which apparently cannot be changed thereafter.
There is a downside to using native device APIs -- each device is different and more work is needed before a new device can be supported. It also depends on the APIs offered by the mobile platform, and Microsoft says that Android is behind iOS in this respect. The consequence is that device support is rather a patchwork at present, covering:
- Windows Mobile 6.5 and earlier: System Center Configuration Manager
- Windows Phone 7.5 and earlier: Exchange ActiveSync
- Windows Phone 8: InTune
- Windows RT: InTune
- Apple iOS: InTune
- Android: Mostly Exchange ActiveSync
- Blackberry: Exchange ActiveSync/not officially supported
In cases where EAS is the solution, you can use the EAS connector for either InTune or System Center.
The requirements for enrolling devices vary according to the device. For Windows Phone 8, you will need to purchase an Enterprise ID from Microsoft and a code-signing certificate from Symantec. Windows RT requires purchase of side-loading keys, to enable corporate app deployment, and a code-signing certificate. Apple iOS requires purchase of an Apple Push Notification certificate from Apple.
Microsoft's mobile device management is not just about security. There is also a focus on application deployment, based on the concept of company portals. This is one area where Android 2.1 or higher is supported, along with iOS, Windows Phone 8 and Windows RT. You can either publish in-house apps directly, or link to apps in a public app store.
Active Directory and InTune
The heart of Microsoft's management infrastructure is Active Directory (AD), and this remains the case with device management, since the company takes the line that device management should be user-focused. InTune is a cloud service that uses Azure Active Directory, so how does this work with an organisation's on-premise Active Directory?
The answer is that for smooth administration you need to use both directory synchronisation, which maintains cloud AD accounts in sync with on-premise AD, and ADFS (Active Directory Federation Services), which lets users authenticate against the corporate AD and use single-sign-on (SSO) when logging into InTune.
If you use only synchronisation, without ADFS, you lose both SSO and also single password management, since passwords are not synchronised. Once both directory synchronisation and ADFS are in place, you can do all directory management on-premise.
The foremost mobile security concern for most enterprises is how data that arrives on mobile devices is protected. Device encryption is a starting point, but Microsoft argues this is insufficient on its own since data may be copied from the device to unprotected storage. Two features of Windows Server may assist with this.
Read more on mobile device management
- Shore up your organisation's fleet with the right MDM
- Ovum urges CIOs to review MDM policies to support BYOD practices
- What to consider when choosing an MDM system
- As enterprise MDM software evolves, advanced features emerge
- Exploring SMB and enterprise MDM options
- Five MDM products for managing mobile devices in corporate environments
- BMI Healthcare assesses mobile devices for hospital consultants
One is Dynamic Access Control, new in Server 2012, which lets you classify documents either manually or automatically, based on tags and keywords, and apply policies such as which users can access them and which devices they can access them from. Dynamic Access Control is based on evaluating expressions, rather than simply checking group membership.
The other feature is Information Rights Management, which encrypts documents and applies rules about how they can be used. This is integrated with Dynamic Access Control, so that rights management can be automatically applied to documents that meet specified conditions.
Pros and cons
The advantage of Microsoft's approach to device management is that it integrates smoothly with both Active Directory and System Center. When fully implemented, it covers a range of concerns including data protection, compliance and app deployment.
The downside is the complexity of setting up the infrastructure, which -- while not a burden for large enterprises -- does make it less appealing for smaller organisations. Another issue is that you need the latest version of Windows Server and System Center. Much of this support is new in System Center 2012 Service Pack 1.
Finally, Android support is limited at present, while other devices such the new BlackBerry 10 are not yet supported. Microsoft's iOS support is strong though, covering the most popular choice for enterprises supporting mobile devices.
There is detailed information on setting up mobile device management for System Center and InTune in Microsoft Management Summit sessions, available online here.