Endpoint management still fractured between mobile and desktop

Finally Microsoft has provided a way to unify endpoint management of mobile devices and Windows desktops, but it's doomed to many years of impracticality.
Written by Larry Seltzer, Contributor

When I first thought about it years ago, I assumed that Microsoft would find some way to incorporate management of their mobile devices into Active Directory and Group Policy. These are Microsoft's home turf, a domain they control, and the world of IT is filled with people trained in them and companies committed to them.

I was wrong. Microsoft didn't. They did nothing.

They had the opportunity to do something with Windows Mobile going back over 10 years, although I'm sure the need for it wasn't so obvious at the time. Meanwhile, BlackBerry invented MDM, Apple ripped them off and Exchange ActiveSync became the default lowest common denominator for management. Innovative third parties like MobileIron and AirWatch, and again BlackBerry, expanded the technology into EMM (Enterprise Mobility Management), providing much more sophisticated management of users, data and applications, in addition to the device configuration itself.

By the time Microsoft got around to addressing this problem directly, all they could do was follow the pack, and now they have begun to consolidate management of all devices--mobile, desktop, laptop, perhaps even servers eventually--with EMM.

The argument, and it's not a bad one, is that Active Directory is built for the old model of perimeter-oriented security. The future of enterprise architecture is in the cloud, and security needs to focus on the devices and data and users no matter where they are. This is what Microsoft shoots for in their EMS (Enterprise Mobility Suite). For instance, EMS enables end users to use the Office mobile apps without a device enrollment.

But it still leaves enterprises using two management methods: Active Directory Group Policy and EMM.

There's a lot to like about the new approach, and even the other EMM vendors like it. VMware's AirWatch is enthusiastic.

Microsoft has a few products involved in managing this new approach: There's System Center Configuration Manager (SCCM, often pronounced 'SCUM') integrated with Intune, their EMM product. They have an Identity Manager and a number of Azure services, including Azure Active Directory, meant to streamline control of it all. In fact, you can probably run all of these functions in Azure, which fits in well with Microsoft's clear move to putting anything and everything up in the cloud.

And all you have to do is upgrade all your Windows desktops and laptops to Windows 10. There's lots of companies out there doing it. Aren't there? OK, so in the meantime you can manage Windows 10 and mobile devices with EMM and older systems with Group Policy. It sounds like a nice interim strategy in the abstract, but the policy sets are different and uncoordinated so that you can't, at least not easily, maintain a consistent set of policies between the two groups.

I stand by my first impression: Two separate management systems and policy sets is an invitation to waste and error. By moving to EMM, Microsoft is diminishing the significance of Active Directory and Group Policy, technologies that keep enterprises committed to Microsoft. They might gain by getting enterprises to consolidate mobile devices and desktops/laptops into one Microsoft management architecture, or enterprises might just move everything onto a third-party system like AirWatch. It's too soon to tell.

For many years this will remain just an option. Few if any enterprises will be able to phase out Group Policy, and so separate management systems will persist, and even Windows 10 systems will basically be managed through Group Policy. Finally we have a vision of unified endpoint management, and that's all it is. A vision.
