Obviously, we only jump into a trend when it’s near or at its peak, and the same is true for mobile management. Years ago, niche vendors like Good Technology and Zenprise, along with startups like MobileIron and AirWatch, pioneered the market. Today, many major vendors, including CA Technologies, Citrix Systems (which acquired Zenprise), Dell, EMC VMware (which acquired AirWatch), IBM, and Microsoft, are actively promoting their own mobile management tools. As major manufacturers have entered the mobile device management (MDM) market, the field itself has been defined as the mobile category we know today. Tablet devices include the iPad camp, which pioneered a new concept, and the "deconstructed laptop" products, half smartphone and half notebook, vigorously promoted by Microsoft and other Windows device manufacturers. For some users, tablet devices are enough to completely replace laptops, while for others, tablets are just a supplement to existing computing devices. In any case, the boundary between computers and mobile devices is becoming increasingly blurred. Even where there is a clear division of labor between devices, users still tend to use multiple devices to handle daily work. Seemingly overnight, it has become difficult for administrators to manage devices by cleanly dividing them by hardware platform, as they used to: password, access and other management policies now overlap heavily, whether or not the relevant tools are ready. In view of this, MDM has begun to move from a purely mobile scope to cover anything and everything that users may use for access: smartphones, tablet devices, computers and even cloud desktop services. Some of these may be owned by users themselves, some by enterprises, but in most cases, they are a mixture of both. 
The types of operating systems involved are also diverse: different versions of Windows, OS X, iOS and Android are essential, and there may also be Linux, Windows Phone, Chrome OS and BlackBerry OS mixed in. But achieving this unified client management state is not easy. The underlying technology used on different clients varies greatly, which directly affects security, manageability, and how these two prerequisite goals are achieved. In addition, vendors will also choose different development paths to meet their actual needs. For example, large enterprises have decided that in the near future, the state of PCs and mobile devices going their own way will be completely ended and devices will be managed in a unified way.

When it comes to management, Windows is like no other

What capabilities does a tool need to have to achieve unified management? In fact, managing the various devices in the Windows camp requires completely different technologies and investments from managing other popular operating systems. The reasons for this are long-standing and far-reaching: "In the field of mobile devices supported by operators, we don't have to worry too much about the operating system - the operator will help users solve such problems. But Windows is different. We always need to have full control over it," recalled Neal Foster, executive director of product promotion of Dell's mobile management department. Apart from Windows and BlackBerry's traditional BES, the other typical solution is to add a payload containing management policies to the device. The device then enforces the relevant policies through its standard API. CA's Varadarajan calls this a single-form mechanism: we push out the policy package, and the device executes it and "digests" the relevant payload as it receives it. 
When the device later tries to access our servers, a corresponding check verifies whether it has actually adopted the correct management policy, and if it has, it is let through. This type of payload is great for managing mobile devices because you can manage them equally with or without connectivity - yes, even without connectivity, the device is still managed, so you don't even need to have a secure space for policy delivery up front. However, this approach is weak in terms of governance, as you can't audit compliance and you only know about it through reports when the device tries to connect. Apple and other vendors have gathered a large user base for payloads, but some industries still need continuous assurance capabilities. Windows is a completely different world, where computers are protected by trusted firewalls and never leave the trusted network - in fact, such computing devices are considered access points rather than occasional visitors. The root of all this is the domain management system formed by Active Directory and System Center. Of course, over time, laptops have become popular, and management in the Windows camp also needs to provide more convenient external network access capabilities - usually using a VPN to extend the trusted network over the Internet. Domain-joining solutions allow more proactive measures between clients and servers, and also provide better continuous auditing capabilities. However, they perform poorly on computing platforms such as mobile devices, which log on and off frequently, which explains why even Microsoft itself has not pushed domain-joining mechanisms to Windows Phone and Windows RT. "Domain-joining exists as a prerequisite for PC devices," said Dell's Foster, "but as more and more PCs are no longer connected to the domain, this prerequisite is no longer available." 
That is, Microsoft did not use the domain join mechanism in Intune, its management tool for mobile devices. Instead, the tool installs a client application on the PC device to handle the payload, and then configures the Windows system environment and builds a secure space accordingly - this approach is similar to the sandbox solution implemented natively in iOS and OS X and on Android using third-party software. Over time, the payload scheme is likely to become a standard, even in the Windows camp. Microsoft's Windows OS development team declined to share its views on management issues, and the server development team declined to communicate with the OS team. However, "In Windows 8.1, users can manage PC devices like mobile devices, such as adding agents to implement System Center functions or directly using management APIs. Windows RT also supports this management method," said Andrew Conway, Microsoft's director of product marketing for Windows Server and System Center. However, the upcoming Windows Phone 8.1 will support the domain joining mechanism, so Microsoft may also be trying to retain both methods and see how the market reacts.

