Review As Microsoft continues its corporate redefinition as a subscription-driven cloud slinger we should bear in mind that this path includes more than simply Office 365 or Azure.
Microsoft's Enterprise Mobility Suite (EMS) is slated to become an important new buzzword as it wraps up Windows Intune, Azure Active Directory Premium (AADP) and Azure Rights Management (ARM) into a single offering.
EMS offers data protection as well as device, identity and access management all in one easy-to-licence offering. The goal is to be everything you need to manage a device in this new, cloud-oriented future.
Windows Intune is the meat and potatoes of the EMS offering. Intune offers device and configuration management in a fairly easy-to-use browser-based interface. Intune can manage Windows PCs and Windows Phones, as well as Android and iOS devices.
Like any good mobile device management software, Intune supports remote lock, remote password reset and selective wipe. This last allows sysadmins to wipe the entire device or just remotely wipe corporate apps and data while leaving personal apps data alone.
Intune supports Remote to My PC (think Teamviewer) on Android and iOS as well as email profile management and data protection for iOS devices. Knox support has recently been added for Samsung Android devices, enabling secure management of a huge chunk of the Android ecosystem.
AADP is cloud-based identity and access management. Think single sign-on that marries your corporate directory to many of the SaaS apps that are being developed for Azure.
AADP comes with "machine-learning-driven security reporting and anomaly detection", which is a fancy way of saying that there is an algorithm in the authentication server that starts asking pointed questions if, for example, it sees you doing odd things like logging into web services from distant IPs.
AADP requires some effort in setup on the part of sysadmins. To get passwords to sync properly, you need to get ADFS set up on a server in your corporate domain. Without it, you can sync users but you will end up with different passwords internally and externally. (Though some admins may see this as a plus.)
ARM is a combination of encryption and file security permissions and policies reimagined for the cloud. Individuals and groups can be assigned rights to various bits of content including "read, copy, print, save, forward, and edit".
If the device is managed by Intune or System Center, or if the documents are hosted on Office 365, then the security permissions and policies will be applied. Office 2010 and newer also respects ARM.
Office 365 users can add policies requiring message encryption to be used. Similarly, policies can be applied which will snoop on email content to make sure files that don't have rights for external users to access them are not leaving the company via email.
In a fully managed corporate environment, ARM also prevents employees from using email to bypass security permissions, as the applications simply refuse to open a document to which the user wasn't granted access, even if emailed to them by someone who was.
If you want to license just Intune, the cost is $6 per user per month. It climbs to $11 per device per month if you want Software Assurance (including the rights to upgrade your Windows licence to Enterprise) and the Microsoft Desktop Optimisation Pack. Do note the per-user-per-month and per-device-per-month difference here.
Intune licences include System Center Configuration Manager (SCCM) and Endpoint Protection CALs. If you have already paid for SCCM and Endpoint Protection elsewhere in your licensing, then you can get Intune for only $4 per user per month. There is no discount for those seeking the Software Assurance variant.
AADP will set you back $6 per user per month and ARM is a relative lightweight at $2 per user per month. Based on the above, the EMS bundle of Intune (non-SA variant), AADP and ARM would cost $12 per user per month as individual components.
Microsoft is offering it for $7.50 per user per month if you buy it as a bundle, all prices in USD.
EMS supports Windows, Windows RT, Windows Phone 8, iOS, Android (with extra support for Samsung devices via KNOX) and – unofficially – BlackBerry.
The BlackBerry support is unofficial in large part because BlackBerry devices are managed only through Exchange ActiveSync (EAS). And although EAS is currently supported by both Intune and SCCM, Microsoft is officially moving away from the protocol.
EAS has proved to be a highly popular protocol, supporting access to email, calendar, contacts and tasks, as well as seeing use for device management and the transmission of security policies.
Generally, the user must accept the security policies to connect. However, enforcement of these policies is up to the client implementation of EAS and has been spotty at best.
