Windows 8 offers desktop teams an opportunity to take advantage of a sea change in the management of enterprise endpoints that originated in the smartphone segment and is a direct consequence of the consumerization of devices. And no, I don’t mean MDM, MIM or MAM. These are also required – for a superb introduction you should read Jack Madden’s recent book on the topic.
The opportunity is this: Get out of the business of maintaining your own enterprise Windows image. Let Microsoft patch the OS – as consumers do. We expect this for our smartphones and tablets today, and Microsoft does a superb job of update management. Getting out of the business of image management will allow you to focus your IT efforts on empowering users, and need not pose a risk:
- Start down this path with the goal of empowering users for mobile use cases first, focusing only on the use of modern, mobile-ready applications rather than trying to get every legacy app that you have had to support in the past to also work on Windows 8. In other words, treat the device as you would a BYO iPad: You don’t maintain an enterprise iPad image, and there’s no need to have a Windows 8 image for ultrabooks, convertibles and tablets when the goal is to empower users to deal with email, access documents and the web, and deal with the vast majority of standard workflows that don’t require your legacy apps to be tested on the new OS.
- Legacy applications that are required for specific users can then be added on an as-needed basis, assuming security and compliance constraints are met, and that the application runs on Windows 8.
- There are also other ways to deliver legacy apps: For example, Remote Desktop Services/Citrix XenApp allows a server-hosted app to be delivered to a connected client.
- I also think that app-compat is an over-blown concern: Microsoft has done a fantastic job of application compatibility from Windows Vista onwards. It is my firm belief, after meeting hundreds of enterprise IT folk, that in the vast majority of cases, the reason IT chooses Windows 7 32-bit is because XP was 32-bit and nobody really had time to test all apps to see if they would work on 64-bit. These same IT folk assume that they would have to manage a Win8 device as yet another (32- or 64-bit) PC, and that therefore the traditional nightmare of desktop management and app compat would make this cost-prohibitive, given the momentum of Windows 7 adoption.
Here’s another bet: If you treat a Win8 device like an iPad that comes with Enterprise manageability and awesome app compat built in (and not like another PC), you will realize that for the vast majority of use cases, having the OS maintain itself will have no downside. Moreover it will reduce costs and increase security by getting patches installed quicker. Why not just go for BYOD iPads and be done with it? Well, productive users also need apps that will run happily on Win8 devices: Office, for starters. And the device needs to be a productive form-factor: keyboard and mouse, USB… you name it. An iPad is a (useful) consumption device, and real users need more.
As you adopt this path, you will realize that one of the biggest benefits of consumerization is its approach to device management – provided that you can ensure that the device remains secure. Bromium will* certainly be able to help with the latter: A vSentry-equipped device will defeat all malware, and need never be remediated – even if it is attacked. And you can manage the user and device the way you do today using AD/SCCM. You will adopt MDM to deliver applications and manage data on devices, and will be able to jettison non-strategic enterprise IT activities such as image management. Benefiting from consumerization of devices does not mean you have to adopt BYOD – which should still be considered to mean BYO Disaster – again, until the device can defend itself independently of any enterprise controls, and can attest to its security when used for enterprise purposes.
(*vSentry for Windows 8 is not yet available. That’s not the point – we’ll support it soon. The point is this: A Win8 device is not another PC to manage.)