South Central District Client Team

Microsoft Network Access Protection (Simple setup)

2013-05-14T17:42:00Z

Protecting the Network from consumer devices, Microsoft Network Access Protection (NAP) simple setup.

This is a blog post from the work that Kevin Saye completed...

Summary:

With the proliferation of consumer and non-enterprise devices on the corporate network, security and health of these devices is top of mind for security officers.

While there are many vendors out there who offer agent and appliance solutions, Microsoft has provided Network Access Protection (aka NAP) since Windows Server 2008. With NAP, you can provide device level health for devices using the proven capability of: 802.1x (port level authentication), VLAN (network level segmentation) and client posture assessment for client devices.

This document outlines how to setup NAP for enterprise and consumer devices, allowing corporate and non-corporate access secure access.

Overview of Solution:

One of the most secure implementations of network protection is via 802.1x, which is a capability of most if not all enterprise level network gear (both wired and wireless). NAP can use 802.1x as an enforcement point, providing end users ease of access and policy compliance with both enterprise and consumer devices. This is where policy meets enforcement, and the end users just plug in a device (or connect via wireless) and magically it gets to the correct network.

For my demonstration, I used HP Procurve switches with the latest firmware. With this firmware, the commands changed just a bit from Jeff’s 2008 blog post here (http://blogs.technet.com/b/nap/archive/2008/06/19/nap-802-1x-configuration-walkthrough.aspx).

For this solution, there are 3 types of devices: enterprise managed, 802.1x capable and other (insert your favorite device here).

For enterprise managed (joined to the domain), they have the correct configuration, client certificate and policy compliance that enables it to be on the corporate network. For the other 2, they are “restricted” to the guest network protecting sensitive data / systems from insecure systems.

To outline the solution, consider the diagram below, showing the logical flow and dependencies of a NAP solution using 802.1x.

Setting it all Up:

HP Switch:

The following settings are for an HP Procurve switch with a F.05.77 firmware.

vlan 1

; this VLAN is not used

name "DEFAULT_VLAN"

ip address dhcp-bootp

exit

vlan 243

; this VLAN is my internet only VLAN

name "243"

; Port 1 is my uplink port

tagged 1

exit

vlan 184

; this VLAN is my corporate VLAN

name "184"

; Port 1 is my uplink port, port 2 is my non NAP port.

tagged 1

ip address 10.7.184.250 255.255.255.0

exit

; This enables EAP, sets the NPS server and the shared secret, sets ports 2-24 to use 802.1x and activates it

aaa authentication port-access eap-radius

radius-server host 10.7.184.200 key secret

aaa port-access authenticator 2-24

aaa port-access authenticator 2-24 unauth-vid 243

aaa port-access authenticator active

This configuration uses port 1 as my uplinked, which is VLAN tagged for both VLAN 184 (corporate VLAN) and VLAN 243 (internet / Guest VLAN).

I am also using EAP authentication, as this is the most secure this switch provides.

The IP address of my NPS is 10.7.184.200 and the shared secret is “secret”. The HP switch does not forward request for non 802.1x capable devices, but instead it uses the “unauth-vid” setting to define VLAN 243 for them.

I am also using EAP authentication, as this is the most secure this switch provides.

NPS Server:

For the NPS server, I followed these summarized steps.

Step 1: After installing the Network Policy Server, select NPS (Local) and click “Configure NAP”.

Step 2: Select the connection method to be 802.1x wired.

Step 3: Add one or more of your switches (HP in my case).

Step 4: Determine what users or machine groups you want to allow connections to the corporate VLAN.

Step 5: Select the NAP Server certificate (if allowing non domain machine, it should be a public PKI cert), and the EAP type. For my environment, I wanted machine certs, so I used EAP-TLS. You could have had the users type in a password (PEAP), but that is not the experience I wanted.

