Date post: 09-Jan-2022
Modern Endpoint Management: Why ‘built in’ is better than ‘bolt on’

Table of contents

03 Introduction

04 The evolution of mobile management

05 The modern management model

08 A modern desktop, built for modern management

12 Making the transition

14 Conclusion

Introduction

Managing endpoint devices in today’s enterprise is an increasingly complex—and often frustrating—activity. The modern workplace is defined by a diverse mix of desktops, laptops, tablets, and smartphones, spread across a wide variety of locations, used for many different purposes.

This complicated landscape has made it difficult for IT leaders to rein in burgeoning support costs and keep users current with the latest apps and functionality. Perhaps even more importantly, uneven management of endpoint devices increases security risk, because it’s impossible to ensure that all devices are up to date with the latest patches and protection. IDG’s 2019 Security Priorities Study found that improving protection of confidential and sensitive data is the No. 1 priority for nearly 6 in 10 IT and security professionals. Protecting data ties directly to better device management.

The traditional answer to this challenge—strict policies that limit access to corporate networks, applications, and data—has given rise to another IT pain point: frustrated users. Employees have grown accustomed to seamless access to information from their personal devices; they want the same seamless experience at work. IT teams are sympathetic: In IDG’s 2019 Digital Business Study, IT leaders said improving worker productivity is a critical component of digital transformation, and IT managers said improved employee productivity is the most important metric for measuring digital business success.

To address these ongoing challenges of the modern enterprise, IT teams need a modern approach to device management, one that seamlessly integrates all components, from the chip to the cloud.

The evolution of mobile management

Mobility management is a historical jumble of acronyms, from MDM (mobile device management) and MAM (mobile application management) to EMM (enterprise mobility management) and, more recently, UEM (unified endpoint management). These terms all share a primary goal: provide a comprehensive, yet streamlined, view across endpoint devices to help IT teams more effectively manage policies, applications, and updates.

The need for a more modern endpoint management approach, featuring streamlined policy enforcement, is driving the emergence of UEM. Analyst Jack Gold expects enterprises to embrace UEM to eliminate the overlap between mobile and PC management solutions.

The full benefits of modern management come from wiping the slate clean with a pure form of cloud-based management. It’s a built-in model, with tightly integrated functionality from silicon to cloud, versus simply bolting on a series of increasingly complex solutions.

“If you are not viewing endpoint management strategically, and not preparing for the next phase in capabilities, you risk putting your company on a path to reduced productivity, increased threat surface, and higher TCO,” Gold writes in Computerworld.

The cloud plays a critical role in this transition to modern mobile management.

The modern management model

Traditional endpoint management assumes every device IT manages is owned by the organization and is connected to an on-premises network. Group policies lock down how each user operates the device assigned to them.

IT teams often struggle, however, to keep up with growing security threats and the increasing speed with which operating systems and applications change. As a result, they are frequently reactive—fixing problems—instead of proactively adding features and functionality that enhance the user experience instead of inhibiting it. IT may also be hamstrung by confusing or outdated policies that were instituted by previous management, further increasing overall IT complexity.

Users, for their part, are giving IT an earful about what many see as an overly restrictive approach. Today’s workforce is accustomed to an established smartphone/app ecosystem that provides a steady flow of new capabilities and their choice of easy, intuitive devices and apps. They want a seamless start-up experience when they receive a new device and more self-service options for customizing their experience. They also want the technology to adapt to their work style instead of being required to modify their own behavior. In other words, they want the technology to fade into the background while they go about their day.


Microsoft helps IT teams address these challenges through a modern endpoint management approach that leverages three core components: Azure Active Directory, Intune, and Microsoft Surface.

Intune is the platform for managing Surface and many other modern endpoints, including employee-owned devices. Intune integrates with Azure Active Directory for identity and access control, and Azure Information Protection for data protection. Intune, combined with Windows 10’s System Center Configuration Manager (SCCM), makes it easier for IT administrators to set policies for controlling access to specific apps without controlling the entire physical device. Intune also allows for self-service capabilities, ensuring that users can easily access the apps they need while reducing the burden on IT.

Azure Active Directory helps administrators assign and manage application privileges via existing groups in Active Directory. It includes features such as Conditional Access, which protects services in multiple ways, including multifactor authentication, and can include policies to take appropriate mitigation or remediation actions automatically when a user or sign-in is flagged as risky.

Microsoft Surface devices are designed for modern management, providing the optimal balance of productivity and security while also lowering TCO. A recent Forrester Consulting study found that Surface increased the ROI of Microsoft 365 investments and provided several other benefits, including:

• Boosting employee productivity.

• Enhancing workforce creativity and teamwork.

• Reducing costs and improving IT manageability.

• Improving security and compliance.
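The Conditional Access controls described above, expressed as Microsoft Graph requests. This is an added example, not code from the whitepaper or from Microsoft: it creates one policy requiring multifactor authentication and an Intune-compliant device for every sign-in, and a second that blocks sign-ins Identity Protection rates as high risk (the risk condition needs Azure AD Premium P2). It assumes the Microsoft.Graph PowerShell module and a caller with the Conditional Access Administrator role; the excluded break-glass group ID is a placeholder.

```powershell
# Added example (not from the whitepaper). Both policies are created in
# report-only mode so their effect can be reviewed in the sign-in logs
# before anyone is actually blocked.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access accounts
$policiesUri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Policy 1: all users, all cloud apps, must satisfy MFA AND present a device
# that Intune reports as compliant (ties identity to device management state).
$requireMfaAndCompliantDevice = @{
    displayName   = "Require MFA and compliant device (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Policy 2: the automatic mitigation for risky sign-ins mentioned in the text:
# block outright when the sign-in risk level is high.
$blockHighRiskSignIn = @{
    displayName   = "Block high-risk sign-ins (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireMfaAndCompliantDevice, $blockHighRiskSignIn)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $policiesUri `
        -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
    Write-Output ("Created policy '{0}' with id {1}" -f $created.displayName, $created.id)
}
```

Switch `state` to `enabled` only after the report-only results show the excluded emergency-access accounts and any service accounts are not caught by the device-compliance requirement.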

Modern Management: Maximizing ROI

How much do Surface devices add to the business benefit of Microsoft 365? Quite a bit, according to a Forrester Consulting Total Economic Impact™ (TEI) study. The study examined the potential ROI enterprises may realize by implementing Microsoft 365 Enterprise on Microsoft Surface devices. Among the findings, as demonstrated by a 1,500-user composite organization Forrester built for the study:

Security: Security breach remediation costs decreased by 80 percent and the number of annual breaches decreased by 50 percent. Using two-factor authentication, Advanced Threat Analytics, and Surface Enterprise Management Mode (SEMM), the composite organization reduced breach remediation costs by a risk-adjusted present value (PV) of nearly $1 million over a three-year analysis.

Costs: A reduction in several third-party technology costs, devices, infrastructure, and IT support requirements. A wide variety of third-party technology, device, and support costs were reduced or eliminated using Microsoft 365-powered Surface devices, saving the organization a PV of over $1.9 million over three years.

Help desk: Help desk calls for password resets decreased by over 86 percent, while device and application performance-related tickets decreased by 15 percent. The stability of Surface resulted in fewer incidents of crashing and nearly eliminated the number of password-reset help desk tickets from Microsoft 365-powered Surface device users. The total risk-adjusted PV over three years surpassed $150,000.

Source: Maximizing Your ROI From Microsoft 365 Enterprise With Microsoft Surface

A modern desktop, built for modern management

Surface has been designed with built-in support for simplified modern management of the entire device lifecycle: before it’s deployed, during its use, and after it’s returned to be redeployed or retired.

Before

Microsoft thinks about Surface management before customers even receive the device. Setting up the device before it has been deployed significantly reduces the IT burden.

A Microsoft Cloud Solution Provider (CSP) will enroll a new device via its serial number into the customer’s Azure Active Directory environment. This allows for the creation of device profiles (e.g., applications, policies, and settings) before the device is sent to the customer. A customer can create profiles for different groups (e.g., engineering, marketing, or HR) so that all of the proper settings and applications are available to the user the first time they turn on the device, via Windows Autopilot, with no unnecessary or unwanted bloatware.

Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on a device, saving organizations from having to maintain custom images and drivers for every model being used. Instead of reimaging the device, an existing Windows 10 installation can be transformed into a business-ready state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g., from Windows 10 Pro to Windows 10 Enterprise) to support advanced features.

[Figure: profile settings configured before deployment: Certificates, Windows security baselines, VPN connections, BitLocker, Update settings, Wi-Fi connections, Email, Device features]

During

Microsoft Surface contains sophisticated, mature hardware and firmware designed for comprehensive management, empowering administrators to control even the lowest level of hardware settings without having to touch the machine.

Managing firmware settings on previous generations of devices, by contrast, was quite difficult. Any configuration and management option involved custom or third-party software, known as a UEFI (Unified Extensible Firmware Interface), provided by the manufacturer. Surface, by comparison, includes a Microsoft-created UEFI, which enables automatic updating of both the operating system and the UEFI/firmware in one action. This approach not only provides streamlined administration, but also greater security.

Managing UEFI firmware settings is done via the Device Firmware Configuration Interface (DFCI), a component of Intune, and an open-source standard Surface UEFI from Microsoft’s Project Mu. With DFCI, Intune asks the Autopilot service to confirm a given customer trying to manage the firmware is the actual owner of the device. After Autopilot confirms the owner, Intune then applies the appropriate settings with no user interaction. On Surface devices, IT admins can also use Surface Enterprise Management Mode (SEMM) to manage the device at the boot level with custom firmware controls. Using SEMM, Intune enables direct management of many Surface device settings, including:

Every Surface component, from firmware to Windows 10 policy settings, can be managed by Intune and updated via Windows Update for Business.

Surface also integrates into the Microsoft 365 security stack to detect vulnerabilities across the globe and automatically protect devices—even while they’re asleep. Surface devices implement a Modern Standby low-power state that allows the device to appear asleep, drawing very little power, but also listening for updates via Windows Update for Business and application data streams like email. This allows a Surface on battery power to achieve a long standby battery life while also staying up-to-date on application data, and automatic pushes of security updates even down to the UEFI.

In addition, Surface includes purpose-built tools for diagnostics and tuning that can automatically fix issues, assist with troubleshooting, and optimize functionality from brightness control to battery usage. The Surface Diagnostic Toolkit for Business (SDT), for example, enables IT administrators to quickly investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices.

Surface devices are tuned to provide the perfect balance between battery life and performance. Windows Power Management mode on Surface is the result of significant research in processor heat and performance measured against the need for all-day battery life.

Finally, integration among Intune, Surface, and Microsoft 365 lets administrators configure custom suites of Office 365 apps, choose how and when those apps are updated, and even decide which apps are mandatory.

After

Endpoint management should extend to when a device is returned to IT to be redeployed or retired, or is lost or stolen. This end-of-life management gives administrators peace of mind that settings and other data on the device won’t be exposed to unauthorized users.

Using Intune, an IT administrator can remotely lock a device, reset passcodes, or wipe the device completely—protecting data in the event that a device is lost or stolen. After a wipe, the device is reset to the out-of-box experience, at which point proper credentials are once more required for setup.

In addition, using the Fresh Start option in Windows 10, an administrator can remove all applications and install the latest version of Windows.

When an employee leaves the company, IT can reprovision the device remotely via Intune without the need to return the device to a central IT location. The device does not have to be shipped back to be reimaged.

IT can also manage the deprovisioning of remote devices via the Azure Active Directory portal for devices that have been retired or destroyed.
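The end-of-life actions above (Fresh Start for redeployment, full wipe for a lost, stolen or departed-employee device) as Intune remote actions issued through Microsoft Graph. This is an added example, not code from the whitepaper or from Microsoft; it assumes the Microsoft.Graph PowerShell module, a caller with Intune administrator rights, and uses a placeholder device name.

```powershell
# Added example (not from the whitepaper). Remote actions are queued in
# Intune and execute only when the device next checks in, so the last sync
# time is printed: a device that has been offline since it went missing is
# still at risk until it reconnects.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.PrivilegedOperations.All", "DeviceManagementManagedDevices.Read.All"

$managedDevices = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"

function Get-ManagedDeviceByName {
    param([Parameter(Mandatory)][string]$DeviceName)
    $result = Invoke-MgGraphRequest -Method GET -Uri "${managedDevices}?`$filter=deviceName eq '$DeviceName'"
    if ($result.value.Count -ne 1) {
        throw "Expected exactly one device named '$DeviceName', found $($result.value.Count)"
    }
    return $result.value[0]
}

function Invoke-DeviceEndOfLife {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][ValidateSet("Redeploy", "LostOrStolen", "Departed")][string]$Reason
    )
    $device = Get-ManagedDeviceByName -DeviceName $DeviceName
    $base   = "$managedDevices/$($device.id)"
    Write-Output "$DeviceName last synced $($device.lastSyncDateTime); compliance: $($device.complianceState)"

    switch ($Reason) {
        "Redeploy" {
            # Fresh Start: remove applications and reinstall Windows. The same
            # user gets the device back, so their data is kept.
            $body = @{ keepUserData = $true } | ConvertTo-Json
            Invoke-MgGraphRequest -Method POST -Uri "$base/cleanWindowsDevice" -Body $body -ContentType "application/json"
        }
        default {
            # Lost/stolen or departed employee: full wipe back to the out-of-box
            # experience. Dropping enrollment data means setup once again requires
            # proper credentials; Autopilot then re-provisions the device remotely.
            $body = @{ keepEnrollmentData = $false; keepUserData = $false } | ConvertTo-Json
            Invoke-MgGraphRequest -Method POST -Uri "$base/wipe" -Body $body -ContentType "application/json"
        }
    }
    Write-Output "Action for reason '$Reason' queued for $DeviceName."
}

Invoke-DeviceEndOfLife -DeviceName "SURFACE-PLACEHOLDER-01" -Reason "LostOrStolen"   # placeholder name
```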

Making the transition

Making the change to modern management isn’t always easy. IT teams have already invested time and resources into their infrastructure. Unfortunately, legacy IT processes and hardware continue to be the biggest roadblocks to transitioning to modern management.

Surface makes the transition easier, because it can address IT needs regardless of where the organization is in its modernization journey:

Traditional on-premises management: On-premises device management provides a lighter-touch approach, using SCCM to manage devices. This option relies on the device management capabilities built into Windows 10 and is not as full-featured as client-based management. On-premises device management requires a Microsoft Intune subscription, which is used solely to track licensing of the devices; Intune is not used to manage or store management information. All management data is stored at your organization using the on-premises Configuration Manager infrastructure.

Hybrid/co-management: Co-management enables IT admins to concurrently manage Surface devices by using both SCCM and Intune. Creating a bridge between Active Directory and Azure Active Directory allows administrators to unlock new cloud-based functionality, such as conditional access.

Co-management provides flexibility to use the technology solution that works best for your organization. IT controls which workloads, if any, to switch from SCCM to Intune. Enrolling existing SCCM clients in co-management provides several immediate benefits:

Full cloud-based management: Intune provides a highly scalable, integrated endpoint-management platform that leverages the cloud to help IT teams streamline and automate deployment, provisioning, policy management, app delivery, and updates. A global distributed cloud architecture ensures devices are always up to date, and Intune’s app protection policies enable granular control over Microsoft 365 data on endpoint devices. Other benefits of the Intune experience in the Azure portal include:

• An integrated console for all enterprise mobility and security components.

• An HTML-based console built on web standards.

• Microsoft Graph API support to automate many actions.

• Access to Azure Active Directory groups to provide compatibility across all Azure applications.

• Support for most modern web browsers.

• Conditional Access with device compliance.

• Support for Intune-based remote actions, such as restart, remote control, or factory reset.

• Centralized visibility of device health.

• The ability to connect users, devices, and apps with Azure Active Directory.

• Modern provisioning with Autopilot.

Conclusion

IT teams face many challenges as businesses become more digital. Managing endpoint devices using outdated tools or processes makes it difficult to keep devices and data safe and users productive and happy. The bolt-on method to endpoint management is no longer sufficient for the modern workplace.

Microsoft has built many innovative management features into Windows 10, but if your device manufacturer doesn’t embrace modern management and take advantage of these capabilities, you can’t realize the full potential of modern endpoint management.

Microsoft Surface for Business devices offer modern hardware and software that is built to take advantage of the management capabilities of Windows 10.

Every Surface component, from firmware to Windows 10 policy settings, can be managed by Intune and updated via Windows Update for Business. Surface integrates into the Microsoft 365 security stack to detect vulnerabilities across the globe and automatically protect your devices—even while they’re asleep. Surface tools can automatically fix issues, assist you with troubleshooting, and optimize functionality from brightness control to battery usage.

To ensure a seamless integration into your business, find Microsoft Surface resellers that can help you deploy and manage Surface devices and software.

© 2019 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
