If you’re picking up this book, it could be for several reasons:
So what is EMM/MDM and Modern Management? And how is it different than on-prem, traditional management?
Let’s define some terms so we can map our course and get on the road:
So, unofficially, MDM stands for Modern Device Management. You can see Microsoft really pushing the word modern into the conversation. So even though MDM originally had one meaning, it’s really taken on two meanings at the same time.
To be clear, the lines are a little blurry here. And EMM and MDM (the official and unofficial definitions) mean so many different things to different people. As of this writing, here’s what Wikipedia says:
“Enterprise mobility management (EMM) is the set of people, processes and technology focused on managing mobile devices, wireless networks, and other mobile computing services in a business context.”
And if you want to read Microsoft’s definition of MDM, it can be found at https://docs.microsoft.com/en-us/windows/client-management/mdm/. But here’s the important bit and opening sentence on the definition of MDM from Microsoft:
“Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices.”
It’s not super easy to find a unified definition of Modern Management anywhere. Maybe by the time you read this, some unified definition will be everywhere. But here’s a quote from Microsoft’s corporate vice president of management at Ignite 2018 that resonates with me reasonably well:
“The modern desktop is a paradigm shift which takes things to a whole different level. In the modern desktop, everything, and I mean literally mean everything is connected to the cloud: Windows, Office, management security, it’s all connected to the cloud.
And that cloud connection makes your users more productive, gives you in IT security superior insights and control. Because it gives the full power of the Microsoft Intelligent Cloud behind you.
As you cloud connect everything you have, you can take advantage of simplified management of your desktop devices, as well as compliance updates, updates which enhance your security, advanced data protection, and finally those cloud capabilities make your users far more productive.”
Another place to go for understanding Microsoft’s vision for a modern desktop can be found at:
So, Modern Management is a shift not just from the traditional on-prem tooling of Active Directory, Group Policy, and SCCM toward something cloud-y. It’s rather a shift in mindset to making Windows management more proactive and automated. Think “Drop a new system out of the box on someone’s front door, and…bingo. They’re all set up, and nicely managed, and the end user didn’t have to lift a finger except for pressing the On button.” That’s the dream, anyway, of modern management.
Beyond that, the promise of modern management, in theory anyway, is that it should be simpler than traditional management with Active Directory, Group Policy, and/or SCCM. Why is that? Well, if you have zero on-prem infrastructure to babysit, that’s going to be a plus. And all the management options are in one place: the MDM system you choose. So instead of 80 different ways to manage a device, using Group Policy, scripts, and so on, at least you have it all reasonably centralized in one management tool and portal.
Now, for me, I’m interested in this new modernly managed desktop world because EMM and MDM don’t replace Group Policy; they open up and augment new opportunities where Group Policy cannot go.
So, for me, I see a few categories of organizations. Maybe you fit into one of these categories right now, or your perspective might change over time:
So if you’ve already decided to go toward Modern Management or are still dabbling with the decision to open up some new doors that Traditional Management cannot, then this is the book for you. It could also be the book for you even if you are in the first camp; that is, you have no direct intention of walking away from Traditional Management (like on-prem Active Directory with Group Policy) but want to get a feel for what an EMM/MDM and Modern Management can do for you and start to get a handle on it.
In this book, I’m going to simply assume you’re already familiar with existing traditional, on-prem paradigms, like Active Directory, Group Policy, and maybe a little SCCM. I’m not saying you need to have “wizard level” understanding of these items, but in looking forward to MDM and Modern Management, I will often refer backward to how things are done in a traditional sense and explain how they’re different.
As such, if you haven’t got a copy of my Group Policy book and think you might need a copy, head over to www.MDMandGPanswers.com/book and get your own “author signed” copy of the big green Group Policy book as this book’s companion.
So EMM is Enterprise Mobility Management. It just means all the tools and people and stuff you need to manage your mobile devices in a modern way. So in short, EMM is the “concept.”
And, MDM stands for Mobile Device Management.
Ask some people and they will say it stands for “Modern Device Management” or “Modern Desktop Management,” which also kind of works.
I will always abbreviate it as simply MDM for short. MDM is a “cousin” to Group Policy. A newer cousin, with somewhat different goals, different parents, different upbringing, and so on. So, “cousin” is really the best analogy here. So, in short, MDM is the “worker bee.”
You can also think of MDM like it’s the moving part, or the transport for the ideas of EMM.
