
These materials are © 2018 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.


Modern PC Management

VMware Special Edition

by Kevin Strohmeyer, Aditya Kunduri, and Justin Grimsley


Modern PC Management For Dummies®, VMware Special Edition

Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030‐5774
www.wiley.com

Copyright © 2018 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN 978‐1‐119‐49153‐8 (pbk); ISBN 978‐1‐119‐49149‐1 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877‐409‐4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Development Editor: Elizabeth Kuball

Copy Editor: Elizabeth Kuball

Acquisitions Editor: Katie Mohr

Editorial Manager: Rev Mengle

Business Development Representative: Karen Hattan

Production Editor: Vasanth Koilraj

Special Help: Josue Negron, Faithe Wempen


Table of Contents

Introduction
    About This Book
    Foolish Assumptions
    Icons Used in This Book
    Beyond the Book

Chapter 1: The Roots of Modern PC Management
    Surveying the Standard Operating Environment
    Evolving into a Mobile Workforce
    Continuing the Mobile-Centric Evolution with Windows 10

Chapter 2: The Rise of Unified Endpoint Management
    Struggling Along with Silos and Point Solutions
    Finding a Better Way: A Unified Management Platform
    Looking at the End-User Benefits
    Surveying the Benefits for IT Admins

Chapter 3: The Capabilities of Unified Endpoint Management
    Provisioning and Onboarding Hardware
        Windows 10 devices
        iOS, macOS, and tvOS devices
        Android devices
    Distributing Software
        Pushing and pulling software
        Packaging and deployment
        App virtualization
        Peer-to-peer distribution
    Updating Operating Systems and Managing Patches
        Pushing patches and OS updates the OTA way
    Managing Security
    Integrating Employee Devices
    Managing Assets, Reporting, and Analytics
        Intelligent asset management
        Tracking patch compliance
    Considering the Special Needs of Mac and Chromebook Devices
        macOS High Sierra
        Chromebooks

Chapter 4: Getting Started with Unified Endpoint Management
    Considering the Key Planning Factors
        Policies for end-user devices
        Virtualization of desktops and apps
        When to publish apps and when to provide entire desktops
        The app catalog
        Security strategy
        Staff skillsets
    Finding the Best Approach
        The “wait and see” approach
        The hybrid approach
        The cold-turkey approach

Chapter 5: Ten Essential Traits for a UEM Technology Provider
    Unique Vision for Mobility Management
    Proven Technology
    Global Presence
    Unified Platform
    Integrated Apps and Content Management
    Management Framework for Bring Your Own Device
    End-to-End Security
    Powerful Automation Tools
    Scalability for Growing Businesses
    Integrated Technology Ecosystem and Extensible APIs

Appendix A: Resources
    Analyst Reports
    White Papers
    Blogs
    Infographics
    Websites

Appendix B: Glossary


Introduction

Welcome to Modern PC Management For Dummies, your guide to effectively managing desktop, mobile, and rugged devices in the heterogeneous world of today’s business IT.

First of all, what do we mean by “modern PC management”? In the context of this book, PC management refers to an IT department’s ability to effectively commission, support, and decommission computing devices assigned to individual users. The old methods that IT departments of the past have employed just aren’t cutting it anymore; modern solutions are needed to address today’s management issues.

And what do we mean by “PC”? Technically, PC stands for personal computer. The old‐time definition of a PC — a desktop computer tethered full‐time to an office worker’s desk — is grossly out of date, though. In this book, when we say “PC,” we’re referring to a broad range of devices, including Windows, Mac, and Chromebook systems, all now with the potential to be managed through a common digital workspace platform alongside the smartphones, tablets, and other mobile devices already managed from the cloud.

All that device diversity has made things a lot more complicated for today’s IT teams. You now need to integrate all these heterogeneous devices into critical business operations, secure them from unauthorized use, and manage them in a manner that allows your end users to enjoy a consistent, productive, and consumer‐like experience. This is where modern management enters the picture.

Modern management brings the efficiency of mobile device management (MDM) together with the full breadth of capabilities of PC lifecycle management (PCLM) to enable unified endpoint management (UEM) via a digital workspace platform. The digital workspace collapses the silos between mobile and desktop management and even line‐of‐business application management to enable all devices to be managed holistically. It allows you to take a consistent approach to managing and securing all your user endpoints and all the apps and data associated with them. Basically, we’re talking about homogeneous management of heterogeneous devices.

About This Book

In this book, you see how modern PC management works and how it integrates with and complements traditional PCLM and MDM. We also make the case for all organizations to begin the process of moving to modern PC management, in part because it’s clearly the future and in part because some of the key tools for traditional management are already on an end‐of‐life road map.

Don’t let the compact size fool you. This book is loaded with information that can help you understand the ins and outs of modern PC management. In plain and simple language, we cover the following:

✓ The concept of modern PC management

✓ Key capabilities for UEM

✓ How to get started with modern management

Along the way, we debunk some myths, like these:

✓ Modern management is really just MDM.

✓ Modern management isn’t yet ready for prime time.

✓ Continuing with PCLM is the safe thing to do for the time being.

Foolish Assumptions

In writing this book, we went out on a limb and made some assumptions about you:

✓ You’re an IT pro who is familiar with terms used commonly in IT shops.

✓ You’re familiar with the concepts of either PC management or MDM.


✓ You’re concerned about managing a mix of mobile devices alongside traditional PCs or Macs — some owned by the company and some not.

✓ You’re going to love the capabilities of a modern management platform.

Icons Used in This Book

To make it easy to navigate to the most useful information, these icons highlight key text:

Take careful note of these key takeaway points.

Follow the target for tips that can save you time and effort.

Beyond the Book

For more information on modern PC management, head to www.vmware.com/go/digital‐workspace.


Chapter 1: The Roots of Modern PC Management

In This Chapter

▶▶ Exploring the roots of the standard operating environment

▶▶ Highlighting the need for a new approach to management

▶▶ Introducing the mobile‐friendly Windows 10 operating system

In this chapter, we begin by looking back at the evolution of Windows PC management. Then we look at the rise of the mobile workforce and the proliferation of heterogeneous mobile devices in the workplace. Finally, we explain how Windows 10 changes the ground rules for managing PCs and mobile devices.

Surveying the Standard Operating Environment

Years ago, when PCs came into the workplace, the concept of a standard operating environment (SOE) took root in IT shops. With an SOE, an IT organization buys just one type of computer, or a very limited number of types, from a single hardware vendor. The IT shop then leverages a “golden disk image” to install a standard software package on each of the devices.

Typically, an SOE includes an operating system, service packs, software updates, and a package of applications used throughout the organization. The use of a golden image — locked down and installed in the IT shop or through a third‐party kitting company — enables IT admins to consistently provision systems and apply common policies across the user base. The SOE also simplifies support and system updates, because all systems can be managed in the same way, with the same IT processes and the same set of tools for PC lifecycle management (PCLM).

