Tag Archives: Intune

Managed Home Screen: A Configuration Guide

Posted on by
Reply

As a business, it’s important to always be on the lookout for devices and applications that can improve the way you carry out your business operations. With platforms such as Managed Home Screen (MHS), the benefits to your business will be clear to see for everyone.

What MHS offers is an application for corporate Android Enterprise devices. This works for those enrolled via Intune and running in multi-app kiosk mode. Once installed on these devices, MHS will function as a launcher for other approved apps to run on top of it.

In previous articles, we have gone over the new features that Microsoft has added to MHS. We’ve also covered their benefits to your organization. In this article, we’ll be discussing some of the key configuration aspects of the Managed Home Screen platform.

When do you configure the Managed Home Screen app?

Start by verifying if your devices meet the prerequisites. This is because Intune only supports the enrollment of Android Enterprise dedicated devices for Android devices running OS version 8.0. In addition, these devices should be able to connect to Google Mobile Services.

Likewise, MHS only supports Android devices running OS version 8.0 and above. If you find that the settings are available through device configuration profiles, then you should configure the settings there. This will be faster, limit errors, and give you a better Intune-support experience.

Also, note that there are some MHS settings only available via the App configuration policies pane in the Intune admin center. When using App configuration:

  • Head over to the Microsoft Intune admin center and select Apps > App configuration policies.
  • Add a configuration policy for Managed devices running Android.
  • Select Managed Home Screen as the associated app
  • To configure the different available MHS settings, select Configuration settings.

Selecting a Configuration Settings Format

To define configuration settings for MHS, there are two methods available:

  • Configuration designer – enables you to configure settings with an easy-to-use UI. It allows you to toggle features on or off and set values. With this method, you’ll find a few disabled configuration keys with the value type BundleArray. The only way to configure these keys is by entering JSON data.
  • JSON data – with this option, you can define all possible configuration keys using a JSON script.

Moreover, by adding properties with Configuration Designer, you can automatically convert these properties to JSON. Do so by selecting Enter JSON data from the Configuration settings format dropdown.

Using Configuration Designer

Configuration designer will enable you to select pre-populated settings and their associated values. In the table below, you’ll find a list of the MHS available configuration keys, value types, default values, and descriptions. The description gives you the expected device behavior based on selected values. Note that the BundleArray type of configuration keys disable in the Configuration Designer.

Configuration to customize applications, folders, and general appearance of Managed Home Screen

