Tuesday, May 27, 2014

Windows Intune v5 implementation experiences

Last week I did a proof of concept on Windows Intune v5 (5.0.2000.0) at customer location. During implementation I did the following experiences on functionality. Pity that Intune still is missing enterprise-ready functionality, but that will be better end of year. Have a look at the Intune roadmap for that. Let's have a look at the implementation experiences. It's not all bad :)
 
  • Enrollment and retirement on Windows, Windows Phone, iOS and Android all goes fine (almost realtime), but sometimes retirement takes a lot of time. Microsoft is working on that to make it quicker. It can take up to 24 hours or 30 days total at the moment.
  • When you want to have remote wipe functionality on notebooks (or tablets with Windows on it), just make usage of Windows 8.1. That way don't install the Intune agent, but enroll it as a mobile device. Very nice you can have remote wipe on notebooks either!
  • When using Active Directory Federation Services (ADFS) there's single sign-on in place. Without ADFS you must fill-in account details every x minutes all over again. Really annoying if you ask me. Maybe DirSync will be a solution for this also. Does anyone know?
  • Policies cannot be enforced from the Intune console. Sometimes it can take a while before the policy will be applied, even when you want a remote wipe on the device. Hope there will be a force button in a later release. When synchronize from the mobile device, policy is refreshed immediately. Strange, because you want to force a full wipe quick if your device is missing or stolen.
  • Application blacklisting/whitelisting isn't available yet. You can set a deny on the app store (iOS 6+, Windows Phone 8.1) but there's no option to decide which apps may (not) be installed. This is on the roadmap for Q4 this year. Should be great if you can publish apps and app-links, without the need/permission to use the app store.
  • Applications can be deployed optional only for users, no way to enforce the deployment. When IT support want to pre-config devices, you want bulk-enrollment for apps and policies, without to fill-in credentials on the app store (Microsoft, Apple, Google). This is on the roadmap for Q4 this year either. Fingers crossed :)
  • The user stays in control of the device, and has the possibility to remove the Intune agent also. That way you're not in control of all devices anymore. Should be better if you can deny this I think? It depends if devices are personally or company owned. It would be great if you get an alert on this, that way you know if devices are missing.
 
I still think Windows Intune is (too) light in functionality, when Intune must be the successor of ConfigMgr, there's missing a lot. But..

Later this year there will be bulk enrollment, application blacklisting/ whitelisting, remote lock, secure mail, secure browser, Exchange and OneDrive for business, managed Office apps, app wrapper for iOS and Android, and multiple secure viewers.

Given the fact that the ConfigMgr team is same as the Intune team (and most resources are on Intune, because Microsoft still has a lot of catching up to do, and ConfigMgr is in a finished, almost perfect state), there will fast development on Intune for the next months.

Let's say it again: The future looks bright for Windows Intune!

Wednesday, May 21, 2014

Using the SQL 2012 dashboard within Operations Manager 2012 R2

Within System Center Operations Manager (OpsMgr) 2012 R2 you can use the new great SQL 2012 dashboard. The dashboard can be used for SQL 2012 only however. Let's have a look.
 
The System Center Management Pack for SQL Server can be found here: Download Center. The Management Pack for SQL Server provides the capabilities for Operations Manager 2007 R2 and Operations Manager 2012 to discover and monitor SQL Server 2005, 2008, 2008 R2, 2012 and their components such as SQL instances, databases, and SQL Server agents.
 
When installing the Management pack from the online catalog, you will not found the SQL 2012 dashboard at all. That's why you need to download it from Download Center. The Management packs you need to import are:
-Microsoft SystemCenter Visualization Component Extensions Library
-Microsoft SQLServer Presentation
 
After this you will find the SQL 2012 dashboard in the Microsoft SQL server, Databases, SQL Server 2012 Databases Summary Dashboard. Remember that only SQL 2012 databases will be showed in the dashboard. One of the new features is the widget that will show the related health state color. With that you have a quick overview of the selected SQL 2012 database.

 
After installation I did not see any health state at all however. That's because the monitors, which are needed for that, are disabled by default. To override these monitors go to Authoring Pane, Management Pack, Monitors. Now paste the monitor “Transaction Log Free Space” into the search bar and select the monitor in the "SQL 2012 DB management pack". You can now enable this monitor when right click and select override “For all object of the class: SQL 2012 DB” and choose enable with the check box.
 
