Evolving the device experience at Microsoft

|

An open laptop sits on a low table in front of a bookshelf in a sitting room.
Microsoft is migrating its employee devices from a traditional management model to one that works well with modern device management.

Microsoft Digital PerspectivesAt Microsoft, we’re embracing and empowering hybrid work by adopting modern device-management practices, which is enabling our employees to split their time between working in the office and working from home. The tools and processes that we use to manage, secure, and monitor devices that access Microsoft data are being migrated out of a traditional management model to coexist with and make way for modern device management using Microsoft Intune. As this migration continues at Microsoft, our employees will be better enabled to be productive from anywhere on any device.

Examining the device landscape at Microsoft

Our employees’ devices are their primary productivity tools. They use a wide variety of devices to access their work and succeed in their roles. Our responsibility in the Microsoft Digital Employee Experience (MDEE) organization is to ensure that each of our employees, regardless of the device they use or the location from which they connect, can be productive and connected to Microsoft tools and corporate data.

Across the landscape of more than 750,000 devices in use at Microsoft, we support Windows, Android, iOS, and macOS devices. Windows devices account for approximately 60 percent of the total employee-device population, while iOS, Android, and macOS account for the rest. Of these devices, approximately 45 percent are personally owned employee devices, including phones and tablets. Our employees are empowered to access Microsoft data and tools using managed devices that enable them to be their most productive.

[Discover how we’re verifying device health at Microsoft with Zero Trust. Unpack how we’re reducing friction throughout our device lifecycle at Microsoft. Explore how we’re using Microsoft Azure Multi-Factor Authentication at Microsoft to enhance our security.]

Migrating device management to the cloud

As hybrid work becomes the norm—and the expectation—for our employees, how we provide access to the tools they need to innovate, create, and collaborate successfully has evolved. Users want a dynamic, device-agnostic experience that focuses on providing them with the data and tools they need from almost any location, using a wide variety of devices, including PCs, laptops, tablets, and smartphones.

This model has largely replaced a traditional, Windows-based, local-network-focused model. The hybrid work experience centers on the employee and their device as the primary determinants of how they access Microsoft tools and data. It also enabled employee-directed tasks such as self-serve device setup and remediation for devices from any location. We’ve been building capabilities for the hybrid work model long before the COVID-19 pandemic made it necessary, and our investments in hybrid work have allowed us to react with agility to workplace challenges in the recent past.

A sizable portion of the devices that we support continue to be corporate-owned traditional laptops or PCs, but our device landscape also includes many personally owned devices. Our device management practices, and even what we define as a device, have changed. Many devices that our employees use to do their work are smartphones from a variety of manufacturers, and these devices use a range of operating systems. This shift in device demographics has necessitated a change in how we manage employee devices and a migration from traditional, on-premises management systems to modern, cloud-based management systems that effectively support and secure this new device demographic.

Our migration—and any migration—from traditional, on-premises management to modern management involves three key management models that play a role in how devices are managed:

  • Traditional management. Microsoft Configuration Manager has been the on-premises management system of choice at Microsoft for decades. In a traditional management model, most managed devices are Windows-based, connected to a local network, and joined to an Active Directory Domain Services (AD DS) architecture. Devices in the traditional model are typically purchased, procured, and managed corporately. We use Configuration Manager to manage devices using previous versions of Windows that are not supported by Intune and to assist in Configuration Manager product development.
  • Modern management. Microsoft Intune supports the modern management model at Microsoft. Intune provides cloud-based device management capabilities across Windows, Android, iOS, and macOS devices. Devices are registered in and authenticated by Microsoft Azure Active Directory. Because it’s cloud-based, Intune removes the dependency on the local network and managed devices can connect across the internet from anywhere. Modern management includes and supports both corporate and personally owned devices, including mobile devices.
  • Co-management. Co-management uses a combination of traditional management and modern management techniques and tools, allowing traditional and modern management models to coexist within an organization. Microsoft Intune allows us to operate both models through a single interface and combined toolset.

In our adoption of modern management through Intune, Microsoft Azure Active Directory (Azure AD), and internet-focused connectivity, we’re adopting more standard practices for device management and the configuration of our device management systems. How we configure and operate our modern management environment is much more standardized than past solutions have been. We use native functionality extensively—the flexibility of the Microsoft cloud management toolset replaces many of the engineered customizations we have had to implement.

We use Microsoft Intune, Microsoft Azure AD, and the rest of the modern management tools the same way that any other organization would. We use procedures directly from the Microsoft documentation website, and we’re adopting documented general best practices and architectural designs that Microsoft recommends to customers. The following figure illustrates using co-management to enable the migration from traditional management to modern management.

Graphic showing traditional management, co-management, and modern management tools.
Using co-management to migrate from traditional to modern management.

Connecting traditional and modern models with co-management

Modern management is the goal for all client devices at Microsoft. However, moving from traditional device management to modern management is a journey, and it’s one that can’t be made overnight. Our journey to modern management began several years ago, and it’s ongoing.

We’ve embraced co-management as the first step in moving to modern management and as a long-term bridge between traditional management and modern management models. By using Microsoft Intune, we’ve been able to manage our traditional on-premises devices alongside newly deployed devices that are modern managed.

Addressing migration challenges

Microsoft Azure Active Directory is central to modern management. Azure AD is the first point of contact for most of our mobile devices and the default directory for new devices. Moving devices from AD DS to Azure AD is at the core of traditional-to-modern migration, as the two directory services provide identification, authentication, and authorization services for on-premises and cloud resources, respectively.

