Managing Windows 10 through UEM / EMM Overview part 2


In this blog

In this blog I will try to help you with the choices you get to make with UEM. I will explain how UEM works with Azure AD and Office 365, and I will touch on BYO for Windows 10. Lastly, I will close the blog with other 3rd party integrations you can consider.

Welcome back

Welcome back to the managing Windows 10 through EMM / UEM series. Last week I published an overview of what EMM could look like. Today I will discuss several of the choices you get to make when you go for management with UEM.

Use Azure AD (AAD)?

What does UEM / EMM have to do with Azure AD? You can leverage Azure AD to present users with a "user-friendly" enrollment experience. Users only have to enter their mail address / user principal name (UPN) and the enrollment is on its way. Azure AD is configured with the specifics of your UEM (in the Azure AD MDM application settings: the MDM discovery URL, the terms of use URL and the compliance URL) and your UEM accepts Azure AD as an identity provider. The user's UPN needs to correspond with the user's e-mail address (user-friendly), or at least indicate the user's company, so AAD knows which tenant to route the authentication request to.

Here is a schematic of how enrollment looks when using AAD:

If you don't use AAD, enrollment looks like this:

There is also a YouTube video showing the enrollment experience with AAD for the user; you can find it here. In this case VMware AirWatch is demonstrated, but it looks the same for other vendors. It is not mandatory to enroll during OS installation; you can also enroll afterwards through Settings: "Accounts > Access work or school > Connect to work or school".

If the UEM vendor has an autodiscovery feature, Azure AD is not required to get a user-friendly enrollment experience. In this video an enrollment using autodiscovery into the XenMobile UEM is demonstrated by Jeroen Lebon. The experience is similar to when you have Azure AD configured.


The biggest benefit of using AAD in combination with UEM is a more user-friendly enrollment experience. If you already have Azure AD Premium, I recommend using these features! If you do not have AAD yet, here are some gotchas:

  • The company is required to have Azure AD Premium
  • The user needs a UPN that corresponds with their mail address
  • There are alternative ways to get this benefit (such as vendor autodiscovery); check with the UEM vendors to find out what they offer
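Once an enrollment has gone through, it is worth checking on the device that it actually landed the way you intended (Azure AD joined or registered, and an MDM enrollment that points at your UEM). The script below is an added example and not part of the original post or any vendor's tooling. It assumes Windows 10 1607 or later (for dsregcmd.exe) and an elevated PowerShell session to read the enrollment registry keys; the registry value names are the ones Windows writes for each MDM enrollment.

```powershell
# Added example (not from the original post): inspect a Windows 10 device's
# identity join state and MDM enrollment after an (Azure AD based) enrollment.
# Assumes Windows 10 1607+ and an elevated prompt.

function Get-JoinState {
    # dsregcmd /status prints "Key : Value" lines; keep the join-related ones.
    # MdmUrl is the enrollment URL Azure AD handed out from the MDM app config.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'TenantName', 'MdmUrl'
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$' -and $wanted -contains $matches[1]) {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-MdmEnrollment {
    # Every MDM enrollment gets a GUID subkey under Enrollments; the subkeys that
    # carry a ProviderID are the actual enrollments (the others are bookkeeping).
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem $base -ErrorAction Stop | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.PSObject.Properties['ProviderID']) {
            [pscustomobject]@{
                EnrollmentId   = $_.PSChildName
                ProviderID     = $p.ProviderID            # e.g. the UEM vendor's name
                EnrollmentType = $p.EnrollmentType
                UPN            = $p.UPN                   # the UPN the user enrolled with
                DiscoveryUrl   = $p.DiscoveryServiceFullURL
            }
        }
    }
}

# Usage: show both views side by side.
Get-JoinState | Format-List
Get-MdmEnrollment | Format-Table -AutoSize
```

If `AzureAdJoined` or `WorkplaceJoined` is `YES` but no enrollment with your vendor's ProviderID shows up, the identity part worked and the hand-off to the UEM (discovery URL / terms of use) is where to look.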

Setting this up

Each vendor has documentation on setting this up. Here are some links:

  • Citrix
  • VMware
  • MobileIron (I couldn't find an actual manual, but here you can see MobileIron is also capable; I'm sure they have manuals once you log into their website)

To BYOD or not to BYOD?

You could allow users to bring in their own Windows 10 or macOS devices and enable access through these devices. Thanks to sandboxing on iOS and Android this is relatively easy to set up there. My feeling on Windows 10 isn't completely comfortable yet. With a small company you are able to do a lot based on trust, but with bigger companies this gets harder. There are options though: you can use Windows Information Protection (WIP) to assert control over your data and the EMM agent to check compliance.

Be careful when setting this up. Users are easily spooked when you mess with their devices. The essence of BYO and user-owned devices is that the user is in control; they should be able to enter or leave at will. When the user leaves the BYO program, the company data should no longer be accessible to the user from that device. So instead of locking the device down for the user, you check whether the device is compliant with your security policy (e.g. up to date, anti-malware running, disk encrypted) and based on the result you make your data accessible.
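To make "compliant with your security policy" concrete, here is the kind of local posture check a UEM agent runs before company data is released to a BYO device. This is an added example, not code from the original post or from any UEM product; the thresholds (a patch within 30 days, Defender signatures no older than 7 days) are assumptions for illustration, and it needs an elevated PowerShell session on Windows 10 because BitLocker, TPM and Secure Boot queries require it.

```powershell
# Added example (not from the original post): local compliance posture check of the
# kind a UEM agent performs before company data is made available to a BYO device.
# Thresholds are assumed policy values; a real UEM evaluates its own policy.
# Requires an elevated PowerShell session on Windows 10.

function Test-DevicePosture {
    param(
        [int]$MaxPatchAgeDays     = 30,   # assumed: a Windows update installed within 30 days
        [int]$MaxSignatureAgeDays = 7     # assumed: Defender signatures no older than 7 days
    )
    $checks = [ordered]@{}
    $now = Get-Date

    # 1. Patch level: the newest installed hotfix must be recent enough.
    $lastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $checks['PatchLevel'] = [bool]($lastFix -and
        (($now - $lastFix.InstalledOn).TotalDays -le $MaxPatchAgeDays))

    # 2. Anti-malware: Defender enabled, real-time protection on, fresh signatures.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $checks['AntiMalware'] = [bool]($mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
        (($now - $mp.AntivirusSignatureLastUpdated).TotalDays -le $MaxSignatureAgeDays))

    # 3. Disk encryption: the OS volume must be protected by BitLocker.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $checks['DiskEncryption'] = [bool]($os -and $os.ProtectionStatus -eq 'On')

    # 4. Host firewall: Domain, Private and Public profiles all enabled.
    $fw = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $checks['Firewall'] = [bool]($fw -and -not ($fw | Where-Object { $_.Enabled -ne 'True' }))

    # 5. Platform integrity: Secure Boot on and a ready TPM, so the BitLocker key is hardware-bound.
    $checks['SecureBoot'] = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $checks['Tpm'] = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    [pscustomobject]@{
        Compliant = -not ($checks.Values -contains $false)
        Checks    = $checks
        Failed    = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
    }
}

# Usage: gate access on the verdict instead of locking the device down.
$posture = Test-DevicePosture
if ($posture.Compliant) {
    'Device compliant: company data may be made available.'
} else {
    "Device NOT compliant; failing checks: $($posture.Failed -join ', ')"
}
```

The point of returning the list of failing checks rather than just a yes/no is the user-communication side discussed above: a BYO user who is told "enable BitLocker and run Windows Update" will usually fix it themselves, while a silent block just spooks them.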

What does BYOD look like for Windows 10?

A user comes in with their device and enrolls it. The IT department ensures the device is compliant with company policies and enables the user to be productive on the device by making company resources available.

For a long time now Microsoft has made APIs available to enable management through a trusted source. With Windows 7 and older the primary route for management was the registry (through Group Policy) and 3rd party applications (for example DesktopNow and RES). You would join the device to AD and could do virtually everything with it.

The management control needs for a BYO scenario are different than the needs for traditionally managed devices.

As an IT admin, I don't want user-owned devices in Active Directory, and I want control over the data flow and access. As a user, I want to be sure that my private data is safe and that I still have my privacy.

With Windows 10 Microsoft has added a new dimension to this by implementing the OMA-DM (Open Mobile Alliance Device Management) standard. This allows an extra trusted management source, the MDM server, to be added to the device besides Active Directory, and EMM vendors can expand their products to support Windows 10. The OMA-DM interface gives you tons of extra options (exposed on the device through configuration service providers, CSPs) on top of the ones you already have. These options enable you to manage the device without actually joining it to AD: you manage the device based on the user.

With OMA-DM you can apply and remove company policies on demand. Here are some examples of how these are used:

  • Selective wipe to remove all company data for when the user leaves the company
  • Full wipe to remove all data for when the device is stolen
  • Inventory the device to see if it is compliant
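What "applying a policy through OMA-DM" looks like on the wire is a SyncML command aimed at a CSP node (a LocURI). The script below is an added example, not code from the original post or from any UEM vendor: it builds the command bodies for the three scenarios above. The LocURIs are the documented Windows 10 CSP nodes (DevDetail, Policy, RemoteWipe, DMClient); the CmdIDs and the password-length value are illustrative, and the output is only the SyncBody fragment, not a complete SyncML session with a header. It runs anywhere with PowerShell 5.1 or later and sends nothing to a device.

```powershell
# Added example (not from the original post): the OMA-DM (SyncML) commands a UEM server
# sends to the Windows 10 MDM client for inventory, a policy, a full wipe and a selective
# wipe. LocURIs are documented CSP nodes; CmdIDs and values are illustrative.

function New-SyncMLCommand {
    param(
        [Parameter(Mandatory)][ValidateSet('Get', 'Replace', 'Exec')][string]$Verb,
        [Parameter(Mandatory)][int]$CmdID,
        [Parameter(Mandatory)][string]$LocURI,
        [string]$Format,    # 'int' | 'chr' | 'bool'; omitted when the command carries no data
        [string]$Data
    )
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.Append("<$Verb><CmdID>$CmdID</CmdID><Item><Target><LocURI>$LocURI</LocURI></Target>")
    if ($Format) {
        [void]$sb.Append("<Meta><Format xmlns=`"syncml:metinf`">$Format</Format></Meta>")
    }
    if ($PSBoundParameters.ContainsKey('Data')) {
        $escaped = [System.Security.SecurityElement]::Escape($Data)
        [void]$sb.Append("<Data>$escaped</Data>")
    }
    [void]$sb.Append("</Item></$Verb>")
    $sb.ToString()
}

function New-SyncMLBody {
    param([string[]]$Commands)
    # Wrap the commands in a SyncBody as the DM server would; <Final/> closes the package.
    $body = "<SyncBody>$($Commands -join '')<Final/></SyncBody>"
    $null = [xml]$body     # throws if the result is not well-formed XML
    $body
}

# Inventory: read OS version and platform from the DevDetail CSP.
$inventory = @(
    New-SyncMLCommand -Verb Get -CmdID 1 -LocURI './DevDetail/SwV'
    New-SyncMLCommand -Verb Get -CmdID 2 -LocURI './DevDetail/Ext/Microsoft/OSPlatform'
)

# Policy: require a device password of at least 8 characters (Policy CSP, DeviceLock area).
$policy = New-SyncMLCommand -Verb Replace -CmdID 3 `
    -LocURI './Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength' `
    -Format int -Data 8

# Full wipe (stolen device): Exec on the RemoteWipe CSP.
$fullWipe = New-SyncMLCommand -Verb Exec -CmdID 4 -LocURI './Device/Vendor/MSFT/RemoteWipe/doWipe'

# Selective wipe (user leaves): unenroll through the DMClient CSP; with WIP's RevokeOnUnenroll
# setting the keys for company data are revoked while personal data stays intact.
# The UEM supplies its own provider identifier as the Exec data.
$selectiveWipe = New-SyncMLCommand -Verb Exec -CmdID 5 -LocURI './Vendor/MSFT/DMClient/Unenroll'

# Usage: one package with the inventory reads and the policy push.
New-SyncMLBody -Commands ($inventory + $policy)
```

Notice that the same mechanism carries both the harmless inventory `Get` and the destructive `doWipe` `Exec`: whoever can act as your DM server can do either, which is why the enrollment's server identity (the DMPCertThumbprint and discovery URL stored with the enrollment) matters as much as the policies themselves.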

So policies and managing the device are not the problem for Windows 10. The problem I see lies in company data access. For making resources available on Windows 10 devices you have several options.

  • You can opt for published applications through Citrix or VMware products. This can be done securely, but the application runs in a datacenter on a server your IT needs to maintain.
  • You can opt for installing applications on the endpoint. This is user-friendly but harder to secure: because of the Windows 10 architecture, sandboxing does not work the way it does on mobile devices.

In section 5 of this series I will go into detail on securing company data on a Windows 10 device.


I recommend looking up BYO communication strategies. Often vendors have a lot of experience in this area and are able to supply you with tips on this matter.

While implementing this, keep the end goal for BYO in mind. The end goal is to boost user productivity by allowing them to control their work environment and reduce hardware / IT management costs.

Office 365

So does UEM work with Office 365? Yes, it does. But you need to understand that this is a Microsoft product and UEM vendors have to work with what Microsoft makes available to them. Luckily Microsoft gives the UEM vendors a lot of controls.

For smartphones and tablets UEM vendors developed their own productivity apps that enabled users to edit Office documents. The vendors made these apps because the Office apps lacked the controls to include them in the sandbox. The sandbox is the mobile application management (MAM) part of a UEM / EMM. For more information about MAM you can follow this link.

Recently Microsoft released the controls for Windows Information Protection (WIP), which enables you to control data flow by encrypting company data; only allowed (whitelisted) applications can decrypt and consume it. In section 5 I will get into this in more detail.

So what can a UEM do with office 365 on Windows 10?

  • Using UEM you are able to deploy the applications
  • UEM enables you to apply registry settings / XML configuration files to configure Office
  • UEM can apply WIP policies to control the flow of data

3rd party vendor integrations

A UEM gives you a lot of options to integrate with 3rd party products. Many of these products allow you to reduce on-premises infrastructure and extend the reach of IT globally.

Here are some examples:

  • Desktop / applications as a service
    An example of this is to globally deliver a published desktop or application through Citrix Cloud and Azure without hosting the servers in your own datacenter. You can easily scale up and down as you please.
  • Software deployment as a service
    No longer maintaining your own software deployment infrastructure. No more distribution points in every office; the UEM vendor takes care of it. All your users need is an internet connection. An example of this is VMware AirWatch application distribution.
  • Windows updates as a service
    Let Microsoft handle the deployment infrastructure for your Windows updates while you select the updates to deploy. Here is a link for more information.
  • Identities as a service
    You can use Azure AD as an identity provider. Azure AD is compatible with a lot of services, and UEM is one of these.

Jeroen van Keimpema (Consultant IT)
