Redefine Windows 10 Management - Dell


Redefine Windows 10 Management
Embrace True Business Mobility

Table of Contents

Introduction
VMware Solution
Reduce Cost and Complexity of Management
Simplify Management
Secure and Control Windows 10 Devices
Minimize Risk of Data Loss
Summary

VMware AirWatch: Redefine Windows 10 Management / 2

Introduction

Many IT organizations are still treated as cost centers with their roles squarely focused on run-of-the-mill operations – relentlessly supporting users, devices, apps, and operating systems (OS).

Consumerization of IT (with BYOD) and mobile-cloud initiatives are quickly becoming the norm in order for businesses to stay competitive. This is forcing organizations to think beyond basic end user productivity and collaboration, and embrace modern business mobility initiatives that require reengineering core business processes to a mobile-cloud model.

With Windows 10, Microsoft brings to market a mobile and cloud-ready OS that is poised to have a significant impact on organizations’ end user computing (EUC) strategy. The modern OS offers a unified platform for building apps and extending the organization’s core processes to end users anywhere and using any Windows 10-powered device. However, enterprise-wide execution of this business mobility vision comes with its own set of challenges. A 2015 VMware study involving 1,000 IT decision makers identified the following top concerns for adoption of mobility initiatives [1]:

1) Reduce the overall cost and complexity of management
2) Ensure security and control of devices at all times
3) Minimize the risk of corporate data loss

With a unified endpoint management vision, VMware is strategically positioned to address these challenges. VMware’s EUC solution enables organizations to fully capitalize on their mobility initiatives and IT departments to redefine themselves as true business enablers. This whitepaper is targeted at Technology Decision Makers (TDMs) and IT Pros and highlights how VMware redefines Windows 10 deployment and management across the enterprise.

[1] VMware State of Business Mobility Report. Rep. VMware, Nov. 2015. Web. ss-mobility-report-2015/ .

VMware Solution

At the core of VMware’s unified endpoint management vision lies the AirWatch enterprise mobility management (EMM) solution.

VMware AirWatch offers Windows 10 management support and introduces smarter ways to deploy, control, and manage an organization’s PC fleet. It reduces the total cost and complexity of management by enabling IT to consolidate on the required tools and management panes of glass, and eliminating many of the pain points of traditional PC lifecycle management tasks (e.g. need for staging and imaging; complexity of maintaining drivers; managing OS updates, firewall, antivirus, encryption policies).

Further, AirWatch enables IT to control and secure devices for end users via detailed security profiles, compliance settings, and device restrictions. The solution minimizes the risk of data loss by ensuring that only managed devices meeting company-defined compliance policies get access to apps, content, and email.

The rest of the whitepaper describes in detail how the VMware End User Computing solution helps address an organization’s concerns for adoption of business mobility initiatives, particularly as it relates to their Windows 10 deployments.

Reduce Cost and Complexity of Management

Windows 10 enables IT administrators to take full advantage of the new enterprise mobility management capabilities. AirWatch embraces the best of the traditional client management functions and brings together the industry leading EMM capabilities to simplify Windows 10 desktop and mobile device management.

Streamline Deployment

With AirWatch, IT administrators can dramatically simplify the process of device enrollment and provisioning. AirWatch provides an intuitive Windows 10 onboarding experience over any network, public (cloud domain joined) or private (non-cloud domain joined), across corporate, BYOD, and CYOD scenarios. AirWatch integrates with Microsoft Active Directory (AD) on-premises and Microsoft Azure AD in the public cloud to support either hybrid or full cloud enrollment models for joining the devices to the domain.

[Figure 1: AirWatch Windows 10 provisioning use cases. Panels: End-User Simplified Onboarding; IT Simplified Onboarding.]

End User Simplified Onboarding

Integration with Azure Active Directory enables organizations to support end user self-service enrollment with zero IT involvement and minimal user interaction. End users can enroll via:

- An out-of-box enrollment experience upon boot
- Adding their corporate credentials
- Signing in to organizational applications (e.g. Microsoft Office)

The self-service enrollment methods using work credentials join the devices to the cloud domain; correctly configure profiles, settings, apps, compliance policies, and content; and set up the device for management by AirWatch – all in one streamlined workflow.

OpEx/IT Productivity: End user self-service enrollment with zero IT involvement

IT Simplified Onboarding

Traditional imaging and domain joining have always been a time-consuming and complex solution for enrollment of devices. Runtime provisioning in Windows 10, when combined with AirWatch product provisioning capabilities, gives IT admins a more granular, policy-based approach to bulk enroll devices without the need for re-imaging for individual use.

OpEx/IT Productivity: One click bulk enrollment via policy without the need for re-imaging

Using AirWatch, IT administrators can bulk import specific device serial numbers and map these to the user accounts that are receiving the device. AirWatch provides the necessary staging and provisioning service URLs (discovery, enrollment, and policy), which feed into the Windows Imaging and Configuration Designer (ICD).

