First published on CloudBlogs on Jul, 30 2014
When I introduced the “
Managed Everything
” model in
this series’
previous post, I emphasized that niche management products (AirWatch or MobileIron, for example) are counterproductive compared to the huge benefits of a single, cohesive management system that can manage everything from mobile devices, to PC’s, to servers.
This kind of end-to-end enterprise management is in Microsoft’s DNA, and it’s something we continue to excel at today.
I encourage our customers and partners to have high expectations
for their management solutions and to fully leverage the infrastructures and solutions they purchase. For example, can your management solution effectively govern
both
corporate owned PC’s and personally owned mobile devices (which hold a mix of personal and corporate data)? Or, can your management solution proactively protect
both
corporate apps and corporate data? And, can your management solution actively adapt to
new
mobile device types,
new
platform updates, and
new
operational guidelines – all at a moment’s notice? Taking this even further: Can the infrastructure you’ve deployed
also
provide malware protection for your organization?
If your answer to all four of these questions is a solid “
No
” or a reluctant “Maybe,” then Microsoft has a solution that you are going to love! With things like Group Policy, System Center Configuration Manager (SCCM), System Center Endpoint Protection (SCEP), and the
Enterprise Mobility Suite
, Microsoft customers can always answer “
Yes!
” The importance of that answer simply can’t be overstated in the high-intensity, high-expectation world of IT.
One of the points
I have repeatedly made to the SCCM community
over the years is that the SCCM infrastructure that most companies have deployed in their enterprises can be used for
so many different things
. I have spent the majority of my career building enterprise infrastructure solutions – and I deeply understand the costs and complexities of deploying, securing and maintaining these infrastructures. Having seen so many different infrastructures in so many enterprises around the world, my advice is this: Deploy as few of these global infrastructures as possible and leverage the daylights out of the ones that you do deploy. This is one of the reasons why I love the SCCM product so much – it delivers an infrastructure that provides rich and sophisticated PC, device, and server management. Here in Redmond, our
Endpoint Protection
is built on that same infrastructure, and,
with the aforementioned connection to Intune
, all of your mobile device management can be done through the SCCM console. When using Intune + SCCM, all the data on your mobile devices are all stored in the SCCM infrastructure.
PC + Device Management
“
Managed Everything
” obviously implies that there is a lot for us to do – now
and
in the future. Our leadership presence in the
Gartner Magic Quadrant
for PC management is still unchallenged, and most enterprise organizations around the world rely on us for the workloads/scenarios that require deep management functionality. What this depth of PC management and device management expertise demonstrates is simple: A “Managed Everything” model doesn’t replace PC’s with devices, it extends the skills and use of the infrastructure you’ve already deployed to provide the best solutions available (for
any
device) in the IT industry.
Taking Command of Your Infrastructure Once and For All
The mechanics of the “Managed Everything” model are really straightforward: It centers on connecting your standard
SCCM
deployment to
Intune
. This is something I wrote about in a
widely circulated post
a few weeks ago, and the power of combining these two things is something I want every IT organization to experience. In a world where we are all constantly being asked to do more and be more efficient, fully leveraging the SCCM infrastructure you’ve already deployed is a
huge
bonus.
Here at Microsoft, we have a few “World View” points that are the foundation of our strategy, as well as the capabilities we are delivering for you. Here are three:
-
We have a world view that sophisticated/rich PC management will be an on-premises workload far into the future.
-
We have a world view that Enterprise Mobile device management should be delivered from the cloud.
-
We have a world view that organizations want a single console (
i.e.
pane of glass) to manage all their PCs and devices.
Seeing these world views spelled out may help you understand more about
what
we have been building,
where
we continue to invest in SCCM around PC management,
why
we have invested in Intune for mobile device management, and
why
we are now bringing all of this together in the SCCM console.
Part of the challenge we needed to address in bringing SCCM and Intune together was this: How can we use the cloud-based nature of Intune to quickly and easily update the SCCM administrative console whenever there are updates that the SCCM console needs? We knew we needed to avoid anything that would require the SCCM administrators to constantly have to download and install updates, and we wanted the updates made in Intune to automatically be downloaded from the cloud and lit-up in the SCCM console. I guess in some ways we needed to “SaaSify” SCCM. Sure, that may not be a word, but it does a great job of describing what we needed to do – and we were in a very innovative mood at the time.