However, the AD DS-to-Azure AD-migration process isn’t simple on a device-to-device basis, and coordinating large-scale directory migration is time-consuming and potentially tedious. We’re using Hybrid Azure AD joined devices as a primary enabler of co-management to facilitate a smooth transition of devices from traditional to modern management. Hybrid-joined devices connect to both AD DS and Azure AD. This dual function lets us maintain existing on-premises Group Policy objects and settings for a device while we work to replicate those settings in modern management using Intune and Azure AD. We completed an analysis using the Intune Group Policy analyzer to determine which policies could be supported in Intune.

New devices are onboarded as modern-managed devices using Autopilot for Windows devices and Apple Business Manager for corporate-owned MacOS and iOS devices. However, we don’t prevent our users from joining AD DS domains if they require it. This strategy gets devices under the modern management model but allows us to continue using traditional management methods where necessary.

As old devices are replaced with new ones, traditionally managed devices decrease in number, and modern-managed devices increase. For large enterprises, a full-scale switch from traditional to modern management without co-management is almost impossible. The time it takes to migrate devices and support systems would severely reduce business efficiency and technical capability for any organization. Users must have uninterrupted access to tools and data from their devices. We anticipate that co-management will remain part of our management environment into the near future.

Supporting the Zero Trust model with verified devices

Based on the principle of verified trust—in order to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. The ability to effectively verify devices is a critical part of the Zero Trust model, and management is mandatory for any device accessing corporate data.

The Microsoft Intune platform enables us to enroll devices, bring them to a managed state, monitor the devices’ health, and enforce compliance against a set of health policies before granting access to any corporate resources. Our device health policies verify all significant aspects of device state, including encryption, antimalware, minimum OS version, hardware configuration, and more. Microsoft Intune also supports internet-based device enrollment, which is a requirement for the internet-first network focus in the Zero Trust model.

We’re using Microsoft Intune to enforce health compliance across the various health signals and across multiple client device operating systems. Validating client device health isn’t a one-time process. Our policy verification processes confirm device health each time a device tries to access corporate resources, much in the same way that we confirm the other pillars, including identity, access, and services. We’re using modern Microsoft Intune protection configuration on every managed device, including pre-boot and post-boot protection and cross-platform coverage.

Managing the device experience in the cloud

Modern-managed devices at Microsoft fall under two main categories: corporate owned devices that our employees use for business purposes, and personally owned devices that our employees bring into the workplace and use to access Microsoft resources.

Corporate owned devices

Corporate owned devices at Microsoft are most commonly Windows devices that Microsoft purchases for our employees to use. Our corporate devices come from a specific set of Windows PCs, laptops, and tablets that our employees can select from a variety of manufacturers. In modern management, these are the devices that we exercise the most control over. All corporate devices in the modern management model are registered in Microsoft Azure AD and managed by Intune.

Microsoft Azure AD, Microsoft Intune, Windows Autopilot, and Windows Update for Business deployment services enable us to take a device from the manufacturer using a standard image and directly apply our policies and management measures without requiring direct interaction from our support personnel. The employee powers on their device, signs in with their Azure AD credentials using multifactor authentication, and the device is joined to Azure AD and enrolled in Intune. Corporate policies and apps specific to the user or department are automatically deployed to the device, and the device is always managed and kept up to date, throughout its entire life cycle.

We’re also using Apple Business Manager to directly manage corporate purchased macOS and iOS devices. Apple Business Manager interfaces with Intune and provides a fully managed experience like the one we have for our corporate owned Windows devices. We can control the Out Of Box experience (OOBE) for Apple devices, reducing the number of screens users need to go through during initial setup. When the user completes the OOBE, the device will already have Intune Company Portal, Microsoft Defender for Endpoint, and other device-related corporate apps installed, simplifying the setup process. We also have the capability to push additional applications or security patches using Intune and Apple Business Manager to devices in the future.

Personally owned devices

Bring your own device (BYOD) scenarios are commonplace in the hybrid work model. Personal devices enable flexibility in the hybrid workplace. Employees can enroll their own Windows, Android, iOS, and macOS devices in Intune using Azure AD Workplace Join. Workplace Join creates a device identity in Azure AD and Intune and enforces device state and configuration through native operating system methods and management apps.

Personally owned devices don’t experience the same level of control as corporate owned devices, but modern management using Intune and Workplace Join grants us the capability to restrict access to resources based on device state and health. With this level of control, we can safely manage access to corporate data and apps stored on the device based on the user of the device and the device operating system.

Next steps

We’re continuing to move toward modern management while using co-management as a bridge to traditionally managed devices. We’re working on several modernization efforts, including migrating our corporate wireless network to internet-first and reducing the number devices using virtual private network connections. We’re also consolidating device management controls to a single interface, improving migration capabilities for domain-joined devices, and hardening device health definitions with new compliance policies. As our migration continues and the modern management environment matures, our employees will be better enabled to be productive in the hybrid work model from anywhere and on any device.

Key Takeaways

  • Modern management enables your organization to embrace hybrid work practices while helping to control access to tools, data, and the devices used to access them.
  • Co-management offers a bridge between traditional and modern management that’s flexible and scales to your organization’s pace and structure.
  • The move toward modern management empowers employees to be productive when using any device, whether it’s their personal device or corporate owned device, on a variety of operating system platforms.
  • Modern management enables the Zero Trust model, which uses a multipronged approach to help detect, manage, and prevent security breaches from inside and outside an organization.
  • Large enterprises such as Microsoft can use Microsoft Intune to implement modern management without requiring significant custom integrations and solutions.

 

Related links

 

Recent