Low-power Windows 8 tablets will have features consumers want, and with a little effort can be adapted to use in corporate networks, too, IT pros were told at a TechEd 2012 educational session.
Windows RT devices that run on ARM processors boast long battery life, suitability for cloud applications, and playing games and music, said Hiroshi Sakakibara, a senior product marketing manager for Microsoft, making them attractive to consumers.
But convincing IT staff that they're a good idea isn't that easy. "Whenever we talk to the IT department we get a mixed response," he says.
That's because corporate decision makers are worried about securing and managing the devices in a business setting. But there are enough tools available to make Windows RT useful for some corporate work, he said.
Windows RT is a bundle of hardware and software that lacks some of the features of full Windows 8 devices, notably the ability to run traditional x86 applications - in other words traditional business applications. But they can still serve useful business functions, he says.
Despite their potential usefulness, IT may have restricted access to them given that the devices may be owned by employees who want to use them for work. That makes it challenging to secure them and manage them to a degree that makes them safe to connect with corporate networks.
First, security. Windows RT can connect to corporate networks via secure, built-in VPNs that support L2TP, PPTP, SSP and IPSec protocols. These VPNs can be configured manually or using Windows PowerShell scripts to automate the process, a good option when configuring more complex features such as multifactor authentication, multi-server VPNs or network access protection, Sakakibara says. Cloud-based tools could also push VPN connections to the devices.
Windows RT supports virtual smart cards, he says, which perform the function of two-factor authentication using the trusted platform module (TPM) chips that will be installed in Windows RT tablets as a stand-in for traditional RSA-style authentication tokens. The TPM holds a credential that Windows recognises as if it were an authentication token. So if someone steals a password, they still can't gain access to the network unless they possess the machine it is paired with.
Booting Windows RT tablets includes two kinds of protection against malware, secure boot and trusted boot. Secure boot uses the standardised unified extensible firmware interface to ensure the operating system being booted hasn't been corrupted. Trusted boot is a process that loads anti-malware before the operating system boots in order to head off malware that might try to disable it.
Data stored on the devices is encrypted by default.
The operating system supports picture passwords in which users are presented with a picture and have to touch certain areas in certain ways in a certain sequence in order to unlock the machine. Microsoft claims this is more secure than username and password.
As for management, businesses have to accept that if they let employees bring these consumer tablets to work, they can't control them the same way they can control corporate-owned machines. They have to settle for controlling access and authorisation. IT looks at what resource a user wants and determines what measures are necessary to protect that information. It may be that access is denied if the data can't be adequately protected.
So, for example, since they can't push applications to the devices as they could if they were corporate-owned, they can present users with a catalog of applications that are available for their use, says Mark Florida, a principal program manager for Microsoft.
Consumers are familiar with shopping for apps, so business apps can be presented as if they are in a store, he says. A prototype self-service portal he showed was populated with Windows 8 Metro style tiles grouped in categories - Engineering, Finance, HR. So an expense report application was grouped under Finance.
These portals can be built so just the apps the individuals are authorised to use appear. Clicking on a tile either grants access to the application remotely, installs it or directs users to the Windows Store where they can learn about it and install it if they choose, he says. The point is that the user is given the choice to use the app, and in doing so submits to corporate restrictions on it.
Windows RT still has no support for traditional applications that run on x86 machines. If the application is really necessary, it can be accessed remotely from a server. If the application needs to run locally on the end user device, it will have to be an x86 Windows device.
Remote applications appear as tiles on the Start menu in Windows RT, and clicking on them prompts a connection to the remote server, a process that can take several seconds. Once the connection is made and the session started, the application responds nearly as if it is running on the local machine.
In some scenarios Windows RT devices will be corporate owned, not part of a bring-your-own-device pool, Florida says. In such cases IT will have greater control over such things as use of networks, he says. If these mobile devices use 3G or 4G networks, background intelligence transfers, like location, device state, etc. can be blocked so less bandwidth is consumed by the device to prevent racking up big bills.
In a separate presentation for press, senior product manager Craig Ashley said AT&T has created a Metro style application that gives users a view of how much bandwidth they have consumed so far in a month so they can monitor whether they are close to going over their limit.
Also, Windows Update, which pushes fixes to devices, can be put off by the devices so that only critical updates are installed over broadband connections with less urgent ones waiting until the device is within range of a cheaper Wi-Fi connection.