Manage Windows 10 desktops, mobile devices with EMM software

Windows 10 supports crucial functions that enable enterprise mobility management. IT must follow a few important steps to prepare desktops for management through EMM.

With the right EMM software for Windows 10, IT can streamline and modernize device administration to manage desktops and mobile devices from a single interface.

Windows 10 includes a set of unified components that support mobile device management (MDM) and mobile application management (MAM). With these capabilities, IT can use enterprise mobility management (EMM) software to manage desktops, laptops and mobile devices across the enterprise.

Some organizations still need apps such as Microsoft System Center Configuration Manager, but others are ready to fully embrace Windows 10's unified device administration.

Setting up Windows 10 MDM

The MDM layer in Windows 10 consists of two parts: configuration service providers (CSPs), which are interfaces that help IT set configuration settings on endpoints, and built-in software clients. The CSPs interface directly with each device's OS to read and modify its configuration settings. For example, the RemoteWipe CSP makes it possible to remotely wipe a device.

CSPs act as intermediaries between the OS and local device clients. These clients, which IT must install on a device to execute EMM commands, communicate with the EMM server to receive instructions for provisioning devices and carrying out administrative tasks. There are two clients that enable IT to perform Windows management tasks: the enrollment client (EC) and the device management client (DMC).

The EC registers the device with the EMM server's enrollment service, which verifies that the device is authenticated and authorized for IT to manage. The client and EMM enrollment service then use the Microsoft MDM Enrollment Protocol version 2 to communicate with each other.

The enrollment process includes three primary steps: discovering the device, installing a security certificate and provisioning the DMC to communicate with the EMM server after enrolling. Once the device is enrolled through this process, IT can perform tasks with the EMM software.

Then, the DMC and EMM server communicate through the Microsoft MDM Protocol. This protocol is based on the Open Mobile Alliance standard for worldwide mobile interoperability. The DMC periodically synchronizes with the EMM server to check for updates and policy changes, which the CSPs apply to the device.
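
To make the DMC-to-server exchange concrete, here is an added example (not from the original article or any EMM vendor) that reads one management message, which in the OMA DM standard is a SyncML XML document, and lists which CSP each command addresses so that commands aimed at sensitive CSPs such as RemoteWipe stand out for review. The message is constructed for illustration, and `csp_of` and `audit` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NS = {"s": "SYNCML:SYNCML1.2"}  # namespace used by OMA DM SyncML 1.2 messages

# Constructed sample of a server-to-client message; not captured from a real EMM server.
SAMPLE = """<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
  <Replace>
   <CmdID>1</CmdID>
   <Item>
    <Target><LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength</LocURI></Target>
    <Data>8</Data>
   </Item>
  </Replace>
  <Exec>
   <CmdID>2</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/RemoteWipe/doWipe</LocURI></Target>
   </Item>
  </Exec>
  <Final/>
 </SyncBody>
</SyncML>"""

def csp_of(loc_uri):
    """Return the CSP name, i.e. the path segment that follows Vendor/MSFT."""
    parts = [p for p in loc_uri.split("/") if p not in (".", "")]
    if "MSFT" in parts and parts.index("MSFT") + 1 < len(parts):
        return parts[parts.index("MSFT") + 1]
    return None

def audit(syncml_text, sensitive=("RemoteWipe",)):
    """List every command in the message with the CSP it addresses.

    Assumes a trusted diagnostic capture; parse untrusted XML with defusedxml.
    """
    body = ET.fromstring(syncml_text).find("s:SyncBody", NS)
    rows = []
    for cmd in body:
        verb = cmd.tag.split("}")[-1]          # drop the "{namespace}" prefix
        for item in cmd.findall("s:Item", NS):
            uri = item.findtext("s:Target/s:LocURI", default="", namespaces=NS)
            csp = csp_of(uri)
            rows.append({"cmd_id": cmd.findtext("s:CmdID", namespaces=NS),
                         "verb": verb, "csp": csp, "uri": uri,
                         "data": item.findtext("s:Data", namespaces=NS),
                         "review": csp in sensitive})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
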

Once administrators enroll the device and configure the DMC, they have several options for protecting the device and its applications with EMM software.

Device management options

IT has a full range of options for EMM software that it can use to enroll and manage desktops and mobile devices. VMware AirWatch offers self-service device onboarding, bulk setups, and flexible OS updating and patching based on device priority and maintenance windows. AirWatch also supports over-the-air configurations for OS policies and settings, such as those that control Wi-Fi, BitLocker, account lockout and basic input/output system configurations. Administrators can update the configuration settings without a connection to the corporate domain or network.

SOTI's MobiControl offers automatic Windows 10 setups and the ability to synchronize Microsoft Exchange settings. In addition, administrators can send alerts to users and enable or disable settings for Cortana, screen capture, voice recording, or copy and paste. They can also modify device behavior based on whether the device enters or exits a geofenced region. Administrators can control network connectivity by user, device or application, regardless of the connection type.

Application management options

EMM software continues to add support for Windows 10 applications while offering additional services that enhance application management. An important component is Windows Store for Business, an administrative version of the Windows Store.

EMM software vendors are incorporating the Windows Store's capabilities into their features. For example, Citrix XenMobile uses the store to implement an application repository for in-house and custom applications that users can download and install without IT assistance. XenMobile also takes advantage of the store's capabilities, such as application metering and support for Win32 software.

EMM tools such as AirWatch, MobiControl and MobileIron also use Windows Store capabilities for managing and distributing applications. These products also take advantage of the MAM features built directly into Windows 10. For example, MobiControl administrators can whitelist or blacklist applications, use Active Directory to ensure that only authorized users can access applications and prevent users from downloading Windows Store applications.

Using EMM for Windows 10 security

To safeguard resources, Windows 10 includes a wide range of capabilities for EMM to incorporate.

MobileIron administrators can use the Simple Certificate Enrollment Protocol Windows 10 add-on to provision a certificate when enrolling a device rather than relying on username and password credentials. They can also install certificates directly on managed devices.

Administrators can use Windows AppLocker to control which applications and files users can run and to define rules using Windows 10's user role settings, which apply app permissions.

XenMobile EMM software takes advantage of Windows 10 security features, such as Device Guard and Secure Boot protection, single sign-on, remote locking and wiping, multifactor authentication, and encryption.

MobiControl uses Windows Information Protection policies to prevent unapproved applications from accessing an organization's files and websites. The tool also uses rules based on Device Health Attestation to detect and respond to noncompliant devices.
