What is Modern Device Management?

Modern Device Management is a term that has been used for many years now. I’ve seen it labelled “Device Transformation” and “Modernise Endpoints”. But in my opinion Modern Device Management is not just about the devices. Yes, devices play a large part. Of course they do! But for proper Modern Device Management, we also need to think about user personas and the applications that are in use.

User Personas

A user persona is a profile that represents the needs and wants of a subgroup of people within your organisation. A user persona will differ between organisations, but the premise is the same. When thinking about Modern Device Management, we need to think about the wants and needs of these groups of people. The following type of questions need to be asked:

  • What do they need to access to be able to perform their role?
    • Applications
    • Device Types
    • Where do they primarily work from?
    • Data Types that are accessed
  • What challenges do they currently have performing their role?
    • Any issues accessing applications/data?
    • Application performance
    • Issues with the device

The answers to the types of questions above help us to understand what the people in the organisation need access to in order to perform their roles efficiently, and any existing issues they are facing. This information can then be fed into the decisions made for a Modern Device Management solution.

Applications

In the modern workplace, applications are accessed by various methods. Years ago, all applications would be hosted in an on-premises network, hidden behind a firewall. Now, we have cloud-based applications (SaaS), hosted applications (IaaS and PaaS) and the traditional applications hosted on-premises. The way these applications are accessed and by which personas can have an impact on how your Modern Device Management strategy may look.

Many organisations I have worked with have a good grasp on the applications that are directly installed on to their devices. But with more and more cloud-based applications in use, it is becoming more difficult to manage and keep on top of.

From the user persona discovery, we should have a very good idea of the applications in use across the organisation. The next step is to discover more about these applications:

  • What type of application is it?
    • Installed on device
    • SaaS
    • PaaS
    • IaaS
  • How is it accessed?
    • Browser
    • Installed Client
    • Mobile App
  • What type of data is accessed?
    • Confidential / Sensitive
    • PII
  • Who manages the application?
    • Internal Dev Team
    • 3rd Party
  • Is there potential for the application to be transformed?
    • Is there a cloud-model available?
    • Can it be accessed via a different method?

Once the above information is captured it is used alongside the user personas, and also as input for decisions on the Modern Device Management solution.

Devices

Now we come to the part that most people focus on, the devices! Typically my focus is Windows devices. However, this shouldn’t be our only focus for a Modern Device Management solution. Using the information gathered for user personas and applications, we can identify the best device for that group of people to use. As an example:

  • User Persona A needs access to Microsoft 365 services, particularly email and Microsoft Teams and uses two line of business applications. One of them is a SaaS based application accessed via a browser and the other is hosted on-premises, but also accessed via a browser. User Persona A is considered a hybrid worker as they spend most of their time on the road and when in the office, they are primarily in meetings, not working at a desk.
  • User Persona B needs access to Microsoft 365 services, including email, Teams, SharePoint and Power BI. They also use five line of business applications. Two of these applications are SaaS based and accessed through a browser. The other three applications are hosted on-premises. One is accessed via a browser and the other two use GUI based front-end systems with clients installed on to a Windows device. User Persona B mainly works in the office, but since the pandemic has been spending more time working from home.

From the information gained above we could easily just say that every user gets a Windows device to access their content, managed by Microsoft Endpoint Manager (MEM) as a Hybrid Azure AD Joined device. This is a traditional modern deployment for managing Windows devices. But it still includes a heavy reliance on Active Directory and on accessing applications through a VPN-type solution. With the modern tools available to us through Microsoft 365 and Azure, the above personas could be looked at in a different way:

User Persona A could be provided with a managed mobile device. This would allow access to Microsoft 365 services through the native mobile apps. Access is secured through App Protection Policies and the device is managed by MEM. Access to the SaaS based application is possible through the web browser. This can be further secured by integrating the app with Azure Active Directory (AAD) and enforcing device restrictions or MFA using Conditional Access. The on-premises application could be made available through the AAD Application Proxy. Access to the application is then made publicly available and is also secured through the use of Conditional Access policies. Now we have the opportunity to provide User Persona A with a mobile device, phone or tablet, iOS or Android (or Windows), and they can access all of the services they need to, securely. They have a device that is lightweight, portable and easy to use (similar to what they may use at home).

By reviewing User Persona B, a Windows device feels like it would fit their role perfectly. However, there are also options here, using a Windows device in this scenario:

  1. Traditional Windows Laptop – Providing a traditional domain-joined Windows laptop that is managed by MEM (in the cloud) would meet the requirements for User Persona B. With a VPN installed providing remote access to the applications hosted on-premises, the user can work from anywhere with an Internet connection. The traditional challenges remain here, though: the VPN must be stable and connected at all times for the user to work, and the user must carry the laptop around when travelling to the office. There are also ongoing management and cost challenges of Active Directory and the VPN for the IT team.
  2. Modern Windows Laptop – A modern Windows laptop is Azure AD joined only. It is not joined to the local domain, therefore removing the reliance on AD for device management. However, the requirement for a VPN would remain, unless the applications are themselves transformed in some way or provided via a different method. For instance, the on-premises application accessed via a browser could be published through the AAD Application Proxy, making it accessible from non-domain joined devices but still secured using Conditional Access. Depending on the make-up of the GUI based applications, they too could be published via the AAD Application Proxy. However, this is likely to be much more complex. Instead they could be published via Azure Virtual Desktop (AVD) and made available as RemoteApps. Now the user has access to everything they need on a securely managed device that can be used from anywhere with an Internet connection.
  3. Windows 365 – Windows 365 provides the same Windows experience as a laptop, but the device is hosted in Microsoft’s datacentre. By configuring the Windows 365 devices and managing them in the same way through MEM, users could have a Cloud PC that can be accessed from any device with a browser (or the app) from any location. Using any of the above combinations of device join type and application access, Windows 365 is able to provide User Persona B with everything they need to perform their role. Using thin clients or similar devices in the office, the users can connect to their Windows 365 PC, and when at home they can connect using their own personal device, with added security provided through Conditional Access. Windows 365 has the benefit of picking up where you left off, without having to travel with a physical device in your bag.
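The following is an added example, not code from the original post, that encodes the reasoning above as a small decision helper: it takes the answers to the application questionnaire (hosting type, access method, data sensitivity, who manages it and whether it can be transformed) and the persona's work pattern, and returns the access path for each application (AAD integration, AAD Application Proxy, AVD RemoteApp, or a VPN only where no transformation is possible) plus a device class, with Conditional Access tightened to a compliant-device requirement for applications holding confidential data. The field names, rules, device labels and the three sample personas are assumptions constructed for this illustration.

```python
"""Added example (not from the original post): turns the persona and application
questionnaire answers into the access-path and device recommendation the post
walks through for Personas A and B. Field names, rules and the sample personas
are assumptions constructed for this illustration."""
from dataclasses import dataclass
from typing import Dict, List

CLOUD_HOSTED = {"saas", "paas", "iaas"}


@dataclass
class App:
    name: str
    hosting: str                  # "saas", "paas", "iaas" or "onprem"
    access: str                   # "browser", "mobile" (native app) or "client" (installed GUI)
    sensitive: bool = False       # confidential / PII data handled by the app
    transformable: bool = True    # on-prem app can be published (App Proxy / AVD) instead of VPN


@dataclass
class Persona:
    name: str
    workplace: str                # "road", "office", "home" or "hybrid"
    apps: List[App]


def access_path(app: App) -> Dict[str, object]:
    """Choose how one application is reached, following the options in the post."""
    # Conditional Access grant control: sensitive data gets a device-state
    # requirement, everything else at least MFA.
    control = "require compliant device" if app.sensitive else "require MFA"
    if app.hosting in CLOUD_HOSTED:
        path = f"integrate with Azure AD; Conditional Access: {control}"
        return {"app": app.name, "path": path, "vpn": False}
    if not app.transformable:
        # Nothing to publish: the only option left is the traditional VPN.
        return {"app": app.name, "path": "legacy: VPN to the internal network", "vpn": True}
    if app.access in ("browser", "mobile"):
        path = f"publish via Azure AD Application Proxy; Conditional Access: {control}"
    else:
        path = f"publish as Azure Virtual Desktop RemoteApp; Conditional Access: {control}"
    return {"app": app.name, "path": path, "vpn": False}


def recommend(persona: Persona) -> Dict[str, object]:
    """Pick a device class from the persona's work pattern and its apps' access paths."""
    paths = [access_path(a) for a in persona.apps]
    needs_vpn = any(p["vpn"] for p in paths)
    needs_windows = any(a.access == "client" for a in persona.apps)
    if needs_vpn:
        device = "domain-joined Windows laptop (MEM-managed) with VPN"
    elif needs_windows:
        device = "Azure AD joined Windows laptop or Windows 365 Cloud PC"
    elif persona.workplace == "road":
        device = "MEM-managed mobile device with App Protection Policies"
    else:
        device = "Azure AD joined Windows laptop"
    return {"persona": persona.name, "device": device, "vpn_required": needs_vpn, "paths": paths}


# Constructed sample personas: the two the post describes, plus one whose
# application cannot be transformed and therefore still forces a VPN.
PERSONA_A = Persona("Persona A", "road", [
    App("Exchange Online / Teams", "saas", "mobile"),
    App("LOB-1 (SaaS)", "saas", "browser"),
    App("LOB-2 (on-prem web)", "onprem", "browser", sensitive=True),
])
PERSONA_B = Persona("Persona B", "hybrid", [
    App("Microsoft 365 (Teams, SharePoint, Power BI)", "saas", "browser"),
    App("LOB-1 (SaaS)", "saas", "browser"),
    App("LOB-2 (SaaS)", "saas", "browser"),
    App("LOB-3 (on-prem web)", "onprem", "browser"),
    App("LOB-4 (on-prem GUI client)", "onprem", "client"),
    App("LOB-5 (on-prem GUI client)", "onprem", "client", sensitive=True),
])
PERSONA_C = Persona("Persona C", "office", [
    App("Legacy thick client", "onprem", "client", transformable=False),
])

if __name__ == "__main__":
    for persona in (PERSONA_A, PERSONA_B, PERSONA_C):
        result = recommend(persona)
        print(f"{result['persona']}: {result['device']} (VPN: {result['vpn_required']})")
        for p in result["paths"]:
            print(f"  - {p['app']}: {p['path']}")
```

Run as-is it prints one block per persona: Persona A ends up on a managed mobile device with no VPN, Persona B on an Azure AD joined laptop or Cloud PC with the two GUI clients delivered as AVD RemoteApps, and Persona C, whose thick client cannot be published, is the only one still tied to a domain-joined laptop and VPN. The `transformable` flag is the question to press hardest in discovery, since a single untransformable application drags the whole persona back to the traditional model.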

Summary

To summarise, Modern Device Management is now about more than just whether we can move our Windows devices to be managed by the cloud. By gathering the suggested information we can provide a Modern Device Management strategy, using the power of Microsoft 365 and MEM, that can cater for many different situations and provide end users with a better user experience. We can also make IT lives simpler by removing traditional and (sometimes) costly services such as a VPN.

Now I know the above examples do not fit every organisation and it may very well be that upon review, the best thing to do IS to move current managed devices into a cloud managed solution. However, in my opinion the above should be thought about and investigated at a minimum to see what could be achieved.