Step 6: Define the VLAN attributes for the corporate VLAN (aka the compliant network / full access network)

Step 7: Define the VLAN settings for the guest VLAN (aka the non-compliant / restricted network)

Step 8: Define which validators you will use, if remediation is enabled and what to do with non-NAP computers.

Step 9: Lastly, I setup my Windows Security Health Validator to match my policy.

Client Device – Enterprise Managed:

On enterprise managed devices, you need to set at least 4 settings. These can all be set via GPO, but I wanted to show the exact settings here so you can fully understand what has to be set.

Step 1: Set both the “Network Access Protection” and the “Wired AutoConfig” service as automatic and start them.

Step 2: Open up an MMC, add the “NAP Client Configuration” and enable the EAP Quarantine Enforcement Client.

Step 3: Once the “Wired AutoConfig” service is started, in network connections right click on the Ethernet interface and select Authentication. Enable 802.1X and select PEAP.

Step 4: Click Settings of EAP, select “Validate server cert” and select your CA. Next set the Authentication method to “other certificate”.

Client Device – 802.1x capable not Enterprise Managed:

An 802.1x client, not completely configured, including not having a valid certificate, it automatically placed on the guest network.

Client Device – non 802.1x capable:

Non 802.1x capable devices are placed on the guest network.

Seeing it in Action:

Enterprise Managed:

Enterprise Managed Devices just connect as expected and without any noticeable change.

The network card looks normal (as a point of reference)

And if you run napstat.exe, you see the status of the machine. Notice how I changed the title, description and the image, you can too!

Other – 802.1x not configured:

On devices with 802.1x but misconfigured you will see the network card attempt to authenticate, but eventually fail. In the failed state, the will be on the guest network. If you change the NPS authentication from EAP certificate only, to something else, the use can get an authentication prompt and attempt to authenticate as the user. Not the experience I wanted, from a usability perspective.

Other – non 802.1x:

On devices without 802.1x, they will remain in a failed state, but the UI does not show this status. This device will be on the guest network.

HP Switch:

From the switch console, you will see that I have a device on port 4 that is nap capable and is on the VLAN 184. The device on port 3 is either not nap capable or not compliant and as such is on VLAN 243.

Auditing the Events:

You will see one of two type of audit logs, by default.

Success:

In the security log on the NAP server, you will see event 6278 with a success code as shown below:

Actual content:

Network Policy Server granted full access to a user because the host met the defined health policy.

User:

Security ID: KEVINSAY\MTC71$

Account Name: KEVINSAY\MTC71$

Account Domain: KEVINSAY

Fully Qualified Account Name: KEVINSAY\MTC71$

Client Machine:

Security ID: NULL SID

Account Name: mtc71.kevinsay.pvt

Fully Qualified Account Name: KEVINSAY\MTC71$

OS-Version: 6.1.7601 1.0 x64 Workstation

Called Station Identifier: 00-30-c1-a9-d7-a4

Calling Station Identifier: 88-51-fb-c9-36-fa

NAS:

NAS IPv4 Address: 10.7.184.250

NAS IPv6 Address: -

NAS Identifier: HP ProCurve Switch 2524

NAS Port-Type: Ethernet

NAS Port: 4

RADIUS Client:

Client Friendly Name: HP Procurve

Client IP Address: 10.7.184.250

Authentication Details:

Connection Request Policy Name: NAP 802.1X (Wired)

Network Policy Name: NAP 802.1X (Wired) Compliant

Authentication Provider: Windows

Authentication Server: NAP.kevinsay.pvt

Authentication Type: PEAP

EAP Type: Microsoft: Smart Card or other certificate

Account Session Identifier: -

Quarantine Information:

Result: Full Access

Extended-Result: -

Session Identifier: {DDA6D86C-E54C-4913-9E74-4E00B95F54FA} - 2013-05-14 17:19:27.053Z

Help URL: -

System Health Validator Result(s):

Windows Security Health Validator

Compliant

No Data

None[]

