Why Unified Endpoint Management (UEM) Is Your Next Mobility Management Practice

With Microsoft’s Intune Graph APIs, partners can pull PCs, tablets and smartphones under one policy and control umbrella, commonly described as unified endpoint management, or UEM. That should be music to the ears of any partner with a mobility management practice — but beware Windows desktop admins seeking to preserve the status quo.


  • Learn about the new UEM opportunity for partners with expertise in mobility and endpoint management and security. Besides Microsoft, VMware and a raft of security vendors have compelling stories for partners.
  • Discover why end of life for Windows 7 could be the tipping point — and why you should never do a Windows 10 migration without the UEM discussion.
  • Hear what Brad Anderson, corporate vice president for Microsoft’s enterprise mobility and management group, has to say about the end of images and the dawn of auto provisioning from the cloud.

Content Summary

The Windows 10 Factor
Intune-Enablement for the EMM/UEM Ecosystem

The revolution in mobility that swept the workplace earlier this decade has created an uneasy divide in enterprise IT organizations: on one side, administrators who configure and manage PCs with traditional imaging methods and on the other, those who enroll smartphones and tablets owned by employees with modern device and app management.

Now there’s a major push to bring the two together, creating an opportunity for partners with expertise in mobility and endpoint management and security to play a key role in helping customers make the transition to what’s commonly described as unified endpoint management (UEM).

Bringing mobile device, app and PC management together is a significant change for most enterprises, especially those with formidable IT organizations staffed with administrators who have decades of training and skill using Microsoft’s System Center Configuration Manager or similarly sophisticated management tools and procedures. The UEM model shifts the emphasis from device management with different tools to managing each user’s identity, associated with conditional access to apps and data.

As with any change of this magnitude, seasoned administrators typically balk at the notion that the tools and processes used to configure, manage and secure PCs (and Macs) should give way to a simpler and less costly enterprise mobility management model. Enterprise mobility management (EMM) defies the traditional technical assumptions and operational norms of Windows management, which center on creating a gold image joined to Active Directory and governed by Group Policy.

Technology Components That Define the EMM Technology Market

  • Mobile device management (MDM): Monitor, manage, and secure endpoints, including smart mobile devices and Windows 10 systems
  • Mobile application management (MAM): Capabilities that enable organizations to deploy, secure, and manage apps utilized within the workplace
  • Mobile app development: Mobile app development and configuration capabilities including low and no-code solutions, that enable organizations to develop custom mobile apps across a range of devices and operating systems
  • Mobile content management (MCM): Secure access to corporate files and data specifically for smart mobile devices
  • Network access control (NAC): Governs and secures network infrastructure supporting use of mobile devices
  • Identity and access management (IAM): Identity management and authentication capabilities, important in managing and securing identity across numerous devices and apps
  • Telecom expense management (TEM): Functionality that supports the monitoring and management of mobile telecoms spending

Phil Poje, president of Tech Orchard, a Kansas City, Missouri, solution provider specializing in enterprise mobility management, comes across this obstacle all the time. Whenever Poje makes the pitch to bring EMM and Windows systems management together, business and IT managers are willing to consider it, but desktop administrators typically reject the idea.

“They see it as pure blasphemy,” Poje said, describing their traditional reaction when he presents the idea of moving to an EMM approach of managing PCs, Macs, Chromebooks and apps running on mobile devices and cloud services. These are frequently engineers who maintained certifications and best-practices for decades. The most experienced senior engineers command six-figure salaries.

“I’ve been in meetings where I thought they were going to throw stones at me,” Poje said. “It’s human nature. We’re going to protect our own turf. And you’ve got two guys sitting across from you at a table that have made their lives and their careers on knowing SCCM. Heck no they’re not going to be for [UEM] because they’re going to feel threatened. But as you well know, that never stops technology, never stops advancement because somebody feels threatened. When the dollars are big enough, trust me, the CIO will pull the lever on that deal all day long.”

The Windows 10 Factor

Until recently, Windows administrators had the upper hand on the technical side of the argument favoring the traditional approach to PC configuration, deployment and management. EMM solutions from the likes of VMware’s AirWatch business, MobileIron, Citrix, IBM, Samsung, BlackBerry and others let IT provide sandboxed access to corporate email and other apps on smartphones and tablets running iOS and Android. But given the proprietary interfaces and design model of Windows, managing PCs has been a whole different story.

