IT Jargon Explained

What Is Modern Device Management?

Modern device management allows you to remotely monitor, provision, patch and secure your network endpoints to improve user experience, ensure productivity and protect your organization.

During the last thirty years, the concept of device management has been evolving away from legacy management models. This has all been aimed at finding a way to meet the monitoring, security, productivity and user experience demands that have always been a concern for every information technology (IT) department.

A brief background

One early approach to modernizing device management, introduced by operating system (OS) vendors, was Active Directory (AD) with centralized Group Policy Objects (GPOs). Another approach came from third-party vendors, who added device management solutions that supplied capabilities or functionality the OS vendor couldn’t provide.

These approaches to device management were limited by three things:

  • Device connectivity to the corporate network to push GPOs (group policies), scripts and software.
  • User permissions. If the end user had local administrator rights, they could manually override any restriction sent by legacy management, including those applied through Active Directory. Since legacy management tools can also affect other software on the device, including OS patches, this created obvious problems and a key pain point for IT teams.
  • Provisioning of a device by IT. There was no way to pre-provision devices automatically without IT interaction, and the most-used tactic for provisioning them was imaging. But imaging is a costly and repetitive task that requires infrastructure and constant updates.

What has revolutionized mobile device management (MDM)?

When the first version of Apple’s iPhone OS (iOS) was launched, its management capabilities were based on profiles rather than permissions. This created a revolution in device management:

  • First, it allowed much greater simplicity in managing and maintaining a big allotment of enterprise devices.
  • It also allowed a new level of OS-based security, since only the trusted MDM solution can interact deeply with the system and thereby enforce restrictions, configurations, policies and apps, which must adhere to its requirements.

The evolution to EMM

The MDM concept evolved into enterprise mobile management (EMM) due to an initiative by Gartner in 2014 to merge several existing strategies, as laid out in their 2014 Magic Quadrant for Mobile Device Management (MDM). [1]

This new term merges other sub-categories and strategies that were previously considered separate:

  • MAM (mobile app management), which is focused on controlling the lifecycle of software on a device.
  • MCM (mobile content management), which is focused on controlling the lifecycle of data within specific apps, agnostic to device.
  • MIM (mobile information management), which is focused on controlling the lifecycle of data, agnostic to device.

Google eventually adopted an EMM management model with the launch of Android 5 and Android Enterprise (AE), providing native capabilities in their OS to manage it, deploy software, apply restrictions and safely allow access to corporate services.

Although AE, like iOS, offers several different deployment models, the high-level idea of centralized management and a sandboxed app model is the same. This is meant to ensure that an app cannot compromise the kernel of the device OS.

This approach to device management proved to be more efficient and compelling; usually, a single solution could provide the right level of security, control and visibility across all devices. At the same time, the organization can still provide its employees with secure access to corporate services, especially in the field.

What are the various models making up modern device management?

Let’s pause a moment to assemble and define all the acronyms being deployed thus far and add in a new one: UEM.

MAM

Mobile application management:

Device management model focused on controlling the apps that access corporate data, but not the rest of the device.

MCM

Mobile content management:

Management model focused on providing access to content for collaboration on devices.

MIM

Mobile information management:

Management model focused on controlling the lifecycle of corporate data to keep it encrypted while controlling which apps can transmit it, but not the rest of the device.

MDM

Mobile device management:

Management model focused on controlling devices and apps through the native MDM API, which is the only interface granted permission to control and modify the kernel of the OS.

EMM

Enterprise mobile management:

Term introduced in 2014 by Gartner as an effort to merge several of these models together. Theoretically, an EMM consists of an MDM and a MAM.

UEM

Unified endpoint management:

The natural evolution of EMM is UEM, where a single console can manage a wide range of device types such as smartphones, tablets, desktops, laptops, servers, IoT devices, etc. This is possible because all of them share the same logic of a sandboxed OS, managed by a centralized (unified) management solution.

Mobile device management vs Modern device management

The truth is, mobile device management and modern device management are as close as Siamese twins. It’s one term whose meaning has changed, and with good reason.

Remember the architecture Apple launched upon the IT world with the introduction of iOS? It was developed with education organizations in mind, but Apple plainly intended to jump into the enterprise market that had been ruled by historical players like Microsoft.

As part of this strategy, the iOS model has been gradually extended to macOS devices like desktops and laptops, and the device management API has been evolving on each version. Apple has increasingly moved macOS toward becoming a mobile-like managed OS with embedded security and managed native APIs.

The result of this (and similar moves by other providers, as we’ll see below) has been a nomenclature shift: what had been called “mobile device management” was now being applied within a network ecosystem where MDM tools were managing other (often remote) endpoints that weren’t mobile.

So today, devices like laptops and desktops — including those that are part of “bring your own device” (BYOD) scenarios — are enrolled in what we call “modern device management” systems that apply to all endpoints, not just mobile devices.

How did Windows 10 impact MDM?

When Windows 10 was born, it was a shrewd approach on the part of Microsoft to introduce an “MDM/EMM”-like management model to modernize how IT has been managing devices since olden times. This was significant because Windows, despite inroads from competitors like Apple, is still installed on over 36% of endpoint devices. [2]

Windows 10 was not an evolution of Windows 7 and 8. Rather, it was an evolution of Windows Phone 8 and 10, where an MDM API was available to manage all aspects of a device, such as DLP, restrictions, software distribution and so on.

What was the sea change here? Windows 10 had adopted the approach taken by mobile OS to alleviate the task of onboarding and provisioning devices to its EMM solution. Suddenly, IT admins could manage Windows, macOS, iOS and Android devices from the same centralized platform.

What is unified endpoint management (UEM)?

At the same time, when Internet of Things (IoT) device providers started to adopt the “big four” OS for their purposes — such as Windows IoT, which also provides MDM/EMM capabilities, and Android AOSP, used in TVs, boxes, kiosks, dedicated devices and so on — the same device management capabilities began applying.

This is the point at which EMM evolved into unified endpoint management (UEM), where an IT department uses the technologies we’ve mentioned to centralize management of all devices across its network and display all insights and information about them through “a single pane of glass,” meaning from a single console.

That’s possible because UEM platforms are open to interacting with other solutions that use APIs to integrate into the UEM model. This allows solution providers to extend the services that modern managed devices can consume without compromising their sandboxed OS.

The importance of being able to manage varied devices that use varied operating systems becomes apparent when one considers the chart below.

[Chart: Distribution of operating systems (OS) among enterprise endpoints in North America, Western Europe and Asia Pacific, as of 2022. Source: Statista]

How can MDM optimize the workload of IT?

As we’ve just seen, MDM allows a network to automatically register and provision devices connected to the network. This removes a huge amount of repetitive work from the IT team, unburdening them to focus on other, more strategic challenges. Other benefits of MDM?

  • If a device is also part of an automated device enrollment program, such as MS AutoPilot or Apple Automated Device Enrollment (ADE), IT can send the device directly to the end user, and the program will carry out provisioning automatically.
  • Onboarding, management, software distribution, security enforcement and so on don’t require a direct connection to the corporate network to be triggered. This only requires an Internet connection, and the MDM integrates countermeasures to ensure a device is not being provisioned only for personal use.

These latter benefits became vital when the pandemic arrived in early 2020. Most companies had to pivot fast and adopt a BYOD and laptop-based strategy, versus the historical fixed-desktop workplace inside the corporate network, protected by corporate perimeter security.

Today, users are still working remotely and demand the ability to connect from anywhere, anytime. So there’s a growing demand for secure network access to a mix of SaaS and on-premises solutions that can deliver service 24/7.

Because of this, other MDM-related concepts have taken center stage, such as Zero Trust Access, which dictates that a strict security level should be maintained regardless of whether a device is inside of the corporate network, or partially or fully managed.

What’s a key concept to know about MDM?

The important concept to understand about modern device management as it’s applied to a desktop/laptop OS such as Windows or macOS? It’s that any restriction applied by the network administrators will always win out, even if the user has local admin rights.

This is a big point, since most software is developed assuming it can run unhindered on any OS. Once user permissions are restricted, making that software work properly without lowering the level of security becomes a real source of complexity.

Just as a network admin can set which apps are allowed to run on iOS and Android and provide different levels of autonomy for the user (depending on profiles), today’s Windows 10/11 and macOS admins can do the same. This removes the complexity of limiting user permissions to adopt the desired security.

The result is that Windows and macOS devices are automatically provisioned upon registration, allowing only the right software to run and removing any need for “hands-on” interaction from IT.

For example:

  • Imagine we’re sending a set of restrictions, based on a native MDM API, to allow only regular Windows software and corporate apps to run on a networked laptop.
  • If users try to install or run any non-approved software, the OS will decline to open it and will tell the user that the administrator has disabled this app.
  • The same logic applies to the command line interface, PowerShell console, task manager, et cetera.
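To make the Windows case concrete, here is an added example (not from the original article) of the kind of executable launch-restriction policy an MDM/UEM pushes to a Windows 10/11 device through the AppLocker CSP, together with an offline evaluation of it using the built-in Test-AppLockerPolicy cmdlet. The rule IDs, rule names and the corporate app folder are constructed placeholders; the policy deliberately omits the usual “Administrators may run anything” rule, so a local admin is bound by the same allowlist the article describes.

```powershell
# AppLocker EXE rule collection as an MDM/UEM would deliver it via the AppLocker CSP node
# ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<group>/EXE/Policy
# Only the Windows folder, Program Files and one corporate app folder may launch executables.
# No rule for BUILTIN\Administrators is present, so the restriction also applies to local admins.
# Rule IDs, names and the %OSDRIVE%\CorpApps path are constructed placeholders.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Allow corporate apps"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\CorpApps\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Write the policy to a temporary file; Test-AppLockerPolicy reads XML from disk.
$policyPath = Join-Path $env:TEMP 'corp-applocker-policy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Constructed test case: the same signed Microsoft binary, once in its approved location
# and once copied into a user-writable folder that no allow rule covers.
$demoDir = Join-Path $env:TEMP 'applocker-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$approvedExe   = Join-Path $env:windir 'System32\notepad.exe'
$unapprovedExe = Join-Path $demoDir 'notepad-copy.exe'
Copy-Item -Path $approvedExe -Destination $unapprovedExe -Force

# Evaluate both paths against the policy for the Everyone SID. This only simulates the
# decision AppLocker would make; nothing is applied to the machine (Set-AppLockerPolicy
# is never called), so it is safe to run when validating a policy before pushing it.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $approvedExe, $unapprovedExe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The System32 copy matches the “Allow Windows folder” rule, while the copy under the demo folder matches no rule and falls under AppLocker’s implicit deny, which is exactly the “administrator has disabled this app” behaviour the bullets above describe.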

What’s next for modern device management?

Right now, many vendors already provide apps that aim to complement MDM/EMM-focused management. The intention? To extend the level of control, provide more features, retrieve and analyze security data and fill in the gaps a modern device management API can’t address alone.

As with other device management advances, many of these innovations made their debut in the mobile OS realm, most notably in the form of management agent apps that provide capabilities such as:

  • Device posture: detect, monitor and remediate a compromised OS.
  • Notifications: for direct communication of alerts or messages to end users within the agent app.
  • Location: when relevant, the management agent app can provide location insights and interact with the device.
  • Mobile threat defense: protection against cyberattack based on device, app, network and anti-phishing attack surfaces.
  • Private app store: a resource where users can obtain optional apps.

In the case of Windows and macOS, these apps work in tandem with UEM-native configurations, accomplishing tasks that are critical but not included as part of the MDM API. This is especially conspicuous on desktop/laptop OS, such as Windows 10/11 and macOS, where several key actions still aren’t available as part of their MDM API. Examples include:

  • Custom management profiles (custom configurations, custom payloads, etc.)
  • Scripts.
  • Task sequence-based software distribution.
  • Flexible patching.
  • Risk-based vulnerability management.
  • Risk-based access control to services.

What is MDM 2.0?

The solution to this disparity between mobile and desktop/laptop modern device management is to develop and deploy a mixture of both models, one that’s optimized to run smoothly wherever it’s deployed and includes even greater functionality. It’s what some analysts and vendors have predictably anointed “MDM 2.0.”

In this model, every device within the network is registered to a single, centralized UEM solution. Active and passive scans automatically discover, provision or patch them all, detecting any devices that aren’t managed or aren’t securely up to date and presenting security risks. The device fleet is also optimized to operate seamlessly with all the company’s service providers such as Office365, Salesforce, SAP and so on.


[1] Messmer, Ellen. “Gartner Magic Quadrant Shifts Focus from MDM to Enterprise Mobility Management.” Network World, June 10, 2014. https://www.networkworld.com/article/2361467/gartner-magic-quadrant-shifts-focus-from-mdm-to-enterprise-mobility-management.html.

[2] Taylor, Petroc. “Enterprise Device OS Distribution 2022.” Statista, February 27, 2023. https://www.statista.com/statistics/741497/worldwide-enterprise-endpoint-operating-system-distribution