First published on CloudBlogs on Jul, 30 2014
When I introduced the “ Managed Everything ” model in this series’ previous post, I emphasized that niche management products (AirWatch or MobileIron, for example) are counterproductive compared to the huge benefits of a single, cohesive management system that can manage everything from mobile devices, to PC’s, to servers. This kind of end-to-end enterprise management is in Microsoft’s DNA, and it’s something we continue to excel at today. I encourage our customers and partners to have high expectations for their management solutions and to fully leverage the infrastructures and solutions they purchase. For example, can your management solution effectively govern both corporate owned PC’s and personally owned mobile devices (which hold a mix of personal and corporate data)? Or, can your management solution proactively protect both corporate apps and corporate data? And, can your management solution actively adapt to new mobile device types, new platform updates, and new operational guidelines – all at a moment’s notice? Taking this even further: Can the infrastructure you’ve deployed also provide malware protection for your organization? If your answer to all four of these questions is a solid “ No ” or a reluctant “Maybe,” then Microsoft has a solution that you are going to love! With things like Group Policy, System Center Configuration Manager (SCCM), System Center Endpoint Protection (SCEP), and the Enterprise Mobility Suite , Microsoft customers can always answer “ Yes! ” The importance of that answer simply can’t be overstated in the high-intensity, high-expectation world of IT. One of the points I have repeatedly made to the SCCM community over the years is that the SCCM infrastructure that most companies have deployed in their enterprises can be used for so many different things . I have spent the majority of my career building enterprise infrastructure solutions – and I deeply understand the costs and complexities of deploying, securing and maintaining these infrastructures. Having seen so many different infrastructures in so many enterprises around the world, my advice is this: Deploy as few of these global infrastructures as possible and leverage the daylights out of the ones that you do deploy. This is one of the reasons why I love the SCCM product so much – it delivers an infrastructure that provides rich and sophisticated PC, device, and server management. Here in Redmond, our Endpoint Protection is built on that same infrastructure, and, with the aforementioned connection to Intune , all of your mobile device management can be done through the SCCM console. When using Intune + SCCM, all the data on your mobile devices are all stored in the SCCM infrastructure.

PC + Device Management

“ Managed Everything ” obviously implies that there is a lot for us to do – now and in the future. Our leadership presence in the Gartner Magic Quadrant for PC management is still unchallenged, and most enterprise organizations around the world rely on us for the workloads/scenarios that require deep management functionality. What this depth of PC management and device management expertise demonstrates is simple: A “Managed Everything” model doesn’t replace PC’s with devices, it extends the skills and use of the infrastructure you’ve already deployed to provide the best solutions available (for any device) in the IT industry.

Taking Command of Your Infrastructure Once and For All

The mechanics of the “Managed Everything” model are really straightforward: It centers on connecting your standard SCCM deployment to Intune . This is something I wrote about in a widely circulated post a few weeks ago, and the power of combining these two things is something I want every IT organization to experience. In a world where we are all constantly being asked to do more and be more efficient, fully leveraging the SCCM infrastructure you’ve already deployed is a huge bonus. Here at Microsoft, we have a few “World View” points that are the foundation of our strategy, as well as the capabilities we are delivering for you. Here are three:

• We have a world view that sophisticated/rich PC management will be an on-premises workload far into the future.
• We have a world view that Enterprise Mobile device management should be delivered from the cloud.
• We have a world view that organizations want a single console ( i.e. pane of glass) to manage all their PCs and devices.

