Transforming On-premise to Modern Cloud first Infrastructure

Over the past decade, digitization has changed how organizations work, and more and more corporates are adopting cloud platforms for their business solutions. COVID-19 accelerated the adoption of digital technologies by several years. A significant increase in remote working, together with customer preferences for remote interactions, has made remote teams a new reality, and on-premises is the new legacy. As a result, the devices employees use tend to be either internet-focused or interconnected.

In the current situation, businesses of all types face security and mobility challenges. Employees don’t want their work to be limited to their desks; they want to be productive across a variety of devices with constant access to their applications. Microsoft Digital has expanded its cloud service portfolio with Microsoft Intune (Microsoft Endpoint Manager), Windows 10, Azure Active Directory, and a wide range of associated features that let businesses take advantage of mobile device management, mobile application management, and PC management capabilities. With these Microsoft solutions, organizations can give employees access to data, resources, and corporate applications from anywhere in the world on almost any device, while ensuring that the data remains safe and secure.

Why is there a need for Modern Management?

‘Modern management’ is the term Microsoft has chosen to describe its suggested approach to managing Windows 10 devices and users. The aim is to make it easier to manage Windows 10 devices, throughout their lifecycle and with a smaller infrastructure footprint. So, less time spent on management and less time spent managing management tools. There are more than 264,000 Windows 10 active devices used daily by Microsoft employees around the world.

For the past 30 years, the corporate network has been the fundamental foundation of Microsoft operations. Their technical past was built on Active Directory Domain Services (AD DS) and the accompanying identity and access management principles, which work well within a tightly controlled and regulated on-premises network. However, over the past 10 years the world has changed due to digitization, and the devices Microsoft uses have changed significantly with it. Corporates now use cloud platforms for their business solutions, so the devices they use tend to be either internet-focused or interconnected.

What are the benefits of modern management?

The significant advantage of adopting a modern management approach is that there is no requirement for on-premises infrastructure, since all management is performed through cloud services. Content and management are all delivered securely over the Internet. This enables organizations to drastically simplify their infrastructure and reduce the cost and effort involved in maintaining a traditional management solution. Modern management also replaces traditional OS deployment with a user-centric approach to device delivery, built on Windows Autopilot, Microsoft Azure Active Directory (Azure AD), and Microsoft Intune.

Windows Autopilot is a cloud service from Microsoft that enables zero-touch deployment of new Windows 10 devices. It can be used to set up and pre-configure new PCs, as well as to reset and recover devices. Instead of maintaining custom images and re-imaging new devices, Autopilot applies your settings and policies to the OEM-optimised version of Windows 10 that’s pre-installed. It can even change the edition of Windows 10 in use from Pro to Enterprise.

Azure AD is Microsoft’s cloud-based identity and access management service that helps users sign in and access applications. If you’re already using Office 365 or Microsoft Azure, you’re already using Azure AD. If you’re using on-premises Active Directory, implementing Azure AD Connect will enable synchronization with Azure AD.

Microsoft Intune is a cloud-based unified management solution for mobile devices and operating systems. Its aim is to protect corporate data on both corporate and BYOD equipment. With Intune, you can manage your employees’ devices and apps as well as their access to your company data. To use this Mobile Device Management (MDM) system, devices must first be enrolled in the Intune service. You can then set up policies to control access to your corporate data. Intune gives you the flexibility and control to secure your data, no matter which device it is on.

What are the IT Initiatives enabled by modern management?

As part of the migration towards modern management, we are moving to a wireless first, internet first environment by decommissioning private corporate networks.

What are the steps to be implemented in Modern Device Management?

In order to complete the move to fully modern management, Microsoft started with a proof of concept covering approximately 1% of devices; these early adopters were already inside the IT group, the very people engineering the changes in Intune. They call this the co-management model, and it enables side-by-side operation of both traditional and modern infrastructure. The advantages of the co-management model include:

1: Conditional access with device compliance.
2: Intune-based remote actions such as restart, remote control, and factory reset.
3: Centralized visibility of device health.
4: The ability to link users, devices, and apps with Azure AD.
5: Modern provisioning with Windows Autopilot.

Three-phase transition to modern device management:

1- Phase one: Establishing the foundation for modern management.
2- Phase two: Simplifying device onboarding and configuration.
3- Phase three: Moving from co-management to modern management.

Phase one – Establishing the foundation for modern management

This phase includes installing Microsoft Defender ATP (Advanced Threat Protection) for application control; this is how they control which applications can or can’t run on devices inside the Microsoft network.

The primary tasks carried out during the first phase were the following:

1: Configuring Azure Active Directory: Azure Active Directory provides the identity and access functionality that Intune and the other cloud-based components of their modern management model rely on, including Office 365, Dynamics 365, and many other Microsoft cloud offerings.

2: Deploying and configuring Microsoft Intune: Intune provides the mechanisms to manage configuration, ensure compliance, and support the user experience. Two Intune components were considered critical to modern management: policy-based configuration management and application control.

3: Establishing co-management between Intune and Configuration Manager: They configured Configuration Manager and Intune to support co-management, enabling both platforms to run in parallel, and configured support for Intune and Configuration Manager on every Windows 10 device. They also deployed the Cloud Management Gateway so that Configuration Manager clients can connect back to the on-premises Configuration Manager infrastructure without a VPN connection.

4: Translating Group Policy to mobile device management (MDM) policy: Policy-based configuration is the primary method for ensuring that devices have the appropriate settings to maintain enterprise security and enable productivity-enhancing features. They evaluated which settings their devices needed in an internet-first context and built their MDM policy configuration from there, using the existing Group Policy settings as a reference.

5: Configuring Windows Update for Business: Windows Update for Business was configured as the default for the operating system and application updates for the modern-managed devices.

6: Configuring Windows Defender and Microsoft Defender Advanced Threat Protection (ATP): They configured Windows Defender and Microsoft Defender ATP to protect devices, send compliance data to Intune for Conditional Access, and provide event data to the security teams.

7: Establishing dynamic device and user targeting for MDM policy: Dynamic device and user targeting was enabled to provide a more flexible and resilient environment for applying MDM policy. This allowed them to start with a smaller standard set of policy settings and then roll out more specific, customized settings to users and devices as required.
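As an added illustration of the dynamic targeting in step 7 (example code written for this article, not Microsoft Digital’s own scripts), the following Microsoft Graph PowerShell SDK snippet creates a baseline dynamic group for every Autopilot-registered device and a narrower group keyed on an Autopilot group tag, so a small standard policy set can be assigned to the first and role-specific settings layered on via the second. It assumes the Microsoft.Graph.Groups module is installed, the signed-in account can create groups, and the group tag `Finance-Laptop` is a constructed value.

```powershell
# Added example, not part of the original post. Assumes Microsoft.Graph.Groups
# is installed and the account has rights to create groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Baseline group: every device registered with Windows Autopilot. Autopilot
# stamps a "[ZTDId]:..." entry into the device object's physical IDs, so this
# rule catches new devices automatically as they are onboarded (step 7's
# "smaller standard set of policy settings" is assigned to this group).
$baselineRule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'
$baseline = New-MgGroup -DisplayName "MDM-Baseline-Autopilot" `
    -MailEnabled:$false -MailNickname "mdm-baseline-autopilot" `
    -SecurityEnabled:$true -GroupTypes "DynamicMembership" `
    -MembershipRule $baselineRule -MembershipRuleProcessingState "On"

# Narrower group: devices whose Autopilot group tag (stored as "[OrderID]:<tag>")
# marks them for a role. "Finance-Laptop" is a constructed tag for this example;
# role-specific settings are assigned here and stack on top of the baseline.
$roleRule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance-Laptop"))'
$finance = New-MgGroup -DisplayName "MDM-Role-Finance-Laptop" `
    -MailEnabled:$false -MailNickname "mdm-role-finance-laptop" `
    -SecurityEnabled:$true -GroupTypes "DynamicMembership" `
    -MembershipRule $roleRule -MembershipRuleProcessingState "On"

# Azure AD evaluates dynamic rules asynchronously; membership is empty until the
# first processing pass completes, so check it before assigning policy in Intune.
foreach ($g in @($baseline, $finance)) {
    $members = Get-MgGroupMember -GroupId $g.Id -All
    "{0}: {1} device(s) matched so far" -f $g.DisplayName, $members.Count
}
```

Policies and apps are then assigned to these two groups in the Intune portal, so a device moves from the baseline to the role-specific profile simply by carrying the right group tag at Autopilot registration time.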

Phase two – Simplifying device onboarding and configuration

This phase of configuration is comparatively simple because, as new devices are purchased and brought into the environment, they are deployed and managed using the modern management model. This is the approach for the entire device-rollout process; it lets devices be onboarded gradually in a relatively controlled manner and avoids the extra effort required to create in-place migration paths for existing devices.

Simplifying with Windows Autopilot

This is the mechanism they are using to roll out their modern management initiative. Autopilot provides an out-of-box experience (OOBE) customized for your corporate users. Autopilot provides several critical enablers for the deployment process, including:

1: Automatically join devices to Azure Active Directory.
2: Auto-enroll devices into Intune.
3: Restrict Administrator account creation.
4: Create and auto-assign devices to configuration groups based on a device’s profile.
5: Simplify the out-of-box experience (OOBE) and reduce user involvement in the deployment process.

Phase three – Moving from co-management to modern management

Microsoft Endpoint Manager gives Microsoft Digital a platform that enables simplified and efficient management and configuration of their devices in an environment that supports and drives digital transformation. Moving to modern management with Intune and Azure Active Directory is a process: start with a small pilot to learn about the issues you may face. Security group management using Azure Active Directory can be challenging too.

If you are interested in managing Windows 10 updates using Microsoft Intune, or in using Microsoft Intune to manage your business, don’t hesitate to contact us. We can assist you in assessing your current environment, determining a strategy for managing your devices, choosing the best devices for you, and more.