SOE obviously has many benefits, but it also has some limitations. Here are some of the most significant ones:

✓ Architecture: SOEs are built for desktops that are on domain and on the company network — and never on the go. That’s just not the way it is in today’s highly mobile world, where people can work just about anywhere and use just about any device.

✓ Windows Updates: In the past, Windows updates arrived once every three years via service packs, so IT had to build new images every three years. Today, Windows updates are released every six months.

✓ Deployment and onboarding: For IT shops, SOEs are a high‐touch and time‐intensive proposition. Each system getting an SOE must be handled directly. With all the manual steps in the process, it can take hours to image a device and weeks to onboard a new user.

✓ Patching: When it comes time to patch systems, the devices must be on the network. And even at that, legacy tools are notorious for poor visibility into patch compliance. And if systems aren’t patched, the business can be at risk of costly security breaches.

✓ Apps: Packaging and distributing apps is resource‐intensive and unreliable. IT pros must build complex app packages and then stand up expensive infrastructure to distribute the software to end users at local and remote sites.

The problems with SOEs don’t stop there. The reality is that different types of users need different types of systems. Today, a large organization might support hundreds of images to meet the needs of different business units and their users. A lot of IT staff time is required to produce and maintain all those images and to install them on the end‐user devices.


And after an image is installed, the IT shop puts in passwords, configures the system, and then ships the PC to the user. In a large enterprise, this labor‐intensive process may be replicated tens of thousands of times a year. And when it comes time to update systems — for example, to install a new version of Windows — the IT shop has to rip and replace images.

Here’s the bottom line: Traditional approaches to managing the lifecycle of a PC are complex, labor intensive, and costly. How costly? It’s not uncommon for operational costs to repre-sent nearly 40 percent of all PC‐related costs!

Yet despite their downsides, conventional approaches to PC management got the job done well enough in the past, in part because all things PC‐related used to change more slowly than they do now. And then came the proliferation of mobile devices in the workplace, the rise of a mobile workforce, and the advent of the mobile‐friendly Windows 10 operating system. Collectively, these trends are rewriting a lot of the rules for PCLM.

Evolving into a Mobile Workforce

Workers just don’t sit still anymore like they used to. The trend toward using mobile devices for corporate work got going in a big way with BlackBerry devices, and then it gained even more momentum when the iPhone entered the workplace. The stable ground under the IT shop began shifting.

IT pros had to quickly figure out how to enable executives and employees who were using these new devices. Early on, Apple helped by releasing application programming interfaces (APIs) for mobile device management (MDM); later, Google did the same for its Android operating system. Pretty soon, an entire industry was built around mobile device management and more employees were choosing to use their own devices in the workplace (a trend known as BYOD — short for “bring your own device”).


MDM offered many important benefits for IT admins when it came to managing mobile phones in the workplace. They could now provision settings, distribute applications, wipe devices, and carry out other administrative tasks with the click of a button, regardless of where the user was.

As technology evolved, the more narrowly focused MDM evolved to the more broadly focused enterprise mobility management (EMM). EMM encompasses the following:

✓ Mobile device management (MDM)

✓ Mobile email management (MEM)

✓ Mobile application management (MAM)

✓ Mobile content management (MCM)

EMM enables your IT organization to securely manage the growing proliferation of mobile devices, while also laying the foundation for mobile business application delivery and infrastructure. It helps your organization gain control over mobility by unifying security and management.

Continuing the Mobile‐Centric Evolution with Windows 10

The evolution to a mobile‐first world continued with the arrival of Windows 10. With this latest version of Windows, Microsoft introduced a consolidated operating system platform that changed the management of end‐user computing environments.

Windows 10 incorporates many features that streamline the management of PCs using the same principles, technologies, and mobile‐cloud approach used for managing the diverse mix of mobile devices that today’s workers now use. In Windows 10, mobile management APIs enable easier, faster, and less complex management opportunities than in prior versions of Windows.


Enhancements in Windows 10 include features that enable dynamic and continuous operating system updates and universal applications that work across different devices. These advances change Windows from a PC‐centric operating system to one that is device‐agnostic and a critical enabler of the digital workplace. This new way of managing Windows is more closely aligned to the MDM‐based approaches found in today’s mobile management tools than to the traditional PCLM tools found in a desktop world.

But you need more than MDM for Windows. That alone isn’t enough. You still have complex Win32 app packaging and delivery, group policies, and other traditional Windows concerns to consider. This is where unified endpoint management (UEM) comes into play. Windows 10 represents changes and opportunities for IT. Updates are coming faster, new security and data protection features can be leveraged, and new deployment options can simplify operations, but Windows 10 does represent change. The advances in Windows 10 should create a catalyst for moving to UEM. Sure, you can treat it the same as Windows 7, but you will miss many of the new capabilities and struggle more than ever with the frequency of updates.

Collectively, the rise of EMM and the advances that came with Windows 10 pave the path to modern PC management — in which all endpoints are managed in a unified manner.

The arrival of Windows 10 presents an opportunity for your organization to rethink how you do Windows management. With the EMM features in Windows 10, you now have the chance to manage PCs as if they are mobile devices. You can now manage PCs and all other end‐user computing devices with a common set of tools, regardless of the operating system. Better still, EMM allows for anywhere/anytime management, even off the domain.


Chapter 2: The Rise of Unified Endpoint Management

In This Chapter

▶▶ Moving beyond point solutions

▶▶ Unifying management with modern PC management

▶▶ Simplifying life for end users and IT admins

Modern PC management allows your IT team to manage desktops and laptops over the air in the same way you manage mobile devices, using a common management platform, called unified endpoint management (UEM). In this chapter, we explain UEM at a high level and summarize the benefits for end users and IT admins.

Struggling Along with Silos and Point Solutions

With the rapidly changing IT requirements brought by the proliferation of heterogeneous devices in the workplace, many IT organizations continue to add incremental capabilities, tools, and specialized teams. This path leads to platform‐specific management silos with different teams of specialists using different processes and different tools.

For example, some IT shops have

✓ One team and set of tools for PC lifecycle management (PCLM)

✓ Another team and set of tools for mobile endpoints

✓ Another team and set of tools for Mac systems

✓ Another team and set of tools for any rugged or purpose‐specific devices

✓ Another team and set of tools for access, password, and identity management

✓ Another team and set of tools for virtual desktops

This approach is neither scalable nor sustainable. Every new operating system, every new device, and every new app adds to the marginal cost of a fragmented approach to management. Employees, too, pay a price, when all those siloed teams are focused on managing discrete things rather than working to streamline and simplify the end‐user experience.

Clearly, a new management approach is needed to solve the problems brought by silos and point solutions. That’s UEM.

Finding a Better Way: A Unified Management Platform

UEM is a key part of any digital workspace strategy. With a digital workspace approach, your IT organization can securely deliver and manage any app on any device by integrating access control, application management, and multi‐platform endpoint management.

