Microsoft is quietly embracing multi-platform mobile devices. Windows Azure Mobile Services provides back-end services for mobile apps developed for Windows, Android and iOS alike, and last month Microsoft announced support for Android and iOS in its unified management environment for PCs. These developments show that when Microsoft has a good reason, it can be platform agnostic.
I spoke with Jason Leznek, Microsoft Director of Windows Server and Management Product Marketing, about a new cross-platform mobile device management (MDM) initiative. He started the conversation by saying:
"The choice of device is rapidly becoming the consumer’s, not IT's."
For emphasis, Leznek quoted a leading industry analyst who said "IT will either be on or under the bus of consumerization."
Microsoft can afford to be late to the MDM market
Gartner estimates that the MDM market will grow to $1.6 billion in 2014, which is a good reason that Microsoft is integrating Android and iOS into its MDM solution. IDC analyst Robert Young explained the details of Microsoft’s market position:
"MSFT was the leading vendor in the worldwide Change and Configuration market with 21.5% in 2012. In addition, it had 28.4% in worldwide Software Distribution and 34.8% in IT Asset Management and was also the leader in both these markets."
Microsoft also dominates enterprise IT directory services with Active Directory. These all add up to a strong market position from which Microsoft enters the MDM market.
The problems that MDM solves are authenticating users and devices, configuring policies on devices, distributing and updating approved software, and tracking the devices connected to the enterprise. Microsoft already does this well for PCs and servers. Now it wants to do the same for mobile devices, at least those running Windows, Android and iOS.
AirWatch, Citrix, Good Technology and MobileIron are in the lead, but they are point solutions that require a second management console, a second identity store and a second set of policies alongside the desktop tooling. The market is changing, though. Recently, desktop management vendors have been buying companies to add MDM to their portfolios: IBM agreed to acquire Fiberlink Communications last week, LANDESK acquired Wavelink and Kaseya acquired Rover Apps.
Overview of Microsoft’s MDM Offering
Microsoft has taken a different approach. It is building its MDM solution mobile-first by extending Windows Server 2012 R2, System Center 2012 R2 Configuration Manager and Intune to cover not only Windows 8 mobile devices but also Android and iOS. It has shipped first releases of its Android and iOS client apps.
Microsoft’s MDM relies on the user’s identity in Active Directory for authentication and for setting access, application and data policies. To get started, the user enrolls the device with Workplace Join. After authenticating with Active Directory enterprise credentials, using single- or two-factor authentication, a certificate is written to the device and is used from then on for security and policy enforcement. Devices that are lost or retired can be un-enrolled by either the user or the system administrator, and the corporate data, apps and certificate on the un-enrolled device are wiped.
After enrolling the device, the user downloads the company portal app from the corporate portal, Google Play or the Apple App Store. Jailbroken iOS or rooted Android devices can be detected and refused.
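The article says only that jailbroken and rooted devices "can be detected and refused", not how. The following is an added example (not Microsoft's code, and not how the company portal app works) of the kind of heuristic an enrollment agent runs: it looks for artefacts that common rooting and jailbreak tools leave behind and refuses enrollment when any are present. The device snapshots, the DeviceSnapshot structure and the decision function are constructed for this example; the indicator paths, package names and the ro.build.tags check are well-known heuristics.

```python
from dataclasses import dataclass, field


@dataclass
class DeviceSnapshot:
    """What an enrollment agent could collect from a device. The structure is
    this example's own; every instance below is constructed, not captured."""
    platform: str                                     # "android" or "ios"
    paths: frozenset                                  # filesystem entries the agent can see
    build_props: dict = field(default_factory=dict)   # Android system properties
    packages: frozenset = frozenset()                 # installed package identifiers


# Well-known artefacts left behind by common rooting and jailbreak tools.
ANDROID_ROOT_PATHS = frozenset({
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/app/Superuser.apk",
})
ANDROID_ROOT_PACKAGES = frozenset({"eu.chainfire.supersu", "com.noshufou.android.su"})
IOS_JAILBREAK_PATHS = frozenset({
    "/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash", "/usr/sbin/sshd", "/private/var/lib/apt",
})


def compromise_indicators(snap):
    """Return the sorted list of indicators found. An empty list means nothing
    was detected, which is not the same as the device being clean."""
    hits = []
    if snap.platform == "android":
        hits += sorted(snap.paths & ANDROID_ROOT_PATHS)
        hits += sorted(snap.packages & ANDROID_ROOT_PACKAGES)
        # Firmware signed with the public AOSP test keys is not a vendor build.
        if "test-keys" in snap.build_props.get("ro.build.tags", ""):
            hits.append("ro.build.tags=test-keys")
    elif snap.platform == "ios":
        hits += sorted(snap.paths & IOS_JAILBREAK_PATHS)
    else:
        raise ValueError("unknown platform: " + snap.platform)
    return hits


def enrollment_decision(snap):
    """Refuse enrollment on any indicator; the admin can still allow-list later."""
    return "refuse" if compromise_indicators(snap) else "allow"


# Constructed snapshots: a stock Android phone, a rooted one, a jailbroken iPhone.
STOCK_ANDROID = DeviceSnapshot(
    "android",
    frozenset({"/system/bin/sh", "/system/app/Gmail.apk"}),
    {"ro.build.tags": "release-keys"},
    frozenset({"com.android.vending"}),
)
ROOTED_ANDROID = DeviceSnapshot(
    "android",
    frozenset({"/system/bin/sh", "/system/xbin/su"}),
    {"ro.build.tags": "test-keys"},
    frozenset({"eu.chainfire.supersu"}),
)
JAILBROKEN_IOS = DeviceSnapshot(
    "ios",
    frozenset({"/Applications/Cydia.app", "/usr/sbin/sshd"}),
)

if __name__ == "__main__":
    for name, snap in [("stock android", STOCK_ANDROID),
                       ("rooted android", ROOTED_ANDROID),
                       ("jailbroken ios", JAILBROKEN_IOS)]:
        print(name, "->", enrollment_decision(snap), compromise_indicators(snap))
```

The caveat a practitioner should keep in mind: these checks run inside an agent on the very device whose integrity is in question, so the same root access they look for can hide the artefacts from them. They raise the bar and catch the casual case; they are not attestation.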
Only apps approved by IT are available for download by the user. App policies are set based on the user’s identity rather than the device. A user with a company-issued iOS device and Windows Laptop and a personally owned Android device is granted access to download the device-specific versions of an application like Skype. Access to these cross-platform apps is granted through Configuration Manager, based on the user’s Active Directory group or role.
Intune is a Microsoft SaaS service that translates policies set at the Configuration Manager console into the device-specific management protocols that Android, iOS and Windows Phone each implement differently. For example, if an enterprise has a policy in Configuration Manager that restricts users from downloading from public app stores, Intune removes the public app store from the settings of each device type.
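To make the translation step concrete, here is an added example (not Intune's code and not its policy schema) that takes one platform-neutral policy and renders it two ways: as an Apple configuration profile, using Apple's documented restriction and passcode payload keys, and as a list of Android DevicePolicyManager calls. The neutral field names, the organization name and identifier, and the dict encoding of the Android calls are this example's own assumptions. It also shows the part a console has to handle honestly: not every neutral setting has a native equivalent on every platform, so the translator reports gaps instead of silently dropping them.

```python
import plistlib
import uuid

# Platform-neutral policy as an administrator might set it at a console.
# Field names are this example's own, not Configuration Manager's or Intune's.
NEUTRAL_POLICY = {
    "block_public_app_store": True,
    "require_passcode": True,
    "min_passcode_length": 6,
    "allow_camera": False,
}


def ios_profile(policy, org="Contoso", identifier="com.contoso.mdm.baseline"):
    """Express the policy as an Apple configuration profile (as a plist dict).
    Payload types and keys are Apple's documented ones; org/identifier are
    placeholders."""
    payloads = [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Restrictions",
        # Hiding the App Store is the iOS rendering of "no public app store".
        "allowAppInstallation": not policy["block_public_app_store"],
        "allowCamera": policy["allow_camera"],
    }]
    if policy["require_passcode"]:
        payloads.append({
            "PayloadType": "com.apple.mobiledevice.passwordpolicy",
            "PayloadVersion": 1,
            "PayloadIdentifier": identifier + ".passcode",
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadDisplayName": "Passcode",
            "forcePIN": True,
            "minLength": policy["min_passcode_length"],
        })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": org + " baseline",
        "PayloadOrganization": org,
        "PayloadContent": payloads,
    }


def ios_profile_bytes(policy):
    """Serialize to the XML plist form that would be pushed to the device."""
    return plistlib.dumps(ios_profile(policy))


def android_device_admin(policy):
    """Map the policy onto Android DevicePolicyManager calls. The method names
    are real API names; the dict encoding is an assumed agent-side format.
    Returns (calls, unsupported)."""
    calls = [{"method": "setCameraDisabled", "args": [not policy["allow_camera"]]}]
    unsupported = []
    if policy["require_passcode"]:
        calls.append({"method": "setPasswordQuality", "args": ["PASSWORD_QUALITY_NUMERIC"]})
        calls.append({"method": "setPasswordMinimumLength",
                      "args": [policy["min_passcode_length"]]})
    if policy["block_public_app_store"]:
        # Assumption for this example: the stock Device Administration API of
        # that era has no call to hide or block Google Play, so the gap is
        # reported (vendor MDM extensions would be needed to enforce it).
        unsupported.append("block_public_app_store")
    return calls, unsupported


def translate(policy, platform):
    """Dispatch one neutral policy to a platform-specific rendering."""
    if platform == "ios":
        return ios_profile(policy), []
    if platform == "android":
        return android_device_admin(policy)
    raise ValueError("unsupported platform: " + platform)


if __name__ == "__main__":
    for platform in ("ios", "android"):
        rendered, gaps = translate(NEUTRAL_POLICY, platform)
        print(platform, "unsupported settings:", gaps)
    print(ios_profile_bytes(NEUTRAL_POLICY).decode())
```

The reported gap is the point: a single console is only as good as its weakest translation, so the console should surface settings it could not enforce on a platform rather than let the administrator believe the policy is uniform.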
Web Application Proxy is a reverse proxy used to “publish” corporate resources to users according to the policies created in Configuration Manager. Web Application Proxy can be used with Work Folders to synchronize files between the mobile device and an enterprise Windows Server 2012 R2 server. Work Folders are a good example of how Configuration Manager, Active Directory Federation Services (AD FS) and Web Application Proxy work together to prevent data leakage.
Conditional data access policies applied to Work Folders are enforced by Web Application Proxy based on the device’s certificate and the user’s identity in Active Directory. An Android app that uses sensitive data stored in Work Folders could be configured to work only from the on-premises Wi-Fi network and not from public Wi-Fi networks, while a data access policy for less sensitive data could allow another app to reach its data through Web Application Proxy from both on-premises and public Wi-Fi networks. Web Application Proxy can also manage access to other services, such as mobile applications built on the .NET Framework.
Also new and notable for BYOD devices: because Workplace Join writes a certificate onto the device, the user’s Active Directory credentials can be used to grant access to enterprise resources published through Web Application Proxy without joining the device to the enterprise’s domain.
Work Folders are available now on Windows 8.1. Leznek said “Work Folders are being ported to Android and iOS, but no release date is planned.”
Microsoft doesn’t use containers or wrappers to protect the device from poorly written or malicious apps. According to Leznek:
“Creating a container to separate an app and its data from other apps and the OS is more effectively handled by the operating system.”
This is a defensible approach: recent releases of Android and iOS sandbox each app and its data from other apps, so a separate container adds little on a healthy device. The caveat is that the sandbox is only as trustworthy as the OS that enforces it. On a rooted or jailbroken device that boundary is gone, which is why refusing such devices at enrollment matters more under this model than under a container-based one.
Microsoft’s MDM offering is a work-in-progress. Microsoft will use Windows 8.1 to define the mobile-first use case and build the first releases that integrate it into the System Center R2 unified management portfolio and then recreate this integration for Android and iOS.
Microsoft isn’t finished coding its cross-platform MDM offering yet, so the enterprise that is ready to give mobile users access to sensitive enterprise data now will need to choose one of the point MDM solutions to be compliant.
For enterprises already running System Center that have iOS, Android and Windows mobile devices to manage, this is worth investigating. Configuration Manager policies are very granular, too granular to explain completely here, but TechNet has plenty of detail for those interested.
Microsoft’s MDM is attractive, but integration isn’t finished yet
If the rich feature set and policies of System Center are integrated across the Android, iOS and Windows 8.1 mobile platforms, Microsoft will have an MDM offering that meets most enterprise compliance requirements. Managing personally owned and enterprise-owned mobile devices and PCs from one Configuration Manager console, based on the user’s Active Directory identity, is very compelling because it avoids duplicating administrative staff, user identity management and policy management for a second system.