We’ve been following VMware’s work on Windows 10 management for years, but the last few months have been especially active and interesting.
At VMworld Europe, VMware announced a new offering called VMware Workspace ONE for Microsoft Endpoint Manager.
Microsoft Endpoint Manager—which represents the integrated future of Microsoft Intune and SCCM—had just been announced the day before at Microsoft Ignite 2019. This was big news, and Microsoft also declared that SCCM isn’t going away, and that co-management (using Intune and SCCM together on the same device) isn’t just a bridge, but rather, it can be a destination.
On top of all this, earlier this year, Microsoft made a change to SCCM that made it more difficult to use third-party MDM connections (e.g., MDM enrollment in Workspace ONE) on devices managed by SCCM.
I already wrote about Microsoft Endpoint Manager (or MEM, as folks are starting to call it); today we’ll look at Workspace ONE for Microsoft Endpoint Manager and what it means.
The background on Workspace ONE and SCCM
Digging back in the archives, you can review VMware’s work on Windows management over the last five years. In 2014, they offered MDM plus an agent on Windows 8.1; in 2015, they were talking about doing App Volumes on physical devices; and in 2016, they partnered with Tanium for VMware TrustPoint.
It was after VMworld 2017 when we felt that things were getting quite serious. Gabe Knuth (then an independent blogger here at BrianMadden.com) wrote this about VMware and Windows management:
“The general sense that I have coming out of VMworld is that VMware, perhaps more than anyone else, understands exactly what has to happen to get enterprises to switch to UEM. Without a doubt, there is more to do to make this appealing to all enterprises, but with their foot on the accelerator, VMware can get there pretty quickly.”
By this time, AirWatch (as it was still called) could deploy GPOs and join machines to a domain; and VMware used Adaptiva for software distribution. AirWatch could even connect to machines that were managed via SCCM (before the co-management days).
On Microsoft’s side, at Ignite 2017, they announced a change in Windows 10 1709 that would allow devices to be enrolled in both SCCM and MDM at the same time.
Microsoft built an integration between SCCM and Intune to coordinate the handoff of management tasks from one side to another, and called this “co-management.”
Other vendors, including VMware, could also take advantage of the changes in Windows 10 1709, and enroll SCCM-managed devices into their own MDM servers. Microsoft called this “coexistence,” though the rest of the world calls this co-management.
A few months later, VMware introduced AirLift, their product for pulling configuration data out of SCCM, and coordinating management with Workspace ONE. At the time, I wrote: “I don’t think anybody is ready to turn off SCCM any time soon, but the battle lines on this front have been drawn.” VMware was off and running on a super ambitious path.
At VMworld 2019, we got a progress report: VMware had enrolled 1 million Windows 10 devices in the first half of 2019. It’s almost the end of the year, and I haven’t seen any more recent numbers, but they did say that they were enrolling a Windows 10 device every 16 seconds. So, they should be closing in on 2 million devices for 2019.
Co-management gets harder
Now, there was one wrinkle in all of this. The SCCM 1902 update rollup made an interesting change for co-management and coexistence: If an SCCM-managed device is enrolled into an MDM server other than Intune (i.e., Workspace ONE or any other third party), the SCCM agent reverts to a read-only mode.
So, this essentially kills a whole swath of co-management (or coexistence in Microsoft’s terms) scenarios. This did cause problems for some customers, and it sounds like it wasn’t communicated very well.
Microsoft’s justification is that they did this to avoid potential conflicts, but this seems a little odd to me. VMware had AirLift to keep things coordinated; and also I thought that the DeviceManageability CSP was supposed to help with this, too. So, the changes to the SCCM agent seem a bit old-school Microsoft to me, but that’s business.
Enter Microsoft Endpoint Manager and Workspace ONE for MEM
As I covered in my article about Microsoft Endpoint Manager, Microsoft is now all about enabling customers to use SCCM and co-management as long as they want, and they’re connecting SCCM to Intune in a new cloud-based management plane.
Now we can finally get to the whole point of this article: Workspace ONE for Microsoft Endpoint Manager will be VMware’s recommendation for customers that are using both products.
As Shanker Iyer wrote, “Workspace ONE will build value on top of Microsoft Endpoint Manager for management of Windows 10 devices.”
