Device Management in Windows 11/10

Mobile Device Management (MDM)

Windows is more fun on mobile devices with touchscreens than on PCs. Nevertheless, it promises a good experience on all types of devices by using its auto-detection capabilities to restrict or increase the number of features available for a device. Not all the features of a full-fledged computer will be available on lower-configuration machines such as phones and tablets. There will be one Windows 10 version that will adapt itself to the device being used.

Mobile device management policies in Windows 11/10 are based on Windows 8.1, but are extended to provide different experiences to different users. For example, MDM capabilities for enterprise users will be much different from those for a personal license. The features for enterprise versions could include multiple user management, the extent of control over the Windows Store given to different user groups, management of virtual private networks, and so on.

This will be made possible via the Configuration Service Provider in Windows 11/10. It is an interface to create, read, modify, and delete configuration settings on a device. Using this, the OS will apply different configurations to different devices. For example, the Storage enterprise configuration service provider is used to enable or disable memory cards. Based on the device type, MDM will allow or disable the storage enterprise configuration. Because PCs won't have memory cards inserted, this service will not be present, and because mobile phones will contain such cards, the service will be available. This would not only help in configuring the devices better, it would also save on the resources of the device in question.

Enrollment and removal of users in Windows 11/10

For enterprise users, Microsoft is banking on the usage of Windows Azure Active Directory as a base for user groups. It would be easier for enterprises to enroll and de-enroll people using the directory. If an employee leaves or moves to another department, his or her device needs to be cleaned. This happens using the auto-configuration system. When you remove a user from MDM, it removes all data from related devices. Data that could otherwise be used to compromise or utilize the enterprise resources is removed when a user is deleted from the mobile device management system. It will not, however, remove data personal to the user or his or her own apps. Only corporate data that had been configured through MDM would be removed, so that the user is not inconvenienced after he or she leaves, or moves to other departments of the enterprise.

Conditional Access to Enterprise Servers

You will now have the facility to provide conditional access in Windows 10 to different users or their devices. You can make sure that a device is following the organizational policies before it can connect to the enterprise servers, and restrict access to only the devices that follow those policies. This includes both hardware and software evaluation for policy compliance.
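The compliance gate described above can be sketched as a server-side check that fails closed. This is an added example, not Microsoft's implementation or code from the original article; the attribute names, the build threshold and the 24-hour report age are hypothetical values chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy: attribute names and thresholds are constructed for
# illustration and are not a Microsoft schema.
POLICY = {
    "secure_boot": True,      # hardware/firmware state
    "tpm_present": True,      # hardware state
    "disk_encrypted": True,   # software state
    "min_os_build": 19045,    # software state (sample threshold)
    "max_report_age": timedelta(hours=24),
}

def evaluate(device, now, policy=POLICY):
    """Return a list of policy violations; an empty list means compliant."""
    failures = []
    if device.get("mdm_enrolled") is not True:
        failures.append("device is not enrolled in MDM")
    reported = device.get("reported_at")
    if reported is None or now - reported > policy["max_report_age"]:
        failures.append("posture report missing or stale")
    for key in ("secure_boot", "tpm_present", "disk_encrypted"):
        # Fail closed: an attribute the device did not report counts as a failure.
        if device.get(key) is not policy[key]:
            failures.append(key + " does not meet policy")
    build = device.get("os_build")
    if not isinstance(build, int) or build < policy["min_os_build"]:
        failures.append("os_build missing or below minimum")
    return failures

def grant_access(device, now, policy=POLICY):
    """Allow the connection only when no check failed."""
    return not evaluate(device, now, policy)

# Constructed sample reports.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
LAPTOP = {"mdm_enrolled": True, "reported_at": NOW - timedelta(hours=2),
          "secure_boot": True, "tpm_present": True, "disk_encrypted": True,
          "os_build": 19045}
TABLET = {"mdm_enrolled": True, "reported_at": NOW - timedelta(days=3),
          "secure_boot": True, "disk_encrypted": False, "os_build": 19045}

if __name__ == "__main__":
    for name, dev in (("laptop", LAPTOP), ("tablet", TABLET)):
        print(name, "ALLOW" if grant_access(dev, NOW) else "DENY", evaluate(dev, NOW))
```

The tablet is denied for three separate reasons, including an attribute it never reported, which is the case a gate that only checks reported values would let through.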

Restricted Access to Enterprise Data

Using Mobile Device Management (MDM), you can restrict certain devices to certain areas of corporate data. For example, if you wish to restrict a kiosk in the lounge to show only the product information, you can do so using the device management features in Windows 10. You can give access to route tracking only to your company drivers, so that other information is safe with the company. Microsoft calls it "Lockdown of devices in Windows", and MDM is pretty good at configuring the lockdowns as intended by the enterprise policies and decisions. Head over to TechNet if you need more details. You might want to read about Device Guard in Windows 10 too.