UEM is the backbone for the digital workspace. It negates the need to use a potpourri of point solutions to manage mobile, desktop, and Internet of Things (IoT) devices. With a comprehensive UEM solution, you can use a single platform to manage every device and every operating system, across any organizational use case, with a consistent set of policies across all device types and operating systems.

UEM solutions provide a holistic and user‐centric approach to managing all your endpoints. They combine the traditional client management capabilities for desktop PCs — such as operating system deployment, configuration management, software distribution, and operating system patching — with a modern enterprise mobility management (EMM) framework that includes efficient mobile device management (MDM) capabilities. A comprehensive UEM solution enables your IT team to deliver a consistent experience across all endpoints, to secure and manage the full device lifecycle, and to do it all from a central console.

Through its ability to break down the technology silos and consolidate the management capabilities of point solutions, UEM delivers benefits that span the enterprise.

Looking at the End‐User Benefits

Let’s start with the benefits for employees. With a universal digital workspace platform for managing every device and every operating system, your IT team can give your end users a consistent experience regardless of the devices they use to access the corporate environment. Via this single platform, they gain secure access to cloud, mobile, web, and Windows apps on any smartphone, tablet, or laptop. Everything is made available through a single catalog and a consumer‐simple single sign‐on (SSO) experience. They can get a new device up and running in minutes and take care of many of their own needs.

Better still, UEM allows your IT team to personalize access to specific applications and content based on business processes and business roles, usage history, and context, without regard for who owns the device — the user or the company. Tying endpoint management to the user rather than the device also simplifies self‐service and automatic provisioning, while still leaving IT in control of the things that matter to IT.

With UEM, you can eliminate disjointed user experiences by ensuring that applications and business processes look and function the same on different endpoints. This consistency allows users to work in whatever ways are most convenient for them — which, in turn, drives up application adoption, improves end‐user engagement, and ultimately boosts productivity.


Surveying the Benefits for IT Admins

Meanwhile, back in your IT shop, UEM helps you reduce administrative overhead, reduce help desk and deskside support, minimize potential points of failure, and harden security by applying consistent policies across all endpoints. You can consolidate the number of management tools your team uses and limit the amount of integration between device management and back‐end systems, such as cloud‐based applications and virtual private networks (VPNs).

Modern PC management also minimizes the need to track vendor service‐level agreements (SLAs) and product updates, because everything passes through a unified platform. Moreover, this new approach to management enables you to consolidate the many processes your IT team needs to learn and follow to support a large, growing, and heterogeneous inventory of devices and operating systems.

With the process improvements driven by modern management, you can cut costs across the lifecycle of endpoints. Capabilities like zero‐touch onboarding and over‐the‐air updates to end‐user devices help you avoid a lot of manual steps that drive up the costs of IT operations.

Put it all together, and you have a management platform that enables enormous efficiency gains for your IT organization while giving your end users more of what they want — a consistent, seamless experience across all the devices they use.

Modern PC management enables your IT team to

✓ Manage users across all endpoints

✓ Provide a consistent user experience

✓ Secure and manage the full device lifecycle

✓ Consolidate PC and MDM into a single, unified platform


Chapter 3

The Capabilities of Unified Endpoint Management

In This Chapter

▶ Onboarding with “zero touch”

▶ Distributing software, updates, and patches

▶ Protecting security and privacy

▶ Managing the asset lifecycle

In this chapter, we walk through the capabilities of a comprehensive platform for unified endpoint management (UEM). We summarize the processes that span the lifecycle of a device, including hardware provisioning and onboarding, software distribution, updates and patch management, and security management. We also look at capabilities related to asset management, reporting, and analytics.

Provisioning and Onboarding Hardware

Today’s employees expect to unbox a new smartphone, set it up, and be ready to start using it in just a few minutes. Why shouldn’t they be able to do that with their laptops and all other devices they use in the workplace? Now they can with UEM.

UEM enables your IT organization to introduce rapid, automatic, self‐service, and on‐demand capabilities for first‐time setup. Instead of going through an expensive onboarding process, you can do a simpler and cheaper provisioning that minimizes a lot of pre‐employee‐handover steps. You can push out all the necessary configurations and software via a secure connection to any Wi‐Fi network, wherever the employee happens to be. We’re talking about zero‐touch setup.

It’s all pretty simple. When a device first registers with IT, the rules and roles associated with the user’s login trigger the UEM system to launch a seamless onboarding process that automatically installs and configures all appropriate corporate resources and applications.

A full‐bodied digital workspace platform enables zero‐touch setup for a wide range of devices used in the workplace, including Windows 10 and Mac laptops and Android and iOS mobile devices.

Windows 10 devices

Compared to prior versions of Windows, Windows 10 dramatically streamlines the process for device enrollment and provisioning. It introduces new methods and tools that greatly simplify enrollment activities. Collectively, these run‐time provisioning tools enable users to enroll their devices simply and easily, via self‐service functions, without the assistance of an IT administrator. They allow configuration of new off‐the‐shelf devices without re‐imaging. Better still, they work independently of network types and they’re compatible with existing tools.

These capabilities are enabled by a new toolkit called Windows AutoPilot. In a VMware environment, AutoPilot enrolls the device into management with Workspace ONE, the VMware digital workspace platform. Windows AutoPilot gives IT organizations with an Azure Active Directory Premium license a great deal of control over the onboarding experience for users. With Windows AutoPilot, your IT team can customize the onboarding experience for new Windows 10 PCs to enable an end user to have a fully configured device within minutes of unpacking the box — without any involvement from your IT shop.

It’s all pretty simple for your end users. When they connect a new Windows 10 PC to the network, Windows prompts them to sign in with their Azure Active Directory email address and password. After they’re authenticated, the new device joins the Azure Active Directory and they’re automatically enrolled by your UEM solution. Users also get a unique first boot experience with the right work profiles, operating system customizations, security policies, and apps they need — all deployed over the air.

If you’re deploying select Dell Windows 10 devices, you can take advantage of zero‐IT touch cloud provisioning of preconfigured systems shipped straight from the factory to the user. This Windows 10 Provisioning Service, available via the VMware Workspace ONE platform, powered by AirWatch UEM technology, gives you a true drop‐ship experience. It helps your IT organization reduce the time and costs associated with device deployment, setup, and asset tracking and inventory. Windows 10 Provisioning is available worldwide on Dell Latitude, OptiPlex, and select XPS PCs, and Dell Precision workstations. The Windows 10 Provisioning Service works across Active Directory and Azure Active Directory environments and does not require any additional licensing.

iOS, macOS, and tvOS devices

Apple streamlines and accelerates the onboarding process with its Device Enrollment Program (DEP). This program helps businesses easily deploy and configure iOS, macOS, and tvOS devices, including organization‐owned iPad and iPhone devices, Mac computers, and Apple TV devices that are purchased directly from Apple or participating Apple‐authorized resellers or carriers.

DEP simplifies initial setup by automating mobile device management (MDM) enrollment and supervision of devices during setup. It allows your IT team to configure iPad, iPhone, and Mac devices without touching them. When users activate their devices, you can immediately configure account settings, apps, and access to IT services over the air.

