Simon May

Client and cloud

July, 2014

  • Edge Show 111: Azure AD Premium SaaS Apps, App Proxy and Reports

    On the Edge Show last week I interviewed Nasos about Azure Identity and AD Premium. We got to talking about some of the cool new features in Azure AD.

    The post Edge Show 111: Azure AD Premium SaaS Apps, App Proxy and Reports appeared first on Enterprise Devices and Infrastructure.

  • Setup Azure RMS File Protection (Encryption) and File Classification Infrastructure (FCI) with On-Prem File Servers

    In our new world of highly mobile access to loosely coupled services it’s far easier for a user, who has legitimate access to the data, to accidentally move it to a storage location that doesn’t have your corporate data protections: They move a file from the file server to their personal cloud storage for example. Through Enterprise Management Suite we have a solution to this problem, Azure RMS. Traditionally RMS was less than simple to deploy and required users to do something to protect their files. Thankfully Azure RMS is substantially different, there’s a ton of documentation you can read for more info on TechNet which helps you to deploy Azure RMS but here I’m bringing together the guides for building out File Classification Infrastructure and Azure RMS.

    Quick Azure RMS Primer

    Setup Azure RMS File Protection (Encryption) and File Classification Infrastructure (FCI) with On Prem File Servers Azure RMS allows you to protect documents (and now other types of files) with encryption, identity and authorization policies and those files can only be accessed as long as a connection to the Azure RMS service can be made and the user is authorized to read or write the document. A great example is in the Azure TechNet library:

    you can configure a file so that it can be accessed only by people in your organization, or control whether the file can be edited, or restricted to read-only, or prevent it from being printed. You can configure emails similarly, and in addition, prevent them from being forwarded or prevent the use of the Reply All option. These protection tasks can be simplified and streamlined for your end users by using standardized policy templates. Azure Rights Management is a cloud service, and is integrated into other Microsoft cloud services and applications for simple ease-of-use and persistent protection.

     

    Quick FCI Primer

    File Classification Infrastructure runs on Windows Server 2012 (R2) and looks for files that match specific rules that admins have configured. When a file matches your rule it is classified in terms you’ve set, such as in my example below when “Confidential” is detected in a document that document is classified as “High Impact”. File Classification runs on a schedule and when new files are created if you so desire. In addition to the Classification Rule a File Management Rule runs to take that classification and apply something to it, in our case RMS protection. The actual classifiers are passed down from AD on-prem using Dynamic Access Control, which can also provide conditional access rules – but that’s beyond the scope of this post.

    Configuring a Lab

    Here I’m explaining how I configured my lab, but it’s basically the same process for production. I’m assuming that Azure AD Premium licensing has been applied to the Azure AD tenenant. Trials are free. Azure AD Premium is required because the Azure AD RMS Connector is only available with this licensing option. I’m also using Windows Server 2012 R2 for my file servers and for my connector server. I configure my lab using PowerShell as below, everything can be done through the UI – I prefer the brave new world of Infrastructure as Code wherever possible.

    #Configure DAC in AD on-premises
    Invoke-Command -ComputerName dc.corp.contoso.com -ScriptBlock{
     
    Set-ADResourceProperty -Enabled:$true -Identity:"CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com" -Server:"DC.corp.contoso.com"
    This first section will configure the AD Resource properties that we need to use for file classification. I do it using an invoke-command because I’m probably not running this on a domain controller, or somewhere with RSAT installed in my case.
    #Configure FSRM on App Server, including a classification rule and making a Wokfolders folder if needed
    Invoke-Command -ComputerName app.corp.contoso.com -ScriptBlock {
     
