Device management evolution

Using a device management model, many large organizations have adopted Microsoft Endpoint Configuration Manager (MECM), formally known as System Center Configuration Manager (SCCM), which has been the standard for many years. Configuration Manager is a fully mature device management solution also used for image building and deployment. To operate effectively, an Configuration Manager hierarchy requires resources and the deployment of infrastructure either on-premises or in IaaS. As new PC hardware is purchased and new Windows builds are released, a lengthy and complex life cycle process to support the new requirements typically follows. This traditional model can make organizations less agile regarding staying up to date with the latest updates and security trends. Recently, we have seen disruption to this model and a shift that is changing the dynamics of device management. Throughout the book, we may refer to Configuration Manager as MECM, SCCM, and ConfigMgr. All are common acronyms used to reference Configuration Manager.

In recent years, this shift has come with the adoption of MDM tools that evolved with the growth of iOS and Android. This growth has shown two parallel environments within enterprises. One for phones and tablets, and the other for desktops and laptops. This generates a lot of overhead and a unique skill set to support, manage, and operate two separate environments. It also adds overhead to your security strategy as both your platforms need to meet the security requirements of your policies. Validating security within multiple environments can create challenges and adds its own complexity.

A major advantage of using an MDM solution is a shift from primarily an imaging model to an out-of-the-box approach. The ability to take your device out of the box, turn it on, and receive your policies, configurations, and security settings layered on top of your original OS is a game changer. This approach has been well-received and adopted for corporate-owned iOS and Android devices. With the release of Windows 10, Microsoft has followed suit and enabled the ability to enroll Windows into an MDM tool, allowing a shift away from traditional imaging and the overhead it brings. More recently, Windows 10 with Intune also allows the merging of two separate enterprise tools into one unified management approach for your device management program with Intune and SCCM co-management.

As the model continues to evolve, we are slowly seeing a transition to unified endpoint management. Unified endpoint management is essentially bringing together the management of all endpoint devices into one management solution, as shown in the following diagram:

Figure 4.1 – The evolution of device management

For most organizations, this shift isn't going to happen overnight, but the good news is Microsoft has built a solid foundation and avenue to make the journey from the old to the new a reality. In the next section, we are going to discuss the classic device imaging model. Although it's been around for a while, device imaging is still tried and true and an important component for hardening your Windows systems with your security baselines.