Configuration KeyValue TypeDefault ValueDescriptionAvailable in device configuration profile
Set allow-listed applicationsbundleArrayYou can find it under the Enter JSON Data sectionEnables you to define the set of apps you see on the home screen form along with the apps installed on the device. Entering the app package name of the apps that you want visible allows you to define the apps. Any app that you choose to allow-list in this section needs to be already installed on the device to be visible on the home screen.Yes
Set pinned web linksbundleArrayYou can find it under the Enter JSON Data section  Enables you to pin websites as quick launch icons on the home screen. Using this configuration allows you to define the URL and add it to the home screen for the end-user to launch in the browser with a single tap.Yes
Create a Managed Folder for grouping appsbundleArrayYou can find it under the Enter JSON Data sectionEnables you to create and name folders and group apps within these folders. End-users can’t rename or move folders and neither can they move the apps within the folders. Folders will appear according to the order of creation and apps according to alphabetical order. If you have apps that you want to group into folders, they must first be assigned as required to the device and must have been added to the Managed Home Screen.Yes
Set Grid SizestringAutoEnables you to set the grid size for apps to be positioned on the managed home screen. Use the format “columns ; rows ” to set the number of app rows and columns to define grid size. When defining grid size, the maximum number of apps visible in a row on the home screen is the number of rows you set. Likewise, the maximum number of apps visible in a column on the home screen is the number of columns you set.           Yes
Lock Home ScreenboolTRUEEliminates the ability of the end-user to move around app icons on the home screen. Enabling this configuration key locks the app icons on the home screen. End-users can’t drag and drop to different grid positions on the home screen. When turned to false, end-users will be able to move around the  app and weblink icons on the Managed Home Screen.Yes
Application Order EnabledboolFALSETurning this setting to True will enable you to set the order of apps, weblinks, and folders on the Managed Home Screen. After it’s enabled, you can set the ordering with app_order.Yes
Application OrderbundleArrayYou can find it under the Enter JSON Data sectionEnables you to set the order of apps, weblinks, and folders on the Managed Home Screen. You can only use this setting if Lock Home Screen is enabled, the grid size is defined, and the Application Order enabled is set to True.Yes
Applications in folder are ordered by nameboolTRUEFalse enables items in a folder to appear in the order they’re specified. If not for this, they will be displayed in alphabetical order.No
Set app icon sizeinteger2With this, you can define the icon size for apps displayed on the home screen. Below are the values that you can use in this configuration for different sizes:   0 (Smallest),1 (Small), 2 (Regular), 3 (Large)4 (Largest).Yes
Set app folder iconinteger0With this, you can define the appearance of app folders displayed on the home screen. The appearance can be selected from the values below:   Dark Square(0)Dark Circle(1)Light Square(2)Light Circle(3)Yes
Set screen orientationinteger1Using this, you can set the orientation of the home screen to portrait mode, landscape mode, or allow auto rotate. The orientation can be set by entering the values below:   1 (for portrait mode),2 (for Landscape mode),3 (for Autorotate).  Yes
Set device wall paperstringDefaultBy using this, you can select a wall paper of your choice. All you need to do is enter the URL of the image that you want to set as a wallpaper.Yes
Define theme colorstringlightDecide whether you want Managed Home Screen app to run in “light” or “dark” mode.No
Block pinning browser web pages to MHSboolFALSEBy turning this restriction to True, you can prevent users from pinning web pages from any browser onto Managed Home Screen.No
Enable updated user experience     boolFALSESwitching to True will enable the updated app design to be displayed along with the improvements to user workflows for usability and supportability, for MHS. However, if you keep it as False, users will continue to see previous workflows on the app   An important thing to note here is that from August 2024 onwards, previous Managed Home Screen workflows will no longer be available and all devices will need to use the updated app design.No
Top Bar Primary Elementchoice This key helps you choose whether the primary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. You can only use this setting when the Enable sign in key is set to false. Otherwise, the user’s name will be shown as the primary element when the key is set to True. If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to true.  No
Top Bar Secondary Elementchoice This key helps you choose whether the secondary element of the top bar will be the device Serial Number, Device Name, or Tenant Name.  If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to true.  No
Top Bar User Name Stylechoice This setting enables you to select the style of the user’s name in the top bar based on the following list: display name last name, first name first name, last name first name, last initial You can only use this setting when the Enable sign in key is set to True. If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to true.No

Key things to note

Ensure the Managed Home Screen app seamlessly meets Google Play Store’s requirements. This is contingent on the app’s available update at the API level. However, doing it this way translates to a few changes to how Wi-Fi configuration works from Managed Home Screen. So, some of the changes you should expect to encounter include:

  • Users won’t be able to change the Wi-Fi connection for the device, whether it be enabling or disabling the connection. However, despite not being able to turn the Wi-Fi on or off, users can still switch between networks.
  • In addition, users also won’t be able to automatically connect to a configured Wi-Fi network with a first-time password requirement. Instead, after entering the password for the first time, the configured network will then automatically connect.

ANDROID DEVICES RUNNING OS 11

All those who are using Android devices running OS 11 should note another aspect. Whenever an end-user tries to connect to a network via the Managed Home Screen app, a consent pop-up prompt will appear. This pop-up is from the Android platform itself and therefore not specific to the Managed Home Screen app.

Furthermore, users will see a request to enter a password. This happens when attempting to connect to a password-protected network via the Managed Home Screen app.

You’ll notice that the network will only change if the device does not have a connection to a network. This includes instance when you have input the right password. All devices already connected to a stable network won’t connect to a password-protected network via the Managed Home Screen app.

ANDROID DEVICES RUNNING OS 10

For individuals using Android devices running OS 10, there’s another consideration. When an end-user tries to connect to any network using the Managed Home Screen app, they will receive a prompt with a consent via notifications.

