PolicyPak: Deciding which version to purchase

PolicyPak has three editions: Group Policy, MDM and Cloud. Which one is right for you? Or maybe MORE than one version is right for you. Watch this video to learn about the differences between the versions and walk away knowing which one(s) you should trial.

PolicyPak: Deciding which version to purchase

Hi. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, we’re going to learn how to make the decision between the three product editions for the major suite. We have PolicyPak Group Policy Edition, PolicyPak MDM Edition and PolicyPak Cloud Edition.

Let’s figure out which is the right one or ones for you. How do we do that? First is, what can you do with it? The Group Policy Edition enables you to deliver all of our special PolicyPak settings. Actually, even the Group Policy Edition lets you do some magic that regular in-box Group Policy can’t do. We have other videos on this, so I’m going to fly by this pretty fast.

The first thing is that we can reduce the raw number of GPOs, which is pretty awesome. We can wrap up the Microsoft Admin Templates with item-level targeting. So you can say kill the Control Panel for this group of users, prevent run from start menu for this IP range and so on.

We also have this special magic called “Loopback without Loopback,” which provides you the ability to take user side stuff and jam it into computer side settings.

These are the enhancements that we do inside the Group Policy Edition, not to mention all the amazing PolicyPak stuff. You probably already know that: Browser Router, Application Settings Manager, Least Privilege Manager. All of our stuff and add stuff to the Microsoft Group Policy ecosystem.

The MDM Edition is popular for people who also love the PolicyPak stuff but also want to get the Group Policy settings to their endpoints. Because MDM doesn’t have it in its own way to deliver most Microsoft Group Policy settings, and people come to PolicyPak to help enable that.

That’s also why people come to us for PolicyPak Cloud. MDM Edition and PolicyPak Cloud is probably where we will spend a lot of our time here today so you can make the right decision on should you get PolicyPak Cloud or MDM and/or the Group Policy Edition. That’s where we’re going to spend most of our time. The Cloud Edition, again, helps people deliver all of our magical settings and all of the Group Policy settings at the same time.

Who should use what product? In other words, why did we design and build each product a little bit differently? You’ll probably want to use the Group Policy version when you have domain joined machines and you’re really using Group Policy. That’s why it’s called the Group Policy Edition. They have to be domain joined because Group Policy only works for domain joined machines, and it’s called the Group Policy Edition because it uses Group Policy.

Now the MDM Edition is probably better for when you are completely invested in, say, Intune, AirWatch, MobileIron, that kind of thing; if you’re a single company and you’ve invested in an MDM service; and mostly for Enterprise customers. If you are transitioning between Group Policy and MDM or you have a lot of Group Policy and you have some MDM, we’ll talk about that combination a little bit later.

For the Cloud people, the Cloud customer is best if you’re an MSP or if you’re managing multiple companies or customers. Or you can be an IT professional where you have people spread out all across the universe and you don’t have an MDM service. The Cloud is great for that. It’s also great if you need flexible yearly or monthly licensing. You can just put in your credit card and you can grow and shrink as you need to, per month even if you wanted to for the Cloud Edition.

Those are the three versions of the product and why we built them.

How do you deploy policy settings? In the Group Policy Edition, you simply use Group Policy, make your policy settings right there, click OK and we’ll save it as a GPO. When you run GP Update you’re ready to go and you’re consuming those policy settings. Of course, those policies will work for domain joined machines only.

For the MDM Edition, that’s where you’re going to use your MDM service to take the policies that you’ve created and export them and then deploy them using your MDM service. We’ll talk more about that a little bit later. Now this will work for domain joined or non-domain joined machines, but the catch is that the MDM version will not process domain joined GPOs or domain-based Group Policy Objects. So if you want to use the MDM Edition, it will only accept directives that are deployed using the MDM version.

The PolicyPak Cloud Edition is a little bit special. It lets you deploy policies either using PolicyPak Cloud and also using Group Policy if you wanted to. In that way, it’s somewhat more flexible than the MDM Edition. You can use domain-joined machines or non-domain joined machines. It works great for either one, and you can have a one-stop shop if that’s what you wanted to do.

