As businesses look to give employees flexible work environments, whether on desktops or mobile devices, in the office or out in the field, IT shops have had to scramble to consolidate the management of hardware using a single console.
With that IT goal in mind, Microsoft in 2011 launched its Intune cloud service to address the emerging enterprise mobility management (EMM) needs of the workplace.
After eight years, Microsoft decided to combine its Intune unified endpoint management (UEM) platform with its System Center Configuration Manager (ConfigMgr), enabling users to access both with just one interface.
The combined products – now called Endpoint Manager – make licensing for Intune available to all ConfigMgr customers to co-manage Windows devices. Between the two cloud services, more than 200 million devices are now being managed, according to Microsoft.
Along with a single management interface for ConfigMgr and Intune, Endpoint Manager includes the Device Management Admin Center (DMAC) and Desktop Analytics.
The software gives IT admins on-premises and cloud management tools as well as co-management options to provision, deploy, manage and secure endpoints – desktops, mobile devices and applications – across an enterprise.
Simply put, Endpoint Manager is designed to make it easier to manage a variety of devices in a way that protects corporate data while still allowing employees to do their jobs using both corporate and personal devices. It combines mobile device management (MDM) capabilities with mobile application management (MAM) and, while obviously tied to Windows 10 and other Microsoft products, it can manage hardware running other operating systems.
The re-branding of Intune this year had a few effects, according to Gartner research vice president Chris Silva. For one thing, all customers using ConfigMgr gained access to the feature set formerly known as Intune for their Windows devices, pushing them in the direction of UEM for those PCs.
Combining the two was Microsoft's answer to questions about whether traditional PC management tools like SCCM/ConfigMgr were finally dead. (They’re not.)
Traditional management tools will continue to play a role in co-managing PCs that require traditional lifecycle tasks like imaging, along with using MDM, according to Silva.
“All that said…, the total [endpoint devices] managed solely by UEM/MDM today is less than 5%,” Silva said. “We expect the number to grow more rapidly now that the question of which tool or tools are relevant for managing PCs has been answered by [Microsoft] that's managing them currently.”
Intune arrived eight years ago as companies were being forced to manage a sudden onslaught of devices accessing corporate data and networks – fallout from the bring-your-own-device (BYOD) trend that took off after the release of Apple's iPhone in 2007.
"Even if the workers are not mobile all the time, the way we do business today requires a different approach, and that's where Intune comes in," said Maura Hameroff, Microsoft's director of security product marketing. "We started with a cloud solution...to enable employees to have access to everything they need on the device they need."
As a subscription service, Microsoft charges companies on a per-user, per-month basis. Pricing starts at $8.74 per seat as part of Microsoft's Enterprise Mobility Suite, which includes Azure Active Directory, Azure Rights Management Services, and Advanced Threat Analytics.
TABLE OF CONTENTS
- How UEM (and Endpoint Manager) fit into the EMM market
- Widely available, rarely used
- What Endpoint Manager can do
- Carhartt tried Intune, ran into problems
- Brother International and its cloud consolidation plan
How UEM (and Endpoint Manager) fit into the EMM market
Driven by corporate BYOD programs, hardware management is shifting away from a Windows-dominant world to one that is increasingly diverse and includes iOS, Android and Apple devices. Gartner predicts that 80% of worker tasks will take place on a mobile device by 2020, increasing the momentum behind unified endpoint management (UEM), which allows all user-facing devices to be managed from a single console.
By 2022, Gartner said, 30% of company-owned Windows 10 PCs will be managed using EMM software or UEM tools. That should help companies boost operational efficiency. The difficult part for many will be choosing whether to use something like Intune, or to cobble together a management ecosystem built on software from a number of third-party vendors.
To be successful, any comprehensive UEM product, according to Gartner, will need to integrate with client management tools and meet the following objectives:
■ Provide a single console to configure, manage and monitor traditional mobile devices, PCs and IoT assets.
■ Unify the application of data protection, device configuration and usage policies.
■ Provide a single view of multidevice users for better end-user support and to gather detailed workplace analytics.
■ Act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure.
The big difference between MDM and UEM: The latter envisions managing desktop hardware as easily as mobile devices.
The majority of vendors whose software allows UEM come from the MDM and EMM market, and many have been adding Windows management capabilities over the past couple of years, according to Chris Silva, vice president of Gartner’s Mobile, Endpoint and Wearables Computing team.
"Many have recently expanded to support ChromeOS and macOS platforms as well, placing them in a position to take on management of multiple types of traditional endpoints alongside the mobile endpoints they manage," Silva said via email. "The slate of traditional client management tools vendors, or CMTs, have been slower to build out extensions to their traditional PC management tools to handle mobile devices and modern OSes (like Chrome), which require an MDM-like approach to manage. So, in short, the field looks very similar to past analyses of the MDM/EMM space."
In addition to Microsoft, other vendors offering UEM solutions include Blackberry, IBM, MobileIron and VMware.
In particular, VMware's AirWatch has been a standout in the capabilities it offers, particularly in enabling enterprises to "bridge" the gap between traditional client management software, such as System Center Configuration Manager (SCCM) or LANDESK, and modern UEM tools, said Bryan Taylor, research director on Gartner's Mobile, Endpoint and Wearables Computing team.
"Intune and AirWatch both have a larger set of features and functionality geared toward helping you through the transition to modern management," Taylor said about the Endpoint Manager predecessor.
The migration of traditional PC management to EMM/UEM tools is a "key strategic imperative" for companies, but the timeline for deployment depends largely on how quickly companies want to move in that direction – and how much money they're willing to invest, according to Gartner.
The research firm recommends that "Type A" organizations – those most aggressive in adopting new technology (about 10% of all enterprises) – should already be making the shift to UEM as of this year. These organizations believe technology is a strategic differentiator.
"Type C" organizations, or the least likely to quickly embrace new technology (about 20% of enterprises), should consider UEM by 2022.
The bulk of enterprises ("Type B" or 70% of organizations) fall somewhere in the middle. They currently use a mix of technology approaches and only a small number are actively moving into UEM this year; the majority continue to maintain separate PC management tools and processes, Gartner said.
"Over the next year, we'll start to see more testing of this. But for most organizations we're not going to see earnest efforts to start moving significant portions of their Windows and Mac to a modern management paradigm [UEM] for another two to three years," Taylor said.
Widely available, rarely used
More than 50% of large enterprises already have UEM tools, mostly through comprehensive licensing agreements, but only about 5% actually use those tools today.
"Most organizations are just trying to get their heads around what it means to start down this journey," Taylor said. "They’re planning and strategizing and experimenting."
Intune's adoption rate, prior to its inclusion in Endpoint Manager, had been going "gangbusters," he said, mostly because it comes with Microsoft's Enterprise Agreement (EA) – the company's volume licensing package for organizations with 500 or more users. Intune is bundled with Azure Active Directory (AD) in EA.
"You need Azure Active Directory to make just about any of their latest generation products work," Taylor said. "So, it's not an if but a when for most organizations."
Adoption is also being driven by the overwhelming popularity of Microsoft's subscription-based software suite, Office 365, which also requires Azure AD to work.
Endpoint Manager benefits because Microsoft requires it to set data protection policies for Office 365 mobile apps, in particular for the familiar "save as" command for any documents. Neither iOS nor Android knows what to do with the "save as" command in Microsoft Office.
Not surprisingly, Intune/Endpoint Manager evolved quickly over the past year as Microsoft moved to address many of its shortcomings; the Microsoft team seems to have gotten "religion" around the speed of mobile and has begun keeping up with the advances of other leading UEM vendors such as AirWatch and MobileIron, Taylor said.
"I've never seen a product team at Microsoft move so quickly," he said.
Gartner's magic quadrant for UEM vendors as of June, 2018.
What Endpoint Manager can do
Through Endpoint Manager's (Intune's) console, IT administrators can execute a UEM strategy where end users can be onboarded through any hardware platform, and rules can be applied governing which applications and what data they can access. UEM uses MDM APIs on mobile platforms to enable identity management, wireless LAN management, operational analytics and asset management. In theory, at least, UEM enables IT to remotely provision, control and secure everything from smartphones to tablets, laptops, desktops and now Internet of Things (IoT) devices from a single management console.
Some UEM products also allow mobile application management (MAM), letting IT admins control access to specific business apps – and the content associated with them – without controlling the entire physical device.
Many of the basic application and system provisioning functions required for business laptops and PCs running Windows 10 can now be done through that OS's EMM control consoles, which are enabled by Microsoft's Intune protocol. That means organizations with more recent Windows PC deployments can use consolidated management tools and unified policy and configuration platforms via UEM.
For example, the software's integration with Microsoft's Azure AD and Azure Information Protection enables admins to classify (and optionally protect) documents and emails by applying access rules and conditions. And Intune's integration with Azure Data Protection lets admins include watermarks on any images taken with a mobile device, whether company-issued or used via a BYOD corporate policy.
Intune's enrollment screen
To make device management easier – especially for Windows-based shops – Microsoft last year added native EMM functionality to Windows 10 and Windows 10 Mobile OS via Intune. That's in addition to Windows 10 Mobile OS, which has a built-in device management client to deploy, configure, maintain and support smartphones.
In all editions of Windows 10, including those for desktop, mobile and Internet of Things (IoT) hardware, the client provides a single interface through which Intune can manage any Windows 10 device.
Intune enables conditional access, including denial of access to devices that are not managed by it or not compliant with corporate IT policies; management of Office 365 and Office mobile apps; and management of PCs running Windows Vista or more recent Windows releases.
An open API also allows third-party software providers, such as SAP, to wrap their application access controls into Intune's UI.
"We also use AppConfig that works for any would-be Android containers, so we can port the OS functionality for any application that needs to be protected through Intune," said Microsoft's Hameroff. "Because of the deep integration management we have with applications, we're also protecting the data within an application. So, for example, you can enforce things like copy-and-paste block. Our SDKs also have that capability, so any application you wrap it with can have copy-and-paste block."
Endpoint Manager works with agent-based SCCM to support more advanced PC and server management capabilities.
(The primary subscription includes usage rights to SCCM, which allows organizations to manage PCs and mobile devices through the same management console – another benefit of a UEM strategy.)
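A simplified model of the conditional-access rule described above (access is granted only to a device that is both Intune-managed and compliant, and each compliance rule can be switched off on its own), added here as an illustration; it is not Intune's own code, and the policy settings, device fields and inventory records are constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class CompliancePolicy:
    """Compliance rules; each can be switched off individually (None/False)."""
    min_os_version: Optional[tuple] = None   # e.g. (13, 0) for version 13.0
    require_encryption: bool = False
    require_passcode: bool = False
    block_jailbroken: bool = False

@dataclass
class Device:
    """Constructed inventory record; field names are assumptions, not Intune's."""
    device_id: str
    platform: str          # "iOS", "Android", "Windows"
    os_version: tuple
    intune_managed: bool   # enrolled in Intune (or co-managed with ConfigMgr)
    encrypted: bool
    passcode_set: bool
    jailbroken: bool

def compliance_failures(device: Device, policy: CompliancePolicy) -> list[str]:
    """Return every rule the device fails under the policy (empty list = compliant)."""
    failures = []
    if policy.min_os_version is not None and device.os_version < policy.min_os_version:
        failures.append("OS version below minimum")
    if policy.require_encryption and not device.encrypted:
        failures.append("storage not encrypted")
    if policy.require_passcode and not device.passcode_set:
        failures.append("no passcode configured")
    if policy.block_jailbroken and device.jailbroken:
        failures.append("jailbroken or rooted")
    return failures

def conditional_access(device: Device, policy: CompliancePolicy) -> tuple[bool, str]:
    """Grant only if the device is BOTH Intune-managed AND compliant; deny otherwise."""
    if not device.intune_managed:
        # Unmanaged devices are rejected before any compliance rule is consulted.
        return False, "denied: device not managed by Intune"
    failures = compliance_failures(device, policy)
    if failures:
        return False, "denied: non-compliant (" + "; ".join(failures) + ")"
    return True, "granted: managed and compliant"

def access_report(devices: list[Device], policy: CompliancePolicy) -> dict[str, str]:
    """Map each device id to its access decision, for the admin to review."""
    return {d.device_id: conditional_access(d, policy)[1] for d in devices}

# Constructed sample policy and inventory (not data from any company in the article).
POLICY = CompliancePolicy(min_os_version=(13, 0), require_encryption=True,
                          require_passcode=True, block_jailbroken=True)
DEVICES = [
    Device("ios-001", "iOS", (14, 2), True, True, True, False),
    Device("ios-002", "iOS", (12, 4), True, True, True, False),      # OS too old
    Device("and-001", "Android", (13, 0), True, False, True, False), # not encrypted
    Device("byod-007", "iOS", (14, 2), False, True, True, False),    # never enrolled
]

if __name__ == "__main__":
    for dev_id, decision in access_report(DEVICES, POLICY).items():
        print(f"{dev_id}: {decision}")
```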
Carhartt tried Intune, ran into problems
John Hill, CIO for work clothes manufacturer Carhartt, used Intune to manage the company's mobile phone environment as part of an Office 365 rollout. But after running into several issues, his team abandoned it for a more comprehensive platform.
(Carhartt has 1,850 Windows PC clients, 300 corporate-issued smartphones and 200 phones under a BYOD policy; 95% of the smartphones run iOS.)
As part of a 2016 upgrade to its internal security program, Carhartt rolled out Intune through its Microsoft enterprise agreement. Hill admits he hadn't done a lot of research and assumed Intune would be easy to plug into his existing Microsoft environment.
Intune's control panel for device administration where security parameters can be selected.
Chris Walker, Carhartt's director of infrastructure, said the company leans more toward a BYOD policy, so a MAM strategy was appealing since the hardware platform used by employees would be moot. Problems with Intune mounted, though, and Carhartt eventually limited its deployment to its mobile environment.
"We had so many problems with mobile that there's no way I was going to add desktop to it," Walker said.
Most of the issues involved policy control, policy deployment and overall administration, Walker explained. He would run into random end-users losing access to all corporate applications and data; the IT staff then had to uninstall and reinstall Intune on the device or move the users out of a group and back into the group to regain access.
Hill said he even reached out to two different industry partners who had existing Microsoft practices for advice and help. Neither was able to solve the issue.
Another problem Hill described as "absurd" involved using too few management tools on Intune, which resulted in all the mobile and application controls being deployed at once. Because the company has a BYOD policy, and "80% of corporate-issued devices are used for personal" communications, Hill said he didn't want to have phones wiped of all data because they were misplaced or a wrong password was entered too many times.
"We didn't want to have an effect on those other things: their contacts, their personal pictures and those things that make people cagey about having a management tool on their phone," he said. "We were apparently doing too little for device management and that was apparently partially causing our issues. You should be able to load an MDM [toolset] and literally be able to turn every policy off.
"We were just trying to streamline things. That's how Intune is built; it has a list of 100 different options and you just turn them on or off. We were unable to reduce the controls," Hill added.
Early last year, Carhartt gave up on using Intune-only licensing and piloted – and later purchased – Microsoft's Enterprise Mobility Suite, which includes an Intune license while also offering MAM.
"It went really well and was easy to deploy. So, we essentially got rid of the independent Intune licenses and went all EMS, which gave us all those capabilities," Hill said. "That made life so much easier. Whatever apps you put in the container – and only those – is what is affected, without impacting the rest of the device."
One issue the company is still working out is the ability to support Windows, Apple and Chrome devices under one management console. "You really need three solutions to manage that," Walker said.
"The companies don't play well together. Maybe it's intentional," he added.
Brother International and its cloud consolidation plan
Tony Serignese, vice president of Information Technology at Brother International Corp., said his company also rolled out Intune to manage its mobile device environment. After deploying Office 365 five years ago, he later learned one of the licensing packages included Intune.
So in 2016, the company rolled it out, along with Microsoft Azure. Brother has about 1,800 Windows desktop clients along with nearly 500 mobile users, most of whom are on iOS, with a smaller percentage on Android.
Prior to using Intune, Brother had used MobileIron's MDM platform for several years. But as the number of mobile devices used for work-related functions increased, so did the cost of licensing the software.
"The support we had wasn't really good, either," Serignese said.
"The support for Android at the time was not as robust compared to Intune," said Kai Fan, a network systems infrastructure administrator. "For example, we'd have to download separate apps in order for email to work on Android. And for Intune, with the Outlook app, we could configure a native email client on an Android [device]."
Cost, however, was the main driver – that, and consolidating systems on Microsoft, Serignese said.
"The good thing is it won't cost me any more money; it's part of our [Office 365] licensing agreement," Serignese said.
One of the IT team's complaints, however, involved problems generating reports.
"They need to improve their reporting," Fan said. "You know the devices that are on it, you can see all that, but to do anything with the data – that's very difficult."
For example, Fan said, just pulling up a list of all the Android apps running on devices was an arduous task in Intune. "It should be something easy to get," Fan said.
Another complaint was how much manual work the installation required to complete. It took the department two months to deploy; Brother would hold "Intune deployment parties" twice a week, pulling in end users from pre-determined departments.
Intune took about 15 minutes per user to set up. "The most time-consuming part was people figuring out what their Apple ID was," said Kirit Nayee, Brother's senior technical lead for Microsoft and cloud platforms.
Implementing Intune's configuration and topology, however, was pretty straightforward, as was setting its management policies, according to Fan.
Moving to cloud-based services has been an ongoing theme at Brother, which now uses external services for both its ERP and CRM environments; it's also planning a move to Amazon Web Services beginning next spring.
"I can say for the guys in my office, there are so many more exciting things to do than worry about memory in a server going bad or did the backup run last night," Serignese said.
Using a cloud-based mobile management platform like Intune has given the IT shop a greater sense of control over its mobile environment – and new security capabilities that weren't available on its previous in-house MDM platform.
"We're just now starting to look at the security aspect of Intune," Serignese said. "By moving to it, there's a lot more capability we can look at and not have to buy yet another product."