With the release of Windows Phone 8.1 Microsoft is adding a large set of enterprise management functionality. This article lists the new features and gives examples of how businesses can benefit from them.

What exactly is "Enterprise Management Functionality"?

What I mean by this is the possibility for corporate IT to control, configure and secure a mobile device remotely over the air. To achieve such functionality, operating system vendors need to make APIs available into which vendors of MDM (Mobile Device Management) software can hook in their MDM controls. Compared to other mobile operating systems like Android or iOS, Microsoft has been far behind, but that is going to change with the release of Windows Phone 8.1.

What do I need to use it?

To take advantage of enterprise management functionality, enterprises need to utilize MDM software and pay attention that it supports Windows Phone and specifically version 8.1 of it.

AirWatch just announced same-day Windows Phone 8.1 support which means that the new functionality of WP 8.1 will be available to AirWatch customers on the same day, Microsoft releases the operating system to the public as Microsoft and AirWatch have been working together to maximize AirWatch functionality for WP 8.1 devices.

Additionally the MDM vendor should have "Discovery Services" available to allow for simplified enrollment of WP 8.1 devices, which is optional for WP 8, but required for WP 8.1 (via new Workplace feature). Simplified enrollment ensures that users can enroll their own devices by just needing to provide their e-mail address and AD password. Our blog article for WP 8 simplified enrollment shows how the simplified enrollment process looks like.

Update: If you are interested in seeing the enrollment process for Windows Phone 8.1, please have a look at this blog article: MDM enrollment with Windows Phone 8.1

New enterprise management functionality in Windows Phone 8.1

All of the below functionality can be setup and controlled via AirWatch profiles

In Windows Phone 8.1 all of the enterprise management functionality can be pushed via push notifications to the devices. This is a huge benefit over Windows Phone 8 which required the device to request new policies on a schedule.

Device VPN and per-app VPN

WP 8.1 supports IPSec (IKEv2) and SSL-VPN with the possibility for single apps to trigger a specific VPN connection, when the app starts. This allows for single-sign on to corporate resources without additional user input, assuming that the VPN configuration has been pushed to users devices through an MDM solution.

The possibility to configure multiple VPN connections and link those to different apps is a huge benefit in a corporate environment which has solutions from different vendors/suppliers and wants to give secure access for certain apps only.
So a user who opens up a CRM app could be automatically connected to the corporate VPN to retrieve required data, while the opening of a suppliers app with stock data will automatically trigger the creation of the VPN tunnel to the supplier.
Only one VPN connection can be open at the same time and WP 8.1 automatically terminates an existing VPN connection, if an app which is configured to utilize a different VPN connection is opened.

With AirWatch MDM functionality, customers can also provision complex VPN configurations which require certificates, including dynamically -per device- created certificates via SCEP.

Enterprise Wi-Fi support

While WP 8 supports basic Wi-Fi setups with GDR3, WP 8.1 adds support for the below authentication methods with the option of server certificate validation.

  • PEAP-MSCHAPv2
  • EAP-TLS
  • EAP-TTLS
  • EAP-SIM
  • EAP-AKA

Additionally administrators can enforce restrictions which disable internet sharing over Wi-Fi and can prevent users to manually connect to (unmanaged) Wi-Fi networks.

Advanced Certificate Management

Certificate Management has been enhanced for SCEP based certificates which allow the real-time provisioning of certificates for enrolled devices to utilize certificate-based authentication for Wi-Fi, VPN connections, browser sessions, e-mail and apps. E-mail configuration now also supports S/MIME configuration.

With the integration of AirWatch and an in-house or external certificate authority, certificates can be requested, generated and automatically provisioned to devices.

This allows enterprises to remove the need for user-name and password authentication and in the example of e-mail authentication, can prevent the lockout of user accounts due to expired/changed credentials. More information can be found in our blog article.

Device Security and Restrictions

Passcode policies and passcode remote lock and reset

With WP 8.1 corporate passcode policies can be applied to enforce a certain passcode length, complexity, maximum age and automatic lock. If users forget their passcodes, administrators can remotely reset the passcode (with WP 8 a full device wipe is required). If a user has lost the device, administrators can remotely lock the device to enforce the passcode. With AirWatch also enduser can be granted the permission to the AirWatch web based self-service portal from which endusers can perform the above action on their own devices.

Device Restrictions and Privacy Settings

IT can enforce restrictions on devices to simplify device usage or to implement data loss prevention (DLP). The following features can be turned on or off via corporate profiles:

Device Functionality

  • Allow Camera
  • Allow screen capture
  • Allow Storage Card
  • Require Device Encryption
  • Allow Browser
  • Allow App Store
  • Allow Copy-paste
  • Allow Bluetooth
  • Allow Telemetry
  • Allow NFC
  • Allow USB Connection

Network

  • Allow Wi-Fi
  • Allow Manual Wi-Fi Configuration
  • Allow Wi-Fi Hotspots Reporting
  • Allow Wi-Fi Off-Loading
  • Allow Internet Sharing
  • Allow VPN Over Cellular
  • Allow VPN roaming Over Cellular
  • Allow Cellular Data Roaming

Security and Privacy

  • Allow Location
  • Allow Microsoft Account Connection
  • Allow Adding Non-Microsoft Accounts Manually
  • Allow Manual Root Certificate Installation
  • Allow Developer Unlock

Application Management

Administrators can now install, update and remove internal apps silently/without user interaction which are targeted dynamically to devices and users. Additionally it is possible to create white and blacklists for internal and public apps.

To gain additional control, it is possible to disable the Microsoft store and Internet Explorer. This allows corporations which utilize AirWatch to distribute the secure AirWatch browser and AirWatch app catalog to their users.

Additional functionality with AirWatch

Organizations who utilize AirWatch to manage Windows Phone 8.1 devices can also install additional apps from AirWatch to increase the set of management functionality beyond MDM. Currently the following apps and functionality is available:

  • "AirWatch Secure Content Locker" for distribution and synchronization of documents from various repositories (including Sharepoint)
  • "AirWatch Secure Browser" as an alternative browser with bookmark distribution and data loss prevention (DLP)

Overview of Windows Phone 8.1 functionality with AirWatch

The below video gives a quick overview of the benefits