Combined with AirWatch product provisioning capabilities (see Application Management section), AirWatch enables IT to create a single pre-configured enrollment package, where configuration settings, apps (including EXEs and MSIs), software updates, drivers, files, and commands are delivered remotely to the end user via email or a media disk, and installed with just one click. Alternatively, the package may be imported directly by the admin or the end user within Windows Work Access settings.

[Figure 2: Provisioning package can include app lists and configuration settings. Columns: Configuration; Applications.]

Simplify Management

Devices

The AirWatch admin console features the device dashboard that provides IT administrators a quick, high-level, and real-time view of the entire fleet of the organization’s endpoints – including Windows 10 based devices. The device dashboard is customizable, searchable, and includes filtering capabilities so admins can find specific devices based on various criteria, e.g. device platform, OS version, compliance status, ownership type, etc. The drill down capabilities make it simpler and faster to perform MDM actions and administrative functions on a particular set of devices.

OpEx/IT Productivity: Unified dashboard for management and reporting for all devices, apps, and OS platforms

The AirWatch admin console also enables a deeper assessment of any specific device. For example, admins can get detailed information on the security status of the device, e.g., whether or not the Windows 10 device is enrolled into management, if the device is compliant with the passcode and encryption policies, and whether the device posture is healthy based on the configured Health Attestation settings (see Device Posture section).

AirWatch also features an extensive set of pre-configured reports and event logging capabilities that provide administrators with actionable, result-driven statistics on their Windows 10 deployments. IT administrators can also create custom reports, define distribution lists and automate report delivery and schedules all within the centralized admin console.

Device Inventory

AirWatch features asset intelligence capabilities built into the console. IT admins are presented with various device inventory details such as devices in specific organization groups, device network connection status, devices with specific applications installed, whether the device is compromised, and many other pre-configured and detailed reports.

[Figure 3: AirWatch Device Dashboard]

Applications

One challenge IT admins face with PC management is the fragmented app ecosystem. With Windows 10, organizations no longer need multiple app distribution tools for each app type, and admins can enable end users to access all apps - be it an EXE or an MSI package, a web app, remote, or a universal app - from one unified app store. The new store supports apps that maintain a single code base across mobile and desktop platforms of Windows. This feature saves time for developers and enables admins to work towards unified endpoint management.

OpEx/IT Productivity: End user self-service installation of apps

AirWatch enables admins to deploy a unified app catalog so end users can access corporate approved apps from one location. Application configuration policies in AirWatch also ensure that only trusted apps run on the end users’ machines (see Application Groups section). Integration with VMware Identity Manager, an Identity as a Service (IaaS) solution, enables IT to control and secure access to corporate apps and provision convenient one-touch access for end users using these apps anywhere and on any device (see Single Sign On section).

The VMware AirWatch App Catalog fully integrates with the Microsoft Store and enables self-service installation of apps that are assigned to the user based on platform, user group, role, and more. It enables developers and admins to view app installation statistics, collect feedback / comments, push update notifications, silently install apps on end users’ devices, and create custom branding and categories for the catalog. The AirWatch App Catalog can be pushed to devices automatically during the Windows 10 enrollment workflow or on-demand as a web clip.

With the development of the Microsoft Windows Store for Business, Microsoft delivers the place for developers, IT decision makers and administrators to submit, find, acquire, manage, and distribute Windows 10 apps for organizations. AirWatch is excited to be working with Microsoft to integrate with the Windows Store for Business so that end admins can access, deploy, and use Windows 10 apps in their organization.

Product Provisioning

AirWatch enables remote delivery of apps, files, and commands via “product profiles.” AirWatch product provisioning capabilities let IT admins push apps, drivers, firmware updates, complex packages or scripts to keep the organization’s Windows desktops up-to-date and always ready for use. Admins can further simplify product provisioning and software distribution tasks by creating automated schedules and workflows for installation, which can also be configured to install depending on certain conditions, such as network, schedule, or power. AirWatch fully supports basic installation of MSIs, and it goes further by featuring a traditional task automation scripting engine, which provides capabilities that would typically require use of a PC Lifecycle Management (PCLM) tool. This enables IT admins to embrace the best of traditional PCLM capabilities as they transition to the new EMM-based management flow.

[Figure 4: AirWatch product provisioning]

Application Inventory

AirWatch supports full inventory control, collection, and reporting for Windows desktop (legacy) and Metro (modern) apps. IT admins can view reports on application versions and deployment status, presence of apps on selected devices, and lists of applications with their costs, and can access many other application inventory features.

