Microsoft Enterprise Mobility Management (EMM) is Here

October 28, 2013

I’m pleased to announce the release of Microsoft’s Enterprise Mobility Management (EMM) solution comprised of Windows Server 2012 R2, System Center Configuration Manager 2012 R2 and Windows Intune.

In this article, I’ll walk you through each EMM component and illustrate the respective Microsoft capabilities.

Mobile Device Management (MDM)

This is the most general type of management, where IT can apply policies, configurations, provisioning, and settings to mobile devices enrolled with an on-premises MDM server or cloud-based service.

The Microsoft MDM solution interfaces with the management APIs exposed by the various mobile operating systems.  As with all MDM offerings on the market, this means there are variations in management capabilities across operating systems since each exposes a different set.

Policy settings for enrolled devices include:

  • Requiring passwords and associated configurations and restrictions
  • Enforcing device encryption
  • Allowing cameras and web browsers on iOS and Android
  • Allowing iCloud backup and document sync on iOS
  • Content ratings on iOS
  • Allowing cloud settings and credential sync on Windows 8.1
  • Internet Explorer settings on Windows 8.1
  • Allowing voice and data roaming on iOS
  • Deployment of user and device certificates for managed devices by using the Simple Certificate Enrollment Protocol (SCEP). These certificates can be used to support Wi-Fi and VPN connections.  Supported devices include those running iOS, Windows 8.1 and Windows RT 8.1, and Android.  Learn more on TechNet: http://technet.microsoft.com/en-us/library/dn261202.aspx
  • Deployment of VPN profiles that provision devices with the settings and certificates that they need to access corporate networks.  Supported devices include those running iOS, Windows 8.1, Windows RT and Windows RT 8.1.  Learn more on TechNet:  http://technet.microsoft.com/en-us/library/dn261217.aspx
  • Deployment of Wi-Fi profiles that provision devices with the settings and certificates that they need to access corporate Wi-Fi hotspots.  Supported devices include those running iOS, Windows 8.1, and Windows RT 8.1, and Android.  Learn more on TechNet:  http://technet.microsoft.com/en-us/library/dn261221.aspx
  • Detection of jailbroken iOS devices and rooted Android devices

A comprehensive matrix of supported policies per device can be found on TechNet:
http://technet.microsoft.com/en-us/library/dn376523.aspx

In addition to Remote Wipe, which removes everything from a device, we also have Selective Wipe, which removes company apps, data and management policies from the mobile device while leaving personal apps and data untouched.  Learn more on TechNet:  http://technet.microsoft.com/en-us/library/jj884158.aspx#bkmk_dev

Mobile Application Management (MAM)

A more specific type of management, MAM focuses on delivering native apps from a corporate app catalog to an employee device while giving IT the power to selectively remove downloaded apps and associated data without touching personal apps and data.

Microsoft provides a Company Portal (Self Service Portal) that is downloadable from the Windows Store, Apple App Store, and Google Play.  Windows 8/RT, Windows 8.1/RT/Pro/Enterprise, Windows Phone 8,  Android 4 and higher as well as iOS 6 and higher are all supported.  Users can download corporate apps to their device from the portal.

Figure: Company Portal

Corporate apps can also be pushed (user consent may be required) and remotely uninstalled from all devices except Windows Phone 8.  Public apps made available by IT can be deep linked to their respective public stores via the portal.  Remote apps can also be made available and accessed across mobile platforms via Remote Desktop Services (RDS) for high-security scenarios.  Administrators can view an inventory of installed corporate apps on the devices while not seeing the personal apps.

Figure: iPad Portal

A new Identity and Access feature is Workplace Join, which makes your mobile device known to your IT department by creating an object in Active Directory.  Employees can access applications and data everywhere, on any device, and get single sign-on when using browser applications or enterprise applications.

Figure: Workplace Join

Single Sign On (SSO) is facilitated via the new Web Application Proxy, which securely publishes corporate resources out to mobile devices without the need for VPN.  Active Directory Federation Services (ADFS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security.  ADFS supports Web single sign-on technologies that help information technology (IT) organizations collaborate across organizational boundaries.  Multifactor authentication boosts the level of secure access to corporate resources.

Mobile Information Management (MIM)

This is the most granular type of management, where IT policies are assigned directly to the data to ensure security no matter where it resides, where it flows to, or which app is using it.

Active Directory Rights Management Services protects and encrypts documents and Exchange email by identifying the rights a user has to a given file and removing the option to perform actions outside those rights.  This data loss prevention (DLP) capability keeps corporate email from being forwarded to external email accounts and data from being uploaded to third-party cloud file sharing providers.  Using our rights management technology means your mobile data is secure wherever it goes.

Mobile Content Management (MCM)

MCM covers secure distribution of, and mobile access to, documents for employees.

Secure mobile file synchronization is facilitated by Work Folders.  This is a secure share on Windows Server 2012 R2 that is made available to individual mobile devices that are Workplace joined.  In order to say “Goodbye” to Dropbox and “Hello” to corporate file sync, you’ll have to accept some security policies on your device.   Your IT department can encrypt the Work Folders on your device, require a password to sign in, and erase all the files in your Work Folders if you lose your device.

Figure: Work Folders

Our Dynamic Access Control technology can be used with the server share to classify and protect documents automatically based on their content.  Using Work Folders is a great way to make your work files available to all your devices, even when you’re offline.  You can even control whether files are synced over metered connections or while roaming.

Takeaways

System Center Configuration Manager is the Gartner Magic Quadrant Leader for Client Management Tools with the largest global market share.  With the majority of corporations using SCCM to manage their Windows and Mac desktops and laptops plus Windows, Linux and UNIX servers, this is management technology that you probably already own and a skillset your IT staff already has.  Over the years we’ve added support for managing new clients as dictated by their market share and customer requests.  Managing the growing variety of mobile devices roaming on wireless data networks via our Windows Intune cloud gateway allows you to leverage 20 years of SCCM “know-how” instead of purchasing point solutions.  You’ll get the massive scalability you’re looking for as well as the support and sustained engineering you’ve come to count on from Microsoft.


Category: Mobile Device Management

About the Author

A mobile strategist and cloud architect at Microsoft, Rob has spent his career as an entrepreneur, advisor, teacher, developer, speaker, and author of bestselling books on mobile and wireless technologies. A pioneer of the smartphone revolution, he drove the development of the mobile app ecosystem from its earliest days and co-founded the world’s first cloud-based mobile device management company.

Comments (21)

  1. kerryog says:

    Great Post Rob, way to clearly define the categories and SCCM’s features in each

  2. Richard Jones says:

    Looks really nice. I’m in the process of building a suite of Dynamics AX mobile/Win 8 apps. I wonder if I can make use of…

  3. Does the new Workplace Join feature described eliminate the need to include a product like Cisco ISE for the mobility platform and provide all of the necessary metadata to the environment for EMM to make decisions on who, what, when, where and how an individual application is made available?

  4. Darryl Baker says:

    Hi Rob,

    Really interested to know what the application for corporate app stores is called on the Apple and Google app stores?

    Regards

    Darryl

  5. André says:

    Hi Rob, nice article. I saw a video of you and Mathijs in which you used an EMM PowerPoint slide deck. Is that downloadable somewhere? I would like to use it.

    André
