VPN

Years ago, Windows Mobile had many built-in methods that an IT administrator could use to restrict the device when used in a corporate setting. This was a good thing. Then Windows Phone was introduced and almost all of those administrator features were removed. Microsoft stated that Windows Phone would be a consumer device, and not meant for the enterprise. As time passed, it seems that Microsoft realized that they really did need to address the enterprise as the Bring Your Own Device (BYOD) movement took off. However up until now, the few restrictions that were added have not satisfied IT administrators.

Recently Microsoft announced Windows Phone 8.1 that provides some Mobile Device Management (MDM) improvements over Windows Phone 8.0. These features are part of what is called the 'enterprise pack'. Windows Phone 8.1 will likely be pushed out near the end of June, but we already know what will be included. Lets take a look at whether Windows Phone is now more acceptable as an enterprise device.

If we refer to the MDM Matrix, we can see that it compares all current mobile operating systems, and their MDM features. Windows Phone 8.0 and 8.1 are shown, as well as Windows RT 8.0 and 8.1.

On the device password front, with the exception of the missing MDM feature of "Grace period before device lock", everything is there, as you would expect for enforcing device passwords. The feature for "Unlock using fingerprint" is missing but that is because right now there are no Windows Phones with fingerprint readers. One strange thing we can see in the matrix is that Windows RT tablets cannot enforce a device password as is confirmed in Microsoft's official MDM feature set for InTune, their MDM product. Apparently only once the user has manually set a password, can device passwords be enforced.

MDM features that have been added that were not in Windows Phone 8.0 are good. They include the ability to block device screen captures (great for preventing data leakage), disable GPS, disable the Wi-Fi radio, and/or disable the device's ability to act as a Wi-Fi Hotspot. In addition, you can disable the NFC and Bluetooth radios, both restrictions not found in Windows Phone 8.0.

Windows Phone 8.1 now also allows an administrator to disable the ability to use your phone as a USB mass storage device (a very good way to prevent company data leakage), and they can prevent you from accessing the SD card.

Another good addition that can prevent company data leakage is the ability to disable copy/paste. The ability to disable the official Windows Phone app store allows an administrator to restrict what apps are installed, and the ability to disable the built-in Internet Explorer web browser, allowing IT administrators to force the use of another browser.

Some strange browser restrictions missing from Windows Phone 8.1, but that are included in Windows RT 8.1 are restrictions like blocking scripting, auto fill, and popups.

The ability to prevent corporate documents from opening in non-corporate approved apps is also missing, and if this was present it would go that much further when preventing data leakage.

Some other restrictions that are missing that some IT administrators will want are the ability to restrict the microphone, voice assistant (Cortana), availability to use the voice assistant (Cortana) while the device is locked, powering off the phone or putting it into airplane mode (both of these are useful if the device is stolen and the thief/hacker wants to prevent a remote wipe), and the ability to stop the device from accepting untrusted TLS certificates.

Workplace Windows Phone 8.1

What is not shown in the matrix is an important new feature in Windows Phone 8.1 that allows for corporate VPN usage. Some IT administrators want to doubly ensure that data is protected while in the air, and Windows Phone 8.0's non-support for VPNs was a limiting factor.

Overall I think that Microsoft has added the correct mix of MDM restrictions to satisfy most IT administrators. Compared to out-of-the-box Android, it is definitely ahead, and on a par with iOS. Vendors like Samsung and LG have added more restrictions that make their implementation of Android safe for the enterprise, however this means that companies will need to mandate the purchase of devices made by a specific vendor. This is fine for company purchased devices, but when you want to adopt a Bring Your Own Device (BYOD) policy, restricting what devices you employees buy for themselves will not go over very well.

Apple, BlackBerry, and Microsoft build the MDM features into the OS. In the case of Windows Phone, the user can choose to buy devices from multiple vendors, which means that the same level of protection and restrictions would apply no matter what device is purchased.

What do you think? Will your company start allowing Windows Phone 8.1 devices? Is Microsoft's implementation going far enough?