Seeing these world views spelled out may help you understand more about what we have been building, where we continue to invest in SCCM around PC management, why we have invested in Intune for mobile device management, and why we are now bringing all of this together in the SCCM console. Part of the challenge we needed to address in bringing SCCM and Intune together was this: How can we use the cloud-based nature of Intune to quickly and easily update the SCCM administrative console whenever there are updates that the SCCM console needs? We knew we needed to avoid anything that would require the SCCM administrators to constantly have to download and install updates, and we wanted the updates made in Intune to automatically be downloaded from the cloud and lit-up in the SCCM console. I guess in some ways we needed to “SaaSify” SCCM. Sure, that may not be a word, but it does a great job of describing what we needed to do – and we were in a very innovative mood at the time. To do this we built Extensions for Windows Intune . With Extensions for Windows Intune, whenever we add new features to Intune we are able to describe the additions that need to be made in the SCCM console in XML. Then, when the SCCM admin opens the SCCM console, they simply get a prompt that new updates from Intune are available, and the next step is being asked to approve the Extensions. When the admin chooses to then accept the Extensions, they are download and installed. Now the SCCM console is updated to reflect the new capabilities that are available in Intune and can be managed from the SCCM console. And that is how we SaaSify the SCCM console. There is a constant stream of new capabilities being released for Windows, iOS, and Android devices, and this approach enables us to constantly stream down new capabilities from the Intune SaaS app to SCCM. This is how you can all of your PC’s and devices via the SCCM console. It takes just a few mouse clicks for a SCCM admin to setup a connection from their SCCM infrastructure to Windows Intune and, once this done, all the devices in their organization that are managed by Windows Intune show up in the SCCM console. Once this setup is complete, the admin gets a consistent workflow UX for deploying apps and policies for both PCs and modern devices. There are already a lot of customers using Extensions for Windows Intune. If you are not one of them, why in the world not?  :) After all, there isn’t another management provider on the planet that can do this. You can read more technical documentation about Extensions for Windows Intune here .

Why Your Hybrid Setup Really Matters (I mean, Really )

By combining SCCM and Intune, your hybrid infrastructure immediately becomes incredibly powerful and you have the ability to manage a lot more from the SCCM console. Here are just a few things you can do:

• Deploying apps cross platform With SCCM+Intune you can deploy an app to users across different platforms (e.g. iOS, Android and Windows) all from a single console. With this single console you’re using a consistent workflow and UX regardless of the devices you manage, and this means less training and time to support new devices or platform updates. This hybrid setup allows you to simplify and unify your management.
• Setting policy cross platform This hybrid management also allows you to set a single device security policy for all your device types and then push that out to all of them – no matter where they are or how they’re used within your infrastructure.
• Wi-Fi configuration, VPN, certificate management – cross platform Similar to policy controls, with the unified console you no longer have separate wireless LANs based on device platforms – instead you simply set up your Wi-Fi profiles once and then deploy them to all your devices types.
• Inventory cross platform Get a complete and accurate inventory of all your Windows, iOS, and Android devices in a single place. Desktops, laptops, tablets, phones, POS devices – all at a glance within the SCCM database.

The Future of Office Apps

In the very near future, this hybrid pairing of SCCM and Intune will also be able to manage your Office apps. Coming up, new versions of the Office apps will ship natively instrumented to be managed by the Windows Intune app restriction policies. This will allow IT to do things like manage copy/paste between apps, or control where the user can save information to/from an app. There will also be a feature called “Conditional Access” which allows the admin to grant access to O365 (e-mail and OneDrive for Business) or on-prem Exchange/SharePoint only if the device is managed by Windows Intune and meets the policy criteria. For example, you can set a policy that a mobile device can only get corporate e-mail if the device has a power-on password, is encrypted, and is not jail broken. If any of these criteria are not met the flow of e-mail to the device stops and the user’s corporate inbox is emptied except for a single e-mail that informs the user that their device no longer meets the required corporate criteria. Helpfully, that e-mail walks them through bringing the device back into compliance. I used e-mail as an example here, but the conditional access capabilities we’re delivering in Intune can be applied to any corporate app. To see some of this in action, skip ahead to about 21:00 (especially around 22:30) in my recent keynote at Microsoft’s Worldwide Partner Conference. These functionalities are incredibly valuable because they allow your end-users to use the apps they love (Office, for example), and you can implement the necessary controls to ensure they can only access information that meets IT policy. And, of course, the data on the device is protected too. Note:  Check out the “Managed Everything” for Small Enterprises post.