What is Modern Desktop Management?
Desktop management is a mature administrative IT task that goes back at least 20 years, with the advent of Group Policy. It filled a key need: enabling IT administrators to enforce user and computer policies at a large scale for network-connected devices. Administrators were able to control features like desktop wallpaper, access to command prompts, printer assignments, drive mappings, storage definitions, and more. However, the emergence of cloud computing, consumerization of IT, and mobility have changed the way end users access their desktops.
Microsoft Group Policy launched many years before end-users came to expect anywhere, anytime access to their corporate network. It wasn’t built for a cloud-first, mobile-first, non-domain-joined world. Yet these modern problems required modern solutions, and thus, modern desktop management was born.
Modern Desktop Management Defined
The term “modern desktop” can be defined as any interface in which end-users access the corporate network, via non-domain-joined or domain-joined machines, the cloud, or virtualization. Accordingly, modern desktop management would be defined as the consistent configuration, security, and management of these workspaces.
Maximize Your MDM and Autopilot Investment
PolicyPak MDM Edition can supplement your MDM service, like Microsoft Intune, VMware Workspace One, or MobileIron, with features those MDM services don’t have. If you want to augment your Windows 10 management capabilities significantly, deliver nearly 100% of Microsoft Group Policy settings, as well as provide lockdown security protection for your users and devices, then this paper is for you. In this paper, we show you how PolicyPak MDM Edition can maximize the investment you made in your MDM service, and give you control over your Windows 10 computers in a way you didn’t think possible.
Modern Desktop Management Platforms
Group Policy is the gold standard for managing desktops and has the most granularity, familiarity, reliability, and flexibility. However, it only works in a domain-joined environment and doesn’t work well with modern cloud services. In contrast, MDM platforms like Microsoft Intune, Citrix Endpoint Manager, and VMware Workspace ONE can manage non-domain-joined computers, but they don’t have nearly the policy breadth nor depth as Microsoft Group Policy.
The Path to Modern Desktop Management: A Hybrid Approach
Organizations shouldn’t have to choose between “traditional desktop management” and “modern desktop management” because the two paradigms have very different use cases. For example, a fleet of traveling salespeople who are hardly in the office is more heavily reliant on cloud services and mobile devices than financial accountants and human resources personnel who are expected to log in at the office every day. In these use cases, all of which may belong to the same organization, a hybrid approach works best so that each device could be managed with the model that fits best.
Figure courtesy of Microsoft <<original link>>
Modern Desktop Management or Traditional Desktop management: A Simple Flowchart
How do you know whether or not modern desktop management is the right approach for your organization? First, you must understand how, when, and where users in your organization will access their corporate desktops. Here’s a quick flowchart that can help you quickly determine which approach is right for you and your users. In general, devices that are not used on the go or are mobile but are already domain-joined will not need modern desktop management, while on the go devices that are not domain-joined will require this management type.
Figure courtesy of Microsoft <<original link>>
Flexibility vs. Policy Depth: You Don’t Have to Choose
Traditional desktop management and modern desktop management are sometimes at odds because modern desktop management solutions like Microsoft Intune, Citrix Endpoint Manager, and VMware Workspace ONE don’t provide nearly as many policies as Microsoft Group Policy. This deficiency can create a disparity in user experience, security, compliance, and standardization. Fortunately, PolicyPak MDM edition bridges this gap and allows you to apply nearly any Group Policy setting to an MDM-enrolled Windows 10 device.
The way PolicyPak MDM Edition works is simple. First, you export a Group Policy setting as an XML. Then you wrap it up in an MSI. Finally, you deploy it to your MDM-enrolled devices and manage them just like you would traditional desktop management and traditional desktops.
MDM vs Group Policy: Where MDM Still Comes up Short
As more organizations consider implementing an MDM solution, an obvious question arises: does MDM replace Group Policy? After all, both of these tools deliver managed settings and can deploy applications. So do you need both, or can you retire your GPOs and replace them with MDM profiles?
Overcoming Native Desktop Management Limitations
No matter which approach you choose, you’re going to need to add a turbo-booster to your management technology of choice. It doesn’t matter if you decide on Group Policy, or Config Manager, or Intune, PolicyPak adds on functions that none of these options have.
Many of the go-to applications for your users no longer reside in the Program Files Directory. They live in the cloud and run in a browser. Now consider the fact that desktops typically have more than one browser. PolicyPak Browser Router gives you complete control of today’s multi-browser environments, securing all browsers in the process. Choose a default browser and pair browser-based applications and websites with the browser of your choice. You can even match sites and internet applications with their required Java versions using Java Rules Manager.
Local Admin Rights and Malware Management
A modern desktop solution that doesn’t enforce security is of little value today. Since hackers don’t attack the perimeter anymore, securing the desktop is everything, yet too many organizations make it easy for attackers by allocating local admin rights to standard users.
PolicyPak Least Privilege Manager has one purpose – increase the security of Windows. It enables you to remove local admin rights but give standard users the ability to perform select privileged tasks. It also stops users from inadvertently clicking on executables and unauthorized applications in a way that is similar to application whitelisting, without the hassles of managing whitelists. With a few clicks of the mouse, you can prevent users from opening downloaded or transferred files. With PolicyPak Least Privilege Manager, users can do everything they are supposed to do without the significant security risk.
Customizing Windows Rollouts
Thanks to deployment tools today such as Windows Autopilot, admins no longer need to customize machines before the user logs on. So how does one perform customization? It is easy with PolicyPak. Whether a machine is on-prem or off-prem, user deployed devices can receive all of their customized setting configurations as soon as they connect to any network. Use PolicyPak Start Screen and Taskbar Manager to give you complete tile placement and lockdown control of the Windows 10 Start Screen and the ability to pin or remove items on the Windows Taskbar.
Complete Control with Modern Desktop Management
With so many facets to the Windows desktop today, it can be challenging to find a modern desktop solution that offers complete manageability. It needs to enable users to work wherever they need to yet keep them secure regardless of location. It also needs to deliver customized settings yet lock them down as well. Finally, it needs to be able to manage complex desktop environments but do so with minimized overhead.
Modern desktop management must meet all of these stringent demands today, and PolicyPak gives you the solutions to achieve all of them. Security, predictability, customization, protection, and control. This is what modern desktop management is all about, and it’s what PolicyPak delivers.
Accelerate your transition to MDM with real Group Policy and additional PolicyPak settings for MDM enrolled devices.
Extend and enhance your MDM service with the power and flexibility of Group Policy. PolicyPak works with and strengthens your MDM system (like Intune, Workspace ONE or MobileIron) to increase security and management of your domain-joined and non-domain-joined devices.
*** This is a Security Bloggers Network syndicated blog from Blog Posts – PolicyPak authored by Ryan Oistacher. Read the original post at: https://www.policypak.com/pp-blog/modern-desktop-management