In pre-COVID times, people worked in offices, and data was monitored and controlled using proxy servers, firewalls and similar controls. End users kept their files in roaming profiles or via folder redirection. File sharing was allowed over SMB. Authentication and authorization were handled by Kerberos in Active Directory. In some organizations, USB sticks and external hard disks were not allowed in the office, or the USB ports themselves were blocked; the list of such configurations was endless.
And then COVID-19 came, halting all our day-to-day activities.
This unprecedented situation pushed users and IT admins alike to start working from home, forcing administrators to change the way they manage organizational devices.
Earlier, users, devices and data were confined to the office premises, in a controlled environment. The work-from-home scenario brought everything onto the open internet, and admins still need to manage users, devices and data.
With this shift, admins are in a state of either:
In hybrid mode, admins try to make the existing solutions work on internet-based machines over VPN. And then users forget to connect to the VPN, or they don't care about it at all.
Saying "start from scratch in the cloud world" would be an injustice. Take Group Policies as an example. Our admins have spent more than 20 years configuring these group policy settings. There are settings coming from the network team, the security team, the update compliance team, the server team, and the list goes on and on, year by year. Do I need to recreate them all?
On the other side, I can treat this as an opportunity to clean up settings that were configured a long time ago but are no longer required, applicable or relevant, or for which a better solution is now available. Just because something was configured once, it isn't fair to keep it forever. It's an opportunity to talk to the respective team and check whether they still need it.
Is it not fair to plan something in between, like migrating group policy settings using some tools?
Luckily, the Intune product group came up with a solution called Group Policy Analytics.
It is a tool in Microsoft Intune that:
Some older settings aren't supported, or don't apply to cloud-native Windows devices. After you analyse your GPOs, you'll know which settings might still be valid.
Mobile Device Management has advantages over on-prem group policies. The following table provides more information.
| Group Policy | Mobile Device Management |
| --- | --- |
| Changes require connectivity to your corporate network or VPN | Changes can be updated over the Internet |
| High impact on boot-time and performance | Lightweight policy management |
| Configuration drift is common and hard to predict | Configuration issues and conflicts are detected |
| Assumed results and enforcement | Reporting and monitoring from the MEM Admin Center |

GPO vs MDM comparison
If we need to frame it, the following phases can be considered.
1. Discover
2. Assess
3. Migrate
Discover
Assess
With Modern Management, where most solutions take advantage of the cloud, we may want to rethink existing solutions. Group Policy Objects are one such configuration, with thousands of settings available. Looking at the new Modern Management scenarios, many of those settings do not fit well and may need a new solution to explore.
While designing the new solution, the following things are considered:
When we think of Group Policies, they should also be aligned with the points mentioned above.
It is not necessary to deploy every single setting from Intune. However, at the end, the device should be secure enough, keeping the organization's security compliance requirements in mind.
We can follow the flowchart below to align the existing GPO model with the new solutions available.
During the assessment process, we should ask ourselves the following questions:
If a new cloud-ready solution is available, it's better to explore that option instead. A new cloud-ready solution is built with today's operational challenges in mind; the existing GPO-based solution may not fit current requirements.
Migrate
Fresh policies are recommended to be created directly in Intune. However, when we talk about migrating existing policies, a decision-making flowchart is needed. Below is one such flowchart for reference.
Once we confirm that we are going to migrate an existing GPO to Intune, we need to use Group Policy Analytics in the Intune portal.
We can further discuss the following points on how to achieve each of these line items.
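As an added example (not code from the original post or from the Intune product group), the following PowerShell script covers the Discover step and prepares the Migrate step: it inventories every GPO in the domain and exports each one as the XML report that Group Policy Analytics imports. It assumes the RSAT GroupPolicy module is installed and the account has read access to the domain's GPOs; the output folder is a placeholder, and reading link targets from the report's LinksTo elements is an assumption about the report schema.

```powershell
# Added example: inventory all domain GPOs and export each as an XML report
# (the format Group Policy Analytics in Intune imports).
# Assumptions: RSAT GroupPolicy module available, domain read access to GPOs,
# and $OutDir is a placeholder path you choose.
Import-Module GroupPolicy

$OutDir = 'C:\GPOExport'   # placeholder, change to your own export folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$inventory = foreach ($gpo in Get-GPO -All) {
    # Build a file name from a sanitised display name plus the GUID so two
    # GPOs with the same name never overwrite each other
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $xmlPath  = Join-Path $OutDir ("{0}_{1}.xml" -f $safeName, $gpo.Id)

    # XML report: this is the file you upload under Group Policy Analytics > Import
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $xmlPath

    # Link information supports the Discover/Assess phases: an unlinked or fully
    # disabled GPO is a cleanup candidate, not a migration candidate.
    # (Assumption: the report exposes link targets as GPO/LinksTo/SOMPath.)
    [xml]$report = Get-Content -Path $xmlPath -Raw
    $links = @($report.GPO.LinksTo | Where-Object { $_ })

    [pscustomobject]@{
        DisplayName      = $gpo.DisplayName
        Id               = $gpo.Id
        GpoStatus        = $gpo.GpoStatus        # e.g. AllSettingsEnabled / AllSettingsDisabled
        CreationTime     = $gpo.CreationTime
        ModificationTime = $gpo.ModificationTime
        LinkCount        = $links.Count
        LinkedTo         = ($links | ForEach-Object { $_.SOMPath }) -join ';'
        ReportPath       = $xmlPath
    }
}

# Full inventory for the Assess conversation with each owning team
$inventory | Export-Csv -Path (Join-Path $OutDir 'gpo-inventory.csv') -NoTypeInformation

# Quick view of the first cleanup candidates: nothing links to them, or every
# setting in them is disabled
$inventory |
    Where-Object { $_.LinkCount -eq 0 -or $_.GpoStatus -eq 'AllSettingsDisabled' } |
    Format-Table DisplayName, GpoStatus, ModificationTime -AutoSize
```

Run it from a domain-joined management workstation; the CSV gives each team the list of GPOs they own together with last-modified dates, and the per-GPO XML files are what you select when importing into Group Policy Analytics to see which settings have an MDM equivalent.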
Hope this helps.
Thanks
Bindusar Kushwaha