Because of this prompt, users whose devices are running OS 10 must have access to the status bar. Also, notifications to be able to complete the consent step. Therefore, IT admins may need to use General settings for dedicated devices to avail the status bar. They’ll also do so for notifications to the appropriate end-users whenever necessary.

Furthermore, users will see a request to enter a password. This happens when attempting to connect to a password-protected network via the Managed Home Screen app. You’ll notice that the network will only change if the device does not have a connection to a network. This applies even if you have input the right password.

BLUETOOTH CONSIDERATIONS

If a device is running Android 10+ and using Managed Home Screen, successful Bluetooth pairing on devices that require a pairing key requires certain conditions. IT admins will need to enable a few Android system apps and these are as follows:

  • Android System Bluetooth
  • Android System Settings
  • Android System UI

Managing troubleshooting issues

One of the best updates that Microsoft brought to Managed Home Screen is the introduction of enhanced troubleshooting features. Users now get access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.

This access aims to simplify the troubleshooting process for device users which can reduce downtime and thereby increase productivity. To help even further, you’ll find configurations in the table below. These help troubleshoot various problems that users can encounter on their devices:

Configuration KeyValue TypeDefault ValueDescriptionAvailable in device configuration profile
Exit lock task mode passwordstring Input a 4-6-digit code to use to temporarily drop out of lock-task mode for troubleshooting.Yes
Enable easy access debug menuboolFALSESwitch this setting to True and you can access the debug menu from the Managed Settings menu while in Managed Home Screen. If you want to exit kiosk mode, you’ll need to go to the debug menu to find the capability. With that done, you need to click the back button about 15 times. Alternatively, if you want to keep the entry point to the debug menu only accessible via the back button, you should keep the setting switched to False.Yes
Enable MAX inactive time outside of MHSboolFALSEIf you want to automatically re-launch Managed Home Screen after a set period of inactivity, you’ll need to switch this setting to True. Note that the timer will only count inactive time and, upon configuration, will reset each time the user interacts with the device while outside of MHS. To set the inactivity timer, use Max inactive time outside MHS. This setting is kept off by default. You can only access this setting if Exit lock task mode password has been configured.No
MAX inactive time outside MHSinteger180Specify the maximum amount of inactive time (in seconds) that a user can spend outside of MHS before it is automatically re-launched. Users will find this configuration set to 180 seconds by default. If you want to use this setting, Enable MAX inactive time outside of MHS must be set to true.No
Enable MAX time outside MHSboolFALSEIf you want to automatically re-launch MHS after a set period of time, you must set this setting to True. The timer considers both active and inactive time spent outside of MHS. You need to use MAX time outside MHS to set the inactivity timer. This setting is kept off by default. You can only use this setting after Exit lock task mode password has been configured.No
MAX time outside MHSinteger600You must specify the maximum amount of absolute time (in seconds) that a user can spend outside of MHS before it is automatically re-launched. Users will find this configuration set to 600 seconds by default. You can only use this setting if Enable MAX time outside of MHS is set to true.No

Microsoft ecosystem provides Android users with an optimal experience

Managed Home Screen and all its features are helping to enhance the user experience. MHHS supports Android users who rely on the Microsoft ecosystem for business purposes. For years, the relationship between Microsoft and Android has allowed for a better integration between the concerned platforms. It also provides end-users a better overall experience. All of this fits in perfectly with the evolution we have witnessed in the development of excellent mobility solutions.

Over the last few years, there has been a significant increase in those who appreciate the possibility of remote work. Plenty are enjoying the option of being able to work from home. There are additional benefits, including creating their own schedules. But they can also maintain or even increase their productivity levels.

Android users make up a decent portion of Microsoft clients. So, it’s not surprising that Microsoft aims to provide users with all the solutions they need. And Microsoft outfits users to be successful in their business operations. And with Managed Home Screen, Android users get an app that can further enhance their interaction with the Microsoft ecosystem.

The ability for organizations to customize and control user experiences is paramount. It enables them to ensure that end-users will have access to everything they need while simultaneously putting in certain restrictions.

Additionally, end-users can enjoy a much-improved experience. This is because MHS enables businesses to create consistent and simplified experiences across device types and OEMs.

