Share

Modern Desktop Management – Shift your Mindset, Not the Workload

Recently I was involved in a discussion in a Facebook group that asked the question “How do you find Intune suits your needs today?”. The person asking the question continued to elaborate with some detail about how they tried to transfer their existing Windows 10 configuration, policies and customisations from their on-premises environment to Intune, and everything fell in a heap. They deemed Intune was unable to do what they wanted and therefore too complicated. The overall light in which Intune was painted was that it isn’t fit for purpose.

The discussion brought to light a very important point regarding modern management, and this article elaborates on the context I put forward in which modern management should be viewed. If you’re in a position where you’re trying to explain modern management to someone, I hope this article can assist you.

How did we get here?

Modern management requires a change in how we think about information technology. I know this has been covered many times by other blog posts and Microsoft slide decks, but there are still many organisations out there who are trying to get their head around the concept; or are having trouble articulating the concept to their stakeholders and management.

Classic IT

Firstly, we must understand how IT has evolved over the last 10-15 years. We can think of this past period until recent times as “Classic IT”.

In the days of Windows XP and Windows 7, most users had desktop PC’s or laptops that were predominantly used in a fixed location, and more than likely this was their only work device. The company owned it, and it was joined to the corporate domain network. The device was heavily managed by group policy, users were locked down in the environment, applications were deployed by configuration management tools such as SMS, SCCM, Tivoli/BigFix or Kace. If those endpoint management services didn’t exist maybe a desktop support person would need to use a tool like TeamViewer or VNC to shadow the users’ session and install software on their behalf. Typically, the application would be an MSI or a setup.exe that needed to be run as an administrator and would require further user input for configuration settings. The whole process was high touch, reactive and involved many steps (some manual) to execute the workflow.

Classic IT

The Transition – Then to Now

In 2007 something amazing happened. Steve Jobs announced the Apple iPhone. Many hardware vendors had tried to introduce mobile devices before in the form of tablet PC’s or hand-held devices that required a stylus for input. Some tried slide-out keyboards (I’m looking at you iMate JasJam/HTC Tytn II) with limited success. But none of these devices set the world on fire like the first iPhone did.

Regardless of whether you like Apple or not – the iPhone kick started a push for user friendly, software driven devices. It put usable technology into the hands of anybody who could afford one, regardless of their prior computer literacy level.

People started using mobile devices not only for personal use, but now they were bringing them to work – connecting their email app to the corporate mail server, opening documents and replying to instant messages. All of this powered by an explosion of broadband internet capability around the world. 3G wireless connectivity gave way to 4G wireless wide area networks. Broadband internet became cheaper and cheaper, with more download quota, or no quota at all. People started working from home. As time went on people began not only using their mobile phone, but iPads, Android tablets, Surface Pro’s, laptops, their old desktop PC, etc. They were using SkyDrive/OneDrive, Dropbox, Send Space, Rapidshare, Evernote, OneNote; and the list goes on. All these applications are freely available and easily accessed with an internet connection.

Having access to technology without being chained to a desk, fast internet from just about any location, and a myriad of internet-based services to make life easier have changed the fundamental way of how and when people work. While this has been great for productivity, employee flexibility and investors in Apple (AAPL) stock, it has also opened a pandoras box for organisations.

The Problem

How do you control a device that is not connected to your network, isn’t part of your domain, and you may not even own? That old “Classic IT” model is now almost impossible to apply.
Suddenly users and more importantly, your enterprise data, are now on a device that can be anywhere, attached to any network. The common point of interconnect is no longer the corporate LAN in a shared trusted location, but the global public internet. Yes, devices may come back to the corporate network from time to time (or even everyday), but what will they bring with them? Has the device been compromised while it was away from the network? How can you ensure someone is who they say they are when they are accessing your corporate resources?

It’s easy to see the conundrum organisations are faced with in this new world. The traditional IT model that’s worked well for so long is suddenly a square peg trying to go into a round hole.
This lack of control over data, identity validation and device compliance can expose organisations to data theft, embarrassment, brand damage and loss of confidence by peers and the public. These are very hard to recover from (if you can recover at all) – and doesn’t even consider the financial impact of such an event.

