You may have been reading up on the Enterprise Mobility Suite by Microsoft. Especially now that Windows 10 has been released, it seems like everything is becoming easier and simpler for end users, managers and admins alike while Microsoft is really pushing the Anywhere, Anyplace, Anytime concept.
Let me state first off that I believe these advancements are incredible, and I really feel Microsoft is heading in the right direction, but there are quite a few gotchas that you probably don’t know about that could hurt your implementation, although they may not all apply to you.
In my opinion, EMS as it currently stands, when used to manage Windows 10 laptops, tablets and desktops, is only suitable for very ‘light’ management situations unless there is an additional device management authority such as SCCM, fully configured and implemented as Internet facing, for true device and application management.
The Enterprise Mobility Suite as a standalone product for full Windows 10 is NOT suitable for almost all application deployment scenarios.
So basically, Enterprise Mobility allows you to securely enable anywhere, anyplace and anytime ways of working and accessing data by enrolling your devices into your Azure AD or your local Active Directory. But don’t be fooled: this process is not as streamlined or user friendly as you may believe. Let me talk about the different pros and cons in detail, and don’t forget the scope is ONLY Windows 10 on non-mobile devices (no phones).
Why could Enterprise Mobility be good for me?
- Self-service password reset and change, anywhere, anyplace, anytime, integrated into Windows 10
- Multifactor Authentication for most Microsoft services AND your own
- Single Sign-On to supported MS services and to your own directory when using ADFS
- Light management of devices
- Secure simple publishing of on-premises legacy websites without expensive proxies/vpn’s
- Selective wipe
- Conditional Access
- Highly customizable encryption
- Supports Android, Apple and Windows
Self-service password reset and change, anywhere, anyplace, anytime
Now this IS awesome. Password resets are the number one most frequent calls helpdesks across the world get, and a costly one too if you get down to the numbers. Allowing your users to securely reset or change their password using Multi Factor Authentication becomes a breeze with Enterprise Mobility. And they don’t have to be in the office to do it: Microsoft securely syncs the password change back to your on-premises Active Directory. Changing your password from the Windows 10 start menu will automatically direct you to the proper webpage if your Windows 10 machine was enrolled. From any other device, you’ll have to visit https://passwordreset.microsoftonline.com/. Learn how to set up self-service password reset here.
Multifactor Authentication for most Microsoft services and your own
The Enterprise Mobility Suite offers you Multi Factor Authentication across services through a handy app, a phone call or via text messages. This service works for most if not all cloud-based Microsoft offerings, but you are also allowed to download and install an MFA server into your own network if you prefer. MFA can then be used internally as well and supports a plethora of protocols (LDAP included, of course). Users can set up their own preferences using a portal that is automatically configured by the wizard. Don’t think this is a fully local implementation though: the phone calls are still made by Azure. When you enroll your Windows 10 device and you’re enabled for MFA, you’ll have to complete multi factor authentication before your device is joined to Azure AD.
Single Sign-On to supported MS services and to your own directory when using ADFS
Devices that have been enrolled in Azure Active Directory or in your own on-premises Active Directory, or that have been synced back, will automatically sign you into services such as the highly popular Office 365 and Azure Apps. More and more services are being added, and a lot of vendors are starting to see the benefits of SSO.
Light Management of Devices
If you’re not planning to assert a large degree of control over the Windows 10 devices your users use, and expect them to configure their device and install the software they like on their own, EMS is pretty cool. It allows you to configure the bare basics such as password policies, encryption requirements and a handful of other settings. You can view device status and compliance in the Intune Console or in Office 365 and offer remote support.
Secure simple publishing of on-premises legacy websites
Using Azure App Proxy and the included proxy connectors, you can publish any internal website to the world wide web without the need for an expensive firewall or proxy. The Azure App Proxy takes care of all the technical details and supports almost all commonly used authentication methods. Connections are always terminated in the cloud first, then forwarded to the on-premises webserver over a secure HTTPS tunnel. Of course it is possible to combine this with MFA and Conditional Access. Read here how to set it up.
Selective wipe
When more and more of your employees, or perhaps contractors, start using your services on their own devices, your data will likely also end up on those devices. Enterprise Mobility allows you to selectively wipe only that data, leaving their personal data intact and you without worry for a lawsuit 🙂 This sounds really cool, but it sounds better than it is: selective wipe only removes company data from applications that support this feature. Right now this is limited to the Office Suite only, and it is quite easy for users to circumvent this feature. In such cases you may still want to do a full wipe ‘just to be safe’.
