Last year I wrote an article about a new ability that allows us to manage MacOS Devices through MDM. With the ITMS 8.7 release Symantec extends this cababilities to manage Windows 10 and Windows 11 through MDM. This new cababilities allows us to manage Devices through MDM only or in combination with the Symantec Management Agent.
The new Modern Device Management capabilities can be viewed when opening the SMP Console and navigating to SMP Console ->Home -> Windows Modern Device Management
Symantec added a new MDM – Windows Workspace: it looks very similar to the previously released MDM for MacOS.
MDM Server Deployment Options
Symantec provides you with two options to install the MDM Server. You have to make a decision which one fits best for your environment.
The first option is to deploy the MDM Server within your internal network. You have to upgrade your Internet Gateway to version 8.7 to get this working because you need to add a Windows MDM Server on your CEM Internet Gateway Application (see screenshot).
Internal Network deployment
The second option is to install the MDM Server in your DMZ (like your currently existing Internet Gateway).
DMZ Deployment
In this screenshot I assume you also have an Internet Gateway installed which isn´t necessary if you want to manage Devices through MDM only.
DMZ Deployment (second option):
Before you can deploy Configuration Profiles or Applications through MDM, you have to configure your Windows MDM Server and Certificate. You have to use a certificate from trusted certificate authority to enable devices without the Symantec Management Agent to trust the Internet Gateway. If you already have a CEM Gateway running, you might use the same certificate for your Windows MDM Server if you have a Wildcard (*.YourDomain.com) certificate for your Domain.
Please make sure you do not have SSL (Deep) Packet Inspection enabled on your Firewall.
Install a Windows Server or a Windows 10 /11 Client OS (I prefer a Windows Server) in your DMZ and install the Symantec Management Agent and the newly introduced Windows MDM Server Plugin on this device. You have to create a Target for this. The currently existing Policy doesn´t provide a target.
Internal Network deployment (first option): only for customer which want to install a Symantec Management Platform Internet Gateway if not already existing…
If you decided to install an MDM Server on your internal Network you can install the MDM Server on a Windows 10 / 11 Client OS or deploy a new Windows Server (2016 / 2019 or 2022). After installing the Server or Client – rollout the Symantec Management Agent and deploy the Windows MDM Server Plugin. After the installation of the SMA and the Windows MDM Server Plugin make sure you have installed / upgraded your CEM Gateway with the 8.7 CEM Installation package. Otherwise you aren´t able to configure the „internal Network deployment“ option.
On your Server hosting the CEM Gateway open the 8.7 Symantec Management Platform Internet Gateway click Servers tab and as Server type select Windows MDM Server. Add your internal Servername here.
Installing and Configuring Windows MDM Server
For the MDM Server you can use Windows 10 oder Windows 11 Client OS or you could use a Server OS. I prefer to use a Server OS. This is necessary to push profiles and applications using policies to your Windows 10 / Windows 11 Clients that are enrolled into Windows MDM.
In addition to certificates you need to install the MDM Server Plugin on the MDM Server. To do this you can push the Plugin to the MDM Server using a Policy (Settings -> Modern Device Management -> Server for Windows MDM – Install Policy).
On your Windows MDM Server you should see the Altiris WMDM Agent Plugin installed.
Enroll Windows 10 / 11 Clients into MDM
To be able to manage Clients through MDM you have to enroll them into (W)MDM. To do this you need to add a Work or School Account using the Windows Settings. Another option would be to customize the landing page on your MDM Server (<InstallDir>:\Program Files\Altiris\Altiris Agent\Agents\WMDM\MDMServer\www\index.html). To use the landing page send a link with the following URL for enrollment to the user(s): https://your_Public_Server_Name.yourDomain/MDM. To enroll devices without the landing page add a Work or School Account click (Windows) Settings button and select Accounts or you could use the Deeplink (https://your_Public_Server_Name.yourDomain/Deeplink).
For full management capabilities you could enroll into Windows MDM and use the Symantec Management Agent in combination. When managing your Devices only through MDM is sufficient, you do not need to install the SMA. But be aware that you are limited with available Payloads in the Windows MDM Workspace.
What I really like is the ability to create Additional payloads and the ability to import ADMX and ADML files. This allows greater flexibility. I recommend to use ADML files in EN-US language.
Some settings are only possible if you create a Custom Profile (OMA-URI). OMA-URI´s provide a very flexible option when a payload isn´t available. Here is an example:
Conclusion
I hope we will see an expansion of the MDM system very soon with support for iOS in one of the next releases. The currently available profiles are limited in the capabilities compared to the possibilities using the Symantec Mangement Agent with all Plugins.
Feature Requests
Mass Enrollment into MDM: Allow mass enroll of devices into MDM without manually enrolling for each user!
Allow to install the Windows MDM Server on the SMP Server for smaller environments (when using the „internal Network deployment“ method).
Please provide the CEM Offline Installation as .MSI extension to be able to manage devices using the „full“ Agent if MDM capabilities are not sufficient. So we can use the Windows MDM to rollout the SMA even when the devices aren´t in the office without creating an Offline CEM Installer .EXE. The Windows MDM currently only allows us to distribute .MSI Files.
Allow multiselection to delete imported Additional payloads (ADMX/ADML)
Create a folder for each ADMX/ADML import instead of a constantly growing list of profiles. Think about importing 10 ADMX Files with each of 30 configuration options…… This list will get longer and longer during the years.
Endpoint Management 