(0x0 - )

Failure:

In the security log on the NAP server, you will see event 6273 with a failure code as shown below:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: NULL SID

Account Name: mtcvaioexec\mtcadmin

Account Domain: MTCVAIOEXEC

Fully Qualified Account Name: MTCVAIOEXEC\mtcadmin

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 00-30-c1-a9-d7-b0

Calling Station Identifier: 54-42-49-97-42-8d

NAS:

NAS IPv4 Address: 10.7.184.250

NAS IPv6 Address: -

NAS Identifier: HP ProCurve Switch 2524

NAS Port-Type: Ethernet

NAS Port: 3

RADIUS Client:

Client Friendly Name: HP Procurve

Client IP Address: 10.7.184.250

Authentication Details:

Connection Request Policy Name: NAP 802.1X (Wired)

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: NAP.kevinsay.pvt

Authentication Type: PEAP

EAP Type: Microsoft: Smart Card or other certificate

Account Session Identifier: -

Logging Results: Accounting information was written to the local log file.

Reason Code: 7

Reason: The specified domain does not exist.

Managing Mac Computers with Configuration Manager 2012 (with pictures)

2013-05-06T13:38:00Z

I am going to detail some of the scenarios on managing Mac Computers with System Center 2012 Configuration Manager.

Key links to get started:

You can download the Mac Client from - http://www.microsoft.com/en-us/download/details.aspx?id=36212

The following Mac versions are supported in this release:

Mac OS X 10.6 (Snow Leopard)
Mac OS X 10.7 (Lion)
Mac OS X 10.8 (Mountain Lion)

How to Install Clients on Mac Computers in Configuration Manager - http://technet.microsoft.com/en-us/library/jj591553.aspx which includes the following steps:

Steps to install and configure Site Server Roles to support Mac Clients

Management point
Distribution point
Enrollment point
Enrollment proxy point

Steps to install Client on Mac Computers

Installing the client
Enrolling the client
Upgrading the client
Uninstalling the client

Here is a screen shot of the Mac Client:

The Mac Client can be configured using Client Agents Settings: Enrollment (Default Client Settings), Computer Policy, Compliance Settings and Hardware Inventory.

Here are some of the features that Configuration Manager supports on Mac computers with screen shots:

Discovery – Discovers Mac OS X system in Active Directory and through network discovery

Hardware Inventory – Provides hardware inventory and auditing of computers running Mac OS X, including a list of installed software similar to add/remove programs for Windows systems.

Settings Management – Ensures computers running Mac OS X comply with company policies using scripts and preference list management.

This is an example and screen shots for Detecting if Security Update is applied. Create necessary Compliance Items, add them to a Baseline, then deploy Baseline to a Mac Collection(s).

Image below is a screen shot of Configuration Item Setting to detect if Security Update 2013-001 (Lion) is installed. You can get the Application ID from Package or get Application ID and Key from the installation XML file using pkgutil command.

Configuration Item Rule to report if Security Update 2013-001 (Lion) is NOT installed and create a Noncompliance Severity Warning for Reporting.

I also created Compliance Settings to detect if System Center 2012 Endpoint Protection for Mac is installed and another to detect if it is running. You can create Compliance for just about anything using a Shell Script and/or Preference List.

Application Deployment – Distributes required software via app model.

To create an application, you have to run the CMAppUtil on a Mac Computer to create the .cmmac file. In my example, I created an Application package for System Center 2012 Endpoint Protection. Once the package is created, you can import it using Application Model in Configuration Manager Console.

Configuration Manager does not support the deployment of Mac applications to users; these deployments must be to a device. For more information on deploying Software to Mac Computers, please visit How to Create and Deploy Applications for Mac Computers in Configuration Manager - http://technet.microsoft.com/en-us/library/jj687950.aspx

You can create a Device Collection based on Operating System by using the following: Mac OS X%, Mac OS X 10.7%, or ClientEdition = 5 in your query.

