Active Directory is the source of identity in the enterprise, and iOS devices should be identified in and by AD in order to be given access to resources. In this article, published on WServer News, I explain the process of supporting iOS devices in your AD DS with Windows Server 2012 R2 and the Device Registration Service.
The post iOS in the Enterprise appeared first on Devices, Services, Life: Simon May's Blog.
It’s that time of year again. Tech gifts are set to be the most popular this year again (after socks) and tablets are top of that tech gifts list. When you get back to work lots of your users will have shiny new Android, iOS and Windows devices that they’ll probably bring to the office. Some will use them as a distraction from work but many will want to use them to enable working in new ways. Not only that, but this year it’s not just the tech trendsetters that will be getting tablets, it’s everyone at all levels in your organisation. Some people will just leave those devices at home for a start but some won’t, and that will encourage more and more people to start bringing them into the office. It’s probably not tenable to just ban them outright any more – this season will put paid to that ability for most, I think. So what can you do? We have two months, and a few small upgrades might get you right to where you need to be.
There can be no doubt that for almost every organisation on the planet email is the number one productivity, communications, CRM, sales, marketing and lol cat tool in our arsenal. If you’re going to spot a crunch point this will be it. If you’re running your email on-premises still it might be time to start considering a move to the cloud and my personal, favourite approach here is to go hybrid.
Enabling a BYOD solution for your business at enterprise scale is going to mean you’ll have more and more people wanting to connect more and more devices to your email servers. Within Microsoft we have a limit of 10 which I recently found myself exceeding. Following this year’s holiday buying fest it’s quite likely that any individual might have: a mobile phone, a small tablet (7-8 inch, a present this year from the other half), a larger tablet (10 inch, bought last year as a present to themselves), a company provided laptop, a hot desk computer (only for when the user forgets their laptop). All those devices are going to “require” email access to make them useful. Of course this is also the tip of the iceberg, next year it’ll be wearables.
Moving the email boxes of users who are entering a BYOD program over to Office 365 and leaving those with more traditional requirements on-premises could be a really smart move. Office 365 gives you this option like no other cloud email service can, integrating into your existing Exchange infrastructure providing that seamless familiar experience that users are used to. It’s too much to go into deep detail in this article about next steps but there are plenty of guides around the web.
2. Work Place Join, Enterprise Registration
The chances are that you know who everyone in your company is, what they do and what they should have access to do. The same is probably also true of your company owned laptops and desktops. The reason is of course that these people and devices have accounts within Active Directory (AD) and those accounts then let you specify what those users and computers are allowed to do and what resources they are allowed to access.
Of course not all devices are created equal: they don’t all run Windows today, and even if they do, with BYOD they might not be members of your domain, known to AD. Essentially they are ghosts, visible but at the same time hidden. Within the Windows Server 2012 R2 wave we have a feature that helps us manage those ghosts and pull away their white sheet of invisibility, making them known to AD. The feature is the Device Registration Service, otherwise commonly known as Workplace Join. This feature is complemented in Windows 8.1 with the ability to workplace join the device, and iOS also has a similar ability, although the UI isn’t as slick. When a device is registered by the Device Registration Service a few things happen. First, an identity is created for the device within AD with a unique GUID (device names aren’t used per se, although the name is an attribute of the record) because a device can be enrolled multiple times, potentially by different people. Second, a certificate is issued to the device to identify it. Now that our device is known to AD there are all sorts of things we can do with the device.
To deploy Device Registration you’ll need to deploy Windows Server 2012 R2, deploy the Active Directory Federation Services (AD FS) role, update the schema, issue some certificates and make some DNS changes. There’s a good guide to building this out in a lab here.
3. Publish your internal sites, externally, safely
Not all your internal websites are the most secret things your company has to offer. The intranet might have some proprietary information on it but you could still publish it securely and safely to people, especially since we now know not only who they are but from what device they’re connecting. Going hand in hand with deploying AD FS in Windows Server 2012 R2 is the new Web Application Proxy role, which takes internal resources and publishes them externally, safely, using either claims-based auth (AD FS) or pass-through auth.
Using rules for those published services, called relying parties in AD FS parlance, it’s possible to restrict the level of access over those published services using authorization rules that take a look at the claims an incoming request is making. Those claims can include device claims, so we can easily publish our intranet and create a rule that says if this device isn’t registered with AD don’t let the connection through, if the device is registered with AD and the user is allowed access to the intranet then allow the request.
It’s actually the Web Application Proxy that publishes the enterprise registration service mentioned previously out to the internet. The Web Application Proxy also acts as an AD FS proxy allowing you to keep your AD FS server inside your network and taking these two services and linking them with Office 365 we can easily develop a single sign on environment.
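The rule described above (refuse connections from devices that aren’t registered, permit registered devices used by people allowed on the intranet) expressed as AD FS issuance authorization rules. This is an added example, not code from the original post; it assumes the intranet is published through Web Application Proxy as a relying party trust named "Intranet" and that intranet users are members of an AD group whose SID you put in $intranetGroupSid.

```powershell
# Added example: run in an elevated PowerShell session on the AD FS 2012 R2 server.
# Assumptions: relying party trust "Intranet" already exists; $intranetGroupSid is a placeholder.
Import-Module ADFS

# Device claims are only issued when device authentication is switched on at the federation service.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

$intranetGroupSid = "S-1-5-21-PLACEHOLDER-1107"   # placeholder: SID of the group allowed on the intranet

# Claim rule language. The "isregistereduser" device claim is "true" only when the device is
# workplace joined AND the signing-in user is the one who registered it, which matters because
# the same device can be registered by several people.
$rules = @"
@RuleName = "Deny devices that are not workplace joined"
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DeviceNotRegistered");

@RuleName = "Permit registered devices used by intranet users"
c1:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$intranetGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Replace the relying party's authorization rules with the two above (a deny claim always wins over permit).
Set-AdfsRelyingPartyTrust -TargetName "Intranet" -IssuanceAuthorizationRules $rules

# Check what is now in force for the published intranet.
(Get-AdfsRelyingPartyTrust -Name "Intranet").IssuanceAuthorizationRules
```

The second rule alone would be enough, since AD FS denies when no permit claim is issued; the explicit deny rule gives a named reason in the AD FS audit events when a request from an unregistered device is refused.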
4. Device Governance
It’s tough to require the ability to control all aspects of an individual’s personal device; in fact in some places it may soon contravene the law to remote wipe someone’s device without their permission, something you may want to do, for example, when they leave the company. The idea of “governance”, however, is to allow access to specific resources – such as applications or remote help – once the individual has allowed you specific access to their device.
With this power comes the responsibility to not do such things as wholesale wipe their device. Once a device has been workplace joined we have the ability to start to selectively wipe the corporate aspects of their device. For example we could revoke the certificate that we placed on their device when they workplace joined. If they pulled any data down to their device and we’ve encrypted it with EFS, we would then be able to break the chain of trust that allows the device to access said data. Likewise we can do the same for sideloaded corporate apps.
5. Data Governance
It would be nice if we all knew all of the data inside our organisations. Sadly we don’t, especially when we consider the data explosion and how much data we will be storing in the future (I think storage space is like your salary: the more you earn the more you spend; the more storage you have the more you use!) Our users aren’t much good at managing their data either – they generally don’t understand ACLs and how to correctly permission their data. It would be far better if there were a better, more automatic way. Thankfully there is…
Windows Server 2012 introduced Dynamic Access Control (DAC) and dynamic file classification through File Server Resource Manager (FSRM). Essentially this means that, given some rules, we can have our file servers look at the data they are hosting and apply access controls based upon the content of that data. For example we could look at all the Word documents on our file share and if they contain something that looks like a credit card number (using RegEx) we can classify the files as only for the eyes of people in our customer finance department (this is just file classification not DAC). The DAC part of the equation comes into play when we start to use those applied classifications in addition to the claims being made by the party accessing the files.
The party accessing the files is going to be a user, but the device that the user is using to access the files could vary. In Windows Server 2012 we could take a device’s identity in AD (the computer account) and decide that only users on a specific OS can access the files. Now that we have device registration in play too, we can do this not only for Windows devices that are domain joined but also for Windows devices and iOS devices that are workplace joined. The upshot is that we could allow Jane from Finance access to a file containing a credit card number only from her Windows 8.1 domain-joined device, but not from her iOS device unless she registers the device and we therefore have the ability to track the data. All of this has been done without IT needing to understand the specific document or the specific device she used.
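The file classification half of the example above (flagging documents that contain something that looks like a card number with a RegEx), written as FSRM commands. This is an added example, not code from the original post; the share path D:\Shares\CustomerFinance and the property name "ContainsCardNumber" are assumptions, and the property is a local FSRM one, so this is classification only, not the DAC rule that would later consume it.

```powershell
# Added example: run on a Windows Server 2012 (or later) file server with the FSRM role service installed.
# Assumptions: the share is D:\Shares\CustomerFinance; "ContainsCardNumber" is our own property name.
Import-Module FileServerResourceManager

# A Yes/No classification property to hold the result of the content scan.
New-FsrmClassificationPropertyDefinition -Name "ContainsCardNumber" -Type YesNo `
    -Description "Yes when the file content matches a payment card number pattern"

# 16 digits in groups of four, separated by nothing, a space or a hyphen.
# A regex cannot validate the check digit, so expect some false positives: the safe use of
# this flag is to restrict who may open the file, not to delete or move it automatically.
$cardPattern = '\b(?:\d{4}[ -]?){3}\d{4}\b'

New-FsrmClassificationRule -Name "Flag files containing card numbers" `
    -Property "ContainsCardNumber" -PropertyValue "Yes" `
    -ClassificationMechanism "Content Classifier" `
    -ContentRegularExpression @($cardPattern) `
    -Namespace @("D:\Shares\CustomerFinance") `
    -ReevaluateProperty Overwrite     # re-scan changed files instead of keeping a stale value

# Run the classification now rather than waiting for the scheduled run, then show its status.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification
```

To feed the result into DAC, the property would instead be defined centrally in AD as a resource property and synchronised to the file server, so that a central access rule can compare it against the user’s and the device’s claims.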
Hopefully this article has been a little thought provoking. It’s probably a very big ask for you to get this stuff into production in time for the holidays but at least you can start to think about building a lab to try this out with those devices that Santa leaves for you. You’ll need some lab guides, and the Windows Server 2012 R2 and Windows 8.1 Enterprise Evals to be able to do just that – luckily it’s all free to try, our present to you.
The iconic kickstand, a better full HD screen, a lighter form factor and superior sound make Simon May, Microsoft Evangelist, rather obviously fall in love with the new Surface 2 and Surface Pro 2 devices. But are they good for the IT guy?
Last week I was lucky enough to be one of the first people to go “hands on” with the new Surface 2 and Surface Pro 2 devices from Microsoft. As always this series is about writing about what they’re like for IT Pros, which I’ll get onto in a few lines, but before I do let me tell you how I use my current Surface devices. Currently I only own a Surface RT, actually I own three of them and two are for demo purposes. My main Surface device spends most of its time sat by the sofa and it’s used for casual non-work stuff, but it’s also used heavily for commuting. For the times I go into London for work I only take my Surface, I don’t need anything else for emails, for meetings, for blogging or my general day to day non-technical work. Surface RT is the perfect device for this because it’s light and I don’t need to charge it. I also have an Android tab sat there; invariably I prefer Surface RT.
Let’s start off looking at the new Surface 2 then, which runs Windows RT. The very first thing I noticed when I grabbed the device was how much lighter it feels than the Surface RT; I am sure there’s not much of a weight difference but it’s enough to be noticeable. The very next thing I did was to try the iconic kickstand. It feels as solid as the Surface RT with that pleasing spring when it gets to the end of its movement, but the kickstand can be pulled to make it move a smidge further and provide a flatter working angle. I moved the kickstand to the second position and I was quite surprised about how that affected my ability to type. With the first position and on the Surface RT it’s pretty cumbersome to type on screen; with Surface 2 the kickstand position makes it easy to type with both hands – almost touch type.
My very next move was to power the device up and log in to set it up. Immediately I noticed how sharp the 1080p screen is compared with the 720p screen on the Surface RT, which just made the Surface logo that little bit smoother. It’s also noticeable on the labels on live tiles, which are just that little bit more readable. Personally I prefer to have more tiles so I quickly set my Surface 2 to display 4 and the 1080p screen handles that really nicely too. Within about 10 minutes my apps had started to sync down too, so I jumped onto Twitter, which did exactly what you’d expect on a 1080p screen. Wanting to test the screen more I popped into the Windows Store and installed the 500px app to view some beautiful photography. I have to say the clarity of the screen, the contrast of the colours, everything about the screen makes it wonderful to look at.
Taking a look at the desktop to use the Microsoft Office apps also didn’t disappoint me. The higher resolution makes office just that little bit nicer to work with which I think is possibly because it’s slightly more congruous with the display on my Asus Zenbook Prime, things just seem to be the right dimensions.
Everything starts to feel snappier around the interface than my Surface RT, with apps loading just that little bit more quickly. Overall I found the Surface 2 to be a pretty great improvement over the Surface RT for me; I’ll probably be buying my own. Sometimes people say to me that it’s not a great device for IT Pros because it doesn’t run desktop apps; I however find that it does almost everything I need for short periods and does much better than anything else I’ve ever used for such. I have easy access to PowerShell and to Remote Desktop, and in fact through Remote Desktop I deliver a couple of apps I need occasionally (like the RSAT) using RemoteApp and they basically feel like native tools.
Another thing I like, which is actually a Windows 8 feature, is the ability to wipe my device. The device I used for this review wasn’t mine, was not going to be mine and other people needed to use it, so I used the reset ability of Windows 8 to just reset the device and take away all my customizations before I handed it off. Very handy for recycling your old Surface RT device, I thought.
Surface Pro 2 for the Professional
Next I was onto taking a look at the Surface Pro 2; a colleague had signed into this device first and it was set up with their Microsoft Account. The very first thing I did was play a movie trailer from Xbox Video, not so that I could see the screen – it’s 1080p just like the Surface Pro – but so I could hear the sound. The Surface Pro 2, and actually the Surface 2, have Dolby audio built in and wow do they sound good! The sound is excellent and probably the best of any tablet device since they have two speakers (lots of tablets only have one – aka mono) but Surface has multiple drivers and sounds superb. I could happily use the Surface Pro 2 as a music device or to watch whole movies on.
I wanted to give the USB 3 on the device a try so I moved a huge amount of data over from a USB 3 memory stick and transfer speeds averaged about 34mbs. Copying from the Surface 2 to the stick managed a similar average transfer speed, so we can tick the “it just works” box. I also ran some benchmarks on the device and it outperformed my new laptop (Asus Zenbook Prime) in almost every way, from drive speed and 3D graphics performance to various CPU tests. I have to say it was impressive in every respect and obviously a total laptop replacement for an IT Pro – with this you’d only need one device for everything in your life – even a little bit of virtualisation!
Are you being asked to take a look at Hyper-V by your boss but short on time and not sure where to look? Are you unsure what features are being added with Windows Server 2012 R2? This could be the best post you've read all day then! In just a couple of weeks Andrew Fryer and I will be grabbing our favourite demo rigs and delivering three days of free technical events around Virtualisation. We are just now opening the ability for everyone to come along, that said not everyone should come along.
We've designed this series of 3 camps around people who know a thing or two about VMware and find themselves needing to know about Hyper-V. Luckily Andrew and I spent some time delving into the competition's technology, not so we can pick it apart, but so that we can help translate between the two "languages". You should come to this camp if you're interested in virtualisation with Hyper-V or new virtualisation-related features of Windows Server 2012 R2 such as Software Defined Networking, Software Defined Storage, VDI and other interesting stuff.
London, 29 October – Cardinal Place (Use Code: A177D1)
London, 30 October – Cardinal Place (Use Code: 436ACE)
The best infrastructure reads of the past week, including Windows Azure Pack, virtualization, supported OSes on Hyper-V, the Azure NOC, PowerShell to gather perf data, Windows Azure for IT Pros, MDT for servers and failover clustering in Windows Server 2012 R2.
The post Great Reads: Infrastructure 8 October 2013 appeared first on Devices, Services, Life: Simon May's Blog.