    Get-WindowsFeature *fs-resource* |Install-WindowsFeature -IncludeManagementTools
     
    if(-not (test-path d:\WorkFolders -PathType Any)){New-Item -Path d:\WorkFolders -ItemType Directory}
    Note: I’ve split this scriptblock to better explain it. First I invoke to run this section on my file server (called APP in my case). I then add the File Server Resource Manager feature to the server. Finally above I check to see if the folder I want to monitor exists, if it doesn’t I create it…I kind of love the simplicity of this line.
    Update-FSRMClassificationPropertyDefinition
    $date = Get-Date
    $AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3, 2, 4, 5,1,6,0) -RunDuration 0;
    Set-FsrmClassification -Continuous -schedule $AutomaticClassificationScheduledTask
    New-FSRMClassificationRule -Name "High Business Impact" -Property "Impact_MS" -Description "Determines if the document has a high business impact based on the presence of the string 'Confidential'" -PropertyValue "3000" -Namespace @(“D:\WorkFolders”) -ClassificationMechanism "Content Classifier" -Parameters @("StringEx=Min=1;Expr=Confidential") -ReevaluateProperty Overwrite
    Here I pull the updated properties from AD, set todays date and setup an automated FSRM task to run  my classification rules. I then define my rule to run “continuously”, i.e. on new file write, add it to the scheduled task. Finally I define the new rule…this last part is actually easier through the UI since the syntax is long, but the documentation on it is on TechNet.
    #Now download and install the connector on the connector server
    #http://go.microsoft.com/fwlink/?LinkId=314106
    # authorize the app server if not already done
    The above commented section cannot be done in PowerShell. The connector needs to be downloaded and installed on your connector server (there should be two of them, and they should be balanced with NLB for availability) – in the next section the sync.corp.contoso hostname should be the DNS name of the NLB cluster. Of course for a lab you only need one server to run as the Azure RMS Connector.
    # Run this line on the APP server
    & '\\dc\c$\DemoContent\GenConnectorConfig.ps1' -ConnectorUri http://sync.corp.contoso.com– -SetFCI2012
    Above again is almost manual. I run this script on my file server so this works for me. The GenConnectorConfig script is downloaded at the same time as the Connector software from the same link. What we are doing here is configuring the file server to look to the Azure RMS Connector server (which in turn looks to Azure RMS) for RMS templates. The –setFCI2012 switch sets things up for FCI but the script can also be used to configure on-prem SharePoint and Exchange to use Azure RMS via the connector. Almost done.
    # Now configure the Management Task in FSRM (the following will work too or use as a backup)
     
    $fmjRmsEncryption = New-FSRMFmjAction -Type 'Rms' -RmsTemplate 'FakeURLUSA - Confidential'
    $fmjCondition1 = New-FSRMFmjCondition -Property 'Impact_MS' -Condition 'Equal' –Value '3000'
    $date = get-date
    $schedule = New-FsrmScheduledTask -Time $date -Weekly @('Sunday')
    $fmj1=New-FSRMFileManagementJob -Name "High Business Impact" -Description "Automatic RMS protection for high business impact documents" -Namespace @('D:\WorkFolders') -Action $fmjRmsEncryption -Schedule $schedule -Continuous -Condition @($fmjCondition1)
    Above finally sets up the file management task to apply RMS protection, using the FakeURLUSA Confidential RMS template to any files classified as High Business Impact.
    Start-FsrmClassification
    Start-FsrmFileManagementJob -Name "High Business Impact"
    Finally the above two lines will run the required classification and management jobs on-demand.

    File Protection.Done. < 20 lines of PowerShell

    That’s all there is to it. Now any Office file saved into that folder with “Confidential” in the body will be encrypted, but it strikes me that in our highly mobile world you might want to be able to protect every file in the folder if they are company information – of course once a file is protected with RMS the file can no longer be parsed by FSRM and FCI. Because this is RMS the files can be opened anywhere the user tries to open the file and contact Azure RMS to read them…of course if a cloud storage service that doesn’t support RMS tries to read the files (to sell Ads or something) they will be corrupted…which is kind of the point.

    The post Setup Azure RMS File Protection (Encryption) and File Classification Infrastructure (FCI) with On-Prem File Servers appeared first on Enterprise Devices and Infrastructure.

  • Last week in Enterprise Devices and Infrastructure July 15 to 21

    Last week was a very interesting week in the world of enterprise devices and infrastructure: the Apple / IDM announcement, a great BYOD post on LinkedIn, Azure AD SaaS apps in the spotlight and many more useful bits.

    Business Stuff

    Apple and IBM signed an exclusive deal for IBM to start selling Apple devices along with it’s software deals and for IBM to produce exclusive business apps for iOS. This is a great move for both companies and will give Apple an instant enterprise sales force. I spotted this very interesting post on Linked In that questions how you terminate someone’s employment when they use BYOD. Of course the answer is “containers” but the question is always going to be who controls the container. It definitely shows how important it is to have a multi-layered approach to enabling mobility today.

    Device Apps

    We announced the App Portals tool for Windows 8.1. The tool lets you create a curation of enterprise apps and use it in very interesting ways, using Assigned Access in Windows 8.1 you can replace the Start Screen with App Portals or simply run the app from the Start Screen.

    SaaS Apps

    SaaS apps are a big part of most organizations app portfolio these days but management of them can be a little choppy with many requiring disparate, non-integrated or centralized credentials to make them work. We have a solution though and Gartner reported a little about it last week meanwhile Brad Anderson explained all in a great blog post (scroll to the bottom for a great video too). Last week in Enterprise Devices and Infrastructure July 15 to 21

    Remote Apps

    My good friend Andrew Fryer released his excellent VDI book this week. Take a look at Getting started with Windows VDI.

    Device Security

    BitLocker PIN on Surface Pro 3 and Other tablets lists the technical approaches that you can put in place for when you’re company still won’t accept that you probably don’t need a PIN on a Windows 8.1 device with BitLocker – such as the Surface Pro 3.

    The post Last week in Enterprise Devices and Infrastructure July 15 to 21 appeared first on Enterprise Devices and Infrastructure.