Windows 8.1 will add MDM-based management, confirming AD is not for device management anymore?

Microsoft post about how Windows 8.1 will support something called "Open MDM."

A year ago I wrote an article called The REAL reason Microsoft Windows RT devices won't be able to join AD domains. (Hint: AD is not about systems management anymore!) My belief at the time (and now) is that the whole Windows domain structure as a concept for desktop management is anachronistic in today's world, and that ultimately AD will only be used for authentication, authorization, and identity management, not for systems and device management.

I haven't thought too much about this since then until a few weeks ago when Microsoft wrote a blog post called "What's New in Windows 8.1." That post was covered widely on the various enterprise blogs, but if you haven't seen it, definitely check it out, as it talks about a lot more than the new ability to boot directly to a desktop with a Start button.

Anyway, that Microsoft post talked about how Windows 8.1 will support something called "Open MDM."

While many organizations have investments with System Center and will continue to leverage these investments we also know that many organizations want to manage certain classes of devices, like tablets and BYOD devices, as mobile devices. With Windows 8.1, you can use an OMA-DM API agent to allow management of Windows 8.1 devices with mobile device management products, like Mobile Iron or Air Watch.

Translating that statement, the first part about the "investments with System Center" is just marketing speak for "many organizations manage their PCs by joining them to domains and using traditional desktop management tools," and Microsoft is saying that will still be an option for the time being.

But they're also saying that Windows 8.1 will have an API that supports the Open Mobile Alliance's Device Management specification, allowing EMM vendors to design their systems so they can manage Windows 8.1 computers without having to put their own client on it. (I wonder if Citrix would expand their Worx stuff to manage Windows directly? If others like AirWatch and MobileIron and VMware do this, then how can Citrix not do it? Would that piss off Microsoft though? More on that tomorrow.)

What's the use case?

So let's imagine we have MDM for Windows. Okay, so what? What's the use case for that?

Obviously, in a literal sense, it means that we could push out device configurations, enforce security, have remote wipe / remote kill capabilities, turn Windows features on or off, and pre-configure Wi-Fi, email, and applications—really everything you can do with Group Policy, except you're not using Group Policy or an Active Directory domain.

A lot of people think about MDM in the context of BYO, like, "Hey, this is great because then I can use MDM to configure users' personal devices." That doesn't really work in the mobile world though because users don't typically want their personal devices to be restricted by a company's MDM policy. (This is why companies look to MAM for BYO scenarios, only using MDM in a benevolent way to push out configuration URLs and such.) So the same would be true in the Windows world. I can't imagine any user wanting to allow the company to lock down their own personal laptop, nor can I imagine a company wanting to take administrative "ownership" of a user's personal laptop. Those are two problems with Group Policy and AD—management requires domain membership which implies full control (read: "liability") by the company.

So maybe this MDM approach could be like "desktop management lite." The company can get a bit of control over some aspects of the desktop while not having to "own" it outright? Of course I could be totally wrong on this, because MDM on mobile devices is the closest thing that world has to domain joins, and a device that's enrolled in a company's MDM environment can be "owned" by that company. (Just like a Windows computer in a domain.) So maybe my thinking about "Why MDM for Windows" is way off. (Also, another new feature of Windows 8.1 is "Workplace Join," which is a middle ground between being in a domain and not.) So it's not like you need this Open MDM thing to get management without fully being in a domain. But if that's the case, then what *is* the advantage of MDM for Windows? Could it be as simple as folks wanting a single management tool to manage all devices, including phones, tablets, and Windows computers? Could it simply be having a management agent built in? Could it be as simple as a way to manage devices from Active Directory in Azure?

So Open MDM built in to Windows 8.1 is cool, and it confirms that you won't have to have AD for device management in the future. Beyond that, any thoughts? What's the real rationale behind this? (And by the way, who's going to write an OMA-DM compliant interface for Mac OS X? That'd be rad.)


I think that MDM for Windows is effectively an admission by Microsoft that IT is no longer Windows centric, particularly for end-point devices. As a result, the management of Windows devices cannot be distinct and different from the management of iPads, Androids, etc. Yet another indication of the end of the Microsoft monopoly.

Also, as you wrote, in the context of BYOD, an MDM-type solution may be more palatable than domain join. But how much more palatable remains to be seen.

My experience, though, is that there is no such thing as partial ownership - once IT assumes any amount of control over end-user devices, these users will generally expect IT to manage the devices for them. Sure, users will want to be able to install apps they want on their own, personal devices, but will also want IT to troubleshoot the devices when something goes wrong. After all, "it worked great before you (IT) touched it."


I believe more than anything Microsoft wants to manage devices and apps via Intune. That is purely an SMB play, but recently they are making that available to SCCM customers as well. The API, to me, is all about bringing the ecosystem under control until MS decides they want to extend SCCM to do this also, or uplevel Intune with enterprise features to push management from Azure.