Consumerization of IT within Microsoft
Quick Reference Guide
Published February 2013
Supporting a proliferation of devices, identities, social technologies, and apps in the workplace
Employees today are blurring the lines between their work and personal lives. People want to use their personal devices to work, often outside of core business hours, but also want the flexibility to utilize the same technologies and applications at work that they use on their personal time. Moreover, they expect this to be a seamless, rich user experience, without downtime or delays when connecting to their corporate networks.
This blending of consumer and enterprise technologies is the Consumerization of IT, and it has led many organizations to rethink their business models to promote agility and flexibility for their employees. At the same time, this enables an enterprise to remain competitive by significantly increasing their employees’ productivity and satisfaction.
Microsoft IT has instituted policies and procedures that enable the Consumerization of IT while simultaneously ensuring that Microsoft’s valuable intellectual property remains protected. Microsoft supports a hybrid model of enterprise-standard and consumer-standard hardware, and offers support and data access to employees who want to use their own devices, provided those devices meet minimum hardware requirements and employees agree to varying levels of device management.
The Consumerization of IT challenges IT departments to:
- Maintain strict security parameters while managing user identities, so that employees can access enterprise information and resources from a diverse range of devices.
- Enable users to capitalize on the social capabilities and ease of collaboration that electronic devices and applications provide, thereby integrating their work and personal lives.
- Ask continually what its users want and need, particularly with respect to providing rich, usable applications for those devices.
Riding The Wave of the Consumerization of IT
Historically, IT departments procured and managed computing devices for their employees. As mobile computing devices have evolved, from laptops to smart phones to tablets that can go anywhere, IT departments are facing a wave of personal devices with which employees want to access and interact with corporate data. The data that employees want to access includes:
- Corporate email
- Calendar and task information, including creating and conducting meetings
- Productivity and other work-related applications, such as Microsoft Office 365™ and Microsoft SharePoint®
Microsoft IT has embraced this wave, riding it to the point where the following is true today:
- Two-thirds of employees are active on Twitter, a social-networking website from which users can send short messages to family and friends, known as their followers.
- 94,000 Windows Phone devices synchronize to the Microsoft corporate network.
- 2,000 cloud-based apps comprise the Microsoft portfolio, which properly identified devices can leverage.
Microsoft IT currently provides and supports 22,000 wireless access points, and has saved approximately US $300,000 annually, per facility, by enabling users to connect remotely by using DirectAccess, a feature of Windows® 8 and Windows Server® 2012 R2.
For several years, Microsoft IT has supported a hybrid environment of managed and unmanaged devices. It has increasingly focused less on managing hardware and devices, and more on establishing and managing the identities of its users and their permissions to access data on the corporate network. Three business drivers support the continuing evolution of the Consumerization of IT within Microsoft:
- BYOD: The concept of Bring Your Own Device enables employees to work seamlessly and productively on their Microsoft IT-procured and personal devices, including laptops, smartphones, tablets, and slates.
- Employees can work whenever they want, from wherever they want, provided the device with which they want to access corporate data can be identified and authenticated, and meets security requirements.
- Microsoft continues to attract the best and the brightest of employees because of the work/life balance that it supports.
Data protection is the primary concern that the Consumerization of IT poses for any organization. Microsoft IT determined that it could best protect intellectual property, and support the Consumerization of IT, by shifting its service paradigm from a hardware-centric focus to a data-driven support model. The focus is on controlling whether users have access to data, based on:
- The data’s security classification, which can be high business impact (HBI), moderate business impact (MBI), or low business impact (LBI). Who you are, and the permissions attached to your identity, partly determine your level of data access.
- The identity of the device with which a user is attempting access. What device you are using, specifically the level of Microsoft IT management that you have allowed for it, and whether it can authenticate to the network, also determine your level of data access. Identity refers to the user, group, or service.
Focusing on Four Key Areas with Respect to the Consumerization of IT
Microsoft IT continues to provide hardware standards and management for personal computers and laptops. However, with the Consumerization of IT, Microsoft IT has had to broaden its approach to managing identities and data access. The result? A hybrid environment in which employees can seamlessly use their Windows devices and non-Windows devices to be productive and from which Microsoft IT derives the following benefits:
- Increased employee productivity: Consumerization of IT enables employees to be more productive by using their preferred devices at work and at home. This ensures current employees are happy, and is enticing to potential employees, who want the freedom to work where they want, and when they want, and with the apps and technologies that form the cornerstones of their (technological) lives.
- Support for innovative products and services: Today’s consumers – including Microsoft employees – have high expectations for device performance. They want to leverage an array of applications on these devices easily, so they can be productive on the go.
- Increased device cohesion: Microsoft has a large array of products and services that employees can utilize. Microsoft IT benefits by providing cohesion in what could be a fragmented work environment.
- Continued protection for data and its integrity: Microsoft IT provides a balance between stringent corporate policies for security, and their users’ favorite devices and technology. Not all devices and services share the same security model, and access to corporate data depends on a user’s identity and the permissions assigned to it, as well as the device with which that user is attempting access.
Microsoft IT has four areas, which the graphic below shows, on which it focuses as it supports the Consumerization of IT for Microsoft employees:
- Devices
- Identity
- Social technology experience
- Applications and services
These four areas are distinct, but not separate. It is important to note that Microsoft IT’s customers – Microsoft employees, vendors, business associates, and other visitors – do not benefit by Microsoft IT focusing on just one of these areas. Rather, the combined focus across these four areas provides the most value to the enterprise and its employees.
A Proliferation of Devices in the Workplace
Microsoft IT must accommodate multiple types of devices. While it cannot test and support every device in the marketplace, Microsoft IT carefully selects a subset of devices in each category – laptops, smartphones, slates, tablets – to test. Microsoft IT aims to support a variety of user experiences, so it must ensure that identity and authentication will work across a myriad of devices.
With so many devices available, and employees wanting to use them to access the corporate network and its sensitive intellectual property, Microsoft IT continues to ask itself, “How do we promote the right level of flexibility and agility for our users to access the correct resources, but also manage devices to promote data security?”
That can be a tough question to answer. It used to be that there were only two working states for employees and their devices: fully managed and remote. Today, the landscape has changed dramatically:
- Microsoft employees are working on at least two devices at any given time, and often, from anywhere but their office.
- Employees are not just utilizing Windows devices, but also Apple, Android, and other operating systems.
- There are more than 90,000 mobile devices synchronizing to the corporate network, and more than 290,000 PC-based devices being managed.
- Microsoft Lync® and Lync mobile clients are among the highest-rated services in Microsoft IT, and enable employees to conduct meetings and collaborate from their mobile devices.
Microsoft IT must enable employees to work seamlessly both in and out of the office by having the applications and the access to data that they require. At the same time, Microsoft IT must ensure data remains protected from malicious users or inadvertent exposure. The data access a user has depends solely on what type of device he or she is using, and can include access to:
- Their email, calendar information, and personal data
- All of the above and line-of-business (LOB) applications
- Full mobile access to all corporate data that they could access from a PC that is hard-wired into the corporate network
To allow access, Microsoft IT must determine whether a device is healthy and whether it meets a base level of security compliance, including the ability to join a domain or use a Trusted Platform Module (TPM) chip, which provides an extra layer of security between hardware and software.
Additionally, users must accept varying levels of Microsoft IT management for their devices, or opt in with respect to their device management. Furthermore, employees must be educated about their role and responsibilities regarding protecting corporate data that resides on their devices.
Protecting Data on Devices
Device security is the ultimate challenge in the Consumerization of IT. A shocking 637,000 laptops are reported lost, each week, in U.S. airports. That number is likely exponentially higher when you additionally consider all of the devices lost elsewhere around the globe.
Malicious users who are attacking corporate security are more sophisticated than ever, and IT departments have to be vigilant and thorough in their methods of preventing such attacks.
There are three ways in which employees and their devices, typically PCs and laptops, operate with respect to the corporate network:
- Fully managed: The device, regardless of ownership, has full access to the corporate network, and device reporting is available to Microsoft IT. Users must opt-in for their personal devices to be fully managed.
- Trusted: This layer is for use by Microsoft Exchange ActiveSync®, an application-programming interface (API) that provides users with access to an enterprise’s network. Reporting is available.
- Unmanaged: This layer is for testing, development, and guest access. No reporting is available.
The levels of device management that users allow Microsoft IT to perform directly affect their access to corporate data. At a minimum, users who want to access their email and calendar data must allow Microsoft IT to enforce the following policy settings on their personal devices:
- Encryption: A device that lacks encryption is a prime target for malicious users who want to access the sensitive corporate data that resides on it.
- Autowipe capabilities: Microsoft IT must have the ability to wipe the device’s contents remotely should it be lost or stolen.
- PIN: The user must establish a four-digit personal identification number (PIN) that he or she uses to unlock the device.
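The access model described in this guide combines three inputs: the data’s classification (HBI, MBI, LBI), the user’s permissions, and the device’s management tier and health (encryption, remote wipe, PIN). The following evaluator is an added example, not Microsoft IT’s code; the mapping of management tier to the highest classification it may reach is an assumption, since the guide does not publish that table.

```python
"""Illustrative policy evaluator for a data-driven access model.

Added example; assumptions (tier-to-classification ceiling, exact PIN rule)
are marked in comments.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Classification(Enum):
    LBI = 1  # low business impact
    MBI = 2  # moderate business impact
    HBI = 3  # high business impact


class ManagementTier(Enum):
    UNMANAGED = 0      # testing, development, guest access; no reporting
    TRUSTED = 1        # Exchange ActiveSync-managed; reporting available
    FULLY_MANAGED = 2  # full corporate-network access; user opted in


@dataclass(frozen=True)
class DeviceState:
    tier: ManagementTier
    encrypted: bool
    remote_wipe_enabled: bool
    pin: Optional[str]  # None when no unlock PIN is set


@dataclass(frozen=True)
class User:
    name: str
    clearances: FrozenSet[Classification]  # what this identity's permissions allow


def meets_baseline(dev: DeviceState) -> List[str]:
    """Return the baseline failures for a device (empty list means compliant).

    The three checks are the minimum policy settings the guide lists for any
    personal device that syncs mail and calendar data.
    """
    problems = []
    if not dev.encrypted:
        problems.append("device storage is not encrypted")
    if not dev.remote_wipe_enabled:
        problems.append("remote wipe is not enabled")
    # Guide says a four-digit PIN; enforcing exactly four digits is an assumption.
    if dev.pin is None or not (len(dev.pin) == 4 and dev.pin.isdigit()):
        problems.append("no four-digit unlock PIN set")
    return problems


# ASSUMPTION: highest classification a device tier may reach. Constructed to
# match the guide's tiers (Internet only / mail+LOB / full access); not published.
MAX_CLASSIFICATION_FOR_TIER = {
    ManagementTier.UNMANAGED: None,                    # Internet only (MSFTOPEN)
    ManagementTier.TRUSTED: Classification.MBI,        # mail, calendar, LOB apps
    ManagementTier.FULLY_MANAGED: Classification.HBI,  # everything a wired PC sees
}


def decide(user: User, dev: DeviceState, data: Classification) -> Tuple[bool, str]:
    """Combine identity permissions, device health and device tier into one decision."""
    if data not in user.clearances:
        return False, f"{user.name} lacks permission for {data.name} data"
    failures = meets_baseline(dev)
    if failures:
        return False, "device fails baseline: " + "; ".join(failures)
    ceiling = MAX_CLASSIFICATION_FOR_TIER[dev.tier]
    if ceiling is None or data.value > ceiling.value:
        return False, f"{dev.tier.name} devices may not access {data.name} data"
    return True, f"allow {data.name} access on {dev.tier.name} device"


if __name__ == "__main__":
    # Constructed sample identity and devices for a quick demonstration.
    alice = User("alice", frozenset(Classification))
    phone = DeviceState(ManagementTier.TRUSTED, True, True, "4821")
    for cls in Classification:
        print(cls.name, decide(alice, phone, cls))
```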
Microsoft IT has to ensure that devices have the correct identities and associated permissions to access the varying levels of corporate data, including HBI, MBI, and LBI. Additionally, with respect to corporate data on personal devices, Microsoft IT must carefully consider:
- The blend of corporate and personal data that likely is on most users’ mobile devices.
- How to ensure that corporate data is removed from personal devices after employees leave the enterprise.
- Where the data actually is being stored:
  - Is it actually being stored on the personal device? If so, per some countries’ laws, if that device is lost, neither Microsoft nor its employee retains the rights to that content.
  - Is it being stored on-premise or in the cloud?
  - If it is being stored in the cloud, does Microsoft really own it?
- How best to educate employees regarding their responsibilities. If they are using non-Microsoft services, they must remember that Microsoft corporate data cannot be shared, and take steps not to expose it inadvertently.
Working with Identities
Microsoft IT supports a variety of devices and platforms. Central to making their environment function correctly and safely is identity, which can be a user, service, or group. To make an authorization decision, the identity of an object (user, device, service, or group) must be known and must originate from a system of trust. Maintaining the identity system for an enterprise requires significant effort and cost. Therefore, there is a benefit to accepting a consumer identity in the enterprise from a consumer identity provider (Google, Facebook, LiveID, Yahoo), as this would reduce the costs of managing identities and also give users a potentially smaller set of credentials to remember.
Microsoft is not just a Windows shop anymore. In fact, Microsoft is one of the largest developers of Macintosh apps, and Microsoft IT supports a multitude of non-Windows platforms, including the Macintosh operating system, the newly released Windows® RT and Windows® Phone 8 operating systems, Android devices, the proprietary Nook and Kindle e-readers, Linux and UNIX servers, and even Nintendo and other handheld gaming systems. Additionally, Microsoft IT must support a multitude of identities and user scenarios to meet the access needs of its customers – Microsoft employees, vendors, business guests, and other visitors.
Microsoft System Center 2012 Configuration Manager has changed the device-management landscape by offering a single pane of glass through which to manage devices and the Microsoft intellectual property that they may contain. It enables Microsoft IT to manage diverse environments.
Microsoft IT utilizes System Center 2012 Configuration Manager to track and manage a broad choice of devices that connect to the corporate network by using Exchange ActiveSync. Configuration Manager automatically detects a device’s restrictions with respect to the corporate network, which enables smooth and seamless application deployment to devices. System Center 2012 Configuration Manager provides several key benefits, including:
- Baseline management for all Exchange ActiveSync-aware devices. This enables Microsoft IT to determine when devices are synchronizing to the corporate network, manage those devices and remotely wipe them, if necessary, and enforce PIN use on devices.
- A management infrastructure for System Center 2012 Endpoint Protection and alignment of the client compliance and remediation capabilities of System Center 2012 Configuration Manager with the antimalware and vulnerability protection features of Endpoint Protection. This consolidates device management, which lowers infrastructure costs and increases network and environment transparency.
- A user-centric approach to application delivery, which means that Microsoft IT can establish policies that enable System Center 2012 Configuration Manager to evaluate user identities, application dependencies, device types, and network connections so that Microsoft IT can deliver an engaging and rich application experience to users on whatever healthy devices they are using, via Windows Azure™.
- A single infrastructure for asset, usage, and desired configuration management for personal and virtual desktops. System Center 2012 Configuration Manager integrates with Microsoft Application Virtualization (App-V) to deploy and manage virtual and physical applications, to enable easy scaling of application deployment as fully streamed virtual applications, locally delivered packages, or both.
Additionally, Microsoft IT has used System Center 2012 Configuration Manager to deploy and manage Windows 8 and Windows® Server 2012, and to automate administrative tasks via Windows PowerShell® support.
As Microsoft IT looks at the proliferation of employees’ mobile devices within the enterprise, it also must be cognizant of the fact that its customers are not just full-time employees or those who can and do join their devices to the Microsoft domain. Microsoft IT has to consider the various user scenarios that it must support to ensure that all people who attempt to connect to the Internet while at Microsoft have a satisfying and productive experience, including:
- Business guests
- Other visitors
In April 2012, Microsoft IT piloted MSFTOPEN, which features a wireless network that serves non-domain-joined devices. It now is transitioning to a production service, as feedback from the pilot indicated that on-premise users were able to use their personal devices to connect to the Internet.
While one of the motivators for MSFTOPEN was to provide Internet connectivity to non-domain-joined devices, another was to limit the number of devices connecting to the corporate network and therefore increase its capacity and security.
Currently, Microsoft employees are, on average, using two devices at once while working. However, they do not necessarily need full corporate-network access for both devices, just an Internet connection. What are employees accessing via the Internet? Likely social-media sites and technologies.
Supporting Social Technologies: They’re Not Just for Socializing
A common misconception about social technology is that it is just a mechanism for chatting with friends, sharing your adventures, and playing games. Instead, it can be a major force for driving action, collaboration, and integrating applications into your workspace.
Microsoft IT supports social technologies such as Microsoft SharePoint 2013 and Yammer. Although Yammer handles traffic that is 10 times the amount that SharePoint supports, both are powerful social and business tools.
SharePoint simplifies the process of storing, synchronizing, and sharing important data, and includes work-management capabilities that help users organize and prioritize tasks from across SharePoint, Microsoft Project, and Microsoft Outlook®. Additionally, it features a social feed that users can embed in team sites. This enables teams to utilize the social posts to generate and assign tasks.
Yammer offers similar functionality, and future development will include an option for extranet accessibility. That, however, will pose another question about data security, as the potential for inadvertent data exposure could exist.
Microsoft IT does not support the use of some other popular social technology applications, specifically Facebook and Dropbox. In fact, Microsoft IT has created a special group of experts to compare the business value versus inherent risk of social technologies that users want to access with their domain-joined devices, as well as the potential applications that need to be introduced into the Microsoft Store.
Microsoft IT employs a four-quadrant approach to new technologies and applications, to determine the risks versus the rewards for the enterprise. Microsoft IT developed a Consumerization of IT Steering Committee that includes representatives from each major division across the enterprise. This committee examines emerging technologies with an eye toward these four governance areas, and establishes best practices for the use of, and interaction with, social technologies and applications with domain-joined devices.
Here is a breakdown of the four areas of governance:
- Contain: Microsoft IT restricts usage of these technologies, and no service is provided. Technologies that fall into this category have a low Total Cost of Ownership (TCO) but are too important to employees to block completely.
- Embrace: Microsoft IT expects more technologies to enter this category, especially as employees begin using these applications for support and marketing. These technologies require a substantial investment, but the business value can be significant.
- Allow w/Policy: Microsoft IT has not yet evaluated the technology or taken action. Future action is to be determined.
- Block: Microsoft IT blocks very few technologies, simply because of the cutting-edge culture at Microsoft. Technology that has a low business value and that is risky falls into this category.
The following graphic details the technologies that currently fall into the four areas of governance:
Although it has been a significant change for Microsoft IT to support the range of devices that employees want to use, it opens up Microsoft IT to a greater capacity for significantly increasing employee satisfaction and productivity. This is a watershed moment, and Microsoft IT is riding the wave to embrace the Consumerization of IT by:
- Continuing to ask, “What are our users’ core needs? How do we prioritize those needs?”
- Continuing to support and integrate social technologies into the workplace, so that employees can collaborate easily and fluidly with others around the globe
- Developing compelling LOB apps that are easy to install and use
As the company's first and best customer, Microsoft IT works with product groups to adopt and test developing technologies, and then provides critical feedback to the product group. The Consumerization of IT adds another level of complexity to the Microsoft IT first and best customer role, because not only does Microsoft IT test and report on developing Microsoft technologies, it does the same with technologies across the world marketplace, from a variety of vendors and locations.
That is where the Consumerization of IT Steering Committee plays a critical role. Composed of representatives from each section of IT, the group meets monthly to discuss emerging and new technologies and applications that Microsoft employees may want to use. The steering committee then weighs the business benefit versus the risk of that new technology, determines whether to support it, and then works to assimilate it into the Microsoft stable of approved technologies and promote it to the Microsoft Store. The steering committee typically is involved in most major Microsoft releases.
For example, with the recent release of the Microsoft Surface Windows RT™, the steering committee determined that the Microsoft Surface definitely fits into the Embrace category, because of its high business value and low risk.
Once Microsoft IT decides a technology falls into the Embrace category, it then has to determine how to get a list of apps for it into the marketplace. Microsoft IT will:
- Produce guidance and standards for developers, so they can begin developing rich, compelling apps for that technology
- Go through existing apps, to perform compatibility testing
- Survey users, asking what apps they want and need, and what are the most critical to their job
Supporting Development of Applications and Services
The process that takes an application from a conceptualized idea to a rich and ready-to-use offering in the Microsoft Store often follows a path across devices and technologies already in play. An employee may decide that they need a specific technology on a domain-joined device, and email peers with the idea. That email exchange may appear on Yammer, and that may lead to the creation of a workgroup on SharePoint, dedicated to developing that application and getting it published.
To embrace the Consumerization of IT fully, Microsoft IT must rely more on engineering and support teams to listen to employees (and all customers) and innovate in an agile way, and must promote creation of smaller, more agile development teams who can create rich and compelling apps that work across multiple device platforms.
Microsoft IT also is working to promote the idea of real-time IT, which requires that it embrace a model of central marketplace, in which it can implement and be proactive with respect to real app governance by analyzing, inventorying, and collecting data about apps.
Application development in the era of the Consumerization of IT requires a user-centric model. Users require line-of-business (LOB) applications that span device types. When users access the marketplace, they want to see consistent apps for their phone, slates, and tablets. Users have a high expectation that if an application exists on one platform, it will exist on others. They also expect the look and feel of those cross-platform applications to be relatively the same. Apps must be modernized to transcend platforms so that users do not suffer through disconnected experiences depending on what device they are using.
With respect to app development and supporting user scenarios with LOB apps, Microsoft IT now must:
- Embrace Consumerization of IT by relying more on engineering and support teams to listen to customers and innovate in an agile way.
- Develop smaller, flexible teams or app factories that provide small, workable, consumable applications that users can leverage quickly and easily. Applications must be content-driven, and provide workable solutions that employees need.
- Deliver an immersive, engaging experience, and provide more and better LOB applications.
- Promote the concept of Real-time IT, which means it embraces a model of a central marketplace, in which it can implement real governance by analyzing, inventorying, and collecting data about apps and being proactive.
- Control and monitor apps once marketed and distributed, by using Windows Intune™ and System Center 2012 Configuration Manager. Furthermore, users must be encouraged to become involved in app development by sharing their experiences, concerns, and comments via enterprise social technologies, such as Yammer.
More and more devices, platforms, and technologies enter the market every month. Microsoft employees want to use these devices and technologies to work when they want, from where they want. They expect a seamless, flexible experience that enables them to be productive on the go and at the office.
Looking ahead, Microsoft IT must continue to maintain strict security parameters while managing user identities, so that employees can access enterprise information and resources from a diverse range of devices, and from work and on the go. This is imperative if Microsoft wants to continue to attract and retain the best and brightest. Additionally, Microsoft IT must enable users to capitalize on the social technologies that enable collaboration and communication, and the applications that increase their productivity.
By focusing on devices, identity, social technology, and applications and services, Microsoft IT can continue to provide a balance between stringent corporate policies for security, and their users’ favorite devices and technology. That, at its core, is what the Consumerization of IT is all about.
For More Information
The Consumerization of IT
Enterprise: Customer Stories