Over the last year, I've often been asked by customers to explain the benefits of adopting Azure AD for device management, rather than on-premises Active Directory for Windows 10, and what the real differences are. In reality, the conversation is actually about Classic IT vs Modern IT. Rather than considering where your device is 'joined' to, as simply performing an Azure AD Join, on a Windows 10 device, without addressing how end-user apps and services are delivered, will likely result in a broken end-user experience.
Just so we're on the same page, let's define Classic IT and Modern IT.
Microsoft define Classic IT as:
But what does all that actually translate to?
Classic IT is what we (as IT admins) have been doing for the last 15 years; we issue corporate-owned devices to employees, and only allow these corporate-owned devices to join the corporate network and access corporate apps and services. With Classic IT, we have typically taken a device-centric rather than user-centric approach. This approach makes the most sense if an end-user is issued with a single device, and only that device can be used by the employee to get anything done! These corporate-owned devices are joined to an on-premise Active Directory domain and managed using Group Policy and System Center Configuration Manager - configuration is forced onto devices and applications are installed and controlled by IT.
This has resulted in a micro-managed device estate which, although desirable to some organisations, the on-going upkeep is costly and very static, with little end-user enablement (i.e. they have to ring IT whenever they want to do anything). A lot of effort is required to ensure configuration and applications are kept up to date, there is little or no user self-service (except perhaps password-reset) and identification. Remediation of IT issues tends to be very reactive, based on the end-user logging a ticket with IT when something undesirable occurs. As services are delivered from the on-premises datacentre, using legacy apps that are not accessible outside of the network (unless some form of VPN is utilised), they tend not to play nice when a user picks up their laptop and moves outside of the corporate network.
Finally, a key part of Classic IT tends to involve devices being taken out of the box, and then reimaged by IT, this is labour intensive, but has always been required. The steps are usually something similar to: dropping a fresh image onto the device, upgrading the OEM version of Windows (usually Pro) to Enterprise and removing any manufacturer 'bloatware', joining the device to the on-premises domain, installing some apps, running some configuration tasks, installing the ConfigMgr client, etc... (we all know the story here!). Although we've always seen device imaging as a necessary evil, it does come with problems. It costs a fortune and can take hours a day to perform. We normally wouldn't involve users and ask they re-image their own device, which means IT have to be involved during the imaging hours. It reduces agility, by requiring IT interaction for all corporate-owned devices and when an end-user's device breaks, they have to come into the head-office, drop their device off with IT for the day, while they reimage it – that usually results in the end-user losing days' worth of productivity!
Microsoft define Modern IT as:
But what does that all actually translate to?
Modern IT is a new approach to device management and the delivery of IT services to end-users, where we join Windows 10 to the cloud version of Active Directory (Azure AD), to provide Single-Sign-On (SSO) from anywhere, and use Mobile Device Management (MDM) tools to manage our devices, providing a more light-touch approach to management, this approach works well with both corporate and personally owned devices which is the new approach to device management and the delivery of IT services to end-users – its primary focus is on end-user enablement, allowing employees to be productive, regardless of their location or the device type/owner they are working from. The Modern IT approach takes a user-centric approach to delivering services. For example, policies are targeted at users rather than devices, as the end-user may have multiple devices. This results in configuration and applications being delivered in a similar fashion, providing end-users with a consistent experience, regardless of the device owner. As applications are delivered in a more modern way, they tend to be accessible when end-users are outside of the corporate network (using pre-authentication and conditional access to ensure certain compliance criteria is met before the access is granted). This approach is also designed to work well for remote workers, and typically supports offline working scenarios, supporting agile and flexible working – in addition, with services that exist outside of your datacentre (such as Office 365 and Salesforce) can be secured using the same conditional access and SSO controls as your on-premise applications, resulting in a consolidated secure end-user enablement platform for on-premises and cloud applications.
Device management is simpler, with less control over specific settings, taking the laborious management tasks away from IT. Self-service is encouraged in this scenario, to reduce the burden on IT support staff performing laborious tasks (such as group management and MDM enrolment). Remediation of issues can be performed proactively, by sending telemetry data about device health to cloud based monitoring services, such as the Microsoft OMS suite of products. These cloud-based monitoring services utilise machine learning algorithms, performing analysis on huge sets of data, allowing the solutions to identify patterns and trends across multiple organisations, providing insights into your IT estate - and as they're delivered from the cloud, end-user devices will submit data to these types of solutions, even when they're outside of the corporate network.
