Improvements in the Microsoft Endpoint Manager (MEM) management solution were part of Tuesday’s Microsoft Ignite online event.
Remote worker support continued as a big Ignite theme, both in the Nadella CEO keynote talk, as well as in Microsoft’s tech announcements. A few improvements in Microsoft Endpoint Manager (formerly knowns as “System Center Configuration Manager”) fit that theme, although not all of these capabilities are available yet.
Most of the details are covered in this announcement by Corporate Vice Presidents Brad Anderson and Takeshi Numoto.
MEM Virtual Endpoint Support
Perhaps the most interesting MEM feature described is the ability to use it to manage Windows Virtual Desktop endpoints or endpoints that run using “third-party [non-Microsoft] VDI solutions.” It can be done simultaneously with managing “your physical PCs within the same console,” the announcement promised.
MEM support for managing devices using virtual desktop infrastructure services is still a few months off, though. The capability is expected to be at the preview stage “by the end of calendar year 2020,” Microsoft indicated.
Shared iPad Support in Azure AD
MEM already has the ability to add shared device support using the Azure AD identity and access management service for Android Enterprise, iOS, Zebra and Windows devices. Now there’s support for iPad devices, which Microsoft calls its “Shared iPad for Business” feature.
Shared iPad for Business lets end users log into an iPad using separate passcodes, if the Azure AD service is used. IT pros can “deploy shared iPad devices to your users and have them log in with their Azure Active Directory (AAD) accounts into separate partitions of the device,” Microsoft’s announcement explained.
Shared iPad for Business in MEM “is now generally available,” meaning it’s commercially released by Microsoft.
MEM Support for macOS
Microsoft is promising to deliver a “first-class management experience on the macOS” when using MEM. Specifically, it’ll be possible to use scripting for devices and leverage lifecycle management for apps. It’ll also be possible to set up single sign-on access to applications.
These new MEM capabilities for macOS devices are currently available at the preview stage.
Microsoft Endpoint Manager will be getting new “Microsoft Tunnel” support for connecting mobile devices (Android and iOS) to an organization’s network for remote access to apps and resources. Microsoft Tunnel has support for virtual private network configurations. It also supports security measures such as the Conditional Access service for checking device compliance with policies.
“Microsoft Tunnel supports full-device and per-app virtual private networks (VPN), split tunneling, and ties into Conditional Access to ensure your users and devices are compliant with policy before allowing access to your network,” Microsoft’s announcement explained.
Microsoft Tunnel is currently at the public preview stage in MEM.
MEM ‘Comanagement’ Additions
MEM Configuration Manager now includes support for Autopilot, Microsoft’s service (in collaboration with PC device makers) that lets end users self-provision new PCs out of the box. Autopilot previously was just a Microsoft Intune capability. This MEM Configuration Manager addition could be useful for IT pros when they need to support remote workers, as the provisioning work now takes place in the cloud.
Comanagement is Microsoft’s term for being able to use Intune capabilities within MEM Configuration Manager. Microsoft has removed a requirement to use Azure AD during device enrollment when using comanagement. This change is deemed as being helpful for organizations that have invested their time in using Configuration Manager.
“This [removal of the Azure AD requirement] is important for you because it enables you to move to modern provisioning and retain and use the investments you have made in your ConfigMgr application library,” the announcement explained.
MEM Configuration Manager support for Autopilot and the removal of the Azure AD requirement both apparently are at the public preview stage.
MEM Support for the Edge Browser
Microsoft is building the mobile application management capabilities of MEM into its Microsoft Edge browser. It’ll let organizations set controls over where Web app data resides. These mobile application management capabilities will work across all of the platforms that can run the Edge browser. The timing wasn’t described, but it was characterized as being a preview feature.
Apparently, the mobile application data protection happens via Microsoft Endpoint Data Loss Prevention service, as explained in this Windows blog post. Organizations using Edge with Enterprise Mode turned on to use Internet Explorer technologies also will soon be able to manage their Site Lists from the cloud, Microsoft promised. Internet Explorer 11 is falling out of support, which will happen at the end of November.
Microsoft is also planning to add the ability to use Intune just to manage app configurations, rather than the whole device, which is explained in this Microsoft video. It allows control over apps used for work purposes, without affecting other non-work app experiences. Here’s how the Windows blog explained it:
If on a personal device, end users can login with their work identity and the organization will only manage that experience. IT departments get the control they want for compliance, and end users can work from the device that best suits them — even if it’s their personal device — without handing over the keys.
Microsoft also announced an Edge browser version rollback capability that lets IT pros go back to the previous Edge version if things aren’t working. This rollback feature is currently available.
Edge Comes to Linux
Big ancillary news this week is Microsoft bringing the Edge browser to the Linux operating systems. It’ll be available as a preview in October, and can be downloaded at the Microsoft Edge Insiders site. Alternatively, it’ll be possible for Linux users to download Edge “from the native Linux package manager.”