In-Depth

Endpoint Management Tools To Tame a Universal Client World

Now that using multiple devices, apps and OSes is ubiquitous in the workplace, new unified endpoint management tools are introducing a common approach to configuration, security and administration.

Capital One Financial Corp. wants to empower its workforce of nearly 50,000 employees to provide better customer service to its 65 million account holders by letting them use different devices. Embracing the trend toward creating a modern, virtual work environment means providing a common UX on multiple devices with a secure, unified endpoint management (UEM) approach that can dynamically enforce policies based on conditions such as location.

In many organizations such as Capital One, supporting multiple devices per user is no longer considered optional. "The expectations are changing in the workforce, driven largely by the experiences people have in their personal and consumer lives," said Jennifer Manry, VP of End-User Computing and Identity and Access Management at Capital One, speaking at the annual VMworld conference, held in late August. "They want to come into the enterprise and feel they can operate with their colleagues the same way they operate with their friends and family outside. We realized we needed to rip out and replace a lot of the technology that we have and provide much more modern capabilities to our associates, and part of that started with devices."

The bank, the eighth largest in the United States with $240 billion in holdings, earlier this year started rolling out VMware Workspace One, the company's new UEM platform, designed to provide secure access to applications and data with unified deployment, security and management, regardless of device or infrastructure. VMware showcased several customers that are using Workspace One not just to provide mobile device management but, in a new release rolling out this quarter, to configure and securely manage Windows 10 PCs, Macs, Chromebooks and applications, including Office 365.


Another customer showcased by VMware was the American Red Cross, which is bringing its Horizon VDI environment into Workspace One, according to Dave Bullamore, the non-profit humanitarian aid provider's VP of IT End-User Services, who described how enabling UEM has made it easier to let employees and volunteers access its resources on their own devices. "It has allowed us to not only allow volunteers to use more of their own technology, but employees, as well, in a simple and secure way," said Bullamore, also speaking at VMworld, coincidentally as Hurricane Harvey was descending on Texas.


Workspace One, launched last year, brings together VMware's AirWatch device and application management platform with the Horizon VDI and virtual application service environment. VMware claims that the new Windows 10 device enrollment and management capability using Microsoft's Intune APIs, along with the support for Macs, Chromebooks, Office 365 policies, analytic reporting and workflow capabilities coming to Workspace One, makes it the first UEM offering that can configure and manage all of the major mobile and computing devices.

Also new is the addition of VMware Identity Manager to the Workspace One AirWatch console, which the company said gives administrators a common place to manage devices, context and identity. The new console now allows administrators to require enrollment through Workspace One for specified groups, an organization or specific operating system platforms.

That common user and management experience gives Workspace One a much broader capability than existing mobile device management (MDM) offerings, including Microsoft's Enterprise Mobility + Security (EMS) suite, said Mitch Berry, VP of Unified Endpoint Management at Mobi, which provides managed mobility lifecycle management services and software. "I think their technology is a lot more advanced than a Microsoft, or a MobileIron or Citrix in that the experience they are able to provide across multiple device types really gives them the lead," said Berry, whose company has partnerships with all the major MDM providers, including Microsoft.

Gartner Inc. Analyst Andrew Garver agreed. "Few vendors provide the breadth of Workspace One's offering, and VMware did a good job of telling a comprehensive EUC [end-user computing] transformation story at VMworld," Garver said. Enterprises looking to shift to this more holistic approach to system and applications management, which he calls "unified workspaces," will find Workspace One appealing, according to Garver, because it provides "modern management across traditional and mobile endpoints, tight coupling with Horizon VDI and apps and a robust set of gateways for both cloud and on-premises."

Windows 10 Configuration and Management
In a demo at VMworld, the VMware officials showed the enrollment of a new Windows 10 PC. Once the user enters an e-mail address and password, Workspace One starts provisioning the PC based on the policies defined by IT for that employee. "In the background, drivers, DLLs, applications, everything that used to be in that golden image, now comes over the air to fully transform this device," said Jason Roszak, VMware's Windows 10 product manager, who gave the demo. Windows updates and patches can also be deployed based on how critical they are and when and where the user is connected.

VMware might be out in front in talking up advances to Workspace One, and while it's poised to become a leading UEM platform, the battle is just emerging. The most noted alternatives are Microsoft's EMS service, which consists of the Intune, Azure Active Directory and Azure Information Protection services to provide data loss protection, and Citrix Secure Digital Workspace, among others that offer different approaches but are all centered on common configuration, security and management of all devices.

