What Windows 8.1 can do for BYOD
9th Aug 2013 | 07:00
The functions that support 'bring your own device'
One of the big questions around the prospects for Windows 8.1 in the workplace is how well it will fit into the management of employees' mobile devices. Many businesses are ready to go along with the trend towards 'bring your own device' (BYOD), and they will have to think seriously about how they can manage devices that run on the new operating system.
The core issues are how existing mobile device management (MDM) systems will be able to manage Windows 8.1, and what else can be done if you also have Windows Server 2012 RS, the accompanying server and cloud platform.
IT admins will probably be encouraged by the provision of a lot more management options within Windows 8.1 than Windows 8. Some need upcoming versions of Windows Server, but Microsoft is building key mobile device management standards into Windows 8.1 (including Windows RT 8.1 for mobile devices), so it should provide more control for any MDM system.
This includes those already widely used to manage smartphones and tablets, such as MobileIron, AirWatch or Microsoft's own Intune service, but there will be an advantage with Windows 8.1.
- Check out the security improvements for Windows 8.1.
Using such systems usually involves installing a management client on a device, and Windows RT devices will only work with Intune. But Microsoft is building an agent that supports the open OMA-DM standard and the Simple Certificate Enrolment Protocol (SCEP that Apple uses for iOS management). The agent will be within Windows 8.1 and Windows RT 8.1, which will make it possible to manage the systems through the same software, and in many cases with the same policies.
This will include using the agent to change some settings in Windows, and although Microsoft hasn't yet revealed which ones, it will be possible to distribute wireless and virtual private network settings, including the certificates needed for virtual private network connections. There will also be a function to run reports on which devices are connecting, and whether they have up-to-date anti-virus software and the latest Windows updates.
If a business has apps that it wants its employees to use, such as an expenses reporting tool, it will not have to go through the Windows Store but can sideload them into Windows 8.1 and Windows RT 8.1 devices and send out any updates.
If it runs Active Directory it can use it to manage 8.1 systems at two levels: it's possible to simply place a certificate on a device to control access to company resources; or allow users to register their device with Active Directory through the new Workplace Join feature in PC Settings. Workplace Join also works with iOS devices and will support Android in time.
The Web Application Proxy in Windows Server 2012 R2 can make file sharing on a server available over a secure HTTPS connection, so users can sync files through the Work Folders function to their devices and save them back to the server when they're on the road. Admins will be able to back them up with the normal processes.
The main limitation of Work Folders is that everything has to be synced, rather than choosing which files to copy to a device as is possible with SkyDrive syncs. On a tablet that could take up a lot of space.
But there is a big positive in that, when anyone leaves the company or loses their device, it's possible to wipe the synced files remotely – without having to wipe the whole system and their personal content – and to remove certificates, VPN profiles and apps.
Both Workplace Join and the Web Application Proxy require the use of Active Directory Federation Services, which is easier to work with in Windows Server 2012 R2. If a business makes use of two factor authentication, it can make employees use it every time they connect from outside the company network, or just the first time they register on Workplace Join to prove their device is trustworthy.
Unlike Active Directory, which makes it possible to apply group policy to control almost every setting on PCs owned by a company, Workplace Join doesn't provide for the control of any settings. For that, users have to allow the PC Settings function to turn on the built-in MDM agent.
This is the same on iOS and makes Windows 8.1 devices much more like other smartphones and tablets widely used in BYOD.
Overall, IT admins will get more tools to control employees' devices that use Microsoft's operating system, and this will help it fit more comfortably into a BYOD environment.