The Perfect Use for the Surface Duo: Dedicated Work Device

After I put up my thoughts about the Surface Duo after a month of using it, the question I got most often was “what would you say the Duo would be good for?” I wanted to take a minute and write up how I ended up using my Duo, and why.

As a Microsoft employee, I feel like the company is a good example of how IT security is changing to react to folks working from home full time. That means there are more people than ever using personal devices to connect to company resources, and that has forced some changes in how IT manages that process.

As little as two years ago, I can remember being able to count on one hand the number of use cases that required MORE than two-factor authentication (2FA) to access. Getting on the VPN was usually reserved for resolving internal links, where I needed the DNS servers more than anything else. In fact, because my work laptop was joined to the AD domain that covers Redmond employees, I had to set a reminder to myself to log in and let AD refresh the local security certificates on my laptop, because once they expired the only fix was to rejoin the domain! From my personal workstation I could access almost everything, and the only gateway was the 2FA process.

Since then, a lot has changed. Personal devices now require encrypted disks, Microsoft Intune gets pushed out and installed without notice, and more and more resources, even basic ones like SharePoint sites and logging into Teams, require not just 2FA, but also a device that’s “registered” for approved access. These are the choices that Microsoft has made, and I accept them.

But, I don’t have to necessarily be excited about it.

From a personal device standpoint, I have options. The easiest one is simply to use a virtual desktop. Microsoft gives me the ability to use a persistent virtual desktop that’s hosted in any of four different regions around the globe. It has full access to all of the company resources, and I can connect to it from anywhere. Because it connects to OneDrive, I can sync files across devices, as well as sync my browser profile. Is it as responsive as my personal workstation? Of course not. But, if this is how my employer wants to protect their environment, I respect that and will work within that framework.

With cell phones, it’s trickier. Exchange/Outlook users have always had the overhead of having to consent to a situation where the company can remote wipe your phone if they feel the need to, which has always felt….bad. Even if the number of times I’ve ever seen that ability used is low, and even if I understand the logic, it’s unsettling to know  that your employer has that kind of control over a device they didn’t pay for, and sometimes don’t even fully pay for the service.

Android has made a decent attempt to work around this with their new “Android Work Profile” setup. It creates a logical partition on the phone, and lets your employer publish an app store that only works on that partition. Both “sides” of the phone are surfaced on the regular desktop (kind of like you used to be able to run apps that appeared native even though they were installed and running in a local VM) so you don’t have to keep switching contexts. I appreciate what the solution is trying to do, but in practice it was a pretty terrible experience. I don’t think that’s Android’s fault so much as Microsoft’s, but here’s an example.

Microsoft owns SwiftKey. They’ve shipped what appears to be a special version of SwiftKey with the Duo to fit nicely into some of the dual-screen use cases. On the standard Android side you can replace this with any other keyboard you want, just like always. On the Android Work Profile side….there are no other keyboards in the Work App Store. So you are stuck either using SwiftKey everywhere, or have to adapt to multiple keyboards being used depending on where the app is coming from. Having to use one keyboard for work e-mail and one keyboard for personal e-mail, even though both are using Outlook feels really, really bad.  You also can’t cut and paste across the logical boundary, so no pulling a link from personal Edge and pasting it into work Teams. Even the file systems are separate, so if you take a picture with work Camera, you can’t see that picture from personal Photos. So….not ideal.

It’s also notable that you don’t have the option of not using Android Work Profile. It’s mandatory, or your phone can’t access any work systems (which, on mobile let’s be honest, is e-mail and Teams and maybe OneNote at times). So, here’s where the Surface Duo comes in.

At this point I have two devices. The Surface Duo is work only. I created a separate Google account to log into the device and set it up, installed the Android Work Profile, and set up access to all of the work apps I need. It doesn’t have cellular service, only wifi, and it has worked great so far. I’ve also done the same thing with my home workstation. I reinstalled Windows, and removed all of the Intune software, and will only access work resources through the virtual machine, or through my (extraordinarily slow) work-issued laptop.

It’s been a few weeks since I put this system in place, and there’s been one amazing upside: I work much less obsessively. I close my VM or laptop, I plug the Surface Duo in to charge in the office, and I’m… off work. I don’t see e-mail or Teams notifications. I don’t doom-scroll Yammer because I’m bored. For me, personally, this has been a huge benefit. As a natural workaholic, the pandemic, quarantine and work-from-home parts of 2020 have been pretty terrible. There were weeks I felt like I never left the office. Having a clear separation of work from the devices I’m on for personal use makes this much easier to manage. It means that blogging, something I love to do, doesn’t feel like work because it’s being done from a device where I’m not going to be doing work. Hobbies feel like hobbies again. There are some adjustments that need to be made, mostly to do with not having access to my work calendar all the time, but those things I’ve gotten used to.

The elephant in the room here is: of course this makes me less productive. No, I can’t answer your e-mail in the middle of the night. I can’t use the most powerful systems in my house to work on documents that I need to connect to the corporate network to access. Yes, I work fewer hours.


I’m 100% okay with it, and I am okay with the same behavior from everyone who works for me. The easiest way I’ve found to avoid burn-out is to simply have a good firewall between work, which is only supposed to be the way to earn income to take care of your family, and the rest of your life. That’s gotten so much harder during the pandemic because we don’t have a commute to de-stress on, and we don’t have an office to go to, I don’t have a plane trip to take, so in a roundabout way the increased security posture of my employer has really given me the opportunity to put some of those boundaries back in place.

How have you put appropriate limits in place for your mental wellbeing this year? I’d love to hear your ideas.