Simon May

Client and cloud

Simon May

  • 5 quick wins for implementing Microsoft’s Enterprise Mobility Vision (+ learn how to do it!)

    There are at least 5 quick wins you can get from implementing Microsoft’s Enterprise Mobility Vision: Epic Reports that tell you about potential security breaches; get a handle on where your data is going with Cloud App Discovery; be better than passwords with simple to implement multi factor authentication; understand your users devices with workplace join and give your users devices they’ll love.

    The client management space is changing: when we look at information from Forrester we see that 40% of companies are say that BYOD programs are a high priority and that many of us (classed as information workers) are using more than one device. That doesn’t mean that the traditional client management space goes away, rather that it’s augmented with new capabilities to support those workloads. A few months back Brad Anderson, CVP Enterprise + Client Mobility started an excellent blog series defining and expanding upon our enterprise mobility vision:

    …to help organizations enable their users to be productive on devices they love while protecting the company.

    This is the first post in a series during which I’m going to expand on some of Brads key points and give you practical ways that you can immediately start to give value back to your business by implementing our vision. I’ll help you solve your mobility challenges (please note that that doesn’t mean I’m going to solve the issue of you being stalked on Facebook by that ex, let’s keep this on enterprise mobility!)
    On that note, let’s get specific – tell me your mobility challenges in the comments, I promise to read them all and help solve some of them.

    Step Zero – Try Stuff

    The very first thing you’re going to want to do is to try things out. We all like to build a lab to understand the technology intimately. To be able to do this you’ll need to lay your hands on some evaluations and trials, luckily we’ve done everything we can to make that easy for you: Take the Empower Workforce Mobility learning path on the TechNet Evaluation Center. Of course I’m not going to leave you to do that on your own, you can sign up for the trials you need and I created this handy video to help you out.

    Quick Win 1: Epic Reports

    This is my favorite first thing to show people about our mobility offering because it’s simple to implement. As soon as you’ve created an Azure AD tenant (which the above video shows you how to do!) and you’ve created a user either in the cloud (IT Pro test: figure this bit out yourself) or you have some users synced from on-prem AD then you can get going. Follow these steps and in about 5 minutes you’ll see the power of Azure AD reports…

    1. Download the TOR browser (do this in a lab that’s NOT on your corporate network)
    2. Use one of your user accounts to log into a few times (do it about 5 times)
    3. Go to the Azure portal and using your admin account go to your Directory then go to Reports and select Users with anomalous sign in activity.

    Now you should see something like this: 5 quick wins for implementing Microsofts Enterprise Mobility Vision (+ learn how to do it!)This is showing that one of my users logged on from places she couldn’t have travelled between in time and was attempting to mask her IP. This is telling you that her account has probably been compromised. I bet you don’t get that with on-prem only AD or any other identity provider.  Show this to your ITSec or CIO and they’ll ask you to show them more. The best thing is that the other reports are even better: I call them “big data for the IT admin” but that’s for another post in the series. Let’s not stop with the quick wins though.

    Quick Win 2: Know where your data is going

    You know your users are getting around your “no personal cloud storage” policy but you don’t know how or to what extent. I hear this all the time from the admins I talk to (and the CIO is probably loosing sleep over this too). Again we have a tool that can give you quick insight: Cloud App Discovery. This tool is very simple but highly effective, install the agent onto Windows PCs in your company and the PC will report back to YOUR Azure tenant information about the cloud services being used on it. So if your user decides to copy data to through the browser – you see it in the report, or it they do it through installed software – you see it in the report. You can also see who the user signed into the PC was and how much date they transferred. 5 quick wins for implementing Microsofts Enterprise Mobility Vision (+ learn how to do it!)In the report above you can see that one of my users has been using a variety of different services, the types of those services, the names of them and the amount data they’ve transferred. As a bonus all the apps with logo tiles in the top right quadrant can instantly be managed as SaaS apps through the portal, but again more in a later post. For now though, download the Windows 8.1 evaluation, install it and then try Cloud App Discovery.

    Quick Win 3: Be Better than Passwords with MFA

    As soon as you have users in the cloud and you have Azure AD Premium you can enabled Azure Multi-Factor Authentication (you have trial if you followed the advice in Step Zero). Once enabled for a user when that user signs in next they will be asked to verify their contact phone number by opting to receive a call or text. Subsequently their sign on will be a little different but a lot safer:

    1. They attempt to sign on
    2. Correctly enter their password
    3. Azure MFA steps in and calls or texts them
    4. They answer or get the SMS code and enter it
    5. Their sign-on is complete.