Finally, device imaging in Modern IT can potentially be removed, almost entirely! As services such as Windows AutoPilot can be used to provision corporate-owned devices over-the-air, allowing end-users to take a brand-new device out of the box and be up and running in no time, as the device is automatically joined to Azure AD and enrolled in your MDM solution. As Windows 10 Enterprise can now be targeted at users (similar to the way an Office 365 license is applied) – the latest version of Windows 10 will upgrade from Pro to Enterprise without a restart, it will just seamlessly upgrade. The MDM that the device is enrolled into during the Azure AD Join will push down configuration settings and applications from the cloud, resulting in end-users receiving their required apps over the internet.
The 'bloatware' issue can be tackled by purchasing Surface devices (as they come without it, and run a secure, acceptance-tested image out of the box) – other vendors have embraced this too, and deliver 'Signature' edition devices (also Windows 10 'S' is worth a look at). Finally, when an end-user's device has issues that require a rebuild of the operating system, they can simply use the 'Reset my PC' feature in Windows 10 and there's a good chance that'll solve the problem, if not they need to bring it into IT for a re-image.
At Softcat, we feel that it is important to deliver apps and services, to end-users, using the most effective methods. With this in mind, it's highly likely that most organisations will contain a mixture of both Classic IT and Modern IT, throughout their estate, for the foreseeable future. The following sections provide examples of where each approach might be a good fit.
Classic IT is usually a better fit for end-users that:
Modern IT is usually a better fit for end-users that:
Armed with all of the above information, I am then usually asked the following:
Modern IT sounds great, for a subset of our organisation – how can we adopt it? What needs to be in place? Can the adoption/rollout be staged? How much will this cost me?
Adoption of Modern IT will potentially require some additional services to support device management, such as an EMM solution (Microsoft EM+S is an example of an EMM solution). We tend to find that most larger organisations have an EMM in place, or are already paying for EM+S but haven't deployed it. I'd encourage all organisations to check what their current Microsoft licensing entitles them to. If you have other third party MDMs, such as Airwatch, those can sometimes be integrated with Azure AD (part of EM+S), meaning you won't have to re-enroll all of your devices!
In the past, the adoption/rollout of Modern IT has been difficult for organisations to embrace, as it required a vertical split (based on user suitability) – for example, a device could not be traditional IT and modern IT managed at the same time, it was either one or the other! This created some interesting roadblocks when organisations wanted to adopt Modern IT for certain user types (typically due to some settings or apps that simply do not play well with MDMs), and has inevitably slowed down the adoption of Modern IT throughout organisations.
Fear not though! Microsoft announced some changes at Ignite that will remove some of the roadblocks to Modern IT adoption, by allowing Co-Management of a device – this allows a device to be joined to both the on-premises Active Directory and Azure AD, and as a result, managed by both ConfigMgr and Intune at the same time! Organisations then use a slider in ConfigMgr to decide which services are delivered by Traditional IT (ConfigMgr and Active Directory) and which services are delivered by Modern IT (Intune and Azure AD) - this allows organisations to deliver Modern IT services via a horizontal split, based on technical functions, removing some of the roadblocks to adoption. Over time, the end-goal is to move more and more services to Modern IT as they become suitable for the transition.
To support this transformation, a certain amount of technical assistance is required to get the new way of working up and running. Moving to an 'as a service' (aas) model has an ongoing operational impact (i.e. rather than sitting around a table every 6 years, and spending a fortune migrating from Windows XP to 7, and then 7 to 10), the model requires processes and people to be in place, allowing organisations to proactively stay on top of any upcoming changes - the emphasis is placed on knowing what's coming, rather than fixing problems that have arisen as a result of a change being forced upon your organisation. Here at Softcat we understand the challenges adoption of Modern IT can bring, but know the tangible benefits it will bring to your organisation, and we are here to help!
If you'd like help understanding how Microsoft's Modern IT can benefit you, or to know the next steps to get you on the road, please get in touch with your Softcat Account Manager.
We would love to hear any comments you have about this article!