So how can Modern IT solve this?

Where we are today can be considered “Modern IT”. The end user technology landscape has changed and is defined by the following characteristics.

Modern IT
The devices, applications and services we use today are incredibly diverse. Almost every user has more than one device they access corporate services on, and these devices are commonly from different vendors, running different operating systems. Updating of the device is handled by the vendor whether that be iOS, Android or Windows 10 (we’re all familiar with the cumulative update and feature update release cycle now). More and more applications these days are run from the cloud, and users expect certain freedoms of choice around what they can do with their device. Users want to be able to access corporate resources, but don’t want their employers locking down their device or disabling some other capability of their access unnecessarily.

The line between work/personal device and work/personal data has been blurred. Classical management techniques are not capable of abstracting the difference and applying the intelligence required for today’s modern IT world.

And it is because of that exact reason why a “lift and shift” approach of on-premises policies, applications and security restrictions to a cloud-based platform (such as Microsoft Intune) will be certain failure.

Shift the Mindset – Not the Workload

The point of Intune and cloud management is not to micromanage the endpoint. Locking down a device and controlling everything through access control lists and group policies is the old way. The thinking around security has now shifted higher in the stack. It’s not just about the device and the user profile, but also securing identity, access, the applications and the data. These are things group policy just can’t cover.

This is a huge shift in thinking and may even be challenging to accept for some of you reading this, however; let’s break this down into three parts as to why this change in thinking may not be as big of a challenge as it seems.

Security Management

The elephant in the room and my first point. Organisations felt the need to lock down their environments in the past using Group Policy Objects (GPO) in the name of security. GPO becomes irrelevant once you look at the modern management strategy. There were two things GPO’s were used for; applying security settings and doing things on the user’s behalf (e.g. drive mappings).
In modern management, security moves higher up and is applied at the data, network, application and identity levels. It’s not so much about the device and restricting what the user can/can’t do anymore. Sure, you may have some compliance settings you require (such as the device isn’t allowed to be jailbroken), but security in the context of modern management is no longer about preventing the user from looking at the system files. It’s about validating authentication and protecting data. This is performed several ways:

  • Conditional Access (grant or deny access depending on where the request is coming from)
  • Multi-Factor Authentication (require additional authentication when outside a trusted location)
  • Information Protection (data classification to prevent unauthorised access to information)
  • Application Management (Apply application specific security restrictions e.g. disable copy/paste, screen shots, require even further authentication etc)
  • Device Security (compliance, encryption and configuration settings for the device)

Historically any security or configuration changes applied through group policy were necessary for old applications. Many applications these days are SaaS applications, which removes the need for such settings to be locally applied.

Yes, I am aware there are still many organisations out there that run some specialised application that hasn’t been updated in 10 years and there is still only an MSI or setup.exe installer available. I am also willing to bet that these same organisations are looking forward to the day when they don’t need to deal with that application anymore. Quite possibly that application is what is holding them back from moving forward in their IT strategy. My advice in this instance is to question the viability of continuing to use such an application like that, especially when it comes to compatibility testing and how the vendor will continue to support that application.

Access to Local Resources

I get asked this question a lot. “How can I print to a printer right next to me if my devices & identity are in the cloud?” Again, this is a departure from how we’ve thought about IT for decades.
Traditionally a local resource needed local identity authentication to use it. These same local resources, whether they be file servers or printers can still be accessed in the modern management world.

