- SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
- Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
- PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019
I have yet to find a mobile device management (MDM) solution that is as feature rich as existing on‑premises solutions. Tools like Group Policy and System Center Configuration Manager (SCCM) have evolved huge feature sets that MDMs have yet to catch up to. This disparity is most noticeable when comparing simple tasks in Group Policy to an MDM. Tasks like modifying start menus, adding shortcuts, or running scripts—all of these are much more difficult with an MDM.
PolicyPak MDM Edition makes the impossible… possible. PolicyPak MDM enables you to extend all of your Group Policy settings to your MDM enrolled clients. This enables enterprise-level Group Policy control on any MDM Windows client, including non-domain-joined devices. If you find yourself with either corporate owned, or bring-your-own-device (BYOD) scenarios via MDM, this will be a huge improvement for you! PolicyPak MDM supports all of your administrative templates, security settings (user rights, AppLocker, etc.), and preferences (file/shortcut deployment, registry entries, etc.).
PolicyPak is much more than Group Policy in the cloud. Beyond enabling all the native Group Policy settings via MDM, it also enables granular application control, least-privileged administration, and a whole host of other indispensable management capabilities for Windows 10 .
In this article on PolicyPak MDM, we will cover how to bring your Group Policy settings to MDM devices and the extra goodies PolicyPak gives your remote devices.
Pushing Group Policy settings through an MDM ^
When reviewing how PolicyPak MDM Edition enforces your Group Policy configurations on devices, I was surprised with the simplicity of the initial configuration. I was expecting something SCCM-esque.
Deploying settings to remote clients requires two prerequisites. First, you must install the PolicyPak Client-Side Extension on the client. Second, you must tell the client that it is MDM configurable by installing a license file. Both actions take place through an .msi installation, easily deployable with your MDM (or deployed on premises for initial client setup).
Now that a client is ready to receive settings, you can prepare an on-premises Group Policy Object (GPO) for remote deployment by creating your settings and exporting them to an .xml file. You can convert existing traditional GPOs into PolicyPak collections with the included conversion tool. You can also create settings directly in the PolicyPak section of your GPO. In the screenshot, below, you can see the Browser Router rules I am about to export.
After exporting the Group Policy and PolicyPak settings as .xml files, you can convert them to a “wrapped up”.msi file, then deploy it as an application through your MDM. The PolicyPak Client-Side Extension simply picks up the MSI and treats them like newly deployed Group Policy and PolicyPak settings. Moreover, it enforces these settings regardless of location or domain membership. Instead of awkwardly trying to recreate Group Policy settings within the MDM (like a few other solutions do), PolicyPak just uses the MDM as the delivery mechanism for the settings you want to use.. The magic happens while converting your settings and when remote clients enforce your standards.
PolicyPak has already made it very easy to convert a traditional Group Policy environment into a PolicyPak-enabled environment. Whenever you make a change on premises, you still need to export those settings, convert them to an .msi, and deploy it through your MDM. As a sysadmin wearing many hats, it would be wonderful you could automatically capture those changes into an .msi, and depending on your MDM capabilities, make it ready for deployment.
How PolicyPak makes your MDM better ^
PolicyPak extends Group Policy, standardizes features across client-side extensions, and solves unique problems that all of your MDM Windows devices currently have.
Dispersed devices—especially those found in a BYOD environment—experience both configuration drift and a laxness around security. By taking the GPOs your on-premises devices already enforce and extending them into your MDM, all devices can have the exact same configuration. These remote devices often have regular users running as local administrators. PolicyPak features, like the Least Privilege Manager, allow you to elevate apps or settings granularly to an admin permission level without extending too many permissions.
PolicyPak's application features solve a standards gap that all MDMs have. Here’s some examples:
- PolicyPak Application Manager, the original PolicyPak component in the suite, locks down settings in third-party applications on your remote machines. For example, you can control specific options in virtually any window in any application.
- PolicyPak File Associations Manager enforces which apps can open which programs. As a huge OneNote fan, I love that I can ensure that users are using our preferred version of OneNote instead of an older preinstalled variant.
- PolicyPak Browser Router and Java Rules Manager can cut down on confusion by always opening websites in the correct browser or using specific Java versions only when needed.
These are the missing gaps which need to be filled in MDM.
Modern management with Group Policy ^
What do you think of when you hear the IT buzzwords "modern management"? Personally, I think I am about to see a tool that doesn't quite live up to what it promised. Nowhere do you hear those two words more than in the marketing of MDMs. Tools like MDMs have their places though. Depending on the environment, they might be the best solution available for you. MDMs, even Microsoft's, still lack the customization and power of existing on-premises solutions, namely Group Policy.
Subscribe to 4sysops newsletter!
PolicyPak MDM Edition brings that current Group Policy goodness plus extra PolicyPak goodness into your MDM. By using your MDM's deployment mechanism, you can take existing GPOs and apply those settings to machines anywhere in the world, even those that are not even domain joined! You can read more about PolicyPak MDM edition here.