Traditional Windows Desktop & Data Management
First it is important to recognise how Windows 10 can be managed. The traditional approach, Active Directory with Group Policy, is still available for domain-joined computers, and it works well in an environment where all computers are static and always connected to the corporate network. Where the traditional approach falls down is when user mobility enters the equation. The whole point of Group Policy is to enforce compliance and acceptable use of the computer systems, based upon your own requirements: security, functional and user requirements, application settings and application deployment.
When group policies are set, you need confidence that they are being applied successfully to your end-points. Group Policy is only refreshed when the client can reach a domain controller, so for a laptop user who is not office based and is out on the road all the time, it is not possible to ensure that your policies reach their device in a timely manner.
VPNs can mitigate the problem, but more often than not the user will only use the VPN if and when they need to access something hosted internally.
The chances are, however, that the user is online and accessing web-based content. For this scenario it therefore makes sense to have a policy and compliance mechanism that is itself cloud based; this is where Modern Management enters the fray.
This is a good point for me to mention the analogy of two different worlds of IT that currently exist:
1. The traditional client-server era, where we all had our own fiefdom of servers, desktop computers and users, nicely contained in our respective places of work; and
2. The mobile-cloud era, where not only are users mobile and working outside the traditional office, but many of our applications are also delivered using some form of cloud technology, such as SaaS.
Device compliance and control is what I have mainly discussed above, because it is what is familiar to us. Security has always been a concern, but when we had the luxury of our data being accessible only from within our network, the network perimeter was the security boundary. That is no longer the case. Most, if not all, organisations now struggle to reliably control the release of their corporate data into the wild.
With the advent of shadow IT and new ways of working on smartphones and tablets, corporate data is haemorrhaging from our corporate networks; the chances are that we no longer reliably know where it is being sent, how it is being used or where it is being stored. Add the increasing need for regulatory compliance and accountability for data leaks, and the security of our data becomes paramount.
As such, we no longer have the confidence and comfort of knowing that very little of our data leaves the corporate boundary. The security boundary is now the application or, more specifically, the data. We could go back to enforcing strict policies and curtailing the migration of data out of our corporate environment, but it is partly that approach that brought us to this point, so a new approach is needed: one that gives us confidence that we know where our data is, how it is being handled and that it is secure, and, most importantly, one that does not impact the user's ability to work in the manner they want to work.
Modern Management in conjunction with EMM* (enterprise mobility management) forms the foundation and, to some extent, the structure for us to do just that. Additional measures are necessary to form a complete solution and these will be discussed in a later post.
*NB: MDM (Mobile Device Management) was originally introduced to manage mobile devices, i.e. smartphones and tablets. As time has progressed many more types of device need to be managed, and the term MDM has largely been superseded by EMM (Enterprise Mobility Management) and, more recently, UEM (Unified Endpoint Management).
Microsoft Modern Management
There are numerous other articles online that discuss Modern Management but I’ll sum it up by over-simplifying and stating that it’s MDM (mobile device management) for Windows 10!
We have been using MDM for a number of years now and there are many different vendors with their own take on the ideal MDM solution, but for me VMware Workspace ONE Unified Endpoint Management (UEM), powered by AirWatch, is the most flexible and adaptable out there. In the early days of architecting MDM solutions I would frequently find that different MDM solutions offered differing functionality: whilst 90% of my customers' required features were present in one solution, the last 10% were only possible in a different one.
We should all be familiar with what MDM is and why it’s needed. Why, then, should we have one solution for managing our desktop computers and a completely different solution for all of our mobile devices? The easy answer is that we shouldn’t – and this is where Microsoft is coming from with the concept of Modern Management. We could have just one management platform for all of our devices.
With Windows 10, Microsoft has baked an MDM client into the OS from the outset, so a device can be enrolled and managed without ever being joined to a domain. Whilst Modern Management does not provide the same granularity that GPO management does (although the gap narrows with each release as more settings are exposed to MDM), the purpose of end-point management has shifted considerably from the days when Group Policy was introduced.
Group Policy was often used to lock down or restrict the user interface of the operating system and applications, and just as often the settings were intended simply to make the computers easier to use.
Modern Management, including the policies available in Intune or Workspace ONE, offers a set of controls much better suited to today's needs. For example, policies are available that keep corporate data and personal data separated on a device so that corporate data is not inadvertently leaked. Contrast this with the typical GPO of 10 years ago that merely hid a few menu items from the user, or stopped them changing their desktop background.
These days, improvements in the operating system and applications mean that many traditional end-point management policies are simply no longer necessary or practical. More than ever, though, the security of our data and our systems is of utmost importance, whether from an intellectual property, governance or regulatory perspective, and it is in granularly controlling how a device accesses, manipulates and stores data through its applications that Modern Management excels.
Taking this a step further, access to content can even be controlled contextually using a feature called conditional access, whereby access to data is granted only if the device meets certain conditions, such as being compliant with policy, connecting from a certain location, or using certain client applications. Note that a device with no compliance record at all does not satisfy a compliance condition: an unknown state is treated as unmet, otherwise an unenrolled device would sail straight through.
Additionally, how the data is used within the applications can be controlled; for example, copy and paste of data can be allowed only between managed applications, or data can be prevented from being stored locally on the device.
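To make the conditional access decision concrete, here is an added example in Python that is not part of the original post and not the code of Intune, Azure AD or Workspace ONE: a small evaluator that takes the three conditions named above (device compliance, location expressed as trusted network ranges, and approved client application) and returns a grant or deny together with every reason for the denial. The policy shape, field names, the 24-hour maximum age of a compliance report and the sample requests are all assumptions made for illustration; each real product expresses these conditions in its own schema. The example goes slightly beyond the text in one respect: it shows the fail-closed handling of a missing or stale compliance report, which is where a naive implementation gets it wrong.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AccessRequest:
    """What the policy service knows about one attempt to reach corporate data."""
    user: str
    device_id: str
    compliant: Optional[bool]                  # None: no compliance report on record
    compliance_reported_at: Optional[datetime]
    client_ip: str
    client_app: str


@dataclass
class ConditionalAccessPolicy:
    """Hypothetical policy shape, assumed for this example (not a vendor schema)."""
    trusted_networks: tuple = ("203.0.113.0/24",)   # RFC 5737 documentation range
    approved_apps: frozenset = frozenset({"Outlook", "OneDrive", "Teams"})
    max_compliance_age: timedelta = timedelta(hours=24)   # assumed threshold
    require_trusted_network: bool = False

    def from_trusted_network(self, ip: str) -> bool:
        try:
            addr = ip_address(ip)
        except ValueError:
            return False                       # a malformed address is never trusted
        return any(addr in ip_network(net) for net in self.trusted_networks)

    def evaluate(self, req: AccessRequest, now: datetime) -> tuple[bool, list[str]]:
        """Return (granted, reasons). Every unmet condition is recorded so an admin
        can see why a user was blocked; a single reason is enough to deny."""
        reasons: list[str] = []

        # Condition 1: device compliance. An unknown or stale report fails closed,
        # because "compliant three days ago" says nothing about the device now.
        if req.compliant is None or req.compliance_reported_at is None:
            reasons.append("no compliance report on record for device")
        elif not req.compliant:
            reasons.append("device is marked non-compliant")
        elif now - req.compliance_reported_at > self.max_compliance_age:
            reasons.append("compliance report is older than the allowed age")

        # Condition 2: location, expressed as trusted network ranges.
        if self.require_trusted_network and not self.from_trusted_network(req.client_ip):
            reasons.append(f"client address {req.client_ip} is outside trusted networks")

        # Condition 3: client application. Only managed/approved apps receive the data.
        if req.client_app not in self.approved_apps:
            reasons.append(f"client app {req.client_app!r} is not an approved app")

        return (not reasons, reasons)


# Constructed sample requests (not real telemetry), all evaluated at one fixed time.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

SAMPLE_REQUESTS = {
    "fresh_compliant_outlook": AccessRequest("alice", "LAPTOP-01", True, NOW - timedelta(hours=2), "203.0.113.10", "Outlook"),
    "stale_report": AccessRequest("bob", "LAPTOP-02", True, NOW - timedelta(days=3), "203.0.113.11", "Outlook"),
    "never_enrolled": AccessRequest("carol", "UNKNOWN", None, None, "203.0.113.12", "Outlook"),
    "hotel_wifi_browser": AccessRequest("dave", "LAPTOP-04", True, NOW - timedelta(hours=1), "198.51.100.7", "Chrome"),
}


def run_demo(policy: Optional[ConditionalAccessPolicy] = None) -> dict[str, tuple[bool, list[str]]]:
    """Evaluate every sample request and return the decisions keyed by scenario name."""
    policy = policy or ConditionalAccessPolicy(require_trusted_network=True)
    return {name: policy.evaluate(req, NOW) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (granted, reasons) in run_demo().items():
        print(f"{name:25s} {'GRANT' if granted else 'DENY '} {'; '.join(reasons)}")
```

Run as a script it prints one line per scenario; only the fresh, compliant device using Outlook from the trusted range is granted. The ordering of the checks does not matter for the decision, because every condition is evaluated and every failure is recorded rather than returning on the first miss; that is what lets the help desk tell a user whether to re-enrol, move networks or switch apps.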
In short, the controls that can be exerted via Modern Management are very much the controls we need to be thinking about in the mobile-cloud era.