Now they all use the same bits. Where are the bits, what the heck are they, how do you download them? We call them the client-side extension. You get this in the PolicyPak Portal. You have to get it out there, or else none of the magic happens.

In the Group Policy Edition you’re going to install, as you can see here, the PolicyPak Client Side Extension.MSI. You can use SCCM or whatever you want to roll it out.

For the MDM Edition, you’re going to use your MDM service to roll out the client-side extension. That’s the magic that makes it work.

Then PolicyPak Cloud is a little bit different. You’re going to install the PolicyPak Cloud CLIENT.MSI which is unique to your instance of PolicyPak Cloud, and then we automatically download the PolicyPak Client Side Extension.MSI for you. So you don’t have to manually do that to get the client-side extension out there, but you do have to get the cloud client installed on the endpoints.

How do you keep things updated? The bits, how do you keep those updated? In the PolicyPak Group Policy Edition you simply keep the client-side extension MSI up-to-date using whatever tool you want like SCCM or PDQ Deploy or whatever.

In MDM land you’re going to download the latest client-side extension from the portal and then tell your MDM update it everywhere I already have my client-side extension MSI. That works great.

Then the Cloud Edition, we’re always automatically updating the client-side extension and give you the tools to say I want it to go on these machines and those machines and so on. So that’s how you keep things updated.

Now we get this question a lot: “Do I need a DC in order to create an edit policy?” The answer is yes. The idea is on some machine somewhere you’re going to install the PolicyPak Admin Console, and that’s what’s going to give you this here on the right. That’s what’s going to give you the PolicyPak node that you can see on the computer side and the user side as soon as you install the admin console.

For the Group Policy Edition you already have a domain controller, so this is easy. You just install the admin console on your machine. It doesn’t have to be a domain controller. It can be just a beautiful Windows 10 machine that’s joined, or to the DC. Then that’s where you create and edit GPOs from.

In MDM and Cloud land it’s kind of the same deal. You still need a real or a fake domain controller to store the policies during your editing process. Then at that point, you’re ready to right click and export those policies for the next step. So you do need a domain controller to be able to create and edit policies even in MDM or Cloud land such that you can export your policies for later.

Now in PolicyPak Cloud coming soon we are working on letting your create some policies without a domain controller. We probably will not be able to do all of them, but coming soon in PolicyPak Cloud you will be able to create and edit some policies without a domain controller. So that’s coming soon, but not right now. Or maybe it is by the time this video shows up.

Now do you really need a DC? Yes, you really need a DC because as you can see here on the right, this is the “Local Group Policy Editor.” If you’re just installing the PolicyPak admin tools on your machine, you actually don’t get all the best stuff. There’s no Group Policy Preferences here. Not all the Group Policy security settings are here.

The idea is that if you’re using the PolicyPak Group Policy version, you already have a domain controller so that’s not really an issue. But in MDM land and in Cloud land, again, there are a bunch of things you can’t do if you don’t have a domain controller as the scratchpad location with which to create real GPOs to then later export.

So that’s the deal. You need to have a fake domain controller. You can have it in VMware Workstation. You can have it in Hyper-V. It just has to be a pretend domain controller for the sole purpose of creating and editing these GPOs for the PolicyPak stuff or for the Microsoft stuff. Then when you export, you have it ready to go and ready to use in either MDM land or Cloud land.

Now this is the question: “Can I just buy one PolicyPak product? And I hope the answer is yes.” Here are a couple of scenarios. Scenario 1 is all of my machines are domain joined. Some of them are roaming and they get VPN or the DirectAccess. Great. Then you are the perfect candidate for PolicyPak Group Policy as the only product you need because it fits all the criteria. Domain joined? Check. Group Policy? Check. Roaming using VPN or DirectAccess? Check. You’re ready to go. That’s the one product you need.

The other time where you can use exactly one product (Scenario 2) would be if you’re all-in with MDM. You can have a mix of domain joined and non-domain joined machines with MDM. That’s fine. What you’ll do then is use PolicyPak MDM for all your machines. The only catch is that you must use MDM for those directives. We will not process PolicyPak directives that are stored inside GPOs. If you’re all-in on the MDM version, that’s fine but you won’t process the Group Policy directives. You have to have those directives being delivered using the MDM product of your choice. So this is where you can use just one product to do everything.

