Microsoft Exec Outlines New Mobile Device Management Improvements
Microsoft's themes coming out of the TechEd keynote this year included mobile device management and security controls. Those themes were elaborated further in a Q&A phone chat on Tuesday with Andrew Conway, a senior director of Windows Server and management on Microsoft's enterprise mobility strategy team.
Conway said that this year's TechEd keynote announcements were built upon the Office for iPad and Enterprise Mobility Suite announcements made in March by Satya Nadella, Microsoft's new CEO. Those ideas centered on enabling bring-your-own device capabilities in organizations as well as supporting the growth of software-as-a-service applications as enabled by the cloud, while also empowering IT to protect corporate information, he explained.
Microsoft's device protection capabilities include support for "hybrid identity and access management," which is enabled by the new Azure Active Directory Premium service, which was made generally available in April. In addition, Microsoft supports information protection via Azure Active Directory Rights Management, which also is generally available.
Windows Intune Announcements
At TechEd, Microsoft announced two upcoming Windows Intune mobile device management capabilities. One of them is a new ability to use Windows Intune to manage Office Mobile Apps on Android and iOS devices, which is a capability expected to arrive "by the end of this calendar year," according to Conway. The TechEd keynote on Monday featured a demo by Julia White, general manager of Microsoft Office product management, showing that information copied from an Excel attachment could not be pasted into an unmanaged app on an iPad.
"What that means is you have the ability for IT to set policy around how those apps work, and, most importantly, what you can do with the data in those apps," Conway explained.
The second Windows Intune announcement was about a new app wrapping tool that is expected to arrive "later this year."
"We also announced that we would make available an app wrapping tool, which companies could use to wrap their line-of-business iOS and Android apps," Conway said. "And similarly, once those applications are wrapped, IT can use Intune to set policy around how those apps interact with other apps on the device, and, when I interact with data in those apps, what I can do with that data."
I asked Conway about the difference between a wrapper and a container in Microsoft's view. Based on his response, it seems that Microsoft sees its new app wrapper tool as something that will enable IT pros to set security polices "at the level of the app."
"Frankly, I don't see a huge difference between a wrapper and a container," he said. "I know a lot of the language here is nascent, but you might think of a wrapper as a container shrunk to the level of the app. If I can set policy around what that app does, then I've effectively wrapped or containered that app. So that's how I think about it at the level of the app."
He added that "there are certain things that you'll do at the layer of the app, which is what we've announced today with Office Mobile Apps and the app wrapping. You can call that 'a container'; you can call that 'a wrapper.' We're calling that 'app wrapping.'"
Apparently, there's a dispute over containerization vs. wrapping. At least, Forrester Research is investigating which approach is best for enterprise security and mobile deployments.
In addition, Microsoft is enabling security protections at the file level through its Azure Active Directory Rights Management Services. Conway suggested that rights management was just easier to deliver from the cloud.
"One of the challenges of RMS in the past was that it was, in some cases, challenging for people to deploy RMS on premises," he said. "So what we've done is we've taken RMS to the cloud. RMS allows you protect at the level of the data itself, and the data travels with a key, and it needs to call home to AD [Active Directory] and check that someone still has active credentials and is allowed to open and unencrypt that information with those keys. And so, with RMS, what we're doing is we're protecting at the level of the data itself. We've moved that to Azure. And we're also now allowing people, if they wish, to bring their own key to the Azure datacenter. If you're a customer that might be more cloud reluctant and you don't like the idea of us having the key in the datacenter, then we'll let you bring your own key to a hardware security module in the Azure datacenter."
New Azure RemoteApp Service
Microsoft also announced at TechEd that it has released a public preview of a new Azure RemoteApp service, which delivers Windows applications from the Microsoft Azure cloud to mobile devices. The Azure RemoteApp service "will be available later this calendar year," according to Conway.
"You can think of this [Azure RemoteApp] as Remote Desktop Session Host," he said. "What we've done, though, is we have rearchitected that for the Azure cloud. So if you are doing a Remote Desktop Services deployment on premise, you would have to deploy a gateway and manage that gateway; you'd have to deploy a broker, licensing server, a session host. And then, as you scale up or scale down that deployment, you'd have to manage the number of servers that you deployed into that so that you gave an appropriate level of service. With Azure RemoteApp, all of that would be taken care of by Azure. So it's a finished service. It's part of Azure. You access it through the Azure portal. And that's available right now for free in preview. We are not yet announcing pricing and licensing details for the GA [general availability release]."
Azure RemoteApp works with clients that use Microsoft's Remote Desktop Protocol (RDP). Most of those clients are currently available for testing.
"When it comes to accessing RemoteApp, basically you use our RDP client," Conway said. "We shipped these clients, at least the cross-platform clients, in the R2 timeframe, so that was last October. I do want to be clear about what clients we have today for access. We have an iOS client, we have an Android client, we have a Mac OS X client and we have a Windows client. All of those clients have been updated to work with the Azure RemoteApp service, and it's the same clients. We are in the process of updating the [Windows] RT client -- that will be coming soon. And we're in the process of updating our Windows Phone 8.1 client -- that will be coming soon as well. The [Windows Phone] 8.1 client is in preview right now."
Conway added that Microsoft also has a "rich ecosystem of partners" that is using Windows to deliver capabilities such as remote apps, session desktops and virtual desktop infrastructure (VDI). They typically use protocols from Microsoft or its partner Citrix. Microsoft's Azure RemoteApp user experience is different from VDI because only the apps are accessed from Microsoft Azure.
"VDI, unfortunately, is used inconsistently in the industry, but typically VDI is used to refer to a scenario where you are delivering a full Windows desktop or at least a desktop experience," he explained. "Citrix would call that a 'XenDesktop.' When you think about just delivering the app, [then] that's something that we call 'RemoteApp.' That's the feature of Remote Desktop Services. Citrix would refer to that as 'XenApp.' One is the apps in a running in a session environment; the other is desktop."
Mobile Device Management Solutions
It may seem confusing that Microsoft has two device management solutions, Windows Intune and System Center Configuration Manager. However, when it comes to mobile device management (MDM), that's the province of Windows Intune. However, management can be centralized within Configuration Manager via a connector, if wanted, Conway explained.
"We're delivering the MDM and the mobile app management capabilities that we talked about today in Intune, and Intune is the cloud service, and if you wish to use that just from the cloud, you can," he said. "If you have Configuration Manager on premises, and you wish to connect the two together because you're using ConfigMan today and you want to have visibility for all of those mobile devices in one place, you can do that too. I view that as a deployment choice."
Conway downplayed a statement by Brad Anderson, Microsoft's corporate vice president for Windows Server and System Center, that "Windows Intune is Configuration Manager from the cloud."
"I prefer to say that Windows Intune is our cloud-based MDM solution," Conway said. Its connection with System Center Configuration Manager is "very straightforward," using extensions, and it "looks like just another site server" in Configuration Manager, he explained.
"It's not like we're asking people to do huge updates to ConfigMan to consume this new [Windows Intune] stuff," he said. "It just needs updates and the extra Intune features just show up."
It's also possible to use the Windows Intune and Configuration Manager combination to manage hybrid networks. "That's really a deployment choice for customers who want to do that on-premises PC management and cloud-delivered MDM in one place," Conway said.