Welcome to Modern Device Management 2.0

Introduction

Greetings my mobile minions!

Recently, the fine people of Dell EMC approached me about speaking at DTW. It’s truly a humbling experience that my speaking engagements at VMWorld and AirWatch Connect have earned me enough respect that people ask me for my insight. I’ve been doing extensive work on Dell’s new provisioning technology which was the catalyst for Dell’s interest.

I started thinking about the marketing aspects of Dell provisioning, which led me to an interesting revelation: we have a TON of buzzwords in mobility now:

  1. Digital Transformation
  2. Digital Workspace
  3. COPE, COBO, BYOD, CYOD
  4. Modern Device Management
  5. Unified Endpoint Management

There’s a TON more, but it’s 11:30 PM and I don’t want to list them all! Anyways, I started to think about the Dell Provisioning Program introduced at VMWorld last year. Where does this fit into the limitless list of buzzwords that exist in the industry that I love? I’ve determined there isn’t a marketable word for this. I’ve decided to call it Modern Device Provisioning, which we will talk more about later. I also have a great blog post coming about Dell’s new program and how I have nearly perfected it.

I’m here to introduce my true revelation that I hope to discuss with many people at Dell’s conference next month: Modern Device Management 2.0. First, let’s discuss its father Modern Device Management.

What is Modern Device Management?

Microsoft unveiled the idea of modern management in Windows 10 as you can read here

A basic diagram can be seen below. Essentially, the basic idea is that Windows 10 PCs can be managed in the same fashion that we manage iOS and Android devices today. The concept of modern device management focuses heavily on moving away from group policy, domain joining, and some of the rigidness of SCCM. Let’s be honest, it’s there! I love SCCM as much as anyone else, but it’s a bit rough at times.


Modern Device Management brought about another word called Unified Endpoint Management which is essentially a single pane of glass for all devices. It was a huge revelation that has brilliantly made the jobs of engineers easier. So, let me introduce you to Modern Device Management 2.0.

The Tenets of Modern Device Management 2.0

The mission statement of Modern Device Management 2.0 summarizes its true intentions.


Modern Device Management 2.0 builds on the core beliefs of 1.0 by introducing Modern Device Provisioning and the Deprecation of Manual Configurations, implementing the core principles of identity and access governance, and leveraging artificial intelligence to deliver data-driven decision making and reduce the attack surface.



We are going to start our journey together because no journey is worth traveling without others to share it with.


Modern Device Provisioning

Modern Device Provisioning is the concept of taking the old imaging process, the setup wizards, and the deployment process in general and turning it on its head. It’s 2019 and it’s time that we started to be more progressive and work smarter. We can achieve this through a few different programs:

We aren’t going to go through these programs in depth because that is not what we are focusing on. Modern Device Provisioning isn’t just about getting a DEP token and being done. Modern Device Provisioning is so much more. The characteristics of Modern Device Provisioning are:

  • Enterprise-grade enrollment program (like the ones mentioned above)
  • Achieving a true zero touch experience
  • Transformation of your on-boarding checklists to automation, scripting, and workflows for a seamless experience.
  • Eliminating the manual processes around provisioning

Often, people tend to accept a “mostly” zero touch experience or one where “it’s better than it used to be.” Modern Device Provisioning is about raising the bar, taking even the most mundane tasks like initial patching, removing bloatware, creating accounts, etc., and eliminating the human component.

Typically, most companies only achieve 75% of their on-boarding process because of a lack of technical knowledge or out-of-date processes. Part of the spirit of Modern Device Management 2.0 is taking what you think you know about managing your fleet of devices and transforming it at scale seamlessly.

What’s worse than Manual Configurations?

Could there possibly be anything worse than manually configuring something? Let’s paint the picture.

  1. User calls the help desk saying I’m missing one of the department printers on my Mac
  2. Help desk person VNC’s to the user’s Mac
  3. The Printer is added manually
  4. User cheers!

So, what’s wrong with this picture? SO MANY THINGS! Firstly, as we will discuss later, the principles of granting access based on who the user is would already have given them this printer. You could also be automating this process with shell scripts on that Mac that the help desk person could push down from your UEM (Unified Endpoint Management) software. We have so many options when it comes to automation.

Automation is about defining a strong strategy and having a solid understanding of how your users work. Do you understand what people need to do their jobs? You should ask yourself a few questions:

  1. Who needs tablets?
  2. Who needs what printers?
  3. Are we delivering seamless experiences?
  4. Do I know what apps my users need?
  5. What’s most painful to them?
  6. Does my help desk understand how to use the tools we have in place?
  7. Do I understand the day-to-day for each type of person and each department?

There are many more questions that you can ask yourself, but I think this is a nice foundation. It comes down to conceptualizing and mapping out how everyone operates to see how you can deliver operational efficiencies and empower your people. My vision and strategy of end-user computing is as follows:


We owe our users a seamless and secure experience that is cross-platform and lightweight. Collaboration only exists when we are all working together toward a common goal and technology enhances our lives instead of creating roadblocks.


My belief is that with the right resources, effort, and dedication you can eliminate the painful path that your users travel down every single day. Manual effort is no longer acceptable and should not be tolerated. We must strive to be better and we cannot accept anything less than operational excellence.

Implementing the Core Principles of Identity and Access Governance

Wow, that is a mouthful, right? I’ll keep it really simple. We should only deliver access and applications based on a few specific guidelines:

  • The user’s department
  • The user’s title
  • A combination of the user’s department and title
  • The user’s role within the organization

For years, we have been focused on adding someone to an AD group and giving them access to all this stuff. We have learned in recent years that it’s an old way of thinking. People often get access to things they just don’t need. We also tend to see people delivering applications to users who don’t have access to them. These are things that make us look bad as technologists and just frustrate users overall.

I’m sure some people are like… we don’t have money to buy RSA’s IAG product, or we don’t have the skills needed to achieve this. The truth is you just need to understand how to be creative. We all need to work within the confines of our technology. One of the benefits that I have using VMWare WorkspaceONE UEM is that I can build flexible LDAP groups to achieve this. I might create a group with an LDAP query like the one below, which gives me everyone who is a director in the marketing department (both the department and the title tests must match, so they are joined with &):

(&(objectCategory=person)(sAMAccountName={EnrollmentUser})(Department=Marketing*)(Title=*Director*))
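To check what a custom LDAP query like the one above actually admits before it drives access, here is an added Python evaluator for AD-style filters (example code, not from this post and not Workspace ONE’s own logic). It parses &, | and equality-with-wildcard components, fills in the {EnrollmentUser} lookup value the way UEM does for the enrolling user, and runs the marketing-director query with the department and title tests joined by & beside the same query joined by |; the directory entries are constructed.

```python
# Added example: minimal evaluator for AD-style LDAP filters (&, |, attr=value
# with '*' wildcards). Attribute names and values compare case-insensitively.
import re

def parse(s, i=0):
    """Parse the filter component at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                       # (&(...)(...)) or (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # i + 1 skips the closing ')'
    end = s.index(")", i)                  # (attr=value); value may contain '*'
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-case attribute keys)."""
    op = node[0]
    if op in "&|":
        combine = all if op == "&" else any
        return combine(matches(k, entry) for k in node[1])
    actual = entry.get(node[1])
    pattern = ".*".join(re.escape(p) for p in node[2].split("*"))   # LDAP '*' wildcard
    return actual is not None and re.fullmatch(pattern, actual, re.IGNORECASE) is not None

def grants(template, entry):
    """WS1 UEM fills {EnrollmentUser} with the enrolling user's account name."""
    tree, _ = parse(template.replace("{EnrollmentUser}", entry["samaccountname"]))
    return matches(tree, entry)

# Constructed sample entries (not real accounts).
DIRECTORY = [
    {"objectcategory": "person", "samaccountname": "alice", "department": "Marketing", "title": "Director of Marketing"},
    {"objectcategory": "person", "samaccountname": "bob", "department": "Marketing", "title": "Marketing Coordinator"},
    {"objectcategory": "person", "samaccountname": "carol", "department": "Finance", "title": "Finance Director"},
    {"objectcategory": "person", "samaccountname": "dave", "department": "Engineering", "title": "Engineer"},
]
AND_QUERY = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser})(Department=Marketing*)(Title=*Director*))"
OR_QUERY = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser})(|(Department=Marketing*)(Title=*Director*)))"

def granted(template, entries=DIRECTORY):
    """Account names the query would grant the resource to."""
    return sorted(e["samaccountname"] for e in entries if grants(template, e))
```

With | the query also admits every marketing employee and every director in any department, which is exactly the over-provisioning this section warns about.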

We don’t all have the ability to leverage LDAP, but this is just one example. We could also use Active Directory to build role-based AD Groups:

# Populate a role-based group from the department attribute (requires the ActiveDirectory module)
Get-ADUser -SearchBase 'OU=Users,OU=CORP,DC=domain,DC=local' -Filter {department -like 'Marketing*'} |
    ForEach-Object { Add-ADGroupMember -Identity 'Marketing Users' -Members $_.SamAccountName }

Most solutions are possible with the proper design. Sometimes we just don’t realize what the limits are and how we can push them toward delivering dynamic experiences. Windows 10 opened the door to the new evolution of management, user experience, and creativity in the unified endpoint world. It’s up to us to take advantage of all that it has to offer. I would implore you to come and talk to me if you need help designing something that can be powerful and scalable.

Leveraging Artificial Intelligence (AI)

I think we can agree that leveraging AI in your design is likely the hardest to achieve. The biggest problem that you encounter is that it is very daunting to deliver ROI when it comes to convincing hearts and minds on AI. We’ve seen this a bunch in recent years with numerous companies abandoning Watson because of the challenge of justifying the cost of our friend Watson.


Most platforms now capitalize on the benefits of AI in various ways. It could be as simple as owning Cylance, which is a great endpoint platform that uses AI to reduce the attack surface. Windows Defender ATP is another great example of an endpoint protection product leveraging artificial intelligence to protect your endpoints. As brilliant as these products are, they are not the spirit of Modern Device Management 2.0.

VMWare has recently introduced WorkspaceONE Intelligence. This is the true spirit of Modern Device Management. One of the amazing components of WS1 Intelligence is described below, as written by a colleague, Sachin Sharma at VMWare.


WS1 Intelligence uses AI to automate remediation of zero day attacks and other vulnerabilities quickly and seamlessly. They integrate with the CVE registry to address vulnerabilities, which is an outstanding advancement. This is just one example of how Artificial Intelligence raises you from old, boring Modern Device Management to Modern Device Management 2.0! WorkspaceONE Intelligence, despite the hefty price tag, has so many layers and offers so much to tell our story.

In Closing..

Some might wonder why I didn’t bring SSO/Identity and Access Management into this concept. I was very much on the fence about that. My feeling is that they are parallel tracks but just detract from the real story we are trying to tell. Identity is substantial enough to stand out on its own. Modern Device Management focuses on the devices and how we manage/deliver them. Identity is essential to the story without question but just doesn’t belong at this point.

We must realize and remember that End User Computing is all about the story we tell and by achieving the sheer elegance of Modern Device Management 2.0 we can ascend to higher levels of excellence. I challenge you to be more progressive. You need to realize that SCCM, imaging, multiple management portals, and even some GPOs are now legacy technologies.

We can hold ourselves to a higher standard and prove to our organizations that we are progressive, daunting, and innovative. Over the course of my career, I have inherited some archaic infrastructure and I have never just accepted the status quo. Everything is a challenge ahead of us and by working together we can build something beautiful.