To do this we built
Extensions for Windows Intune
. With Extensions for Windows Intune, whenever we add new features to Intune we are able to describe the additions that need to be made in the SCCM console in XML. Then, when the SCCM admin opens the SCCM console, they simply get a prompt that new updates from Intune are available, and the next step is being asked to approve the Extensions. When the admin chooses to then accept the Extensions, they are download and installed. Now the SCCM console is updated to reflect the new capabilities that are available in Intune and can be managed from the SCCM console.
And that is how we
SaaSify
the SCCM console. There is a constant stream of new capabilities being released for Windows, iOS, and Android devices, and this approach enables us to constantly stream down new capabilities from the Intune SaaS app to SCCM. This is how you can
all
of your PC’s and devices via the SCCM console.
It takes just a few mouse clicks for a SCCM admin to setup a connection from their SCCM infrastructure to Windows Intune and, once this done,
all
the devices in their organization that are managed by Windows Intune show up in the SCCM console. Once this setup is complete, the admin gets a consistent workflow UX for deploying apps and policies for both PCs and modern devices. There are already a lot of customers using Extensions for Windows Intune. If you are not one of them, why in the world not? :)
After all, there isn’t another management provider on the planet that can do this.
You can read more technical documentation about Extensions for Windows Intune
here
.
Why Your Hybrid Setup Really Matters (I mean,
Really
)
By combining SCCM and Intune, your
hybrid infrastructure
immediately becomes incredibly powerful and you have the ability to manage a lot more from the SCCM console. Here are just a few things you can do:
-
Deploying apps cross platform
With SCCM+Intune you can deploy an app to users across different platforms (e.g. iOS, Android and Windows) all from a single console. With this single console you’re using a consistent workflow and UX regardless of the devices you manage, and this means less training and time to support new devices or platform updates. This hybrid setup allows you to
simplify and unify
your management.
-
Setting policy cross platform
This hybrid management also allows you to set a single device security policy for all your device types and then push that out to all of them – no matter where they are or how they’re used within your infrastructure.
-
Wi-Fi configuration, VPN, certificate management – cross platform
Similar to policy controls, with the unified console you no longer have separate wireless LANs based on device platforms – instead you simply set up your Wi-Fi profiles once and then deploy them to all your devices types.
-
Inventory cross platform
Get a complete and accurate inventory of all your Windows, iOS, and Android devices in a single place. Desktops, laptops, tablets, phones, POS devices – all at a glance within the SCCM database.
The Future of Office Apps
In the very near future, this hybrid pairing of SCCM and Intune will also be able to manage your Office apps. Coming up, new versions of the Office apps will ship natively instrumented to be managed by the Windows Intune app restriction policies. This will allow IT to do things like manage copy/paste between apps, or control where the user can save information to/from an app.
There will also be a feature called “Conditional Access” which allows the admin to grant access to O365 (e-mail and OneDrive for Business) or on-prem Exchange/SharePoint
only
if
the device is managed by Windows Intune and meets the policy criteria. For example, you can set a policy that a mobile device can only get corporate e-mail if the device has a power-on password, is encrypted, and is not jail broken. If any of these criteria are not met the flow of e-mail to the device stops and the user’s corporate inbox is emptied except for a single e-mail that informs the user that their device no longer meets the required corporate criteria. Helpfully, that e-mail walks them through bringing the device back into compliance.
I used e-mail as an example here, but the conditional access capabilities we’re delivering in Intune can be applied to
any
corporate app.
To see some of this in action,
skip ahead to about 21:00
(especially around 22:30) in my recent keynote at Microsoft’s Worldwide Partner Conference.
These functionalities are incredibly valuable because they allow your end-users to use the apps they love (Office, for example), and you can implement the necessary controls to ensure they can only access information that meets IT policy. And, of course, the data on the device is protected too.
Note: Check out the
“Managed Everything” for Small Enterprises
post.