What does this mean? The first round of features all appear to be about using Workspace ONE Intelligent Hub on top of MEM, and Shanker highlighted newer features like the employee onboarding experience, and Digital Employee Experience Management. Apps managed by MEM can show up in Intelligent Hub, and customers can use Workspace ONE Tunnel. VMware expects a preview to be out in early 2020.
There were a few more clarifying details in the “Definitely Not Official VMware EUC Podcast” with Brian Madden (the person) and Gabe Knuth. (So, remember that this is not official, and while both Brian and Gabe used to work at BrianMadden.com, they’re both VMware employees now.)
Under Workspace ONE for MEM, MEM will be doing the actual device management, via whatever combination of SCCM and Intune you want. (I’ve heard other sources describe it this way, too.) VMware will take their Windows agent, which can both act as the management authority and do a bunch of other things (like analytics, security, user experience, crash reporting, baseline configuration reporting, etc.), and make it so that it just does all of the latter tasks. So when it comes to device management, the VMware agent gets out of the way, and lets MEM do the management.
Again, this is early, not completely official information; but it makes sense given the coexistence changes in SCCM 1902. We’ll try to get more technical details as we get closer to the preview.
So what does this mean?
As I wrote last week, the fundamental question for customers is when and how you want to get off of SCCM.
On the podcast, Brian and Gabe (with the “definitely not official” disclaimer) laid out a description of VMware’s position: VMware never had SCCM to fall back on, so they had additional incentive to make Workspace ONE’s Windows 10 capabilities richer, with things like GPO support and more app distribution capabilities. (Jumping back into my thoughts: So that year and a half where co-management with SCCM actually worked was more like a temporary gift.)
Brian went on to say that basically, VMware wants to be flexible here. Workspace ONE is a very broad portfolio with a whole range of use cases, so if customers want to use MEM for Windows 10, that’s fine. With the Workspace ONE for MEM offering, the Windows 10 devices will still be part of the Workspace ONE environment, and users will still have the Intelligent Hub.
For customers that do want to go ahead and have Workspace ONE be the device management authority on Windows 10, the SCCM 1902 changes around third-party MDM just mean that the intermediate option of managing some tasks via Workspace ONE MDM and others via SCCM isn’t available anymore.
Customers will still be able to use AirLift, though. In fact, at VMworld US 2019, VMware announced AirLift 2.0, which can automatically migrate GPOs from SCCM. (Check out Jon Towles’ article on AirLift for an overview.)
Back on the Microsoft side, to be fair, I should point out that for all the talk about how co-management can be a destination, Microsoft also said in an FAQ (PDF) that customers can really do what they want. And in several presentations at Ignite, Microsoft recommended choosing a date where customers decide that all new devices will be managed from the cloud side (i.e., Intune) of MEM only. So they also get that cloud-based management is going to be an important goal for many customers.
What’s your path?
At this point, I’m starting to wonder how many customers are going to want to mess around with co-management anyway. There’s a lot of value in at least making a traditionally managed device show up in some form or another in your cloud UEM platform, especially around conditional access. But full-on co-management is more complicated.
In some ways, we can think of this like doing Windows migrations. Remember how much talk there was when Windows 10 came out about how you could do relatively smooth in-place upgrades without re-imaging machines? And how many people actually did that? Migrating via attrition as part of hardware refresh cycles was a lot easier.
We’re just over a month away from January 14, 2020, the Windows 7 end of life. Digging back into the BrianMadden.com archives again, back in 2017 Gabe wrote an article called “Migrating to Windows 10 and modern management at the same time sounds nice, but is it practical?” His conclusion, now proven correct, was that the answer was no. Instead, he wrote that January 15, 2020 was when we should all be ready for a change in Windows management. (Well, maybe we should take a week or two to rest.)
Getting rid of SCCM is going to be a long process, and now I’m wondering whether migrating laptops to all-cloud, SCCM-free management will happen via attrition during hardware refresh cycles. This way, you can start with a clean slate, provisioning devices with Autopilot or the out-of-box experience.
Customers will still have to decide between Workspace ONE and MEM for Windows 10, but it should be a slightly less complicated decision. They won’t be worrying about co-management, coexistence, or migration paths—they’ll just be concerned with what they can do with the platform alone.
Regardless of when and how you decide to jump into modern management, VMware customers have AirLift to ease their migration from SCCM, or Workspace ONE for MEM if they plan on keeping SCCM or MEM around for a while. Modern management can mean different things to different people, so the more options and flexibility that are available, the better.