In-Depth

Endpoint Management Tools To Tame a Universal Client World

Now that using multiple devices, apps and OSes is ubiquitous in the workplace, new unified endpoint management tools are introducing a common approach to configuration, security and administration.

Capital One Financial Corp. wants to empower its workforce of nearly 50,000 employees to provide better customer service to its 65 million account holders by letting them use different devices. Embracing the trend toward creating a modern, virtual work environment means providing a common UX on multiple devices with a secure, unified endpoint management (UEM) approach that dynamically -- based on conditions such as location -- can enforce policies.

In many organizations such as Capital One, supporting multiple devices per user is no longer considered optional. "The expectations are changing in the workforce, driven largely by the experiences people have in their personal and consumer lives," said Jennifer Manry, VP of End-User Computing and Identity and Access Management at Capital One, speaking at the annual VMworld conference, held in late August. "They want to come into the enterprise and feel they can operate with their colleagues the same way they operate with their friends and family outside. We realized we needed to rip out and replace a lot of the technology that we have and provide much more modern capabilities to our associates, and part of that started with devices."

The bank, the eighth largest in the United States with $240 billion in holdings, earlier this year started rolling out VMware Workspace One, the company's new UEM platform, designed to provide secure access to applications and data with unified deployment, security and management, regardless of device or infrastructure. VMware showcased several customers that are using Workspace One, not just to provide mobile device management, but in a new release now rolling out this quarter, to configure and securely manage Windows 10 PCs, Macs, Chromebooks and applications, including Office 365.

Another customer showcased by VMware was the American Red Cross, which is bringing its Horizon VDI environment into Workspace One, according to Dave Bullamore, the non-profit humanitarian aid provider's VP of IT End-User Services, who described how enabling UEM has made it easier to let employees and volunteers access its resources on their own devices. "It has allowed us to not only allow volunteers to use more of their own technology, but employees, as well, in a simple and secure way," said Bullamore, also speaking at VMworld, coincidentally as Hurricane Harvey was descending on Texas.


Workspace One, launched last year, brings together VMware's AirWatch device and application management platform with the Horizon VDI and virtual application service environment. VMware claims the new Windows 10 device enrollment and management capability using Microsoft's Intune APIs, support for Macs, Chromebooks, Office 365 policies, analytic reporting and workflow capabilities coming to Workspace One makes it the first UEM offering that can configure and manage all of the major mobile and computing devices.

Also new is the addition of VMware Identity Manager to the Workspace One AirWatch console, which the company said gives administrators a common place to manage devices, context and identity. The new console now allows administrators to require enrollment through Workspace One for specified groups, an organization or specific operating system platforms.

That common user and management experience gives Workspace One a much broader capability than existing mobile device management (MDM) offerings, including Microsoft's Enterprise Mobility + Security (EMS) suite, said Mitch Berry, VP of Unified Endpoint Management at Mobi, which provides managed mobility lifecycle management services and software. "I think their technology is a lot more advanced than a Microsoft, or a MobileIron or Citrix in that the experience they are able to provide across multiple device types really gives them the lead," said Berry, whose company has partnerships with all the major MDM providers, including Microsoft.

Gartner Inc. analyst Andrew Garver agreed. "Few vendors provide the breadth of Workspace One's offering, and VMware did a good job of telling a comprehensive EUC [end-user computing] transformation story at VMworld," Garver said. Enterprises looking to shift to this more holistic approach to system and applications management, which he calls "unified workspaces," will find Workspace One appealing, according to Garver, because it provides "modern management across traditional and mobile endpoints, tight coupling with Horizon VDI and apps and a robust set of gateways for both cloud and on-premises."

Windows 10 Configuration and Management
In a demo at VMworld, VMware officials showed the enrollment of a new Windows 10 PC. Once the user enters an e-mail address and password, Workspace One starts provisioning the PC based on the policies defined by IT for that employee. "In the background, drivers, DLLs, applications, everything that used to be in that golden image, now comes over the air to fully transform this device," said Jason Roszak, VMware's Windows 10 product manager, who gave the demo. Windows updates and patches can also be deployed based on how critical they are and when and where the user is connected.
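The two policy ideas the article has raised so far, conditional enforcement based on device context such as location, and patch rollout timing driven by severity plus when and where the device is connected, come down to the same thing: a rules evaluation over a device record. The following is an added illustration of that evaluation, not VMware's or any vendor's code. Every field name, the geofence, the 30-day patch threshold and the off-hours window are assumptions chosen for the example.

```python
"""Toy UEM policy engine: decide access and patch rollout from device context.

Illustrative code, not VMware's or Microsoft's implementation. All field
names and rule thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import List


@dataclass
class DeviceContext:
    user: str
    platform: str            # "windows10", "macos", "ios", "android", "chromeos"
    enrolled: bool           # enrolled in the UEM platform
    disk_encrypted: bool     # e.g. BitLocker / FileVault state reported by the agent
    os_patch_age_days: int   # days since last successful OS patch
    network: str             # "corporate", "home", "public"
    country: str             # ISO-3166 alpha-2 code reported by the agent
    local_time: time         # user's local clock when the request arrives


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


ALLOWED_COUNTRIES = {"US", "CA", "GB"}    # assumed geofence
MAX_PATCH_AGE_DAYS = 30                   # assumed compliance threshold


def evaluate_access(ctx: DeviceContext) -> Decision:
    """Conditional access: corporate data only for a compliant device in an
    approved location. Every failing check is recorded so an admin can see
    why a device was blocked rather than just that it was."""
    reasons = []
    if not ctx.enrolled:
        reasons.append("device not enrolled")
    if not ctx.disk_encrypted:
        reasons.append("disk encryption not reported")
    if ctx.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"OS patch level older than {MAX_PATCH_AGE_DAYS} days")
    if ctx.country not in ALLOWED_COUNTRIES:
        reasons.append(f"access from {ctx.country} outside geofence")
    # A public network is tolerated only when every other check passes:
    # a non-compliant device on an untrusted network is the highest-risk case.
    if ctx.network == "public" and reasons:
        reasons.append("non-compliant device on a public network")
    return Decision(allow=not reasons, reasons=reasons)


def schedule_patch(ctx: DeviceContext, severity: str) -> str:
    """Patch rollout timing from severity plus when and where the device is
    connected. Returns "now", "next_corporate_window" or "defer"."""
    if severity == "critical":
        return "now"                         # push regardless of connection
    off_hours = ctx.local_time >= time(18, 0) or ctx.local_time < time(7, 0)
    if ctx.network == "corporate" and off_hours:
        return "now"                         # cheap bandwidth, idle user
    if ctx.network == "corporate":
        return "next_corporate_window"       # wait for the off-hours window
    return "defer"                           # metered or untrusted network


if __name__ == "__main__":
    # Constructed sample: an unenrolled laptop on coffee-shop Wi-Fi at 10:00.
    risky = DeviceContext("bob", "windows10", False, True, 3, "public", "US", time(10, 0))
    print(evaluate_access(risky))
    print(schedule_patch(risky, "important"), schedule_patch(risky, "critical"))
```

The point of returning the full reason list rather than a bare boolean is operational: a blocked user generates a help-desk ticket, and the ticket is only actionable if the console can show which check failed.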

VMware might be out in front in talking up advances to Workspace One, and while it's poised to become a leading UEM platform, the battle is just emerging. The most noted alternatives are Microsoft's EMS service, which consists of Intune, Azure Active Directory and Azure Information Protection services to provide data loss protection, and Citrix Secure Digital Workspace, among others. These offer different approaches but are all centered around common configuration, security and management of all devices.

Citrix Systems Inc. last month released its XenMobile 10.7 MDM platform, which brings new UEM capabilities. Citrix said XenMobile lets admins apply Microsoft's BitLocker security and encryption policies to Windows 10 devices directly from the XenMobile console.

The Citrix XenMobile update also offers Apple's latest iOS security policies and integration with the Google Play store, which lets admins apply Android for Work policies to managed Android apps from the XenMobile console. Citrix Essentials, which offers Windows 10 as a desktop or app service, uses the Citrix Cloud and runs in Microsoft Azure. Citrix and Microsoft have longstanding partnerships, and last year created their latest pact toward providing native Intune support in the Citrix XenMobile device management platform and enabling XenEssentials in Azure.

"Sure, the APIs are available to everyone, they have to be that way, but the engagement between Citrix, Microsoft and the customer will deliver a differentiated value by taking advantage of Microsoft Graph, but then also extending that to all areas of the workspace are really important," said Calvin Hsu, speaking at an event in August with Brad Anderson, Microsoft's corporate VP, overseeing the company's Enterprise Client and Mobility Group.

"Everything we do in Enterprise Mobility + Security is exposed to the Microsoft Graph. Citrix is doing the work to deeply integrate with those Graph APIs," Anderson said. "What that means is, if you're a Citrix XenMobile customer today, you can actually set all of the EMS policies through the XenMobile console, which will then, for example, set the Intune MAM [mobile application management] policies on any of the applications. So you get this single point of administration, this single console, with the work that Citrix is doing to integrate with the Microsoft Graph."

In a sign of just how strategic UEM is becoming, the new Microsoft 365, launched in July, is a bundle that brings together Windows 10, Office 365 and EMS as a subscription. It remains to be seen whether IT decision makers heed Microsoft's advice that EMS offers the core UEM capabilities organizations need to manage all their Windows and mobile devices. But there's a strong case that many enterprises will see EMS as a baseline and, despite the competitive rhetoric, Microsoft is fostering a UEM ecosystem.

Enabling UEM with Microsoft Graph APIs
Microsoft has played a key role in advancing UEM with the release of the Microsoft Graph APIs, which include the Intune interfaces, as Redmond has reported over the past year. Still in preview in mid-September, the expectation is that Microsoft will release them at any time, which is why some of the key platform players such as Citrix, MobileIron Inc., Jamf, BlackBerry Ltd. and IBM Corp., among numerous others, are also expected to support them shortly.

Sumit Dhawan, senior VP and general manager heading the VMware End-User Computing group, said that VMware has "leveraged those public APIs extensively." By "extensively," Dhawan explained that their use goes beyond just enrollment and providing policy management; it's about integrating identity management and applying context, while striking a balance between providing user control and privacy and ensuring that corporate data remains secure.

Dhawan said Workspace One has evolved to meet its mission of bringing mobile, desktop and application management together. The addition of the VMware Identity Manager into its AirWatch console provides a common interface for managing devices, context and identity, he said. It also has a simplified mobile single sign-on interface and, using the Microsoft Graph API, it can apply Office 365 enrollment and management, as well as support for other Software-as-a-Service (SaaS) apps. The new Workspace One release will manage and enforce security policies and provide Office 365 data loss prevention (DLP) upon release of the Office APIs by Microsoft.

It's to Microsoft's benefit to share the Intune APIs, said Ojas Rege, MobileIron's chief marketing officer. "This move toward opening up the APIs to a graph is really good for Office 365, because otherwise, the majority of customers would not be able to apply the new DLP controls to Office 365," Rege said. "Only Intune customers would've been able to do that. That ends up hurting and not helping Microsoft's position with Office 365, because the best thing for Office 365 is no matter which EMM [enterprise mobility management] solution you pick, you can secure Office 365 fully. Having a secure Office 365 service is a competitive advantage of Office 365 versus other productivity tools."

The shift to UEM provides a common approach "of unifying the experience across all applications and one place to unify your management across all devices," Dhawan said. "This, we believe, is a massive change and we think it is a great opportunity."

Workspace One to Gain Intelligence
VMware also plans to offer an add-on service to Workspace One that provides reporting and analytics designed to help administrators utilize the Windows Update Service. The new service, called Workspace One Intelligence, will include a rules engine that will allow automated actions to address real-time security and performance issues. It will offer reporting templates to give views on how vulnerable an organization is and provide automated remediation, said Andrew Levy, VMware's senior director of product management, who joined the company last year following its acquisition of mobile performance management provider Apteligent.

Workspace One Intelligence uses machine learning to detect anomalies, according to Levy. "This fundamentally transforms how you make decisions. You move from being reactive, sifting through mounds of information, to proactive decision making."
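The rules-engine idea described above, flagging an anomalous device from its telemetry and mapping the finding to an automated action, is illustrated by the following added example. It is not Workspace One Intelligence code; the daily crash-count telemetry, the z-score threshold and the action names are all constructed for the example. It also handles the edge case that trips up naive anomaly scoring: a device whose baseline is perfectly flat, where the standard deviation is zero.

```python
"""Toy anomaly-to-action rules engine over device telemetry.

Added example, not Workspace One Intelligence code. The telemetry records,
the statistical threshold and the action names are all constructed here.
"""
import statistics
from typing import Dict, List, Tuple

# Constructed telemetry: daily app-crash counts per device over two weeks.
TELEMETRY: Dict[str, List[int]] = {
    "laptop-001": [1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 1, 0, 1, 14],   # spike on day 14
    "laptop-002": [0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0],
    "laptop-003": [3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 4, 3, 2, 3],    # noisy but stable
}

Z_THRESHOLD = 3.0   # assumed: flag a day more than 3 std devs above baseline


def anomaly_score(history: List[int]) -> float:
    """z-score of the most recent sample against the preceding baseline.
    A flat baseline (zero variance) is handled by treating any increase as
    anomalous and any non-increase as normal, instead of dividing by zero."""
    baseline, latest = history[:-1], history[-1]
    mean = statistics.fmean(baseline)
    stdev = statistics.pstdev(baseline)
    if stdev == 0:
        return float("inf") if latest > mean else 0.0
    return (latest - mean) / stdev


def choose_action(score: float) -> str:
    """Map a score onto an automated action tier (names are constructed)."""
    if score >= 2 * Z_THRESHOLD:
        return "quarantine_and_ticket"
    if score >= Z_THRESHOLD:
        return "notify_admin"
    return "none"


def run_rules(telemetry: Dict[str, List[int]]) -> List[Tuple[str, float, str]]:
    """Evaluate every device; return (device, score, action) for those needing action."""
    results = []
    for device, history in telemetry.items():
        score = anomaly_score(history)
        action = choose_action(score)
        if action != "none":
            results.append((device, round(score, 2), action))
    return results


if __name__ == "__main__":
    for device, score, action in run_rules(TELEMETRY):
        print(f"{device}: z={score} -> {action}")
```

Using a per-device baseline rather than a fleet-wide one is the design choice that matters here: laptop-003 crashes several times a day every day, so a fleet-wide threshold would page on it constantly, while its own baseline says nothing has changed.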

Workspace One is integrated with VMware Identity Manager for single sign-on.

Capital One's UEM Deployment
Capital One began its Workspace One deployment in the second quarter with user acceptance testing and pilot cycles for its mobile fleet, and then began transitioning its Windows and Mac users, according to Brian Link, Capital One's senior director for UX Strategy and Engineering. "The Workspace One platform brings together technology silos -- mobile, desktop, VDI, identity -- as a single platform," Link said. "Ultimately, this is all about getting faster products to market, driving more innovation, and enabling our teams to deliver breakthrough experiences for our customers that help them with their financial lives."

The Horizon backbone now connects to Capital One's datacenters, but Link said the bank intends to utilize Amazon Web Services for the compute and storage capacity. "We see zero value in staying in the datacenter model," he said. "We want to deliver meaningful experiences, and secure experiences to our users on any device, anywhere, any time."

The American Red Cross now runs its VMware Horizon 7 virtual desktops with Workspace One, providing employees and volunteers access to the association's custom specialized apps, as well as standard apps, including SharePoint, Concur, Outlook and ADP payroll.

Whither SCCM?
Perhaps the biggest impact the proliferation of UEM will have on IT pros over time is that it's poised to replace today's approach of creating and configuring Windows on gold images with traditional tools such as Microsoft System Center Configuration Manager (SCCM). Of course, such shifts don't happen quickly, but many of the critical wares are now rolling out and early adopters are making the transition. It's a necessity made clear by the onslaught of security lapses that went unaddressed as virtual workplaces sprang up in recent years, and by the need for IT to protect enterprise data while giving employees the flexibility and privacy they insist on -- and many businesses are now intent on providing.

The urgency for organizations to consider UEM will accelerate over the next two years as the clock runs out for mainstream Windows 7 support in January 2020. As the deadline approaches, organizations are considering how to handle their migrations to Windows 10, which was designed with UEM as a core tenet. Of course, the reality is there will be a mix of Windows 7 and above PCs in organizations for many years to come, though the option to move to a UEM is now a reality.

Over time, both Capital One and the American Red Cross hope the days of using SCCM to build gold images, package, deploy and manage Windows PCs will come to an end. "Over time we are going to slide away from SCCM and all of these other legacy [management] systems," Bullamore said.

The fact that Windows 10 is a fully managed MDM framework is an important advance, according to Link. "For us, that means we can unlock a lot of really interesting experiences that we couldn't before," he said. "And more importantly, we can eliminate SCCM imaging, GPO policy delivery and we can enable user-driven workflows from anywhere."

Shawn Bass, VMware's CTO for End-User Computing, said there are three key components to its strategy with UEM. First is allowing organizations to unify management of Windows 10, Mac and Chromebook computers the same way they manage their mobile Android and iOS devices. Second is giving employees assurances that their personal data isn't accessible by their employers, while ensuring that corporate data can't be copied outside the confines of the enterprise environment, even on a user-owned device. The third focus is enabling organizations to manage Windows as a Service by eliminating traditional image management. Rolling out or resetting a PC should be seamless, according to Bass.

"Nobody thinks poorly about having to switch phone devices, but with a PC, everyone frets what the experience is going to be like having to switch out their PC," Bass said. "Legacy management is slow, complex, it requires specialist teams, it's antiquated, and we think we have a better way."
