Simon May

Client and cloud

August, 2014

  • Top 3 remarkable reasons modern app practices rock for IT Pros

    Modern apps are different from the old exe based applications that have been around for the past 20 years they really aren’t just about full screen apps! There are real advantages to embracing them for IT that solve some of the biggest app headaches we in IT have faced for years. What benefits can the container based approach deliver for you and why is it a good idea to adopt a modern app pattern?

    I spent the first while of my career as an application packager building SMS installer packages and Orca with MSI files just at the time when the “installer” revolution was kicking off. Prior to this time install and uninstall of applications was far from smooth or trouble free. Much, much harder than it is today. At the time Microsoft Installer delivered a best of both worlds approach in which deep integration with the operating system, Windows, and made uninstallation easy(er). Also to a certain extent it helped prevent apps from overwriting each others system files (DLLs) which was common by tracking all the files used by an app. It was also easy to see where potential conflicts could arise and people built entire solutions around this.

    Looking at the state of play today containers are the new big thing and it’s easy to see why: they solve the biggest headaches we’ve had in the app space for years. Almost all OSes today implement containers in some form with modern applications, Windows 8.1 is a great example, so containerization at the client is now the app development practice of choice. It comes down to three top reasons for me:

    Lifecycle and Modern Apps

    The application lifecycle has been a challenge for IT Pros and developers for many years, both have had different but similar problems with the lifecycle of install, upgrade, uninstall. For us IT guys install normally meant spending tons of time customizing the installation process (repackaging) so that install locations were exactly correctly, the right options got installed and the right dependency applications like middleware were installed.

    All those options should lead to a more predictable installation but upon upgrade we often found that the developers were building under the assumption of a standard install and we’d again have to transform the upgrade install. Finally uninstall always leaves some stuff behind because the automated uninstall wouldn’t know if it was safe to delete something that could *potentially* be shared by another application. The approach of app containerization means that all the requirements for the application are self contained within the appx file, in the case of modern Windows apps. There are also protections in place to prevent those files from being modified and as a result a developer knows exactly what will be there when the app installs. There is of course a requirement for IT to give up some control over the customization of the app but the trade off is reliability and predictability. Something that every IT person I’ve ever known has valued above all.

    Anti-interference and Modern Apps

    The app container approach also has remarkable security implications too that resolve many of the standard headaches that IT get involved with. What are those headaches? We’ll one app overwriting the files of another but more worryingly it’s become a really common way for more…nasty…things to happen: specifically malware. Firstly apps in Windows 8.1 are security principles meaning that they can have security permissions assigned to them and by default they do. As you can see from this picture the Windows Store app can be read and executed by other apps but it’s files can’t be modified by other apps. That provides an initial level of malware protection. Additionally appx packages are signed to ensure the creator of the package is who they purport to be so you know that you can only have apps installed from trusted sources.

    Top 3 remarkable reasons modern app practices rock for IT Pros

    Apps also run with least privileges assigned to them so it’s not possible for them to execute code that is outside their context. They do this in just the same way that protected mode Internet Explorer does.

    Integration and Modern Apps

    Traditionally apps were all able to talk to each other but they used many unorthodox ways to accomplish those tasks and they had some really painful middleware requirements in the case of lots of LoB apps. Apps in Windows 8.1 can be more easily integrated into things that a user has already setup on a system with the use of App Contracts. These contracts, which you’ll commonly see when sharing, allow one application (the target) to be used by other applications (the source). For example the Mail app has a target contract to receive data from other applications and Internet Explorer has a source contract to share information about the page you are viewing when you wish to do so. These contracts provide the ability for an app to reach outside of it’s container safely and allow other apps to deposit information into another apps container safely. Contracts are remarkable for IT again because they make things reliable and predictable.

    Sounds Interesting…how do learn more?

    Hopefully this post has given you a few reasons to start thinking about modern apps a little differently to the way you might have been thinking about them. They aren’t just apps that only show up full screen! There is some really sound technical reasons why you want to start prodding your organization to move towards modern apps. You can learn more using this TechNet virtual lab to sideload applications in Windows 8.1 or by downloading the Windows 8.1 evaluation from the eval center.

    The post Top 3 remarkable reasons modern app practices rock for IT Pros appeared first on Enterprise Devices and Infrastructure.

  • 5 quick wins for implementing Microsoft’s Enterprise Mobility Vision (+ learn how to do it!)