    This simple additional factor requires that the user knows and has something: raising the safety level quickly. In production you might not only have cloud users but this can now be implemented through Azure AD for all on-prem AD users that are synchronized to Azure AD without the need for on-prem server deployment. Like all our solutions you can embrace the power of AND – on-prem and cloud. MFA is very flexible and I’ll cover it in more detail in a later series post.

    Quick Win 4: Know your users devices with Workplace Join

    When a conversation gets passed “I don’t know what cloud apps my users are using” the conversation normally moves onto “I don’t know what devices they’re using”. For the past 15 years we’ve had Domain Joined devices – company owned, company managed devices. The real point of domain membership is to give Windows devices identity – but you probably don’t want devices that the company doesn’t own joined to you domain (and users really don’t want the GPO that deploys the corporate wallpaper on their device!). iOS and Android devices obviously don’t support Domain Join either. Workplace join steps in and helps out. It works with all the most common devices and you can use it to permit and deny access to corporate resources with conditional access. It takes a while to implement a Workplace Join scenario so why do I call it a quick win? Well not all quick wins happen in 10 minutes: sometimes they take a while to implement but become fruitful quickly. If you implement workplace join you’ll quickly start finding out what devices your users are trying to use – that can inform policy – but policy you’ll be able to implement quickly. Luckily you can try it out in about an hour with the labs in our tech journey!

    Quick Win 5: “devices they love”

    The quickest win I can think of is to stop trying to please everyone all the time – it just makes everyone unhappy. Your users will love (and therefor keep using) devices that get the job done for them in the way they want it done. Sometimes that will be them selecting the device, sometimes if will be IT selecting an array of devices for them to choose from…sometimes it will be a task-specific device. In essance the quick win is to think of managing only three device types:

    • Employee owned, company enabled
    • Company owned, employee enabled
    • Company enabled only.

    When you do this and you implement device management policies that match those device types and apply similar configurations across each device type within each category you’ll save time and better enable your users. The best thing to do is to start trying things out, so start yourself off on an eval journey. Also take a look at Brad’s series, especially his post on Microsoft being your vendor of choice for EMM.

    Share these key points:

    • 5 quick wins from Microsoft's Enterprise Mobility vision
    • Quickly get "big data for IT admins" with Azure AD reports
    • Use Cloud App discovery to understand your orgs use of cloud apps
    • Multi-Factor Auth with a couple of clicks + 5 Quick Wins with EMS

    The post 5 quick wins for implementing Microsoft’s Enterprise Mobility Vision (+ learn how to do it!) appeared first on Enterprise Devices and Infrastructure.

  • Last “week” in Enterprise Devices and Infrastructure News

    These last week posts seem to have slipped due to ridiculously busy schedules, I’m let me try to get them started again:

    Windows Devices

    Surface Pro 3 deployment resources will help you get those Surface Pro 3 devices rolled out, the PFE team have even included links to the firmware and driver packs that you’ll need and take you through how to deploy with MDT!

    Cloud Storage

    This great article on OneDrive for business managed deployment will get you able to deploy the OneDrive for business apps silently in your business.

    Microsoft is doing lots to make it easier for you to trust how we run our cloud, whatever that trust might include – be it protection from government snooping, compliance standards or stronger encryption and we’ve put together a load of great resources that you’ll find really useful. You can find them here: [via The Fire Hose]

    Device Management and App Security

    Brad Anderson (CVP Mobility and Client Management @ Microsoft) posted a great article that articulates our map to the future of where we are taking our solutions for mobility management. I found this part really interesting:

    In Q4 of 2014 we will update Intune and introduce a new feature called “Conditional Access Policy.” This feature will allow the administrator to grant access to O365 (e-mail and OneDrive for Business) or on-prem Exchange only
    the device is managed by Intune and meets the compliance policy criteria specified by the IT administrator.

    Read Brad’s post here and take a listen to Brad’s podcast (the Brad Cast [sic]) – I was there during the recording and some of the upcoming ones are super cool!

    The post Last “week” in Enterprise Devices and Infrastructure News appeared first on Enterprise Devices and Infrastructure.

  • Edge Show 115: Azure AD Connect

    In this episode of the Edge show I interview Jen Field from the Azure AD Fabric team and get her to walk me through the new Azure AD connect tool that helps you quickly link your on-prem AD to Azure AD. The tool will even deploy the server roles you need on-prem!

    Share this post with a suggested tweet

    • Check out Azure AD Connect (streamlined AD FS deployment)

    The post Edge Show 115: Azure AD Connect appeared first on Enterprise Devices and Infrastructure.