The road to unified management

Of course, the pioneers in the MDM field have recognized the trend toward unified management, and some of them have already included the Mac in their mobile solutions - the reason is simple: Apple has begun to provide a large number of unified APIs across the iOS and OS X platforms to simplify product operations. Many partners and other suppliers have begun to launch PC and mobile device management solutions that are not truly integrated. Products of this kind, simply pieced together from different components, can only achieve partial sharing or coordination of management policies. But the most active vendors are working to reconcile the desktop and mobile worlds into a universal management environment, including asset tracking and even security policy enforcement. 
The reason is simple: these mainstream vendors usually already have tools for Windows environments, so they are equivalent to supporting most client devices in the workplace. The next step is to provide IT departments with a familiar experience starting with Windows PCs. (Microsoft says that 70% of enterprises currently use System Center as the preferred management solution for Windows PCs.) These products can range from pairing two separate products based on commonalities - such as policy sharing or a common management console - to a single tool that handles the differences between different clients in the background. Most companies still prefer to have two separate teams to manage PCs and mobile devices, and a single tool approach is only possible after companies give up this isolation mentality. "Most organizations don't use the same team to manage desktops and mobile devices. Desktop management has been around for a long time, and PC management is considered a normal business activity. Mobile is new and has been left to a separate team," said Ram Varadarajan, general manager at CA. "We haven't seen many real-world examples of a single management system being widely adopted, but it's a phased trend," said Dell's Foster. This puts management vendors in a classic chicken-and-egg dilemma. As it stands, mobile devices are managed differently and by different teams than PCs. Mobile devices quickly became part of the Exchange domain admins’ radar, with email as an early use case, and Apple made Microsoft’s Exchange ActiveSync protocol its default management technology—a path Google has followed with Android. As a result, IT organizations often choose two tools to manage PCs and mobile devices, even if they always have unification as the ultimate goal. "We have seen a general trend toward unification," said Microsoft's Conway. 
"Most enterprises no longer want to be bothered by these mobile silos and prefer to treat all computing devices as the same," explained CA's Varadarajan. However, the unified tool still does not bring much practical significance before the actual integration of the responsible IT teams. Of course, the first step is for the IT department to centralize the management team and provide all existing alternative tools to the integrated unified team. From here, the IT department can then consider replacing the original independent tools with the unified management tool provided by the vendor. CA, Dell and Microsoft are all good candidates to rely on and are worthy of reference for management solution providers in their attempts to move towards unified management. Perhaps the suppliers you are considering or have already started to collaborate with are following the established routes of the above mainstream companies. CA is working towards a single console for all management, Varadarajan said. The platforms differ primarily internally, and that's where the platforms share management policies and is easiest to unify -- even if the actual implementation differs. "We've seen a common management tool for OS X and Windows. iOS and Android are not as different as they used to be," he said, suggesting that unification is less challenging than one might think because the platforms are already converging on some key attributes. "Yes, the approach and implementation may be different, such as using different types of agents for Windows, OS X and mobile, but they're all doing the same thing." In other words, vendors need to fork their own tools internally. "Forking is a very underrated skill, and it really drives the unification process to the next level," Varadarajan said. For example, "OS X and iOS use a lot of the same APIs, but with different semantics. 
I expect the same to happen with Android PCs in the future, and I believe it will happen with Windows in the future - after all, there are already huge differences between Windows Phone and PC Windows." Of course, some management policies still don't apply directly to some devices, but unified tools will identify these situations and ignore them, while also noting those policies that can't be deployed to specific devices. The most common example of this is Apple's OS X Server, whose management console divides its management policies into three categories: iOS, OS X, and iOS and OS X. Enterprise-level tools can handle these situations in more detail, but there is no way to completely solve them. Varadarajan also pointed out that the client is not the only obstacle in front of us on the road to development. We also have servers and network devices, which can also play a huge role after the device is connected, such as monitoring traffic, verifying access and executing management policies directly on the server side. Back-end management is the key to a unified device management solution, because all devices need to operate through the back-end - the back-end can be said to be the gateway to the enterprise information and services field. Microsoft is taking two approaches to unified management: first, expanding its traditional System Center to the new world of mobile, where people log in and out frequently; and second, offering a payload-oriented tool called Intune. Of course, the two are not mutually exclusive. Intune can also be implemented on PCs through client applications, not just mobile devices, but its main use case still favors the latter, Microsoft's Conway pointed out. System Center, which is mainly for PC devices, can be combined with Intune on mobile devices, so that System Center can focus on asset management and configuration, while Intune focuses on security and device management policy deployment. 
The release of Windows 8.1 marks that Microsoft's PC operating system has begun to follow the development direction set by Apple in the OS X Lion era: using APIs to implement mobile, payload-based management mechanisms. Dell's solution is the most traditional: it includes a large number of targeted tools for different management needs, some for mobile devices, some for PC devices, and some for both. Customers choose the right tools for their needs, whether or not their relevant teams have completed the unified transformation, and Dell provides consulting services to help customers integrate tools according to their specific needs. "We find that the actual situations of customers vary greatly, so a lot of customization work needs to be done, and this is where our professional services space comes in," explained Dell's Foster.