    There are at least 5 quick wins you can get from implementing Microsoft’s Enterprise Mobility Vision: Epic Reports that tell you about potential security breaches; get a handle on where your data is going with Cloud App Discovery; be better than passwords with simple to implement multi factor authentication; understand your users devices with workplace join and give your users devices they’ll love.

    The client management space is changing: when we look at information from Forrester we see that 40% of companies are say that BYOD programs are a high priority and that many of us (classed as information workers) are using more than one device. That doesn’t mean that the traditional client management space goes away, rather that it’s augmented with new capabilities to support those workloads. A few months back Brad Anderson, CVP Enterprise + Client Mobility started an excellent blog series defining and expanding upon our enterprise mobility vision:

    …to help organizations enable their users to be productive on devices they love while protecting the company.

    This is the first post in a series during which I’m going to expand on some of Brads key points and give you practical ways that you can immediately start to give value back to your business by implementing our vision. I’ll help you solve your mobility challenges (please note that that doesn’t mean I’m going to solve the issue of you being stalked on Facebook by that ex, let’s keep this on enterprise mobility!)
    On that note, let’s get specific – tell me your mobility challenges in the comments, I promise to read them all and help solve some of them.

    Step Zero – Try Stuff

    The very first thing you’re going to want to do is to try things out. We all like to build a lab to understand the technology intimately. To be able to do this you’ll need to lay your hands on some evaluations and trials, luckily we’ve done everything we can to make that easy for you: Take the Empower Workforce Mobility learning path on the TechNet Evaluation Center. Of course I’m not going to leave you to do that on your own, you can sign up for the trials you need and I created this handy video to help you out.

    Quick Win 1: Epic Reports

    This is my favorite first thing to show people about our mobility offering because it’s simple to implement. As soon as you’ve created an Azure AD tenant (which the above video shows you how to do!) and you’ve created a user either in the cloud (IT Pro test: figure this bit out yourself) or you have some users synced from on-prem AD then you can get going. Follow these steps and in about 5 minutes you’ll see the power of Azure AD reports…

    1. Download the TOR browser (do this in a lab that’s NOT on your corporate network)
    2. Use one of your user accounts to log into myapps.microsoft.com a few times (do it about 5 times)
    3. Go to the Azure portal and using your admin account go to your Directory then go to Reports and select Users with anomalous sign in activity.

    Now you should see something like this: 5 quick wins for implementing Microsofts Enterprise Mobility Vision (+ learn how to do it!)This is showing that one of my users logged on from places she couldn’t have travelled between in time and was attempting to mask her IP. This is telling you that her account has probably been compromised. I bet you don’t get that with on-prem only AD or any other identity provider.  Show this to your ITSec or CIO and they’ll ask you to show them more. The best thing is that the other reports are even better: I call them “big data for the IT admin” but that’s for another post in the series. Let’s not stop with the quick wins though.

    Quick Win 2: Know where your data is going

    You know your users are getting around your “no personal cloud storage” policy but you don’t know how or to what extent. I hear this all the time from the admins I talk to (and the CIO is probably loosing sleep over this too). Again we have a tool that can give you quick insight: Cloud App Discovery. This tool is very simple but highly effective, install the agent onto Windows PCs in your company and the PC will report back to YOUR Azure tenant information about the cloud services being used on it. So if your user decides to copy data to Box.com through the browser – you see it in the report, or it they do it through installed software – you see it in the report. You can also see who the user signed into the PC was and how much date they transferred. 5 quick wins for implementing Microsofts Enterprise Mobility Vision (+ learn how to do it!)In the report above you can see that one of my users has been using a variety of different services, the types of those services, the names of them and the amount data they’ve transferred. As a bonus all the apps with logo tiles in the top right quadrant can instantly be managed as SaaS apps through the portal, but again more in a later post. For now though, download the Windows 8.1 evaluation, install it and then try Cloud App Discovery.

    Quick Win 3: Be Better than Passwords with MFA

    As soon as you have users in the cloud and you have Azure AD Premium you can enabled Azure Multi-Factor Authentication (you have trial if you followed the advice in Step Zero). Once enabled for a user when that user signs in next they will be asked to verify their contact phone number by opting to receive a call or text. Subsequently their sign on will be a little different but a lot safer:

    1. They attempt to sign on
    2. Correctly enter their password
    3. Azure MFA steps in and calls or texts them
    4. They answer or get the SMS code and enter it
    5. Their sign-on is complete.

    This simple additional factor requires that the user knows and has something: raising the safety level quickly. In production you might not only have cloud users but this can now be implemented through Azure AD for all on-prem AD users that are synchronized to Azure AD without the need for on-prem server deployment. Like all our solutions you can embrace the power of AND – on-prem and cloud. MFA is very flexible and I’ll cover it in more detail in a later series post.

    Quick Win 4: Know your users devices with Workplace Join

    When a conversation gets passed “I don’t know what cloud apps my users are using” the conversation normally moves onto “I don’t know what devices they’re using”. For the past 15 years we’ve had Domain Joined devices – company owned, company managed devices. The real point of domain membership is to give Windows devices identity – but you probably don’t want devices that the company doesn’t own joined to you domain (and users really don’t want the GPO that deploys the corporate wallpaper on their device!). iOS and Android devices obviously don’t support Domain Join either. Workplace join steps in and helps out. It works with all the most common devices and you can use it to permit and deny access to corporate resources with conditional access. It takes a while to implement a Workplace Join scenario so why do I call it a quick win? Well not all quick wins happen in 10 minutes: sometimes they take a while to implement but become fruitful quickly. If you implement workplace join you’ll quickly start finding out what devices your users are trying to use – that can inform policy – but policy you’ll be able to implement quickly. Luckily you can try it out in about an hour with the labs in our tech journey!

    Quick Win 5: “devices they love”

    The quickest win I can think of is to stop trying to please everyone all the time – it just makes everyone unhappy. Your users will love (and therefor keep using) devices that get the job done for them in the way they want it done. Sometimes that will be them selecting the device, sometimes if will be IT selecting an array of devices for them to choose from…sometimes it will be a task-specific device. In essance the quick win is to think of managing only three device types:

    • Employee owned, company enabled
    • Company owned, employee enabled
    • Company enabled only.

    When you do this and you implement device management policies that match those device types and apply similar configurations across each device type within each category you’ll save time and better enable your users. The best thing to do is to start trying things out, so start yourself off on an eval journey. Also take a look at Brad’s series, especially his post on Microsoft being your vendor of choice for EMM.

    Share these key points:

    • 5 quick wins from Microsoft's Enterprise Mobility vision
    • Quickly get "big data for IT admins" with Azure AD reports
    • Use Cloud App discovery to understand your orgs use of cloud apps
    • Multi-Factor Auth with a couple of clicks + 5 Quick Wins with EMS

    The post 5 quick wins for implementing Microsoft’s Enterprise Mobility Vision (+ learn how to do it!) appeared first on Enterprise Devices and Infrastructure.

  • Last “week” in Enterprise Devices and Infrastructure News

    These last week posts seem to have slipped due to ridiculously busy schedules, I’m let me try to get them started again:

    Windows Devices

    Surface Pro 3 deployment resources will help you get those Surface Pro 3 devices rolled out, the PFE team have even included links to the firmware and driver packs that you’ll need and take you through how to deploy with MDT!

    Cloud Storage

    This great article on OneDrive for business managed deployment will get you able to deploy the OneDrive for business apps silently in your business.

    Microsoft is doing lots to make it easier for you to trust how we run our cloud, whatever that trust might include – be it protection from government snooping, compliance standards or stronger encryption and we’ve put together a load of great resources that you’ll find really useful. You can find them here: [via The Fire Hose]

    Device Management and App Security

    Brad Anderson (CVP Mobility and Client Management @ Microsoft) posted a great article that articulates our map to the future of where we are taking our solutions for mobility management. I found this part really interesting:

    In Q4 of 2014 we will update Intune and introduce a new feature called “Conditional Access Policy.” This feature will allow the administrator to grant access to O365 (e-mail and OneDrive for Business) or on-prem Exchange only
    if
    the device is managed by Intune and meets the compliance policy criteria specified by the IT administrator.

    Read Brad’s post here and take a listen to Brad’s podcast (the Brad Cast [sic]) – I was there during the recording and some of the upcoming ones are super cool!

    The post Last “week” in Enterprise Devices and Infrastructure News appeared first on Enterprise Devices and Infrastructure.

  • Edge Show 115: Azure AD Connect

    In this episode of the Edge show I interview Jen Field from the Azure AD Fabric team and get her to walk me through the new Azure AD connect tool that helps you quickly link your on-prem AD to Azure AD. The tool will even deploy the server roles you need on-prem!

    Share this post with a suggested tweet

    • Check out Azure AD Connect (streamlined AD FS deployment)

    The post Edge Show 115: Azure AD Connect appeared first on Enterprise Devices and Infrastructure.