The next version of Microsoft's cloud PC management service will add mobile device management, including sideloading enterprise apps to iOS and Android devices. That's not ready to try out in the pre-release version you can sign up for now, but you can check out the new user interface and see how the Windows Azure Active Directory sync will work.
This is the first step of what Microsoft is calling 'people-centric' management, where you think about the people using the PCs and devices you're managing, and what they need access to, rather than starting by thinking about what features in Windows to lock down. With 'bring your own device' both common and a concern to many admins (the fourth biggest worry for IT professionals in an ISACA study this month), you're going to have to look beyond centralised PC management to a more holistic approach. Will Windows Intune be a key tool? Maybe — especially if you expect to have Windows RT tablets in your organisation.
The Intune portal gets a new, simplified look; there's also a second portal for managing users and groups that looks just like the Office 365 portal, and a third portal for end users with a simple Metro interface. The front screen of the portal makes it easier to see alerts and warnings, with a 'top three' list that you can sort by date, category or severity. What Microsoft counts as severe doesn't always match what you count as severe, so you can change the level of a specific alert.
Choose how important different alerts are to you
Another minor but welcome change takes the summary of all the PCs you're managing and moves it from a report buried deep in the interface to the site's front screen. You can now get a report showing which PCs are up to date with patches and which have tried and failed to install a patch. And you get the details of smartphones and tablets that you're managing too (or at least as much information as the phones provide, like the operating system version and some hardware details). You can't get a list of what software is installed on a phone or tablet the way you can for an Intune-managed PC — not only do smartphone operating systems not let you find that out, but it wouldn't make you popular with the users (or as Microsoft would put it, people) whose devices you're scanning.
Filter what you see in reports and see which PCs have the latest updates
The mobile management piece, for iOS 4.0 and Android 2.1 and above, lets you set the same Exchange ActiveSync policies you can set today from Exchange, but you can do it in the same place you're setting policies for controlling PCs, and with the same users and groups of users. You can choose the recommended settings (devised by the security accelerator team at Microsoft) or go in and customise the policy.
Pick the Recommended Settings for what you should be doing
You can set policies that apply to devices by type, or to users — who can be members of groups you create specifically in Intune, dynamic groups you create using rules such as PCs with specific hardware, or groups you've already set up in Active Directory. The current version of Intune doesn't know anything about AD, and in the past Microsoft has talked about it as a tool for companies that don't have AD. But now it's turning into a way to use AD outside the framework, on devices like phones that can never join the domain — as long as that device's user has an account that can.
Mobile device management supports simple EAS policies
As well as basic mobile device management (like 'only phones with a strong password and encryption can get email from Exchange'), you can use Intune to sideload custom apps on phones and tablets — although you can only make apps available, not install them automatically the way you can on a PC. At the Microsoft Management Summit, Brad Anderson — Corporate Vice President of Microsoft's Management and Security Division — talked about linking to apps that are in the App Store and Google Play as well as the Windows Store: "we're deeply integrating with the Apple App Store, as well as with Android. We're doing things like giving you the opportunity inside of the administrative console to do deep-linking into apps... as your users log in with their Active Directory ID they see the icons that appear for those applications".
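The baseline policy the article describes ('only phones with a strong password and encryption can get email from Exchange') is, on the Exchange side, an ActiveSync mailbox policy. The script below is an added example of the equivalent on-premises Exchange 2010 SP1 configuration, not code from the article or from Microsoft; the policy name, group name and numeric thresholds are assumed values.

```powershell
# Added example: the on-premises Exchange 2010 SP1 equivalent of the Intune
# mobile policy described above. Policy name, group name and the numeric
# thresholds are assumptions, not values from the article.

# 1. Create a policy requiring a strong password, auto-lock, wipe after
#    repeated failed unlocks, and device encryption. Refusing
#    non-provisionable devices is what turns the policy into "only phones
#    that can meet this get mail" rather than "best effort".
New-ActiveSyncMailboxPolicy -Name "Intune-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to the members of an (assumed) group of mobile users,
#    which mirrors applying an Intune policy to a user group.
Get-DistributionGroupMember -Identity "Mobile-Users" | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "Intune-Baseline"
}

# 3. Verify: per device, which policy was applied, whether the device
#    reported applying it, and whether it is allowed, blocked or quarantined.
Get-ActiveSyncDevice | Get-ActiveSyncDeviceStatistics |
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, DeviceAccessState
```

The last query is the check worth keeping: a device whose DevicePolicyApplicationStatus is not AppliedInFull is exactly the one Intune's device report (described above) would also flag.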
The Windows Store integration will arrive first in a future version of the on-premise System Center 2012 Config Manager (Windows 8 support in Intune will come after Windows 8 ships). The iOS and Android deep linking is something Microsoft has planned, but it hasn't announced where we'll see it. What the next version of Intune will have is a way to distribute your own internal iOS and Android apps by uploading the app packages (and, for iOS, the policy manifest file); corporate users can download them from a self-service portal where they can also ask for support or add and remove devices from Intune (if they get a new phone, for example). The app files are encrypted and stored on Windows Azure, and your Active Directory is reflected up into Azure to authenticate users who download the apps.
This is where things get a little frustrating. You won't be able to use the new version with Office 365 or Exchange Online, just with versions of Exchange that you run on-premise. And you can't yet download the connector for Exchange that lets you manage mobile devices or sideload apps, because Microsoft doesn't want you trying out a pre-release tool with your production Exchange environment. The Exchange connector will be ready when the new version of Intune is released, but Office 365 support won't come until a future version.
End users get other options in the portal (especially if they look at it from a PC rather than a phone). They can wipe a device, but they can't lock a device if they're not sure where it is. Locking is a less drastic step than wiping, so offering it encourages people to lock a phone they may simply have left at home, instead of waiting until they get home to check. There isn't the option to look at the location of a phone either (something Apple lets you do from the web), so this isn't a one-stop shop for what users need. We'd like to see improvements here to make it more useful, and to encourage users to do the right thing.
There's no extra charge for managing mobile devices; for every user you manage in Intune, you can manage up to four devices too. The price of Intune isn't going up either, and it's worth noting that the Intune licence gives you the rights to the most recent Microsoft operating system, so Intune users will get a Windows 8 licence when it comes out. Microsoft isn't going into any details about what Intune will do for Windows 8 until Windows 8 comes out, but as well as the same management options you already have for Windows 7 we're expecting the ability to manage ARM-based Windows RT devices. Windows RT includes a management client that Microsoft says "can communicate with a management infrastructure in the cloud to deliver line of business apps to users", which sounds very like a future version of Intune. (We don't know if a Windows RT device will count as a full Intune user or an associated device for licensing.)
Because Intune is a cloud service, Microsoft can update it quickly — the next version will be the third release in a year. It's nowhere near as powerful as System Center, but it doesn't require PCs to join the domain or log onto a corporate network to be managed. The incremental improvements are certainly welcome; the mobile management tools are similar to what you can already do in other systems, but it's definitely more convenient to have all of this in one usable interface. And extending Active Directory to a much wider range of devices than PCs could turn out to be just what enterprises want without upsetting their employees too much, as well as key to managing Windows RT.