Office 365 Support

For organizations using Microsoft Office 365, AirWatch and VMware Identity Manager make the process of provisioning access to the various Office 365 apps simple and automated by syncing with existing directory services (LDAP) user groups. The integration ensures a common identity for authentication and conditional access to the apps so only authorized users, on managed devices, and with purchased licenses are able to access the various Office 365 services.

Email

AirWatch delivers comprehensive email management functionality for Windows 10 to support and secure an organization’s corporate email infrastructure by allowing only compliant users and devices to get access to email. AirWatch supports email access on the native mail client (Microsoft Outlook) or using the AirWatch Inbox application, and deploying multiple email management configurations [2] within the same organization, including Exchange Online and Office 365. This enables IT admins to centralize management of different email environments across branches or user groups, and support upgrade or migration scenarios where a portion of the endpoints may be on a different environment.

OpEx/IT Productivity: Support and centralize management of multiple email infrastructures

Content

The AirWatch content management solution helps organizations securely deliver and access content across Windows desktop and mobile devices. IT admins can configure and upload managed content in the admin console, sync corporate file servers (e.g. Microsoft SharePoint, Microsoft OneDrive, network shares, etc.), and also enable personal content space for end users. End users can access and share data in a secure manner using VMware AirWatch Content Locker.

Traditional Client Functions

Traditional Windows PC management methods are largely dependent on Group Policy Objects. With GPOs, devices must be connected to the corporate network and have to reboot in order to get policies. Also, organizations would often require a separate EMM-based management infrastructure to secure and manage their mobile and non-Windows endpoints.

CapEx/Infrastructure: Consolidate or eliminate licenses for traditional PC management tools

With Windows 10, however, there is a fundamental transition from GPOs to EMM-based management of the platform. Powered by AirWatch, the Windows 10 devices can now be configured with real-time updates over the air, on any public or private network. AirWatch also supports native OS settings for encryption, antivirus, malware, and firewall, eliminating the need to purchase and support third party software and agents. AirWatch enables co-existence of traditional GPO-based management alongside the new EMM-based approach so admins are not forced into choosing either approach. By bringing together the best of traditional PC lifecycle management (PCLM) and EMM, the AirWatch approach aims towards elevating IT productivity, reducing costs, and improving endpoint security.

Updates

Windows 10 features a new update service that is designed with mobility and cloud in mind. It changes the notion of the OS upgrade from a wipe and replace model to one where periodic OS and feature updates are pushed over the air. The new Windows update as a service also features servicing plans or Update Branches that enable admins to control the deployment schedule based on the organization’s preferred approach or sensitivity to feature and security updates. These changes mean that organizations now require a cloud-based management tool to stay on top of the new update capabilities.

AirWatch provides granular control on how Windows updates are managed and delivered across the organization. IT administrators can choose whether users have access to control OS updates on their own, or can choose to enforce the device updates via subscription to the Windows update sources. AirWatch integrates with the new Microsoft Update Service, and also supports an organization’s existing Corporate Windows Server Update Services (WSUS).

OpEx/IT Productivity: Remove complexity of managing updates, patches, drivers, and other traditional PC lifecycle tasks

Admins can set policies on how the updates are delivered to the device, such as automatically or user authorized, and define maintenance windows, such as the preferred day and time for installation, so updates don’t interfere with user productivity. AirWatch also provides options to select if updates for other Microsoft and third party products may be installed simultaneously with Windows updates, and whether or not Windows Insider Builds should be pushed to the end users. AirWatch also supports the new Windows 10 updates delivery optimization feature for peer-to-peer delivery, so users receive updates and apps more quickly.

Antivirus and Malware

Administrators can also manage policies for the native Windows Defender antivirus and build compliance policies from within AirWatch. IT admins can enable real-time monitoring, set definition update and scan windows, add exclusions, choose automatic actions across different threat levels, and set various other advanced monitoring and scan policies.

In addition to native Windows Defender policies, admins can configure compliance rules for third-party antivirus solutions to ensure that monitoring is enabled and the virus definitions and signature files are up to date.

Firewall

Firewall policies across private and public networks are yet another traditional client management function that can now be managed more efficiently via the AirWatch admin console.

Encryption

AirWatch enables configuration of BitLocker Encryption policies so organizations can silently encrypt a full disk or just the OS partition. Admins can escrow the BitLocker recovery key within the AirWatch admin console and also the end user Self-Service Portal (SSP) – as part of enabling a new self-service model that reduces the burden on IT.

Enable End User Self-Service

AirWatch also enables a number of end user self-service capabilities, which further reduce the burden on IT in supporting end users and clients, and instead enable them to focus on more value enablement tasks.

Self-Service Portal (SSP)

[Figure: Self-Service Portal actions: Delete Registration; View Enrollment Message; Resend Enrollment Message; Generate App Token; Revoke App Token; Manage Email; Review Terms of Use; Upload S/MIME Certificate; Recover BitLocker Key]

End user self service managem
