Considering System Center, Enterprise Mobility + Security and Operations Management Suite

May 17, 2017   //   Cloud Security

System Center Configuration Manager (SCCM) links to EMS and OMS via connectors.  There is one Connector for Microsoft Intune (part of the Enterprise Mobility + Security Suite Bundle) and another Connector for Operations Management Suite; the latter was first introduced as a pre-release feature in the v1606 release, so you have to be on the Current Branch to use it and go to your Hierarchy Settings to enable early adoption.  SCCM presently sits at v1610, with new in-place upgrades occurring roughly every quarter.  The next one is anticipated soon and will support the forthcoming Windows 10 Creators Update v1703.

All that is implementation, and it seems relatively straightforward to do, except that all the necessary pieces have to first be in place.  SWC can help get you there if the infrastructure is not ready.  But what’s not so straightforward are the licensing arrangements and types of services required to get all of that squared away from a business perspective.  There are multiple bundles and packages available, and navigating them takes a little bit of digging.  This post attempts to provide some high-level guidance when considering a corporate purchase of SC2016, EMS or OMS.

It is time to take on the approach of Cloud First Management!

What is EMS?

Let’s start off with a history lesson.  Enterprise Mobility + Security (EMS) was introduced in mid-2016.  This is an extension of the original Enterprise Mobility Suite, which has always included Microsoft Intune, Azure Active Directory Premium, and Azure Rights Management (this last has now been renamed AIP – Azure Information Protection).  Shortly thereafter, the EMS bundle was expanded to include Advanced Threat Analytics (ATA), adding exceptional value given the vast range of security functionality it entails.  SWC’s dedicated security team can guide you in leveraging this investment.

There are different pricing levels with all the Microsoft cloud offerings.  For instance, both EMS E3 and E5 include Client Access Licenses (CALs) but only E5 gives you the premium features.  With either choice, the whole package consists of a powerful set of identity and device management tools – all delivered straight from the cloud!  See the EMS Datasheet for more information.

One important distinction to note: the Intune Datasheet indicates you only get the rights to manage client computers with EMS Intune (workstations/desktops/laptops/devices).  When bundled with EMS, Intune includes the SCCM console and the ability to manage five workstations per user, and all features related to client systems – SCEP, OSD, USMT, and WSUS are all included.

In general, all this also applies to Intune Standalone. The main caveat is that both models assume that you will primarily run cloud-based features because neither EMS nor Intune grants on-premises SQL rights for SCCM – you’d have to procure that license separately. If you want the ability to run SCCM on-premises with an included SQL license, plus the ability to leverage other products in the suite, then SWC recommends going with a System Center Suite volume license rather than Intune Standalone or EMS. But if you don’t need the on-premises tools and want to go cloud-only, EMS or Intune Standalone can be a more appropriate option in that scenario.

Also note that an EMS/Intune subscription does not include licensing or support for server infrastructure (save for installing the SCCM server console itself). Nor does it permit use of any other parts of the System Center Suite. The non-perpetual piece is probably obvious, but it should be called out that every user would need to be licensed in Intune in order to be properly licensed for SCCM.

What is OMS?

So how do you extend SCCM’s powerful management capabilities to cover servers too?  That is the purview of Operations Management Suite (OMS).  In some ways, OMS is a larger conversation that needs to be considered distinctly beyond just client-server management.  It is an important tool, but with benefits and tradeoffs that need to be weighed against various other IaaS and hybrid cloud strategies.  Talk with your SWC Engagement Manager on how to best navigate this course so as to decide on the best-fit solution.

For instance, OMS is an important consideration if you are thinking about leveraging System Center Endpoint Protection (SCEP) across the board to replace another antivirus solution.  It is also a bargain if you want to increase your Return on Investment (ROI) with the synergies provided by the other traditional System Center products.

OMS is a subscription bundle released at Ignite in August 2016, comprising both cloud offerings and on-premises products.  Both OMS E1 and E2 licenses extend rights to use the full System Center 2016 suite of management agents on servers.  Yet the robust Disaster Recovery and Compliance features require purchasing the E2 suite, as per the pricing guide.

