Group policies, meet EMM: New and old Windows 10 management unite
- 11 October, 2016 21:00
One of Windows 10's biggest internal changes is support for management and security APIs à la enterprise mobile management (EMM). It uses APIs similar to those in iOS, Android, and MacOS. But Windows 10's EMM policies are limited compared to what traditional Windows management tools can do. Thus, a lot of what IT does to manage PCs today can't be done in Windows 10 via EMM, such as set up kiosk mode or enable local encryption. Instead, old-school tools like System Center Configuration Manager (SCCM) must be used instead.
EMM provider MobileIron has an answer: MobileIron Bridge, an add-on to its EMM tools that lets IT apply their familiar -- and often extensive -- group policy objects (GPOs) to Windows 10 PCs managed via EMM. Applying GPOs via EMM lets IT manage Windows 10 PCs using both legacy and modern techniques from one console (MobileIron's EMM), filling in the API gaps Windows 10 currently has.
Some vendors let IT install listener apps on PCs to locally apply some GPOs, a technique that could be used with traditional Windows 10 tools in parallel with an EMM tool. But MobileIron is the first to provide GPO support directly via EMM -- there's no local client app to install, and all the GPO settings go through the same channel as the other EMM policies.
MobileIron Bridge's support of GPOs is done by supporting PowerShell, VBScript, and registry scripts. IT can take existing scripts, as well as create new ones, and bundle them into policies that MobileIron Bridge then deploys like any EMM policy.
For example, Windows 10's EMM APIs can detect a PC where BitLocker encryption is disabled, rendering the PC noncompliant with corporate security policy. But those APIs can't be used to enable BitLocker. With MobileIron Bridge, PowerShell-driven GPOs can be used to enable BitLocker remotely, so IT can detect noncompliant PCs, then turn them compliant -- all remotely.
As another example, MobileIron Bridge can be used to run scripts to set up kiosk mode on Windows 10 PCs, which essentially locks a specified user to specified apps and can seal off their data from that of other people using the same PC. A retailer might use kiosk mode for a shared Windows laptop or tablet, giving each employee a separate kiosk account and retiring the accounts as employees leave.
Another scenario that MobileIron Bridge supports is setting up multiple user accounts on a PC, such as one used by contractors, for job-sharers, across shifts involving different departments in a "hoteling" workplace, or even by employees working from home on a personal PC. Working in concert with Azure Active Directory, IT can use MobileIron Bridge to remotely set up the multiple accounts, determine which accounts can share data with each other, and which accounts run in kiosk mode, then retire accounts as users leave.
MobileIron Bridge also lets IT install .exe apps onto Windows 10 PCs; Microsoft's EMM APIs support installation only of .msi and .appx software, which means most legacy apps aren't supported for remote, policy-based installation. MobileIron comes with a graphical interface to install such .exe apps, but it also can install other binaries using a command-line interface, again using scripts as it does for GPO deployment.
Ojas Rege, MobileIron's chief strategy officer, notes that when iPhones entered the enterprise in the late 2000s, IT couldn't reuse any of the many policies they had painstakingly set up in BlackBerry Enterprise Service for their BlackBerrys. Thus, they had to start from scratch. MobileIron Bridge's GPO support gives an IT an easier path to transition Windows 10 PCs from traditional management approaches to the EMM one used on other devices, he says.
However, Rege suggests that IT shops not deploy all their existing GPOs as is on Windows 10 PCs; they should use the EMM transition to evaluate what policies they still really need -- BlackBerry shops soon realized they didn't need all 450 BES policies, for example -- and deploy those in a staged approach. "It should be done with a change-management process," he says.
MobileIron Bridge will support Windows 10 Professional and Enterprise Editions, though some supported Windows 10 capabilities such as kiosk mode require the Enterprise Edition. Licenses will cost $3 per PC. It's now in prerelease at some customers, and the company hopes to make it generally available by January 2017.