Managing Windows 10 with MDM: VMware has the right idea, but IT needs help getting there

VMware's Unified Endpoint Management is the future of managing Windows and mobile devices, but you can't just replace 20 years of Windows management. How do we get there?

I’ve been swept up in all the good vibes coming out of VMworld 2016 and the talk of Windows Unified Endpoint Management. Apart from reusing an acronym that’s already in use today (UEM), the entire concept of managing Windows 10 via MDM has gone from pie-in-the-sky concept to viable new management strategy in the course of a year. You’d think that I, the salty old IT veteran who writes about how Windows isn’t dying, would somehow be opposed to the entire idea, but I’m not. I’m sold. I want this. I want everyone else to want this, too, because then we’ll see some good competition.

When VMware first started talking about it last year, many questions came to mind. What are the gaps between this and traditional desktop management? How will they handle identity and authentication? Will it tie into AD? We know we can use AirWatch to deploy mobile applications and policies, but how will that work on Windows? How will we ensure Windows is updated and fix any problems? Plus, Project A2 is just that, a project, so are we just relying on Windows Store apps or something else?

VMware addressed all of those things during the show. Project A2 was simply integrated into the platform. VMware Identity Manager will handle users’ identities and access, along with SSO and federation across multiple providers. And perhaps most importantly, VMware has partnered with Tanium to incorporate TrustPoint into the platform, which can be used to seek out and remedy security threats. There appears to be more to TrustPoint, too, that we’ll get into another time.

Sounds good, right? It’s early, but it looks like things are shaping up. So what’s missing from this new management approach? In a word: Migration.

The main problem I foresee (though I’m sure there are many others) is that this is so different from the way we currently manage our Windows desktops that there isn’t a migration path. If you were starting with a green field today, you might go this route, but if you are starting from scratch, are you really building a Windows-centric IT environment? Probably not. So in order for this to catch on, VMware, Microsoft, Citrix, and anyone else attempting to do this are going to have to build a few bridges to help people cross to the other side.

Think of all the stuff that has to change to get from where we are today to this new strategy. Our desktops are currently managed, secured, and patched by AD-based services. Access to printers and file shares is handled by the domain, as are applications, VPNs, and more. And we can do all this because our users log in with an AD account to PCs that are joined to AD. AD is at the center of everything we do, but on top of that we’re still heavily dependent on Windows 7, which has no MDM management capabilities.

That means that for us to be able to use Windows Unified Endpoint Management (speaking broadly, not just about VMware), we’re going to have to:

  • Migrate all our desktops to Windows 10
  • Migrate all our file shares to a modern platform not tied to AD
  • Find a new way to manage printing
  • Change the way we manage applications
  • Change the way we patch applications and Windows
  • Change the way we access applications
  • Change the way we access VPNs

VMware has addressed some of these with Identity Manager, TrustPoint, and App Volumes, but my mind keeps drifting to those companies that find themselves wincing in pain at the top three items on the list (which, I believe, is most companies). For them, this isn’t a switch from LANDESK to SCCM. This is an epic project with effects and changes that ripple across all of IT. It doesn’t matter how much we like the new plan. In order to embrace it, we need help getting there.

We have new questions to be answered, too. For example: can we manage domain-joined PCs with AirWatch and, if we can, can that aid in the migration? What if we can’t? How do you migrate 20 years of processes, systems, and services, all with bespoke tweaks that only apply to individual companies, to unified management? I’m not saying it’s not possible. Remember, I want this to happen, and I suspect we’ll see answers to these questions and more in the coming year.

The concept is out there, and from most angles it looks pretty great. Now we need help getting there, and though VMware is currently in the driver’s seat, that doesn’t mean that they have everything solved. There is room for others to get on board, too. As this continues to take shape, we’ll dig deeper and learn what TrustPoint enables us to do, and we’ll explore what the feature gap between traditional management and unified management looks like.

1 comment

What is VMware doing about managing Win 10 Mobile?