Last year, the concept of Unified Endpoint Management—managing Windows with the same tools we use for mobile devices—was a hot topic at VMworld. In general, the world is receptive to the idea. After all, Windows has evolved to the point where it can be managed as a mobile device, and so it was only a matter of time until this kind of thing appeared. That said, nobody is rushing to use it, mainly because traditional management is so entrenched in IT that a number of problems need to be solved first.
We've written about those challenges before, focusing on how domain-based resources like file shares, printing, SCCM, and Group Policies are a major roadblock to UEM adoption. Due to modern file sharing platforms, it's easy enough to envision a future where we're not tied to the domain. The same can be said about printing and management. Group Policies, on the other hand, represent a significant challenge.
Most companies configure settings on the system via Group Policy, even going so far as to create their own policies in addition to the built-in ones that come with Windows. Microsoft's Group Policy engine is complex, and organizations have spent many hours building policies that follow a particular user or computer. Per Jeremy Moskowitz of GPAnswers.com and PolicyPak.com (more on that in a minute), there are over four thousand built-in Group Policy settings (not to mention custom ones or Group Policy Preferences), compared to around 1,500 MDM policies, of which only 600 or so overlap. That leaves thousands of settings in Group Policy that are unattainable via MDM alone!
If you had trouble seeing the problem before, it should be abundantly clear now. MDM doesn't hold a candle to Group Policy in terms of the amount of configuration you can do. I'm not going to argue that it should, either. After all, MDM is about managing modern devices and operating systems in the way that makes the most sense for them. But to talk about MDM replacing traditional Windows management means that something has to give. Either we need to entirely use modern applications (which is just around the corner, right? :), or we have to be able to do more with MDM, or we have to accept the fact that we can't manage Windows as much as we used to or need to.
Bridging the gap
Last October, we wrote about MobileIron Bridge, which gets credit both as the source of the awesome pun that I used for the title of this section and as the first company we spoke to that attempted to solve this problem.
MobileIron Bridge set out to create an engine that could deliver ADMX templates through the MDM wall and implement them on Windows devices that are not joined to the domain, but are enrolled in MDM. To accomplish this, they essentially found a way create ADMX-like policies (not actual ADMX policies, though) and deliver those to an agent that runs on the endpoint, at which time the settings are added to the local device policy.
MobileIron Bridge also allows you to install non-MSI applications on the endpoint by scripting the installations as part of an MSI package. You can even configure per-app VPNs and other settings so those apps have access to their backend data.
The MobileIron approach is interesting because it's coming from an MDM vendor that seems to understand what must be done to get to UEM from where we are today. There is, however, another option…
Jack and I had a chance to talk to Jeremy Moskowitz of PolicyPak to hear about how it can bridge the gap between traditional and modern endpoint management. You probably know Jeremy from GPanswers.com or from his training classes, and you know he knows his stuff when it comes to Group Policy. Even an old-school guy like that knows that MDM is coming and that we need something to maintain the manageability we enjoy today, and that's why he created PolicyPak.
At a high level, PolicyPak is software that allows you to use Group Policy to manage Windows applications that you wouldn't ordinarily be able to manage out of the box. Many applications like Firefox, Java, Flash, OpenOffice and others store their settings in unique ways; so Group Policy (as Microsoft provides it) just cannot cut it alone. After they created that, they decoupled the "Things that Group Policy Could Do" from the Group Policy engine itself. In this way now all real Group Policy settings (of any type) could be delivered via SCCM or some other method (like, to devices that aren't joined to a domain). They call this the "Not Group Policy Method."
With those two features under their belt, the leap to Unified Endpoint Management wasn't too far, and so they've released a version of PolicyPak specifically for deploying Group Policy settings via MDM. In fact, there are three editions of PolicyPak: On-premises, MDM, and Cloud. The functionality is essentially the same, and the edition that you choose is governed by how you want to deliver your settings.
The On-Premises edition allows you to deploy via SCCM or integrate directly into Group Policy. You simply install the admin console on any computer that also has the GPMC, as well as the client side extension on the endpoints. Most customers use this edition.
The MDM edition (which was announced today) is like the On-Premises edition, but it includes a tool that lets you package and deploy the policies you create in the GPMC to MDM platforms as an MSI file, which is then deployed to the endpoint devices. They've tested the MDM edition with AirWatch, Intune, and MobileIron, but any OMA DM-compliant MDM system should be compatible.
Last, the Cloud edition is for companies that don't have their own delivery mechanism. In addition to the client side extension that interprets the PolicyPak policies, there is also an agent that communicates with a cloud service that acts as the delivery mechanism for the policies. It is used instead of SCCM, Group Policy, and MDM (but only in this very specific instance–it's not an SCCM or MDM replacement).
It's important to note that PolicyPak does not replace MDM, Group Policy, or SCCM in any way. It simply works with those things to deliver advanced settings. In the case of MDM, it allows you to take Group Policies and deliver them via MDM in addition to all the other MDM-specific that your MDM platform can do.
Enough about that…what can PolicyPak actually do?
PolicyPak consists of several components that have built up over time. Originally, it was about managing other applications for which there weren't any GPOs. It's since evolved into a management platform that accomplishes a lot of the tasks that admins find valuable, even going so far as to overlap some of the other areas that we cover here like User Environment Management, Application Management, and Browser Management.
The main components of the PolicyPak suite are:
- Applications Manager – Allows you to configure settings for over 400 applications and browsers, from FireFox and Flash to WinZip and Java.
- Least Privilege Manager – Allows you to elevate privileges for certain apps and scripts, while blocking others that come from insecure or untrusted sources (a feature they call SecureRun).
- Browser Router – Maps websites to specific browsers in much the same way as Browsium Catalyst. Websites that are supposed to run in Chrome will open in Chrome, even if the address is entered into IE.
- Java Rules Manager – Maps different websites to specific Java versions
- File Associations Manager – Map file extensions to applications in Windows 10, the best example of which is making sure PDFs open in Adobe Reader instead of Edge.
- Admin Templates Manager – Reduces the number of GPOs by creating templates.
Each of these things on their own is valuable, but to have them all in one place, managed by GPO is really beneficial. Throw in the fact that this can all be delivered via MDM to devices that are not domain-joined, and you have a product that makes a major dent in the delta between traditional management and Unified Endpoint Management.
In fact, I would go so far as to say that this technology would be incredibly valuable to a company with an MDM platform that wanted to start doing UEM. MobileIron already has Bridge, and they've no doubt been working hard on it since we last spoke. It wouldn't surprise me, however, to find out that VMware or Citrix showed interest PolicyPak as a shortcut to something they're eventually going to have to build anyway.
Whatever happens, it's great to see products showing up that will help traditionally-managed Windows devices inch towards Unified Endpoint Management. Every time something like this comes out, UEM's momentum picks up. It will be interesting to see what VMware has planned in just over a month at VMworld, because you can be sure they haven't been idle, either. In the meantime, check out PolicyPak. Even if you're not ready for the new MDM product, I bet it will help with something in your environment.