Windows 10. Tech Note. Open the Window to Endless Possibilities. Windows for the Enterprise. Universal App Experience


Windows 10
ENTERPRISE MOBILITY MANAGEMENT
Tech Note

Open the Window to Endless Possibilities

Windows 10 shows a renewed focus on the Enterprise. It successfully harmonizes user experience and device management capabilities across all Windows endpoints: desktops, laptops, tablets and smartphones. Windows 10 makes many difficult business processes more convenient: operating system updates, enterprise app deployment, and mobile device management have all become easier. SOTI has been managing Windows mobile devices for almost 20 years, and as Windows evolves and grows we will continue to provide an industry leading mobility management solution to support it.

Windows for the Enterprise

There are many consumer-friendly features in Microsoft Windows 10: a new browser, a voice assistant (Cortana), and lots of user interface and user experience enhancements. In addition, for at least the first year, upgrading to Windows 10 will be free for all Windows 7 and 8 users. However, it is clear that Windows 10 demonstrates a renewed focus on the enterprise market. Microsoft wants to make it easier for IT to deploy, manage and secure the operating system and applications across all devices used in the enterprise: desktops, laptops, tablets, and smartphones. Some of the key enterprise features of Windows 10 include:

Universal App Experience

Windows 10 introduces the concept of Universal Apps: applications that use the same basic code, but deliver a user experience optimized for each device form factor. In addition, the Windows Store will present a uniform app purchasing and upgrading experience for all devices. From an enterprise perspective, the new Windows Store will enable distribution and updating of authorized (signed) applications to company devices.

Versatile Windows Updating

As we have come to expect with Windows, frequent security updates and patches will be applied automatically to all Windows users. This simplicity is Microsoft's preferred method for all updates, but enterprise customers are more conservative. They will have a couple of options to update their users.

Long Term Service Branch (LTSB) - Companies with sensitive, high risk business environments can choose to apply security patches and updates, but freeze the feature set on their Windows 10 devices.

Current Branch for Business (CBB) - Allows the enterprise to test new releases in-house once they have been extensively tested by the general public in the Windows Insider Program and then deploy the approved update when they are comfortable with it.

Whichever method the enterprise selects, in-place updating makes it easy to update the operating system without impacting any applications or settings.

Security Improvements

As part of their focus on the enterprise, Microsoft has enhanced device security and data privacy. A key addition is support for multi-factor authentication to allow a biometric device such as a fingerprint reader to be used in conjunction with a conventional password. Also new, Enterprise Data Protection (EDP) allows automatic identification and dedicated management of enterprise and personal data. In addition, Windows 10 supports the automatic encryption of corporate apps, data, email and website content on the device and/or removable media.

Mobile Device Management (MDM)

As mobile devices become more commonplace in business, MDM becomes more important. Microsoft has identified MDM as an essential requirement for the secure and efficient management of Windows 10 devices. It enables IT Managers to configure and manage many features of Windows 10 devices remotely. In Windows 10, Microsoft expands the level of MDM support by adding EDP policies, support for managing multiple users, provisioning VPN and WiFi, full device wipe capabilities, and full control over the Windows Store.

SOTI MobiControl and Microsoft Windows 10

With SOTI MobiControl, it is fast and easy to get new Windows 10 users up and running. The first step is a simple self-service enrollment process that uses enterprise Active Directory credentials for secure authentication. There are no special apps required, nor complex configuration, as everything is taken care of automatically by the MDM system. For organizations that host their applications and content in the cloud, Azure AD authenticates and provisions the mobile device no matter where it is located.

Windows 10 includes a built-in Device Management (DM) client that uses SyncML to interface with the MDM server via the standard OMA DM interface. Within the DM client, Windows 10 uses Configuration Service Providers (CSPs) as an interface to read, set, modify and delete registry settings or files on the device. Each CSP envelops a distinct grouping of functionality. For example, the EMAIL2 CSP provides the interface to configure standard internet email, including settings for SMTP, POP3 and IMAP4, whereas the ActiveSync CSP is used to configure the settings for Microsoft Exchange email.

SOTI MobiControl's agent in Windows 10

SOTI MobiControl's agent works alongside Windows 10's MDM APIs to provide added benefits. These include:

Remote Control - Troubleshoot devices remotely without user interaction. Record the session for diagnostics purposes.

Silent Legacy Application Deployment - Install classic Windows Applications like MSI packages silently. Remove applications automatically on un-enrollment.

Windows 10 CSPs supported by SOTI MobiControl include:

RemoteRing & RemoteLock

If you have lost your mobile device around the home or office, RemoteRing can be used to trigger an audible ringing sound on a device regardless of the device volume. If you still can't find your mobile device, it can be locked down and the PIN can be set/reset.

EMAIL2

The EMAIL2 CSP is used to configure the Windows 10 device for internet email. Used primarily for Windows 10 Mobile devices, this CSP makes it easy for enterprise IT to set up SMTP for sending mail and POP3/IMAP4 for receiving mail.

VPN and VPNv2

VPN and VPNv2 perform the same function, but VPN is for Windows Mobile devices only and is being de-emphasized. VPNv2 is the preferred CSP for configuring the VPN profile of the device and it is usable for desktop, laptop, tablet and mobile devices. In addition to basic configuration of VPNs, Windows 10 will also enable and configure application specific VPN to restrict application access to a specific IP address/port.

Policy CSP

The Policy CSP enables enterprise IT to configure many different policies on Windows 10 devices. Some policies are applicable for all devices, others only for mobile devices or just for desktops. Within the CSP there are many categories of policies.

Application Management - Policies that allow/disallow apps from being installed from the Windows Store or elsewhere and how installed apps are treated on the device, i.e. shared vs. restricted.

Browser - Enables/disables the browser, and configures features like cookies, autofill, and popups.

Certificate Management - Deploy SCEP, Root and Client certificates; target the certificates to the device or user; specify the exact certificate store.

Connectivity - Enables/disables different modes of connectivity, i.e. Bluetooth, NFC, Cellular roaming, VPN over Cellular.

Data Protection - Configures Enterprise Data Protection mode and defines where the device can connect to and what type of data it can exchange.

Defender - Enables/disables Windows Defender and configures intrusion protection and which data stores can be scanned (cloud, email and/or local archives) and when they will be automatically scanned (days and times).

Device Lock - Mandates and configures device password rules (complexity, length, and expiration), inactivity lockouts and allowable password attempts.

Experience - Enables/disables many different features on the device that impact the user experience, i.e. Cortana, Cut/Copy/Paste, screen capture and voice recording.

Settings - Enables/disables the user from being able to configure many different system settings (i.e. date/time, language, power and sleep).

Update - Enables/disables Windows Updates Services and configures how the device will handle updates. Do updates need to be signed? When should they be installed?
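The following Python example is an addition to this transcription, not SOTI or Microsoft code. It renders the kind of SyncML Replace commands an MDM server sends to the Policy CSP for the Device Lock category described above, then audits such a payload against a password baseline before it is pushed to devices. The baseline thresholds, function names and both sample payloads are assumptions made for the example; only the device-scope Policy CSP root ./Vendor/MSFT/Policy/Config/ is handled.

```python
import xml.etree.ElementTree as ET

NS = {"s": "SYNCML:SYNCML1.2"}            # SyncML 1.2 namespace used by OMA DM
POLICY = "./Vendor/MSFT/Policy/Config/"   # device-scope root of the Policy CSP

# Assumed baseline for this example: node -> (check, requirement text).
BASELINE = {
    "DeviceLock/DevicePasswordEnabled": (lambda v: v == 0, "must be 0 (0 = password required)"),
    "DeviceLock/MinDevicePasswordLength": (lambda v: v >= 8, "must be at least 8"),
    "DeviceLock/MaxInactivityTimeDeviceLock": (lambda v: 1 <= v <= 15, "must be 1-15 min (0 = no timeout)"),
    "DeviceLock/MaxDevicePasswordFailedAttempts": (lambda v: 1 <= v <= 10, "must be 1-10 (0 = no limit)"),
}

def replace_cmd(cmd_id, node, value):
    """Render one SyncML <Replace> that sets an integer Policy CSP node."""
    return (f"<Replace><CmdID>{cmd_id}</CmdID><Item>"
            f"<Target><LocURI>{POLICY}{node}</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">int</Format></Meta>'
            f"<Data>{value}</Data></Item></Replace>")

def build_payload(settings):
    """Wrap one <Replace> per setting in a SyncML body, as a server would send."""
    cmds = "".join(replace_cmd(i, n, v)
                   for i, (n, v) in enumerate(settings.items(), start=1))
    return (f'<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>{cmds}'
            "<Final/></SyncBody></SyncML>")

def parse_policy_settings(syncml_text):
    """Return {node: int} for each Add/Replace item that targets the Policy CSP."""
    root = ET.fromstring(syncml_text)
    found = {}
    for verb in ("Add", "Replace"):
        for item in root.iterfind(f"s:SyncBody/s:{verb}/s:Item", NS):
            uri = item.findtext("s:Target/s:LocURI", "", NS).strip()
            data = item.findtext("s:Data", "", NS).strip()
            if uri.startswith(POLICY) and data.isdigit():
                found[uri[len(POLICY):]] = int(data)
    return found

def audit(syncml_text):
    """List baseline violations, including nodes the payload never sets."""
    settings = parse_policy_settings(syncml_text)
    findings = []
    for node, (check, requirement) in BASELINE.items():
        if node not in settings:
            findings.append(f"{node} is not set: {requirement}")
        elif not check(settings[node]):
            findings.append(f"{node}={settings[node]}: {requirement}")
    return findings

# Constructed sample payloads (not captured from a real MDM server).
WEAK = build_payload({"DeviceLock/DevicePasswordEnabled": 1,
                      "DeviceLock/MinDevicePasswordLength": 4,
                      "DeviceLock/MaxInactivityTimeDeviceLock": 0})
HARDENED = build_payload({"DeviceLock/DevicePasswordEnabled": 0,
                          "DeviceLock/MinDevicePasswordLength": 10,
                          "DeviceLock/MaxInactivityTimeDeviceLock": 5,
                          "DeviceLock/MaxDevicePasswordFailedAttempts": 8})
```

Calling audit(WEAK) returns four findings, one of them for the failed-attempts node that the payload never sets; audit(HARDENED) returns an empty list.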

Going Forward with SOTI MobiControl and Windows 10

According to the experts, Windows 10 should see a significant increase in enterprise market share over Windows 8. Improved authentication, security and easy management of Windows across all device form factors are compelling reasons to consider adopting Windows 10. By refocusing on the enterprise and making it easy to upgrade, many enterprises that never upgraded to Windows 8 should be looking to test and deploy Windows 10 as a part of an enterprise mobility strategy. SOTI is working closely with Microsoft to ensure that all of the new MDM features are working as expected. SOTI will continue to expand the scope of our MDM support for all form-factors of Windows 10 devices. For more information about SOTI MobiControl please contact sales@soti.net.

SOTI MobiControl Supported Windows 10 Configuration Service Providers

ActiveSync - The ActiveSync configuration service provider is used to set up and change settings for Microsoft Exchange Email. This CSP configures email address and password information, and what Exchange content should be allowed on sync (Email, Contacts, Calendar, and Task List).

Assigned Access 1 - The Assigned Access configuration service provider (CSP) is used to set the device to run in kiosk mode and run the application specified.

Certificate Store - The Certificate Store CSP is used to add root and CA certificates, secure socket layers (SSL), intermediate, and self-signed certificates. This is a significant increase in capability from Windows 8.x MDM.

Dev Detail - The DevDetail CSP is based on the OMA DM standard. It provides detailed device information to the MDM server, i.e. Hardware or Firmware version, OS version, and hardware information such as Processor type, screen resolution, MAC address.

Device Instance Service - The DeviceInstanceService configuration service provider delivers device inventory information (Phone number, IMEI, IMSI). Additionally, this CSP supports querying two different phone numbers in the case of dual SIM devices.

DeviceLock 2 - The DeviceLock CSP configures device lock and password related policies.

DevInfo - The DevInfo CSP is based on the OMA DM standard. At the beginning of each OMA DM session, the MDM uses unique device information as a form of handshake to identify the client to the server.

DMClient - The DMClient CSP uses key settings to help identify the client in the enterprise domain. It allows security mitigation for certificate renewal, and server-driven MDM unenrollment.

EMAIL2 - The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) email accounts.

Enterprise App Management 2 - The EnterpriseAppManagement CSP is used to handle enterprise application management tasks such as installing enterprise applications, inventorying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps.

Maps - The Maps CSP configures what maps (map packages) to download to the device.

Policy - The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. There are hundreds of possible policies, such as: Access to App Store, Enabling connection types (Bluetooth, WiFi, NFC, VPN, Roaming over cellular), Enabling on-device data encryption.

RemoteLock 2 - The RemoteLock CSP supports the ability to lock a device that already has a PIN set on the device or reset the PIN on a device that may or may not have the PIN set.

RemoteRing 2 - The RemoteRing configuration service provider can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that is set on the device.

RemoteWipe - The RemoteWipe configuration service provider can be used by a mobile operator's DM server or an enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.

Reporting - The Reporting CSP is used to retrieve the Enterprise Data Protection (EDP) logs and any other logs for security auditing.

Storage - The Storage enterprise configuration service provider is used to configure the removable storage card settings. Currently, the only setting that is available is to Enable/Disable storage cards.

VPNv2 - The VPN configuration service provider allows the MDM server to configure the default VPN profile(s) of the device.

Wi-Fi - The Wi-Fi CSP delivers the functionality to add/replace/delete Wi-Fi networks on a Windows device. Certain authentication methods may require certificates that must be configured using the CertificateStore CSP.

Windows Defender - Update virus and malware definitions on Windows Desktop devices, and initiate real-time Integration for virus scanning Active Scanning

WindowsSecurityAuditing - The WindowsSecurityAuditing CSP is used to enable/disable logging of security audit events.

Windows Information Protection - Protect access to corporate data, with the option to specify what applications can access this data, and also block sharing of corporate data. Finally, revoke access to corporate data upon un-enrollment.

SOTI is a proven innovator and industry leader for mobility and IoT management. Globally, over 17,000 companies depend on SOTI to transform their business by taking mobility to endless possibilities.

soti.net

Copyright 2017 SOTI Inc. All Rights Reserved. All product and company names are trademarks or registered trademarks of their respective owners. The use of these trademarks does not imply any affiliation with SOTI or endorsement by the trademark holder.

S-103