I work on the Windows MDM client…Ok, is that Intune?
This was the top question/comment that I received when talking to folks at Ignite. What exactly does "Windows Mobile Device Management (MDM) client" mean? This was also one of the points of feedback I received during my presentation there, that I add a slide or two to really position what this means to clear out confusions about if this was related to Intune, if so how etc.
So here it goes. A couple weeks after the amazing conversations at Ignite, here goes my first in a series of posts addressing some of the comments and feedback I heard.
Feel free to drop me a comment here or on Twitter (@jananivasudevan) if you have a specific topic you'd like to hear more about.
So what exactly is the Windows MDM client and how is it related or not related to Microsoft Intune?
The Wikipedia link for Mobile Device Management defines it as this - "Typically solutions include a server component, which sends out the management commands to the mobile devices, and a client component, which runs on the device and receives and implements the management commands. In some cases, a single vendor may provide both the client and the server, in others client and server will come from different sources".
The Mobile Device Management client for Windows (we'll refer to this as "MDM client for Windows" in this post for the future), is this client component that runs on all Windows devices. It receives commands from any MDM server (be it Microsoft Intune, Airwatch, MobileIron etc.) and implements these commands. The advantage is that each of the MDM servers don't have to implement their own client component now to manage Windows devices. Instead, they only need to adhere to the syntax that the MDM client for Windows publishes and can start managing Windows devices straight out of the box.
So there you go, the MDM client for Windows is that operating system component that is intended to make Windows easily manageable through any MDM server out there, be it Microsoft Intune or any of the 3rd party MDM servers.
Every Windows 10 device (and also Windows 8.1 device) has this mobile device management client that ships along with the operating system. And the syntax that MDM servers need to use to manage Windows devices using this agent is what we call the Windows Mobile Device Management protocols. There are two such protocols – one governing how a Windows device registers with the server so it can start managing the device called MS-MDE, and the second called MS-MDM governing how an MDM server can send down commands to manage the different settings (and which settings) on the Windows device.
For those of you familiar with group policy, the Windows MDM client is like the group policy service which receives the different group policy settings and redirects it to the right handler to have the policy applied.
- The group policy client receives GPOs as commands to implement management of devices while the MDM client for Windows receives SyncML messages as commands to implement management.
- The device once domain joined is subject to receive commands through group policy; a device has to "enroll" with the MDM server to receive commands through MDM channel. (This enrollment can either be done by the user separately or as part of Azure AD join in Windows 10)
- When Group Policy is applied to a user or computer, the group policy client side extensions interprets the policy and makes the appropriate changes to the environment. When an MDM server sends down a SyncML message for configuration, the Windows MDM client hands this off to similar extensions/providers on the device called "Configuration service providers" to interpret the SyncML commands and make configuration changes.
There is a "Configuration service provider" (sometimes shorthanded as CSP) for each different component or feature that needs to be configured. There is one for all "policies" and "simple setttings" called the "Policy configuration service provider", there is one to configure VPN profiles and so on.
The list of the different providers (and hence the settings you can manage) for the Windows MDM client are here - https://aka.ms/ayw20h
So now coming back to my session at Ignite (and //Build), when I talked about the enhancements to the MDM client in Windows 10, it was about these different settings and features that can be managed by any MDM server on a Windows 10 device straight out of the box (ie. not requiring a client side agent from the MDM server product).
You may ask "Why is this important to me if I am using group policy today to manage Windows PCs". If you are using group policy today for PCs, you can definitely continue to use it. However, for Windows phones and tablets that employees use nowadays at work which they cannot or do not want to domain join, Mobile device management is becoming popular as the tool to manage these.
Hopefully, this post helped you understand a little more about the Windows MDM client. Please do leave your comments and any unanswered questions that pop to your mind, and I'll answer them here.
-------- -------- -------- --------
Links to my "Windows 10 MDM client enhancements" sessions at Ignite and //Build: