Managing Mobile Devices? Pair System Center 2012 SP1 with Windows Intune
Enterprises looking to manage mobile devices are using both Microsoft products to get the job done.
Microsoft recommends that organizations who want to manage mobile devices with Microsoft solutions should have System Center 2012 Service Pack 1 Configuration Manager and Windows Intune, both of which were released last week.
With the new product capabilities, it's not a Windows Intune vs. SCCM 2012 world. Rather, with respect to mobile device management, Microsoft is recommending the use of both tools, especially for larger organizations. The new SCCM 2012 solution, according to Microsoft's formulation, will serve as the "single pane of glass" for IT pros.
This product technology shift is reflected in the licensing changes that Microsoft made in early December. Windows Intune, SCCM 2012 and System Center Endpoint Protection (formerly known as "Forefront Endpoint Protection") have been bundled into three licensing product offerings.
For instance, Windows Intune is available under Enterprise Agreements (EA) or EA Subscription (EAS) plans, which come with the rights to use SCCM 2012 and Endpoint Protection for $6 per user per month. Another approach, for organizations that already have licensing for SCCM 2012 and Endpoint Protection in place, is to get Windows Intune as an add-on, which costs an extra $4 per user per month.
Those two plans are for large organizations with more than 250 users or devices. Organizations with less than 250 users or devices can get Windows Intune through the Microsoft Online Subscription Program. This "MOSP" option costs $11 per user per month, adds Software Assurance for one device but includes use-rights for four other devices, and also gives the organization the rights to use SCCM and Endpoint Protection, along with the latest Windows Enterprise edition.
In all three cases, the licensing is now offered on a per-user basis, rather than on a per-device basis. This per-user licensing shift, made by Microsoft in December, likely will be favorable for organizations wanting to support multiple-device scenarios, since five managed devices are covered under one user license.
"So what we've done is we've tried to make the licensing, No. 1, easier and less expensive because it's per user rather than per device, but then also more flexible in that you're basically licensing or paying for what you want or need," explained Jason Leznek, director of product marketing of enterprise client management on Windows Intune licensing, in a phone call on Wednesday.
System Center 2012 consists of eight solutions, which can be bought as a complete suite under Enterprise CAL licensing, but the product is also sold under Core CAL licensing in which SCCM 2012 is bundled with Endpoint Protection, Leznek explained.
"Certain components of System Center are focused very heavily on the desktop or the user device management," he said. "Mostly, that's Configuration Manager as well as Endpoint Protection. Those are sold separately as a full complete product on its own for device management, for endpoint management. It's part of the Core CAL."
Unified Device Management
The combination of Windows Intune with SCCM 2012 is part of Microsoft's "unified device management" concept, in which SCCM will serve to provide a single view for both cloud and on-premise activities, according to Leznek.
"There are two main worlds. There's the in-the-cloud and there's the on-premise," he said. "The on-premise offering is typically your Windows PC (desktop or laptop), Macs, etc. that are corporate owned and corporate connected, and I'm going to do deeper management there because, from an IT perspective, I own the PC…and that's what Configuration Manager has always done. Windows Intune is completely in the cloud. As a customer using it, you have no infrastructure requirements. It's totally Web based and it's all handled on Microsoft's servers."
Typically, IT shops would use siloed solutions to manage those two worlds, but Microsoft unified the management pane with SCCM 2012 SP1. While SP1 enables SCCM 2012 to manage Windows To Go and Windows Embedded devices, as well as Linux, Mac OS X and Unix servers, the broader mobile device management capabilities are found in Windows Intune. The types of devices that Windows Intune can manage include those running Windows 8, Windows RT, Windows Phone 8, Android 2.1 and later versions, and Apple iOS versions 5.0 and 6.0.
SP1 for SCCM 2012 just adds a few new management capabilities for some older Windows mobile device scenarios, including management for Windows Mobile 6.1, Windows Mobile 6.5 and Nokia Symbian mobile devices (enabling discovery, inventory, software distribution, settings management and remote wipe), according to Wally Mead, a senior program manager on the System Center client management team, in a December Microsoft-produced Channel 9 video. Configuration Manager still has Exchange ActiveSync (EAS) management capabilities but SP1 adds integration with Windows Intune to enable management through a single view in SCCM 2012. Mead demonstrated how to use SCCM 2012 SP1 to create a Windows Intune subscription and how to create an APN (Apple Push Notification) certificate that's required for managing Apple iOS devices.
Exchange ActiveSync Requirement
Exchange ActiveSync is still a requirement for managing some non-Windows devices under Microsoft's scenario, but the company is moving away that approach.
"There's kind of a baseline set of management settings capabilities that are in Configuration Manager today, as well as Intune, and it's called 'Exchange ActiveSync,' and that's still there," Leznek explained. "However, we're moving beyond Exchange ActiveSync for deeper management capabilities, and we're basically using a native management client, or API set, that's already built into the operating system. For example, Apple has a native Apple management API in iOS. Windows RT has a native management API that's based on an industry standard called 'OMA-DM' [Open Mobile Alliance-Device Management]. So it's a more modern protocol that can let you do deeper manageability beyond EAS. We're putting those investments into Intune. So the deeper mobile device management capabilities beyond just the simple EAS support is not in Config Manager, it's in Intune."
Mead said back in December that those wanting to manage Android devices still need to use EAS to do so because Microsoft would not have an Android client agent ready in time for System Center 2012 SP1.
"So for the Android environment, it's only through the Exchange ActiveSync connector," Mead said. "It's pretty much the same features that I kind of referred to a little bit earlier -- being discovery, a little bit of inventory, a little bit of settings management. But we are providing some software distribution capabilities for that as well. The reason this has a little bit of differences in capabilities is we haven't written a client agent yet for the Android platform. It's high on our list to do but we're just not going to get the client agent ready for our Service Pack 1 release, so it'll be through our Exchange ActiveSync connector. For Windows Phone 8, Windows RT and the iOS devices, we'll have over-the-air enrollment. So you, as an end user, provided you've got the capabilities assigned to you from the Config Manager administrator, you'll be able to enroll your device into that environment. Once you've done that, we'll be able to get inventory on your device; we'll be able to deploy software targeted to you as a user…; you'll be able to do some settings management…; you'll be able to retire a device…, and you'll also be able to remotely wipe a device."
In terms of its mobile management strategy, Microsoft conceives of application distribution to end users as somewhat akin to the smartphone model. Under this "self-service" model, apps can be downloaded by users either from an online app store or from a company-maintained Web portal. Self-service portals for iOS and Android are prebuilt into Windows Intune, Leznek explained. Configuration Manager has a self-service portal capability today, but, for mobile devices, it's typically handled through Intune.
The portal is mostly for providing a space for distributing apps, rather than device management, Leznek said. There are two processes for IT pros to distribute apps. "Deep linking" is the process by which an app is published to an app store, such as Microsoft's Windows Store. The second process, called "sideloading," is the process IT pros would use for publishing corporate apps. Microsoft is requiring that apps be signed with a certificate when sideloading apps for security reasons.