End-users can expect continued innovations and improved features thanks to the global network of experts established by Microsoft and Google. These client specialists, with deep knowledge of Android devices and services, significantly contribute to the ongoing development of services. They will also further enhance the user experience.

It’s because of collaborations like these and the expertise obtained that MHS users can access features that address issues on-device. It’s also how they painlessly equip Microsoft support to troubleshoot issues on-device. So, as the improvements continue to roll out, businesses and individuals will take a keen interest. All of these changes can improve how they do business.

Wrap up

If there is anything that we can expect with regard to technology, it’s that we will continue to see changes. Most intend to improve the end-user experience. The features that Managed Home Screen offers, as well as the available improvements, are a testament to Microsoft’s goal. Microsoft continuously aims to create the optimal experience for Android users.

With feedback from Android experts being a key part of development, end-users can expect ongoing improvements. They can also expect to reap the many benefits of an ever-improving Microsoft ecosystem. One only has to take a look at the depth of products and services available to Android device users. It’s then evident that businesses have plenty to benefit from with these programs and features.

Microsoft Is Launching A New Intune Suite

Posted on by
1

Endpoint management is critical to the way that organizations can utilize and safeguard their resources. By using endpoint management solutions, IT teams can identify, monitor, and control the level of access that end users have to corporate resources. And it’s what inspired Microsoft’s new Intune Suite.

Endpoint management solutions enable IT professionals to improve the security of corporate data and significantly reduce the risk of security breaches. The importance cannot be overstated especially now when some research suggests that as a direct result of the pandemic there has been a 600% rise in cybercrime.

This is why Microsoft is looking to make changes to its array of endpoint management solutions to better cater to the needs of all organizations.

Recent developments

Microsoft has been working on improvements for endpoint management to strengthen corporate data security and increase efficiency. To that end, the company has just announced that a new suite of advanced endpoint management solutions will be launched in March 2023 together in one, cost-effective plan. This new plan has several benefits that will be offered to clients.

IT is going to be equipped with products that will improve endpoint management and also offer increased security to your hybrid workforce. This is ultimately going to deliver a better overall experience across your organization as well as increased operational efficiency. This new development is something that Microsoft had already talked about earlier this year.

The journey towards a bundled suite of advanced endpoint management solutions began with the rolling out of Remote Help for Windows. By using this service, the process of getting assistance for users on Windows devices is made easier.

Because of the integration with Microsoft Endpoint Manager, remote assistance can be rendered to managed devices. It also integrates with Azure AD ensuring that authentication and compliance information can be provided.

According to the announcement by Microsoft, in addition to Remote Help, this new bundled plan which will be introduced in March 2023 will also bring together Microsoft Tunnel for Mobile App Management, Endpoint Privilege Management, advanced endpoint analytics capabilities, and more advanced management capabilities in Microsoft Intune.         

Changes are coming

There was plenty to talk about at the Microsoft Ignite 2022 but one of the key areas would have been undoubtedly to do with Microsoft Endpoint Manager. As you would have noticed by now we are talking about a new Intune suite.

And that is because Microsoft announced that going forward the Microsoft Endpoint Manager brand will be replaced by Microsoft Intune. This change is not one for the future but something that has already been implemented. If you head over to the Microsoft Endpoint Manager landing page, you’ll notice that the name Microsoft Intune has already taken over.

It would appear that as far as endpoint management development is concerned, Microsoft is looking to place greater focus on cloud services. However, it’s worth noting that Intune, Configuration Manager, and the Co-management capability will still be retained. But, Microsoft Intune will be taking over as the main platform with regard to future development. Microsoft said in its announcement:

“Today, we’re announcing that Microsoft Intune will be the name of the growing product family for all things endpoint management at Microsoft…. The name Microsoft Endpoint Manager will no longer be used. Going forward, we’ll refer to cloud management as Microsoft Intune and on-premises management as Microsoft Configuration Manager.”    

Embracing the cloud

Although cloud-based services come with plenty of well-known benefits, it’s not everyone who has adopted the cloud approach. This is why Configuration Manager is still available to allow organizations to operate the way they want.

