Microsoft Enterprise State Roaming – public preview
Writing and updating the UEM Smackdown is challenging, as vendors bring out new technology while you sleep. Microsoft was one of the vendors that stayed pretty stable in this area: not much changed over the years. GPO, GPP, UE-V, USV, we all knew how they worked and where they came from.
Microsoft was the first company to bring us UEM. When they brought roaming profiles to Windows, we gained the ability to roam our settings across devices, as long as those devices were running the same operating system, the same bitness, and so on.
Times changed and Microsoft failed to adapt to the new world, leaving space for emerging UEM vendors to take a bit of that market. With the release of Windows 8, 8.1 and now 10, it seems Microsoft has realised they have to move. It feels like the 90s with Internet Explorer all over again: once they move, they move fast. Let’s see how they handle it this time.
So a few days ago Microsoft released a public preview of Enterprise State Roaming. Let’s call it Microsoft ESR from now on. I’m going to give a quick overview of Microsoft ESR; it’s no deep dive, as I haven’t had the chance to test it myself yet.
Enterprise State Roaming (ESR)
In Microsoft Windows 8 and 8.1 you already had the ability to roam certain Windows and app settings between your devices. Your personal Microsoft account and your OneDrive were used for that. It worked fine for the basic things you could do with it.
I’m a Windows Phone user (yes, they exist, it’s not a fairy tale) and I sync things between my phone and a Windows VM running under Fusion Pro on a MacBook Pro.
There were only a limited number of things I could sync there:
- app settings,
- Internet Explorer
This is all cool, but I’m using a personal account and not an Enterprise account, and I’m using my personal OneDrive and not our Enterprise one.
Now, with the new ESR feature, things are changing.
If you are administering a desktop environment where users work on mobile devices and virtual desktops, you want to know what is being synced. You don’t want certain passwords to be synced just like that; your business might be hurt if someone gets hold of them. As Microsoft writes in its blog posts, your corporate WiFi password should not be out in the open. I think that’s a simple but clear example.
Personal and Enterprise split
In Windows 10 this is solved by using Azure AD identities, backed by storage in the Azure cloud. So your personal data that was synced before is still synced, but now the Enterprise part is synced on a different level: no more mixing your high scores with Enterprise data.
The data is encrypted by Azure Rights Management (RMS) before it leaves your device and stays that way until it reaches the other device. This is of the utmost importance, for no customer will allow their data to be stored anywhere without guaranteed safety. There are exceptions to what is encrypted: namespaces and Windows app names are not encrypted (no clue why not).
Azure Rights Management Services (RMS) is free for Enterprise use of ESR. The announcement says it’s offered “free limited”; I’m not sure if that’s a typo or not. I’m going to check that out and will edit this article once I know. If it is limited in some way, I want to know what the limitation is. Perhaps it’s only limited in the sense that you are only allowed to use it for Enterprise syncing.
A very important factor in acceptance by administrators and security officers is whether you can control what is being synced. Microsoft is offering more visibility into who is syncing what to which device, all of course from the Azure admin console/portal.
We Europeans don’t like our data anywhere near the, so Microsoft Azure stores the data in the country associated with the AD directory. For now, in the preview, it is only available in Europe and the US.
What do you need to deploy this?
- You will need an Azure Active Directory Premium subscription, and users will need a premium license assigned to the device
- You will need Microsoft Windows 10, version 1511 (build 10586) or greater
- Devices need to be Azure AD joined, or AD joined with automatic registration to Azure AD
If you want to learn about automatic registration to Azure AD, read this blog here.
Setting it up
Setup seems pretty easy; everything is done from the Azure admin portal. With the following steps you are syncing:
- Go to Active Directory
- Click the Configure tab
- Go to “Users may sync settings and Enterprise app data”
Now you have the option to select all users or a selected group of users.
#Note: If you don’t see this in your Azure admin portal, you probably don’t have a premium subscription.
#Note2: If you are unable to save your setup, the feature is not available in your region.
(all info from Microsoft blog posts)
Once you set this up, your users’ devices that are Azure AD joined will be syncing. Users can select for themselves what they want to sync and what not. On their devices they can select which settings are synced; the selection they have is bigger than in 8 or 8.1:
- Ease of access
- Internet Explorer settings
- Language preferences
- Other Windows settings
Syncing with what account?
Now comes the difficult part; I’m trying to write it as clearly as possible.
In Windows 8 and 8.1 everything was synced with your personal account to your personal OneDrive.
In Windows 10 with Enterprise State Roaming this is different. It’s still possible, but there are some differences. Read on…
With Windows 10 and devices joined to Azure AD, Enterprise State Roaming uses that account to sync OS settings between devices. That’s a major difference: your Azure AD account syncs OS settings, not your personal account. You can, however, add your personal account as a secondary account to sync your personal data and apps.
#Note: Remember that your OS settings are ALWAYS synced by the primary account, and app state data is roamed based on the identity used to acquire the app.
The hardest part to understand will be that the account that acquired the app determines where its data is synced to and whether it roams at all. That’s something to think about; it might need some development.
#Note: Multiple account roaming is missing from this first release, which is a pity of course.
Hope this gave you an idea of what Microsoft is working on; an interesting move, I think. Not close to UEM for an Enterprise, but perhaps for certain scenarios this might work.
Now I have to think about whether or not to include this in the UEM Smackdown; I think it depends on how fast Microsoft plans to release it to GA.