Here are two more scenarios where you can use one product to do everything. Scenario 3 is you’ve got mostly domain joined machines and some non-domain joined machines and roaming machines. Perfect. You can use PolicyPak Cloud and license all those machines and use PolicyPak Cloud to deliver policies to all those machines. One product to do everything for domain joined and non-domain joined machines. PolicyPak Cloud is perfect for that.

Here’s another scenario a lot of customers are using (Scenario 4) which is mostly domain joined machines and some non-domain joined and roaming machines. You can use PolicyPak Cloud to license all the machines just like what we said earlier. But check it out, you can use PolicyPak Cloud to deliver directives to some machines and use Group Policy to deliver it to other machines because the Cloud Edition enables you to do both Group Policy directives and Cloud directives. In this way, you can have one product, PolicyPak Cloud, and use the Group Policy method and the PolicyPak Cloud method. That’s another way that you can use just one product.

Why might you need two PolicyPak products? There are two very common scenarios. The first one is you might want to use PolicyPak Group Policy for all of your domain joined machines using Group Policy and then add on some PolicyPak Cloud for your non-domain joined machines. That’s very common. We get a lot of customers who are doing that. We also have this scenario: use Group Policy and domain joined GPOs with the PolicyPak Group Policy Edition and then add on some PolicyPak MDM for your non-domain joined and MDM enrolled machines.

In other words, there’s no downside to having two products. It’s the same bits. It’s the same policy directives. You’re just getting them over and using the transport. What you’re buying with PolicyPak is the way to get it transported, either Group Policy or Cloud or MDM Edition.

Now you might still be struggling with, should I use PolicyPak Cloud or PolicyPak MDM? Here’s how you might get to that decision. First, do you already have an MDM solution? If the answer is no, PolicyPak Cloud all the way. If you do though, you still might want to make a decision point. Here’s the inflection. For me it’s, do you want everything in one console? If the answer is yes, then you can use PolicyPak MDM Edition with your MDM solution.

On the other hand, if you want things more flexible, you can use your MDM solution for MDM items and PolicyPak Cloud for everything else because what’s nifty about PolicyPak Cloud is that it’s just like the Group Policy GPMC. You can take a directive, upload it and link it over to a gaggle of computers. Then you can change your mind. It’s very simple.

In MDM land, everything is wrapped up as an MSI so you have to reopen the MSI – we give a utility for it – kick out a policy, put it back in and reupload it. It’s a little bit longer to do things in the MDM land, but the advantage is that you have everything in one console.

There’s no right or wrong way to do it. There’s just which way do you like it. Do you want maximum flexibility or everything in one console? Here’s the cheat sheet if you’re still on the fence. PolicyPak Cloud is definitely easier unless you need to be all-in with an MDM solution.

In fact, let’s continue down that road and let’s explain a couple more things about the decision tree here. Remember, in both scenarios, in MDM and in Cloud, you get everything. You’re not somehow hobbled because you are buying one version. Same thing, both versions, MDM and Cloud Edition.

MDM works with Windows 10 only because only Windows 10 machines can enroll in an MDM service. PolicyPak Cloud lets you join Windows 10 and 7 machines if that’s what you wanted to do.

PolicyPak MDM will only accept policies from your MDM service. PolicyPak Cloud is more flexible. It will accept policies from both PolicyPak Cloud and your on-prem GPOs. So if you want to be more flexible, PolicyPak Cloud can do that.

Remember, you’re using the in-box MDM enrollment here with MDM, and with Cloud you’re using the cloud client installer that’s unique for your instance of PolicyPak Cloud.

In MDM land, the user can be just a user during enrollment, which is nice. But with PolicyPak Cloud, the user must be an admin during enrollment. In other words, we can’t join PolicyPak Cloud unless that person doing the joining is an admin.