However, Microsoft continues to try and encourage migration to the cloud. And the cloud attach capability is one that is being talked about as something that could help facilitate the transition to the cloud. Most are already familiar with co-management and tenant attach so what exactly is cloud attach?

Cloud attach is a capability that allows for the enabling of both co-management and tenant attach. If your organization uses Configuration Manager, this gives you a way to have even more flexibility in managing endpoints without having to choose between security, compliance, and supporting new work realities.

Explaining the vision   

Inevitably, a lot of people will be rightly wondering why Microsoft is moving in this direction. Why the need for a suite of advanced solutions for endpoint management? Well, the answer is pretty simple.

When it comes to endpoint management, Microsoft is the biggest player in the game and so there is a need to continuously improve the services on offer. The countless millions of managed devices that Microsoft is responsible for require solutions that adapt to the changing environment.

As mentioned above, cybercrime has shot up at alarming levels in recent years. So endpoint management solutions need to strive to stay ahead of the threats. Microsoft received a lot of feedback from CTOs in recent years explaining how the needs of hybrid work are changing. This is leading organizations to combine security solutions from different providers to meet the security needs of their operations. As one would expect, this complicates life for IT staff and potentially adds massive costs to your overall expenditure.

This obviously will not go over well with management. And corporate security may end up suffering if the organization fails to meet the skyrocketing costs of the necessary solutions. IT departments feel pressure to cut corners and put in place temporary measures just to try and keep operations running.

Most would probably agree that this is not an ideal scenario and is a very tedious way of operating. So the announcement by Microsoft to introduce a bundled suite of advanced endpoint management solutions comes as welcome news. Clients can get a more comprehensive solution that can do what they currently need multiple products to do.

Enhancing endpoint management

The new Intune Suite intends to allow organizations to bring together in one place all the tools needed for securing their corporate data as well as managing their endpoints. In addition, this combined service will eliminate the risks of local admin users and give clients access to remote assistance. Not to mention that IT will be thrilled to see an improvement in the health and performance of Windows endpoints. The capabilities that we’ll discuss below will potentially change your IT environment for the better.

Remote Help for Windows and Android       

As I mentioned earlier, the initial version of Remote Help for Windows launched in April of this year. So what we can expect with the March 2023 release is an addition of enhancements to the Windows experience as part of the advanced management suite. The capabilities you get include ServiceNow integration that helps to provide service management incident information to Intune so that users’ technology issues can get a swift resolution.

Clients will also benefit from an improved messaging platform. It intends to simplify the process of viewing the reasons for device noncompliance, as well as how the IT Helpdesk staff hears the audio from the users who require remote assistance. Furthermore, there is enhanced elevation that will provide for quicker resolution. It’s especially helpful with issues that require alternate admin credentials because of the interaction with the User Account Control prompt.

Microsoft will also be looking to introduce support for Android. The addition of this capability will enable admins to serve their Frontline workers remotely with greater ease. This will offer a massive advantage to Android users because they can have any issues resolved a lot quicker. Admins can contact these users (who can also contact admins themselves), remotely diagnose the issue, and collaborate with the user to find a solution to the problem. This allows the user to quickly get back to work.

Endpoint Privilege Management

This is something that beginning in early 2023 Microsoft will be offering in public preview to clients with Microsoft Intune subscriptions. What this service will do is help you to automate and manage when workers have permission to use admin privilege for specific tasks on both Windows cloud-connected and co-managed endpoints.

According to Microsoft, by using Endpoint Privilege Management you’ll be able to give your users standard account privileges without making them local admins. With the use of these standard account privileges, users can be dynamically elevated to admin privilege for specific admin-approved tasks, based on the specific policies of your organization.

The advantage here is twofold. On one end, the organization will have a significant improvement in its security posture. And on the other end, users can become more productive. The objective is to ensure that IT admins have all the necessary tools to furnish employees of the organization with the capability to self-serve should the need arise.

To maintain a high level of security, this needs to follow Zero Trust principles hence the need for least privileged access. Furthermore, Endpoint Privilege Management will allow your organization to define the rules and parameters in Intune. Additionally, it will allow for configuration of a standard user’s permissions to be automatically elevated, be self-managed, or set to require authorization.