In the override column change false to true and save this setting in a "Overrides SQL server Management pack". Do this for all changes needed in OpsMgr by default! The following four Monitors which must be enabled for the dashboard are:
-Transaction Log Free Space (%)
-DB Total Space
-Disk Read Latency
-Disk Write Latency


After configuration I still did not see any health state at all. Bummer! That's because security is not in place by default too. When SQL 2012 is installed by default - we no longer place BUILTIN\Administrators in the security access list, AND we restrict NT AUTHORITY\SYSTEM to “public” access. Therefore a RunAs account is needed for communication now. This RunAs account will be granted Local Admin over the OS and SA (SysAdmin) rights to SQL. After that you will see the widget that will show the related health state color.

Just a beautiful dashboard isn't it!?

Sources:
System Center Dynamics by wwwally
Microsoft TechNet Forums
Kevin Holman's System Center Blog

Update: Albert Neef mentions MSDN Blogs to manage SQL 2008 databases within the dashboard as well. Very nice indeed!

Friday, May 16, 2014

New features in Windows Intune coming soon..

A few months ago the Windows Intune roadmap was published during a Partner Session in February. There were some very interesting features announced, which will make Windows Intune way more advanced then in earlier versions. Because I'm doing a lot of implementation next coming months, it would be great when features are coming in soon. Let's have a look which features are announced during MS TechEd NA 2014.

As a cloud service, Windows Intune is updated on a regular basis, roughly every quarter. We’re currently rolling out an update to the Windows Intune service which provides support for Windows Phone 8.1 and Samsung KNOX Standard (formerly Samsung SAFE) support. In Q3, we will add support for Windows 8.1 Update settings specific to “family safety” which are useful for education environments. 

In Q4, we’ll be releasing major new functionality specifically focused on managed mobile productivity (managed applications and data protection) and IT enhancements, including bulk enrollment and support for Apple Configurator.

Intune will support the ability to bulk enroll iOS and Android (no Windows Phone?) devices, and use a single Intune service account to enroll the devices instead of having separate IDs for each device, since they are not associated with a user each. For iOS, Intune will support Apple’s Device Enrollment Program to do this bulk enrollment.
 
Intune will also support the ability to configure iOS devices using the Apple Configurator tool, allowing more granular and enforced “lock down” policies through the iOS Supervisor mode. This is especially useful in education scenarios where the student should not be able to un-enroll the device or when more stringent management is required (sounds good!). Additional settings include the ability to allow or block a specific set of applications and URL addresses.

Microsoft’s approach is more natural – build manageability and data protection into the apps which people choose to use, and extend that capability for enterprises to use with their own apps. To do this, we will deliver a unique container solution that is different from the traditional containers offered by other mobile device management solutions on the market.

The future looks bright for Windows Intune!
Source: Windows Intune Team

Tuesday, May 13, 2014

New Jalasoft SNMP device simulator v5 released

Sponsor post
 
During Microsoft TechEd North America in Houston, Jalasoft released the New SNMP device simulator v5. If you are joining TechEd this week, just visit their booth (#1440) and get 30-50% discount in your next purchase. Don't miss that one!
 
 
If you have to test your network or the SNMP tools you use to run it, you know that having the right devices at the right time is harder than the actual testing. Is your network heavily secured or too isolated for testing? Do you need to test a specific device for real world activity? Do you need a test lab with 1000 or more devices? No problem. We have your solution. Jalasoft’s SNMP Device Simulator V5, removes these challenges and gives you the power to dynamically simulate any SNMP device you need. Fast. Efficient. Easy.

Do you need to create a virtual network for yesterday? The SNMP Device simulator has you covered! The easy to use installation wizard and interface let you bring a simulated device online in under 5 minutes. Choose the device that you want to create, select the data your want to simulate, give it an IP address and press play. Changes in V5 allow you to run more than 1,000 simulated devices at one time from a single machine. Need more devices? Need to put a firewall between devices? Deploy the SNMP Device Simulator agents on different computers and manage them through a single console.

Simulate any network device through the Device Recorder feature
Ideal for testing with network devices that you don’t have in your test lab, the Device Recorder lets you mimic the behavior of any real SNMP device. Use the new Device Recorder feature to capture real world data and simulate the selected behavior as many times as needed, without putting your production network at risk.
 
Dynamic Simulation
The SNMP Device simulator grants users the option to perform a dynamic simulation or a normal simulation (the most basic type). The simulator uses a variety of formulas and statistical operations to generate dynamic values on the selected virtual devices, resulting in more realistic behavior. These values are also recorded on log files so they can be used later in the historical simulation mode.

Historical Simulation
Use the logs generated in a dynamic simulation to reproduce a precise behavior during a specific timeframe. With the Historical Simulation feature you can reproduce identical scenarios over and over again to changes to your tools, monitoring software or network configuration. This feature is ideal for tests that depend on identical data in changing environments.