E1 includes Insight & Analytics, Automation & Control, and on-premises software for Operations Manager, Service Manager, and Orchestrator.

E2 includes everything in E1 and adds both Security & Compliance and Protection & Recovery services, plus on-premises software for Virtual Machine Manager and Data Protection Manager.

See the OMS Datasheet for more details.

What About SQL Server?

This is perhaps the most common question that comes up, since all the System Center products require dedicated SQL instances to run the software.  As mentioned above, even though EMS/Intune and OMS do grant rights to use their on-premises software counterparts SCCM and SCOM, neither cloud offering provides an SQL Server license – you have to bring your own.  As an alternative, the System Center 2016 Datasheet clearly indicates that the full suite has always included use rights for SQL Server Standard Edition as part of its offering.

“The System Center 2016 licensing model for Standard and Datacenter will be the same as 2012 R2 with server and client management licenses. As with System Center 2012 R2, the 2016 editions will be differentiated by virtualization rights only. Licenses are required only for the endpoints being managed. No additional licenses are needed for the management server or SQL Server runtime.”

What’s historically not included is SQL Server Enterprise Edition, which you would need, for example, to build Always On clusters for high availability (HA) of the System Center databases, or for increased scalability of SQL Server Analysis Services jobs that perform data warehouse processing.  If that is a requirement, plan on procuring enterprise CALs too.

In short, if you’re considering a cloud-first solution, then the EMS/Intune and OMS offerings are the best bet.  However, if you want to couple that with the accompanying set of on-premises tools, yet need some extra SQL instances to run them, then you should consider adding a System Center Suite volume license to your Enterprise Agreement as well.  This may be more cost-efficient than just buying individual SQL Server licenses to run System Center.  SWC’s reselling team can offer additional licensing guidance to best fit your targeted implementation model.

Office 365 and Azure?

If your organization is considering a move to Office 365 or Azure, SWC strongly encourages you to consider the benefits that EMS and OMS can bring to the table, regardless of whether you are currently running System Center or not.  For instance, I’m moving a bunch of servers up to Azure.  How am I going to monitor and secure things?  How do I back up cloud-based VMs?  OMS can help there!

Or consider this: you want to onboard users to Office 365 for Exchange, but you know you are running older versions of MS Office applications like Word, Excel, and Outlook which are out-of-date and no longer supported.  How are you going to roll out MS Office 2016 Click-to-Run (C2R) to all those endpoints?  Intune can help you do that if you don’t have a tool.  Plus, you’ll eventually need to get your PCs upgraded to Windows 10, in order to take advantage of the latest features.  SCCM policies can manage the versioning of C2R and Windows 10 to keep things more consistent going forward.

Hybrid Cloud Management?

When it comes to deploying management infrastructure, there are various scenarios to consider.  A large part of it has to do with the site topology of physical locations.  These days, workforces can be largely distributed across the WAN and users are not always connected via VPN – this is what the cloud-first approach was designed for.  But in more centralized settings like a campus, where devices have direct connectivity to Active Directory and finer degrees of role-based access are required, the on-premises tools make more sense – plus you can still use the cloud avenues as secondary resources while you gradually transition in that direction.  A multi-site or multi-national organization definitely needs both toolsets at its disposal to achieve maximum flexibility with the greatest range of options.

For now, the safe answer in the immediate term still seems to be “do Hybrid” with your management tools.  Integrate EMS and OMS into your SCCM console if that is designated your primary pane-of-glass for managing endpoints.  But if you want to go lightweight with just the web-based cloud portals and reduce your on-premises footprint further, that’s fine too!  Use one or the other, or both, whichever best meets the needs of your organization.

If you need help, ask SWC about how to determine the best overall management strategy.  Our Managed Services offerings can put System Center and its related cloud services to work for you in a meaningful way.  Make no mistake, the paradigm of Cloud First Management will certainly continue advancing further and faster over the next few years!