  • Last week in Enterprise Devices and Infrastructure July 15 to 21

    Last week was a very interesting week in the world of enterprise devices and infrastructure: the Apple / IDM announcement, a great BYOD post on LinkedIn, Azure AD SaaS apps in the spotlight and many more useful bits.

    Business Stuff

    Apple and IBM signed an exclusive deal for IBM to start selling Apple devices along with it’s software deals and for IBM to produce exclusive business apps for iOS. This is a great move for both companies and will give Apple an instant enterprise sales force. I spotted this very interesting post on Linked In that questions how you terminate someone’s employment when they use BYOD. Of course the answer is “containers” but the question is always going to be who controls the container. It definitely shows how important it is to have a multi-layered approach to enabling mobility today.

    Device Apps

    We announced the App Portals tool for Windows 8.1. The tool lets you create a curation of enterprise apps and use it in very interesting ways, using Assigned Access in Windows 8.1 you can replace the Start Screen with App Portals or simply run the app from the Start Screen.

    SaaS Apps

    SaaS apps are a big part of most organizations app portfolio these days but management of them can be a little choppy with many requiring disparate, non-integrated or centralized credentials to make them work. We have a solution though and Gartner reported a little about it last week meanwhile Brad Anderson explained all in a great blog post (scroll to the bottom for a great video too). Last week in Enterprise Devices and Infrastructure July 15 to 21

    Remote Apps

    My good friend Andrew Fryer released his excellent VDI book this week. Take a look at Getting started with Windows VDI.

    Device Security

    BitLocker PIN on Surface Pro 3 and Other tablets lists the technical approaches that you can put in place for when you’re company still won’t accept that you probably don’t need a PIN on a Windows 8.1 device with BitLocker – such as the Surface Pro 3.

    The post Last week in Enterprise Devices and Infrastructure July 15 to 21 appeared first on Enterprise Devices and Infrastructure.

  • Setup Azure RMS File Protection (Encryption) and File Classification Infrastructure (FCI) with On-Prem File Servers

    In our new world of highly mobile access to loosely coupled services it’s far easier for a user, who has legitimate access to the data, to accidentally move it to a storage location that doesn’t have your corporate data protections: They move a file from the file server to their personal cloud storage for example. Through Enterprise Management Suite we have a solution to this problem, Azure RMS. Traditionally RMS was less than simple to deploy and required users to do something to protect their files. Thankfully Azure RMS is substantially different, there’s a ton of documentation you can read for more info on TechNet which helps you to deploy Azure RMS but here I’m bringing together the guides for building out File Classification Infrastructure and Azure RMS.

    Quick Azure RMS Primer

    Setup Azure RMS File Protection (Encryption) and File Classification Infrastructure (FCI) with On Prem File Servers Azure RMS allows you to protect documents (and now other types of files) with encryption, identity and authorization policies and those files can only be accessed as long as a connection to the Azure RMS service can be made and the user is authorized to read or write the document. A great example is in the Azure TechNet library:

    you can configure a file so that it can be accessed only by people in your organization, or control whether the file can be edited, or restricted to read-only, or prevent it from being printed. You can configure emails similarly, and in addition, prevent them from being forwarded or prevent the use of the Reply All option. These protection tasks can be simplified and streamlined for your end users by using standardized policy templates. Azure Rights Management is a cloud service, and is integrated into other Microsoft cloud services and applications for simple ease-of-use and persistent protection.


    Quick FCI Primer

    File Classification Infrastructure runs on Windows Server 2012 (R2) and looks for files that match specific rules that admins have configured. When a file matches your rule it is classified in terms you’ve set, such as in my example below when “Confidential” is detected in a document that document is classified as “High Impact”. File Classification runs on a schedule and when new files are created if you so desire. In addition to the Classification Rule a File Management Rule runs to take that classification and apply something to it, in our case RMS protection. The actual classifiers are passed down from AD on-prem using Dynamic Access Control, which can also provide conditional access rules – but that’s beyond the scope of this post.

    Configuring a Lab

    Here I’m explaining how I configured my lab, but it’s basically the same process for production. I’m assuming that Azure AD Premium licensing has been applied to the Azure AD tenenant. Trials are free. Azure AD Premium is required because the Azure AD RMS Connector is only available with this licensing option. I’m also using Windows Server 2012 R2 for my file servers and for my connector server. I configure my lab using PowerShell as below, everything can be done through the UI – I prefer the brave new world of Infrastructure as Code wherever possible.

