
ENTERPRISE MOBILITY MANAGEMENT

Windows 10 Tech Note

Open the Window to Endless Possibilities

Windows 10 shows a renewed focus on the enterprise. It successfully harmonizes user experience and device management capabilities across all Windows endpoints: desktops, laptops, tablets and smartphones. Windows 10 makes many difficult business processes more convenient: operating system updates, enterprise app deployment and mobile device management have all become easier. SOTI has been managing Windows mobile devices for almost 20 years, and as Windows evolves and grows we will continue to provide an industry-leading mobility management solution to support it.

Windows for the Enterprise

There are many consumer-friendly features in Microsoft Windows 10: a new browser, a voice assistant (Cortana), and lots of user interface and user experience enhancements. In addition, for at least the first year, upgrading to Windows 10 will be free for all Windows 7 and 8 users. However, it is clear that Windows 10 demonstrates a renewed focus on the enterprise market. Microsoft wants to make it easier for IT to deploy, manage and secure the operating system and applications across all devices used in the enterprise: desktops, laptops, tablets and smartphones.

Some of the key enterprise features of Windows 10 include:

Universal App Experience

Windows 10 introduces the concept of ‘Universal Apps’: applications that use the same basic code, but deliver a user experience optimized for each device form factor. In addition, the Windows Store will present a uniform app purchasing and upgrading experience for all devices. From an enterprise perspective, the new Windows Store will enable distribution and updating of authorized (signed) applications to company devices.


Versatile Windows Updating

As we have come to expect with Windows, frequent security updates and patches will be applied automatically to all Windows users. This simplicity is Microsoft’s preferred method for all updates, but enterprise customers are more conservative. They will have a couple of options to update their users:

Long Term Service Branch (LTSB) - Companies with sensitive, high-risk business environments can choose to apply security patches and updates while freezing the feature set on their Windows 10 devices.

Current Branch for Business (CBB) - Allows the enterprise to test new releases in-house once they have been extensively tested by the general public in the Windows Insider Program, and then deploy the approved update when they are comfortable with it.

Whichever method the enterprise selects, “in-place” updating makes it easy to update the operating system without impacting any applications or settings.

Security Improvements

As part of their focus on the enterprise, Microsoft has enhanced device security and data privacy. A key addition is support for multi-factor authentication, allowing a biometric device such as a fingerprint reader to be used in conjunction with a conventional password. Also new, Enterprise Data Protection (EDP) allows automatic identification and dedicated management of enterprise and personal data. In addition, Windows 10 supports the automatic encryption of corporate apps, data, email and website content on the device and/or removable media.

Mobile Device Management (MDM)

As mobile devices become more commonplace in business, MDM becomes more important. Microsoft has identified MDM as an essential requirement for the secure and efficient management of Windows 10 devices. It enables IT managers to configure and manage many features of Windows 10 devices remotely. In Windows 10, Microsoft expands the level of MDM support by adding EDP policies, support for managing multiple users, provisioning of VPN and Wi-Fi, full device wipe capabilities, and full control over the Windows Store.


SOTI MobiControl and Microsoft Windows 10

With SOTI MobiControl, it is fast and easy to get new Windows 10 users up and running. The first step is a simple self-service enrollment process that uses enterprise Active Directory credentials for secure authentication. No special apps or complex configuration are required, as everything is taken care of automatically by the MDM system. For organizations that host their applications and content in the cloud, Azure AD authenticates and provisions the mobile device no matter where it is located.

Windows 10 includes a built-in Device Management (DM) client that uses SyncML to interface with the MDM server via the standard OMA DM interface. Within the DM client, Windows 10 uses Configuration Service Providers (CSPs) as an interface to read, set, modify and delete registry settings or files on the device. Each CSP envelops a distinct grouping of functionality. For example, the EMAIL2 CSP provides the interface to configure standard internet email, including settings for SMTP, POP3 and IMAP4, whereas the ActiveSync CSP is used to configure the settings for Microsoft Exchange email.
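To make the SyncML/CSP exchange described above concrete, here is an added example written for this note (it is not SOTI MobiControl or Microsoft code): the MDM-server side builds one OMA DM Replace command that sets Device Lock password policies through the Policy CSP, then checks the DM client's Status reply so that any setting the device did not acknowledge is surfaced instead of silently assumed. It uses only the Python standard library; the DeviceLock node names under ./Vendor/MSFT/Policy/Config/ are Policy CSP nodes, while the values, command ids and the device reply are constructed sample data.

```python
# Added example, not from the SOTI tech note or MobiControl: the MDM-server side
# of one OMA DM (SyncML) exchange with the Windows 10 DM client. DeviceLock node
# names are Policy CSP nodes; values, command ids and the reply are constructed.
import xml.etree.ElementTree as ET

NS, METINF = "SYNCML:SYNCML1.2", "syncml:metinf"
POLICY_ROOT = "./Vendor/MSFT/Policy/Config/"

# Password rules the note lists under the Policy CSP's Device Lock category
# (Policy CSP convention: DevicePasswordEnabled 0 means a password is required).
DEVICE_LOCK = {
    "DeviceLock/DevicePasswordEnabled": "0",
    "DeviceLock/MinDevicePasswordLength": "8",
    "DeviceLock/MaxInactivityTimeDeviceLock": "5",
    "DeviceLock/MaxDevicePasswordFailedAttempts": "10",
}

def build_replace(cmd_id, settings):
    """Serialise one SyncML <Replace> with an <Item> per CSP node to set."""
    ET.register_namespace("", NS)
    replace = ET.Element(f"{{{NS}}}Replace")
    ET.SubElement(replace, f"{{{NS}}}CmdID").text = str(cmd_id)
    for node, value in settings.items():
        item = ET.SubElement(replace, f"{{{NS}}}Item")
        target = ET.SubElement(item, f"{{{NS}}}Target")
        ET.SubElement(target, f"{{{NS}}}LocURI").text = POLICY_ROOT + node
        meta = ET.SubElement(item, f"{{{NS}}}Meta")
        ET.SubElement(meta, f"{{{METINF}}}Format").text = "int"
        ET.SubElement(item, f"{{{NS}}}Data").text = value
    return ET.tostring(replace, encoding="unicode")

def parse_status(reply_xml):
    """Yield (CmdRef, LocURI or None, status code) for each <Status> in a reply."""
    for st in ET.fromstring(reply_xml).iter(f"{{{NS}}}Status"):
        loc = st.findtext(f"{{{NS}}}Item/{{{NS}}}Target/{{{NS}}}LocURI")
        yield st.findtext(f"{{{NS}}}CmdRef"), loc, int(st.findtext(f"{{{NS}}}Data"))

def unapplied(reply_xml, cmd_id):
    """Nodes of command cmd_id the client did not acknowledge with 2xx. A policy
    push is only enforced once acknowledged, so these need follow-up, not trust."""
    return [loc for ref, loc, code in parse_status(reply_xml)
            if ref == str(cmd_id) and not 200 <= code < 300]

# Constructed client reply to Replace CmdID 4: three nodes accepted, one refused.
SAMPLE_REPLY = f"""<SyncML xmlns="{NS}"><SyncBody>
<Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status>
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Replace</Cmd><Item><Target><LocURI>{POLICY_ROOT}DeviceLock/DevicePasswordEnabled</LocURI></Target></Item><Data>200</Data></Status>
<Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Replace</Cmd><Item><Target><LocURI>{POLICY_ROOT}DeviceLock/MinDevicePasswordLength</LocURI></Target></Item><Data>200</Data></Status>
<Status><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Replace</Cmd><Item><Target><LocURI>{POLICY_ROOT}DeviceLock/MaxInactivityTimeDeviceLock</LocURI></Target></Item><Data>200</Data></Status>
<Status><CmdID>5</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Replace</Cmd><Item><Target><LocURI>{POLICY_ROOT}DeviceLock/MaxDevicePasswordFailedAttempts</LocURI></Target></Item><Data>500</Data></Status>
</SyncBody></SyncML>"""
```

In a real session the Replace would be wrapped in a SyncML envelope with SyncHdr, and the reply's CmdRef ties each Status back to that command id, which is what unapplied() filters on.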

SOTI MobiControl’s agent in Windows 10

The SOTI MobiControl agent works alongside Windows 10’s MDM APIs to provide added benefits, including:

Remote Control - Troubleshoot devices remotely without user interaction. Record the session for diagnostic purposes.

Silent Legacy Application Deployment - Install classic Windows applications like MSI packages silently. Remove applications automatically on un-enrollment.

Windows 10 CSPs supported by SOTI MobiControl include:

RemoteRing & RemoteLock - If you have lost your mobile device around the home or office, RemoteRing can be used to trigger an audible ringing sound on the device regardless of the device volume. If you still can’t find your mobile device, it can be locked down and the PIN can be set/reset.

EMAIL2 - The EMAIL2 CSP is used to configure the Windows 10 device for internet email. Used primarily for Windows 10 Mobile devices, this CSP makes it easy for enterprise IT to set up SMTP for sending mail and POP3/IMAP4 for receiving mail.


Policy CSP

The Policy CSP enables enterprise IT to configure many different policies on Windows 10 devices. Some policies are applicable for all devices, others only for mobile devices or just for desktops. Within the CSP there are many categories of policies:

Application Management - Policies that allow/disallow apps from being installed from the Windows Store or elsewhere, and how installed apps are treated on the device, i.e. shared vs. restricted.

Browser - Enables/disables the browser, and configures features like cookies, autofill and popups.

Certificate Management - Deploy SCEP, Root and Client certificates; target the certificates to the device or user; specify the exact certificate store.

Connectivity - Enables/disables different modes of connectivity, i.e. Bluetooth, NFC, Cellular roaming, VPN over Cellular.

Data Protection - Configures Enterprise Data Protection mode and defines where the device can connect to and what type of data it can exchange.

Defender - Enables/disables Windows Defender and configures intrusion protection, which data stores can be scanned (cloud, email and/or local archives) and when they will be automatically scanned (days and times).

Device Lock - Mandates and configures device password rules (complexity, length and expiration), inactivity lockouts and allowable password attempts.

Experience - Enables/disables many different features on the device that impact the user experience, i.e. Cortana, Cut/Copy/Paste, screen capture and voice recording.

Settings - Enables/disables the user’s ability to configure many different system settings, i.e. date/time, language, power and sleep.

Update - Enables/disables Windows Update Services and configures how the device will handle updates. Do updates need to be signed? When should they be installed?


VPN and VPNv2

VPN and VPNv2 perform the same function, but VPN is for Windows Mobile devices only and is being de-emphasized. VPNv2 is the preferred CSP for configuring the VPN profile of the device, and it is usable for desktop, laptop, tablet and mobile devices. In addition to basic configuration of VPNs, Windows 10 will also enable and configure application-specific VPN to restrict application access to a specific IP address/port.


Going Forward with SOTI MobiControl and Windows 10

According to the experts, Windows 10 should see a significant increase in enterprise market share over Windows 8. Improved authentication, security and easy management of Windows across all device form factors are compelling reasons to consider adopting Windows 10. By refocusing on the enterprise and making it easy to upgrade, many enterprises that never upgraded to Windows 8 should be looking to test and deploy Windows 10 as part of an enterprise mobility strategy.

SOTI is working closely with Microsoft to ensure that all of the new MDM features are working as expected. SOTI will continue to expand the scope of our MDM support for all form factors of Windows 10 devices. For more information about SOTI MobiControl please contact [email protected].

SOTI MobiControl Supported Windows 10 Configuration Service Providers

ActiveSync - The ActiveSync configuration service provider is used to set up and change settings for Microsoft Exchange email. This CSP configures email address and password information, and what Exchange content should be allowed on sync (Email, Contacts, Calendar and Task List).

Assigned Access¹ - The Assigned Access configuration service provider (CSP) is used to set the device to run in kiosk mode and run the application specified.

Certificate Store - The Certificate Store CSP is used to add root and CA certificates, secure socket layer (SSL), intermediate and self-signed certificates. This is a significant increase in capability from Windows 8.x MDM.

DevDetail - The DevDetail CSP is based on the OMA DM standard. It provides detailed device information to the MDM server, i.e. hardware or firmware version, OS version, and hardware information such as processor type, screen resolution and MAC address.

DeviceInstanceService - The DeviceInstanceService configuration service provider delivers device inventory information (phone number, IMEI, IMSI). Additionally, this CSP supports querying two different phone numbers in the case of dual-SIM devices.

DeviceLock² - The DeviceLock CSP configures device lock and password related policies.

DevInfo - The DevInfo CSP is based on the OMA DM standard. At the beginning of each OMA DM session, the MDM uses unique device information as a form of handshake to identify the client to the server.

DMClient - The DMClient CSP uses key settings to help identify the client in the enterprise domain. It allows security mitigation for certificate renewal, and server-driven MDM unenrollment.

EMAIL2 - The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) email accounts.


Enterprise App Management² - The EnterpriseAppManagement CSP is used to handle enterprise application management tasks such as installing enterprise applications, inventorying installed enterprise applications (name and version), auto-updating already installed enterprise applications, and removing all installed enterprise apps.

Maps - The Maps CSP configures what maps (map packages) to download to the device.

Policy - The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. There are hundreds of possible policies, such as access to the app store, enabling connection types (Bluetooth, Wi-Fi, NFC, VPN, roaming over cellular) and enabling on-device data encryption.

RemoteLock² - The RemoteLock CSP supports the ability to lock a device that already has a PIN set, or to reset the PIN on a device that may or may not have a PIN set.

RemoteRing² - The RemoteRing configuration service provider can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that is set on the device.

RemoteWipe - The RemoteWipe configuration service provider can be used by a mobile operator’s DM server or an enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and on hard disks difficult to recover if the device is remotely wiped after being lost or stolen.

Storage - The Storage enterprise configuration service provider is used to configure the removable storage card settings. Currently, the only setting that is available is to enable/disable storage cards.

Reporting - The Reporting CSP is used to retrieve the Enterprise Data Protection (EDP) logs and any other logs for security auditing.


VPNv2 - The VPN configuration service provider allows the MDM server to configure the default VPN profile(s) of the device.

Wi-Fi - The Wi-Fi CSP delivers the functionality to add/replace/delete Wi-Fi networks on a Windows device. Certain authentication methods may require certificates that must be configured using the CertificateStore CSP.

Windows Defender Integration for Active Scanning - Update virus and malware definitions on Windows desktop devices, and initiate real-time virus scanning.

Windows Information Protection - Protect access to corporate data, with the option to specify which applications can access this data, and block sharing of corporate data. Finally, revoke access to corporate data upon un-enrollment.

WindowsSecurityAuditing - The WindowsSecurityAuditing CSP is used to enable/disable logging of security audit events.

SOTI is a proven innovator and industry leader for mobility and IoT management. Globally, over 17,000 companies depend on SOTI to transform their business by taking mobility to endless possibilities.

Copyright 2017 SOTI Inc. All Rights Reserved. All product and company names are trademarks™ or registered® trademarks of their respective owners. The use of these trademarks does not imply any affiliation with SOTI or endorsement by the trademark holder. | S-103

soti.net