Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Group policies, meet EMM: New and old Windows 10 management unite

Galen Gruman | Oct. 12, 2016
MobileIron Bridge lets IT apply familiar group policy objects to Windows 10 PCs via enterprise mobile management, filling a big gap in Win10's new APIs

One of Windows 10's biggest internal changes is support for management and security APIs à la enterprise mobile management (EMM). It uses APIs similar to those in iOS, Android, and MacOS. But Windows 10's EMM policies are limited compared to what traditional Windows management tools can do. Thus, a lot of what IT does to manage PCs today can't be done in Windows 10 via EMM, such as set up kiosk mode or enable local encryption. Instead, old-school tools like System Center Configuration Manager (SCCM) must be used instead.

EMM provider MobileIron has an answer: MobileIron Bridge, an add-on to its EMM tools that lets IT apply their familiar -- and often extensive -- group policy objects (GPOs) to Windows 10 PCs managed via EMM. Applying GPOs via EMM lets IT manage Windows 10 PCs using both legacy and modern techniques from one console (MobileIron's EMM), filling in the API gaps Windows 10 currently has.

Some vendors let IT install listener apps on PCs to locally apply some GPOs, a technique that could be used with traditional Windows 10 tools in parallel with an EMM tool. But MobileIron is the first to provide GPO support directly via EMM -- there's no local client app to install, and all the GPO settings go through the same channel as the other EMM policies.

MobileIron Bridge's support of GPOs is done by supporting PowerShell, VBScript, and registry scripts. IT can take existing scripts, as well as create new ones, and bundle them into policies that MobileIron Bridge then deploys like any EMM policy. 

For example, Windows 10's EMM APIs can detect a PC where BitLocker encryption is disabled, rendering the PC noncompliant with corporate security policy. But those APIs can't be used to enable BitLocker. With MobileIron Bridge, PowerShell-driven GPOs can be used to enable BitLocker remotely, so IT can detect noncompliant PCs, then turn them compliant -- all remotely.

mobileiron bridge encryption enable
MobileIron Bridge lets IT run bundled scripts to implement group policy objects and other system management commands on Windows 10 PCs managed via EMM. Here, BitLocker encryption is enabled on a noncompliant PC.

As another example, MobileIron Bridge can be used to run scripts to set up kiosk mode on Windows 10 PCs, which essentially locks a specified user to specified apps and can seal off their data from that of other people using the same PC. A retailer might use kiosk mode for a shared Windows laptop or tablet, giving each employee a separate kiosk account and retiring the accounts as employees leave.

Another scenario that MobileIron Bridge supports is setting up multiple user accounts on a PC, such as one used by contractors, for job-sharers, across shifts involving different departments in a "hoteling" workplace, or even by employees working from home on a personal PC. Working in concert with Azure Active Directory, IT can use MobileIron Bridge to remotely set up the multiple accounts, determine which accounts can share data with each other, and which accounts run in kiosk mode, then retire accounts as users leave.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.