Devices Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/devices/
How Microsoft does IT
Wed, 01 May 2024 16:49:15 +0000

Evolving the device experience at Microsoft
http://approjects.co.za/?big=insidetrack/blog/evolving-the-device-experience-at-microsoft/
Wed, 01 May 2024 14:57:36 +0000
Microsoft Digital Perspectives

At Microsoft, we’re embracing and empowering hybrid work by adopting modern device-management practices, which is enabling our employees to split their time between working in the office and working from home. The tools and processes that we use to manage, secure, and monitor devices that access Microsoft data are being migrated out of a traditional management model to coexist with and make way for modern device management using Microsoft Intune. As this migration continues at Microsoft, our employees will be better enabled to be productive from anywhere on any device.

Examining the device landscape at Microsoft

Our employees’ devices are their primary productivity tools. They use a wide variety of devices to access their work and succeed in their roles. Our responsibility in the Microsoft Digital Employee Experience (MDEE) organization is to ensure that each of our employees, regardless of the device they use or the location from which they connect, can be productive and connected to Microsoft tools and corporate data.

Across the landscape of more than 750,000 devices in use at Microsoft, we support Windows, Android, iOS, and macOS devices. Windows devices account for approximately 60 percent of the total employee-device population, while iOS, Android, and macOS account for the rest. Of these devices, approximately 45 percent are personally owned employee devices, including phones and tablets. Our employees are empowered to access Microsoft data and tools using managed devices that enable them to be their most productive.

[Discover how we’re verifying device health at Microsoft with Zero Trust. Unpack how we’re reducing friction throughout our device lifecycle at Microsoft. Explore how we’re using Microsoft Azure Multi-Factor Authentication at Microsoft to enhance our security.]

Migrating device management to the cloud

As hybrid work becomes the norm—and the expectation—for our employees, how we provide access to the tools they need to innovate, create, and collaborate successfully has evolved. Users want a dynamic, device-agnostic experience that focuses on providing them with the data and tools they need from almost any location, using a wide variety of devices, including PCs, laptops, tablets, and smartphones.

This model has largely replaced a traditional, Windows-based, local-network-focused model. The hybrid work experience centers on the employee and their device as the primary determinants of how they access Microsoft tools and data. It also enables employee-directed tasks such as self-serve device setup and remediation from any location. We had been building capabilities for the hybrid work model long before the COVID-19 pandemic made it necessary, and our investments in hybrid work have allowed us to react with agility to workplace challenges in the recent past.

A sizable portion of the devices that we support continue to be corporate-owned traditional laptops or PCs, but our device landscape also includes many personally owned devices. Our device management practices, and even what we define as a device, have changed. Many devices that our employees use to do their work are smartphones from a variety of manufacturers, and these devices use a range of operating systems. This shift in device demographics has necessitated a change in how we manage employee devices and a migration from traditional, on-premises management systems to modern, cloud-based management systems that effectively support and secure this new device demographic.

Our migration—and any migration—from traditional, on-premises management to modern management involves three key management models that play a role in how devices are managed:

  • Traditional management. Microsoft Configuration Manager has been the on-premises management system of choice at Microsoft for decades. In a traditional management model, most managed devices are Windows-based, connected to a local network, and joined to an Active Directory Domain Services (AD DS) architecture. Devices in the traditional model are typically purchased, procured, and managed corporately. We use Configuration Manager to manage devices using previous versions of Windows that are not supported by Intune and to assist in Configuration Manager product development.
  • Modern management. Microsoft Intune supports the modern management model at Microsoft. Intune provides cloud-based device management capabilities across Windows, Android, iOS, and macOS devices. Devices are registered in and authenticated by Microsoft Azure Active Directory. Because it’s cloud-based, Intune removes the dependency on the local network and managed devices can connect across the internet from anywhere. Modern management includes and supports both corporate and personally owned devices, including mobile devices.
  • Co-management. Co-management uses a combination of traditional management and modern management techniques and tools, allowing traditional and modern management models to coexist within an organization. Microsoft Intune allows us to operate both models through a single interface and combined toolset.

In our adoption of modern management through Intune, Microsoft Azure Active Directory (Azure AD), and internet-focused connectivity, we’re adopting more standard practices for device management and the configuration of our device management systems. How we configure and operate our modern management environment is much more standardized than past solutions have been. We use native functionality extensively—the flexibility of the Microsoft cloud management toolset replaces many of the engineered customizations we have had to implement.

We use Microsoft Intune, Microsoft Azure AD, and the rest of the modern management tools the same way that any other organization would. We use procedures directly from the Microsoft documentation website, and we’re adopting documented general best practices and architectural designs that Microsoft recommends to customers. The following figure illustrates using co-management to enable the migration from traditional management to modern management.

Graphic showing traditional management, co-management, and modern management tools.
Using co-management to migrate from traditional to modern management.

Connecting traditional and modern models with co-management

Modern management is the goal for all client devices at Microsoft. However, moving from traditional device management to modern management is a journey, and it’s one that can’t be made overnight. Our journey to modern management began several years ago, and it’s ongoing.

We’ve embraced co-management as the first step in moving to modern management and as a long-term bridge between traditional management and modern management models. By using Microsoft Intune, we’ve been able to manage our traditional on-premises devices alongside newly deployed devices that are modern managed.

Addressing migration challenges

Microsoft Azure Active Directory is central to modern management. Azure AD is the first point of contact for most of our mobile devices and the default directory for new devices. Moving devices from AD DS to Azure AD is at the core of traditional-to-modern migration, as the two directory services provide identification, authentication, and authorization services for on-premises and cloud resources, respectively.

However, the AD DS-to-Azure AD migration process isn’t simple on a device-by-device basis, and coordinating large-scale directory migration is time-consuming and potentially tedious. We’re using Hybrid Azure AD joined devices as a primary enabler of co-management to facilitate a smooth transition of devices from traditional to modern management. Hybrid-joined devices connect to both AD DS and Azure AD. This dual function lets us maintain existing on-premises Group Policy objects and settings for a device while we work to replicate those settings in modern management using Intune and Azure AD. We completed an analysis using the Intune Group Policy analyzer to determine which policies could be supported in Intune.

New devices are onboarded as modern-managed devices using Autopilot for Windows devices and Apple Business Manager for corporate-owned macOS and iOS devices. However, we don’t prevent our users from joining AD DS domains if they require it. This strategy gets devices under the modern management model but allows us to continue using traditional management methods where necessary.

As old devices are replaced with new ones, traditionally managed devices decrease in number, and modern-managed devices increase. For large enterprises, a full-scale switch from traditional to modern management without co-management is almost impossible. The time it takes to migrate devices and support systems would severely reduce business efficiency and technical capability for any organization. Users must have uninterrupted access to tools and data from their devices. We anticipate that co-management will remain part of our management environment into the near future.

Supporting the Zero Trust model with verified devices

Based on the principle of verified trust—in order to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. The ability to effectively verify devices is a critical part of the Zero Trust model, and management is mandatory for any device accessing corporate data.

The Microsoft Intune platform enables us to enroll devices, bring them to a managed state, monitor the devices’ health, and enforce compliance against a set of health policies before granting access to any corporate resources. Our device health policies verify all significant aspects of device state, including encryption, antimalware, minimum OS version, hardware configuration, and more. Microsoft Intune also supports internet-based device enrollment, which is a requirement for the internet-first network focus in the Zero Trust model.

We’re using Microsoft Intune to enforce health compliance across the various health signals and across multiple client device operating systems. Validating client device health isn’t a one-time process. Our policy verification processes confirm device health each time a device tries to access corporate resources, much in the same way that we confirm the other pillars, including identity, access, and services. We’re using modern Microsoft Intune protection configuration on every managed device, including pre-boot and post-boot protection and cross-platform coverage.
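The per-request health check described above, as an added illustration that is not Microsoft’s or Intune’s code: a constructed policy covering the signals the text names (encryption, antimalware, minimum OS version, a hardware-configuration flag) is evaluated against constructed device health reports, failing closed on missing or stale signals, and the result drives a grant/deny decision. Field names, the policy values and the sample reports are all this example’s own assumptions.

```python
from dataclasses import dataclass

# Constructed health policy in the spirit of the signals listed above.
# Field names are this example's own, not Intune's schema.
@dataclass
class HealthPolicy:
    min_os_version: dict               # platform -> minimum version string
    require_encryption: bool = True
    require_antimalware: bool = True
    require_secure_boot: bool = True   # hardware-configuration signal
    max_report_age_min: int = 60       # older health reports are not trusted


def parse_version(text: str) -> tuple:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically
    rather than lexically ('10.0.9' must not outrank '10.0.19045')."""
    return tuple(int(part) for part in text.split("."))


def evaluate(report: dict, policy: HealthPolicy) -> list:
    """Return the list of failed checks; an empty list means compliant.
    Missing signals fail closed: an absent field counts as a failure."""
    failures = []
    platform = report.get("platform")
    minimum = policy.min_os_version.get(platform)
    if minimum is None:
        failures.append(f"platform not allowed: {platform}")
    elif parse_version(report.get("os_version", "0")) < parse_version(minimum):
        failures.append(f"os_version {report.get('os_version')} below {minimum}")
    if policy.require_encryption and not report.get("disk_encrypted", False):
        failures.append("disk not encrypted")
    if policy.require_antimalware and not report.get("antimalware_enabled", False):
        failures.append("antimalware not running")
    if policy.require_secure_boot and not report.get("secure_boot", False):
        failures.append("secure boot disabled")
    age = report.get("report_age_min", policy.max_report_age_min + 1)
    if age > policy.max_report_age_min:
        failures.append("health report stale")
    return failures


def access_decision(report: dict, policy: HealthPolicy) -> tuple:
    """Decision taken at every resource request, not once at enrollment.
    Returns ('grant', []) or ('deny', [reasons])."""
    failures = evaluate(report, policy)
    return ("grant", []) if not failures else ("deny", failures)


# Constructed policy values (assumed, not Microsoft's actual thresholds).
POLICY = HealthPolicy(min_os_version={"windows": "10.0.19045", "macos": "13.0"})

# Constructed sample reports, as a management agent might send them.
SAMPLE_REPORTS = {
    "win-ok": {"platform": "windows", "os_version": "10.0.22631",
               "disk_encrypted": True, "antimalware_enabled": True,
               "secure_boot": True, "report_age_min": 5},
    "win-noenc": {"platform": "windows", "os_version": "10.0.22631",
                  "disk_encrypted": False, "antimalware_enabled": True,
                  "secure_boot": True, "report_age_min": 5},
    "mac-old": {"platform": "macos", "os_version": "12.6",
                "disk_encrypted": True, "antimalware_enabled": True,
                "secure_boot": True, "report_age_min": 5},
    "stale": {"platform": "windows", "os_version": "10.0.22631",
              "disk_encrypted": True, "antimalware_enabled": True,
              "secure_boot": True, "report_age_min": 720},
    "unknown": {"platform": "linux"},   # unsupported platform, no signals
}

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        verdict, reasons = access_decision(report, POLICY)
        print(f"{name:10} {verdict:5} {'; '.join(reasons)}")
```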

Managing the device experience in the cloud

Modern-managed devices at Microsoft fall under two main categories: corporate owned devices that our employees use for business purposes, and personally owned devices that our employees bring into the workplace and use to access Microsoft resources.

Corporate owned devices

Corporate owned devices at Microsoft are most commonly Windows devices that Microsoft purchases for our employees to use. Our corporate devices come from a specific set of Windows PCs, laptops, and tablets that our employees can select from a variety of manufacturers. In modern management, these are the devices that we exercise the most control over. All corporate devices in the modern management model are registered in Microsoft Azure AD and managed by Intune.

Microsoft Azure AD, Microsoft Intune, Windows Autopilot, and Windows Update for Business deployment services enable us to take a device from the manufacturer using a standard image and directly apply our policies and management measures without requiring direct interaction from our support personnel. The employee powers on their device, signs in with their Azure AD credentials using multifactor authentication, and the device is joined to Azure AD and enrolled in Intune. Corporate policies and apps specific to the user or department are automatically deployed to the device, and the device is always managed and kept up to date, throughout its entire life cycle.

We’re also using Apple Business Manager to directly manage corporate purchased macOS and iOS devices. Apple Business Manager interfaces with Intune and provides a fully managed experience like the one we have for our corporate owned Windows devices. We can control the Out Of Box experience (OOBE) for Apple devices, reducing the number of screens users need to go through during initial setup. When the user completes the OOBE, the device will already have Intune Company Portal, Microsoft Defender for Endpoint, and other device-related corporate apps installed, simplifying the setup process. We also have the capability to push additional applications or security patches using Intune and Apple Business Manager to devices in the future.

Personally owned devices

Bring your own device (BYOD) scenarios are commonplace in the hybrid work model. Personal devices enable flexibility in the hybrid workplace. Employees can enroll their own Windows, Android, iOS, and macOS devices in Intune using Azure AD Workplace Join. Workplace Join creates a device identity in Azure AD and Intune and enforces device state and configuration through native operating system methods and management apps.

Personally owned devices don’t experience the same level of control as corporate owned devices, but modern management using Intune and Workplace Join grants us the capability to restrict access to resources based on device state and health. With this level of control, we can safely manage access to corporate data and apps stored on the device based on the user of the device and the device operating system.

Next steps

We’re continuing to move toward modern management while using co-management as a bridge to traditionally managed devices. We’re working on several modernization efforts, including migrating our corporate wireless network to internet-first and reducing the number of devices using virtual private network connections. We’re also consolidating device management controls to a single interface, improving migration capabilities for domain-joined devices, and hardening device health definitions with new compliance policies. As our migration continues and the modern management environment matures, our employees will be better enabled to be productive in the hybrid work model from anywhere and on any device.

Key Takeaways

  • Modern management enables your organization to embrace hybrid work practices while helping to control access to tools, data, and the devices used to access them.
  • Co-management offers a bridge between traditional and modern management that’s flexible and scales to your organization’s pace and structure.
  • The move toward modern management empowers employees to be productive when using any device, whether it’s their personal device or corporate owned device, on a variety of operating system platforms.
  • Modern management enables the Zero Trust model, which uses a multipronged approach to help detect, manage, and prevent security breaches from inside and outside an organization.
  • Large enterprises such as Microsoft can use Microsoft Intune to implement modern management without requiring significant custom integrations and solutions.

Make it easy but secure: Our journey to frictionless device management at Microsoft
http://approjects.co.za/?big=insidetrack/blog/make-it-easy-but-secure-our-journey-to-frictionless-device-management-at-microsoft/
Wed, 12 Jul 2023 14:57:04 +0000
Microsoft Digital stories

With more than 200,000 employees each utilizing a handful of work and personal devices to get work done, the device management landscape at Microsoft is immense, complicated, and fraught with security risk.

In short, the point at which our administrator responsibilities intersect with the experience our employees have with their devices has historically been full of friction.

For years, we at Microsoft have been transforming the way we manage our company, a long road of good work that has led us to where we are today and that enables our employees to access their information whenever and wherever they need it.

Selvaraj poses for a portrait in a Microsoft building.
Senthil Selvaraj led our Frictionless Devices team through the modern transition in device management. He is a principal product manager.

Our continued shift towards empowering our employees to work anywhere enabled them to stay engaged and productive during the pandemic. Now that a new era of hybrid work has emerged, the necessity for seamless access to company resources is more important than ever, and the challenges of maintaining security in this new paradigm are ever-present.

“We are in a moment of massive transition. We went from everyone in the office to everyone remote, and now everyone is hybrid,” says Senthil Selvaraj, principal product manager of the Frictionless Devices team within Microsoft Digital Employee Experience, the company’s IT organization. “Our expectation and goal are that every user can work from whichever device they want from wherever in the world they want. But we must accomplish this while fending off thousands of attacks every day on our devices around the globe.”

Microsoft’s approach to the frictionless device initiative is multi-faceted and has required us to update our thinking on how we approach procurement of hardware and software, our help desk solutions, and utilization of advances in AI technology.

We divide this approach into three primary pillars: device experience, vulnerability management, and device lifecycle. Our mission is to produce efficiencies for our admins and business while demonstrably improving the experience of our employees across the globe.

[Unpack how we’re evolving the device experience at Microsoft. Discover how we’re verifying device health at Microsoft with Zero Trust. Explore how we’re harnessing first-party patching technology to drive innovation at Microsoft.]

Self-managed help desk

At Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company, we oversee the IT function for the whole company. This includes managing the help desk experience for our employees, which is a common touchpoint for all users seeking help with their devices.

However, the help desk is a key driver of financial and opportunity cost. In the traditional model, we would have one support person helping one user with an issue at a time. This approach is inefficient and often misses out on the network effects that can be gained with sharing solutions not just with a single user but with the whole community. Why help one person at a time when you can help the whole community at once?

We found that 40 percent of all help desk tickets, especially from non-Windows devices, required user education rather than a hardware or software fix. So we have built a SharePoint site that contains all the information users need to set up their applications on their own.

We see a compounded effect of savings: employees are not losing productive time while waiting for the help desk to assist them, and we reduce help desk costs by reducing the overall number of tickets. We can reallocate our resources to the true issues that need fixing.

In the very near future, we will see even further gains in efficiency and cost reduction by utilizing the latest generation of AI automations at Microsoft. We anticipate that tools like a Helpdesk Copilot will give employees access to information that enables them to solve device problems without needing to escalate to a help desk engineer. This will decrease the amount of time they spend searching for solutions and the amount of time our help desk engineers need to spend working on common solutions.

The benefits of native Zero Trust and virtualization

The hybrid work environment requires us to provide flexibility to our employees who may be logging in to company resources from any number of locations. Our security needs to flexibly and securely meet employees wherever they are. Zero Trust architecture is our modern approach to this device environment that allows us to effectively secure our devices and our networks. And virtualization of devices is the next frontier for ease of use.

By centralizing and simplifying security in the cloud we are saving money and becoming more secure than ever. No longer are we relying on a castle-and-moat strategy whereby once you are logged in you’ll have free access to all resources on the network. We’re now limiting users and accounts by a concept called least-privileged access. Your login is verified at each step and each resource is thus secured individually.

A great example of this Zero Trust initiative appearing in the device management role is the set of peripherals that we use in our joint conference rooms. Alongside devices like printers, conference rooms are extremely common touchpoints for employees coming into a Microsoft office. We need and want their experience in using these resources to be as seamless as possible, but, because they’re shared resources, they remain a security vulnerability. Now, users access these resources under their own credentials on a Zero Trust protocol.

“If you’re looking for security, speed, and ease of access, your answer is the cloud,” Selvaraj says. “The ultimate expression of this modern security posture will be coming through opportunities in virtualized devices.”

We recently announced new ways of delivering employees’ desktop experiences with virtualization solutions such as Windows 365 and Microsoft Dev Box. With Windows 365 Cloud PCs, users can access their personalized Windows apps, settings, desktop, and data—securely hosted in the Microsoft Cloud and accessible on any device—wherever and whenever they work. Cloud-based solutions like these aligned to Microsoft Zero Trust principles are key in reducing friction for everyone in the modern flexible workplace.

Maintaining the approved software Rolodex

Modern software like Microsoft Teams is incredibly powerful and enables a new world of collaboration through its associated apps and APIs. However, each of these exit points where one piece of software or hardware connects with another is a vulnerability. One approach we are taking to more effectively secure this software ecosystem is by centralizing permissions for all applications.

We have effectively created an internal database of known and trusted apps. These are software applications that our IT team can, to a certain degree, guarantee will work and be secure. Previous generations of application management were extremely open: each user had nearly complete freedom to install new applications. While that approach may be popular with users who can use whatever software they wish, paired with a pre-Zero Trust security environment it exposes the network to greater risk.

“The problem and opportunity of software management is twofold: How do we provide ease of access to users while reducing friction for our security and support teams?” says Sean Cottrille, senior product manager on the Frictionless Devices team. “We are moving the goal posts to make sure all apps are pre-approved and are known entities before being installed.”

This new approach to applications ensures that we have a structure in place that answers the questions and needs of the user in advance. Now we can provide a solution to the user more quickly than ever before.

Managing expectations and building for success

Any change to how an employee gets their daily work done requires clear communication about expectations and flexibility from all involved. Employees rely on their hardware and software to work correctly to be able to get work done and quickly become frustrated if there is an unexpected change to their workflow.

Philpott and Cottrille pose for headshots in this combined image.
John Philpott and Sean Cottrille are two members of the Microsoft Digital Employee Experience team who helped bring our modern vision for frictionless device management to life.

“When you’re making a change to the user experience, you must make sure it’s well communicated,” says John Philpott, a senior product manager for seamless access in Microsoft Digital Employee Experience. “If we see problems with the rollout of a new feature, it’s usually because we haven’t communicated enough or in the right channels. You need to go to multiple places where employees gather information to make sure the correct information is meeting them.”

We always test and analyze changes before implementing them, and we are sure of the worth of these updates and upgrades before we roll them out broadly. With this confidence we can go to our team, clearly communicate what the changes are going to be while knowing that the effort of the transition period will be worth it.

The overall benefit of our frictionless devices initiative is that our employees are more connected and enjoy a more seamless device experience. We have developed disruption-free updates and are ensuring seamless access to the tools and services that users need to get their work done wherever they’re working, whether at home, at the office, or on the road. We are doing all of this while gaining time and financial efficiencies by centralizing procurement, optimizing automation, and improving the virtualization technology.

“Our goal with device management is to make the whole experience frictionless and to help our employees remain productive with less downtime,” Selvaraj says. “This doesn’t have to conflict with our parallel mission of keeping our company safe. We’re making the employee and admin experience easy but secure.”

Key Takeaways

  • Adapting your IT approach to the modern hybrid work environment means flexibly adjusting your security and device management protocols to account for the new ways your employees are accessing company data. You need to balance your approach to security concerns with a desire to make accessing the information and tools they need as frictionless as possible.
  • Zero Trust security architecture is enhancing security and flexibility, and new efforts on virtualization of devices will provide further opportunity for efficiency, security, and ease of use.
  • Rationalizing procurement of hardware and software and rolling out new automations and efficiencies in help desk solutions are further speeding up our employees’ experience of getting new tools up and running while reducing overall IT expenditure.

Try it out

Try Microsoft Intune at no cost.