Market Landscape: Enterprise Mobility Management, 2017

However, the tide started changing with the introduction of Windows 10. The fact that Windows 10 is optimized for EMM makes a compelling argument in favor of providing a common approach to enrolling, provisioning, implementing policies and deprovisioning PCs and all other devices with the same tools and processes.

Microsoft itself started pushing this idea several years ago when it released Intune and later incorporated it into the broader Enterprise Mobility + Security (EMS) service. Intune provides configuration and policy management of Windows, macOS and mobile devices. EMS also includes Azure Active Directory Premium and Azure Rights Management, which offers data loss prevention (DLP) and, more recently, intelligent threat analytics capabilities.

Last summer’s launch of Microsoft 365 brought a new offering that bundles Office 365, Windows 10 and optionally Dynamics 365 subscriptions, managed together with EMS. At that time, Microsoft stepped up its effort to promote the notion of using EMS to manage PCs and devices and started making the case that enterprises should think of a world without using SCCM to deploy and manage Windows.

“We are encouraging you to move away from imaging,” said Brad Anderson, corporate vice president for Microsoft’s enterprise mobility and management group, speaking at the company’s Ignite conference for IT pros in September. “Stop maintaining those images and all of the libraries and drivers and let’s move to a model where we can automatically provision you from the cloud.”

EMS and the Intune management console run in Microsoft Azure and provide self-service configuration of Windows 10 and other devices. A feature called AutoPilot, introduced by Microsoft last year, is designed to take a PC’s serial number and configuration settings, such as the employee’s network, applications, certificates and profiles. Partners or customers can manage the AutoPilot settings via Microsoft’s Windows Store for Business. When Microsoft launched AutoPilot, the company announced that several OEMs, including Dell, Fujitsu, HP, Lenovo and Panasonic, would offer it on their commercial systems. Besides Microsoft’s latest Surface PCs, so far only Dell has said it is offering AutoPilot on the new commercial systems it introduced in late April. Lenovo recently said it is testing it with customers, and HP reportedly will start offering AutoPilot this fall.

AutoPilot supports conditional access to certain data or applications, so if an employee is at a local coffee shop, using his or her own device or in a less secure setting than the office, certain restrictions are applied based on those conditions.

“All of this is done based upon the unique need of that individual and their role and identity inside of Azure Active Directory,” Anderson explained. The company calls OEM models with this out-of-box support “Microsoft 365-powered PCs,” though AutoPilot isn’t restricted to those devices.

Three-quarters of all enterprise PCs are managed by SCCM, according to Microsoft. Because only the most recent Windows 10 releases support the latest UEM and EMM capabilities, many organizations will not make a wholesale change overnight, since a vast majority still have large populations of Windows 7-based PCs in service.

However, as customers move to Windows 10, partners can help make the transition with a co-management bridge that allows administrators to use SCCM and Intune together. This is important if you are looking to persuade a reluctant customer to try a more phased migration approach.

Approaches to Managing Mobility

In one example offered by Microsoft, a customer could move Windows 10 updates to Intune while continuing to use SCCM for software distribution or deep system security configuration, an arrangement the company calls co-management. An organization can switch any function done in SCCM to Intune at its own pace, according to Microsoft. The company last year made it easier for partners to offer EMS as a one-stop solution by integrating Intune, Azure AD and Azure Information Protection into the Microsoft Azure cloud portal.

Intune-Enablement for the EMM/UEM Ecosystem

Microsoft has made a strong case for its EMS mobility management stack. In many instances, it’s practically free, especially for customers with Microsoft Enterprise Agreements. The company makes an equally strong case for the Microsoft 365 bundle, especially for those customers standardizing on Office 365, which automatically puts them on Azure Active Directory, which in turn has hooks into on-premises AD. Further simplifying the solution, partners can recommend the so-called Microsoft 365-powered PCs.

Gartner Vice President Michael Disabato said many customers are captivated by the notion that Microsoft’s Intune is effectively free. “Everybody says: ‘We’ve got an Office 365 E3 or E5 subscription and so we’ve got Intune and it’s free,’ and I tell them that there’s no such thing as a free puppy,” he said. “I had a full 17 years of happiness with a free puppy, but I can tell you it wasn’t free.” Depending on an organization’s requirements, EMS offers a strong baseline for EMM, but he advises IT managers that every customer must consider the level of security required and the overall nature of their client device footprint.