Citrix Systems Inc. last month released its XenMobile 10.7 MDM platform, which brings new UEM capabilities. Citrix said XenMobile lets admins apply Microsoft's BitLocker security and encryption policies to Windows 10 devices directly from the XenMobile console.

The Citrix XenMobile update also offers Apple's latest iOS security policies and integration with the Google Play store, which lets admins apply Android for Work policies to managed Android apps from the XenMobile console. Citrix Essentials, which offers Windows 10 as a desktop or app service, uses the Citrix Cloud and runs in Microsoft Azure. Citrix and Microsoft have longstanding partnerships and last year created their latest pact toward providing native Intune support in the Citrix XenMobile device management platform and enabling XenEssentials in Azure.

"Sure, the APIs are available to everyone, they have to be that way, but the engagement between Citrix, Microsoft and the customer will deliver a differentiated value by taking advantage of Microsoft Graph, but then also extending that to all areas of the workspace are really important," said Calvin Hsu, speaking at an event in August with Brad Anderson, Microsoft's corporate VP, overseeing the company's Enterprise Client and Mobility Group.

"Everything we do in Enterprise Mobility + Security is exposed to the Microsoft Graph. Citrix is doing the work to deeply integrate with those Graph APIs," Anderson said. "What that means is, if you're a Citrix XenMobile customer today, you can actually set all of the EMS policies through the XenMobile console, which will then, for example, set the Intune MAM [mobile application management] policies on any of the applications. So you get this single point of administration, this single console, with the work that Citrix is doing to integrate with the Microsoft Graph."

In a sign of just how strategic UEM is becoming, the new Microsoft 365, launched in July, is a bundle that brings together Windows 10, Office 365 and EMS as a subscription. It remains to be seen whether IT decision makers heed Microsoft's advice that EMS offers the core UEM capabilities organizations need to manage all their Windows and mobile devices. But there's a strong case that many enterprises will see EMS as a baseline and, despite the competitive rhetoric, Microsoft is fostering a UEM ecosystem.

Enabling UEM with Microsoft Graph APIs
Microsoft has played a key role in advancing UEM with the release of the Microsoft Graph APIs, which include the Intune interfaces, as Redmond has reported over the past year. The APIs were still in preview in mid-September, but the expectation is that Microsoft will release them at any time, which is why some of the key platform players such as Citrix, MobileIron Inc., Jamf, BlackBerry Ltd. and IBM Corp., among numerous others, are also expected to support them shortly.

Sumit Dhawan, senior VP and general manager heading the VMware End-User Computing group, said that VMware has "leveraged those public APIs extensively." By "extensively," Dhawan explained that their use goes beyond just enrollment and providing policy management; it's about integrating identity management and applying context, while striking a balance between providing user control and privacy and ensuring that corporate data remains secure.

Dhawan said Workspace One has evolved to meet its mission of bringing mobile, desktop and application management together. The addition of the VMware Identity Manager into its AirWatch console provides a common interface for managing devices, context and identity, he said. It also has a simplified mobile single sign-on interface and, using the Microsoft Graph API, it can apply Office 365 enrollment and management, as well as support for other Software-as-a-Service (SaaS) apps. The new Workspace One release will manage and enforce security policies and provide Office 365 data loss prevention (DLP) upon release of the Office APIs by Microsoft.

It's to Microsoft's benefit to share the Intune APIs, said Ojas Rege, MobileIron's chief marketing officer. "This move toward opening up the APIs to a graph is really good for Office 365, because otherwise, the majority of customers would not be able to apply the new DLP controls to Office 365," Rege said. "Only Intune customers would've been able to do that. That ends up hurting and not helping Microsoft's position with Office 365, because the best thing for Office 365 is no matter which EMM [enterprise mobility management] solution you pick, you can secure Office 365 fully. Having a secure Office 365 service is a competitive advantage of Office 365 versus other productivity tools."

The shift to UEM provides a common approach "of unifying the experience across all applications and one place to unify your management across all devices," Dhawan said. "This, we believe, is a massive change and we think it is a great opportunity."

Workspace One to Gain Intelligence
VMware also plans to offer an add-on service to Workspace One that provides reporting and analytics designed to help administrators utilize the Windows Update Service. The new service, called Workspace One Intelligence, will include a rules engine that will allow automated actions to address real-time security and performance issues. It will offer reporting templates to give views on how vulnerable an organization is and provide automated remediation, said Andrew Levy, VMware's senior director of product management, who joined the company last year following its acquisition of mobile performance management provider Apteligent.

