Simon May

Client and cloud

  • Last week in Enterprise Devices and Infrastructure July 15 to 21

    Last week was a very interesting week in the world of enterprise devices and infrastructure: the Apple / IDM announcement, a great BYOD post on LinkedIn, Azure AD SaaS apps in the spotlight and many more useful bits.

    Business Stuff

    Apple and IBM signed an exclusive deal for IBM to start selling Apple devices along with its software deals and for IBM to produce exclusive business apps for iOS. This is a great move for both companies and will give Apple an instant enterprise sales force. I spotted this very interesting post on LinkedIn that questions how you terminate someone’s employment when they use BYOD. Of course the answer is “containers”, but the question is always going to be who controls the container. It definitely shows how important it is to have a multi-layered approach to enabling mobility today.

    Device Apps

    We announced the App Portals tool for Windows 8.1. The tool lets you create a curation of enterprise apps and use it in very interesting ways, using Assigned Access in Windows 8.1 you can replace the Start Screen with App Portals or simply run the app from the Start Screen.

    SaaS Apps

    SaaS apps are a big part of most organizations’ app portfolios these days, but management of them can be a little choppy, with many requiring disparate, non-integrated or centralized credentials to make them work. We have a solution though, and Gartner reported a little about it last week, meanwhile Brad Anderson explained all in a great blog post (scroll to the bottom for a great video too).

    Remote Apps

    My good friend Andrew Fryer released his excellent VDI book this week. Take a look at Getting started with Windows VDI.

    Device Security

    BitLocker PIN on Surface Pro 3 and other tablets lists the technical approaches that you can put in place for when your company still won’t accept that you probably don’t need a PIN on a Windows 8.1 device with BitLocker – such as the Surface Pro 3.

    The post Last week in Enterprise Devices and Infrastructure July 15 to 21 appeared first on Enterprise Devices and Infrastructure.

  • Setup Azure RMS File Protection (Encryption) and File Classification Infrastructure (FCI) with On-Prem File Servers

    In our new world of highly mobile access to loosely coupled services it’s far easier for a user who has legitimate access to the data to accidentally move it to a storage location that doesn’t have your corporate data protections: they move a file from the file server to their personal cloud storage, for example. Through the Enterprise Management Suite we have a solution to this problem: Azure RMS. Traditionally RMS was less than simple to deploy and required users to do something to protect their files. Thankfully Azure RMS is substantially different; there’s a ton of documentation on TechNet that helps you deploy Azure RMS, but here I’m bringing together the guides for building out File Classification Infrastructure and Azure RMS.

    Quick Azure RMS Primer

    Azure RMS allows you to protect documents (and now other types of files) with encryption, identity and authorization policies. Those files can only be accessed as long as a connection to the Azure RMS service can be made and the user is authorized to read or write the document. A great example is in the Azure TechNet library:

    you can configure a file so that it can be accessed only by people in your organization, or control whether the file can be edited, or restricted to read-only, or prevent it from being printed. You can configure emails similarly, and in addition, prevent them from being forwarded or prevent the use of the Reply All option. These protection tasks can be simplified and streamlined for your end users by using standardized policy templates. Azure Rights Management is a cloud service, and is integrated into other Microsoft cloud services and applications for simple ease-of-use and persistent protection.


    Quick FCI Primer

    File Classification Infrastructure runs on Windows Server 2012 (R2) and looks for files that match specific rules that admins have configured. When a file matches your rule it is classified in terms you’ve set; in my example below, when “Confidential” is detected in a document, that document is classified as “High Impact”. File Classification runs on a schedule and, if you so desire, when new files are created. In addition to the Classification Rule, a File Management Rule runs to take that classification and apply something to it, in our case RMS protection. The actual classifiers are passed down from on-prem AD using Dynamic Access Control, which can also provide conditional access rules – but that’s beyond the scope of this post.

    Configuring a Lab

    Here I’m explaining how I configured my lab, but it’s basically the same process for production. I’m assuming that Azure AD Premium licensing has been applied to the Azure AD tenant. Trials are free. Azure AD Premium is required because the Azure AD RMS Connector is only available with this licensing option. I’m also using Windows Server 2012 R2 for my file servers and for my connector server. I configure my lab using PowerShell as below; everything can be done through the UI, but I prefer the brave new world of Infrastructure as Code wherever possible.

    #Configure DAC in AD on-premises
    # Runs against the lab domain controller (dc.corp.contoso.com); change the name to suit your environment
    $DomainController = 'dc.corp.contoso.com'
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        # Enable the Impact_MS resource property so Dynamic Access Control publishes it to file servers
        Set-ADResourceProperty -Enabled:$true -Identity:"CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com" -Server:$using:DomainController
    }

    This first section will configure the AD Resource Properties that we need to use for file classification. I do it using an Invoke-Command because I’m probably not running this on a domain controller, or somewhere with RSAT installed in my case.

    #Configure FSRM on App Server, including a classification rule and making a WorkFolders folder if needed
    Invoke-Command -ComputerName APP -ScriptBlock {
        # Install File Server Resource Manager together with its management tools
        Get-WindowsFeature *fs-resource* | Install-WindowsFeature -IncludeManagementTools
        # Create the monitored folder if it does not already exist
        if (-not (Test-Path d:\WorkFolders -PathType Any)) { New-Item -Path d:\WorkFolders -ItemType Directory }

    Note: I’ve split this scriptblock to better explain it. First I invoke to run this section on my file server (called APP in my case). I then add the File Server Resource Manager feature to the server. Finally, above, I check to see if the folder I want to monitor exists; if it doesn’t, I create it… I kind of love the simplicity of this line.

        # Pull the resource properties (Impact_MS) down from AD so FSRM can classify against them
        Update-FsrmClassificationPropertyDefinition
        $date = Get-Date
        # Scheduled run on every day of the week, starting from now; classification also runs continuously on new writes
        $AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3, 2, 4, 5, 1, 6, 0) -RunDuration 0
        Set-FsrmClassification -Continuous -Schedule $AutomaticClassificationScheduledTask
        # Classify any file under D:\WorkFolders that contains the string "Confidential" as Impact_MS = 3000 (High)
        New-FsrmClassificationRule -Name "High Business Impact" -Property "Impact_MS" -Description "Determines if the document has a high business impact based on the presence of the string 'Confidential'" -PropertyValue "3000" -Namespace @("D:\WorkFolders") -ClassificationMechanism "Content Classifier" -Parameters @("StringEx=Min=1;Expr=Confidential") -ReevaluateProperty Overwrite
    }

    Here I pull the updated properties from AD, set today’s date and set up an automated FSRM task to run my classification rules. I then define my rule to run “continuously”, i.e. on new file writes, and add it to the scheduled task. Finally I define the new rule… this last part is actually easier through the UI since the syntax is long, but the documentation on it is on TechNet.

    #Now download and install the connector on the connector server
    # authorize the app server if not already done

    The above commented section cannot be done in PowerShell. The connector needs to be downloaded and installed on your connector server (there should be two of them, and they should be balanced with NLB for availability) – in the next section the sync.corp.contoso hostname should be the DNS name of the NLB cluster. Of course for a lab you only need one server to run as the Azure RMS Connector.

    # Run this line on the APP server
    # ConnectorUri is the DNS name of the connector NLB cluster (sync.corp.contoso.com in this lab; https scheme assumed)
    & '\\dc\c$\DemoContent\GenConnectorConfig.ps1' -ConnectorUri 'https://sync.corp.contoso.com' -SetFCI2012

    The above again is almost manual. I run this script on my file server, so this works for me. The GenConnectorConfig script is downloaded at the same time as the Connector software from the same link. What we are doing here is configuring the file server to look to the Azure RMS Connector server (which in turn looks to Azure RMS) for RMS templates. The –SetFCI2012 switch sets things up for FCI, but the script can also be used to configure on-prem SharePoint and Exchange to use Azure RMS via the connector. Almost done.

    # Now configure the Management Task in FSRM (the following will work too or use as a backup); run on the APP server
    $fmjRmsEncryption = New-FsrmFmjAction -Type 'Rms' -RmsTemplate 'FakeURLUSA - Confidential'
    $fmjCondition1 = New-FsrmFmjCondition -Property 'Impact_MS' -Condition 'Equal' -Value '3000'
    $date = Get-Date
    $schedule = New-FsrmScheduledTask -Time $date -Weekly @('Sunday')
    $fmj1 = New-FsrmFileManagementJob -Name "High Business Impact" -Description "Automatic RMS protection for high business impact documents" -Namespace @('D:\WorkFolders') -Action $fmjRmsEncryption -Schedule $schedule -Continuous -Condition @($fmjCondition1)

    The above finally sets up the file management task to apply RMS protection, using the FakeURLUSA Confidential RMS template, to any files classified as High Business Impact.

    # Run the classification and the management job on demand rather than waiting for the schedule
    Start-FsrmClassification
    Start-FsrmFileManagementJob -Name "High Business Impact"

    Finally, the above two lines will run the required classification and management jobs on demand.

    File Protection. Done. Fewer than 20 lines of PowerShell.

    That’s all there is to it. Now any Office file saved into that folder with “Confidential” in the body will be encrypted. It strikes me that in our highly mobile world you might want to protect every file in the folder if they are company information; of course, once a file is protected with RMS it can no longer be parsed by FSRM and FCI. Because this is RMS, the files can be opened anywhere the user tries to open them and can contact Azure RMS to read them… of course, if a cloud storage service that doesn’t support RMS tries to read the files (to sell ads or something) they will appear corrupted… which is kind of the point.
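    The lab script above sets the pipeline up but gives you no way to see whether it is actually doing its job, and the last paragraph points at the blind spot: once a file is RMS-protected FSRM cannot read it any more, so FCI cannot tell you which files are still sitting in plaintext. The following audit script is an added example, not code from the original post. It assumes it runs on the FSRM file server (APP in the post) with the FileServerResourceManager module, and that the rule name, job name and namespace are the ones configured above. Its protected/unprotected heuristic is the Office container signature: a plain Office Open XML file is a ZIP (first bytes 50 4B), while an RMS- or password-protected one is re-wrapped in an OLE compound file (first bytes D0 CF 11 E0); the script cannot distinguish RMS from password protection, and a keyword miss is not proof a file is clean because Word may split a word across runs.

```powershell
# Added example (not from the original post): audit the FCI + Azure RMS pipeline on the file server.
# Assumptions: runs on the FSRM server ("APP" in the post) with the FileServerResourceManager module,
# and the rule/job name and namespace match what the post configures.
param(
    [string]$Namespace = 'D:\WorkFolders',
    [string]$RuleName  = 'High Business Impact',
    [string]$Keyword   = 'Confidential'
)

Import-Module FileServerResourceManager -ErrorAction Stop
Add-Type -AssemblyName System.IO.Compression.FileSystem

# --- 1. Configuration checks: is the pipeline wired the way the post describes? ---
$rule = Get-FsrmClassificationRule -Name $RuleName -ErrorAction SilentlyContinue
$job  = Get-FsrmFileManagementJob  -Name $RuleName -ErrorAction SilentlyContinue
$cls  = Get-FsrmClassification

if (-not $rule) { Write-Warning "Classification rule '$RuleName' not found" }
elseif ($rule.Namespace -notcontains $Namespace) { Write-Warning "Rule '$RuleName' does not cover $Namespace" }
if (-not $cls.Continuous) { Write-Warning 'Continuous classification is off: new files are classified only on schedule' }
if (-not $job) { Write-Warning "File management job '$RuleName' not found" }
elseif (-not $job.Continuous) { Write-Warning "Job '$RuleName' is not continuous: protection waits for the weekly run" }

# --- 2. Per-file checks ---
function Get-ContainerKind {
    # Returns 'Zip' (plaintext OOXML), 'Ole' (encrypted/IRM wrapper) or 'Unknown' from the magic bytes.
    param([string]$Path)
    $magic = New-Object byte[] 4
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($magic, 0, 4) } finally { $fs.Dispose() }
    if ($n -ge 2 -and $magic[0] -eq 0x50 -and $magic[1] -eq 0x4B) { return 'Zip' }
    if ($n -ge 4 -and $magic[0] -eq 0xD0 -and $magic[1] -eq 0xCF -and $magic[2] -eq 0x11 -and $magic[3] -eq 0xE0) { return 'Ole' }
    return 'Unknown'
}

function Test-ContainsKeyword {
    # Looks for the keyword in the XML parts of a plaintext OOXML file (the same string FCI matches on).
    # Word can split a word across <w:t> runs, so a miss here is not proof the file is clean.
    param([string]$Path, [string]$Keyword)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike '*.xml') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { if ($reader.ReadToEnd() -match [regex]::Escape($Keyword)) { return $true } }
            finally { $reader.Dispose() }
        }
        return $false
    } finally { $zip.Dispose() }
}

$report = Get-ChildItem -Path $Namespace -Recurse -File -Include *.docx, *.xlsx, *.pptx | ForEach-Object {
    $kind = Get-ContainerKind -Path $_.FullName
    $hit  = if ($kind -eq 'Zip') { Test-ContainsKeyword -Path $_.FullName -Keyword $Keyword } else { $null }
    [pscustomobject]@{
        File       = $_.FullName
        Container  = $kind
        Protected  = ($kind -eq 'Ole')                       # FSRM can no longer read these; expected after RMS
        HasKeyword = $hit                                    # $null when the content could not be inspected
        Gap        = ($kind -eq 'Zip' -and $hit -eq $true)   # sensitive but still plaintext: job not yet run, or failed
    }
}

$report | Sort-Object Gap -Descending | Format-Table -AutoSize
$gaps = @($report | Where-Object { $_.Gap })
"{0} file(s) inspected, {1} protected, {2} still unprotected but containing '{3}'" -f @($report).Count,
    @($report | Where-Object { $_.Protected }).Count, $gaps.Count, $Keyword
```

    Run it after Start-FsrmFileManagementJob has completed; anything listed with Gap = True is a file that FCI would classify as High Business Impact but that has not been protected yet, which is the window the continuous job is supposed to close. Files reported as Ole are opaque to FSRM by design, so the script does not try to inspect them.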

    The post Setup Azure RMS File Protection (Encryption) and File Classification Infrastructure (FCI) with On-Prem File Servers appeared first on Enterprise Devices and Infrastructure.

  • Edge Show 111: Azure AD Premium SaaS Apps, App Proxy and Reports

    On the Edge Show last week I interviewed Nasos about Azure Identity and AD Premium. We got to talking about some of the cool new features in Azure AD.

    The post Edge Show 111: Azure AD Premium SaaS Apps, App Proxy and Reports appeared first on Enterprise Devices and Infrastructure.

  • System Center Configuration Manager, Windows Intune and Managing iOS: What’s New?

    In this episode of the Edge show I’m joined by Martin Booth from the Server and Tools Marketing group to take a look at the new features that just shipped to Windows Intune stand alone and unified management experience with Config Manager. We look at iOS management and take a quick look at the road map.


    The post System Center Configuration Manager, Windows Intune and Managing iOS: What’s New? appeared first on INFRASTRUCTURALIST.

  • Five Gadgets to ask Santa for

    What are the best gadgets to get for Christmas? An Xbox One, a Dell Venue 8 Pro, a Spider II, a Lotus F1 Team USB Charger and something to keep the coffee warm. Of course the real test is, are they any good for the IT Guy?

    Over the Christmas period it’s hard to get the right gifts for people that they love and that they actually want. I decided to help out my loved ones this year by bypassing their need to buy me gifts and to just buy them myself so that I could write about them in this blog post, as a result I’ll be happy with socks!

    Xbox One

    First up is the Xbox One because the holidays are a time for fun not just working. The Xbox One comes in at around £520 with a game and is obviously one of the two next gen consoles on the market, there are reviews of it all over the web from core gamers, journos and the like so I thought I’d give you some observations about the console itself that they might have missed.

    The Kinect sensor is built in and voice commands are really handy, as is having the sensor automatically sign you in when you’re in the room. What I’ve noticed though is that the sensor doesn’t have to be front on, under the TV or over the TV to work. I have it off angle to the left of my TV since the Kinect’s two metre cable doesn’t quite reach from our media unit to our TV. The Kinect doesn’t always “see” me in the room at first, but starting a game by saying “Xbox go to Forza Motorsport 5” seems to be enough to recognise who I am and sign me in.

    The games themselves look stunning; Forza Motorsport 5 has an amazing level of detail in every single frame you see on screen. The bonnet of my shiny Shelby reflects all the detail of the oncoming horizon and I get to see little helicopters hovering around the race track as I drive.

    The controller is excellent, as you’d expect, but the best thing about it is absolutely the rumble triggers, which give great feedback while braking, accelerating and hitting rumble strips in Forza.

    Is it any good in the Datacentre? Well, that depends… In the past I’ve been known to move a sofa into the DC over the holidays for the operators; combine that with an Xbox One and you’ll probably receive fewer support calls…

    Dell Venue 8 Pro


    I can’t talk highly enough of this device, actually few can and indeed it’s been so popular that when the Microsoft Store in the US recently offered a holiday discount taking the device down to $199 it sold out in minutes. The device is now available in the UK and it’s *possibly* the best Windows 8.1 device I’ve ever used. You can find my full review here on my Infrastructuralist blog.

    Windows 8.1 is great on this device, really snappy thanks to a quad core Intel Atom, which also supports any desktop app you want. I find it works really well as a Sonos controller in my house as a result. It obviously also means you can use apps like iTunes that aren’t available on Android tablets, for example. I don’t, and I use Xbox Music, but some people are hooked on other music platforms (sidebar: devices are important, apps are important, but it’s the music infrastructure and data that people want access to).

    The Venue 8 Pro ticks all the boxes for me because:

    • the screen is great - ok it could be full HD but it’s great
    • the size is right – lots of Windows 8.1 apps look gorgeous on an 8” screen (Amazon, Twitter, Facebook all adapt)
    • the weight is perfect – things can be too light as well as too heavy, it’s all about balance.
    • the thickness is nice – I believe that tablets need to replace paper, this device nicely replaces a reporters notebook (it’s almost identical to other tablets that are comparable to pencils)
    • the feel is good – there’s a nice rubbery backing on the device that makes it a joy to hold
    • it can run any Windows app – that means it has the biggest app ecosystem in the world. Not all apps are great with touch though so…
    • you can connect any peripheral – I occasionally connect a mouse, keyboard and 24” 1080p screen using a USB OTG cable.

    Is it any good for the IT Pro? Yes, it runs Windows 8.1, which means I can carry the RSAT around with me and remotely manage anything I want. It’s the best tablet in the world for this, right now, in my opinion.

    Spider II


    What the heck is it? Well, I am a man of many gadgets and it’s good for many of my gadgets: it’s a USB cable to connect devices. One of the things I always have to have in my kit bag is a micro-USB cable to charge my Nokia 925 phone and my Dell Venue 8 Pro, but before this bit of kit one thing has always troubled me. Cable length!

    I don’t need a 2m cable or even a 1m cable to charge my phone. Very often I only need a tiny, weeny 1 inch cable to do the job, and that’s what the Spider II provides, but for lots of devices. It comes with Apple Lightning, iPhone and Micro-USB connectors so it can connect anything that most people have in their pockets. It also comes with a tactilely pleasing rubber case emblazoned with a Windows logo.

    Lotus F1 Team USB Charger


    I’ve also started packing one of these into my everyday kit and it’s something I’ll be packing into Christmas stockings aplenty. Just like the Spider II it has an iPhone and Micro-USB charging adapter, but that’s not this thing’s strength. One of the big problems with tablets and ultrabooks for me is a lack of USB ports, and this device helps out there.

    This device has a pass through USB port for power and it has a Micro-SD slot built in. As a result I can always connect some storage and be able to power my devices.

    Microsoft Branded Heat Retaining Aluminium Flask

    It’s getting cold out there folks, it’s time to take some coffee with you but it’s going to get cold … enter the flask.

    So you’ve probably guessed by now that I’m not going to review the flask, and that the last three items in this article aren’t the usual types of gadgets I look at… but it’s Christmas (other holidays are available), so I’m going to give away a Spider II, a Lotus F1 Team USB charger and a Microsoft Branded Heat Retaining Aluminium Flask to three randomly selected folks who retweet this article with the following tweet and also follow me on Twitter: @simonster*. The competition closes on the 10th of January; the three lucky winners will be notified after that. Please refer to the T&C's below.

    Just two small steps needed to win:

    Step 1 - Follow me on Twitter - @simonster

    Step 2 - Tweet: "I’m asking Santa for some gadgets, having read @Simonster’s ‘Five Gadgets to ask Santa for’ on the @TechNetUK blog:

    *you need to follow me so I can get your mailing address and contact the winners!

    **Just to be really clear I’m not giving you my Xbox One or Dell Venue 8 Pro!!

    T&C's found here.

    Merry Christmas


    Terms & Conditions

    1. ELIGIBILITY. This promotion is open to any person resident in the United Kingdom who is eighteen (18) years of age or older at the time of entry and who is a registered member of the Website (the "Website").  IF YOU ARE NOT A REGISTERED MEMBER OF THE WEBSITE YOUR ENTRY WILL NOT BE VALID AND YOU WILL NOT BE ABLE TO WIN A PRIZE.  Follow the instructions on the Website to register.

    Employees of Microsoft or its affiliates, subsidiaries, advertising or promotion agencies are not eligible, nor are members of these employees’ families (defined as parents, children, siblings, spouse and life partners). 

    1. ENTRY. To be entered into the competition you must:

    Follow @Simonster on the Website and Tweet the text “I’m asking Santa for some gadgets, having read @Simonster’s ‘Five Gadgets to ask Santa for’ on the @TechNetUK blog:”.

    To the extent that entry requires the submission of user-generated content such as photos, videos, music, artwork, essays, etc., entrants warrant that their entry is their original work, has not been copied from others, and does not violate the privacy, intellectual property rights or other rights of any other person or entity.

    Entries will be ineligible for the prize draw if they:

    • are incomplete;
    • exceed the maximum number of entries allowed per person;
    • violate the rights of any other person or entity;
    • are received outside of the Promotion Period set out below; or
    • are reported to violate the terms governing use of the Website.

    Only one (1) entry per person will be accepted.  No purchase necessary to enter the promotion.  Entry constitutes full and unconditional acceptance of these Terms and Conditions.  Microsoft is not responsible for lost, corrupted or delayed entries.  Microsoft reserves the right to disqualify anyone who violates these Terms and Conditions.

    1. TIMING. This promotion runs from 1200 GMT on 19th December 2013 until 2359 GMT on 10th January 2014 (inclusive) (the “Promotion Period”).
    2. USE OF YOUR ENTRY. Personal data which you provide when you enter may be used for future Microsoft marketing activity if you indicate your consent to such activity (if applicable).  Otherwise your personal data will be used by Microsoft and agents acting on Microsoft’s behalf only for the operation of this promotion. 
    3. SELECTION OF WINNERS. All valid entries will be submitted for the prize draw.

    Winning entries will be determined by a random draw conducted by Microsoft Ltd. on 13th January 2014 and will be supervised by an independent adjudicator.  Chances of winning depend on the number of entries received.

    A maximum of one prize per eligible entry is allowed.  Winners will be notified or through the Website by 17th January 2014.  If a potential winner has not confirmed receipt of the notification within TEN (10) days after the first attempt, an alternative winner will be selected on the same basis as described above (either at random for prize draws or according to the same judging criteria for competitions).  Winners may be asked to provide identification proving their eligibility before they are entitled to receive the prize.  Winners may be asked to participate in further publicity or advertising.

    1. PRIZE(S). There will be nine (9) prizes in total.  The prizes will be as follows:
    • 3x Prize bundles consisting of a Microsoft Branded Thermos Flask, a Lotus F1 Team USB Charger and a Spider II Device Charger (£35 approximate value)

    Prizes are as stated and are not transferable.  No cash alternatives available.  Microsoft reserves the right to substitute the prizes with prizes of equal or greater value.  All prizes will be sent by Microsoft or its agent no later than 28 days after the prize draw has been made by Microsoft.  Unless otherwise stated, all prizes are subject to their manufacturer's warranty and/or terms and conditions.

    Prizes may be considered as a taxable benefit to the winners. Winners will be directly responsible for accounting for and paying to HMRC, or other relevant tax authority, any tax liability arising on their prize.  Please contact for any query related to the taxable amount for reporting to HMRC, or other relevant tax authority.

    1. WINNERS LIST. Each winner consents to his/her surname being made publicly available upon request.  Winners’ names will be available for a period of 28 days after the selection of winners by written request to    
    2. OTHER. No correspondence will be entered into regarding either this promotion or these Terms and Conditions. In the unlikely event of a dispute, Microsoft’s decision shall be final.  Microsoft reserves the right to amend, modify, cancel or withdraw this promotion at any time but only before the delivery of prizes, without notice.

    Participants in this promotion agree that Microsoft will have no liability whatsoever for any injuries, costs, damage, disappointment or losses of any kind resulting in whole or in part, directly or indirectly from acceptance, misuse or use of a prize, or from participation in this promotion.  Nothing in this clause shall limit Microsoft’s liability in respect of death or personal injury arising out of its own negligence or liability arising out of Microsoft’s fraud.

    Microsoft cannot guarantee the performance of any third party and shall not be liable for any act or default by a third party.  

    1. SPIRIT OF THE COMPETITION. If an entrant attempts to compromise the integrity or the legitimate operation of this promotion by hacking or by cheating or committing fraud in ANY way, we may seek damages from that entrant to the fullest extent permitted by law. Further, we will disqualify that entrant’s entry to this promotion and may ban the entrant from participating in any of our future promotions, so please play fairly.  

    Promoter: Microsoft Limited (“Microsoft”), Microsoft Campus, Thames Valley Park, Reading, RG6 1WG, England.