Like Group Policy, MDM has a moving part, or policy processing engine, inside the Windows 10 operating system. And actually, here’s the thing: MDM isn’t just inside Windows 10; that similar moving part is already embedded and inside mobile phones, tablets, and so on.
So if it’s the similar moving part in both Windows and mobile devices, a new interesting opportunity opens up: use one management system, and leverage the in-box MDM engine (in Windows and also phones, etc.) as the moving part to receive “directives” (or policies) and have “one tool to rule them all.”
Taking a step back, when you used Group Policy to manage your systems, Microsoft sold you everything, all at once, and it was all included in the box and worked “forever.” Here were the general steps:
Now, with EMM, the deal is a little different:
So, some things are kind of the same, and some things are different.
But, the gist of MDM is the same as Group Policy: You have users and devices. You make “wishes” and store those wishes somewhere centrally, and endpoints download and process those wishes. What’s majorly different is the need for being domain joined for Group Policy to work versus having zero on-prem infrastructure for MDM to work.
Group Policy and MDM have different goals and different upbringing, but we’ll dig into that in Chapter 1.
In this book, I’ll be writing the letters (and terms) EMM, MDM, and Modern Management a lot.
I might say, “In your EMM environment” to talk about your business, or world at large.
I might refer to “an MDM system,” “an MDM solution,” or “your MDM.” That’s the thing, well, a service really, you purchase and maintain to perform the work of modern desktop management.
Modern Management will be the things we put in place after we get our MDM solution set up. Like the icing on the cake to get new machines rolled out and software deployed, locked down, and reported upon.
But of course, there’s the other part as well, the MDM moving part that’s pre-baked into Windows 10 (and also mobile phones, etc.). I’m going to refer to that as the MDM engine.
So in summary:
Other terminology, which I’ll just say here, one time, and then assume you read this as I head onward in the book:
A good blog article explaining all of these terminology items with good, if not blurry, screen shots can be found at:
As I just stated, and as we’ll go into more detail in Chapter 2, you’ll need to acquire an EMM system, which uses MDM as its transport. To keep things simple, I’m just going to call these “MDM solutions” like other people typically do. I guess some people might call them “EMM systems” or “EMM solutions,” but that’s not generally what my peers and I call these systems when we talk about them.
The main MDM solution gorillas on the block are as follows:
These are all cloud-based, subscription based services.
To make the most of this book, you’ll need one of these subscription-based services. Basically, I’ll be using Microsoft Intune for most of my MDM examples. Not because it is or isn’t the best, but because it’s included with many Microsoft Enterprise customers’ existing licensing and subscriptions.
There are also a handful of other MDM services that are less well known, and some that work (ironically) when they are deployed on-prem. I will not be covering those. That said, if you have another cloud-based MDM solution (SOTI, Citrix Endpoint Management [formerly XenMobile], and others), what we go over here should reasonably translate for you as well, even though I won’t specifically be showing you any examples.
And, to be fair, for managing Windows 10 machines, they are all roughly equal. Some MDM solutions have different bells, others have different whistles. Ultimately, as I’ll re-explain when the time comes, the MDM solution (the paid service) simply drives and directs the moving part (the MDM engine) on the endpoint.
Anyway, more on this in Chapter 2 when we do a little bit of comparison shopping, er…comparative analysis between the solutions.
I’m focusing on managing Windows 10 in this book. I’m really not planning on covering phones, Macs, and/or other gizmos of various flavors. I’m also not spending a lot of time looking backward to Windows 7, but it might come up from time to time.
As of this writing, in 2019, if you ask 10 admins what they are currently using an MDM service for, most would say, “Managing phones.” Because MDM, that is, its very name—Mobile Device Management—does a great job for phones and remote lock and wipe and so on.
But of those 10 admins who are using an MDM service right now, almost none say, “And we’re also using it to manage our entire fleet of Windows 10.”
But many of those admins are saying, “I think I’d like to get to know MDM and Modern Management to see if there are some interesting capabilities for my company with Windows 10.”
So that’s my focus for our time together. To help you see if EMM/MDM and Modern Management can open up new opportunities and do things you couldn’t do yesterday with Group Policy and traditional tools.
Phones (of all kinds), iPads, Android, Macs, Chromebooks, and so on: for me—interesting, very interesting. And, yes, they would be controlled by your MDM system and fall under the umbrella of modern management. But, they’re just not part of this book.
My expertise is in Windows endpoint management, and that’s where I’m going to focus my attention.