This is something that is going to impact operational efficiency massively by enabling users to perform tasks securely. These tasks include actions like adding approved apps, printers, or other peripheral devices. And all of this without the assistance of the IT helpdesk. Intune Endpoint Privilege Management will become generally available as part of the suite of advanced endpoint management solutions. It’s also available as an individual add-on to your Intune Suite subscription.

Microsoft Tunnel for Mobile Application Management

Microsoft Tunnel for Mobile Application Management (MAM) is a great service that is designed to bring convenience to end-users. In an era when employees are often carrying multiple devices to separate the personal from the professional, this feature will allow employees to use just a single device.

The beauty of the service is that there is no enrollment necessary. Corporate data will remain secure without end-users having to hand over control of their personal devices to IT. I’m sure many will like this the most about Microsoft Tunnel. So for organizations, this is going to address several issues.

You can now comfortably implement BYOD policies without worrying about the security of corporate data or user privacy. Switching to a BYOD program is also financially advantageous for organizations, as they no longer need to constantly invest in corporate-owned devices.

In addition, unenrolled iOS and Android devices get secure access to on-prem apps and resources using modern authentication, Single Sign On, and conditional access. This is because of how Microsoft Tunnel for MAM extends the VPN gateway to these devices. So this will enable the users of these unmanaged devices to also get secure access to corporate resources.

Because no device enrollment is needed the currently available capabilities of Microsoft Tunnel will be expanded. A good example of this is how Android apps won’t need integrating with any SDKs. Other than the MAM SDK, which is used to auto-start VPN for apps, applies if desired or to retrieve trusted root certs.

Advanced Endpoint Analytics

Endpoint Analytics aims to enable IT in optimizing the user experience and improve productivity. Endpoint Analytics provides insights that can help IT admins be proactive in their tasks, as well. This feature offers both IT staff and end-users a system that obtains detailed and granular data on the organization’s endpoints. Additionally, it improves insights into how the business is performing.

IT can leverage this data to provide proactive assistance to end-users. And it establishes a greater degree of working efficiency. This new suite that Microsoft is bringing to its clients will include several advanced endpoint analytics features. These seek to better equip IT to have a better analytical overview and understanding of how the end-user experience is going. And with these capabilities, the end-user experience can be optimized regardless of where the employee may be working from.

How it’s going to help

The introduction of improved drill-down capabilities is also going to help admins better cater to the needs of devices under their management. By using these capabilities, it becomes easier for IT to assess any areas that require improvement. And it will assist to prioritize targeted actions for specific people in your organization.

The insights that one can get are also invaluable for comparison purposes. For instance, some employees prefer working remotely. Organizations can take advantage of the detailed information they have to compare the experiences of workers in different working environments.

Microsoft has also talked about a new anomaly detection capability that will combine real-time visibility, AI, and machine learning. This capability intends to simplify the life of IT admins by eliminating the need to consistently monitor custom dashboards. It also eliminates complicated alert systems to assess the performance of endpoints in your care.

What anomaly detection will offer them, instead, is a system that delivers an early warning mechanism. This allows for proactive learning about user-impacting issues rather than relying on various other channels such as support for these reports. Anomaly detection helps to streamline the process and minimize any loss of productivity.

Additional benefits

This platform will enable the automatic identification of issues, including unexpected machine reboots, app crashes, and hardware and peripheral failures. It helps IT admins better analyze the issues at hand. And the anomalies are categorized based on severity and come with any relevant information. Once the information is available, IT can carry out a thorough analysis of the anomalies and implement the necessary measures.  

The new enhancements that Microsoft is introducing are going to make the organizations operate a lot more efficiently. By leveraging automations and proactive remediations, potential issues can be resolved before end-users are even aware that there’s an issue.

IT and support staff can look forward to plenty of new features in the new advanced endpoint management suite. They will now be able to run customized remediation scripts on individual devices on-demand and in real-time. This is something that happens within their troubleshooting sessions. Additionally, it offers instant fixes or change the device configuration to ensure devices are always performing optimally.       

Wrap Up

Going forward more and more organizations are embracing the hybrid workforce model as potentially the way to go. It’s not surprising as several surveys show that plenty of employees want to have the option of working remotely.

