The latest version of Windows Phone was released yesterday at an event here in San Francisco. While everybody was admiring the new phones (with their indeterminate release dates), I was talking to the folks at AirWatch, learning how mobile device management (MDM) works for Windows Phone 8.
For those of you familiar with MDM in iOS, you’ll find that MDM in Windows Phone 8 is very similar. There are essentially three forms it can take: the device management features that accompany the Exchange ActiveSync mail protocol; device management applications; and—here’s the big news for today—a set of dedicated MDM APIs that were just released as part of Windows Phone 8.
The old stuff: Exchange ActiveSync and agent apps
Older versions of Windows Phone were managed with just Exchange ActiveSync (EAS) or an agent app. EAS device management is pretty light, but it covers the basics. Controls include password policy, encryption, remote-wipe, and the ability to block a device’s camera or built-in browser. There are a lot of other management functions in EAS that used to work with Windows Mobile (the name for earlier versions of Windows Phone), but they were never utilized in any newer devices.
MDM agent apps were another option previously available for managing Windows Phone. Even though they’re not that powerful on their own, they do add more sources of information and actions for MDM solutions.
New MDM features in Windows Phone 8
Now Windows Phone 8 has introduced a dedicated, built-in device management agent, similar in concept to Apple’s iOS MDM configuration profiles. The agent allows MDM servers to interface directly with management APIs in WP 8, without the need for EAS or an app on the phone. Some of the APIs and management features are the same as those used by EAS, while others are new, including the ability to query the device for installed applications or more detailed information about hardware.
Control over third-party Windows Phone 8 apps is also pretty similar to iOS and Android. The main method of recourse for controlling public apps is suggesting apps to users; blacklisting and whitelisting apps has to be done through compliance policies. For example, if you don’t want your employees to have Angry Birds (if it’s even available for WP 8), you can’t outright stop them from downloading it, but you can query the device for a list of all the apps that are installed, discover its presence, and then remediate by threatening to remove network or email access or even wipe the device. On the other side of things, an end user will always be able to remove corporate management controls from a device, though of course the user would likely also lose the right to access corporate resources. Remember, though, we’re used to similar limitations with iOS and Android.
There will be a little more control over in-house corporate apps. Since Windows Phone 8 apps in general will be tightly controlled (again, like iOS apps), in-house apps will have to be signed with a corporate developer certificate issued by Microsoft. In addition, individual devices will require a company-issued token to run corporate apps; taking away that token would act as a kill-pill for those apps.
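The detect-and-remediate model from the two paragraphs above, sketched as an added example that is not code from the article, AirWatch or Microsoft. It calls no real MDM API: the app IDs, device names, action names and day thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

# Escalation ladder (assumed thresholds): days non-compliant -> remediation.
# Actions mirror the levers in the article; none of them uninstalls the app.
LADDER = [(0, "notify_user"), (3, "block_email"), (7, "block_network"),
          (10, "revoke_app_token"), (14, "wipe_device")]

@dataclass
class Device:
    device_id: str
    managed: bool                # False once the user removes management
    installed_apps: frozenset    # result of the MDM inventory query
    days_noncompliant: int = 0

def violations(device, blacklist=frozenset(), whitelist=None):
    """Return installed apps that break policy (allow-list wins if set)."""
    if whitelist is not None:
        return sorted(device.installed_apps - whitelist)
    return sorted(device.installed_apps & blacklist)

def evaluate(device, blacklist=frozenset(), whitelist=None):
    """Decide the remediation for one device from its last inventory."""
    if not device.managed:
        # No inventory can be refreshed; cut access on the server side.
        return {"device": device.device_id, "violations": [],
                "action": "revoke_corporate_access"}
    bad = violations(device, blacklist, whitelist)
    if not bad:
        return {"device": device.device_id, "violations": [], "action": None}
    # Pick the strongest step whose threshold has been reached.
    action = [a for days, a in LADDER if device.days_noncompliant >= days][-1]
    return {"device": device.device_id, "violations": bad, "action": action}

# Constructed sample inventory (hypothetical app IDs and device names).
GAME = "com.example.angrybirds"
FLEET = [
    Device("wp8-001", True, frozenset({"com.example.mail", GAME}), 4),
    Device("wp8-002", True, frozenset({"com.example.mail"})),
    Device("wp8-003", False, frozenset()),
    Device("wp8-004", True, frozenset({GAME}), 15),
]

if __name__ == "__main__":
    for d in FLEET:
        print(evaluate(d, blacklist=frozenset({GAME})))
```

Passing `whitelist=` switches the same check to allow-list mode, where anything not explicitly approved counts as a violation.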
Since the Windows Phone 8 SDK was just released today, and we don’t know yet if Microsoft will release a management utility (something like the iPhone Configuration Utility would be great), it’s hard to say anything more specific about what other management APIs exist, or which ones will or will not be exposed to third-party apps or MDM products.
All of the new device APIs should be controllable through Windows Intune and SCCM, but of course they’re open to third-party MDM providers like AirWatch, who announced support yesterday. All of the general information in this article came from my briefing with them—AirWatch is always among the first to support MDM for any version of any platform. The list on their website is impressive: it includes all the big platforms, all the old ones, plus every custom version of Android that I know of. Their Windows Phone 8 offering works with both EAS and the new APIs; they have an optional agent app that allows users to access corporate apps and do some of their own device management; and a Windows Phone 8 version of their Content Locker feature is on its way.
Symantec also announced support for Windows Phone 8 MDM yesterday, and I’m sure there were other vendors that I missed or that will be coming soon.
What does this mean for Windows Phone 8? For now I’ll say great, they have put up table stakes, and now we can move on to debating how to manage BYOD, MDM versus MAM, app wrapping versus SDK, HTML5 versus native Windows Phone 8 apps... yikes! Seriously, though, Windows Phone 8 brings mobility management vendors all the same opportunities as iOS and Android, except with a smaller market share.