With the recent news that Windows On ARM isn't going to support Active Directory, the question that immediately came up was "So if this is an enterprise tablet, how will I manage it?"
It turns out that while Microsoft hasn't explicitly given us an answer, it's given us enough pointers that we can put together a credible device management scenario for WOA. And surprise, surprise, it's built around tools and technologies that enterprises are already using, and that are being carried into the next generation of Windows Server and System Center. It also points to how Microsoft and its partners will be positioning WOA devices: as employee-liable hardware for use in businesses with Bring-your-own-device policies.
So how do we think it will work?
There's actually a very simple answer: the way Windows always has.
The domain model used by Active Directory isn’t the only management tool Microsoft has – we’ve had unmanaged devices connected to Windows networks since Windows for Workgroups, and partially managed since the early days of Windows CE and Windows Mobile. So it’s not surprising that the tools we’ll need to manage WOA are already part of a Windows sysadmin’s kit, and are most likely already being used.
If you've installed the Windows 8 Consumer Preview and connected the Mail app to an Exchange server you won't have been able to collect mail until you'd accepted a set of security policies. Exchange Active Sync policies are at the heart of Microsoft's multi-device management strategy. Available to any company that supports EAS, but baked into its Windows Phone platform (and now into Windows 8 via Mail), these policies let administrators control device features (including forcing hardware encryption for all stored data), user actions, and what applications can be installed. EAS also gives administrators the ability to lock or even remote wipe a device.
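As an added illustration of the policy controls just described (not code from the original article), here is how an administrator sets them up from the Exchange 2010 SP1 Exchange Management Shell: a policy that forces a device PIN, idle lock, hardware encryption and a failed-attempt wipe threshold, its assignment to a mailbox, a check of what each device has acknowledged, and a remote wipe. The policy name, mailbox and device ID are placeholders, not values from the article.

```powershell
# Added example (not from the article). Assumes an Exchange 2010 SP1 Exchange
# Management Shell session with the Organization Management role.
# "BYOD-Tablets" and "alice@example.com" are placeholder names.

# 1. Create the policy. RequireDeviceEncryption covers the "force hardware
#    encryption for all stored data" control; AllowNonProvisionableDevices
#    $false refuses sync to clients that cannot accept a policy at all.
New-ActiveSyncMailboxPolicy -Name "BYOD-Tablets" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowStorageCard $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a user. On the next sync the server hands the
#    client the policy and withholds mail until the client reports that it
#    has applied it; that is the acceptance prompt the Mail app shows.
Set-CASMailbox -Identity "alice@example.com" -ActiveSyncMailboxPolicy "BYOD-Tablets"

# 3. Verify what each of the user's devices has actually acknowledged rather
#    than assuming every client enforces every setting.
Get-ActiveSyncDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceModel, DeviceID, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# 4. Remote wipe one lost device, picked by the DeviceID shown in step 3.
#    <LOST-DEVICE-ID> is a placeholder for that value.
$lost = Get-ActiveSyncDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceId -eq "<LOST-DEVICE-ID>" }
Clear-ActiveSyncDevice -Identity $lost.Identity
```

The server only delivers the policy and records what the client says it applied; enforcement happens on the device, and not every client honours every setting. That is why step 3 reads `DevicePolicyApplicationStatus` back rather than trusting the assignment, and why `AllowNonProvisionableDevices $false` matters for a BYOD population: a client that cannot take the policy is kept off the mailbox entirely instead of syncing unmanaged.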
EAS's management tools aren't just for organisations using Exchange. Third-party management frameworks like Odyssey Athena and RIM's BlackBerry Fusion use EAS to manage Windows Phone devices, so it's easy to see them offering the same level of control to WOA devices – with no need to change their software to support a whole new class of device.
The one thing Microsoft doesn't currently do is certify EAS implementations on devices, though we've recently heard rumours of the company mooting such a scheme. That would be the final piece of the EAS side of the scenario, with organisations able to prove both that the devices on their networks are secure, and that they have an intrinsic manageability that meets the standards required by their regulators.
Delving into the realm of speculation, it's also possible to envision Microsoft extending the EAS management capabilities (with updates to System Center, to Exchange, and to Office 365) to add further device management capabilities that might otherwise have been delivered by Active Directory – for example prepopulating shares and certificates, setting up connections to DirectAccess and other corporate networking tools, and even setting up the redirects to the corporate update server and any enterprise links in the Windows Store.
Exchange 15 is due for release on roughly the same timescale as Office 15 and Windows 8, giving Microsoft the ideal opportunity to deliver an enhanced EAS alongside Windows 8. If there is an update, you can expect to see the same thing delivered through Office 365 – and licensed to other EAS partners, for use in mobile device management tools and in other cloud messaging services (including Apple's iCloud and Google's Gmail). Significant updates to EAS would also be likely to be delivered as an update to existing Exchange 2010 installations.
Another part of the story comes from the very Active Directory that isn't supported by WOA. If a machine isn't part of a domain, that doesn't mean that its user isn't part of one. As soon as a device they're using touches managed resources, they're subject to the restrictions associated with their user ID – so user-centric security tools like the new information management features in Windows Server 8 will work for users on WOA devices. With enforced server-side security (and support for IRM and other information-centric security tools baked into WOA and Office 15), there's plenty of scope for controlling users' access to data, and to applications.
If a user is managed, does it really matter if a device is unmanaged? We're in the middle of a transition from local data to cloud data, where users interact with services that can be anywhere – and where only their identity matters. In that model Active Directory goes back to its beginnings, as a user directory, where user roles and permissions are managed. Device management becomes a secondary feature, one that falls out of third-party tools and platforms like EAS (whether from a local Exchange Server, from a cloud service like Office 365 or Google Mail, or from a mobile device management server or service).
Microsoft has other management tools for machines that aren't part of a domain. These include its cloud managed service Intune, which includes tools for delivering group policies to devices and keeping them updated (and enforced). While it's unlikely to work with WOA – as it requires a machine-specific agent on every managed device – there's scope for some Intune features to become part of EAS. If a future EAS is able to deliver group policies to managed WOA devices, then there'd really be no need for Active Directory. Merging Intune and EAS makes a lot of sense, especially as a managed service solution for BYOD, and it would also make it easier to deliver an agentless cloud management solution for WOA – something that would be very attractive to the growing number of managed service providers out there.
What this all means, of course, is that despite dropping built-in support for Active Directory, WOA remains a manageable platform. EAS will handle much of the BYOD management requirement (especially the parts needed for regulatory compliance), while Active Directory will continue to be the heart of user-centric security implementations. With both parts of the management equation covered, it looks as though enterprises should have no worries about deploying WOA devices, or certifying them for use in BYOD schemes.