Introduction to Windows 10 Management - Workspace One UEM
Traditionally, applications lived in the datacenter and were accessed by clients internally on the LAN. External users were given VPN clients that tunneled their laptops directly into the corporate network. More and more applications are now SaaS-based and run in the cloud. Access to these applications needs to be different: a new perimeter is required that does not depend on a VPN but actually increases contextual security. At the same time the user experience has to be simpler, supporting bring/choose your own device. Workspace One provides this capability by combining device posture with user authentication. To see a demo of the user flow you can look at my previous post here.
Workspace One is a multi-platform solution designed to standardize device management across corporate-owned and BYOD devices, providing unified endpoint management that encompasses device, application and identity policy control.
As in the screenshot above, traditionally we have used unified endpoint management for devices that we control over the air, providing management, compliance, restrictions and applications. This includes iOS, macOS, Android, Tizen, Chrome and rugged devices. What's interesting is that Windows 10 can now be treated as a mobile device and managed in the same way.
With older Microsoft desktop operating systems such as XP and Windows 7, provisioning, managing and retiring machines generally relied on traditional infrastructure. Active Directory, Group Policy and SCCM were the infrastructure that provided the initial "join" and "trust" and the ongoing PC lifecycle management (PCLM). It was a way of controlling access and standardizing. Everything is on the domain, within the walls of the organisation, generally with a "these machines are for these users" approach. Users working remotely have a VPN connection back to the business to access files and applications or to collaborate. Machines are generally provisioned by IT by pushing a corporate Windows image to the machine and then synchronizing with SCCM for the latest updates and software. In many cases machines are then shipped to remote locations (making sure RealVNC, RDP or whatever remote control software is enabled for remote management!).
Windows 10 is different and can be considered a modern mobile-first, cloud-first operating system. It can be managed in new ways because it exposes APIs that device management can plug into. This in turn establishes user trust, assesses device posture, enforces conditional access and enables a data loss prevention (DLP) mechanism wherever the device may be. It is a move away from a traditional machine on a LAN to a mobile device accessing data from anywhere and on any network. With Windows 10, Workspace One UEM can replace SCCM or co-exist with it, depending on requirements. This is considered "modern management".
The ability to distribute software automatically, and also to offer end users a choice of on-demand apps to install from a catalog, is exactly what Workspace One provides. The key here is that it does not matter where that device is. The power of Workspace One is that all management is combined into one single unified view. Essentially a device is treated as just that: workflows, interface and management are similar whether we are dealing with Windows 10, iOS, Android, macOS, Chrome, etc.
Internally developed, public and purchased applications are all supported for delivery. The flow is to add the application in the Workspace One UEM console and enable the unified catalog; the application is then presented in the catalog, ready for a user to select and install (it can also be set to install automatically). A really good video showing how Office is packaged and deployed or added to the catalog can be found here.
Windows Update Management
Certainly when I managed SCCM there was a constant feeling that if a machine was off the LAN for a few months (which was highly likely) there was a lag in the critical Windows "Patch Tuesday" security patches and a fingers-crossed approach as to whether the SCCM client was working and communicating! Managing a large estate was quite a lot of work, and this was just for Windows. Workspace One UEM provides a new way to handle updates. It does this by utilizing cloud patching, real-time visibility, peer-to-peer delivery and an engine that can auto-deploy missing critical updates, essentially providing an always up-to-date machine wherever it may be.
The flow in the image above is as follows:
1. Devices will communicate with Microsoft to query all available updates for the device.
2. Microsoft will reply to the device with a list of available updates in metadata format (GUIDs).
3. Devices will report the metadata to Workspace One UEM.
4. Workspace One UEM will call Microsoft's Update Server to get the metadata details, make them readable and show each update under its canonical name in the Workspace One UEM GUI.
5. Patches can be auto-approved or approved manually for smart groups, etc.
6. The list of authorized patches is then passed down to the device.
7. The devices will go to Microsoft Update and fetch the updates based on their configuration.
8. Delivery Optimization enables peer-to-peer sharing and caching, so a few devices collect the downloads and then distribute them to their neighbors locally.
Workspace One UEM has great dynamic smart groups, so these can be used to create delivery rings, for example Preview/Test, Pilot, Production and Critical. Patches can then be staged ring by ring.
Workspace One Unified Agent
The enrollment options vary based on the type of deployment; however, the primary method is the Workspace One Unified Agent for Windows. End users download the agent from awagent.com and follow the prompts to enroll. During enrollment the user is asked (depending on configuration) for an email address and a group selection (such as location, business group, corporate or BYOD), and is then redirected to Identity, where there is a one-time request for the domain username and password (SSO is enabled thereafter).
Azure AD Enrollment
If using Azure AD, Windows devices can be enrolled automatically with minimal end-user involvement. There are three options: Join Azure AD, out-of-the-box (OOTB) enrollment and O365 enrollment. OOTB is interesting from a zero-touch perspective: Dell is able to deliver devices straight from the factory with Workspace One auto-enrollment enabled on first use. The user just enters their credentials for the first time and Workspace One configures the device over the air, pushing payloads, restrictions and compliance along with applications.
A device can also be pre-set with device staging, where the device is enrolled through the Workspace One UEM Agent. Once done, the device can be shipped to the end user ready for them to log in; once they do, the information is sent to Workspace One UEM and the device is registered to that user. There is also an option to do bulk provisioning based on Microsoft's Assessment & Development Kit.
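As an added example (not code from this post or from VMware), the following read-only PowerShell audit reports the device-side state that the update flow, the delivery rings and the enrollment options above depend on: the MDM enrollment record, Azure AD join state, the Windows Update and Delivery Optimization policy values an MDM pushes, and how much of each download actually came from peers. It uses only Microsoft's own registry policy paths, dsregcmd and the DeliveryOptimization cmdlets; the function names are assumptions of this example.

```powershell
# Added example (not from the post or from VMware): read-only audit of the Windows 10
# state the post describes. Registry paths, dsregcmd and the DeliveryOptimization
# cmdlets are Microsoft's; the function names are assumptions of this example.
# Run from an elevated PowerShell prompt on the managed device.

function Get-MdmEnrollmentSummary {
    # Every MDM enrollment is a GUID subkey under Enrollments; EnrollmentState 1 = enrolled.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($null -ne $p.PSObject.Properties['ProviderID']) {
                [pscustomobject]@{
                    Enrollment = $_.PSChildName
                    ProviderID = $p.ProviderID       # which MDM server enrolled the device
                    UPN        = $p.UPN              # user the device was registered to
                    State      = $p.EnrollmentState
                }
            }
        }
}

function Get-AzureAdJoinState {
    # dsregcmd /status is the built-in Azure AD join report; parse its YES/NO lines.
    $status = dsregcmd /status
    [pscustomobject]@{
        AzureAdJoined = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
        DomainJoined  = [bool]($status | Select-String 'DomainJoined\s*:\s*YES')
    }
}

function Get-UpdateDeliveryPolicy {
    # Policy values pushed by MDM or GPO; a missing value means the Windows default applies.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $do = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdate   = $au.NoAutoUpdate    # 1 disables automatic updates entirely
        AUOptions      = $au.AUOptions       # 4 = auto download and schedule the install
        DODownloadMode = $do.DODownloadMode  # 0 HTTP only, 1 LAN peers, 2 group, 3 internet, 99/100 no DO
    }
}

function Get-PeerCachingSummary {
    # Per-file Delivery Optimization counters show how much came from peers versus HTTP.
    Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue |
        Select-Object FileId, FileSize, BytesFromPeers, BytesFromHttp, PercentPeerCaching, Status
}

Get-MdmEnrollmentSummary | Format-Table -AutoSize
Get-AzureAdJoinState
Get-UpdateDeliveryPolicy
Get-PeerCachingSummary | Format-Table -AutoSize
```

A device with no enrollment record, DODownloadMode 0 or 99, or NoAutoUpdate 1 will not participate in the peer-cached, auto-approved update flow described above, so these are the first values to check when a machine in a ring shows as not up to date.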
This post is intended to cover where Workspace One UEM can help manage Windows 10. Stay tuned for the next post on this topic where I will record a Workspace One UEM demo and go a little deeper into the patch management and deployment.