Note, too, that there are also specific books on the EMM/MDM services themselves; their ins and outs and how to make a company portal, nuke a phone that Sally in Accounting left inside the taxi, share documents securely, and a lot of other items that you might or might not care about.
But if your main goal is to get on the road managing Windows 10 settings with MDM and learn to augment your traditional management skills and manage Windows 10 in a modern way, then this is the book for you.
Here’s some other stuff I won’t be covering:
MAM (Mobile Application Management) This is a method to manage applications like Office on iOS and Android and prevent things like “Save as” and cut/copy/paste, perform remote wipe of data, and more. This is nifty, and worth investigating because, while it does require an MDM service, it doesn’t require any enrollment of users’ devices in those services. Again: interesting, but not covered. Learn more about MAM here: https://docs.microsoft.com/en-us/intune/mam-faq.
Microsoft Identity Manager Pretend for a moment you have multiple directory sources, like your existing on-prem AD, a human resources database, and some other custom database. Now imagine you need to sync identities across all those things and have them magically work in Azure AD. That’s Microsoft Identity Manager, and I’m not covering it. In Chapter 2, I will be covering basic Azure AD Connect, which is an on-prem AD to Azure AD synchronization system and is in this ballpark. But to learn more about Microsoft Identity Manager, start here: https://docs.microsoft.com/en-us/microsoft-identity-manager/.
Azure Information Protection (and Rights Management) Sally in HR just emailed “too many people” the organization chart with salary information embedded into it. Bad Sally, bad. Now what? Well, if you were using Azure Information Protection, or AIP, then you could automatically classify and protect documents based upon contents. For instance, say the word Confidential was in the document. When that gets emailed, the data actually stays with the originating company, not the receiving company. So Sally’s “big oops” becomes Sally’s big “nonevent.” Learn more about Azure Information Protection (and Rights Management) here, because I won’t be covering it in this book:
https://docs.microsoft.com/en-us/azure/information-protection/
Single Sign-On So right now, Sally in HR has a login to on-prem AD, soon also to have a login to Azure AD, and also to the external payroll system, another at Dropbox.com, and also (yet another) login at Salesforce.com. Wouldn’t it be great if she could have one single sign-on (SSO) to these external applications using her Azure AD account? You bet that’s cool. But since I won’t be covering that in this book, here’s an example walk-through of how to use Azure AD to make a single sign-on with an external application like Salesforce:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/salesforce-tutorial
User Self-Service Users love forgetting their passwords. And doing another password reset is booooriing. So both Office 365 and Azure AD have a way to enable users to perform self-service password resets. Since I won’t be covering it, if you want to set this up and/or see a quick walk-through of it, check out:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr
Two-Factor Authentication Azure AD has a way for some resources to require a second authentication. Either a biometric authentication, like a fingerprint or YubiKey, or accepting phone calls or texts. This is Azure multifactor authentication and you can learn more about it here:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing
To me, these additional Azure services are super, duper interesting. But they are not part of my focus for you and this book. Our job: We’ll be focusing on using an MDM service and other Azure services to manage Windows 10 PCs.
If there’s one thing we can be sure about, it’s that this new world of cloud services seems to move faster than most of us can handle it.
But don’t panic.
I agree that it’s hard to keep up with all the magic cloud coders spin out every day. Literally. Every day. For on-prem infrastructure, that’s not the deal. You download, you install, you let it sit until you do an upgrade.
For this book though, my plans are to show you things I think won’t be changing too, too much. I cannot know for sure, of course. But my plan is to explain concepts that seem like they will be entrenched for a while; those I think will likely be the most used concepts over the long haul.
No guarantees. I don’t work for Microsoft, and I don’t directly influence its road map. So it’s possible some steps might be a little bit different in the Azure or Intune portals from the time I wrote this to the time you get the book. And then after the book is out, and it’s, say, two or three years on.
But the stuff I’m planning on guiding you through with examples is reasonably solid with regard to the basic steps and examples. And I’m not going to be heading down too much experimental territory. I’ll be explaining stuff that’s already been working for some real-world companies for some length of time and stuff I’m pretty sure will continue to be foundational in the world of modern management for the foreseeable future.
I could be wrong, and I could make some mistakes and talk about some concept today that gets killed or supplanted tomorrow. But I have a reasonably high degree of confidence in the specific chapters and concepts I’ve chosen to write about along with the examples.
