Enterprise Windows Phone: Is Microsoft too late?

Mobile devices have been a disruptive technology in the enterprise. It's a cliche, but it's absolutely true and extremely important. Unfortunately for Microsoft, it's Apple that has been doing most of the disrupting.

Like most (maybe all) disruptive technologies, mobile devices gained their foothold without the cooperation of IT, and perhaps even against their policies. Obviously IT departments are on board now, but in the meantime, purchasing decisions have moved, in great part, out of their control.

That's why it's hard to gauge the significance of Microsoft's announcements yesterday of enterprise security and management improvements in Windows Phone 8.1. Looked at in isolation, they're very important and technologically impressive. The problem is that if end users don't want to buy Windows Phones it may not matter.

What exactly are the improvements? Microsoft spelled them out in a blog entry yesterday. There will be a session on the at BUILD later today and the video will be available (at this link) 24-48 hours later.

The major bullet points:

• Mobile Device Management — This makes it easier for enterprises to enroll Windows Phones in a management system, either Microsoft's or (more likely) a third party system from MobileIron, AirWatch or one of the many others. This is, of course, important, but not revolutionary, although it's worth pointing out that Android still lacks this at the base OS level. Android MDM support is typically added by the handset companies like Samsung.
• Windows App Platform Convergence — This is huge and especially appealing to enterprises that write in-house software. The possibility exists to write one app that will run on Windows desktops, tablets and phones. (And Xbox, for all those enterprises that do Xbox deployments.)
• Security — There are numerous improvements here such as secure and trusted boot and remote lock and PIN reset. The PIN feature is just one a few that address the big pain points for help desks; in previous versions, a PIN reset requires a complete system reset.
• S/MIME for Secure Encrypted Email — The standard mail client can do signed and encrypted email under management of the Exchange server.
• Assigned Access — Lock a handset to a single app. This might be a good idea for enterprises to use with low-cost Windows Phones (and there are some very low-cost ones) in order to have rigid control of the device.
• Enhanced App Management — Enterprises can set up an app store ("private app catalog") and black/whitelist apps in the Windows Store. Enterprise apps can be pushed to the device, updated, removed or defined mandatory. Store apps can also be published in the enterprise store. As I discussed in a story yesterday, app deployment and management control is more flexible for Windows Phone than for other platforms.
• Certificate Management — Many enterprises use digital certificates for stronger user authentication. Now, using your MDM system and SCEP (Simple Certificate Enrollment Protocol) you can deploy these certificates to Windows Phone.
• Enterprise VPN and Wi-Fi — Like a lot of MAM (Mobile Application Management)/EMM (Enterprise Mobility Management) systems, Windows Phone supports per-app VPNs that are built-up and torn down on the fly for each invocation of the app (see the graphic below). Particular Wifi networks can be designated by IT for Mobile Data Offloading, so when they are available traffic will go through them rather than through the mobile network.

A white paper from MobileIron on Windows Phone 8.1 in the Enterprise actually goes into much more detail than what Microsoft has so far provided and includes interesting analysis. They expect significant interest from their enterprise customers in Windows Phone 8.1, particularly from those in regulated industries.

I spoke with Ojas Rege, MobileIron's VP of Strategy. He and the white paper point out important improvements not mentioned in the Microsoft blog. The management tools are better for all sorts of important characteristics: connections to corporate Wi-Fi networks; conventional system-wide VPNs; phone log support is improved so that help desks can get access to them to troubleshoot more effectively; there are even management policies to disable Internet Explorer, disable data access when the phone is roaming, and to disable Save As and/or sharing in Microsoft Office. 

It took a long time, till the third generation of Windows Phone, for Microsoft to put meaningful security features in it. But, then again, the same was true of Apple and Google. It wasn't till the third or fourth generation of iOS and Android till they started dealing with security, and arguably Google still doesn't.

This was obviously intentional. As I've said before, Microsoft seems determined to ape Apple's phone strategy. They're even making the phones now that they bought Nokia. Their app security and store policies are very similar, but with 8.1 they may be leapfrogging Apple, at least with respect to the enterprise.

What they've accomplished with Windows Phone 8.1 is to make the product appealing to IT in many ways. The heavy subsidies for Windows Phone models, much heavier than iPhones and even top Android phones, might make other powers in the enterprise welcome Windows Phone for large deployments.

In that sense, the most important thing Microsoft has to do in order to make their enterprise features successful, is to make their phones desirable, or at least acceptable, to end users. They know this too; it's why all the wiz-bang consumer features were announced early on BUILD day 1 and the enterprise features were announced later, and to much less fanfare.