This year it’s going to become easier to sell the UEM approach, whether with Microsoft’s full EMS stack or in combination with some leading alternatives, most notably VMware’s Workspace ONE UEM solution. There are others, as well. The January release of the Intune APIs in the Microsoft Graph, which expose Windows mobile application management interfaces, has removed a key barrier to going with a UEM approach and is opening new doors for partners and customers.

While Microsoft provided the Intune Graph APIs last year as a technical preview, the general release is a key step in letting partners use the Windows Mobile Application Management (MAM) controls in their own practices.

Most of the key EMM vendors have said they will integrate these REST-based APIs into their solutions, and don’t underestimate how much this strengthens the case for a UEM approach to managing all client devices and PCs.

Disabato and his Gartner colleague Andrew Garver wrote a report on why this opens new doors. A key factor, they note, is Intune’s ability to control Microsoft’s Office mobile apps.

“Intune app protection (MAM) control is built directly into Microsoft Word, PowerPoint, Excel, Outlook and OneDrive for Business, and certain granular controls of these apps are only accessible to third parties through the Graph API,” according to the report. “With respect to identity management, corporate authentication and authorization into the Office applications are inextricably integrated with Azure AD — another example of integration that is forcing other EMM providers to extend the platform (e.g., via federation) rather than compete directly.”

Just as important for MSPs, exposure to the Intune platform through the Microsoft Graph API provides similar function to SCCM.

“Intune as a core management and configuration layer will be adequate for many organizations bought into the Microsoft ecosystem, yet extended by other vendors (including EMMs such as VMware Workspace ONE) where more specific functionality creates a niche or where tighter integration with the other vendor’s products is beneficial,” the report also states.

VMware has eagerly awaited the GA of these APIs. Its Workspace ONE is considered the most robust of the offerings, and now VMware can bring together its Horizon desktop as a service, VDI, VMware Identity Manager and AirWatch EMM solutions into a common UEM solution. Other options the company touts are its Boxer email and calendaring as an enterprise-class, secure alternative to Outlook and web mail, and its Blast remote display protocol for optimal client experiences.

In March, VMware released an update to Workspace ONE incorporating the Graph APIs and AI features from its acquisition of Apteligent last year. According to VMware, the AI features monitor system and application performance and feed a recommendation engine whose suggestions for managing the entire digital workspace appear in a common dashboard, where administrators can act on them.

The new Workspace ONE release also now includes a decision engine that can automate common functions, such as responding to vulnerabilities in Windows 10 endpoints with critical patches, and implementing conditional access controls at the individual or group level. VMware said this automation can offload mundane tasks and can integrate with third party tools such as ServiceNow and Slack.

VMware also announced in March the new Workspace ONE Trust Network, an ecosystem of endpoint security management providers. Carbon Black, CrowdStrike, Cylance, Lookout, McAfee, Netskope and Symantec are the initial vendors that will apply the Workspace ONE AI and automation features to their solutions when integrated with VMware’s UEM platform.

Many solution providers and MSPs in the VMware Cloud Partner Network have expressed interest in jumping on the rising interest among companies to accelerate their Windows 10 deployments with UEM in mind, according to Jeff McGrath, VMware’s senior director of product marketing.

“They really see the value because when doing outsourced management of Windows 10 systems, anything they can do to reduce costs and increase their margin on their services is a big win,” McGrath said.

Providing better endpoint management and security in unison has emerged as a key priority for enterprises. The key is not inhibiting employees’ ability to remain productive regardless of the device, who owns it or where it’s used.

The opportunity to unify endpoint management and remove the divide that exists in most large organizations is just unfolding. It will grow over the next two years as the end of mainstream support for Windows 7 approaches in 2020 and organizations further accelerate their Windows 10 upgrades.

“There are a lot of Fortune 1000 companies that are still infants when it comes to leveraging mobility,” Tech Orchard’s Poje said. “They’re just doing the basic MDM stuff. However, there is that subsection of companies of all sizes that are related leveraging mobility to provide additional productivity and use cases.”

Sponsored By: AT&T