Supervision is a mode that allows a Mobile Device Management solution to control additional functions on an iOS device. This feature is intended for institutionally‐owned devices. The best way to utilize Supervision is to enroll devices with Apple’s Device Enrollment Program (DEP).


This is all a game changer for your IT team. Legacy deployment techniques like imaging are no longer needed when you provision macOS devices, because onboarding is now driven largely via MDM application programming interfaces (APIs). With the capabilities of modern management, you can leverage DEP as the default way to streamline onboarding for all your iOS and macOS devices. With DEP, you can give users an easy out‐of‐the‐box experience — so they can get down to business right away.

To help accelerate the move from legacy imaging for Macs to modern PC management, you can create and use “bootstrap packages,” available on the VMware Workspace ONE platform, powered by AirWatch unified endpoint management technology. These packages make it easier to deliver install packages immediately upon enrollment and to customize the DEP onboarding experience. They enable you to make end‐user devices usable sooner after the device enrolls than you could with a traditional enrollment process.

Android devices

Google makes it easy to onboard Android devices with its zero‐touch enrollment capabilities. With the latest zero‐touch enrollment capability, work‐managed devices can be provisioned just by turning them on out of the box, enabling instant security and access to business apps and resources.

Android zero‐touch enrollment streamlines the onboarding experience for both IT and end users. By removing manual processes, zero‐touch enrollment allows devices to be set up quickly — without a lot of help‐desk requests. IT setup is simple. Your preferred zero‐touch supporting carrier will help you get the Google zero‐touch portal populated with your devices. From there, you can add enrollment configuration for these devices so enrollment is initiated during device setup.

So, how does this work? After turning on an Internet‐connected Android device, the enrollment process automatically kicks off. Your digital workspace platform installs a profile on the device, and — like that — you’re off and running. When enrollment completes, apps and policies deployed from the UEM console are automatically pushed to the device, making it ready for use. This helps you ensure that end‐user devices have all the right corporate policies in place and that users don’t have to struggle with manual configuration.

If you use Samsung devices, there’s another easy enrollment option: Samsung Knox Mobile Enrollment. It provides an easy and efficient way to enroll large numbers of corporate‐owned devices, while keeping end‐user interaction to a minimum. With this tool, you can enroll up to thousands of Samsung devices via your UEM console without manually configuring each device.

Modern management enables your IT team to implement zero‐touch enrollment for a wide range of devices, including Windows 10 and Mac laptops and Android and iOS mobile devices.

Distributing Software

Software distribution is an ever‐growing challenge for your IT organization. Every year, you need to distribute more software and more updates to more endpoints and more types of devices. And you need to do it all quickly to keep operating systems and apps up to date. A UEM solution helps you streamline the process of getting the right software on your end‐user devices.

Pushing and pulling software

With the modern management capabilities of a robust digital workspace platform, some software may be installed as part of the onboarding process (pushing upon setup), some may be later pushed to users, and some may be made available on demand via a unified app catalog (pulling). Modern management enables you to deploy public, internal, or bulk‐purchased apps to devices automatically or to an enterprise app catalog for on‐demand install.

Apps that are pushed to devices as part of the onboarding process typically include those that everyone in the organization needs, such as the Microsoft Office Suite for day‐to‐day work and Adobe software for working with PDFs. Other apps pushed out in the onboarding process include those that are tied to a particular user profile, such as apps used by employees in engineering or finance.


Apps that only certain users might need or want can be made available via an enterprise app catalog. The app catalog gives your users a one‐stop shop to view and download applications. Access to individual apps is based on settings you establish in the UEM console.

When you select desired apps from public app stores for distribution, you simply configure the assignment to your corporate devices smart group and then select your deployment option to automatically push the app to the enrolled devices or your app catalog.

Packaging and deployment

When you deploy apps on iOS or Android, they’re delivered via an app store. It’s harder on PCs. A lot of Win32 and Mac apps might be gigabytes in size and very complex. They often require custom configurations and settings, depend on certain software libraries for execution, and may be contingent upon other software being installed previously to run in the first place. This creates packaging complexities that have to be dealt with in the packaging process. When you distribute Microsoft Outlook, for example, you may need to add various plugins, such as a WebEx plugin and plugins for other apps people use with Outlook. That makes the package bigger and the process harder.

To package and deploy Win32 and Mac apps to remote worker and branch office endpoints, IT organizations typically rely on costly distribution servers, which are both capital‐ and labor‐intensive, with dedicated teams focused on maintaining them.

In contrast, a UEM platform enables a more efficient, cloud‐first and enterprise‐scalable software deployment experience that reduces bandwidth, infrastructure, and labor costs. It allows you to seamlessly deliver all Windows and Mac applications as reliably and easily as a modern app in a unified catalog. UEM takes a simple workflow‐driven approach to streamline packaging and distribution of apps. This allows your admins to upload Win32 apps, define custom install criteria, automatically populate app metadata for reporting and identify dependent libraries, even associate required app updates/patches, and finally assign them to desired user groups in a simple workflow and remove the complexity of packaging.


App virtualization

When you virtualize applications with Remote Desktop Session Host (RDSH), a Microsoft Server technology made popular through VMware Horizon and Citrix XenApp, you can make them available to your end users without installing them directly on the endpoints. That’s a benefit of abstracting the application from the underlying operating system. The app becomes more portable and more operating system agnostic.

Why would you want to do this? Here are a few potential use cases for app virtualization:

✓ Avoiding compatibility issues: If you have a homegrown Win32 app that isn’t compatible with Windows 10, you have a problem on your hands. The app is going to cause things to crash on Windows 10 systems. But if you virtualize the app, you can deliver it to the endpoint as a virtual app or as an app within a virtual desktop. You can then continue to use the app without reworking the underlying code.

✓ Improved performance for resource‐intensive applications: You may want to virtualize an app that is extremely graphic intensive or resource intensive, like Adobe design tools or AutoCAD software. You can then run the virtual app from endpoints that otherwise wouldn’t be able to process it.

✓ Dealing with unsupported endpoints: App virtualization may also be a good solution for cases in which you have contract workers or users working on unsupported endpoints. In these use cases, the untrusted endpoint never needs to touch the enterprise network and no files or other data may be left behind on the device.

Peer‐to‐peer distribution

The majority of Windows enterprise software consists of classic Win32 applications that are large — some may be gigabytes in size — and complex to package, deploy, and maintain. To deploy apps to remote worker and branch office endpoints in a global enterprise, organizations may need thousands of costly distribution servers, lots of storage devices, and dedicated teams that manage and maintain the distribution infrastructure with labor‐intensive processes.


You can overcome these challenges with modern management that includes integrated peer‐to‐peer (P2P) software distribution technology. With P2P distribution, one machine downloads an app or operating system update and makes it available locally to other peers, or endpoints, that need the same software. The peers can then access the software locally, without tying up bandwidth on the corporate network. And because software is distributed locally among peers, remote worker and branch office users receive apps and updates faster — at local area network (LAN) speeds.