Conditional Access
One of the more promising and interesting features of the EMS suite is the ability to limit access to your resources such as Exchange, SharePoint and OneDrive to devices that are managed by EMS and are compliant with EMS policy. This can be scoped, so you could easily pilot this functionality or only enable it for contractors or other less trusted parties. The error messages you’ll receive when attempting to access a protected resource from an unsecure device cannot be customized, and the way users are guided to become compliant is only suitable for more advanced users, but the feature itself is pretty cool. Learn how to set this up here.
Highly customizable encryption
With Azure Rights Management Service, as included in EMS, you can encrypt data in SharePoint Online, from the Office Suite, or in Exchange. This allows you to protect files even when they are no longer on your network, which is the key idea behind Azure RMS. You can set policies that determine exactly what people can do with your documents, including but not limited to the ability to open, edit, print or forward them, as well as time-based expiration.
Supports Android, Apple and Windows
Although this doesn’t pertain to Windows 10, I still want to say that it is awesome that Enterprise Mobility is anywhere, anyplace, anytime. So, also, any device. With the exception of Linux, where only web-based tools are supported, you can manage and monitor Android and Apple devices as well! They even have their own full suite of Office applications. This leaves your users free to choose a device that lets them work in the way they prefer. Your older non-SaaS/web-based business applications may not always work natively on these devices, but you can always use RemoteApp for those.
This one also doesn’t really pertain to Windows 10 devices, which have built-in A/V, but if you install the full Intune Client you can also protect your Windows 7, 8 and 8.1 devices with Microsoft Endpoint Protection, free of charge.
Why could Enterprise Mobility be bad for me?
- No reliable application deployment / management*
- No seamless enrollment / user experience
- No group policies / detailed management of clients
- No Windows Store integration
- No settings roaming
- Already using O365 MDM?
Reliable application deployment, management and seamless enrollment
When you enroll a Windows 10 device into Azure AD, you will NOT be able to deploy any type of application to this device out of the box, neither Store apps nor regular applications. The user first has to manually install the Company Portal app from the Windows Store. This has its challenges; read more about that under Windows Store integration.
If the user does manage to install the Company Portal app, it can literally take hours or days before published applications show up. And only Store apps actually show up; normal MSI/EXE applications cannot be deployed in this way. For that, you have to install the Intune Client application. This requires a manual download from a URL that you can only reach if you’re an Intune Admin, plus manual configuration your average user really won’t understand. If you’re using SCCM, you can compare this to installing the SCCM client. If you’re not having your users enroll their own devices, you can use Group Policy or another method to prestage the Intune Client on your users’ devices.
There is no reliable method to uninstall applications deployed using Intune, and custom script or detection methods are also not supported. The portal is only available in English.
So, basically, Enterprise Mobility with Intune still means you have to expend serious effort to bring a device fully under management if you want to do more than basic security settings, while you actually get less flexibility than you’d have using SCCM. I don’t recommend Enterprise Mobility as an application management or deployment solution.
Group policies / detailed management of clients
If you are used to SCCM baselines or Group Policy, you will feel quite left out on this front as well: there are only a handful of settings you can manage on devices that have been enrolled with Intune. You can find the list of settings here.
Windows Store integration
This is one of the things that baffled me the most. If I enroll my Windows 10 device into Azure AD, which is set to automatically enroll me into MDM (Intune) as described here, I won’t be able to use the Windows Store. It does sign me in using my work account, but when I want to download, for example, the Company Portal app, which I need for the very MDM EMS signs me up for, it forces me to sign out and sign back in with, believe it or not, a Microsoft Account!
Settings roaming
As with the Store integration, this built-in Windows 10 functionality to synchronise your settings and other preferences between devices is disabled until you add a Microsoft account instead of a work account, which is not something your average user will understand or may even have.
Update 05/02/2016: this is now in public preview!
Already using Office 365 as your MDM?
Then you should know that buying EMS and then setting up Intune will have no effect: your users and devices won’t show up in Intune until you create a service request in Office 365. This experience is also far from streamlined (although it was even worse in the past).