Microsoft Announces App Cloud Management Service for Windows RT Devices
Microsoft explained today how devices running Windows RT, or Windows 8 on ARM hardware, can be used for both personal and business purposes, even while organizational control is maintained over application access.
This new Windows 8 management approach was described in a blog post by Jeffrey Sutherland, a program manager lead for Microsoft's management systems group. Microsoft has a "management infrastructure in the cloud" approach that's designed to authenticate Windows RT device users and provide access to an organization's applications. The method applies to ARM-based devices, but Sutherland added that much of the approach can apply to x86/x64-based devices too.
Microsoft has said recently that Windows RT devices, when available, will not be capable of Active Directory (AD) management, whereas x86/x64 devices running Windows 8 will have this basic IT management capability. Since AD provides a means for establishing user access within a Windows-based network, it was puzzling why Windows RT would lack direct AD support. The answer to that riddle now seems to be associated with this new management structure for Windows RT, which handles user access to apps. In the background, Active Directory is still part of the process.
Self-Service Portal for Getting Apps
Microsoft's solution for situations where a person uses their Windows RT-based personal device for work, in which they must access "line-of-business" applications on the organization's network, is an authentication approach that's associated with a self-service portal (SSP). This SSP houses Metro-style applications that were internally developed by an organization or developed by an independent software vendor. It also can include links to Web apps and links to Windows Store-based apps.
To get access to the SSP and install the apps listed there on a Windows RT device, a user supplies an e-mail address and password via an applet accessed through Windows 8's Control Panel. The SSP works with an agent that "configures the client to communicate with the organization's management infrastructure," according to Sutherland. This agent also can be used to automatically configure a user profile for virtual private network access to an organization's network.
IT pros can control who can connect to the SSP by specifying AD domain users permitted to use the service. Certain groups of users can be limited to specific app access, according to this scheme. The maximum number of devices per user allowed to access an app also can be specified.
The authentication process is performed over a Secure Socket Layer connection. The service returns an activation key to the user's device, as well as a certificate to access the apps on the SSP. The agent monitors the Windows RT device's security compliance by checking for the status of antispyware and antivirus installation, drive encryption and whether the Auto Update feature is turned on. All of that information is reported back to IT personnel monitoring the network.
Personal vs. Business Apps
The agent monitors which apps are installed on a Windows RT device. However, it only monitors the line-of-business apps installed via the SSP. It doesn't monitor apps installed through Windows Store, according to the blog. Updates to apps loaded to the SSP by an IT pro will get automatically downloaded to the client device.
For those times when users leave an organization, Microsoft has devised a way to disable Metro-style apps that were installed on those devices through the SSP. This "disconnection" process can be initiated by the user via the Control Panel or remotely by an IT department. The process doesn't actually remove the applications installed on a device, but the apps can't be launched, Sutherland explains. Instead, it removes the application certificates that were delivered by the service and stops checking security compliance policies.
So far, Microsoft has only enabled this Windows RT client management process for use with "a single management infrastructure at a time," but Microsoft may expand that capability by the time of Windows 8's release, according to Sutherland. In the case of multiple management infrastructures, the most restrictive policies predominate.
"In the case where more than one policy exists for the same Windows 8 device, the policies will be merged and the most restrictive configuration will be selected for each," Sutherland explained.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.