Mobile and PC management: The tough but unstoppable union

One day, you'll manage all client devices from a central policy console, but it won't be a fast or easy journey

You know that a trend has peaked when the establishment jumps on board. That's happening in the world of mobile management, pioneered years ago by niche companies such as Good Technology and Zenprise and startups like MobileIron and AirWatch. Now, establishment companies such as CA Technologies, Citrix Systems (which bought Zenprise), Dell, EMC VMware (which bought AirWatch), IBM, and Microsoft are aggressively pushing their mobile management tools.


Just as the establishment is getting into mobile management (aka MDM), the field itself is poised for a shift away from mobile only. Tablets, whether the category-defining iPad or the "deconstructed laptops" promoted by Microsoft and other Windows device makers, resemble both smartphones and laptops. For some people, they replace laptops; for others, they supplement them. In any event, the lines between computers and mobile devices are blurring.

Even where there are clear divisions, users are working with multiple devices. Suddenly, a separation that exists on the management side is hard to keep separate in reality: password, access, and other policies overlap hugely, even when the tools that enforce them don't.

That's why MDM is shifting away from mobile to encompass anything and everything a user might access: smartphones, tablets, computers, even cloud desktop services. Some are personally owned, some are work-owned, most are mixed-use in practice. They cover a range of operating systems: multiple versions of Windows, OS X, iOS, and Android for sure, perhaps Linux, Windows Phone, Chrome OS, and BlackBerry OS as well.

But getting to that state of universal client management is not easy. Fundamental technology differences exist on these clients, affecting what can be secured and managed and how it can be secured and managed. Still, vendors are moving in that direction because, they say, large businesses have decided that in the not-too-distant future they would like to end the separate PC and mobile silos and manage devices collectively.

When it comes to management, Windows is not like the others

What would it take for a tool to truly be unified? The reality is that Windows is managed using very different technologies and assumptions than the other popular operating systems are. The reasons are historical and deep: "In the carrier context for mobile, you couldn't worry about the OS -- the carriers did it. But in Windows, you always had the control over it," recalls Neal Foster, executive director of product marketing for mobile management at Dell.

Outside of Windows and BlackBerry's traditional BES, the typical approach is to deliver to the device a payload containing policies. From there, the device implements those policies through its standard APIs. It's an approach that CA's Ram Varadarajan calls simplex: You push out the policy package, and it gets implemented whenever the device receives and "digests" the payload. When the device later tries to access your servers, a policy check is done to see if the correct policies are in place.

This payload approach is great for mobile devices because you can deliver the payload over any connection, including the public Internet; you don't have to bring the device into a trusted network first just to deliver the policies. But you get no continuous monitoring of the kind that compliance auditing wants: You learn which policies are in place only when a device tries to connect, and then only as the device itself reports them. Apple and others have made it possible to keep users from removing such payloads, but the model still lacks the constant assurance that some industries seek.

Windows assumes a very different world, one where computers are inside a trusted firewall, don't leave the trusted network, and in fact are treated as an attached node, not an occasional guest. That's the fundamental notion behind the domain join managed through Active Directory and System Center. Of course, over time as laptops became popular, Windows management had to adapt to handle access over outside networks, typically using VPNs to extend the trusted network through the Internet.

The domain-join approach allows for more active engagement between the client and the server, as well as for more constant auditing. But it does poorly in the in-and-out world of mobile devices, which explains why even Microsoft hasn't used the domain-join approach in Windows Phone and Windows RT. "The domain join for PCs implied a context for environment," says Dell's Foster, "but more and more, PCs are not connected via a domain, so that context is gone."

It's telling that Microsoft doesn't use domain joining in its mobile-oriented management tool, Intune. Instead, Intune uses a client app on the PC that consumes the payloads, configures Windows accordingly, and acts as a safe space, similar to the sandboxes used natively in iOS and OS X and via third-party software in Android.

Over time, the payload approach may become the standard approach, even in Windows. Microsoft's Windows OS team declined to speak to InfoWorld about its views on management, and the server group didn't want to speak for the OS group. But "with Windows 8.1, it's possible to manage a PC like a mobile device, such as by laying down an agent to do System Center stuff or use a management API. Windows RT does that, too," says Andrew Conway, director of product marketing at Microsoft for Windows Server and System Center. Yet the forthcoming Windows Phone 8.1 will support domain joins, so Microsoft may also be trying to keep both approaches available as the market continues to experiment.

The path to unified management
Certainly, the MDM pioneers see the shift to unified management coming, and several have expanded their mobile offerings to include Macs, since Apple has unified many of the APIs across iOS and OS X to simplify the process. Many partner with other providers to offer not a truly integrated suite to cover PCs and mobile, but a twinned product set that allows some sharing or coordination of policies.

But it's the establishment providers who are most active in trying to reconcile the desktop and mobile worlds into a common management environment, covering everything from asset tracking to security policy enforcement, for a simple reason. These establishment providers typically have Windows-oriented tools, covering the vast majority of client devices in the workplace and providing a starting point most familiar to IT: Windows PCs. (Microsoft says that 70 percent of enterprises today use its System Center for that purpose.)

Their offerings run the gamut from pairing two separate tools with some commonalities, such as policy sharing or common admin console, to a single tool that handles client differences behind the scenes. Most organizations still have separate teams managing PCs and mobile devices, and the single-tool approach works only when an enterprise ends that separation.

"Most companies don't manage desktop and mobile from the same team. Desktop management has been around a long time, and PC management is considered a normal activity, whereas mobile is considered something new and done by a separate team," notes Ram Varadarajan, general manager at CA. "We're not seeing a propensity to go to one management system in one shot, but as a phased evolution," says Dell's Foster.

That poses a chicken-and-egg dilemma for providers. Right now, mobile devices are managed by a different team than PCs are. Mobile devices quickly fell into the domain of Exchange admins as the early mobile use cases were around email, and Apple adopted Microsoft's Exchange ActiveSync protocol as its default management technology, which Google then did for Android.

Thus, IT organizations typically seek two tools even as they talk about eventual unification. "We're seeing a trend toward more unified management," notes Microsoft's Conway. "Most corporations don't want this island of mobile any more; they want to treat it all as one," says CA's Varadarajan.

But until they unify the IT teams, a unified tool doesn't make a lot of sense. The answer, of course, is for IT to centralize the management team first, bringing whatever tools are in place to that unified team. From there, IT can consider replacing those tools with a unified management tool as vendors begin to provide them.

CA, Dell, and Microsoft are good examples of how management providers are trying to move to a unified management approach. Chances are that the providers you're talking to or working with fall within the continuum they represent.

CA is looking to provide a single console for all management, notes Varadarajan. The platform differences get hidden behind the scenes, and the easiest places to unify are where platforms share policies even if their execution differs. "We do see already a common management tool for OS X and Windows. iOS and Android are not that different," he says, suggesting that the unification challenge is easier than you may assume because there's already some convergence across platforms on key attributes. "Sure, the measures and implementations we use might be different. For example, we have different agents on Windows, OS X, and mobile, but they do largely the same things."

In other words, providers will need to fork their tools internally. "Forking is a skill that is underrated, but it has to be embraced for the higher goal of uniformity," Varadarajan says. As an example, "OS X and iOS use many of the same APIs but different semantics. I expect the same thing in Android PCs over time, and I can see the possibility in Windows given Windows Phone's big differences with PC Windows."

Of course, some policies simply don't apply to some devices, but a unified tool would know that and would ignore irrelevant policies while flagging policies that are relevant but can't be deployed to a specific device. A crude example of that is Apple's OS X Server, whose management console arranges its policies in three groups: iOS, OS X, and iOS and OS X. Enterprise-class tools will treat these differences more elegantly, but they will exist.

Varadarajan also notes that the client isn't the only part of the equation. You have servers and network appliances, and they can do a lot of the work when devices connect, such as monitoring traffic, validating access, and enforcing policies on the server side directly. Back-end management is key to unified device management, because all the devices work through that back end, which is the gateway to the company information and services.

Microsoft is taking two paths: extending its traditional System Center to the new, more intermittent world and delivering a payload-oriented tool via Intune. But it's not an either/or proposition. Intune can be used to manage PCs, not just mobile devices, via a client app, though its primary use case is for mobile devices, notes Microsoft's Conway. The PC-focused System Center can be used in concert with Intune on mobile devices, so System Center handles the asset management and configuration and Intune handles the deployment of security and device policies.

Windows 8.1 starts Microsoft's PC OS down the path that Apple began with OS X Lion: using APIs for mobile-style payload-based management.

Dell's approach is the most traditional: It has a basket of specific tools for various management needs, some for mobile, some for PCs, some for both. Customers pick the tools they need, whether or not their teams are unified, and Dell offers consulting services to integrate the tools for the customer's specific needs. "We're finding that customers are all very different, so there's a lot of custom work, à la professional services," says Dell's Foster.

Unified management does not mean managing a unified technology stack
The computing world is one of heterogeneity, a mix of device types, operating systems, applications, and services. The notion that everyone uses a standard PC with a standard OS image and application set is quaint -- and on its way out. "You have to embrace heterogeneity. If you are angry with heterogeneity, you are doomed," says CA's Varadarajan.

Cloud storage is a great example of that notion, says Dell's Foster, citing Office 365, Google Drive, and Apple iWork. "But no one does it all well, so users tend to mix and match." That same mixing and matching applies to applications, devices, and other services because no single platform does everything well. That's going to be true for a long time, especially because technology has gotten so personal that there is rarely one best set of tools even for people doing similar jobs.

Hoping to impose a common set of devices, applications, and services is a pipe dream. But that doesn't mean IT shouldn't seek unity; IT just needs to look elsewhere for it. Common policies are one place to look, but there are others. "The greatest thing that has been adopted are single-sign-on models like OAuth and SAML. So the way you get control is not by proxying but managing the access in the first place," Foster says. You pair that higher-level standardization with what Foster calls "endpoint posture," ensuring that permitted devices meet your standards on passwords, encryption, data isolation, and identity validation, and then put both into a common policy framework that grants access based on role and other factors.
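The connect-time policy check described earlier, in which the server learns only what a device reports about itself, and the role-plus-posture access model Foster describes here can be sketched as one decision routine. The following is an added example written for this page, not code from InfoWorld, CA, Dell, or Microsoft; the control names, the platform capability table, the role entitlements, and the posture reports are all constructed for illustration.

```python
"""Conditional-access decision combining an identity role with device posture.

Added example for this article, not a vendor's product. Every name below
(controls, platforms, roles, resources) is constructed for illustration.
"""
from dataclasses import dataclass, field

# Which of the required controls each platform can actually enforce. A control a
# platform cannot enforce is not applicable there; the article's point is that a
# unified tool should skip it rather than flag it. (Constructed table.)
PLATFORM_CAPABILITIES = {
    "ios":     {"passcode", "encryption", "mdm_profile_locked"},
    "android": {"passcode", "encryption"},
    "osx":     {"passcode", "encryption", "mdm_profile_locked"},
    "windows": {"passcode", "encryption", "domain_joined"},
}

# Role entitlements, as they might arrive in a SAML or OAuth assertion, and the
# controls each resource demands of the device. (Constructed.)
ROLE_RESOURCES = {
    "employee": {"mail"},
    "finance":  {"mail", "ledger"},
    "admin":    {"mail", "ledger", "console"},
}
RESOURCE_REQUIREMENTS = {
    "mail":    {"passcode"},
    "ledger":  {"passcode", "encryption"},
    "console": {"passcode", "encryption", "mdm_profile_locked", "domain_joined"},
}

# Posture older than this forces a fresh check-in before access is granted.
MAX_POSTURE_AGE = 8 * 3600  # seconds


@dataclass
class Posture:
    platform: str
    controls: set      # controls the device's agent CLAIMS are in place
    reported_at: int   # epoch seconds of that self-report


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    ignored: set = field(default_factory=set)  # required but N/A on this platform


def decide(role: str, resource: str, posture: Posture, now: int) -> Decision:
    """Gate one access request on role entitlement plus reported device posture."""
    if resource not in ROLE_RESOURCES.get(role, set()):
        return Decision(False, [f"role {role!r} not entitled to {resource!r}"])
    if posture.platform not in PLATFORM_CAPABILITIES:
        return Decision(False, [f"unknown platform {posture.platform!r}"])
    if now - posture.reported_at > MAX_POSTURE_AGE:
        return Decision(False, ["posture report stale; require fresh check-in"])

    required = RESOURCE_REQUIREMENTS[resource]
    enforceable = PLATFORM_CAPABILITIES[posture.platform]
    ignored = required - enforceable                  # cannot apply here: skip
    missing = (required & enforceable) - posture.controls  # could apply, absent
    if missing:
        return Decision(False, [f"missing control {c!r}" for c in sorted(missing)], ignored)
    return Decision(True, [], ignored)


# Constructed posture reports, as a device agent might self-report at connect time.
IPAD = Posture("ios", {"passcode", "encryption", "mdm_profile_locked"}, reported_at=1_000_000)
UNENCRYPTED_ANDROID = Posture("android", {"passcode"}, reported_at=1_000_000)


def demo(now: int = 1_000_600) -> dict:
    """Run the sample requests and return each decision by name."""
    return {
        "finance_ipad_ledger":    decide("finance", "ledger", IPAD, now),
        "employee_ipad_ledger":   decide("employee", "ledger", IPAD, now),
        "finance_android_ledger": decide("finance", "ledger", UNENCRYPTED_ANDROID, now),
        "admin_ipad_console":     decide("admin", "console", IPAD, now),
        "stale_report":           decide("finance", "ledger", IPAD, 1_000_000 + MAX_POSTURE_AGE + 1),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: allowed={d.allowed} reasons={d.reasons} ignored={sorted(d.ignored)}")
```

The routine separates a control the platform cannot enforce (ignored, as the article says a unified tool should do) from one it could enforce but the device has not reported (a denial). Note what it cannot do: `controls` is whatever the agent claimed at its last check-in, so the decision inherits the payload model's limitation described above; the staleness cutoff only forces a new self-report, it does not make that report more trustworthy.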

Ironically, the path to unified management goes through an embrace of diversity and heterogeneity. There are enough commonalities to create a management fabric. But both the vendors and IT need to approach it that way.

This article, "Mobile and PC management: The tough but unstoppable union," was originally published at InfoWorld.com. Read more of Galen Gruman's Smart User blog.

Copyright © 2014 IDG Communications, Inc.