Many people don’t know this but when you are on the corporate LAN, you can authenticate to local resources via Azure AD. There is a catch though – you must have a Windows Server 2016 Domain Controller with line of sight to Azure AD. That means, no firewalls or proxies that may get in the way to make a mess of things. Without getting into the weeds of detail – this is how it works:

  1. User logs into Windows 10 – credentials are validated against Azure AD.
  2. Azure AD authenticates the user and sends back a Primary Refresh Token (PRT) and an ID token. The ID token contains 3 attributes (sAMAccountName, netBIOSDomainName and dnsDomainName).
  3. Kerberos picks up these 3 attributes and uses the dnsDomainName to find an on-premises domain controller via the DC Locator process. If a domain controller is found the sAMAccountName attribute is used to authenticate against it.
  4. When domain controller authentication occurs, a Kerberos Ticket Granting Ticket (TGT) is returned to the user and is held in cache by Windows 10.
  5. When a user attempts to access local resources (File/Print Server, Web Server etc) authentication occurs through Windows Integrated Authentication and they get access.
    Of course, the usual song and dance here would be to move data into SharePoint Online or OneDrive, but I realise this may not be possible or realistic for a lot of organisations. But using the above method to access these resources on-premises is a good alternative.

Device Management & Customisation

iOS and Android really come under Mobile Device Management and in the context of Intune these can be managed through security policies and Microsoft Application Management (MAM) policies.
When I say “device management” I’m really talking about Windows 10 here because Windows 7 & 8 were architected before “Modern IT” was a thing. Most of us are familiar with the traditional wipe & load methodology of deploying an operating system. We capture a master image that has applications built-in and deploy it on-mass. There may be issues with drivers, customisations, answer files, PXE booting, vendors changing chipsets on motherboards half way through a procurement cycle, Java suddenly wanting updates again even though it shouldn’t be asking for it…. I could go on. This way of deploying an “SOE” worked well for its time, but it still involved a lot of effort and trouble shooting. I mean…it’s better than finding a CRC error on floppy disk 20 of 21 when you’re installing Windows by hand; but these days, refreshing an operating system should be a process, not a project.

This is where Windows 10 becomes the foundation of modern management in the enterprise. Windows 10 is the last of the OS deployments and for good reason. It is now provided “as-a-service” borrowing the same in-place security and feature update style as iOS and Android. I won’t re-cap all the details about update cadence (you can read about that in the hyper-link just above), but what I do want to touch on here is OS customisation.

Again, many organisations still feel the need to customise the operating system heavily. It must have a certain wallpaper, the service desk phone number must be in “Computer Properties”, icons must be arranged in a certain way etc. In modern management users can setup and configure their machines how they want. Things shouldn’t really be enforced on the user unnecessarily. Naturally, you may have requirements for a corporate standard wallpaper, so nothing that can be considered offensive or “off-brand” can be seen on a corporate owned device. Or you may wish to deploy an internet browser homepage or a Wi-Fi certificate for the user just to save them some trouble. But all those little niggly customisations like pinned icons, desktop shortcuts, service desk phone numbers & support hours, forced locale etc – are they really required? I’ve never come across a business that folded because there wasn’t a desktop icon for an installed application.

When thinking about customisations, consider the following.

  • Does this customisation enhance IT security?
  • Does this customisation protect the company brand and reputation?
  • Does this customisation empower the user?

If the answer isn’t “Yes” to at least one of those questions – you don’t need it. And here’s a fun fact… if you look at all the security, compliance and configuration policies you can do in Intune now, you’ll probably notice they are aimed at enhancing those three things.

Take Away

Modern management is a new concept many organisations are still coming to terms with. It is a revolution in IT management methodology that takes time to implement. There is no single switch to make this happen overnight. It requires cultural change, which is not easy to do. It also requires a level of IT and organisational maturity to be successful. But it is here now, and it is not going to go away. The Anywhere Workplace and remote access to corporate applications and resources is going to become even more common place than it already is.

“Work is a thing you do, not a place you go”.

Like all big changes, it’s best to break it down into smaller, more manageable steps. Modern management is a journey that will see you slowly but surely unshackle yourself from old management platforms and put your management where your users now are – the cloud. This will then open the doors to do things you’d never dream of doing on-premises before. I like to use the example of conditional access and multi-factor authentication. To do that on-premises was an incredibly complex and expensive task. Now it’s a tick box.

