Microsoft Expanding Mobile Device Management Capabilities in R2 Products
Microsoft explained how its next wave of products will address "consumerization of IT" issues in talks given last week.
The new mobile device management capabilities will depend on technologies arriving with the R2 wave of Microsoft products, particularly System Center 2012, Windows Server 2012 and Windows Intune. Microsoft plans to deliver a customer preview of System Center 2012 R2 and Windows Server 2012 R2 sometime this month, with product releases scheduled for year's end. Windows Intune won't be available as a preview, but the service also is scheduled for product release by the end of 2013.
In a TechEd overview called "Enabling People-Centric IT," which is Microsoft's phrase for the consumerization of IT and "bring-your-own-device" (BYOD) scenarios, Andrew Conway, director of product marketing for System Center, talked about how Microsoft has evolved its mobile device management capabilities, including for supporting non-Windows devices.
Evolving Management Capabilities
Conway said that Microsoft's people-centric IT approach began with the 2012 release of System Center Configuration Manager. In April of 2012, Microsoft had designed that product to have a more user-centric management focus, instead of being device-centric, he said. Microsoft also enabled mobile device management via Exchange ActiveSync in Configuration Manager. In June, Microsoft added an application-sideloading capability, by which IT pros can set up portals for user access to company apps. By September, Remote Desktop Services, Remote Desktop Protocol 8.0 improvements and dynamic access control improvements were added. Dynamic access control lets IT pros execute policy decisions across Windows Server, and it can set file-level access control. In December of 2012, with SP1 of Configuration Manager 2012, Microsoft integrated Windows Intune access. The team also added mobile device management support for Windows RT, Windows Phone 8, iOS, and Mac OS X on top of Windows 8 clients.
It's not exactly clear why Microsoft has two solutions that support mobile device management, namely Configuration Manager and Windows Intune. However, a recent blog post by Microsoft attempts to explain why both applications would be needed. Per that explanation, System Center 2012 R2 Configuration Manager by itself is capable of deploying and managing Windows Server 2012 R2 and Windows 8.1, and it can provision "certificates, Wi-Fi and VPN profiles" for end users. However, when the R2 version of Configuration Manager 2012 is used with Windows Intune, that combination enables a consistent experience for end users in installing corporate apps. It lets IT publish apps for access by various devices. It also lets IT pros control settings on Windows, iOS and Android devices, including the ability to wipe corporate apps and data from users' devices.
In an interview following the TechEd keynote, in which the people-centric IT approach was demonstrated, Conway suggested that the future of mobile device management for Microsoft was increasingly moving toward Windows Intune, mostly because of the cloud connection.
"The way we think about it is that [Microsoft's] customers increasingly want to manage mobile devices and personal devices from the cloud -- because they're more often than not connected to a cellular network and into the Internet than they are connected to the corporate network, for instance," Conway said. "And as we thought about the investments that we are making in mobile device management -- in particular, we're making those in Intune -- and so if you have Configuration Manager today, you plug in Intune and all of the new capabilities light up. Now, to answer your question, there are some capabilities that exist just solely in Configuration Manager. They are limited to management of the EAS [Exchange ActiveSync] connector. But going forward, we expect that customers will be adding Intune to their existing Configuration Manager deployments to really address this new trend."
Device Registration and Enrollment
IT pros can set up a "workplace join" for devices and they can add secondary authentication (typically a phone call to the user's smartphone), if wanted, as a security precaution. This secondary-authentication capability is enabled by PhoneFactor technology that Microsoft acquired. After registering a device in Active Directory, IT departments can get permission from the user to configure the device, too. That step connects the device to Windows Intune, in what Microsoft refers to as "the enrollment phase." Once the device is enrolled, IT can push down virtual private network (VPN) profiles and install a company portal app on the device to provide user access to applications.
The enrollment setup also gives IT organizations the ability to wipe corporate data and apps remotely, without touching the user's data. Windows Server 2012 adds a new "work folders" feature that lets IT set up a file share that users can access from anywhere and that can be synchronized. IT can set policies for these work folders, too, such as file encryption, multifactor authentication and dynamic access control. Corporate resources for end users get published through the company firewall using the new "Web application proxy" feature, which is a Windows Server 2012 R2 technology.
The workplace join capability adds the benefits of single sign-on, multifactor authentication and auditing capability. User profiles can be synced from on-premises Active Directory to Windows Azure Active Directory, which provides the cloud-enabled identity and single sign-on experience.
That was the overview given at TechEd, but Microsoft further breaks down these new R2 product capabilities and dependencies in a document, "Enabling People-Centric IT Preview Guide" (PDF), published this month.
Simpler Mobile Device Management?
Microsoft essentially will be offering a somewhat new way to manage devices using familiar tools such as Configuration Manager, provided that the organization has the licensing for the new R2 products. On that front, Conway contended that Microsoft is making things easier for organizations because of a change to per-user licensing.
"A lot of these point-MDM [mobile device management] vendors, they charge you per device," Conway said. "We're charging on a per-user basis for Intune, and if you have Configuration Manager today, we'll basically give you a step-up price to go from Configuration Manager to Intune. So if you buy Intune, Configuration Manager is included; if you already have it, we'll take that delta out of the price. We vastly simplified the licensing in December …. Aligned with our many customers who are buying Office 365 right now, it's way simpler than other vendors' [offerings] out there."
Maybe mobile device management is getting simpler, or maybe not, but the BYOD phenomenon is already here, according to Ovum. The analyst and consulting firm conducted a multimarket study of BYOD employees and found that "corporate BYOD activity" has been at nearly 60 percent for the past two years. Ovum made that conclusion based on a survey of "4,371 consumers across 19 different countries."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.