With the P2P approach, you can create a robust, reliable, and cost‐effective software distribution system that scales much faster than conventional approaches. And even better, software gets distributed to end users without the need for on‐premises software distribution and storage servers that are costly to buy and costly to maintain. It’s a whole new model for software delivery.

Peer‐to‐peer software distribution:

✓ Solves persistent distribution challenges

✓ Improves delivery speeds

✓ Drives down capital expenditures (CapEx) and operating expenditures (OpEx)

Updating Operating Systems and Managing Patches

With the rise of the mobile workforce came a rise in the numbers of corporate laptops without the latest operating system updates and security patches. When users today are constantly moving in and out of company buildings and working on and off the company network, IT teams struggle to keep endpoints up to date. As a result, in many organizations a percentage of devices won’t get patched, even weeks or months after critical updates are available and pushed down by IT.

In a time when security threats are rising in number and severity, this is an unacceptable state of affairs. You can’t leave systems unpatched for weeks or months after a threat has been identified. Just consider the impacts of the WannaCry ransomware attack that swept the globe in a matter of days in May 2017, causing panic in IT shops and C suites around the world. Microsoft released a patch for the vulnerability exploited by WannaCry well before the virus became widespread. If companies had the technology in place to get that patch onto end‐user devices right when it was released, they could have saved themselves a lot of pain.

In today’s world of constantly evolving cybersecurity threats and constantly moving users, the traditional management model for updating PCs is broken, painful for IT, and risky for businesses. This is another argument for a modern management platform.

Pushing patches and OS updates the OTA way

With UEM, you can push patches and operating system updates from the cloud to wherever your end users are and whatever networks they’re on. This over‐the‐air (OTA) approach to patching and updating endpoints leverages new capabilities in Windows 10 systems that enable OTA updates as a service. Apple offers similar capabilities that enable your IT team to push patches and updates to macOS laptops. This is no different than the way we have seen Apple update iOS for each version. As users, we update them seamlessly over the air at the click of a button. OTA updates for Windows follow the same approach, but with more enterprise controls to select updates that are pushed out based on your org’s sensitivity to feature and security updates.

There are many obvious advantages to this cloud delivery and servicing model for keeping systems up to date. Nevertheless, your IT team is probably fearful of losing control over which patches are distributed as part of these rollups and of potentially breaking the operating system with a patch that hasn’t been fully tested internally. Adding to the challenges are the large sizes of the cumulative update rollups that are released frequently and the major upgrades that may be released a couple times a year. When you push these files to endpoints, you have to deal with any network and bandwidth constraints in wide area networks (WANs).


A modern management platform gives you a way to address these concerns. From your UEM console, your IT admins can pull in all the updates that are relevant for a particular endpoint and then either auto‐approve them if they’re security or vulnerability related, or hold them back and test them before they’re pushed to endpoints. Or you may auto‐approve or disallow certain update groups based on a targeted group’s sensitivity to feature and security updates. With UEM, you’re always in control.

With a modern management platform, you get the best of both worlds:

✓ The ability to update endpoints in a timely and automated manner

✓ The flexibility to make updates on your terms

Managing Security

Security is a huge concern when your IT organization is providing services to remote and mobile workers. You need new strategies to protect corporate data at rest, in transit, and cached or stored on mobile devices. A modern management approach helps you put these strategies in place.

With UEM, you can secure enterprise data with settings, policies, and rules to keep users and devices compliant, all configured and enforced from your central management console. You can restrict access to enterprise resources to authorized users, apps, and compliant devices by using conditional access controls and per‐app virtual private network (VPN) segmentation. You can even force device encryption using BitLocker in Windows 10 or FileVault in macOS. Encryption makes the data in the systems unreadable to unauthorized users — which is critically important in scenarios where a device is lost, stolen, or retired with data still on the drive.

You can also create compliance rules and link them with automated, escalating actions that notify users to self‐correct their compliance issues and, if necessary, limit or remove access to corporate resources — all without any hands‐on IT involvement. You can even create compliance policies with custom whitelists and blacklists that allow only apps from trusted publishers and locations to be installed or run on end‐user devices. That helps you ward off malware and malicious applications.

Better still, as we note earlier in the patch discussion, remote management and over‐the‐air configuration capabilities enable you to push critical security patches at any time, with real‐time visibility into compliance status and device health — all through your UEM management console. Those are really important capabilities in a time of highly sophisticated attacks on corporate systems. You want to make sure all the doors are locked, night and day.

Integrating Employee Devices

Many employees now use their personal devices for company work — a trend known commonly as BYOD, short for “bring your own device.” UEM enables your IT organization to implement a BYOD strategy without sacrificing security or employee privacy.

To enable BYOD policies, modern management provides separation of work and personal data on the device. This separation enables your IT team to manage and secure only the work‐related data on an employee‐owned device. If a device is ever compromised, or if an employee leaves the company, you can remove only the corporate data from the device, leaving the employee’s personal information and apps intact. That means both sides get what they want: Your IT team can enable BYOD in a manner that protects the company’s interests, and the employees can use their preferred devices without worrying that IT may one day wipe out their personal information.

How do you secure corporate data on BYOD devices? Data on the endpoints is protected through device restrictions, encryption, passcodes, data loss prevention (DLP) policies, and remote lock‐and‐wipe capabilities — for cases in which a device is compromised. You can do it all using the over‐the‐air device configuration capabilities in your modern management platform.


Managing Assets, Reporting, and Analytics

A modern platform simplifies asset management and reporting by providing full visibility into connected endpoints. Centralized hardware and software inventory management for Chrome OS, macOS, and Windows gives you real‐time visibility into your laptop deployments, right alongside the mobile devices used in the organization. UEM gives you this visibility regardless of whether a device or user is on the network and regardless of who owns the device. That’s a big contrast with the way things were done in the past, when the reports would just tell you what the devices were running the last time they were on the network.

Intelligent asset management

The core power of UEM can be extended with a consolidated pool of data and analytics tools that enable smarter endpoint management. This next‐generation approach gives your IT team the ability to leverage data captured from across the digital workspace environment — from the device to the apps to the identity of each user — to gain deep insights into what’s really going on out there.

From the UEM console, you can search and query your environment to analyze data, identify patterns, and detect anomalies. With custom dashboard views and historical reports, you have quick access to the information you need to make the right data‐driven decisions based on a clear view of the following:

✓ Device types

✓ Operating system distribution

✓ App deployment

✓ App adoption

✓ App usage

✓ App versions

✓ App licensing

✓ And much more


With a modern management platform, your IT admins can easily run reports to identify assets with patch vulnerabilities, monitor critical Windows security status across your environment, see the installation progress for app deployments, and perform software and device inventories.

Tracking patch compliance

With conventional approaches to asset management and reporting, IT admins struggle to get any on‐demand visibility into the installed updates on end‐user systems. They may even have to write massive SQL queries to get simple reports on update status.

