Peter Egerton is a Microsoft System Center Consultant for Inframon Ltd. He travels the UK designing, implementing, supporting and training on the Microsoft System Center product range. He has been an IT Pro for 14 years and in his spare time is a Community Leader for the Windows Management User Group (WMUG).
Today’s world is ever moving and ever evolving. Week by week there’s new software, new devices and people naturally want to keep up to date with the latest and greatest. Traditionally, trying to keep your corporate IT in line with this requires an army of staff and deep pockets. The days of a standard issue corporate machine are undoubtedly numbered - and I personally think this is a good thing.
I’m a consultant and I get to visit businesses and organisations all over the UK, and I often ask them if they do BYOD. Some do and some don’t, or at least they think they don’t. The fact is that even if they say they don’t, I can almost guarantee their users do, and often there’s not a lot they can do about it. People use email on their personal devices, swap USB drives between corporate and personal devices, VPN from a personal device; you name it, they will try it if it allows them to get their job done. What we are looking at there is really BYOD: accessing corporate resources from non-corporate devices.
As someone who spent around 12 years in IT support I know this can be a nightmare, but I also know that things can be made better: you can regain control while making life easier for your users by letting them use whatever device they can get their hands on. For starters, if devices are your bugbear then why not implement a Choose Your Own Device (CYOD) policy? Give the user a wider choice of devices and operating systems, but from a range that you have chosen. The technology now available lets you put a level of management on other operating systems, so you can include Apple Mac and Android in your CYOD range if you so choose.
Let’s look at some of our options:
Windows to Go
Make your corporate desktop mobile and give your users a Windows to Go USB stick so they can use their corporate desktop on their home device. This gives you flexibility, as the user can take it anywhere and use it with multiple devices, and it gives you security: you can encrypt it with BitLocker so your corporate data is protected, and the workspace marks the host machine’s internal disks offline so there is no ‘cross-contamination’ between the corporate desktop and the personal one. Two caveats worth knowing: that offline state is a default rather than a barrier (an administrator inside the workspace can bring the internal disk back online), and because the stick moves between machines, BitLocker on a Windows to Go drive uses a password rather than the host’s TPM. Also don’t forget the cost aspect: it’s a cheap solution for your occasional home workers or those who prefer to run their own device and maybe want to keep up with the latest and greatest. Once they’re done with work they can simply unplug it and use their personal desktop again.
For some detailed information on setting up Windows to Go in your environment take a look at this article to get you started.
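As an added example (not code from the original article), the following PowerShell, run elevated from inside a booted Windows to Go workspace, checks that the host’s internal disks really are offline and then turns on BitLocker with a password protector and an escrowed recovery password. The drive letter, the registry policy values (the same ones the ‘Require additional authentication at startup’ policy writes) and the decision to encrypt used space only are assumptions for this illustration.

```powershell
# Added example, not from the original article. Run elevated inside the
# Windows to Go workspace. Drive letter and policy keys are assumptions.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive   # the USB stick the workspace booted from, normally C:

# 1. Confirm the host's internal disks are offline. Windows to Go applies the
#    OfflineInternal SAN policy so fixed disks are not mounted by default; an
#    administrator can still bring them online, so this is a check, not a guarantee.
$internal = Get-Disk | Where-Object { $_.BusType -ne 'USB' }
$internal | Select-Object Number, FriendlyName, BusType, OperationalStatus | Format-Table -AutoSize

$online = $internal | Where-Object { $_.OperationalStatus -eq 'Online' }
if ($online) { Write-Warning "Host internal disk(s) are online: $($online.Number -join ', ')" }

# 2. The workspace travels between hosts, so it cannot rely on any one host's TPM.
#    Allow BitLocker to start with a password instead.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# 3. Encrypt the workspace with a password protector plus a recovery password.
#    Escrow the recovery password (AD, MBAM or a vault); here it is only shown.
$password = Read-Host -Prompt 'Workspace password' -AsSecureString
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -UsedSpaceOnly `
    -PasswordProtector -Password $password -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

$vol = Get-BitLockerVolume -MountPoint $osDrive
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Recovery password (escrow this): $($_.RecoveryPassword)" }

# 4. Verify: encryption may still be in progress, but protection must be on.
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The check in step 1 is the one to keep in your build documentation: if a user sees the host’s internal disk as Online inside the workspace, the ‘no cross-contamination’ property the article relies on has already been lost.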
RemoteApp and Microsoft VDI
If you want to deliver your corporate applications to your users, why not give them the applications they need over the wire? Give them a full desktop if you really want to. RemoteApp is a tool that has been around a little while now but seems to have reached prominence due to some recent feature enhancements which make the whole experience that little bit slicker. The basic functionality appeals to many folk I speak to: corporate applications delivered to a device (corporate or otherwise) with all the processing running in the data centre and no data stored on the end user’s device. Note that the ‘no data on the device’ part holds only as far as your collection settings enforce it: drive, clipboard and printer redirection will happily move data out of the session, so switch off the redirections you don’t need.
Again it’s flexible, as you can use it anywhere with an internet connection; it’s efficient, as you only need to make application or operating system patches, changes or upgrades in one place; and it’s secure. You can run this in your own data centre if you prefer, or Microsoft now offer RemoteApp in the cloud via Azure. As someone who has used this both on premise and through Azure I have to say that from a technical perspective the Azure set-up has to be easier.
If you choose Azure RemoteApp then you have a fixed choice of applications including Microsoft Office; the good thing about this is that it’s all maintained by Microsoft, with no patching, updating or hot fixing by you. That’s great, but not for all. If you want to deliver your own RemoteApps or desktops then you can use the RemoteApp Hybrid Deployment like this:
You essentially need to create a corporate ‘gold’ image which has all the applications you might need and upload that to Azure; you can then publish either the full desktop or selected applications from within it. As you can see from the diagram, these can be domain-joined machines which are subject to your group policies, can be fully managed with SCCM like a standard client, and can access your data in your data centre. Obviously you’re going to need to maintain this yourself, but if I think back to my early days in IT and trying to support travelling directors who randomly call in with problems from countries far away, giving them something like this would have been amazing.
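For the on-premises side of this (the RemoteApp and hybrid sections above), here is an added example, not from the original article, of publishing an application from an existing RD Session Collection with the RemoteDesktop module on Windows Server 2012 R2 and then tightening the collection so that data cannot leave the session. The broker name, collection name, application path and group name are assumptions.

```powershell
# Added example, not from the original article. Broker, collection, path and
# group names are assumptions; run on a server with the RemoteDesktop module.
#Requires -RunAsAdministrator
Import-Module RemoteDesktop

$broker     = 'rdcb01.corp.contoso.com'
$collection = 'Finance Apps'

# Publish Excel to the Finance group only; users outside the group do not see it
# in RD Web Access or in the RemoteApp feed.
New-RDRemoteApp -ConnectionBroker $broker -CollectionName $collection `
    -DisplayName 'Excel' -Alias 'excel' `
    -FilePath 'C:\Program Files\Microsoft Office\Office15\EXCEL.EXE' `
    -UserGroups 'CORP\Finance-Users'

# "Processing in the data centre, nothing on the device" only holds if the
# session cannot push files out: keep audio and time zone, drop drive, clipboard,
# plug-and-play and printer redirection.
Set-RDSessionCollectionConfiguration -ConnectionBroker $broker -CollectionName $collection `
    -ClientDeviceRedirectionOptions AudioVideoPlayBack,TimeZone `
    -ClientPrinterRedirected $false

# Idle and disconnected sessions left open on a shared or lost device are an
# exposure in their own right, so bound them.
Set-RDSessionCollectionConfiguration -ConnectionBroker $broker -CollectionName $collection `
    -IdleSessionLimitMin 30 -DisconnectedSessionLimitMin 60 -BrokenConnectionAction Disconnect

# Review the result.
Get-RDRemoteApp -ConnectionBroker $broker -CollectionName $collection |
    Select-Object DisplayName, FilePath, UserGroups
Get-RDSessionCollectionConfiguration -ConnectionBroker $broker -CollectionName $collection -Client |
    Select-Object ClientDeviceRedirectionOptions, ClientPrinterRedirected
```

The two Set-RDSessionCollectionConfiguration calls are deliberately separate because the client-redirection settings and the session-limit settings belong to different parameter sets of that cmdlet.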
If you want to explore this a little further there is an excellent 2 part blog post from Microsoft UK IT Pro Evangelist Ed Baker here.
System Center Configuration Manager (SCCM)
I feel I should make a special mention for Configuration Manager or SCCM as it’s frequently known because it is a product I specialise in and spend a lot of time working with. I realise I’m writing this on a Microsoft blog but I’m still an independent and I have to say it’s an awesome product which can enable flexibility, efficiency and security for your workforce.
I always think you can measure how valuable a piece of software is by taking it away and seeing how you get on without it. I’ve seen this with Configuration Manager: people soon realise how important it is to their daily work and how much time it saves them. You can deploy software to your users across multiple devices, and with the Application Catalog they can choose where they want to consume that application.
You can obviously manage your standard office-based desktop devices (over multiple operating systems, I might add), but often forgotten is the fact that you can also configure Configuration Manager for internet-based client management and manage clients that are rarely in the office. Bear in mind that internet-based clients talk to the site over HTTPS, so the site systems they use and the clients themselves need certificates from your PKI; plan that before you enable it. I won’t dwell on all the features of Configuration Manager as I’d be here a while, but I wanted to give a quick nod to the product just in case you haven’t seen it; you should really check it out.
If you want more information on Configuration Manager there is a huge community out there on the web – I’m part of it. If you want to trial Configuration Manager then you can download a 180 day free evaluation here.
I would also suggest checking out Microsoft Virtual Academy as an accompaniment before you implement your trial.
The icing on the cake – Enterprise Mobility Suite
Now I come to the latest offering from Microsoft in the world of Enterprise Client Management – Enterprise Mobility Suite. I class this as the missing link for client management as it completes the feature set which maybe some of the other tools on their own don’t cover. As the name suggests this is a suite of products and includes:
- Microsoft Azure Active Directory Premium
- Microsoft Intune
- Microsoft Azure Rights Management service
The image above gives you some of the highlights of each product, but these three combined offer you the flexibility to manage your devices on or off premise, domain joined or not, and the ability to stretch your resources depending on your requirements at the time by leveraging Azure. The efficiency comes in because it’s maintained by someone else, meaning you can get on with the productive stuff while someone else worries about the upkeep. Self-service password reset and multi-factor authentication are both efficient and secure, and the ability to remote wipe or reset mobile devices is, from experience, a really easy and efficient process.
You can easily create an Active Directory in Azure using the portal:
And you can see the simplicity of the portal once it has been created:
In here you can manage your users and groups as you would in your current Active Directory, configure the directory integration between the two, and view the available reports. Another really neat feature is Cloud App Discovery for SaaS applications: an agent on your users’ machines reports which cloud applications they are actually using (including the ones IT never sanctioned), and you can then add those applications to the directory and configure single sign-on with the users’ Active Directory accounts. A nice add-on is that Azure AD Premium grants you rights to use Forefront Identity Manager on premise, which is an awesome tool for hybrid identity management.
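The portal is the easy route, but the user, group and multi-factor settings described above can also be driven from PowerShell. The following is an added example, not from the original article, using the MSOnline module of the period (Connect-MsolService prompts for a Global Administrator account); the user, group and tenant names are assumptions. It creates a cloud user and a group, requires MFA for every member of the group, and then lists the licensed accounts that still have no MFA requirement, which is the check worth running on a schedule.

```powershell
# Added example, not from the original article. Tenant, user and group names
# are assumptions. Requires the MSOnline module and a Global Administrator.
Import-Module MSOnline
Connect-MsolService

# Create a cloud-only user and a group, then add the user to the group.
$user = New-MsolUser -UserPrincipalName 'jane.doe@contoso.onmicrosoft.com' `
    -DisplayName 'Jane Doe' -FirstName 'Jane' -LastName 'Doe' -UsageLocation 'GB' `
    -ForceChangePassword $true
$group = New-MsolGroup -DisplayName 'BYOD Users' -Description 'Users allowed to enrol personal devices'
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId

# Require multi-factor authentication for every member of the group.
# 'Enabled' makes the user register at next sign-in; 'Enforced' rejects
# sign-ins that have not completed registration.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State = 'Enabled'
Get-MsolGroupMember -GroupObjectId $group.ObjectId -All | ForEach-Object {
    Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($mfa)
}

# Check: licensed, non-blocked users who still have no MFA requirement at all.
Get-MsolUser -All | Where-Object {
    $_.IsLicensed -and -not $_.BlockCredential -and $_.StrongAuthenticationRequirements.Count -eq 0
} | Select-Object UserPrincipalName, LastPasswordChangeTimestamp
```

Note that setting StrongAuthenticationRequirements to an empty array removes the requirement again, so anyone with user-administration rights in the tenant can undo this; keep that in mind when deciding who holds those rights.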
Microsoft Intune allows you to manage all kinds of devices (iOS, Android, Windows Phone, Windows 8.1) from the cloud and apply a level of control and policy to the device that is being used to access your corporate data. In a BYOD or CYOD scenario this is ideal as it keeps both sides happy: you can manage and deploy applications to devices and the user can use whatever they want. You can also remotely wipe or reset devices at the click of a button for those occasions when someone leaves their device in a taxi (on a personal device, a selective wipe that removes only the company data and profiles is usually the right choice). You can see the list of available options in Intune.
You can also combine Intune with Configuration Manager to create a Unified Device Management scenario and leverage the added functionality of Configuration Manager whilst at the same time creating a single point of contact for all your device management needs. The efficiency of this alone has to be noted; there are numerous examples out there of the simplified management this configuration offers.
The final feature in the Enterprise Mobility Suite is Rights Management, and this is where the security of the whole offering becomes enterprise grade in terms of data protection. Azure RMS encrypts the file itself and embeds a policy in it, so the protection travels with the data wherever it is stored or sent. The policy says who (users or groups from your directory) may open the content, what they may do with it (view, edit, copy, print, forward and so on) and, if you wish, when those rights expire; you can publish these as templates so that users pick a classification rather than building the policy by hand. Because opening protected content means obtaining a use licence from the service (cached for a period so offline use still works), access can be audited, monitored and reported on across all the device types. A particularly nice feature is preventing copy/paste and even blocking screenshots of the content. One caveat: those usage restrictions are enforced by the RMS-enlightened application (Office, for example), not by the file format, so a camera pointed at the screen or an application that does not honour the rights is outside that control; treat the copy and screen-capture restrictions as reducing accidental leakage rather than stopping a determined insider.
At a high level Azure RMS policies work like this:
The full process is detailed by Microsoft if you want to know more.
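As an added example (not from the original article), here is how the classify-and-protect step looks from the command line with the Azure RMS protection cmdlets (the RMS Protection Tool, module RMSProtection): list the templates your tenant publishes, protect a whole share against one of them, and then verify that nothing in the share was left unprotected. The template name and the share path are assumptions; run it as the user who should own the protected content.

```powershell
# Added example, not from the original article. Template name and share path
# are assumptions. Requires the RMS Protection Tool (module RMSProtection).
Import-Module RMSProtection

# Templates come from the tenant: the two defaults plus any you have created.
# The first call prompts for sign-in to the Azure RMS service.
$templates = Get-RMSTemplate
$templates | Select-Object TemplateId, Name, Description

$template = $templates | Where-Object Name -eq 'Contoso - Confidential' | Select-Object -First 1
if (-not $template) { throw 'Template not found; check its name in the Azure portal' }

# Protect everything under the share in place. Office and PDF files remain
# openable in RMS-enlightened applications; other types become .pfile wrappers
# that only RMS-aware viewers can open, which is worth warning users about.
$share = '\\fs01\Finance\Board'
Protect-RMSFile -Folder $share -Recurse -InPlace -TemplateId $template.TemplateId

# Verify: anything still reported as unprotected needs a look (locked files,
# unsupported types, files written after the run).
Get-ChildItem -Path $share -Recurse -File | ForEach-Object {
    Get-RMSFileStatus -File $_.FullName
} | Where-Object Status -ne 'Protected'
```

Protecting in place is convenient for a one-off sweep; for an ongoing control, pair it with a scheduled re-run of the verification loop so that new files dropped into the share do not sit unprotected.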
I believe that Enterprise Mobility Suite ties together the various Microsoft offerings and for me creates a really attractive proposition for Enterprise Client Management. Further information can be found here.
IN SUMMARY, you should see that there are various options out there for you, whether you are on-premise, in the cloud or both, and whether you are a mobile organisation or a static one. Different products work for different businesses, so take a look and see what meets your requirements.
Going back to the question: how do you transform the tech in your workforce to enable flexibility, efficiency and security? I believe that by implementing at least some of the solutions outlined you will begin the transformation of your workforce, enabling flexibility and efficiencies both in front of and behind the desktop and, above all, securing that vital data which is at the core of every organisation.
Does this article help you see how you can transform the tech in your workforce, to enable flexibility, efficiency and security? Is there anything you would add? Let us know in the comments section below or via @TechNetUK.