Unified Device Management Allows Centralized Governance of Corporate Network Devices
Business Case Study
Published: July 2013
The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.
The recent bring your own device trend that allows employees to use devices they own for business productivity has IT departments struggling to maintain data security and centralized device governance. The Microsoft IT solution demonstrates how a large company can implement UDM with minimal cost and disruption to its existing Configuration Manager environments.
Products & Technologies
Microsoft Information Technology (Microsoft IT) lacked a timely solution for keeping pace with the surging trend of employees who use personal devices to do Microsoft work. Without a user- and IT-friendly way to bring all devices into the scope of centralized management, IT risked improper exposure of secure company data, among other concerns.
Microsoft System Center 2012 Configuration Manager SP1 with Windows Intune™ enables Unified Device Management (UDM) to allow flexible, centralized management for company-owned and user-owned devices while maintaining corporate compliance and control.
Over the past decade, business environments have changed in significant ways. One key change is workers' use of technology devices. For many years, businesses generally followed a model where each worker fulfilled his or her duties by using one computer, owned by the company and located on the business premises. Today, that model has been augmented to include multiple device types, variable ownership, and variable locations. More employees work remotely than in the past, and their productivity is not limited to a company-provided computer. Laptops allow employees to work from home, tablet devices are the tool of choice for conference room participation, and smartphones enable the use of email and other applications from virtually any location in the world. Some businesses provide these devices for their workers, but in many environments, employees purchase the devices for personal use and then adapt the devices to their work requirements as needed.
This bring your own device (BYOD) model poses new challenges for IT. The model has become so ubiquitous that in many work environments, BYOD has become a decisive factor in employee satisfaction and retention. At the same time, the proliferation of heterogeneous devices in the workplace raises privacy and security concerns for both the worker and the employer. IT departments find they must strike a balance between allowing the flexibility that workers need and ensuring the safety and efficiency of IT device management operations.
In 2012, Microsoft IT addressed these needs for its organization. In order for BYOD to be successful on the Microsoft corporate network, IT needed a comprehensive plan. Four key success factors were identified:
- Users must be able to work from any location at any time using any device they choose.
- Devices must be centrally managed in a way that is acceptable to the entire business.
- Applications used for business purposes must be centrally available for install/uninstall.
- Data policies must provide for corporate data security on all devices while maintaining the privacy of workers' personal information.
Like many enterprise companies, Microsoft uses Microsoft System Center 2012 Configuration Manager to manage assets connected to its corporate network. The latest version of this product, Configuration Manager 2012 Service Pack 1 (SP1), did not contain functionality that allowed Microsoft IT to centrally manage devices and applications in the cloud. Currently, no other solutions are available that provide enterprise-level centralized management of both on-premises and cloud-connected computers, devices, and applications.
To meet the needs of its changing device management environment, Microsoft IT enabled Unified Device Management (UDM) by adding a Windows Intune subscription and connector to its Configuration Manager console. UDM enables centralized, Configuration Manager–based management and access to cloud-connected personal devices that users choose to enroll, as well as the corporate applications that users run on the devices. IT manages the devices together via the Configuration Manager administrative interface. This hybrid solution retains the scalability and administrative functionality of Configuration Manager while extending its reach via Windows Intune cloud-based device management.
Figure 1. Microsoft IT UDM solution architecture
As part of this solution, users can choose which devices to enroll and gain access to resources via a web-based self-service portal. Users can then extend their enrollments across all devices they use, regardless of platform: for example, Windows Surface™ RT, Windows Phone 8, or Apple iOS. Based on the success of a recent beta program, IT made UDM available to all 98,000+ Microsoft employees.
To assemble the solution, Microsoft IT performed the following steps:
- Using its existing production Configuration Manager environment, provisioned users by performing user discovery for the entire corporate Active Directory® forest.
- Provisioned a Windows Intune subscription for the Microsoft tenant and configured the Windows Intune connector.
- Synchronized all existing Configuration Manager data with the Windows Intune cloud.
- Redirected Domain Name Service (DNS) for the user portal website to the Windows Intune beta environment.
- Applied device-specific certificates for Windows Phone 8, Windows Surface RT, and Apple iOS.
The solution can be replicated in any Configuration Manager 2012 SP1 environment that owns a Windows Intune subscription. Future plans include support for Android devices.
- Simplified, low-cost implementation. Enabling UDM does not require adding any new infrastructure, hardware, or network complexity to the Microsoft IT environment. Also, because the connector uses native Configuration Manager 2012 SP1, no custom coding is required for its use. In these ways, the solution provides significant benefits with minimal cost or effort.
- Native support management. Enabling UDM allows IT to synchronize user and device data without relying on an external service, such as Microsoft® Exchange ActiveSync®.
- Cohesive balance of user productivity with secure IT. By managing the installation and removal of IT-approved corporate applications on a variety of devices via the user portal, the solution allows user flexibility and the enforcement of corporate data security policies while leaving users' personal data untouched.
- Single administrative and user interfaces. Although the solution spans two technologies (Configuration Manager and Windows Intune), only the Configuration Manager administrative console is required for managing devices and computers. Similarly, employees who log on to the portal have a seamless user experience, regardless of the server technology they use to request applications and services.
- Enterprise-level scalability. The solution connects the cloud capabilities of Windows Intune to the scalability of Configuration Manager, which was designed to support large companies' infrastructures but which previously lacked a cloud-based method for managing off-premises devices.
UDM plays a key role in Microsoft IT's people-centric IT (PCIT) vision, which places users' needs at the core of a new approach to managing the modern workplace. More enterprise workers expect their professional technology to look and behave the same as their personal technology: always on and always available. In order to allow employees to work with their preferred device whenever and wherever they choose, PCIT provides options for creating a consistent, reliable, and secure work environment that can be centrally managed by Microsoft IT regardless of each user's location or device.
Figure 2. Pillars of the PCIT vision
The UDM feature that best models PCIT to users is the self-service portal, which functions as a marketplace and self-service command center for enterprise applications. As adoption of UDM at Microsoft increases, more employees are visiting the portal to perform these tasks:
- Provision new devices and add the devices to their corporate user profiles.
- View, install, or run corporate applications on their registered devices.
- Remove applications from devices and remove devices from the corporate network.
Employee Productivity and Satisfaction
The Microsoft IT UDM solution enhances employee productivity in key ways. Not only can users choose the device to run an application, they can also store work-related data in a single location and use it in various scenarios: for example, they can check mail from their phones or use their personal tablets to present at meetings. Although these abilities are not specifically part of Windows Intune or Configuration Manager functionality, cloud-based data storage enables this data to be kept in sync regardless of the devices being used to store or retrieve it.
A subtle but important PCIT concept that guided effective UDM adoption at Microsoft was letting users opt in to the technology rather than feeling that it was being foisted upon them. By introducing the solution in phases, through internal marketing campaigns aimed at select areas of the company, Microsoft IT was able to deliver the message to employees that a platform is now available for accessing corporate resources from their personal devices.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
© 2013 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.