A modern management platform solves this problem with patch intelligence and reporting that helps you stay on top of your information‐security requirements. For example, you can now receive detailed reports on inventory and perform compliance auditing of individual Windows updates across a fleet of end‐user devices.

In a modern management platform, the data from endpoint audits is tied to a powerful rules engine that enables you to

✓ Automate compliance: Immediately quarantine noncompliant endpoints from company resources.

✓ Automate remediation: Deploy patches over the air to get the endpoint into a compliant state.

Considering the Special Needs of Mac and Chromebook Devices

There are likely some Macs and Chromebooks in use in your organization that may or may not already be managed. Integrating devices that run the High Sierra version of macOS or Google Chrome OS can be challenging in a traditional management environment, but a modern UEM takes them on like a champ.


macOS High Sierra

With the introduction of macOS High Sierra, Apple continues to evolve the Mac operating system toward more efficient, modern management, much like iOS devices. For example, Apple released the new Apple File System (APFS) in macOS High Sierra. The change to APFS makes traditional management through imaging much more difficult. The new file system basically requires a modern approach to Mac management through the Apple DEP and MDM profiles and APIs.

A modern unified management platform offers DEP APIs to streamline enrollment and get devices into management with an easy “out‐of‐the‐box experience” (OOBE) and easy account configuration, reducing the high touch for IT. For macOS High Sierra, a modern platform builds on that OOBE with “bootstrap packages” that help you move away from legacy, imaging‐based deployment and adopt DEP as your new standard for enrollment. Your IT shop can deliver these simple installer packages during DEP enrollment to customize the onboarding experience with specific operating system configurations and tools.

At enrollment, you can also enable key security features in macOS — such as FileVault encryption to protect application data and Gatekeeper to prevent malicious application downloads. And while you’re at it, you can use the compliance engine in your UEM solution to set up automated actions for specified security or system events and compliance violations to further protect the business data on the endpoints.

Chromebooks

You can now manage and secure Chromebooks from the same UEM console that you use to manage the rest of your end‐user devices. With the Chrome OS device management capabilities in the modern management platform, you can easily onboard Chrome devices to have them ready to go right out of the box. You can configure them for desired use cases, management policies, and apps that are delivered over the air.

Via the UEM console, your IT team can give users consumer‐simple access to all apps, including virtual Windows apps and desktops, via an identity‐enabled, consolidated app catalog.


UEM also allows you to take advantage of the many enterprise‐grade Chrome security features, including auto‐updates of the operating system, tamperproof hardware, conditional access policies, DLP, and even remote wiping of a lost or stolen mobile device or ruggedized peripherals like industrial scanners or data tablets used in the field.

Via the UEM console, you can

✓ Push Chrome extensions, Chrome apps, and Android apps to Chromebooks

✓ Change power management profiles to maximize battery life

✓ Customize the browser experience for users

✓ Configure single sign‐on (SSO) settings to determine how users gain access to devices

✓ Configure restriction settings to determine who can access Chrome OS devices

✓ Configure update settings


Getting Started with Unified Endpoint Management

In This Chapter

▶▶ Looking at the key planning considerations for unified endpoint management

▶▶ Examining three approaches to getting started

▶▶ Learning tips for getting it right

All IT shops are going to move to modern PC management. The question is when and at what speed. In this chapter, we look at key planning considerations and three approaches to getting started with modern endpoint management.

Considering the Key Planning Factors

There are significant operational differences between the management of traditional desktops and the management of digital workspaces. A digital workspace requires new IT processes and new admin skills that build on existing IT skillsets.

In this section, we look at some of the key considerations in the process of implementing and operating a digital workspace strategy.

Chapter 4


Policies for end‐user devices

A digital workspace might include both corporate‐owned off‐the‐shelf devices and devices chosen by the end user under a “bring your own device” (BYOD) model. Regardless of the device source, the applications on them must be governed by the organization’s IT policies. Permission to access corporate information may require compliance with policies governing device context, location, authentication strength, and other factors.

Individual users’ digital workspaces are defined by the set of applications they have access to and a set of policies that manage their usage. Regardless of the device, the user is managed with policies that IT defines. Rules are set based on policy configuration.

Virtualization of desktops and apps

A digital workspace requires that apps be portable across operating systems and devices. Although modern web‐based applications and mobile development platforms abstract between iOS and Android, and Windows Modern apps can be provisioned over the air to Windows 10 devices, most organizations still have hundreds of Windows 32‐bit applications tied to a specific Windows operating system and a tested, standardized image. These legacy apps create the requirement for virtualization.

One of the key steps in implementing a digital workspace strategy is to identify which apps and desktops should be virtualized and hosted in the data center and which apps can be installed natively on devices. These decisions are highly dependent on the work environment.

When to publish apps and when to provide entire desktops

To deploy a digital workspace environment to employees who are dependent on traditional Windows 32‐bit apps, you need to determine when to provide apps to users and when to provide entire virtual desktops. You’ll probably want to publish apps to employees who spend a great deal of their time with productivity applications and/or web‐based applications. You may want to push an entire desktop to employees who will interact with many applications throughout the day that revolve around core enterprise system‐of‐record applications. These employees may be primarily based in an office or home‐office setting and may include many backend business personnel, software developers, customer support or service employees, and healthcare workers using clinical desktops.

The app catalog

In a digital workspace environment, apps are delivered through a catalog. Web, Software as a Service (SaaS), and virtual apps may be accessed through the catalog as bookmarks, while other apps are natively installed and activated if or when the user needs them. This catalog doesn’t have to be built all at once or replace your existing PC management process.

You can begin with some key apps and grow your catalog over time. At some point, you’ll find that you’ve reached a critical mass or a tipping point, where line‐of‐business organizations and users will ask and request that new apps be added to get the convenience and simplicity of the catalog. At that point, you’ll know you’ve been successful.

Security strategy

Security concerns are heightened with a mobile workforce. With the right policies and technologies in place, your digital workspace environment can offer all the security assurances of a traditional desktop environment.

Here are some of the key considerations in establishing a security strategy:

✓ Application virtualization: The most foolproof way to manage data loss and protect corporate systems. It’s used for the most sensitive or regulated data protection.


✓ Micro‐segmentation: In recent years, network virtualization has been added to application and desktop virtualization to provide micro‐segmentation within the corporate network. Micro‐segmentation can be used to separate one user’s processes from another’s. Micro‐segmentation can also build virtual tunnels from the application all the way to its data services, assuring that an attack launched from the virtual app or desktop can’t be used to launch attacks from east to west inside the network.

✓ Policy and patch management: Beyond virtualization, a digital workspace environment also improves security and compliance by offering instant push‐based policy and patch management for devices across any network. This capability helps your IT organization keep end‐user devices up to date and compliant, thus increasing security.

✓ Data encryption: A policy could be developed to limit the download of files within a virtual desktop to permit only devices using the BitLocker Drive Encryption data protection feature, available in all editions of Windows Server and certain editions of the Windows operating system. BitLocker encrypts hard drives to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen.

