Introduction

If you’re picking up this book, it could be for several reasons:

  • You keep hearing Microsoft talk about “Switching to a modern, managed desktop” at a conference, online, or in someone’s speech.
  • You have no idea what EMM and/or MDM is, but thought, “Hmm…interesting looking cover. Let me see what’s inside it.”
  • You already subscribe to an MDM service, like Intune, Workspace ONE, or MobileIron, and you use it for phones and want to get started using it for Windows 10.
  • You know what EMM and/or MDM is, see it on the potential horizon for your company, and are looking to get a handle on it.
  • You purchased my “moderately famous” big, green Group Policy book, maybe even the first edition of Group Policy, Profiles, and IntelliMirror back in 2001, or maybe one of the more recent editions like Group Policy: Fundamentals, Security, and the Managed Desktop, Third Edition.
  • Maybe the boss walked into your office and dropped this book on your desk and said, “Learn this EMM/MDM/Modern Management whatever-it-is and see if we should ‘do this thing.’”
  • Maybe your “boss’ boss” struck a deal on the golf course, and now it’s your job to learn MDM.

So what are EMM, MDM, and Modern Management? And how do they differ from traditional, on-prem management?

Let’s define some terms so we can map our course and get on the road:

  • EMM is Enterprise Mobility Management. It’s a fancy term for “managing settings and applications and stuff over the Internet.”
  • MDM stands for two things. Officially, MDM is Mobile Device Management. It’s more or less the guts, protocol, and moving parts that EMM (the concept) uses to perform the actual work. In Windows, that means the built-in OMA DM client and the Configuration Service Providers (CSPs) it exposes settings through.
  • Modern management is a collection of overall features, concepts, how-tos, and step-by-steps for, well, rolling out and then managing a Windows desktop (in this book, exclusively Windows 10) in a new way that opens up new opportunities and capabilities. Usually modern management also means managing (mostly) over the Internet; that is, through the cloud.

So, unofficially, MDM stands for Modern Device Management. You can see Microsoft really pushing the word modern into the conversation. So even though MDM originally had one meaning, it’s really taken on two meanings at the same time.

To be clear, the lines are a little blurry here. And EMM and MDM (the official and unofficial definitions) mean so many different things to different people. As of this writing, here’s what Wikipedia says:

“Enterprise mobility management (EMM) is the set of people, processes and technology focused on managing mobile devices, wireless networks, and other mobile computing services in a business context.”

And if you want to read Microsoft’s definition of MDM, it can be found at https://docs.microsoft.com/en-us/windows/client-management/mdm/. But here’s the important bit and opening sentence on the definition of MDM from Microsoft:

“Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices.”

It’s not super easy to find a unified definition of Modern Management anywhere. Maybe by the time you read this, some unified definition will be everywhere. But here’s a quote from Microsoft’s corporate vice president of management at Ignite 2018 that resonates with me reasonably well:

“The modern desktop is a paradigm shift which takes things to a whole different level. In the modern desktop, everything, and I mean literally everything, is connected to the cloud: Windows, Office, management, security, it’s all connected to the cloud.

And that cloud connection makes your users more productive, gives you in IT security superior insights and control. Because it gives the full power of the Microsoft Intelligent Cloud behind you.

As you cloud connect everything you have, you can take advantage of simplified management of your desktop devices, as well as compliance updates, updates which enhance your security, advanced data protection, and finally those cloud capabilities make your users far more productive.”

Another place to go for understanding Microsoft’s vision for a modern desktop can be found at:

https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/

So, Modern Management is a shift not just from the traditional on-prem tooling of Active Directory, Group Policy, and SCCM toward something cloud-y. It’s rather a shift in mindset to making Windows management more proactive and automated. Think “Drop a new system out of the box on someone’s front door, and…bingo. They’re all set up, and nicely managed, and the end user didn’t have to lift a finger except for pressing the On button.” That’s the dream, anyway, of modern management.

Beyond that, the promise of modern management, in theory anyway, is that it should be simpler than traditional management with Active Directory, Group Policy, and/or SCCM. Why is that? Well, if you have zero on-prem infrastructure to babysit, that’s going to be a plus. And all the management options are in one place: the MDM system you choose. So instead of 80 different ways to manage a device, using Group Policy, scripts, and so on, at least you have it all reasonably centralized in one management tool and portal.

Now, for me, I’m interested in this new modernly managed desktop world because EMM and MDM don’t replace Group Policy; they open up new opportunities in places where Group Policy cannot go.

So, for me, I see a few categories of organizations. Maybe you fit into one of these categories right now, or your perspective might change over time:

  • Maybe you’ll stay exactly where you are; keep using on-prem Active Directory with domain-joined machines and keep using Group Policy to manage those machines. (In this case, this book might be interesting, if only to see where you could maybe stretch into the future.)
  • Maybe you’ll use EMM/MDM to augment your current world so you can do and accomplish new, interesting things (that you couldn’t do before with Group Policy alone). Maybe you’ll keep your traditionally managed machines for your headquarters but create a “Modern Managed parallel universe” for your non-domain-joined or far-flung machines where you have intermittent connectivity. In other words, you’ll keep doing some (or many) traditional things in the original universe and spin up a parallel universe for some of the new scenarios we’ll explore. (I foresee this scenario for many, many companies, by the way.)
  • Maybe you’ll completely walk away from traditional management and rip and replace on-prem Active Directory and Group Policy and/or SCCM management. Then jump in with both feet to EMM/MDM. (I call this the “Big Band-Aid rip.”)
  • Maybe you have zero on-prem infrastructure today and see that some of the world is heading toward a “let’s put everything in the cloud” model. So, because you’re starting with no on-prem infrastructure already, maybe it doesn’t make sense to spin up a new on-prem Active Directory and/or SCCM. You’re already all in on being a cloud-based company and this Modern Managed world would be a natural extension for your company.

So if you’ve already decided to go toward Modern Management, or are still dabbling with the decision to open up some new doors that Traditional Management cannot, then this is the book for you. It could also be the book for you even if you are in the first camp; that is, you have no direct intention of walking away from Traditional Management (like on-prem Active Directory with Group Policy) but want to get a feel for what EMM/MDM and Modern Management can do for you and start to get a handle on it.

In this book, I’m going to simply assume you’re already familiar with existing traditional, on-prem paradigms, like Active Directory, Group Policy, and maybe a little SCCM. I’m not saying you need to have “wizard level” understanding of these items, but in looking forward to MDM and Modern Management, I will often refer backward to how things are done in a traditional sense and explain how they’re different.

As such, if you haven’t got a copy of my Group Policy book and think you might need a copy, head over to www.MDMandGPanswers.com/book and get your own “author signed” copy of the big green Group Policy book as this book’s companion.

EMM and MDM Redefined

So EMM is Enterprise Mobility Management. It just means all the tools and people and stuff you need to manage your mobile devices in a modern way. So in short, EMM is the “concept.”

And, MDM stands for Mobile Device Management.

Ask some people and they will say it stands for “Modern Device Management” or “Modern Desktop Management,” which also kind of works.

I will always abbreviate it as simply MDM for short. MDM is a “cousin” to Group Policy. A newer cousin, with somewhat different goals, different parents, different upbringing, and so on. So, “cousin” is really the best analogy here. So, in short, MDM is the “worker bee.”

You can also think of MDM like it’s the moving part, or the transport for the ideas of EMM.

Like Group Policy, MDM has a moving part, or policy processing engine, inside the Windows 10 operating system. And actually, here’s the thing: MDM isn’t just inside Windows 10; a similar moving part is already embedded inside mobile phones, tablets, and so on.

So if it’s the similar moving part in both Windows and mobile devices, a new interesting opportunity opens up: use one management system, and leverage the in-box MDM engine (in Windows and also phones, etc.) as the moving part to receive “directives” (or policies) and have “one tool to rule them all.”

Taking a step back, when you used Group Policy to manage your systems, Microsoft sold you everything, all at once, and it was all included in the box and worked “forever.” Here were the general steps:

  • You created an on-prem Active Directory and made a domain.
  • You joined machines to the domain.
  • You used a Microsoft MMC snap-in called the GPMC to make Group Policy Objects.
  • Those GPOs contained policies.
  • Those policies were downloaded through Ethernet or VPN.
  • Those policies were processed by the Group Policy engine.

Now, with EMM, the deal is a little different:

  • The expectation is that you walk away from or don’t need your on-prem Active Directory anymore, but you might have Azure Active Directory for Office 365, for example.
  • Machines might still be domain joined because you historically joined them. But the new idea is that they don’t need to be domain joined anymore; it’s okay if they are, and okay if they aren’t.
  • If you want to, you can get a bonus by “cloud attaching” your on-prem Active Directory and/or SCCM infrastructure to the cloud and gain additional benefits by leaning on the cloud.
  • You purchase or otherwise acquire an MDM solution. Yes, you read that right: You have to buy something to make your EMM dreams a reality and purchase something to command the MDM moving part on your Windows and phones to perform actual work. And, if you opt for a cloud-based MDM service, you need to keep paying to keep your MDM service working.
  • You make policies in your MDM service to deliver software and/or lock down settings.
  • Those policies are downloaded through the Internet.
  • Those policies are processed by the MDM engine.

So, some things are kind of the same, and some things are different.

But, the gist of MDM is the same as Group Policy: You have users and devices. You make “wishes” and store those wishes somewhere centrally, and endpoints download and process those wishes. What’s majorly different is that Group Policy needs the machine to be domain joined to work, whereas MDM needs zero on-prem infrastructure to work.

Group Policy and MDM have different goals and different upbringing, but we’ll dig into that in Chapter 1.

Terminology

In this book, I’ll be writing the letters (and terms) EMM, MDM, and Modern Management a lot.

I might say, “In your EMM environment” to talk about your business, or world at large.

I might refer to “an MDM system,” “an MDM solution,” or “your MDM.” That’s the thing, well, a service really, you purchase and maintain to perform the work of modern desktop management.

Modern Management will be the things we put in place after we get our MDM solution set up. Like the icing on the cake to get new machines rolled out and software deployed, locked down, and reported upon.

But of course, there’s the other part as well, the MDM moving part that’s pre-baked into Windows 10 (and also mobile phones, etc.). I’m going to refer to that as the MDM engine.

So in summary:

  • EMM: This is about you and your business: your entire delivery ecosystem at large.
  • MDM solution or MDM system: The thing you buy and pay monthly or yearly for.
  • MDM engine: The moving part and guts built into Windows 10.
  • Modern Management: The newer, (mostly) cloud-based way of performing similar activities you did with on-prem systems.

Other terminology, which I’ll just say here, one time, and then assume you read this as I head onward in the book:

  • AD or on-prem AD is Active Directory, as in “stand up an on-prem domain with on-prem Domain Controllers.” Ya know, the thing you’ve been doing since 2000.
  • AAD is Azure Active Directory. This will be explored in more detail later, but this is Microsoft’s cloud-based identity service.
  • DJ++ is the shorthand terminology for when a machine is both joined to on-prem AD and also registered with AAD; Microsoft’s official name for this state is Hybrid Azure AD joined. I’ll mention this again when the time comes.
  • Workplace join (which Microsoft now calls Azure AD registered) means the computer is not joined to on-prem AD or to Azure Active Directory, but a user has added a work or school account to it, so it is registered with AAD. This is the typical BYOD or personal-device case: the user gets access to some resources and applications, but the device is not fully managed.

A good blog article explaining all of these terminology items, with good (if somewhat blurry) screen shots, can be found at:

https://blogs.technet.microsoft.com/tip_of_the_day/2016/08/22/cloud-tip-of-the-day-determine-if-a-windows-10-pc-is-dj-azure-ad-joined-or-workplace-joined/
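Here is an added example of my own (not code from that blog post or from Microsoft) that turns the check described there into a script. It classifies a Windows 10 PC into one of the join states listed above by parsing the output of dsregcmd /status. It assumes the real dsregcmd output format, in which the Device State section reports AzureAdJoined and DomainJoined and the User State section reports WorkplaceJoined; the sample text embedded in the script is constructed so it runs offline, and the last few lines run the same classifier against the live tool when it is present.

```powershell
# Added example, not from the book: classify a Windows 10 PC's join state from "dsregcmd /status".
# Assumption: dsregcmd prints "Key : Value" lines, with AzureAdJoined and DomainJoined under
# "Device State" and WorkplaceJoined under "User State". The $sample text below is constructed.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Collect every "Key : Value" line into a hashtable. Section banners (+---+ / | ... |) have no
    # colon and are skipped; a later duplicate key would overwrite an earlier one, which does not
    # affect the three keys we classify on.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-JoinState {
    param([Parameter(Mandatory)][hashtable]$Fields)
    # A missing key yields $null, which compares as not-YES, so an unexpected output still classifies.
    $aad = $Fields['AzureAdJoined']   -eq 'YES'
    $dom = $Fields['DomainJoined']    -eq 'YES'
    $wpj = $Fields['WorkplaceJoined'] -eq 'YES'

    if ($aad -and $dom) { return 'Hybrid Azure AD joined (DJ++)' }
    if ($aad)           { return 'Azure AD joined' }
    if ($dom -and $wpj) { return 'On-prem domain joined, plus Azure AD registered (workplace joined)' }
    if ($dom)           { return 'On-prem domain joined only' }
    if ($wpj)           { return 'Azure AD registered (workplace joined) only' }
    return 'Not joined to on-prem AD or Azure AD, and not workplace joined'
}

# Constructed sample of dsregcmd /status output, trimmed to the sections that matter.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

$sampleState = Get-JoinState (ConvertFrom-DsregStatus $sample)
"Sample device: $sampleState"    # Hybrid Azure AD joined (DJ++)

# On a real Windows 10 machine, classify this PC from the live tool's output.
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $liveState = Get-JoinState (ConvertFrom-DsregStatus (& dsregcmd.exe /status))
    "This device: $liveState"
}
```

Run it as the logged-on user, because WorkplaceJoined is reported in the User State section and reflects that user's work account, not the machine as a whole.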

What You’ll Need to Get Started with This Book

As I just stated, and as we’ll go into more detail in Chapter 2, you’ll need to acquire an EMM system, which uses MDM as its transport. To keep things simple, I’m just going to call these “MDM solutions” like other people typically do. I guess some people might call them “EMM systems” or “EMM solutions,” but that’s not generally what my peers and I call these systems when we talk about them.

The main MDM solution gorillas on the block are as follows:

  • Microsoft Intune (formerly Windows Intune)
  • VMware Workspace ONE (formerly VMware Airwatch)
  • MobileIron

These are all cloud-based, subscription-based services.

To make the most of this book, you’ll need one of these subscription-based services. Basically, I’ll be using Microsoft Intune for most of my MDM examples. Not because it is or isn’t the best, but because it’s included with many Microsoft Enterprise customers’ existing licensing and subscriptions.

There are also a handful of other MDM services that are less well known, and some that work (ironically) when they are deployed on-prem. I will not be covering those. That said, if you have another cloud-based MDM solution (SOTI, Citrix Endpoint Management [formerly XenMobile], and others), what we go over here should reasonably translate for you as well, even though I won’t specifically be showing you any examples.

And, to be fair, for managing Windows 10 machines, they are all roughly equal. Some MDM solutions have different bells, others have different whistles. Ultimately, as I’ll re-explain when the time comes, the MDM solution (the paid service) simply drives and directs the moving part (the MDM engine) on the endpoint.

Anyway, more on this in Chapter 2 when we do a little bit of comparison shopping, er…comparative analysis between the solutions.

What I Won’t Be Covering in This Book

I’m focusing on managing Windows 10 in this book. I’m really not planning on covering phones, Macs, and/or other gizmos of various flavors. I’m also not spending a lot of time looking backward to Windows 7, but it might come up from time to time.

As of this writing, in 2019, if you ask 10 admins what they are currently using an MDM service for, most would say, “Managing phones.” Because MDM, as its very name, Mobile Device Management, suggests, does a great job for phones: remote lock, remote wipe, and so on.

But of those 10 admins who are using an MDM service right now, almost none say, “And we’re also using it to manage our entire fleet of Windows 10.”

But many of those admins are saying, “I think I’d like to get to know MDM and Modern Management to see if there are some interesting capabilities for my company with Windows 10.”

So that’s my focus for our time together. To help you see if EMM/MDM and Modern Management can open up new opportunities and do things you couldn’t do yesterday with Group Policy and traditional tools.

Phones (of all kinds), iPads, Android, Macs, Chromebooks, and so on: for me—interesting, very interesting. And, yes, they would be controlled by your MDM system and fall under the umbrella of modern management. But, they’re just not part of this book.

My expertise is in Windows endpoint management, and that’s where I’m going to focus my attention.

Note, too, that there are also specific books on the EMM/MDM services themselves; their ins and outs and how to make a company portal, nuke a phone that Sally in Accounting left inside the taxi, share documents securely, and a lot of other items that you might or might not care about.

But if your main goal is to get on the road managing Windows 10 settings with MDM and learn to augment your traditional management skills and manage Windows 10 in a modern way, then this is the book for you.

Here’s some other stuff I won’t be covering:

MAM (Mobile Application Management) This is a method to manage applications like Office on iOS and Android: prevent things like “Save as” and cut/copy/paste into unmanaged apps, perform a selective wipe of corporate data, and more. This is nifty and worth investigating because, while it does require an MDM service (such as Intune), it doesn’t require users to enroll their devices in that service. Again: interesting, but not covered. Learn more about MAM here: https://docs.microsoft.com/en-us/intune/mam-faq.

Microsoft Identity Manager Pretend for a moment you have multiple directory sources, like your existing on-prem AD, a human resources database, and some other custom database. Now imagine you need to sync identities across all those things and have them magically work in Azure AD. That’s Microsoft Identity Manager, and I’m not covering it. In Chapter 2, I will be covering basic Azure AD Connect, which is an on-prem AD to Azure AD synchronization system and is in this ballpark. But to learn more about Microsoft Identity Manager, start here: https://docs.microsoft.com/en-us/microsoft-identity-manager/.

Azure Information Protection (and Rights Management) Sally in HR just emailed “too many people” the organization chart with salary information embedded in it. Bad Sally, bad. Now what? Well, if you were using Azure Information Protection, or AIP, you could automatically classify and protect documents based on their contents. For instance, say the word Confidential appears in the document. When that document gets emailed, it stays encrypted and its usage rights remain under the originating company’s control, not the recipient’s. So Sally’s “big oops” becomes Sally’s big “nonevent.” Learn more about Azure Information Protection (and Rights Management) here, because I won’t be covering it in this book:

https://docs.microsoft.com/en-us/azure/information-protection/

Single Sign-On So right now, Sally in HR has a login to on-prem AD, soon also a login to Azure AD, and also one to the external payroll system, another at Dropbox.com, and also (yet another) login at Salesforce.com. Wouldn’t it be great if she could have one single sign-on (SSO) to these external applications using her Azure AD account? You bet that’s cool. But since I won’t be covering that in this book, here’s an example walk-through of how to use Azure AD to set up single sign-on with an external application like Salesforce:

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/salesforce-tutorial

User Self-Service Users love forgetting their passwords. And doing another password reset is booooriing. So both Office 365 and Azure AD have a way to enable users to perform self-service password resets. Since I won’t be covering it, if you want to set this up and/or see a quick walk-through of it, check out:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr

Two-Factor Authentication Azure AD has a way to require a second factor of authentication before some resources can be reached: a biometric like a fingerprint, a hardware key like a YubiKey, a prompt in an authenticator app, or a phone call or text message. This is Azure Multi-Factor Authentication, and you can learn more about it here:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

To me, these additional Azure services are super, duper interesting. But they are not part of my focus for you and this book. Our job: We’ll be focusing on using an MDM service and other Azure services to manage Windows 10 PCs.

How Do You Know This Book Won’t Be Out-of-Date 80 Seconds after You Buy It?

If there’s one thing we can be sure about, it’s that this new world of cloud services seems to move faster than most of us can handle it.

But don’t panic.

I agree that it’s hard to keep up with all the magic cloud coders spin out every day. Literally. Every day. For on-prem infrastructure, that’s not the deal. You download, you install, you let it sit until you do an upgrade.

For this book though, my plans are to show you things I think won’t be changing too, too much. I cannot know for sure, of course. But my plan is to explain concepts that seem like they will be entrenched for a while; those I think will likely be the most used concepts over the long haul.

No guarantees. I don’t work for Microsoft, and I don’t directly influence its road map. So it’s possible some steps might be a little bit different in the Azure or Intune portals from the time I wrote this to the time you get the book, and even more so once the book is out and it’s, say, two or three years on.

But the stuff I’m planning on guiding you through with examples is reasonably solid with regard to the basic steps and examples. And I’m not going to be heading down too much experimental territory. I’ll be explaining stuff that’s already been working for some real-world companies for some length of time and stuff I’m pretty sure will continue to be foundational in the world of modern management for the foreseeable future.

I could be wrong, and I could make some mistakes and talk about some concept today that gets killed or supplanted tomorrow. But I have a reasonably high degree of confidence in the specific chapters and concepts I’ve chosen to write about along with the examples.

The point is this: Yes, any specific step-by-step or screenshot might change a little bit, but I think you’ll be reasonably safe with what I’m publishing now, and it should work into the reasonable future. So, with what you learn here, even if the steps and names of things are a little different in a year or two, you should be able to figure it out.

I believe in you.

You are, after all, an IT professional.

A Final Note about Group Policy vs. MDM

I realize this may be my last chance to grab your attention in the bookstore, or more likely, Amazon or Safari or whatever you are using to read this introduction. And if you know me, and you’ve seen me speak, and know my body of work, right now maybe you’re thinking, “I guess he’s done with Group Policy and now Jeremy’s on to MDM?”

For total, 100% clarity, let me repeat a common mantra I have espoused for years: Group Policy is not dead. The irony, though, is that the more I (or others) say, “Group Policy is not dead,” the more people think Group Policy is dead.

It is, in fact, not dead. Microsoft has not “turned off” Group Policy usage for on-prem scenarios, nor have product teams stopped producing new functions that can be controlled by Group Policy.

Au contraire. Group Policy continues to be supported, and new settings for the OS, Edge, and more ship each and every time Windows is revised.

Indeed, many scenarios will always require on-prem Active Directory and Group Policy, like non-Internet-connected machines, ultra-secure scenarios, and for the foreseeable future, RDS, Citrix, and on-prem VDI scenarios.

I wrote a pretty famous “off the rails” blog post called, “Why Group Policy is Not Dead Manifesto.” It would be a good read at this point if you have a moment. Here’s the link (or Goog…, I mean, Bing for, “Group Policy Not Dead.”):

https://www.gpanswers.com/blogs/view-blog/the-why-group-policy-is-not-dead-manifesto

“Why then, Jeremy, are you writing a book on modern management with Microsoft’s cloud solution for settings management, MDM, and Intune?” I hear you ask.

The answer is that I feel there is room for both a traditional management model with domain-joined machines (with Group Policy and other on-prem management systems like SCCM) and for something new with EMM/MDM and the Modern Management scenarios that are brought to the table.

It would be foolish for me to close off my mind to new possibilities that an MDM system can add, and what solutions modern management will solve. But it would be equally foolish to walk away from almost 20 years of a proven technology like Group Policy, which is currently in use in just about every single company on the planet.

So this book is to enable you to explore the EMM/MDM/Modern Management route for yourself; try some examples, and see if it’s right for you.

You can make a plan to walk away from the old, have some kind of hybrid with old and new, or jump all in with the new.

I’ll leave that to you.

A Little about Me, This Book, PolicyPak, and Beyond

I’ve been managing Windows systems since I was a toddler. Well, not quite, but almost. I was one of the first MCSEs in the world back in 1994, and I spent lots of time being a consultant to organizations of all sizes for many years.

Then I found and fell in love with Group Policy, wrote my popular Group Policy book, and became a Microsoft Group Policy MVP for 15 years. And, more recently, I have been anointed as a Microsoft MVP in Enterprise Mobility (with a focus in Intune). Additionally, I’ve been helping companies try to understand this new MDM world and what it means to the original Group Policy world.

I also founded and run a company called PolicyPak Software, which extends both Group Policy and MDM to do more amazing things than what is possible with what’s in the box alone. For instance, here are some of the things you can do with the products from PolicyPak:

  • Manage third-party applications like Java, Flash, Firefox, OpenOffice, and hundreds more.
  • Take on-prem Group Policy and Group Policy Preferences settings and use them with your MDM service.
  • Marry a website to a specific version of Java.
  • Manage “which website should open in what browser.”
  • Copy files down from cloud services and keep them up-to-date.
  • Remove local admin rights and elevate processes and applications that require UAC prompts.
  • Dynamically manage the Windows 10 Start Screen and Taskbar.

…and a whole lot more.

So I’m going to try to walk a fine line here. With your permission, I’m going to, from time to time, describe when something from PolicyPak could enhance a situation or solve a problem that cannot be solved out of the box. I’ll show you real examples of how to solve real problems.

And I’m not doing it to sell you something, but if that happens, that’s okay too. The point, really, is to demonstrate a problem or situation that might not have any other way out of it. So basically, if I didn’t explain that the “PolicyPak possibility” to fix a particular problem existed, you wouldn’t know about it, and you’d always be stuck in a rut.

And if there’s an alternative or other third-party way to achieve the same goal, I’ll do my best to explain that too.

As you read this book, it’s natural to have questions about Modern Management, MDM (or Group Policy). For that, I have a blog that can be found at MDMandGPanswers.com.

I usually post a “Tip of the week” and send it through email. You’ll also find downloadable PowerShell scripts, tips and tricks, and lots more.

If you want to meet me in person, book me for onsite training, or attend my live public MDM and Group Policy courses, my website at MDMandGPanswers.com shows my upcoming scheduled events. I’d love to hear how this book met your needs, got you started with MDM, or helped you out.

Start out by following and/or tweeting me. Use the hashtag #mdmbook and let me know what’s helping you out today.

Thanks for being part of the journey.