Unified management does not mean managing a unified technology stack

The computing world is characterized by heterogeneity, with a multitude of different types of devices, operating systems, applications, and services. The days of everyone using a standardized PC and a standardized set of operating system images plus applications are long gone—now is the time to "make the world anew." "We have to accept this heterogeneity. If people are unhappy or even annoyed by this heterogeneity, then nothing will change," said CA's Varadarajan. Cloud storage is a prime example of this, Dell's Foster said, citing Office 365, Google Drive and Apple's iWork. "But no one tool is the best of everything, so you need to mix and match." The same mix and match applies to apps, devices and other services, as no single platform dominates all of them. This is unlikely to change for a long time to come, especially as technology solutions become increasingly customized—there is rarely a "best set of tools" even if the intended results are similar. The idea of a universal management solution for all devices, apps and services is a pipe dream. 
But that doesn't mean IT should give up on the pursuit of uniformity. What IT needs to do is expand its focus, and a universal management strategy is one way to do it. There are other options, of course. "The best practice that has been adopted is single sign-on, represented by OAuth and SAML. With this approach, you no longer have to control the proxy mechanism, but first manage the access itself," Foster said. People match this high-level standard with what Foster calls "endpoint state" and then incorporate the two into a common policy framework to build access permissions based on roles and other factors. Ironically, the path to unified management is also characterized by diversity and heterogeneity. The various specific tools currently on the market are sufficient to build a complete single management mechanism, but the specific construction tasks still need to be completed by vendors and IT departments in their own way.

English: http://www.infoworld.com/article/2608380/mobile-device-management/mobile-device-management-mobile-and-pc-management-the-tough-but-unstoppable-union.html