✓ Multi‐factor authentication: Built with enterprise‐level security in mind, the VMware digital workspace solution includes multi‐factor authentication, providing stronger security than a password. Multi‐factor authentication can leverage an employee’s personal device to act as an additional, unique factor of authentication, requiring a simple “swipe‐to‐accept.”

Staff skillsets

A digital workplace strategy changes the skillsets required for IT staff. They do far less laptop imaging and asset management, and focus more on maintaining app catalogs, policies, and mobility management tools that govern configuration, app lifecycle management, and policy enforcement.

Other useful IT skills in a digital workplace include user experience design, performance and usage monitoring, and even business process optimization, as your IT organization partners with the business. For example, you might partner with the business to build new micro‐apps that simplify tasks once processed from a desktop and move them to employees who are in the field or in front of customers. None of this is hard to do. It’s just a mind‐set change.

Finding the Best Approach

Here are three possible approaches to getting started with unified endpoint management (UEM). Which one works best for your organization? Read and find out.

The “wait and see” approach

When the talk turns to changing an organization’s approach to managing PCs, IT managers can get a little nervous. And that makes sense, because you’re talking about adopting new management tools and new processes and developing new IT skill sets. All that can make the status quo sound pretty okay. So, why not hang back and wait to see what new tools may become available to manage your legacy systems in much the same way you manage them today?

However, there are downsides to doing nothing. One of them is the security risk that comes from end‐user systems that don’t have all the needed operating system updates and security patches and aren’t configured to use all the available security features on the operating system, like data encryption. To keep systems safe, you really need to be able to push operating system updates, patches, and policy‐driven security configurations to your PC endpoints.

Another downside of putting off the move to UEM is the end‐user experience. With UEM, you can unify the end‐user experience across all endpoint platforms while giving your users more choices about the devices and apps they use.

And on the IT side of things, without UEM, you can’t keep up with ongoing innovations for PC management in a mobile‐first world. A modern management platform integrates application programming interfaces (APIs) from major endpoint platform providers to help you stay in lockstep with the latest innovations in devices and applications.


The hybrid approach

With a hybrid approach, you do a little of both — some traditional management and some modern management — to merge the processes of the past with the processes of the future. Here are a couple of examples that illustrate the range of possibilities:

✓ A light client approach: For devices that don’t need heavy image management today, a light client approach can be beneficial. This approach leverages UEM for endpoints that don’t need a high‐touch, image‐driven management model. Examples include executive companion devices, remote workers, contractors who need access to just the cloud apps, and sales executives. This isn’t about imaging and adding UEM, but rather identifying the use case that fully supports a “cloud‐first” approach.

✓ A customizable base image: You may have a base image, including fundamental apps, that is factory installed on all your end‐user PCs. You can use your modern management platform to configure end‐user systems and add certain apps that are tied to user roles, such as apps used in marketing, sales, or engineering. This provides some of the benefits of modern management and removes some of the burdens that come with maintaining different images for different types of users. Along the way, you put your organization on the path to a broader UEM deployment.

✓ An iterative approach: This approach involves moving key payloads to UEM to co‐manage with the existing PC lifecycle management (PCLM) solution. It enables your organization to migrate workloads to a modern management approach over time. For example, you might identify workloads that cry out for modern management, such as patch management, and start there. Over time, you can expand the reach of your modern management solution to encompass app packing and distribution. This phased approach can help you ease the pain of managing remote PCs while moving to UEM on a timeline that is right for your organization.


Certain UEM solutions, such as VMware Workspace ONE, allow co‐existence of MDM with existing PCLM solutions to enable the iterative approach. Customers can leverage UEM to manage key payloads such as OS patching, BitLocker encryption, compliance policies, and so on and transition other workloads that may need more engineering effort, such as app management, at a later date using a phased approach. To help accelerate the move to modern management, certain UEM tools provide open source tools that can help migrate legacy OS, policies, and apps to Windows 10 and modern management.

In 2017, Microsoft unveiled the availability of co‐management features in Windows 10 systems. These features enable you to manage Windows 10 systems with a combination of the capabilities in Microsoft System Center Configuration Manager (SCCM) and a cloud‐based unified endpoint management platform.

The cold‐turkey approach

With this approach, you just say “no” to traditional management. You move fully into modern management for all your end users or at least for certain types of end users who could benefit greatly from over‐the‐air device management.

For example, mobile employees are a “no brainer” starting point for your move to cloud‐based modern management, because they aren’t consistently on the network. As they refresh their machines, you can move them to modern management.


Ten Essential Traits for a UEM Technology Provider

In This Chapter

▶▶ Reviewing the benefits of unified endpoint management

▶▶ Choosing the right unified endpoint management provider

When you start down the path to modern PC management, you want to make sure you’re going to realize the full range of potential benefits. You can do that only if you choose the right unified endpoint management (UEM) technology provider for your organization’s needs. With that thought in mind, in this chapter, we outline ten essential traits for a UEM technology provider.

Unique Vision for Mobility Management

Your solution provider should bring together industry‐leading identity, productivity, and collaboration solutions to enable end users with a seamless digital workspace across any device. The provider should empower IT with a future‐proof digital workspace platform that provides the flexibility to manage multiple use cases. The platform should provide unified management of endpoints, end‐to‐end security from devices to data center, and seamless integration across enterprise systems.

Chapter 5


Proven Technology

Before you give your trust to any technology, the solution provider must earn it. Look for a company that has well‐established relationships with customers around the world, recognition from industry analysts, and respect from strategic partners — including device manufacturers, operating system providers, mobile operators, system innovators, distributors and resellers, and independent software vendors.

Global Presence

For many enterprises, the marketplace now spans the world. To meet the needs of a worldwide business, you need a digital workspace platform that is built to support global deployments within a single console and to support a multitenant architecture. The platform should provide localized solutions, in local languages where possible, to accommodate a global workforce. Additionally, your platform should be backed by a global network of services professionals and data centers for hosted deployments.

Unified Platform

End users now gravitate toward the devices that make them most comfortable — and consequently most productive. That means they’re choosing from smartphones, tablets, laptops, and rugged devices across Android, Apple iOS, BlackBerry, Chrome, Mac, and Windows platforms. To meet the realities of the way that people live and work in a mobile world, your digital workspace solution should include broad operating system and device support, including capabilities like support for same‐day updates.

Integrated Apps and Content Management

To help your end users stay productive, your digital workspace solution should include integrated productivity and collaboration apps, along with centralized content management. Better still, your platform should provide a path for transitioning key business processes to mobile devices through productivity applications and an app ecosystem, along with a centralized app catalog that your users can easily access to get the apps they need.

Management Framework for Bring Your Own Device

End users want the freedom to choose their own devices. This means you need a management framework that supports all major mobile platforms in addition to PCs, Macs, and Chromebooks. This framework enables your IT organization to establish a comprehensive and secure bring your own device (BYOD) program. It should additionally empower employees to self‐manage their devices, reducing the need for additional IT resources.