EAS policies have traditionally included password management, remote wipe and various flavours of encryption, but modern mobile device management is moving beyond what EAS was designed to cover. Microsoft has instead chosen to use native device APIs where possible.
Microsoft naturally thinks its own APIs are tops – and make no mistake, they are pretty good – but iOS is top tier and Knox phones are pretty good too.
The rest of the Android ecosystem is patchwork and honestly rather crap, but Microsoft does the best it can with what is to hand and does it pretty well. A complete list of supported policies and devices can be found on TechNet.
It appears we live in a world where you need to subscribe to something to fully use some other thing
Of course, to get the full benefits of mobile device management you will want to be able to load company-coded applications onto your devices, as well as control what users can access from public app stores.
Do bear in mind that Windows Phone 8 requires an Enterprise ID from Microsoft in addition to a code-signing certificate from Symantec. Windows RT requires side-loading keys and iOS devices require an Apple Push Notification certificate.
It appears we now live in a world where you need to subscribe to something in order to fully use some other thing you are subscribing to.
You should be running the latest version of Windows Server as your file storage and to have the latest version of System Center to accomplish full integration between your corporate network and Microsoft's cloudy offerings.
Choose your blend
Like its CloudOS approach to Windows Server, Microsoft's device management solution embraces hybrid cloud computing. Those who have deployed System Center locally can use applications such as Configuration Manager to manage devices from behind their corporate firewall.
Those preferring a fully public cloud solution can use EMS. If you are looking for a mix of both you can use System Center integrated with EMS to make sure that your device management works from anywhere.
The biggest advantage of hybrid integration is that it gives systems administrators a single view of all devices in use. There is just one place to view and manage applications, configuration, security settings and policies.
EMS features a company portal where users can manage their own devices. The portal includes the ability to self-provision native apps, web apps and links to vetted applications from the public app stores. Users can set up synchronisation of work data, manage certificates and grab VPN and WiFi configuration information.
They can also add and remove devices from corporate management. However, Microsoft remains steadfast in its belief that no individual user will ever have more than five devices.
So if you are a sysadmin, developer, testbed tech, nerd or just a power user, be prepared to play musical devices with the company portal to make sure the ones you want to work on are active at any given time.
Outburst of sanity
Intune as a standalone, non-integrated offering is hard to resist. It is priced competitively against other cloudy mobile device management offerings and a strong competitor against other desktop management tools, such as the recently reviewed GFI Cloud.
Microsoft has done a god job of simplifying device management. It is almost as if the company took the folks who worked on Small Business Server 2011 and told them to make Intune awesome.
It has just the right amount of complexity: enough settings to adapt the product to the majority of use cases but no rabbit hole of obscure nerd knobs to twiddle, ultimately resulting in madness.
Intune even has a tolerable user interface without any space-wasting big coloured rectangles. How’s that for a nod to sanity?
The larger EMS bundle is pretty neat. If you are an all-Microsoft shop – or all Microsoft except for the mobile devices – then the integration of all the bits and bobs is good.
Like most things involving Microsoft's hybrid cloud offerings, however, it is a bit of pain to set up and a little too fragile for my liking.
EMS is nowhere near as complex to set up and manage as System Center proper. If you have a System Center deployment up and running then expect the level of difficulty in integrating EMS and System Center to be roughly on a par with running a hybrid Exchange/Office 365 setup. That is to say about two days of research, testing and documenting all the PowerShell commands you had to use.
The end-user portion of the exercise – which really boils down to the company portal – is reasonably straightforward and frustration-free. The whole system seems to have been designed from the start with both end-users and overloaded sysadmins in mind.
If you want a level of complexity that requires a PhD and two Microsoft Certified IT Professionals to properly configure and maintain, you can always use full-bore System Center. The integration between the two really does deliver the best of both worlds without much compromise.
Every now and again, Microsoft gets it right. This is one of those occasions. Well done to the EMS team. ®