With Microsoft continually developing the MDM capabilities of Windows 10, it looks increasingly likely that an entire enterprise can be managed from a single location (see my post about UEM here). More and more companies are striving for this in order to cut costs and improve efficiency. What is Microsoft’s stance on it? Do they consider switching to a 100% MDM solution to be best practice? The answer is: maybe.
Here is a Microsoft article that lays out their point of view on how enterprises should manage their devices. They coin the term “modern management” and describe a scenario in which all devices are managed without GPOs, without on-premises SCCM, and without Active Directory. Instead, all devices are managed from Microsoft’s cloud service EMS (Enterprise Mobility + Security, whose MDM component is Intune).
Here’s an explanation of the logic:
- MDM is a good fit when you don’t care about how a configuration is applied. From an administrative standpoint you choose the configuration you want, such as “passcodes must expire after 180 days,” and push it out. It doesn’t matter which kind of device receives it; the responsibility lies with the vendor to take that setting and configure the device correctly. MDM administrators push out a more generic, device-agnostic level of control, which each device then interprets for itself.
- GPOs and SCCM are the right fit when you need to control exactly how a configuration is applied, including the many thousands of settings that come with Group Policy. If that granular control is important to you, MDM will not be powerful enough to meet your needs.
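As an added illustration of the first point (this is not from the original post or from Microsoft’s article), here is the kind of OMA-DM SyncML message a Windows MDM server sends to apply “passcodes expire after 180 days”. The administrator states only the outcome; the Windows MDM client on the device maps the Policy CSP node to whatever local mechanism enforces it. The 180-day value is an assumed example, and the SyncML envelope headers are omitted.

```xml
<!-- Added example (not the post's own): SyncML body that sets the Windows
     Policy CSP node DeviceLock/DevicePasswordExpiration to 180 days.
     The MDM client on the device interprets this; the server never specifies
     how the setting is enforced locally. Envelope headers omitted. -->
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <!-- Device-scoped Policy CSP path for the password expiration setting -->
          <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordExpiration</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <!-- Assumed example value: days until the password expires (0 = never) -->
        <Data>180</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```

To confirm the policy landed, look on the device under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock, where the MDM client records the values it has applied, and compare with the maximum password age reported by `net accounts`. If Group Policy also sets a maximum password age on that device, the Group Policy value is the one enforced.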
So, yes, you can push standard MDM configuration policies to all your corporate devices if MDM-level control is enough for your needs; this is possible today using Microsoft services like EMS. If MDM control is not granular enough for you, you will have to continue using GPOs and SCCM to manage your devices. MDM is not designed to take over from GPOs at this time: MDM actions and configurations are meant to control a large variety of devices, and the technology is not yet at a point where vendors can accommodate everything that AD, GPOs and SCCM can. Microsoft supports both options, as well as a hybrid option in which both environments exist simultaneously. One caveat worth knowing before going hybrid: when Group Policy and MDM configure the same setting on a domain-joined Windows 10 device, the Group Policy setting wins by default, so overlapping settings should be removed from one side rather than left to conflict.