Microsoft Showcases Azure Active Directory Sync Services and Windows 10 MDM Features
Editor’s Note: In addition to all of the other news coming out of Microsoft TechEd Europe 2014 (TEE14) — including news about Windows 10 Enterprise, Windows Server vNext, and Windows Server vNext Hyper-V — Contributing Editor Russell Smith gives us a quick run-down of changes and updates to Microsoft Azure Active Directory, the Windows Store, and new mobile device management (MDM) features that will be baked into Windows 10.
Azure Active Directory Sync Services
Quietly slipping out the door mid-September, Azure Active Directory Sync Services (AAD Sync) replaces DirSync, which many organizations use to synchronize on-premises AD with Office 365. The new tool aims to make the synchronization process easier to set up and manage, and supports both Azure Active Directory (AAD) and Office 365.
Though Microsoft has its Forefront Identity Manager 2010 R2 product for complex environments, AAD Sync has advanced provisioning, filtering and mapping rules for AD objects and attributes. Organizations can control which object attributes are synced to the cloud, and choose between synchronizing password hashes to AAD, and setting up Active Directory Federation Services (ADFS) so that users are always authenticated locally.
AAD and on-premises AD can be combined to work together, or organizations can choose to use one or the other technology exclusively. Windows 10 devices can be joined directly to AAD, so there’s no dependency on local AD and domain controllers, essentially providing businesses with a manageable version of how consumers use Microsoft accounts (MSAs) to log in to Windows 8 for setting up and syncing email, Windows Store apps, personal information and settings.
Windows Store Business Portal
AAD will be a requirement for the new business portal feature of Windows Store in Windows 10, which will allow ISVs to publish apps that are only visible to chosen organizations. IT can choose how public Windows Store apps are licensed and distributed, along with support for private apps in the curated business portal, and B2B payments using purchase orders, PayPal, credit cards, invoices, and mobile operators among others. Companies choosing to disable the Windows Store can download apps and sideload them directly into Windows images for deployment, or deploy apps using Mobile Device Management (MDM) via direct integration with the business portal.
The Windows 10 Store has a new feature that allows administrators to approve app updates before they are distributed, much like what is possible today in Windows Server Update Services (WSUS). License management is also new, but third-party MDM solutions can also access the Store and take over that role. The Store licensing model is still per-user, but per-device licensing is a possibility in the future if customer feedback indicates there is sufficient demand.
Windows 10 Mobile Device Management
Windows 10 aims to offer a consistent set of MDM capabilities across the supported range of devices. There will be an extended set of policies bringing Windows 10 in line with what’s available in Windows Phone 8.1, including the ability to push policies when users are not logged in, email provisioning, kiosk mode and Start screen/menu configuration, enterprise Wi-Fi, and direct install of .pfx certificates. Organizations will also be able to unenroll devices and remove corporate apps and encrypted data.
Not only will MDM be able to manage the Windows Store and business portal, but also Win32 desktop programs. Application whitelisting utilizes AppLocker so administrators can tightly control user environments and help protect corporate data. Windows 10 supports capabilities traditionally only found on smartphones and tablets, such as full device wipe, remote lock, PIN reset, etc. While not quite yet a reality, Microsoft’s vision is to provide an administration experience that’s similar to a single pane of glass, no matter what the management technology (i.e. Group Policy or MDM via System Center Configuration Manager) or platform (Windows, iOS or Android).
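As an added illustration of the AppLocker whitelisting the article mentions (this is example code written for this page, not Microsoft's or the article's own), the following PowerShell builds an allow-list policy from binaries in a trusted directory, puts it in audit-only mode first, and checks an unknown file against it before anything is enforced. The directory, policy file path and the test executable path are placeholders chosen for the illustration; the cmdlets themselves are the standard AppLocker module cmdlets.

```powershell
# Added example (not from the article): generate, audit and test an AppLocker
# allow-list policy with the built-in AppLocker cmdlets.
# Assumptions: elevated PowerShell on Windows 10/Server with the AppLocker
# module, and the Application Identity (AppIDSvc) service running for
# enforcement. All paths below are placeholders for this illustration.

$trustedDir = 'C:\Program Files'                  # placeholder: known-good install location
$policyFile = "$env:TEMP\applocker-allow.xml"     # placeholder: where the policy XML is written
$candidate  = 'C:\Users\Public\Downloads\unknown.exe'  # placeholder: file to evaluate

# 1. Collect file identity (publisher signature, hash, path) for trusted binaries.
$fileInfo = Get-AppLockerFileInformation -Directory $trustedDir -Recurse `
    -FileType Exe, Dll, Script, WindowsInstaller

# 2. Build rules: Publisher rules for signed files, Hash rules for unsigned ones.
#    -Optimize merges files from the same publisher into one rule.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize

# 3. Start in AuditOnly: nothing is blocked, but event 8003 in the AppLocker log
#    records what WOULD have been blocked. Review these before switching to
#    Enabled, because an allow-list that omits Windows itself or other required
#    binaries will break the machine once enforced.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $policyFile -Encoding utf8

# 4. Evaluate a candidate file against the policy without deploying anything.
#    PolicyDecision is Allowed, Denied or DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidate -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply locally; -Merge keeps any existing rules rather than replacing them.
#    (For domain-wide deployment the same XML is imported into a GPO instead.)
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 6. Review audit events to see which executions would be denied under enforcement.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Id, Message
```

Running in audit mode and reviewing the 8003 events for a period before setting the collections to Enabled is what keeps a whitelisting rollout from locking users out of the tools they legitimately need; the same XML can then be pushed through Group Policy or an MDM channel.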