The point is this: Yes, any specific step-by-step or screenshot might change a little bit, but I think you’ll be reasonably safe with what I’m publishing now, and it should work into the reasonable future. So, with what you learn here, even if the steps and names of things are a little different in a year or two, you should be able to figure it out.
I believe in you.
You are, after all, an IT professional.
I realize this may be my last chance to grab your attention in the bookstore, or more likely, Amazon or Safari or whatever you are using to read this introduction. And if you know me, and you’ve seen me speak, and know my body of work, right now maybe you’re thinking, “I guess he’s done with Group Policy and now Jeremy’s on to MDM?”
For total, 100% clarity, let me repeat a common mantra I have espoused for years: Group Policy is not dead. The irony, though, is that the more I (or others) say, “Group Policy is not dead,” the more people think Group Policy is dead.
It is, in fact, not dead. Microsoft has not “turned off” Group Policy usage for on-prem scenarios, nor have product teams stopped producing new functions that can be controlled by Group Policy.
Au contraire. Group Policy continues to be supported, and new settings for the OS, Edge, and more ship each and every time Windows is revised.
Indeed, many scenarios will always require on-prem Active Directory and Group Policy, like non-Internet-connected machines, ultra-secure scenarios, and for the foreseeable future, RDS, Citrix, and on-prem VDI scenarios.
I wrote a pretty famous “off the rails” blog post called, “Why Group Policy is Not Dead Manifesto.” It would be a good read at this point if you have a moment. Here’s the link (or Goog…, I mean, Bing for, “Group Policy Not Dead.”):
https://www.gpanswers.com/blogs/view-blog/the-why-group-policy-is-not-dead-manifesto
“Why then, Jeremy, are you writing a book on modern management with Microsoft’s cloud solution for settings management, MDM, and Intune?” I hear you ask.
The answer is that I feel there is room for both a traditional management model with domain-joined machines (with Group Policy and other on-prem management systems like SCCM) and for something new with EMM/MDM and the Modern Management scenarios that are brought to the table.
It would be foolish for me to close off my mind to new possibilities that an MDM system can add, and what solutions modern management will solve. But it would be equally foolish to walk away from almost 20 years of a proven technology like Group Policy, which is currently in use in just about every single company on the planet.
So this book is to enable you to explore the EMM/MDM/Modern Management route for yourself; try some examples, and see if it’s right for you.
You can make a plan to walk away from the old, have some kind of hybrid with old and new, or jump all in with the new.
I’ll leave that to you.
I’ve been managing Windows systems since I was a toddler. Well, not quite, but almost. I was one of the first MCSEs in the world back in 1994, and I spent lots of time being a consultant to organizations of all sizes for many years.
Then I found and fell in love with Group Policy, wrote my popular Group Policy book, and became a Microsoft Group Policy MVP for 15 years. And, more recently, I have been anointed as a Microsoft MVP in Enterprise Mobility (with a focus in Intune). Additionally, I’ve been helping companies try to understand this new MDM world and what it means to the original Group Policy world.
I also founded and run a company called PolicyPak Software, which extends both Group Policy and MDM to do more amazing things than what is possible with what’s in the box alone. For instance, here are some of the things you can do with the products from PolicyPak:
…and a whole lot more.
So I’m going to try to walk a fine line here. With your permission, I’m going to, from time to time, describe when something from PolicyPak could enhance a situation or solve a problem that cannot be solved out of the box. I’ll show you real examples of how to solve real problems.
And I’m not doing it to sell you something, but if that happens, that’s okay too. The point, really, is to demonstrate a problem or situation that might not have any other way out of it. So basically, if I didn’t explain that the “PolicyPak possibility” to fix a particular problem existed, you wouldn’t know about it, and you’d always be stuck in a rut.
And if there’s an alternative or other third-party way to achieve the same goal, I’ll do my best to explain that too.
As you read this book, it’s natural to have questions about Modern Management, MDM (or Group Policy). For that, I have a blog that can be found at MDMandGPanswers.com.
I usually post a “Tip of the week” and send it through email. You’ll also find downloadable PowerShell scripts, tips and tricks, and lots more.
If you want to meet me in person, book me for onsite training, or attend my live public MDM and Group Policy courses, my website at MDMandGPanswers.com shows my upcoming scheduled events. I’d love to hear how this book met your needs, got you started with MDM, or helped you out.
Start out by following and/or tweeting me. Use the hashtag #mdmbook and let me know what’s helping you out today.
Thanks for being part of the journey.