Here is a picture of what the Mac User will see when deploying software:

Software Updates Management – Distributes patches utilizing Software Distribution and Settings management features.

There are a couple of way to accomplish this. Create the software update packages using CMAppUtil, import them into Configuration Manager Application Model and then use Compliance Settings to detect if they are installed and remediate if desired.

Another option is to use the built-in command softwareupdate on Mac Computers.

NOTE: I have not finished testing this, but this is what I am targeting...

You can use a Discovery Shell Script to run softwareupdate -l | grep 'update' - (Update - the script is taking too long and timing out, set the script to run on a set schedule and not during the client connect).

and

Then use a Remediation Shell Script to run softwareupdate -i -a (or other appropriate switched).

Finally, set the Compliance Rule to look for The value returned by the specified script: Contains "No new software available"

Reporting - You can report and monitor all the features listed above using standard reports and built-in monitoring tools in Configuration Manager Console.

Internet-Based Client Management - Internet-based client management allows you to manage Mac clients when they are not connected to your company network but have a standard Internet connection.

Configuration Manager 2012 SP1 now support Mac OS 10.8 (Mountain Lion)

2013-04-03T15:10:00Z

Microsoft System Center 2012 Configuration Manager SP1 supports the management of Apple Mac clients. The client for Mac computers allows you to discover, collect inventory, manage settings, and deploy applications and patches using your Configuration Manager environment.

Mac Client:
The following Mac versions are supported in this release:

Mac OS X 10.6 (Snow Leopard)
Mac OS X 10.7 (Lion)
Mac OS X 10.8 (Mountain Lion)

The following scenarios are supported through the Mac client in Microsoft System Center 2012 Configuration Manager SP1:

Discovery – Discovers Mac OS X system in Active Directory and through network discovery
Hardware Inventory – Provides hardware inventory and auditing of computers running Mac OS X, including a list of installed software similar to add/remove programs for Windows systems.
Settings Management – Ensures computers running Mac OS X comply with company policies using scripts and preference list management.
Application Deployment – Distributes required software via app model.
Software Updates Management – Distributes patches utilizing Software Distribution and Settings management features.

You can download the Mac Client from - http://www.microsoft.com/en-us/download/details.aspx?id=36212

Supported configurations and hardware requirements for Mac: See the Client Requirements for Mac computers section in the Supported Configurations for Configuration Manager topic. http://technet.microsoft.com/en-us/library/gg682077.aspx

Mac Client Installation:

Download the Mac client msi file to a Windows system
Run the msi and it will create a dmg file under the default location “C:\Program Files (x86)\Microsoft\System Center 2012 Configuration Manager Mac Client” on the Windows system
Copy the dmg file to a network share or a folder on a Mac computer
Access and open the dmg file on a Mac computer and install the client using instructions in the online documentation. http://technet.microsoft.com/en-us/library/jj591553.aspx

Surface Pro

2013-02-25T16:16:00Z

Surface Pro is here - http://www.microsoft.com/Surface/en-US/surface-with-windows-8-pro/home

A laptop in tablet form, Surface Pro brings together the best of Microsoft in one awesome new device.

Here are the specifications:

