Microsoft recently revealed Windows Phone 8.1 at Build 2014 in San Francisco. While a lot of people were excited about Cortana and universal Windows apps, naturally I was most excited to dig into all the mobile device management updates.
The verdict? Microsoft has taken what was a pretty basic set of MDM options and turned it into a much more powerful tool that should make Windows Phone 8.1 viable in a lot of new situations. Let’s dive in.
Windows Phone 8 MDM background
Microsoft was essentially starting with a blank slate when it comes to their current client-side mobile device management framework. Windows Mobile—probably the last Microsoft phone OS that many of you used—had lots of enterprise management features, but of course all that went away when Microsoft launched the consumer-oriented Windows Phone 7 in 2010. Then in 2012 Windows Phone 8 introduced a new MDM framework that I described at the time as “table stakes.”
Overall, many of the basic concepts in Windows Phone 8 MDM are more similar to Apple iOS MDM than Android MDM: The management agent is built into the OS itself and the remote management protocol is predefined, leaving the management server as the only third-party component. Over-the-air management is opt-in only and users can choose to un-enroll at any time, but doing so will protect the enterprise by removing any corporate credentials, settings, and apps.
Windows Phone 8 MDM has limited visibility into and control over much of what the user does on the device, including user-installed apps. However, most of the basic management settings are there, including password policy, encryption, remote wipe, certificate management, enterprise data wipe, email configuration, and reporting on basic device information. MDM servers can also push a “company hub” app and company app token to allow users to install in-house apps.
(For more in-depth information about Windows Phone 8 MDM, check out this white paper from Microsoft.)
Brand new Windows Phone 8.1 features
MDM for Windows Phone 8.1 uses the same frameworks and protocols, but it adds a ton of new options. Microsoft still hasn’t put out detailed technical documentation, but it was covered in a Build session and they have a basic overview white paper. (Many of these features were also teased last summer under the guise of the “Enterprise Feature Pack.”)
So what’s new? First, there are some basic configuration options.
- Windows Phone 8.1 adds VPN support, which was completely missing previously. VPN credentials can be configured via MDM, and options include on-demand, app-triggered, and location-triggered VPNs.
- Certificate support was improved; certificates can be used for authenticating email, Wi-Fi, VPN, the browser, and enterprise apps. S/MIME is possible now, as well as 2-factor authentication with virtual smart cards.
- There’s support for more types of enterprise Wi-Fi authentication.
- There are more queries and commands the server can ask of the device, including roaming status, information about the Wi-Fi network, the device phone number, remote lock, remote password reset, and remote ring.
Last, but certainly very important—all MDM commands, queries, and configurations can now be pushed to the phone at any time. Previously, after a device was enrolled, MDM interaction would only happen when the phone queried the server at periodic intervals.
Besides all of the new base-level functionality, there are now also a lot more ways to control how Windows Phone 8.1 is used. It’s possible to disable features like the camera, Bluetooth, Wi-Fi, location data, personal email accounts, screenshots, the SD card, copy/paste, Office document saving and sharing, desktop syncing, NFC, data roaming, and more.
In a departure from what’s possible with iOS and most versions of Android, Windows Phone 8.1 MDM actually has real whitelisting and blacklisting capabilities for apps from the Windows Store. Also, while it’s not possible to uninstall users’ personal apps, MDM can prevent apps from being launched. The apps will be grayed out and display a message indicating that they’ve been blocked by corporate administrators.
Windows Phone 8.1 MDM even provides everything needed to completely lock down phones. IT can block Internet Explorer, prevent users from doing a developer unlock, and block the Windows Store. It’s also possible to push apps to the phone, determine what apps appear on the start screen and app list, control the behavior of the lock screen, control notifications, remap the search button, and do custom UI theming. Finally, to make sure all these changes stay put, it’s possible to lock the device into MDM and prevent users from doing a factory reset. (So there’s no loophole like iOS had for a while.)
For most typical enterprise MDM situations—like BYOD, COPE, and other knowledge worker scenarios—the new features like VPN support and better certificate and Wi-Fi support will fill in some important holes.
Then there are all the other restriction and lockdown features. We established long ago that you don’t want to even think about these for personal phones, or even for most typical knowledge workers. But what these features will enable is a whole new set of use cases in education, healthcare, industrial, embedded device, retail, and kiosk settings.
Keep in mind that even though Microsoft is encouraging an MDM-centric approach to BYOD (just like Apple and Samsung do, too), there are plenty of use cases where you might want to forgo MDM in favor of an apps-only approach. For those situations most EMM vendors are providing a variety of sandboxed email apps, third-party browsers, file syncing tools, and more. (Though that’s really a conversation for another day.)
Even though there was a lot of progress, Windows Phone 8.1 MDM isn’t perfect.
One thing that might be nice to have is a clearer line between the MDM features that would be used in typical enterprise and BYOD scenarios and the features that would be used in locked-down scenarios. For comparison, look at the example set by Apple iOS: all of the locked-down kiosk mode features can only be used in what’s known as Supervised Mode, and there are limitations on how devices can be enrolled in this mode. In addition, the MDM protocol in iOS specifically defines what rights a remote management server may have over a device. There’s nothing like this in Windows Phone 8.1. Instead, you just have to trust your administrator, but hey, that’s what it’s like with any MDM, really.
Another issue is that work and personal separation features aren’t very good yet. There are no full-on dual-user environment features, but that’s okay because right now that’s a fairly limited, Android-only, bleeding-edge use case. But for more typical use cases, the work and personal management features could be better. Yes, it is possible to use MDM to disable cut and paste and block Office document sharing, but I think the iOS 7 technique of providing “open-in” controls that apply to all enterprise-provisioned apps and email accounts together is a better way of doing it.
Finally, it’d be nice to have a desktop MDM utility, some sort of image management tools, and some options for mass deployment. These would be analogous to Apple’s iPhone Configuration Utility, the Apple Configurator, and the Device Enrollment Program.
Now if it sounds like all I’m doing is saying Windows Phone 8.1 MDM isn’t as good as iOS, it’s not because I’m an Apple fanboy or anything; it’s just that iOS MDM has the benefit of being refined over 6 generations. I’m willing to give Microsoft some slack, seeing as how they’re only on the second generation of Windows Phone MDM.
Overall Windows Phone 8.1 brings many much-needed improvements, so kudos to Microsoft! Will that help them sell any more phones? Maybe? Who knows? At the very least Windows Phone is suitable for a lot more use cases now.