IP Address Manager
This feature is a time saver that you’ll love! Imagine that you need to simulate 100 devices. With the IP Address Manager you no longer have to worry about manually creating IP addresses for all these devices. Instead, create individual IP addresses or a range directly from the simulator’s console, and apply them to the devices that you need to simulate.

Generate simulated devices from scripts You can access almost all V5 features without ever opening the console. This includes creating a new simulated device, loading recorded data to a device and stopping/starting device simulations. Save valuable time through automation and scripts!

Save simulation configurations
Need to create a simulation for your network switches? They are all the same model, but the ones in R&D are configured differently from the ones in Accounting. No problem. Using our templates as a base, load the base data, make the changes needed to match your environment and then same the custom configuration with one for “Switch – R&S” and one for “Switch – Accounting”. With the Save Configuration features, you customizations are waiting for you the next time you do a test or an audit.

For more information click here (PDF): Jalasoft
Xian SNMP Device Simulator: Download for free today

Sunday, May 11, 2014

Direct management of Android devices in Windows Intune

Within Windows Intune it's possible to manage (mobile) devices. Because an agent is installed, we can use Direct management instead of Exchange ActiveSync (EAS), which is limited. When Windows Intune v5.0 was released, it was needed to have ConfigMgr 2012 R2 integration configured. Otherwise new functionality (selective wipe, Android support, advanced policies) were not available. With the latest update however these are within Intune standalone now also. Let's have a look how to enroll an Android device (for example).

In this situation I'm using a HP SlateBook 10 x2 PC with Android 4.2 installed on it. Just browse in Google Play and search for "Windows Intune". When installed credentials must be given. Just logon with your Intune credentials (which are [user]@[domain].onmicrosoft.com) and enrollment is done already. When applications and/or policies are deployed, they will be activated within 5 minutes. Same for properties on the device in Admin console. Just give it a minute :-)

Policy is not applied as expected

Pros:
- It's really easy setup, especially on Android devices. No certificates needed at all.
- Enrollment of devices is almost real-time. Retirement is done within approximately 15 minutes.
- APK files can be downloaded for free, without the need to register them or install a certificate.

- Remote Lock and/or Passcode Reset, which are added in the last update.

Cons:
- Retirement is done within 24 hours max. That will be way faster in a later update.
- Every [?] minutes you must fill-in credentials again on Intune console and Company portal.
- Focus is on Microsoft and iOS, not that much on Android. Almost no settings available.
- When retire the device, apps and data remain installed which were installed by Intune before.

No Required install because greyed out

When deploying apps you can choose for a Available install only. No Required install or Uninstall can be choosen. Maybe the're for Windows Operating Systems only!? Pity that this isn't possible.

Next time I will use my iPad for enrollment. Hope that will give me more control on the device.. On Android I can enable passwords, encryption and disable the camera. That's all? Yes for now..

The Windows Intune roadmap 2014 can be found HERE.

Thursday, May 8, 2014

Whiteboard Fridays: Disaster Recovery Wars

Sponsor post

A long time ago in a galaxy far, far away...
It is a period of data recovery wars. Join us in May for three episodes of epic Whiteboard Fridays: Recovery Wars saga and become true Virtualization Jedi!


Master your skills during these episodes:

- May 13. Episode IV - A New Host: learn how to prepare for disaster, document your environment, ensure your backups and configure backup
-
May 20. Episode V - The Admin Strikes Back: be prepared for recover process of the datacenter and primary VM’s, learn how to rebuild your environment effectively
-
May 27. Episode VI - Return of the Admin: deep dive into restoring services, best practices around restores, focus on the getting services up and running for the end-users.
 

Register for a chance to win new Google Glass! Also, we’ll be giving away 15 pizza coupons at every show!

The World’s Premier Data Center Availability Event

Sponsor post

 

Veeam is launching the World’s Premiere Data Protection Conference with the chance to dive deep into valuable data protection techniques and solutions. There's no better place and time to connect with the Veeam community, meet friends, establish new relationships and build buzz!

Join us at VeeamON 2014 to discover a new level of availability for your Modern Data Center. Pre-register today to qualify for introductory pricing. VeeamON 2014 is scheduled on October 6-9 2014.

Monday, May 5, 2014

Install and update Endpoint Protection (SCEP) during a task sequence

In my daily job I'm doing a lot ConfigMgr and SCEP implementations. Sometimes Endpoint Protection (SCEP) is installed for antivirus and antimalware usage. During installation the SCEP client can be installed and an export of the SCEP policy can be applied. After the task sequence is done the SCEP client still needs to be updated however. This can be done during the task sequence also. Let's have a look.
 