OS	Runs current Windows 7 desktop applications and integrates with your existing enterprise management infrastructure. Use the programs and the apps available in the Windows Store.
Exterior	10.81 x 6.81 x 0.53in 2lbs VaporMg casing Dark Titanium color Volume and Power buttons
Storage	64GB, 128GB System software uses significant storage space. Available storage is subject to change based on system software updates and apps usage. 1 GB = 1 billion bytes. See Surface.com/storage for more details.
Display	10.6" ClearType Full HD Display 1920x1080 pixels 16:9 (widescreen) 10-point multi-touch
Pen Input	Pen input and pen (included with purchase)
CPU	3rd Gen Intel Core i5 Processor with Intel HD Graphics 4000 4GB RAM—Dual Channel Memory
Wireless	Wi-Fi (802.11a/b/g/n) Bluetooth 4.0 Low Energy technology
Battery	42 W-h
Cameras and A/V	Two 720p HD LifeCams, front- and rear-facing with True Color Microphone, Stereo speakers
Ports	Full-size USB 3.0 microSDXC card slot Headset jack Mini DisplayPort Cover port
Sensors	Ambient light sensor Accelerometer Gyroscope Compass
Power Supply	48W power supply (including 5W USB for accessory charging)
Warranty	1-year limited hardware warranty
Apps (included)	Windows Mail and Messaging; SkyDrive; Internet Explorer 10; Bing; Xbox Music, Video, and Games.

Runs current Windows 7 desktop applications and integrates with your existing enterprise management infrastructure. Use the programs and the apps available in the Windows Store.

Exterior

10.81 x 6.81 x 0.53in
2lbs
VaporMg casing
Dark Titanium color
Volume and Power buttons

Storage

64GB*, 128GB
*System software uses significant storage space. Available storage is subject to change based on system software updates and apps usage.
1 GB = 1 billion bytes. See Surface.com/storage for more details.

Display

10.6" ClearType Full HD Display
1920x1080 pixels
16:9 (widescreen)
10-point multi-touch

Pen Input

Pen input and pen (included with purchase)

CPU

3rd Gen Intel Core i5 Processor with Intel HD Graphics 4000
4GB RAM—Dual Channel Memory

Wireless

Wi-Fi (802.11a/b/g/n)
Bluetooth 4.0 Low Energy technology

Battery

42 W-h

Cameras and A/V

Two 720p HD LifeCams, front- and rear-facing with True Color
Microphone,
Stereo speakers

Ports

Full-size USB 3.0
microSDXC card slot
Headset jack
Mini DisplayPort
Cover port

Sensors

Ambient light sensor
Accelerometer
Gyroscope
Compass

Power Supply

48W power supply (including 5W USB for accessory charging)

Warranty

1-year limited hardware warranty

Apps (included)

Windows Mail and Messaging; SkyDrive; Internet Explorer 10; Bing; Xbox Music, Video, and Games.

Windows To Go - My favorite Windows 8 Enterprise feature

2013-01-31T16:10:00Z

Included with Windows 8 Enterprise

Windows To Go is your own fully manageable, corporate image installed on a bootable certified USB drive. It is a new feature of Windows 8 Enterprise to help businesses address a wide range of mobility and travel light requirements.

Be productive with or without network connectivity

Windows To Go is different from other mobility solutions because people can be productive from almost any location they choose to work. Simply insert a drive into a compatible computer and boot into a personalized Windows 8 image, network connectivity not required.

Windows To Go is Windows 8, to go

All of the great technologies you use with Windows 8 Enterprise work with Windows To Go: Group Policy, BitLocker, BranchCache, AppLocker, App-V, UE-V, and DirectAccess. Windows To Go is literally Windows 8 Enterprise in your pocket. Read the feature overview

While Windows To Go is not intended to be a replacement option for all enterprise devices, it offers employees a new way to stay fully productive and connected to resources across a variety of work scenarios.

Work from home

Employees travel light with their corporate image, apps, and policies provisioned on a Windows To Go drive for use on their home PC.

Bring your own device to work (BYOD)

Contractors or employees access the enterprise network at work from a personal device, allowing them to stay productive whatever their choice of PC.

Up and running on Windows 8

Help employees test, evaluate, or take advantage of Windows 8 on their existing hardware before it's deployed on their PC.

Maintain business productivity

Provide Windows To Go to maintain business productivity during unexpected events that compromise primary PCs or work locations.

Windows To Go certified drives pass a battery of certification tests, including self-hosting and boot compatibility across a variety of PCs. The certification process ensures that drives are built for the high random read / write speeds required for running Windows smoothly. Additionally, certified drives are backed with manufacturer warranties, with a focus on continuing to operate under normal working conditions. Microsoft only supports drives certified for Windows To Go.