So if organizations are going to adopt this model, as well as put in place BYOD policies, it’s essential to have endpoint management solutions that make this a viable option. And this is just what Microsoft is aiming to do with the new advanced endpoint management solutions suite. This should give IT admins everything they need for effective endpoint management in one place.

No longer will you need to stitch together products from multiple vendors that will cost you dearly. If this new suite of products delivers as promised, then organizations will have an invaluable tool to add to their arsenal.

Why Cloud Management Gateway Is So Important Now

Posted on by
Reply

With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).

By utilizing the CMG, your business has an alternative to IBCM that most would consider a significant upgrade. This creates a favorable environment that allows your organization to eliminate the obstacles of having a remote workforce. Needless to say but the CMG can play a massive role in your organization and its importance is certainly worth discussing.

Requirements

Before you can use the Cloud Management Gateway you need to meet the following requirements:

  • An Azure subscription to host the CMG,
  • You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
  • During the initial creation of certain components, the participation of an Azure admin is needed,
  • You need at least one on-premises Windows server to host the CMG connection point,
  • A server authentication certificate for the CMG,
  • There needs to be an integration of the site with Azure AD to deploy the service with Azure Resource Manager,
  • Depending on your client OS version and authentication model, other certificates may be required,
  • Clients are required to use IPv4.

When is it useful?

There are several scenarios where the CMG could come in handy and they include the following:

  • For management of traditional Windows 10 clients using modern identity which can either be hybrid or pure cloud domain-joined with Azure AD.
  • For management of traditional Windows clients with Active Directory domain-joined identity. The clients included are Windows 8.1 and Windows 10.
  • For installation of the Configuration Manager client on Windows 10 devices over the internet.
  • For new device provisioning with co-management.

Benefits to your business

CMG enables your Enterprise admins to perform several actions. Among the things they can do, they can manage the following over the internet:

  • Push software updates and enable endpoint protection,
  • Inventory and client status,
  • Compliance settings,
  • Software distribution,
  • Windows 10 in-place upgrades,
  • Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.

Eliminates complications

Although Internet-based client management (IBCM) has been around for years, a lot of users tend to find it complicated. CMG aims to be a simpler solution. It is an Azure-hosted service that manages internet-based clients through a new role called the cloud management gateway connector point.

By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.

Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.

Manage internet clients

Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.

However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.

Furthermore, it doesn’t require you to buy any additional IT infrastructure. So unlike IBCM that would need additional hardware that you need to maintain, for the CMG you just need to have Azure.

Strengthen your security

The moment you have systems that are not directly connected to your IT infrastructure, your data security is at an increased risk. This is particularly evident with remote work.

Although a lot of businesses have responded by using VPNs, you cannot adequately protect workstations through VPN channels. Hence the importance of the Cloud Management Gateway.

With it, you can better manage devices connected to the Internet and thus improve your corporate security posture. This is further enhanced by the fact that you can leverage Microsoft Azure services so that there is no need to expose your infrastructure to the internet.

Cost management

Whenever you use cloud services, you will incur costs associated with your usage. And the Cloud Management Gateway is no exception. Fortunately for clients, Microsoft intends to help you to keep those costs under control. You can do this through client settings, for instance, where you can determine which clients can access the CMG.

Another feature you can leverage is virtual machine configuration. The latter enables you to choose between 1 and 16 virtual machines per instance of Cloud Management Gateway. Also, if you want to, you can stop the CMG so that it’s no longer serving clients.

Therefore, to optimize user experience for all clients, the CMG helps to reduce the unavoidable costs that come with cloud services.

Constantly evolving

Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.

This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:

  • Traditional PC management (Windows 7, 8.1, 10),
  • Modern PC management (Windows 10 with modern identity),
  • Internet client installs.

Wrap up

Every organization should be looking for ways to make the most of its IT investments. Thus from the information available, we can see that every environment that uses ConfigMgr can benefit from using the Cloud Management Gateway. And you can leverage the CMG for clients all across the globe. The convenience that this provides you cannot be overstated. As the world changes and technology evolves, we need platforms that can help organizations to become more efficient and enhance productivity.