The SCEP client can be installed with a ConfigMgr package. Just use a program like this: "SCEPInstall.exe /policy <policy>.xml". More about that can be found here: css-security.com
 
The SCEP definitions can be updated during a task sequence also. That way new definitions can be installed during OS deployment. More about that can be found here: chrisnackers.com
 
When using the SCEP definitions a VBS script is used, which downloads new MPAM and NIS definitions each day. When using a scheduled task this will be done automatically. The SCEP definitions package can be synchronized on the ConfigMgr Distribution point daily within package properties. This is needed to deploy the package with the new content downloaded. No SCEP installation with old definitions anymore :)

Download: EP_Definitions.vbs 
The definitions updates can be found on the following location:
-Endpoint Protection antimalware definition update (x86)
-Endpoint Protection antimalware definition update (x64)
-Network Inspection System definition updates (x86)
-Network Inspection System definition updates (x64)

Just use above configuration to automate installation and daily SCEP definitions, so a up-to-date SCEP client will be installed always.

Just great, isn't it!?

Thursday, May 1, 2014

The future of ConfigMgr is uncertain for sure!

You all heard the news, Wally Mead, the foremost authority on System Center Configuration Manager (SMS/SCCM/ConfigMgr) and a leading figure within the community, will leave after spending over 22 years with Microsoft. Because of that it's almost like ConfigMgr died too! This emphasizes how Microsoft is changing. ConfigMgr is strictly an on-premises technology and Microsoft is moving us all to the Cloud.
 
 
So after killing Microsoft Management Summit (MMS), this seems to be the next step for Microsoft. Let's have a look at the changes coming. It all has to do with Mobile First/Cloud First vision.
 
Starting this year we are merging MMS with TechEd
Over the past 11 years, the Microsoft Management Summit (MMS) has grown from a small user group event focused on systems management and managing PCs, to a large and passionate gathering of the world’s best and brightest IT Pros. Now it’s time to look ahead to the next step for our industry and this community. Starting this year we are merging MMS with TechEd.. (and so it will be)
 
After merging MMS with TechEd rumours say 2014 could be the last year Microsoft holds a TechEd event.
 
No MS TechEd next year anymore?
If the rumors are right, this year's TechEd may be the last. The content at TechEd North America this year also is expected to include some management-specifc tracks, as the Microsoft Management Summit (MMS) is now being folded into this show. (If MMS content is available on TechEd Europe too is not sure)
 
During the TechEd 2014 Keynote Sneak Peek the message was clear for all IT Pros: Go Cloud or go home.
 
TechEd 2014 Keynote Sneak Peek
Intune is ConfigMgr delivered from the cloud. Last Fall we created a strong connection between both of them for use in a hybrid cloud model. Today there are more than 10k customers using Intune to manage their PCs and devices. The choice is yours: Do you want to manage on-prem or from the cloud -- we give you the option to do either. (For how long it takes)
 
Given the fact that the ConfigMgr team is same as the Intune team (and most resources are on Intune, because Microsoft still has a lot of catching up to do, and ConfigMgr is in a finished, almost perfect state), there will be less development on ConfigMgr for the next years. You can see this in the Windows Intune Roadmap also. Focus is on Windows Intune as a cloud solution, not providing functionality which need ConfigMgr integration anymore. (Richer cloud-only MDM capabilities, Full MDM parity in Windows Intune standalone)
 
And also: With the added development focus (at the expense of ConfigMgr), it won't be long before Windows Intune is an exact match, further blurring the lines of how endpoints are managed. If Microsoft can show that managing on-premise endpoints from the Cloud is viable, ConfigMgr could be history.
 
And now, Wally Mead, the Face of ConfigMgr, Leaves Microsoft after 22 Years. Thanks Wally for being a great inspiration for me, and good luck with your new job as Principal Program Manager at Cireson!
 
Microsoft's Wally Mead Joins Cireson as Principal Program Manager
Wally Mead, pioneer of Configuration Manager, joins Cireson and strengthens the growing System Center focused organization.

Wally Mead, the Face of ConfigMgr, Leaves Microsoft after 22 Years
During one conversation with Wally, he indicated that when Microsoft decided to push ConfigMgr completely into the Cloud, it would be time for him to retire. I won't state that Wally leaving Microsoft indicates anything more than a simple professional change, but it is interesting timing since we're anticipating roadmap announcements at TechEd 2014 in a couple weeks.
 
Rod Trent (CEO & Founder at myITforum.com, Inc.) reacted on the topic with: I think it's safe to put it this way: MMS is dead. Microsoft is moving us all to the Cloud. And, Wally Mead has left Microsoft.
 
So.. The future of ConfigMgr is uncertain. Let's move to the cloud now, that's the message! Lucky me I will do a lot on Intune next months..