As businesses look to give employees flexible work environments, whether on desktops or mobile devices, in the office or out in the field, IT shops have had to scramble to consolidate the management of hardware using a single console.
With that IT goal in mind, Microsoft in 2011 launched its Intune cloud service to address the emerging enterprise mobility management (EMM) needs of the workplace.
After eight years, Microsoft decided to combine its Intune unified endpoint management (UEM) platform with its System Center Configuration Manager (ConfigMgr), enabling users to access both with just one interface.
The combined products – now called Endpoint Manager – make licensing for Intune available to all ConfigMgr customers to co-manage Windows devices. Between the two cloud services, more than 200 million devices are now being managed, according to Microsoft.
Along with a single management interface for ConfigMgr and Intune, Endpoint Manager includes the Device Management Admin Center (DMAC) and Desktop Analytics.
The software gives IT admins on-premises and cloud management tools as well as co-management options to provision, deploy, manage and secure endpoints – desktops, mobile devices and applications – across an enterprise.
Simply put, Endpoint Manager is designed to make it easier to manage a variety of devices in a way that protects corporate data while still allowing employees to do their jobs using both corporate and personal devices. It combines mobile device management (MDM) capabilities with mobile application management (MAM) and, while obviously tied to Windows 10 and other Microsoft products, it can manage hardware running other operating systems.
The re-branding of Intune this year had a few effects, according to Gartner research vice president Chris Silva. For one thing, all customers using ConfigMgr gained access to the feature set formerly known as Intune for their Windows devices, pushing them in the direction of UEM for those PCs.
Combining the two was Microsoft’s answer to questions about whether traditional PC management tools like SCCM/ConfigMgr were finally dead. (They’re not.)
Traditional management tools will continue to play a role in co-managing PCs that require traditional lifecycle tasks like imaging, along with using MDM, according to Silva.
“All that said…, the total [endpoint devices] managed solely by UEM/MDM today is less than 5%,” Silva said. “We expect the number to grow more rapidly now that the question of which tool or tools are relevant for managing PCs has been answered by [Microsoft] that’s managing them currently.”
Intune arrived eight years ago as companies were being forced to manage a sudden onslaught of devices accessing corporate data and networks – fallout from the bring-your-own-device (BYOD) trend that took off after the release of Apple’s iPhone in 2007.
“Even if the workers are not mobile all the time, the way we do business today requires a different approach, and that’s where Intune comes in,” said Maura Hameroff, Microsoft’s director of security product marketing. “We started with a cloud solution…to enable employees to have access to everything they need on the device they need.”
Microsoft sells the service as a subscription, charging companies per user, per month. Pricing starts at $8.74 per seat as part of Microsoft’s Enterprise Mobility Suite, which includes Azure Active Directory, Azure Rights Management Services and Advanced Threat Analytics.
How UEM (and Endpoint Manager) fit into the EMM market
Driven by corporate BYOD programs, hardware management is shifting away from a Windows-dominant world to one that is increasingly diverse and includes iOS, Android and Apple devices. Gartner predicts that 80% of worker tasks will take place on a mobile device by 2020, increasing the momentum behind unified endpoint management (UEM), which allows all user-facing devices to be managed from a single console.
By 2022, Gartner said, 30% of company-owned Windows 10 PCs will be managed using EMM software or UEM tools. That should help companies boost operational efficiency. The difficult part for many will be choosing whether to use something like Intune or to cobble together a management ecosystem built on software from a number of third-party vendors.
To be successful, any comprehensive UEM product, according to Gartner, will need to integrate with client management tools and meet the following objectives:
■ Provide a single console to configure, manage and monitor traditional mobile devices, PCs and device management of IoT assets.
■ Unify the application of data protection, device configuration and usage policies.
■ Provide a single view of multidevice users for better end-user support and to gather detailed workplace analytics.
■ Act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure.
The big difference between MDM and UEM: The latter envisions managing desktop hardware as easily as mobile devices.
The majority of vendors whose software allows UEM come from the MDM and EMM market, and many have been adding Windows management capabilities over the past couple of years, according to Chris Silva, vice president of Gartner’s Mobile, Endpoint and Wearables Computing team.
“Many have recently expanded to support ChromeOS and macOS platforms as well, placing them in a position to take on management of multiple types of traditional endpoints alongside the mobile endpoints they manage,” Silva said via email. “The slate of traditional client management tools vendors, or CMTs, have been slower to build out extensions to their traditional PC management tools to handle mobile devices and modern OSes (like Chrome, which require an MDM-like approach to manage). So, in short, the field looks very similar to past analyses of the MDM/EMM space.”
In addition to Microsoft, other vendors offering UEM solutions include Blackberry, IBM, MobileIron and VMware.
In particular, VMware’s AirWatch has been a standout in the capabilities it offers, particularly in enabling enterprises to “bridge” the gap between traditional client management software, such as System Center Configuration Manager (SCCM) or LANDESK, and modern UEM tools, said Bryan Taylor, research director on Gartner’s Mobile, Endpoint and Wearables Computing team.
“Intune and AirWatch both have a larger set of features and functionality geared toward helping you through the transition to modern management,” Taylor said about the Endpoint Manager predecessor.
The migration of traditional PC management to EMM/UEM tools is a “key strategic imperative” for companies, but the timeline for deployment depends largely on how quickly companies want to move in that direction – and how much money they’re willing to invest, according to Gartner.
The research firm recommends that “Type A” organizations – those most aggressive in adopting new technology (about 10% of all enterprises) – should already be making the shift to UEM as of this year. These organizations believe technology is a strategic differentiator.
“Type C” organizations, or the least likely to quickly embrace new technology (about 20% of enterprises), should consider UEM by 2022.
The bulk of enterprises (“Type B” or 70% of organizations) fall somewhere in the middle. They currently use a mix of technology approaches and only a small number are actively moving into UEM this year; the majority continue to maintain separate PC management tools and processes, Gartner said.
“Over the next year, we’ll start to see more testing of this. But for most organizations we’re not going to see earnest efforts to start moving significant portions of their Windows and Mac to a modern management paradigm [UEM] for another two to three years,” Taylor said.
Widely available, rarely used
More than 50% of large enterprises already have UEM tools, mostly through comprehensive licensing agreements, but only about 5% actually use those tools today.
“Most organizations are just trying to get their heads around what it means to start down this journey,” Taylor said. “They’re planning and strategizing and experimenting.”
Intune’s adoption rate, prior to its inclusion in Endpoint Manager, had been going “gangbusters,” he said, mostly because it comes with Microsoft’s Enterprise Agreement (EA) – the company’s volume licensing package for organizations with 500 or more users. Intune is bundled with Azure Active Directory (AD) in EA.
“You need Azure Active Directory to make just about any of their latest generation products work,” Taylor said. “So, it’s not an if but a when for most organizations.”
Adoption is also being driven by the overwhelming popularity of Microsoft’s subscription-based software suite, Office 365, which also requires Azure AD to work.
Endpoint Manager also benefits because Microsoft requires it for setting data protection policies on Office 365 mobile apps, in particular around the familiar “save as” command for documents; neither iOS nor Android natively knows what to do with “save as” in Microsoft Office.
Not surprisingly, Intune/Endpoint Manager evolved quickly over the past year as Microsoft moved to address many of its shortcomings; the Microsoft team seems to have gotten “religion” around the speed of mobile and has begun keeping up with the advances of other leading UEM vendors such as AirWatch and MobileIron, Taylor said.
“I’ve never seen a product team at Microsoft move so quickly,” he said.
What Endpoint Manager can do
Through Endpoint Manager’s (Intune’s) console, IT administrators can execute a UEM strategy in which end users can be onboarded through any hardware platform and rules can be applied governing which applications and what data they can access. UEM uses MDM APIs on mobile platforms to enable identity management, wireless LAN management, operational analytics and asset management. In theory, at least, UEM enables IT to remotely provision, control and secure everything from smartphones to tablets, laptops, desktops and now Internet of Things (IoT) devices from a single management console.
Some UEM products also allow mobile application management (MAM), letting IT admins control access to specific business apps – and the content associated with them – without controlling the entire physical device.
Many of the basic application and system provisioning functions required for business laptops and PCs running Windows 10 can now be done through that OS’s EMM control consoles, which are enabled by Microsoft’s Intune protocol. That means organizations with more recent Windows PC deployments can use consolidated management tools and unified policy and configuration platforms via UEM.
For example, the software’s integration with Microsoft’s Azure AD and Azure Information Protection enables admins to classify (and optionally protect) documents and emails by applying access rules and conditions. And Intune’s integration with Azure Data Protection lets admins include watermarks on any images taken with a mobile device, whether company-issued or used via a BYOD corporate policy.
To make device management easier – especially for Windows-based shops – Microsoft last year added native EMM functionality to Windows 10 and Windows 10 Mobile via Intune. Windows 10 Mobile also has a built-in device management client to deploy, configure, maintain and support smartphones.
In all editions of Windows 10, including those for desktop, mobile and Internet of Things (IoT) hardware, the client provides a single interface through which Intune can manage any Windows 10 device.
Intune enables conditional access, including denial of access to devices not managed by it or compliant with corporate IT policies; management of Office 365 and office mobile apps; and management of PCs running Windows Vista or more recent Windows releases.
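The conditional access rule just described (block sign-ins from devices Intune does not manage or does not report compliant) can be checked offline against a device inventory export. This is an added example, not Microsoft’s code: the inventory records are constructed, and their field names (`deviceName`, `complianceState`) are assumed to loosely follow the Intune managed-device schema; `evaluate_signin` and `audit_signins` are hypothetical helper names.

```python
"""Offline check of the 'managed AND compliant' conditional access rule.

A sign-in is allowed only if the device appears in the Intune inventory
and its complianceState is exactly "compliant". Anything else
(noncompliant, unknown, error, not enrolled) fails closed.
"""
import json
from typing import Dict, List, Tuple

ALLOW, DENY = "allow", "deny"

# Constructed inventory export; shape loosely mirrors Intune managedDevices.
SAMPLE_INVENTORY = json.dumps({"value": [
    {"deviceName": "WS-001",   "operatingSystem": "Windows", "complianceState": "compliant"},
    {"deviceName": "WS-002",   "operatingSystem": "Windows", "complianceState": "noncompliant"},
    {"deviceName": "PHONE-07", "operatingSystem": "iOS",     "complianceState": "unknown"},
]})

# Constructed sign-in attempts; HOME-LAPTOP is not enrolled at all.
SAMPLE_SIGNINS = ["WS-001", "WS-002", "PHONE-07", "HOME-LAPTOP"]


def load_inventory(raw_json: str) -> Dict[str, Dict]:
    """Index the export by device name for O(1) lookup during evaluation."""
    return {d["deviceName"]: d for d in json.loads(raw_json)["value"]}


def evaluate_signin(device_name: str, inventory: Dict[str, Dict]) -> Tuple[str, str]:
    """Return (decision, reason) for one device attempting to sign in."""
    device = inventory.get(device_name)
    if device is None:                      # not managed by Intune -> deny
        return DENY, "device not enrolled in Intune"
    state = device.get("complianceState", "unknown")
    if state != "compliant":                # noncompliant/unknown/error -> deny
        return DENY, f"complianceState={state}"
    return ALLOW, "managed and compliant"


def audit_signins(signins: List[str], raw_inventory: str) -> List[Tuple[str, str, str]]:
    """Evaluate every sign-in and return (device, decision, reason) rows."""
    inventory = load_inventory(raw_inventory)
    return [(name, *evaluate_signin(name, inventory)) for name in signins]


def denied_devices(signins: List[str], raw_inventory: str) -> List[str]:
    """Names of devices the rule would block; useful for a helpdesk report."""
    return [name for name, decision, _ in audit_signins(signins, raw_inventory) if decision == DENY]


if __name__ == "__main__":
    for name, decision, reason in audit_signins(SAMPLE_SIGNINS, SAMPLE_INVENTORY):
        print(f"{name:<12} {decision:<5} {reason}")
```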
An open API also allows third-party software providers, such as SAP, to wrap their application access controls into Intune’s UI.
“We also use AppConfig that works for any would-be Android containers, so we can port the OS functionality for any application that needs to be protected through Intune,” said Microsoft’s Hameroff. “Because of the deep integration management we have with applications, we’re also protecting the data within an application. So, for example, you can enforce things like copy-and-paste block. Our SDKs also have that capability, so any application you wrap it with can have copy-and-paste block.”
Beyond those Windows 10 provisioning functions, Endpoint Manager works with agent-based SCCM to support more advanced PC and server management capabilities.
(The primary subscription includes usage rights to SCCM, which allows organizations to manage PCs and mobile devices through the same management console – another benefit of a UEM strategy.)