Here’s the key thing for me: policies are wrapped up as an MSI and are targeted using your MDM service. That’s fine. That’s just a little bit more involved. In PolicyPak Cloud, it’s a lot easier. Policies are simply directly uploaded to PolicyPak Cloud, and real soon policies are just going to be able to be created directly within PolicyPak Cloud so there’s a slight advantage there for PolicyPak Cloud.

With MDM, you must license 100% of those Windows machines of Windows 10 and MDM. You have to show us how much you’re about to use in MDM land. In PolicyPak Cloud, however, you buy a pool of licenses and you can grow and shrink the pool as needed.

You must license you’re intended use in MDM land. So if you know that during this year you’re going to grow to 1,000 seats, you have to prepay for those 1,000 seats. In PolicyPak Cloud, like I said, you’re going to consume licenses from the pool, which is great. You can grow and shrink as you need to.

PolicyPak MDM is really meant for if you have very few customers to support. By customers I mean big organizations. The MDM solution itself, an MDM provider like InTune, AirWatch or MobileIron, is really not meant for that kind of scenario but PolicyPak Cloud is. So if you have lots of little customers that you’re supporting and you’re growing, like if you’re an MSP, this is a good scenario for you. Or if you have lots of different offices, it works out great that way too for PolicyPak Cloud.

The way that licenses are cut is that in MDM we cut a license per e-mail domain. If you have 20 little universes, you’re going to have 20 little different license files that you’re going to have to get to the various machines. Of course, you’ll use your MDM service to get there, but it’s more complicated for everybody.

Then in PolicyPak Cloud land, licenses are a pool that you can grow into. Like I said, you would simply consume a license from the pool. So there’s no licensing really to worry about. There’s just a pool of licenses that you consume and you’re ready to go.

A little bit more on this is how you get licensed. In the Group Policy version, you’re going to run the licensing tool. I’ll show you that in a second. In MDM land you’re going to show us a picture of your usage, and then in PolicyPak Cloud land you’re going to purchase a pool of licenses.

Let’s see what that looks like. This is the LT or Licensing Tool. This is the on-prem tool where you run it and it counts the number of computers and Terminal Server licenses that you’re going to need. It gives you a count at the end, and that’s what you’re going to pay for. That’s the Group Policy version.

For MDM, you’re going to take a screenshot of how many Windows 10 computers are currently in your MDM service and also your proposed usage. That’s how MDM works.

Then Cloud, you buy in advance a pool of licenses and you consume those licenses as needed. Again, you can use the PolicyPak Cloud licenses for your roaming or your on-prem machines because the cloud license will work for non-domain joined and domain joined machines. That’s important to note.

Other things to think about. Do you have RDS and Citrix? Well, there are some rules here. It’s definitely licensed and will work perfectly with the PolicyPak Group Policy Edition. It will work in the PolicyPak Cloud Edition, but you do have to let us know. We do have to have a special handshake on that. RDS and Citrix is not licensed for the PolicyPak MDM Edition, so that’s not a thing you can do.

Do you have VDI? If you do, it will definitely work with the Group Policy Edition. Will it work with that Cloud Edition? Yes, it should work just fine if they can talk to PolicyPak Cloud and claim a license. With MDM, yes, it should work also, again, if it can talk to your MDM server. So it should work just fine with regular VDI.

The trick is nonpersistent VDI. If you have nonpersistent VDI, well then, those machines are kind of losing their mind every time they’re rebooted and there’s a little bit of special sauce that has to happen here.

In Group Policy land, that’s fine because you’re licensing the OU or the whole domain and they’ll just light up again just fine. PolicyPak Cloud, it will work but there’s a post-Sysprep script that has to be run. It’s not a big deal. We have a tech note article on it. You just have to get that run. For MDM, yes, it will work just fine if it can talk to your MDM and claim the cloud license. Not much more to it than that.

That’s it. I hope this gives you some direction about which product or products you would need. PolicyPak Group Policy Edition is mostly for when you’re using the Group Policy method to get things accomplished. PolicyPak MDM is if you’re all-in with an MDM solution. And PolicyPak Cloud is the most flexible that lets you do Internet-based directives through the cloud and also Group Policy directives on-prem.

I hope this video helps you out. Looking forward to getting you started with PolicyPak real soon.

Thanks so very much.

Back