Posey's Tips & Tricks
Mobile Management with Intune Misses the Mark
Windows 8 on mobile devices will be managed with Microsoft's cloud-based management tool. Here's why that's a bad thing.
Ever since I got my first real look at Windows 8 and Windows Server 8 last fall, I have been telling people that one of the best things that the new version has going for it is a comprehensive management strategy. After all, Microsoft was planning on releasing Windows 8 for desktops / laptops, tablets, and smart phones. The information that I got originally was that the operating system would be nearly identical from one device to another and that this consistency would make enterprise-level management much easier.
Sadly, nearly identical operating systems are not the same thing as identical operating systems. As I'm sure you have heard by now, Microsoft is releasing Windows 8 in two flavors. One is the x86 / x64 version and the other is an ARM version (intended for use on tablets and smartphones). The x86 / x64 version is being branded as Windows 8, while the ARM version is being branded as Windows RT (short for Windows Run Time).
For the most part Windows 8 and Windows RT are indeed very similar. However, there is at least one very important difference between the two. Windows RT cannot be domain joined. The reason why this is such a big deal is because System Center 2012 can only manage domain members. So much for a comprehensive management strategy.
This week I am attending TechEd in Orlando, and one of my goals for the conference was to find out what in the world the people at Microsoft were thinking and what their solution was for mobile device management going forward. My assumption was that Microsoft would probably recommend using Exchange Server for mobile device management. Exchange Server has a feature called ActiveSync Mailbox Policies that allows various policy elements to be applied to mobile devices. For example, you can enforce password rules, disable a device's camera or force the device to lock after a period of inactivity.
What I discovered was that Microsoft's preferred solution for mobile device management will be Windows Intune. Windows Intune isn't a new product. It has been around for the better part of the last two years. Even so, the Intune team has created at least three major revisions to the service within its short life. If you are not familiar with Windows Intune, it is a cloud-based management product.
I will be the first to admit that I haven't had a chance to try out the latest version of Windows Intune for myself yet. I did get to try Windows Intune last year, however. At the time, I was not impressed. The service seemed as though it might one day have potential, but it was nowhere near as powerful as System Center. I couldn't help but get the feeling that Microsoft created it just so that it could claim to have a cloud-based management service, even if Windows Intune really didn't do all that much.
Today I got to watch a demo in which Windows Intune was used to manage a variety of mobile devices. Windows RT wasn't among those devices, but presumably it will be supported once the new operating system has been released.
The demo was relatively short, but what I saw basically looked like a rehash of the same mobile device management policies that are available in Exchange Server today. I asked the presenter why anyone would even bother with Intune if they could do the same thing with Exchange. He said that the latest edition of Intune was capable of managing PCs and mobile devices through a single pane of glass, whereas the ActiveSync Mailbox Policies found in Exchange apply only to mobile devices (not PCs).
The presenter also said that Windows Intune can be used for software distribution. It has the ability to side load applications onto mobile devices. The ironic thing is that this capability is supported for iOS and Android, but not for Microsoft's own Windows Phone 7 devices. When I asked about the reason for this, I was told that Windows Phone 7 devices only support side loading of applications if the device is first put into developer mode. However, I can tell you from first-hand experience that putting a Windows Phone 7 device into developer mode isn't a big deal. I would think that Microsoft would have found a way to temporarily place Windows Phone 7 devices into developer mode, load the application, and then put the devices back into consumer mode. I have to assume that there are engineering challenges that I am simply unaware of.
In conclusion, I still think that Microsoft has a good thing going with Windows 8 and Windows RT, but I think that they missed a huge opportunity from a device management perspective. I can only hope that Microsoft adds domain enrollment capabilities to Windows RT and improves their overall strategy for mobile device management.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.