In the last decade, we moved from mobile device management (MDM) into enterprise mobility management (EMM), and now we’re shifting towards a unified endpoint management (UEM) model. You may be asking what exactly is UEM? In its simplest form, UEM is bringing together the management of mobile and laptop/desktop devices into one solution. This is something that hasn’t been entirely possible until just recently.
Today, at least a couple of different device management products often exist within the enterprise. At minimum, you will typically come across a solution that manages traditional desktops and laptops with an imaging solution and another that manages mobile devices via an MDM/EMM solution.
Our users have come to expect a more natural and consumer-like experience in the workplace. To meet their needs and provide a more efficient experience with the needed security, enterprises need to start their journey to UEM. A UEM solution is able to manage a device from the top down and able to manage a device “out of the box” with the original operating system (OS) on the device. This is a significant change from the traditional model of device imaging, a model that has historically worked, but a model that is ready to be disrupted and simplified.
So what can we expect from a UEM solution in the enterprise? Let’s take a look and break down the components we should expect to be available to effectively and efficiently manage all end-user devices within the enterprise.
Device Management Essentials
Device management is the core of UEM. A robust UEM solution will manage all major device OSs: iOS, Windows, Android, Mac, Rugged, etc. We not only need a solution that can manage corporate assets but also a solution that enables full Bring-Your-Own (BYO) deployment. This flexibility allows users to access work information from their personal devices in a secure and managed manner.
It is essential that the UEM solution is able to provide the overall device management functionality and features that we can expect from both the MDM/EMM platform and the traditional device management platform. Some of this functionality includes the ability to:
- Manage configurations and settings
- Enforce policy and compliance
- Provide detailed reporting
- Manage security
- Integrate corporate identity and Single Sign-On (SSO)
- Integrate with enterprise systems
- Allow for containerization
- Push updates
- Allow for multi-user, single user or kiosk options with ease of management for all devices
One of the major benefits of moving away from a legacy device deployment platform is the ability to leverage an “out-of-the-box” deployment. This provides the ability to take a pre-installed OS on a device and apply management from the top-down, layer security onto the device, enable required settings and allow the option for users to self-serve. This option moves IT away from a time-consuming imaging process and a model that mostly relies on Group Policy Objects (GPO), which over the years has become extremely complex and challenging to manage.
Traditionally, EMM covered mobile OS management extremely well but hasn’t provided too much opportunity for traditional Windows OS management, until now. With the introduction of Windows 10, the landscape has changed. Windows 10 allows for a device management model that is providing for significant opportunity within the enterprise and a shift in the way devices can be deployed and managed. This is where we are seeing the opportunity for a big shift in device management to a true UEM deployment.
Application & Browser Management Basics
A critical capability for application management within UEM is the ability to efficiently deploy applications to all OSs managed by the enterprise. Today, the mobile space has significantly simplified application management and deployment, a model that has become easy to adopt and use for end users. Catching up to this model is Windows, where application management and deployment has been and still is an extremely complex and tedious task in the enterprise. The need to deploy dependencies for applications, deploy extremely large install files and require custom scripting is something we need to move away from. As we move to bring Windows management within UEM, Microsoft is changing its architecture with application deployment, following that of other mobile platforms with the Windows App Store and moving to a modern app deployment using APPX as its format.
One point to note is enterprises are not going to be able to convert their apps from traditional Win32 apps to a modern app deployment overnight. Many years of engineering, configuration and scripting has been developed with Win32 apps and deployments in a traditional device management model. In order for UEM to be successful across all platforms for application management, specifically Windows, the full lifecycle of deployment and support for Win32 apps will be required. Without Win32 app support, many enterprises will not be able to adopt UEM for Windows management.
Application management on all platforms needs to provide ease for deployment and upgrades, and at the same time, provide for a simplified experience to the end users. Along with the ability to push apps to the user’s devices administratively, it’s critical that UEM provides for self-service. The ability to provide one-touch access to apps via Single Sign-On capabilities and an application catalog to the users will allow for much more efficiency, productivity and a model that the users are familiar with today as consumers. Applications also need to be deployed efficiently over the air and with no dependency on corporate networks. They need to have the ability to be deployed over the internet to support an anywhere, any access model.
In addition to application management and deployment, it is critical that UEM is able to simplify and provide web links/clips to users for ease of access to intranets, websites, etc. As application infrastructures move towards cloud deployments and web-based access for users, being able to provide simplified access is critical, including the ability to efficiently manage and configure browsers on any device being managed by UEM.
Critical Content & Collaboration Management Capabilities
Content and collaboration management is critical to the overall management of devices within UEM. Users shouldn’t spend all of their time trying to figure out how to access content and set up collaboration tools they need to be efficient and effective. UEM should make content and collaboration tools easily accessible across all platforms, including iOS, Android and Windows.
Content and collaboration covers a wide array of technologies: file sharing, web repositories, content management, cloud technologies, email clients, collaboration platforms, enterprise social media systems, video systems, etc. When devices are enrolled, accessing content and collaboration should be effortless. This includes the ability to:
- Have email settings pre-configured
- Provide easy access to internal and external file sharing
- Simplify access to web repositories
- Leverage a single point of identity for SSO
- Provide easy access to web-based content and enterprise social media
One approach that specifically aids with content access and management is enterprise file synchronization and sharing (EFSS). EFSS is a solution that simplifies access to enterprise content from different platforms, including on-premises and cloud models across any type of device whether it be a phone, tablet or PC. Having EFSS as part of UEM will also be critical to the overall management of devices.
Security and Compliance Management Minimums
Entire business models and workflows increasingly run on technology, and the shift towards mobile first, cloud first everything continues raising expectations for “anywhere @ anytime” access to information and work tools. It is critical that we prioritize and focus on security. I don’t expect UEM to meet all security requirements, specifically advanced security and threat detection. But UEM does need to provide essential security and compliance to devices and applications.
At a minimum, UEM needs to be able to:
- Force encryption on devices
- Enforce basic access management (passwords and PINs)
- Manage device OS versions and updates/upgrades over the air
- Manage security patches and critical updates
- Validate if security tools such as antivirus (AV) are installed
To ensure devices enrolled in UEM are correctly managed and secured, a robust compliance engine is equally important, in addition to security. To meet compliance needs, UEM should provide:
- Some basic checks against devices to ensure that encryption, passwords, updates, security tools etc. are installed, being used and up to date.
- If the compliance engine detects issues, it needs to be able to take action against them.
- Actions should include the ability to: resolve issues by pushing updates or required security apps, prevent access to corporate information until the device is in compliance, notify the user of actions they need to take to become compliant, and re-enable and enforce security controls that may have been changed or disabled.
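The checks and actions listed above, sketched as an added example (not code from this article or from any UEM product). The policy values, device fields and action names are assumptions made for illustration, and the sample inventory is constructed:

```python
from dataclasses import dataclass

# Constructed baseline: platforms, versions and AV requirements are assumptions.
POLICY = {
    "windows": {"min_os": (10, 0), "require_av": True},
    "ios": {"min_os": (16, 0), "require_av": False},
    "android": {"min_os": (13, 0), "require_av": False},
}

@dataclass
class Device:
    name: str
    platform: str
    os_version: tuple
    encrypted: bool
    passcode_set: bool
    av_installed: bool
    patches_pending: int

def evaluate(dev):
    """Return (compliant, actions) for one device record."""
    actions = []
    policy = POLICY.get(dev.platform)
    if not dev.encrypted:
        actions.append("enforce:encryption")
    if not dev.passcode_set:
        actions.append("enforce:passcode")
    if policy is None:
        # No baseline for this platform: fail closed instead of assuming it is fine.
        actions.append("review:unsupported-platform")
    else:
        if dev.os_version < policy["min_os"]:
            actions.append("push:os-update")
        if policy["require_av"] and not dev.av_installed:
            actions.append("push:antivirus")
    if dev.patches_pending > 0:
        actions.append("push:security-patches")
    if actions:
        # Any finding blocks corporate data and tells the user what to fix.
        actions = ["block:corporate-access", "notify:user"] + actions
    return (not actions, actions)

# Constructed sample inventory, as a reporting feed might supply it.
FLEET = [
    Device("laptop-01", "windows", (10, 0), True, True, True, 0),
    Device("phone-07", "android", (12, 1), True, False, True, 2),
    Device("watch-03", "wearos", (4, 0), False, True, False, 0),
]

if __name__ == "__main__":
    for d in FLEET:
        ok, actions = evaluate(d)
        print(d.name, "compliant" if ok else "non-compliant", actions)
```

A device on a platform with no baseline is treated as non-compliant rather than passed by default, so device types the policy has not caught up with do not get access silently.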
Reporting Management Musts
Having visibility into and detailed information on every device are musts. There will need to be some level of control with reporting against non-corporate devices because of privacy concerns, but for corporate-owned devices, there will be an expectation to be able to provide detailed reporting across all devices. Reporting plays an important role as it allows us to efficiently and effectively manage licensing, view device information, check OS and application versions and to check data usage, to name a few roles.
Reporting also supplements the compliance engine to provide a more secure environment. Because of this, it will be important that the UEM platform is able to provide accurate and up-to-date reporting on managed devices. As part of ongoing operations, security and management will continuously request detailed reports on all inventory for compliance and auditing. Being able to provide this information along with automation is a must in the enterprise.
As we look at UEM in the enterprise, we are able to begin the transformation to a more service- and consumer-oriented approach. With a UEM model, we are able to take a device “out of the box” and simply enroll it into the UEM environment. Once enrolled, we can then apply the needed security, applications, policies and any configurations specific to that user based on their identity and role. With the advancement of the latest Windows OS, this is now a possibility within the laptop and desktop space, where traditional imaging and complex policy management have been the norm for many years. Now we are able to apply device management methodologies across all major platforms, transforming the way we can provide and deploy technology to our end users.
As we move beyond UEM for mobile, laptop and PC devices within the enterprise, we need to ensure we keep very close to the Internet of Things (IoT). IoT is another device type that will need to be managed by UEM. Examples include industrial devices, smartwatches, wearables, cars—basically any device that can connect to the internet. There is a significant gap at this time in regards to being able to manage IoT devices and most importantly secure them. There are currently no standards around these devices, and they are appearing everywhere fast. As we continue to grow the UEM model and as it matures, it will be critical that we will be able to bring in the management of IoT devices within the UEM platform. If not, there will be significant security holes and gaps that will make your enterprise extremely vulnerable.
It is clear we are in a major shift with technology in the enterprise today. We need to ensure that we look at IT as a service to the business and show the value it provides. We need to ensure we are meeting the needs of our users and customers and demonstrate IT is no longer something that is just a costly operation to the business. Technology has slowly become the foundation and core to the enterprise and has become critical in every function of the business. As we move towards a mobile-cloud, “anywhere @ anytime” model, technology can be delivered much faster and much more efficiently and always remain up to date. It is critical that we can deliver this level of service in the enterprise, especially with the demand and consumerization of technology in recent years. We need to meet the demand of the consumer space and move away from the legacy era.