

The keys IT needs to manage Windows 10 Mobile devices

IT admins tasked with enrolling and managing Windows 10 Mobile devices can turn to the operating system's built-in mobile device management client.

IT administrators turn to mobile device management to oversee every mobile device in the enterprise, whether those devices run on Apple iOS, Google Android or Windows. Windows 10 Mobile, like all Windows 10 editions, has its own MDM client built into the operating system.

Any mobile device management (MDM) tool can access the client by leveraging a special set of configuration protocols that allows IT to deploy and manage both corporate and personal Windows 10 devices. The better admins understand the Windows 10 MDM client, the better they can decide how to manage Windows 10 Mobile devices in the enterprise.

The Windows 10 MDM client consists of two primary components: one for enrolling the device, the other for managing it. Each component uses a specialized protocol that facilitates connectivity between the MDM client and the MDM server. In addition, Windows 10 includes configuration service providers (CSPs) that allow the MDM client to interact with the Windows registry and OS files.

Enrollment component

Before IT admins can manage Windows 10 Mobile devices, they must enroll them into an MDM service that supports the MDM client. The client establishes a secure communication channel with the MDM server, which then authenticates the device so that IT can enroll it into the service and subsequently manage it.


The enrollment process follows three general steps. First, the discovery process validates that the service endpoint exists. Next, the client communicates with the security token service to obtain a security certificate and to authenticate with the enrollment service. Lastly, the client connects to the MDM server, enabling IT to configure and manage the device.

To automate the enrollment process, create a runtime provisioning package that applies the necessary settings, profiles and file assets to the Windows 10 devices.

Microsoft recommends using Azure Active Directory (AD) in conjunction with the MDM tool for identity management. Anyone who has incorporated Intune or Office 365 into their organization is already using Azure AD; however, only the paid premium edition supports the autoenrollment and conditional access features built into the MDM client. IT can also enroll Windows 10 Mobile devices into a third-party MDM system without using Azure AD.

Communication between the enrollment component of the MDM client and the MDM server is based on the Mobile Device Enrollment Protocol Version 2, which facilitates the process of device enrollment through an enrollment service and makes it possible for the MDM server to manage the device.

Management component

IT teams can define and implement policy settings on any Windows 10 Mobile devices enrolled with the MDM service. They can configure email accounts, manage certificates, enable compliance monitoring, set device and account restrictions, control Wi-Fi and virtual private network access, and configure automatic update and remote wipe policies.


The MDM client also supports extensive app-related capabilities. For example, administrators can install apps directly from Windows Store for Business or deploy their own line-of-business apps. In addition, they can inventory and uninstall apps as well as control updates.

Any Windows 10 Mobile device can support these management capabilities. However, Microsoft also offers a version of the OS known as Windows 10 Mobile Enterprise, which supports additional capabilities such as being able to postpone software updates or control telemetry collection levels.

Communication between the MDM server and client is based on the Mobile Device Management Protocol (MS-MDM), which supports a wide range of management capabilities. MS-MDM is based on the Open Mobile Association (OMA) standard.

All management-related communications between the server and client must adhere to the OMA standard. However, for the MDM client to be able to carry out the operations requested by the MDM server, it needs a way to interface with the Windows 10 registry and OS files. That's where the CSPs come in, acting as the internal interface necessary to expose the Windows 10 core settings.

After the MDM client receives its commands from the server, the client forwards those requests to the CSPs, which then read and modify device settings. Because all Windows 10 editions include the MDM client, an organization could potentially enroll and manage any Windows 10 device.
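As an added example (not code from the article or from Microsoft's implementation), the following Python builds an OMA DM SyncML request of the kind an MDM server sends to the client, then parses a constructed device reply to verify which commands the CSPs actually applied. The CSP node URIs follow the Policy CSP naming convention and are assumed for illustration only.

```python
import xml.etree.ElementTree as ET

# Illustrative CSP node URIs (Policy CSP naming convention; assumed for this
# example, check the CSP reference before relying on them).
CONFIG_URI = "./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled"
RESULT_URI = "./Device/Vendor/MSFT/Policy/Result/DeviceLock/DevicePasswordEnabled"

def build_syncml(session_id, msg_id, commands):
    """Build an OMA DM SyncML message; commands is a list of
    (verb, loc_uri, data_or_None), e.g. ("Get", uri, None) or ("Replace", uri, "0")."""
    body = []
    for cmd_id, (verb, uri, data) in enumerate(commands, start=1):
        item = f"<Target><LocURI>{uri}</LocURI></Target>"
        if data is not None:  # Replace/Add carry a typed payload for the CSP
            item += f'<Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>{data}</Data>'
        body.append(f"<{verb}><CmdID>{cmd_id}</CmdID><Item>{item}</Item></{verb}>")
    return ('<SyncML xmlns="SYNCML:SYNCML1.2"><SyncHdr><VerDTD>1.2</VerDTD>'
            f"<VerProto>DM/1.2</VerProto><SessionID>{session_id}</SessionID>"
            f"<MsgID>{msg_id}</MsgID></SyncHdr><SyncBody>{''.join(body)}"
            "<Final/></SyncBody></SyncML>")

def parse_reply(xml_text):
    """Return ({server CmdID: status code}, {node URI: value}) from a device reply."""
    root = ET.fromstring(xml_text)
    statuses = {s.findtext("{*}CmdRef"): int(s.findtext("{*}Data"))
                for s in root.iterfind(".//{*}Status")}
    results = {i.findtext("{*}Source/{*}LocURI"): i.findtext("{*}Data")
               for i in root.iterfind(".//{*}Results/{*}Item")}
    return statuses, results

def failed_commands(statuses):
    """CmdIDs the CSP did not apply (outside the 2xx range); CmdRef 0 is the header."""
    return {c: code for c, code in statuses.items() if c != "0" and not 200 <= code < 300}

# Constructed device reply: header and Get succeeded; the Replace is simulated
# as failing with 404, meaning the CSP did NOT apply the policy.
DEVICE_REPLY = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncHdr><VerDTD>1.2</VerDTD>
<VerProto>DM/1.2</VerProto><SessionID>1</SessionID><MsgID>1</MsgID></SyncHdr><SyncBody>
<Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status>
<Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>1</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status>
<Results><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>1</CmdRef><Item><Source><LocURI>"""
DEVICE_REPLY += RESULT_URI + """</LocURI></Source><Data>1</Data></Item></Results>
<Status><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>404</Data></Status>
<Final/></SyncBody></SyncML>"""

if __name__ == "__main__":
    request = build_syncml(1, 1, [("Get", RESULT_URI, None), ("Replace", CONFIG_URI, "0")])
    statuses, results = parse_reply(DEVICE_REPLY)
    print(request, "\ndevice reported:", results, "\nfailed commands:", failed_commands(statuses))
```

A server that only logs "command sent" would miss the 404; checking every Status against the CmdID it references is what tells IT whether the setting actually changed on the device.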