Windows 8 support with Configuration Manager 2007 Service Pack 2

2013-01-14T15:22:00Z

Update adds support for Windows 8-based client computers in System Center Configuration Manager 2007 SP2 - http://support.microsoft.com/kb/2750782

An update is available that adds support for Windows 8-based client computers in Microsoft System Center Configuration Manager 2007 Service Pack 2 (SP2).

Additionally, this update adds Windows 8 and Windows Server 2012 to the supported platform list in the following features:

Software distribution
Software update management
Desired Configuration Management (DCM)

This update also fixes the following issues:

Discovery Data Manager (DDM) does not create Client Configuration Requests (CCRs) for Windows 8-based computers that are discovered by using the Active Directory System Discovery.
When the system processes a new power profile, the SMS Agent Host service (Ccmexec.exe) or the WMI Provider Host service (Wmiprvse.exe) stops unexpectedly.

App-V 5.0 Client Prerequisites

2013-01-10T22:28:00Z

The following are Prerequisites for App-V 5.0 Client on Windows 7:

Microsoft Windows .NET Framework 4.5. This eliminates the Microsoft Windows .NET Framework 4 requirement.
Windows PowerShell 3.0
Update for Windows KB2533623

I first enabled the Quick Fix Engineering Inventory Class, then I created a Configuration Manager 2012 Application and used the following PowerShell query to Detect if Update for Windows KB2533623 is installed.

Get-WmiObject Win32_QuickFixEngineering | where {$_.HotFixID -eq "KB2533623"}

This worked great until KB2567680 was released and superseded KB2533623 so I had to update my Detection Script to the following:

Get-WmiObject Win32_QuickFixEngineering | where {$_.HotFixID -eq "KB2533623" -or $_.HotFixID -eq "KB2567680"}

I then set the Update as a Dependency for the App-V 5.0 Client Deployment.

Microsoft Desktop Optimization Pack (MDOP) overview by versions

2012-12-10T20:53:00Z

Microsoft User Experience Virtualization (UE-V) captures settings to apply to computers accessed by the user including desktop computers, laptop computers, and VDI sessions.

UE-V 1.0 (http://go.microsoft.com/fwlink/?LinkId=267626)

Microsoft Application Virtualization (App-V) provides the administrative capability to make applications available to end user computers without installing the applications directly on those computers.

App-V 5.0 - (http://go.microsoft.com/fwlink/?LinkID=271502)

App-V 4.5 and 4.6 - (http://go.microsoft.com/fwlink/?LinkId=232982)

SoftGrid - (http://go.microsoft.com/fwlink/?LinkId=232981)

App-V Whitepapers on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=231902)

Microsoft BitLocker Administration and Monitoring (MBAM) provides an administrative interface to enterprise-wide BitLocker drive encryption.

MBAM (http://go.microsoft.com/fwlink/?LinkId=217222)

MBAM Whitepapers on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=231905)

Microsoft Diagnostics and Recovery Toolset (DaRT) helps troubleshoot and repair Windows-based desktops.

DaRT 8.0 supports Windows 8 and Windows Server 2012.

DaRT 7.0 supports Windows 7 and Windows Server 2008 R2.

DaRT 6.5 supports Windows 7 and Windows Server 2008 R2.

DaRT 6.0 supports Windows Vista and Windows Server 2008.

DaRT 5.0 supports Windows 2000, Windows XP, and Windows Server 2003.

Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of the Group Policy Management Console (GPMC) to provide change control and improved management.

Overview of Microsoft Advanced Group Policy Management - (http://go.microsoft.com/fwlink/?LinkId=232980)

AGPM Whitepapers on the Microsoft Download Center - (http://go.microsoft.com/fwlink/?LinkId=232275)

AGPM 4.0 supports Windows Vista SP1, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

AGPM 3.0 supports Windows Vista SP1 and Windows Server 2008.

