There have been many new versions of Windows over the years, some good and some not so good (remember Windows ME?).
Windows 10 is different though, as for the first time it's designed to be managed as a mobile device. Why is this significant?
Well, for the first time IT departments are at a crossroads over how to manage these devices. Up until now organisations have tended to stick with traditional PCLM tools like SCCM for full management of corporate devices: software distribution, patching and of course group policies.
But the way users work has changed a lot over the last few years, with more and more of us on the move and on the wrong side of the company firewall. Tools like SCCM are client/server based and rely on devices being inside the firewall. This can mean that GPO changes and patches take days, weeks or even months to reach devices that are off the corporate network for a period of time, not to mention that users sometimes have to bring devices back on site to get new software installed.
So, as I said earlier, there is now a crossroads for Windows 10 management. Whilst it's totally OK to carry on with this model, Microsoft has designed Windows 10 to be managed as a mobile device. They've even committed to moving the SCCM functionality into their cloud-based Intune platform.
So let me tell you about what VMware Airwatch has been doing in this area.
First off, in this new model Windows 10 devices are managed from the cloud, meaning whatever network they are on they can get updates, patches and software.
VMware have made onboarding devices incredibly easy. You boot up and are asked whether the device is business or personal; you select business and enter your email address. The device is enrolled in the AirWatch cloud and all settings, policies and software are pushed to the device over the air or over the network.
VMware also identified that a large number of these devices will still be provisioned by IT departments, so they've made it possible to create a single executable that, when run on a new device, registers it and does all the configuration with one click of a button.
For any of the traditional complex stuff such as running scripts and copying files, you can use the automation engine to do almost anything: copy files, run scripts, add registry entries and so on.
The Workspace ONE unified catalogue makes it simple for users to consume any type of application, be it SaaS, mobile or legacy, and it even comes with single sign-on and conditional access, which I'll talk more about later.
VMware have really done a great job on enabling control and deployment of legacy Win32 applications. You upload your .exe or .msi to the cloud, add some metadata and upload any dependencies such as .NET. Then you can apply transform files and define install criteria such as only installing when on mains power, connected to Wi-Fi and at 2pm, and do it with elevated admin rights. Once the apps are installed you can deploy patches to keep them updated, and of course because the devices are always cloud connected you can at any time run a full inventory of what's installed and who's got which apps.
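To make the "install criteria" and "automation engine" ideas above concrete, here is an added PowerShell example (my own, not AirWatch or Workspace ONE code) of the kind of gating script a deployment agent runs before a silent MSI install with a transform: it checks elevation, mains power, a Wi-Fi link and the install hour, defers with a non-zero exit code if any check fails, and records the outcome in the registry for inventory. The MSI, MST and log paths and the `HKLM:\SOFTWARE\ExampleCorp` key are assumed placeholders.

```powershell
# Added example, not VMware AirWatch code. Gates a Win32 (MSI) install on the
# criteria described in the text, then records the result in the registry.
# Assumed/hypothetical values: the .msi/.mst/log paths and the ExampleCorp key.
[CmdletBinding()]
param(
    [string]$Msi = 'C:\Deploy\App.msi',          # assumed package path
    [string]$Mst = 'C:\Deploy\App-corp.mst',     # assumed transform
    [string]$Log = "$env:TEMP\App-install.log",
    [int]$InstallHour = 14,                      # 2pm, as in the text
    [switch]$RequireWifi,
    [switch]$RequireAcPower
)

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-OnAcPower {
    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.SystemInformation]::PowerStatus.PowerLineStatus -eq 'Online'
}

function Test-WifiConnected {
    # An "Up" physical adapter whose media type is native 802.11 is a live Wi-Fi link.
    $wifi = Get-NetAdapter -Physical | Where-Object {
        $_.Status -eq 'Up' -and $_.PhysicalMediaType -eq 'Native 802.11'
    }
    [bool]$wifi
}

function Test-InstallWindow([int]$Hour) {
    (Get-Date).Hour -eq $Hour
}

# Evaluate every criterion and report all failures, not just the first one.
$failed = @()
if (-not (Test-IsElevated))                      { $failed += 'not running elevated' }
if ($RequireAcPower -and -not (Test-OnAcPower))  { $failed += 'on battery power' }
if ($RequireWifi -and -not (Test-WifiConnected)) { $failed += 'no Wi-Fi link' }
if (-not (Test-InstallWindow $InstallHour))      { $failed += "outside ${InstallHour}:00 window" }

if ($failed.Count -gt 0) {
    Write-Warning ('Install deferred: ' + ($failed -join ', '))
    exit 1   # non-zero so the management agent retries on its next cycle
}

# Silent install with the transform applied; /l*v writes a verbose log for troubleshooting.
$msiArgs = "/i `"$Msi`" TRANSFORMS=`"$Mst`" /qn /norestart /l*v `"$Log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
# Standard msiexec codes: 0 = success, 3010 = success but a reboot is required.
$ok = $proc.ExitCode -in 0, 3010

# Record the outcome so an inventory query can read it (ExampleCorp key is hypothetical).
$key = 'HKLM:\SOFTWARE\ExampleCorp\Deploy\App'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'ExitCode'  -Value $proc.ExitCode
Set-ItemProperty -Path $key -Name 'Installed' -Value ([int]$ok)
Set-ItemProperty -Path $key -Name 'When'      -Value (Get-Date -Format o)

exit $proc.ExitCode
```

Run it elevated as `.\Install-App.ps1 -RequireWifi -RequireAcPower`. Returning msiexec's own exit code (and 1 for a deferral) lets the calling agent distinguish "try again later" from a genuine install failure, which is what you want when the same script is pushed to thousands of devices that are on and off the network at different times.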
Patch management run from the cloud should keep security managers happier, as devices can be updated in minutes, not days, weeks or months, and it can even integrate with existing patch management tools like WSUS.
For the first time Windows 10 can expose device health to AirWatch: is the device encrypted, does it have a firewall and AV enabled, and did it secure boot? We can use this device posture information to control whether users can run certain apps from the catalogue. If a user's device fails to meet policy their access is denied. Not only that, but we can inform their boss, and if they don't take action within a day we can wipe our apps off their device. A little extreme, I know, but it demonstrates the power of the cloud model. A more likely scenario is that a device fails because it isn't encrypted, for example. In this case we can get AirWatch to take corrective action and enable device encryption. Once this is done the user is allowed access to the apps again.
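The posture signals above (encryption, firewall, AV, Secure Boot) and the "fix encryption, then re-admit" flow can be seen locally with a short PowerShell script. This is an added example of mine, not AirWatch code: real Windows device health attestation is TPM-backed and evaluated server-side, so treat this as an illustration of what the checks and a remediation step look like on a Windows 10 machine with the BitLocker and Defender modules, run elevated. The `-Remediate` switch is an assumption of this script.

```powershell
# Added example, not VMware AirWatch code. Local approximation of the device
# health checks in the text, plus the "enable encryption" corrective action.
# Requires Windows 10, elevation, and the BitLocker / Defender PowerShell modules.
[CmdletBinding()]
param([switch]$Remediate)   # hypothetical switch: apply the fix instead of only reporting

function Get-DevicePosture {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $fw = Get-NetFirewallProfile          # Domain, Private and Public profiles
    $av = Get-MpComputerStatus            # Microsoft Defender status
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }  # throws on legacy BIOS

    [pscustomobject]@{
        OsDriveEncrypted    = ($os.ProtectionStatus -eq 'On')
        FirewallAllProfiles = -not ($fw | Where-Object { -not $_.Enabled })
        AntivirusEnabled    = [bool]$av.AntivirusEnabled
        RealTimeProtection  = [bool]$av.RealTimeProtectionEnabled
        SecureBoot          = [bool]$secureBoot
    }
}

function Test-Compliant([pscustomobject]$p) {
    $p.OsDriveEncrypted -and $p.FirewallAllProfiles -and $p.AntivirusEnabled -and
        $p.RealTimeProtection -and $p.SecureBoot
}

$posture = Get-DevicePosture
$posture | Format-List

if (Test-Compliant $posture) { Write-Host 'Compliant: access to catalogue apps allowed'; exit 0 }

# List the failed checks; a management agent would report these and apply policy.
$failed = $posture.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
Write-Warning ('Non-compliant: ' + ($failed -join ', '))

# Corrective action for the common case in the text: the OS drive is not encrypted.
if ($Remediate -and -not $posture.OsDriveEncrypted) {
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest
    # Add a recovery password and escrow it; here to Active Directory (fails if not
    # domain joined), whereas an MDM agent escrows to its own service.
    $vol = Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    try {
        Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $rp.KeyProtectorId
    } catch {
        Write-Warning "Recovery key not escrowed to AD: $($_.Exception.Message)"
    }
    Write-Host 'Encryption started; device will be re-evaluated once protection is On'
}
exit 1
```

The important design point is the order of operations in the remediation branch: protection is only useful if the recovery key has been escrowed somewhere IT can retrieve it, so the script adds and backs up a recovery password immediately after enabling BitLocker and warns loudly if escrow fails. The non-zero exit code keeps the device marked non-compliant until the next check sees `ProtectionStatus` of `On`, which mirrors the "allowed access again once done" behaviour described above.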
Data loss prevention is taken care of too. Windows 10 allows you to tag data as belonging to your secure domain. This can include corporate on-site data as well as cloud-based locations such as OneDrive for Business. Users are only allowed to access this secure data from protected apps, which have policies in place to prevent data leakage; for example, users are prevented from copying data into Twitter.
Hopefully I've given you a very quick insight into how Windows 10 really does give you a new way of doing things. Check out AirWatch and Workspace ONE from VMware. They will keep users happy and give them freedom, while also keeping IT happy by giving them peace of mind around security.