I am surprised this post by Microsoft Program Manager Jeffrey Sutherland has not attracted more attention. It describes enterprise app deployment to Windows on ARM devices, now officially called Windows RT devices. These devices run Windows 8 compiled for ARM, which means high efficiency but a greater degree of lockdown than with x86. In particular, desktop applications cannot be installed, though Microsoft Office is pre-installed, without Outlook.
The interesting aspect is that what Sutherland describes is not just a way of managing Windows RT computers, but a new approach which fits with the trend towards BYOD – Bring Your Own Device – where employees use their own devices for work as well as at home.
Quick reminder: in the old model, Windows clients are managed by being joined to a domain, controlled by Active Directory. Once domain-joined, the machine is subject to group policy administered by the domain, a fine-grained system for configuring settings and deploying applications.
Windows RT devices cannot be joined to a domain. However, there is a new option in Control Panel to “connect to your company network”.
Note that the user must still be joined to the Active Directory domain. Since this is now joining the machine to the network and subjecting it to a degree of centralised control, Windows RT network joining is conceptually not far distant from domain joining, but it is a completely new approach.
The next step is to install a management agent which communicates with the enterprise network.
Once network-joined and with the agent installed, the machine:
- Is subject to a set of security policies covering password and logon rules (e.g. whether to allow picture logons)
- Is audited for antivirus and antispyware status, drive encryption and auto-update; network connection can be refused if not compliant
- Will lock encrypted drives if the wrong password is entered repeatedly
- Can automatically set up a VPN profile for network access
- Enables access to a self-service portal (SSP), operated by the enterprise, for app deployment
- Can be deactivated, which renders all SSP-deployed apps inoperable
The SSP can deploy custom or third-party Metro apps, but can also include links to the Windows Store and web links to web applications.
Microsoft envisages the above tools being used both for company-owned and employee-owned Windows RT devices. One advantage over domain-joining is that it is less intrusive to the user. When you domain-join a Windows PC, it creates a new user profile on the machine, which can be a nuisance if the user wants to use the machine for non-work purposes; they have to either switch profiles or use the work profile for home as well.
Metro-style apps are inherently better suited for intermingling business and home, since they are isolated from one another and from the operating system.
This new approach is not only for Windows RT machines but works on x86 as well:
“We do support this functionality on x86. However, x86 also has a load more management functionality through Domain membership, Group Policy and existing tools like System Center.”
says Microsoft’s Iain McDonald in the comments.
Although it is true that the old domain-joined model offers a higher degree of control, Windows RT should have security advantages thanks to the lockdown preventing desktop applications from being installed, which will restrict malware.
Windows computer domains are not going away, but BYOD and the trend towards cloud computing will gradually reduce the number of domain-joined machines. For example, a small business using Small Business Server will usually domain-join all its machines, but a small business using Office 365 will usually not do so.
I should add that although the approach outlined above is great for simplicity and flexibility, the fatal flaw for many organisations will be its dependence on Metro-style apps. If you have any Windows desktop apps to deploy, then it will not work.