    #Configure DAC in AD on-premises
    Invoke-Command -ComputerName -ScriptBlock{
    Set-ADResourceProperty -Enabled:$true -Identity:"CN=Impact_MS,CN=Resource Properties,CN=Claims Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com" -Server:""
    This first section will configure the AD Resource properties that we need to use for file classification. I do it using an invoke-command because I’m probably not running this on a domain controller, or somewhere with RSAT installed in my case.
    #Configure FSRM on App Server, including a classification rule and making a Wokfolders folder if needed
    Invoke-Command -ComputerName -ScriptBlock {
    Get-WindowsFeature *fs-resource* |Install-WindowsFeature -IncludeManagementTools
    if(-not (test-path d:\WorkFolders -PathType Any)){New-Item -Path d:\WorkFolders -ItemType Directory}
    Note: I’ve split this scriptblock to better explain it. First I invoke to run this section on my file server (called APP in my case). I then add the File Server Resource Manager feature to the server. Finally above I check to see if the folder I want to monitor exists, if it doesn’t I create it…I kind of love the simplicity of this line.
    $date = Get-Date
    $AutomaticClassificationScheduledTask = New-FsrmScheduledTask -Time $date -Weekly @(3, 2, 4, 5,1,6,0) -RunDuration 0;
    Set-FsrmClassification -Continuous -schedule $AutomaticClassificationScheduledTask
    New-FSRMClassificationRule -Name "High Business Impact" -Property "Impact_MS" -Description "Determines if the document has a high business impact based on the presence of the string 'Confidential'" -PropertyValue "3000" -Namespace @(“D:\WorkFolders”) -ClassificationMechanism "Content Classifier" -Parameters @("StringEx=Min=1;Expr=Confidential") -ReevaluateProperty Overwrite
    Here I pull the updated properties from AD, set todays date and setup an automated FSRM task to run  my classification rules. I then define my rule to run “continuously”, i.e. on new file write, add it to the scheduled task. Finally I define the new rule…this last part is actually easier through the UI since the syntax is long, but the documentation on it is on TechNet.
    #Now download and install the connector on the connector server
    # authorize the app server if not already done
    The above commented section cannot be done in PowerShell. The connector needs to be downloaded and installed on your connector server (there should be two of them, and they should be balanced with NLB for availability) – in the next section the sync.corp.contoso hostname should be the DNS name of the NLB cluster. Of course for a lab you only need one server to run as the Azure RMS Connector.
    # Run this line on the APP server
    & '\\dc\c$\DemoContent\GenConnectorConfig.ps1' -ConnectorUri– -SetFCI2012
    Above again is almost manual. I run this script on my file server so this works for me. The GenConnectorConfig script is downloaded at the same time as the Connector software from the same link. What we are doing here is configuring the file server to look to the Azure RMS Connector server (which in turn looks to Azure RMS) for RMS templates. The –setFCI2012 switch sets things up for FCI but the script can also be used to configure on-prem SharePoint and Exchange to use Azure RMS via the connector. Almost done.
    # Now configure the Management Task in FSRM (the following will work too or use as a backup)
    $fmjRmsEncryption = New-FSRMFmjAction -Type 'Rms' -RmsTemplate 'FakeURLUSA - Confidential'
    $fmjCondition1 = New-FSRMFmjCondition -Property 'Impact_MS' -Condition 'Equal' –Value '3000'
    $date = get-date
    $schedule = New-FsrmScheduledTask -Time $date -Weekly @('Sunday')
    $fmj1=New-FSRMFileManagementJob -Name "High Business Impact" -Description "Automatic RMS protection for high business impact documents" -Namespace @('D:\WorkFolders') -Action $fmjRmsEncryption -Schedule $schedule -Continuous -Condition @($fmjCondition1)
    Above finally sets up the file management task to apply RMS protection, using the FakeURLUSA Confidential RMS template to any files classified as High Business Impact.
    Start-FsrmFileManagementJob -Name "High Business Impact"
    Finally the above two lines will run the required classification and management jobs on-demand.

    File Protection.Done. < 20 lines of PowerShell

    That’s all there is to it. Now any Office file saved into that folder with “Confidential” in the body will be encrypted, but it strikes me that in our highly mobile world you might want to be able to protect every file in the folder if they are company information – of course once a file is protected with RMS the file can no longer be parsed by FSRM and FCI. Because this is RMS the files can be opened anywhere the user tries to open the file and contact Azure RMS to read them…of course if a cloud storage service that doesn’t support RMS tries to read the files (to sell Ads or something) they will be corrupted…which is kind of the point.

    The post Setup Azure RMS File Protection (Encryption) and File Classification Infrastructure (FCI) with On-Prem File Servers appeared first on Enterprise Devices and Infrastructure.