I wrote just after VMworld that while I love the concept of Windows management via EMM tools, we can’t just switch overnight. There are so many domain-based resources and incompatible applications that the move will require a lot of operational re-factoring before we ever actually touch the endpoints. And that’s just the infrastructure! Jack wrote about UEM earlier in the year, saying that when it comes to the viability of UEM management of Windows, “the devil is in the details.” He went on to note that while EMM was geared towards newer types of desktop apps that come from app stores, it’s generally not great at traditional applications.
For the vast majority of companies, keeping traditional management around is done specifically because of these domain-based resources and traditional applications. You can also throw in security for good measure. For those companies, the concept of UEM is little more than a pipe dream, which is why we’re starting to see products that are chipping away at that huge mountain that stands between 20 years of Windows management and a future where we manage everything the same way.
VMware debuted their first attempt at VMworld, and now MobileIron is getting into the mix as well with MobileIron Bridge.
MobileIron Bridge, to put it succinctly, is a framework built upon MobileIron’s existing platform that gives you the ability to perform traditional Windows management tasks such as script execution, policy enforcement, and application installation that go beyond what you can do with the MDM APIs that are built in to Windows 10.
Using MobileIron Bridge means you first need to enroll the desktop in MobileIron MDM. This gets you the baseline MDM capabilities that the Windows 10 MDM API allows. This includes the ability to deploy .appx apps and MDM-based configurations and policies. With Windows 10, it also means that you can deploy MSI-based applications, but not legacy apps. That’s where Bridge comes in.
Bridge is installed as an MSI file, “bridging” the gap between the modern side of the OS and the traditional side. It runs as an agent on the traditional side, communicating with MobileIron and its configuration/policy engine. By creating the bridge to the other side of Windows, you can now manage and deploy any script that you would normally run on a traditionally-managed desktop via MobileIron MDM.
This opens up the capabilities beyond what you can normally do with MDM on Windows 10. You can tweak the filesystem and registry, fully corporatizing the look and feel as if you were using GPOs. You can run de-crappification scripts (my word, not theirs) to remove all the junk from the device. You can also install legacy Win32, non-MSI applications that are otherwise off-limits. End users choose and install these applications from the MobileIron enterprise app store as they would any other application.
What’s cool about this is that the desktop where these traditional apps live doesn’t need to be on the same network or domain to run them anymore. As part of setting up the application in MobileIron, you can specify per-app VPN settings like you would with any other application. You’re not exactly adding functionality to the application this way, but you are removing a roadblock that would have otherwise existed.
That said, this doesn’t do anything to help assign domain-based resources to end users. If you have those (think file shares & printers), you’ll need to come up with something to deal with that first. This is one of the major things that needs to be addressed before UEM takes off. (To be clear, I’m not saying it’s entirely the responsibility of the UEM vendors to facilitate this, but as an industry, domain-based resources present a challenge that needs to be overcome.)
It’s important to understand that this is a first step for MobileIron, as are the offerings from any other EMM company that’s getting into the UEM market (AirWatch, for example, which has been making their own waves recently). Their ultimate target is to create a platform that can fully bridge the gap and give companies a migration path from the traditional ways of managing desktops to the new ways, but that kind of thing can’t happen overnight. What we have here is a framework that MobileIron can build upon to get closer and closer to that target as time goes by.
Currently, MobileIron Bridge isn’t trying to convert your entire desktop management platform to UEM. Instead, they’re focusing on certain device types, like Microsoft Surface tablets (these have been coming up a lot lately), or scenarios that require faster onboarding and offboarding procedures. Typically, this is the “contractors, temps, and seasonal workers” use case that we lean on so much for other new technologies like DaaS. (Boy, we sure do like to stick all the new, unproven stuff on those groups!)
As companies begin to use UEM, those features that need to be added in order to facilitate a migration will be prioritized and put on the roadmap. In a few years, we may look back on these early days and laugh at how primitive UEM was. The more we try this stuff out now and provide feedback, the faster we can get there.