Keeping It Real

Throughout this article I’ve made modern management sound like the magic silver bullet to everyone’s problems. I realise it isn’t and there are still some gaps; but these gaps are shrinking every day. Microsoft for example continues to add an incredible number of new features to Intune every week. The speed at which the platform is developing is mind blowing. I look at it nearly every day and I have trouble keeping up. I tell a customer “Oh yeah Intune can’t do that yet”, and then 2 weeks later it can.

Even so, I understand there will still be some organisations out there who CANNOT move to cloud management. This may be because of the applications they use, some regulatory requirement, or even some political battle with end users. I’ve heard stories of end users saying things like “If you want to push applications to me at home and use my internet – you should be paying for at least part of my internet bill.” etc.

These are all challenges outside the technical capability of modern management. But are challenges nonetheless.

Modern management is a new concept and we are still in the infancy of this concept. The noise of “Intune can’t do this, can’t do that” sounds very similar to when computer virtualisation first started coming out. “VM’s are slow”, “No way is this as good as a physical server”, “This can’t handle my workload”, “This application isn’t supported in a virtual environment” – and so on. But look at where we are now. Now it’s weird if something ISN’T virtualised.

Modern management is the same. It’s early days, but the onset of it will happen much faster than when virtualisation consumed the world. It may not be for everyone this minute, but it’ll get there, and it’ll happen a lot faster than you think.

Conclusion

You know what they call it when users take matters into their own hands and IT departments can’t keep up? They call it “Shadow IT”. Modern management puts a lid on that and helps you uphold enterprise security standards while allowing users the benefits of this modern world.

I’d encourage all IT Managers to start planning their journey towards modern management. Don’t try to “lift and shift” your current environment to the cloud – it simply will not work. Start looking at things like SCCM co-management, Windows 10 and Intune. Start a proof of concept and start gathering telemetry and data about your environment. See who’s using what and how they are using it. Keep up communication with users and make sure they have a say. See what workloads you can move to the cloud and what applications can be moved, retired or cut over to a SaaS version. If you need assistance, Data#3 can help. Little by little you’ll make the journey happen, and it all starts with shifting the mindset.

If you would like to know more about starting your modern management journey, or maybe you already have but need help progressing it, please feel free to contact me.


Contact us

Tags: Cloud, Mobility, Microsoft, Microsoft Windows 10, Security, Shadow IT, Mobile Device Management (MDM), The Anywhere Workplace, Cybersecurity, IT Lifecycle Management, Managed Services, Cloud Security, Microsoft Intune, Project Services, Microsoft System Center Configuration Manager (SCCM), Modern Desktop Management, Device Management

Featured

Subscribe to our blog

Related

Customer Story: Software Portfolio Management Solution

Data#3 helps Resource Customer Prepare for Transformation with Software Portfolio Management Solution Objective The resources industry accounts for six of…

Customer Story: Fiji National Provident Fund

Fiji National Provident Fund Gains Visibility of Devices and Software Licenses   Objective To better manage its Microsoft licenses, the…

Customer Story: A Digital Transformation Story

Digital Transformation solution helps staff serve their community Objective The customer organisation utilised a range of operating systems across the business,…

Customer Story: Non-Profit Organisation

Microsoft as a Service supports non-profit organisation in move to cloud Objective With a core responsibility in supporting not-for-profit organisations,…

The Future Asset Management Considerations for COVID-19

In our last blog, we took a look at the current state of asset management as organisations rapidly implement strategies…

From the coalface of consumption-based IT

Just before COVID-19 brought international travel to a standstill, I was fortunate enough to attend HPE’s GreenLake ‘Consumption…

The Here and Now of Asset Management Considerations for COVID-19

As more and more organisations are rapidly moving their workforce to work from home (“WFH”) on a large scale,…

Azure Resource Tagging
Masterclass Episode 1 – Microsoft Azure Resource Tagging

Welcome to Data#3’s five-part series focusing on the detail outlined in our recent blog, which covers our top five…