End‐to‐End Security

Digital workspace platforms that foster access to corporate resources must also protect those resources. To meet this requirement, your platform should include a unified identity management framework and end‐to‐end security, from devices to the data center.

Powerful Automation Tools

When you’re in the IT game, you’re continually challenged to deliver more services for the business without adding budget or resources. To meet this challenge, you need a digital workspace platform that eases the IT burden with powerful automation engines that continuously monitor devices and perform escalating actions to enforce compliance. Your platform should also simplify reporting tasks with real‐time mobile analytics, interactive dashboards, and preconfigured reports.


Scalability for Growing Businesses

Modern management demands a platform that scales to support new processes and an increasingly mobile workforce and customer base. With the right digital workspace platform, you can seamlessly scale as your business grows and your mobile initiatives evolve. Ideally, your platform should enable you to support your entire global deployment within a single console and delegate management across geographies, divisions, and departments with role‐based access controls.

Integrated Technology Ecosystem and Extensible APIs

The best digital workspace platforms enable you to integrate your existing technology investments through extensible application programming interfaces (APIs). Your technology provider should have a robust independent software vendor (ISV) ecosystem composed of leading device manufacturers, network access control (NAC), certificate authorities, content repositories, directory services, email infrastructures, mobile threat prevention, and more. This integrated ecosystem allows you to easily deliver enterprise‐ready apps. A digital workspace solution that integrates with your existing infrastructure will help you gain the greatest value from your current investments and seamlessly extend those systems to mobile devices.


Appendix A

Resources

Ready for a deeper dive into the technologies that enable unified endpoint management (UEM)? Check out the following resources.

Analyst Reports

IDC MarketScape: Worldwide Unified Endpoint Management Software 2017 Vendor Assessment (http://learn.vmware.com/43405_REG?touch=1&src=so_5a0c4f8e0617a&cid=70134000001SigC): This IDC MarketScape study analyzes the unified endpoint management (UEM) market, taking into account vendor support for Windows 10 and macOS management, support for iOS and Android, and capabilities that help customers bridge the gap between traditional PC lifecycle management (PCLM) and UEM platforms.

Gartner: Critical Capabilities for Enterprise Mobility Management 2017 (www.air-watch.com/lp/gartner-critical-capabilities-for-enterprise-mobility-management-2017): Read Gartner’s evaluation of critical capabilities for enterprise mobility management (EMM) vendors. Vendors are critiqued based on their ability to support a wide range of platforms and advanced features.

Gartner: Magic Quadrant for Enterprise Mobility Management Suites (www.air-watch.com/lp/gartner-magic-quadrant-for-enterprise-mobility-management-2017): Learn what Gartner has to say about vendor strengths and cautions in the EMM market.


White Papers

Unified Endpoint Management: The Next Step in the Evolution of Device Management (www.air-watch.com/lp/unified-endpoint-management-the-next-step-in-the-evolution-of-device-management): Learn more about UEM and how it helps you take a consistent approach to managing and securing every endpoint, any app and content, and across deployment use cases, all from a single holistic platform.

Modernize Windows 10 Management and Security with VMware AirWatch UEM (http://learn.vmware.com/42436_REG): Read this IDG white paper to learn how your organization can leverage UEM to support a modern approach to Windows 10 management and security.

Blogs

10 Best Practices for Migrating From Windows 7 to Windows 10 (https://blogs.air-watch.com/2017/10/10-best-practices-windows-10-migration): Get tips from a subject matter expert on best practices to adhere to prior to and during migration to Windows 10.

6 New PCLM Capabilities for Windows 10 + Unified Endpoint Management (https://blogs.air-watch.com/2017/09/new-pclm-windows-10-unified-endpoint-management): Learn how a robust UEM offering combines modern mobile device management (MDM) efficiencies with traditional PCLM requirements.


Infographics

Windows Management: A Modern Makeover (www.air-watch.com/uploads/global-media/vmware_windows_10_infographic.pdf): Walk through five key management enhancements in Windows 10. Get a “before and after” view of Windows 10. Learn how a modern platform draws out the distinctive traits of Windows 10.

Websites

VMware Unified Endpoint Management (www.air-watch.com/solutions/unified-endpoint-management): Explore the technologies and solutions for a comprehensive approach to UEM.


Appendix B

Glossary

This book uses lots of specialized terms relating to unified endpoint management (UEM). As you read through, it’s easy to forget a definition or two, so here’s a handy summary.

API: See application programming interface (API).

application programming interface (API): APIs enable software developers to write applications that work with an operating system. Windows 10 includes a unified set of APIs that enables developers to write a single code base that can be run and managed on any device.

bring your own device (BYOD): BYOD is an IT policy that allows employees to use their personal devices for work purposes. Modern management enables organizations to support BYOD without sacrificing security or employee privacy by providing separation of work and personal data on the device.

BYOD: See bring your own device (BYOD).

digital workspace platform: A digital workspace platform enables IT administrators to simply and securely deliver and manage any app on any device by integrating access control, application management, and multi‐platform endpoint management.

EMM: See enterprise mobility management (EMM).

enterprise mobility management (EMM): A device‐ and platform‐agnostic solution that centralizes the management, configuration, and security of all the devices used in an organization, both user owned and corporate owned. EMM goes beyond traditional device management to include management and configuration of enterprise apps and content. A fully featured digital workspace platform includes EMM capabilities.


endpoint: A blanket term that refers to the computing devices that end users employ, such as mobile devices, laptops, desktops, and Internet of Things (IoT) devices.

Internet of Things (IoT): The network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators, and network connectivity that enables these objects to connect and exchange data.

IoT: See Internet of Things (IoT).

MAM: See mobile application management (MAM).

mobile application management (MAM): MAM technologies apply management and policy controls to individual apps instead of the entire device. MAM solutions typically offer a custom app store that enables control and delivery of both internally developed and third‐party apps.

MDM: See mobile device management (MDM).

mobile device management (MDM): MDM is a device lifecycle management technology that enables IT to deploy, configure, manage, support, and secure mobile devices through MDM profiles installed on the devices. Unified endpoint management (UEM) includes MDM capabilities.

P2P (peer‐to‐peer) software distribution: See peer‐to‐peer (P2P) software distribution.

peer‐to‐peer (P2P) software distribution: With P2P software distribution, one machine downloads an app or operating system update and makes it available locally to other peers, or endpoints, that need the same software.

PC lifecycle management (PCLM): PCLM encompasses all the management tasks for traditional PCs, such as operating system deployment, configuration management, software distribution, and operating system patching. Modern management includes PCLM capabilities.


PCLM: See PC lifecycle management (PCLM).

UEM: See unified endpoint management (UEM).

unified endpoint management (UEM): UEM provides a holistic and user‐centric approach to managing all mobile, desktop, and IoT endpoints. UEM combines the capabilities of PCLM, MDM, and EMM to enable unified management of all endpoints.


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.