AGPM 2.5 supports Windows Vista and Windows Server 2003

Asset Inventory Service (AIS) reduces application management lifecycle cost of ownership by scanning and translating inventory data into useful, readable information.

AIS Online Help (http://go.microsoft.com/fwlink/?LinkId=226726)

Microsoft Desktop Enterprise Monitoring (DEM) monitors and reports enterprise-wide desktop application and system failures.

DEM 3.5 (http://go.microsoft.com/fwlink/?LinkId=232985)

DEM Whitepapers on the Microsoft Download Center - (http://go.microsoft.com/fwlink/?LinkId=232276)

Microsoft Enterprise Desktop Virtualization(MED-V) uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization.

MED-V 2.0 supports Windows 7.

MED-V 1.0 supports Windows Vista and Windows XP.

App-V 5.0 Connection Groups

2012-12-04T02:38:00Z

My favorite feature of Microsoft Application Virtualization (App-V) 5.0 is Connection Groups. In previous versions of App-V 5.0, Connection Groups were referred to as Dynamic Suite Composition. Connection Groups allows businesses to connect separately packaged App-V applications, enabling them to communicate with each other and with traditionally installed applications. This gives businesses the best of both worlds, providing isolation – reducing conflict and time spent regression testing – yet allowing applications to interact and communicate when needed.

The Microsoft Application Virtualization (App-V) 5.0 Management Console allows you to create connections between applications. It allows the applications to communicate with each other while they run in the virtual environment.

Use the following procedure to create and publish App-V 5.0 connection groups.

To create a connection group

Open the App-V 5.0 management console and select Packages.
Select CONNECTION GROUPS to display the Connection Groups library.
Select ADD CONNECTION GROUP to create a new connection group.
In the New Connection Group pane, type a description for the group.

Click EDIT in the CONNECTED PACKAGES pane to add a new application to the connection group. In the PACKAGES Entire Library pane, select the application to be added and click the arrow to add the application.

To remove an application, select the application to be removed in the PACKAGES IN pane and click the arrow.
You can reprioritize the applications in your connection group by using the arrows in the PACKAGES IN pane.
After you have added all the applications and configured AD access, click Apply.

To publish a connection group

Open the App-V 5.0 management console and select Packages, and then select CONNECTION GROUPS.
Right-click the connection group to be removed and select Publish.

Metered Internet Connections with Configuration Manager 2012 Sp1

2012-11-26T17:29:00Z

Metered Internet Connections

For Configuration Manager SP1 only, you can manage how Windows 8 client computers communicate with Configuration Manager sites when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.

NOTE: The configured client setting is not applied to Windows 8 client computers in the following scenarios:

The computer is on a roaming data connection: The Configuration Manager client does not perform any operations that require data to be transferred to Configuration Manager sites.
The Windows network connection properties is configured as non-metered: The Configuration Manager client behaves as if this is a non-metered Internet connection and so transfers data to the Configuration Manager sites

Client Setting - Specify how clients communicate on metered network connections (Configuration Manager SP1)

From the drop-down list, choose one of the following for Windows 8 client computers:

Allow: All client communications are allowed over the metered Internet connection unless the client device is using a roaming data connection.

Limit: Only the following client communications are allowed over the metered Internet connection:
- Client policy retrieval
- Client state messages to send to the site
- Software installation requests by using the Application Catalog
- Required deployments (when the installation deadline is reached)
Important: If a user initiates a software installation from Software Center or the Application Catalog, these are always permitted, regardless of the metered Internet connection settings.

If the data transfer limit is reached for the metered Internet connection, the client no longer attempts to communicate with Configuration Manager sites.

Block: The Configuration Manager client does not attempt to communicate with Configuration Manager sites when it is on a metered Internet connection. This is the default value.