
Microsoft's MDM solution solves SMB and enterprise needs

Windows Intune provides a solution for both the SMB and enterprise MDM needs. John Joyner explains how it works with System Center 2012.

Mobile Device Management (MDM) is a hot industry segment. MDM sits at the intersection of the Bring Your Own Device (BYOD) megatrend and traditional IT responsibilities such as security and identity management. Organizations large and small need to meet employee expectations for device freedom while protecting corporate data by all reasonable means. Typical MDM policies control whether the device's camera may be used, or how many failed login attempts are allowed before the device is remotely wiped. A key principle of effective MDM is that the same policies apply regardless of whether, for example, the employee carries an Apple iOS or an Android device.

When it comes to risk assessment, indiscriminately allowing employees to download sensitive documents to any device of their choosing invites business disaster or worse. Large organizations have rapidly invested in dedicated MDM solutions like AirWatch and MobileIron to keep control of information while letting employees use their preferred devices. Microsoft has long offered basic MDM features in its Exchange product, such as a command-directed remote wipe when a device is lost or stolen.

Microsoft is late to market with a comprehensive MDM solution, but has fairly quietly and quickly realigned its two client device management products, System Center 2012 Configuration Manager (SCCM) and Windows Intune. Following a recent upgrade wave to the System Center and Intune products, organizations of all sizes now have a good-value, solid MDM solution from Microsoft for managing client devices such as PCs, smartphones, and tablets. Figure A shows a possible hybrid SCCM and Intune architecture in which a managed PC can download software both from on-premises repositories and from Windows Intune's repositories in the Windows Azure public cloud.

Figure A

A Hybrid SCCM and Intune architecture works inside and outside the corporate network.

Appealing to the SMB

Smaller companies may find it hard to select, deploy, operate, and support MDM software cost-effectively. There is no reason a start-up's data should be more exposed than that of its larger competitors. The chance of a business loss due to missing or compromised data does not diminish with a company's size. For the Small and Medium Business (SMB), an effective MDM solution is a critical insurance policy.

The SMB space is especially attractive for a good cloud-based MDM solution, because the expense of deploying an on-premises or private-cloud MDM solution is a barrier for the SMB. Windows Intune lets the SMB owner apply enterprise-class MDM device policies at a very reasonable cost. With Windows Intune alone you can manage Windows PCs and Apple iOS, Android, Windows RT, and Windows Phone 8 devices with no on-premises infrastructure to set up.

Figure B shows the web-based Windows Intune console, open to the Create Policy page. It is a simple matter to create a policy that applies to multiple device platforms, such as iOS and Windows RT, and to assign that policy to an Intune user group. Every device belonging to each group member receives and applies the same policy.

Figure B

"Allow Documents to Sync to iCloud" is an available Windows Intune MDM setting for iOS devices.

Scalable feature-rich solution for the enterprise

What is significant for the larger organization is that Windows Intune now includes System Center Configuration Manager (SCCM). This changes the pricing dynamic and makes Intune features available more economically. If you need only the MDM and client management features of SCCM, you can get the best of both Intune and SCCM for 33% less than under the previous license terms. Figure A shows an SCCM-plus-Intune topology that can be deployed just by subscribing to Windows Intune.

Using System Center to manage client PCs and mobile devices requires a System Center Client Management License, which costs about $108 per user per year and includes all the System Center components such as Operations Manager (SCOM) and Data Protection Manager (DPM), but not Windows Intune. What is new is that a Windows Intune subscription, which starts at $6 per month, includes SCCM. As an Intune customer, there is now no license cost (other than the Windows Server OS on which SCCM is installed) to host an SCCM instance on-premises to augment your Intune subscription.

When you integrate SCCM with Intune, you make a one-time, irreversible decision to either (1) author and deploy MDM policies from the Intune console (as in Figure B), or (2) manage MDM policy from the SCCM console. The main difference between the two consoles for MDM policy is that SCCM, the larger and more feature-rich product, adds the concept of Configuration Baselines. Whereas Intune policies are applied directly to Intune groups, SCCM policies (Configuration Items) are placed in Configuration Baselines, which are in turn deployed to SCCM collections.

There are three steps to deploy MDM settings to devices that SCCM manages through Windows Intune:

  1. Create a Configuration Item for the device (see Figure C).
  2. Create a Configuration Baseline that includes the Configuration Item, any desired Software Updates, and/or any other Configuration Baselines.
  3. Deploy the Configuration Baseline to a collection.

Figure C

In SCCM, settings for MDM are added as Configuration Items, which form part of Configuration Baselines.
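The Configuration Item / Configuration Baseline / collection model described above, and the three deployment steps, scripted with the ConfigMgr 2012 SP1/R2 PowerShell module. This is an added example, not code from the article or from Microsoft's documentation. Step 1 (authoring the mobile device Configuration Item) is still done in the console as in Figure C; the script looks the CI up by name and automates steps 2 and 3. The site code PS1, the CI, baseline and collection names, and the choice of -AddOSConfigurationItem for a mobile device CI are assumptions; check Get-Help Set-CMBaseline -Full on your own site if the parameter set differs.

```powershell
# Added example (not from the article). Assumptions: site code PS1, and the
# three object names below. Run from a machine with the ConfigMgr admin console.

# The ConfigMgr cmdlets ship beside the console; SMS_ADMIN_UI_PATH points at
# its bin folder, and the module exposes each site as a PSDrive named by site code.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location 'PS1:'                                           # assumed site code

$ciName         = 'MDM - Corporate Mobile Device Settings'    # CI authored per Figure C
$baselineName   = 'MDM - Corporate Mobile Baseline'
$collectionName = 'All Intune Managed Mobile Devices'         # assumed device collection

# Step 1: the mobile device CI exists already (console, Figure C). Fail loudly
# rather than silently deploying an empty baseline.
$ci = Get-CMConfigurationItem -Name $ciName
if (-not $ci) {
    throw "Configuration Item '$ciName' not found; author it in the console first (Figure C)."
}

# Step 2: create the baseline (idempotent) and add the CI by its CI_ID.
# Assumption: a mobile device CI is added with -AddOSConfigurationItem.
$baseline = Get-CMBaseline -Name $baselineName
if (-not $baseline) {
    $baseline = New-CMBaseline -Name $baselineName `
        -Description 'Mobile device settings delivered through Windows Intune'
}
Set-CMBaseline -Name $baselineName -AddOSConfigurationItem $ci.CI_ID

# Step 3: deploy the baseline to the collection.
# -EnableEnforcement $true turns on remediation; without it devices only report
# compliance and the MDM settings are not applied. -ParameterValue is the
# compliance percentage below which an alert is raised.
Start-CMBaselineDeployment -Name $baselineName -CollectionName $collectionName `
    -EnableEnforcement $true -GenerateAlert $true -ParameterValue 90

# Confirm what was built before handing it to the Intune connector.
Get-CMBaseline -Name $baselineName |
    Select-Object LocalizedDisplayName, CI_ID, DateLastModified
```

The script is safe to rerun: the baseline is created only if missing, and adding an already-present CI_ID to a baseline is a no-op. Treat the enforcement flag with care for settings such as the failed-login wipe threshold; test the baseline against a pilot collection before deploying it to every managed device.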

About

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...

5 comments
garkin88

I have a thousand tablet devices to update with our app and would not like to have the user need to accept, as in control of what the device version of our S/W is. Other services offer $3-4 per device, but also have a limited device version. $9 is too high to consider, and Android device does not necessarily cover all tablets.

We can already lock them down to our app and the Internet. Why would this be a good update solution via APN, and what would justify the cost?

zdnetxx6

Great, a solution to this massive problem.

albayaaabc

Who says everything is money? I don't agree. The chance to get our security online with other management in our small or medium office makes us trust ourselves and do better.

JCitizen

I couldn't help noticing that there are no icons representing smartphones or tablets here; not that I can't stretch my imagination. I guess I like lots of cartoons in my network graphics. :p

zenmaster

...the pricing you noted is *ridiculously* more expensive than competitive solutions. It seems to make even less sense if you have an Enterprise Agreement w/ eCALs. Given how little it actually buys you relative to EAS / IPCU and the still-present gaps managing their own WP8 devices, this is a non-starter for Enterprise customers. I wish it weren't.