New SCCM and EMM Co-Management Capabilities for Windows 10
Abby Guha | September 28, 2017
How To Derive the Most Value For Your Enterprise
The Modern Enterprise
The modern enterprise is going through radical shifts at the moment. Users are driving tremendous change in the way work is done, paralleled only by the acceleration of the pace of change in modern operating systems. The introduction of Windows 10 marked a watershed in end-user computing, giving both IT teams and users alike a new paradigm for security and productivity. The Windows 10 OS gives enterprise IT the ability to secure and manage corporate-approved and BYO desktops with modern management techniques, while users have the flexibility to work on the devices they love, anywhere, anytime.
With more and more Windows 10 devices coming into the enterprise, it gives IT organizations pause for thought when trying to understand how and when to take the right approach to handle key use cases. Tools that have been in use for many years, such as System Center Configuration Manager (SCCM), have been able to handle, to a great extent, most of the use cases for PC security and management within the corporate network. However, as we continue evolving how we work, with some users off the corporate network or accessing business cloud services from desktops, a more modern EMM approach aligns better with IT’s need to secure devices, while giving users a greater experience and a faster runway to productivity.
Until recently, SCCM and EMM could not coexist on the same device without a third-party agent. This meant that IT had to choose which management solution would be placed on a certain existing or new device coming into the organization. However, with Microsoft’s recent announcement that both SCCM and EMM could co-exist on the same device, the pathway is now clear for IT teams to really use the right approach for the right job. This enhances choice for IT and allows users to work effortlessly on the latest devices they love, in the manner in which they want to work.
The Right Solution For the Right Use Cases
With more choices comes the opportunity to experiment, especially in this early stage of the journey, as enterprises strive to strike the right balance between continuing to leverage existing tools that have worked well thus far and beginning to look at modern and potentially more efficient approaches. We here at MobileIron recommend starting off by identifying distinct PC use cases in your organization to determine when to use legacy solutions, a hybrid approach, or EMM only. Here are some areas to think about...
Scenario 1: Using Traditional Client Management Tools
Today, a common model of PC management requires devices to join a domain that’s governed by a set of group policy objects (GPOs), which define what a system looks like and how it behaves for a certain group of users. Existing client management tools are most effective when all devices are connected to a persistent local area network. When securing and managing Windows 7 and Windows 10 devices in this scenario, use SCCM to conduct OS, software and driver patching, comprehensive monitoring of the device, and to get granular details on asset information.
Scenario 2: Taking a Co-Management Approach with SCCM and EMM
So when should the desktop IT team consider a “right tool for the right job” approach? Below are recommendations for using a hybrid approach:
Simplifying Provisioning: While you may still prefer to use SCCM for traditional PC imaging, there may be key use cases where fast and remote provisioning is of interest due to efficiency and cost reduction. In this case, consider moving from traditional imaging using SCCM to a modern EMM approach instead. This is a much lower-touch model, with configuration done in minutes over-the-air. This approach works particularly well for branch or remote offices, and temporary or contract workers. And, if you must use imaging, try creating a lightweight image to register to the domain, use EMM with minimal configs and apps, and let the modern approach take care of the rest.
Optimizing Around the Most Efficient Approach: If you already have and use SCCM to push GPOs, then it is best to continue with that approach. Do not use corresponding EMM policies to lock down the devices if you already use GPOs to take those actions; applying the same setting from both channels invites conflicts. And, if you typically use SCCM to push Win32 applications, do it at the time of imaging and use EMM for new or updated applications. And finally, in order to push Universal Windows Platform (UWP) or Business Store Portal (BSP) applications, use EMM instead of SCCM for modern app distribution and management.
Updating the Device OS and Drivers and Microsoft Apps: If you use Windows Server Update Services (WSUS) to update device OS, drivers, and Microsoft apps, there is a way to bring in EMM to specify certain update parameters such as:
- What day(s) to do the update
- What time to do the update
- Whether the updates or upgrades should be deferred
- Whether the Current Branch or Current Branch for Business should be
If the device will not be under domain control, use EMM to do the updates. However, for those enterprises that have WSUS implemented, use that service to get the update of record, and then use EMM to send instructions to the device.
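To see which of the update parameters listed above a co-managed PC is actually receiving from GPO versus from EMM/MDM, and to catch the double-configuration the previous section warns against, here is an added PowerShell audit script (it is not MobileIron's code and not part of the original post). It assumes the GPO-written Windows Update for Business values live under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey) and the MDM-written ones under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update; verify both against the ADMX and Policy CSP documentation for your Windows 10 build before relying on the report.

```powershell
# Added example: report the source (GPO, MDM, both, or unset) of each
# Windows Update for Business setting the article lists. Run elevated.
$Gpo   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # assumed GPO path
$GpoAU = Join-Path $Gpo 'AU'                                           # assumed GPO path
$Mdm   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' # assumed MDM path

# Setting name -> registry path where group policy writes it (assumed).
$Settings = [ordered]@{
    ScheduledInstallDay             = $GpoAU  # day of the update (0 = every day, 1-7 = Sun..Sat)
    ScheduledInstallTime            = $GpoAU  # hour of the update (0-23)
    ActiveHoursStart                = $GpoAU  # window in which restarts are blocked
    ActiveHoursEnd                  = $GpoAU
    DeferFeatureUpdatesPeriodInDays = $Gpo    # upgrade (feature update) deferral
    DeferQualityUpdatesPeriodInDays = $Gpo    # update (quality update) deferral
    BranchReadinessLevel            = $Gpo    # 16 = Current Branch, 32 = Current Branch for Business
}

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    if (-not (Test-Path -Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-UpdatePolicySource {
    foreach ($Name in $Settings.Keys) {
        $FromGpo = Get-PolicyValue -Path $Settings[$Name] -Name $Name
        $FromMdm = Get-PolicyValue -Path $Mdm -Name $Name
        $Source = if ($null -ne $FromGpo -and $null -ne $FromMdm) { 'CONFLICT: GPO and MDM' }
                  elseif ($null -ne $FromGpo) { 'GPO' }
                  elseif ($null -ne $FromMdm) { 'MDM' }
                  else { 'not set' }
        [pscustomobject]@{ Setting = $Name; GPO = $FromGpo; MDM = $FromMdm; Source = $Source }
    }
}

# Any CONFLICT row is a setting being pushed from both channels; pick one owner per setting.
Get-UpdatePolicySource | Format-Table -AutoSize
```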
Scenario 3: Employing Modern Security and Management Using EMM Only
Start assessing those use cases that involve users being off the corporate network for periods of time. Also look at key user populations, such as executives, who prefer to use the latest devices such as detachables that look like a traditional laptop but can quickly morph into a tablet, allowing the user to stay seamlessly productive on-the-go outside of the corporate network. Consider scenarios where user devices need to be provisioned in remote or branch offices where IT staff is limited. With a modern approach and for the right use cases you can still push GPOs to the Windows 10 desktop for more granular control. Imagine being able to drop-ship a PC to a remote office and have a simple and easy over-the-air process to get the user up and running in minutes, with all key configurations and security policies in place on the device. And of course, for enterprises that do not currently use legacy tools for managing Windows devices, the recommendation is to start using modern approaches like EMM for all Windows 10 devices coming into the organization.
Starting the Journey and Getting it Just Right
So how do you embark on the road to applying a modern approach for the right use cases within your organization? Here’s a quick five-step playbook.
Step 1: Use cases - Identify distinct PC use cases in your organization, for example, remote vs. local, company-owned vs. BYO, or app-heavy vs. email-only.
Step 2: Pilot - Enroll Windows 10 PCs that can’t be effectively imaged, like remote or BYO PCs, into MobileIron to gain experience with UEM.
Step 3: Side-by-side - Add MobileIron to general-purpose Windows 10 devices already managed by Microsoft SCCM. IT can now manage the PC even when not on the domain.
Step 4: Trusted access - Use MobileIron to ensure that unauthorized Windows 7 and 10 PCs cannot access business cloud services such as Office 365 or Salesforce.
Step 5: Migration - Migrate required GPOs and policies to MobileIron in a structured transition from traditional desktop engineering to modern agile IT operations.
In this new era of modern work, the right approach can enable your organization to deliver the best security and user experience outcomes, which will ultimately lead to business acceleration and differentiation.