Moving Policy to Modern Management
Windows 10 is essentially a mobile operating system and should be managed in a modern way. Users are no longer tethered to physical office locations with domain-joined, always-on corporate network systems. We need to be able to manage these systems over the air from anywhere, much like we manage our other mobile devices today. We will now review how Windows was managed traditionally, and how we can manage policy in a modern way with Configuration Service Providers (CSPs).
1. Traditional Policy Management
Traditional policy management methodologies are based on domain-joined systems tethered to the corporate network. This does not provide much flexibility for the way the mobile workforce operates today. Microsoft policy management has been around for over 25 years and offers the following management methodologies today:
Group Policy (GPO)
- Centrally managed domain based policies
- Over 4000 GPOs available, many very obscure
- Can lead to long log in times
- Can't be easily retrieved unless the user logs in on the corporate network
- Must be domain members to receive group policy
Local Policy (LGPO)
- Distributed GPO management for non-domain joined machines
- Can emulate GPO settings
- Difficult to control as there is no centralized management
2. Modern Policy Management
Windows 10 is essentially a mobile operating system and can be managed over the air in the same way as your other mobile devices are. It has interfaces that allow settings which affect the registry and file system to be pushed over the air. These
2.1. Configuration Service Providers Overview
What is a CSP and why is it important?
Configuration Service Providers (CSP) are the interfaces used to read or set policies on the Windows device.
CSP capabilities have continued to grow with each release of the Windows 10 operating system. More capabilities can now be managed over the air using modern methods, reducing the dependency on traditional methods such as the requirement to log on to the domain network to get updated policies or the need to be at a desk at a branch location. Configuration on devices can be updated in real time, ensuring security and compliance at all times.
How can I use a CSP?
The Workspace ONE UEM console allows admins to configure policies through Profiles. Policies that are used often and across industries are exposed in the GUI for easy configuration: the admin can simply toggle switches or fill in text fields to set them up. The Workspace ONE UEM console also provides a Custom Settings profile that is extensible to any custom XML, which is sent to the device over the existing infrastructure used to communicate securely with it. Admins can leverage the Custom Settings profile to configure any CSP and publish those settings to devices. The XML used to configure a CSP, which the Open Mobile Alliance Device Management (OMA DM) client in the operating system parses to apply the appropriate settings, is called SyncML.
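The following is an added example, not code from the page or from Workspace ONE UEM, illustrating both the CSP overview above and the Custom Settings/SyncML workflow: it builds the SyncML `<Replace>` commands that address Policy CSP nodes by their `LocURI`, and then runs the sanity checks a practitioner would want before publishing a hand-written payload (well-formed XML, unique `CmdID`, `LocURI` inside the `./Device|./User/Vendor/MSFT/` CSP tree, a known `Format`, integer `Data` for `int` nodes). The two Policy CSP paths are real node names; the values pushed, the list of accepted prefixes and formats, and the check logic are assumptions for illustration, not the OMA DM client's own validation rules.

```python
"""Build and sanity-check SyncML for Policy CSP settings (added example, not from the page)."""
import xml.etree.ElementTree as ET

# Scopes assumed for CSP paths: device scope, user scope, and the legacy unscoped form.
VALID_PREFIXES = ("./Device/Vendor/MSFT/", "./User/Vendor/MSFT/", "./Vendor/MSFT/")
VALID_FORMATS = {"int", "chr", "bool", "b64", "xml"}
VALID_COMMANDS = {"Add", "Replace", "Delete", "Exec"}
METINF = "{syncml:metinf}"  # default namespace SyncML declares on <Format>

# Constructed sample input: real Policy CSP node paths; the values are illustrative.
SAMPLE_POLICIES = [
    ("./Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring", "int", 1),
    ("./Device/Vendor/MSFT/Policy/Config/Bluetooth/AllowDiscoverableMode", "int", 0),
]


def build_syncml(policies, command="Replace"):
    """Emit one <Replace> (or <Add>) command per (LocURI, format, value) tuple."""
    chunks = []
    for cmd_id, (loc_uri, fmt, value) in enumerate(policies, start=1):
        cmd = ET.Element(command)
        ET.SubElement(cmd, "CmdID").text = str(cmd_id)  # must be unique within the payload
        item = ET.SubElement(cmd, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = loc_uri
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", {"xmlns": "syncml:metinf"}).text = fmt
        ET.SubElement(item, "Data").text = str(value)
        chunks.append(ET.tostring(cmd, encoding="unicode"))
    return "\n".join(chunks)


def _format_of(item):
    """Read <Meta><Format>, with or without the syncml:metinf default namespace."""
    el = item.find(f"Meta/{METINF}Format")
    if el is None:
        el = item.find("Meta/Format")
    return None if el is None else el.text


def validate_syncml(text):
    """Return the list of problems found; an empty list means every check passed."""
    try:
        # A Custom Settings payload is a bare list of commands, so wrap it for parsing.
        root = ET.fromstring("<SyncBody>" + text + "</SyncBody>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems, seen_ids = [], set()
    for cmd in root:
        if cmd.tag not in VALID_COMMANDS:
            problems.append(f"unknown command <{cmd.tag}>")
            continue
        cmd_id = cmd.findtext("CmdID")
        if cmd_id is None or not cmd_id.isdigit():
            problems.append(f"<{cmd.tag}> has a missing or non-numeric CmdID")
        elif cmd_id in seen_ids:
            problems.append(f"duplicate CmdID {cmd_id}")
        seen_ids.add(cmd_id)
        for item in cmd.findall("Item"):
            loc_uri = item.findtext("Target/LocURI") or ""
            if not loc_uri.startswith(VALID_PREFIXES):
                problems.append(f"LocURI outside the CSP tree: {loc_uri!r}")
            fmt, data = _format_of(item), item.findtext("Data")
            if cmd.tag in ("Add", "Replace"):
                if fmt not in VALID_FORMATS:
                    problems.append(f"{loc_uri}: missing or unknown Format {fmt!r}")
                elif fmt == "int" and not (data or "").lstrip("-").isdigit():
                    problems.append(f"{loc_uri}: Data {data!r} is not an integer")
    return problems


if __name__ == "__main__":
    payload = build_syncml(SAMPLE_POLICIES)
    print(payload)
    print("problems:", validate_syncml(payload))
```

Running the script prints the two `<Replace>` commands that would be pasted into a Custom Settings profile, followed by an empty problem list. Feeding it a hand-edited payload that drops the `<Meta><Format>` block, reuses a `CmdID`, or targets a path outside the CSP tree reports each defect by `LocURI`, which is cheaper to catch in the console than after the OMA DM client has rejected the command on a fleet of devices.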