can perform a type of network access control on Windows RT devices as a way to protect corporate networks from harm these devices might inflict if put to corporate use, making them a cut above iPads and Android tablets in this regard.
The newly announced capability can check the devices for compliance with corporate policies surrounding passwords, encrypting data, antivirus, anti-spyware and auto updates, according to the Building Windows 8 blog. This is similar but less comprehensive than what some NAC schemes do in order to keep devices that don’t comply from connecting to networks.
Previously Microsoft had announced four flavors of Windows 8 — Windows 8, Windows 8 Pro, Windows 8 Enterprise and Windows RT — with Windows RT lacking many of the features included in the Enterprise edition that might make the devices more palatable to businesses.
Windows RT is the name Microsoft has given to a Windows 8 operating system that is packaged with ARM-based hardware such as power-efficient tablets. They are expected to ship later this year or early next. The devices don’t support applications that run on standard x86/64 machines, and until now, would accept Metro-style applications designed for Windows 8 only directly from Microsoft.
None of this made Windows RT seem any more BYOD-friendly than Android tablets or iPads.
But a client announced by Microsoft will monitor the security posture of the devices and enable downloading proprietary business applications to them. The client will communicate with an undefined cloud-based management platform that will be announced later by the team working on Microsoft’s System Center.
The client’s main function is to download and install Windows 8 Metro-style applications that are designed to work on both x86/64 and ARM devices. Without the agent, owners of Windows RT devices can only download applications that are stocked in the Windows Store or via Windows Update or Microsoft Update.
But Microsoft recognizes that businesses will create their own Windows 8 Metro apps that they want to deploy to personal Windows RT devices that employees might want to use for work, according to the blog.
The client makes this possible by connecting to the corporate management infrastructure and to a self-service portal, which displays applications that are available for each user to download. This provides a mechanism to download proprietary line-of-business Metro apps to employees without placing them in the public Windows Store. As the blog says, “… there is no reason to broadcast these applications to others or to have their application deployment managed through the Windows Store process.”
If the business or the owner of the device decides to remove it from corporate management, the client wipes out the proprietary apps.
Before users can connect their Windows RT devices to the management service, their Active Directory settings must be changed to allow it and to specify how many devices they are allowed to connect via SSL authentication. The process involves registering the device with the network.
Each user authorized to use the management service must be specified within Active Directory as someone allowed to connect devices. Once connected, the client makes daily maintenance reports about the hardware, applies changes to settings policies on the devices, reports on compliance with those policies and updates the proprietary apps as needed.
The client also informs the management platform whenever users initiate application installation from the self-service portal, the blog says.
Administrators can set security parameters the devices must comply with such as maximum failed logins, lockout after a maximum period of inactivity, requiring passwords of specified length and complexity, imposing enabled and expired dates on passwords and maintaining password history.
The agent can also set up VPN connections automatically to the management infrastructure so users don’t have to do it manually. The client also reports the status of drive encryption, auto update, antivirus and anti-spyware.
“Leveraging this compliance information, IT admins can more effectively control access to corporate resources if a device is determined to be at risk,” the blog says. “Yet once again, the user’s basic experience with the device is left intact and their personal privacy is maintained.”