I’ve had a few Microsoft Surface Devices over the last two years:
- Surface RT
- Surface Pro
- Surface 2
- Surface Pro 3 i7
We also have multiple iOS and Android devices in our household.
I’ve typically tried to use the device as much as possible but found it was at best a companion device and at worst less efficient than alternatives (Windows laptop or iOS tablet) for the specific use case.
I had high hopes for the Surface Pro 3. The screen size and keyboard dimensions were very close to my vintage Dell Latitude E6220 i7, and I was truly hoping to be able to replace the Dell as my primary device. My first impressions were less than stellar. I had two major issues with my pre-ordered device:
- Wi-Fi would remember the last connected network and show it as connected even if I was in a different location and couldn’t possibly connect to it – and of course the connection did not work. I had to restart the wireless every time I changed location to connect to the new location.
- The fan would come on with minimal workloads and the sound was very noticeable and the tone was bothersome. I couldn’t bring this into a meeting to take notes as it would be disruptive.
Many early adopters had similar issues. I was disappointed to say the least. This is supposed to be a flagship device and my initial experience was very negative.
In September, Microsoft exchanged my device (Lot 1429) with a newer device (Lot 1431). The replacement did not suffer from these issues.
In the last month a lot has changed. My Surface has become my single most used device after my phone. My i7 laptop hasn’t been turned on for normal use since September. I did have Windows 10 Preview installed on it but I haven’t used it for anything other than tinkering. This weekend my son noticed that the iPad wasn’t charged as it hadn’t been used in weeks.
I really can use it just about anywhere. I can work in very tight spaces like an economy class airline seat and get work done. In fact I have written all of my blog posts since Labour Day on it. Many of them have started on the go and been finished back in the dock with the full sized keyboard, and some have been written entirely with the Surface keyboard. The keyboard is much better than previous versions, and the infinitely adjustable kickstand makes it easier to find a comfortable viewing and working position. I have even found myself hooking it over my knees on occasion while watching TV.
So what am I doing with the Surface Pro 3 i7? In truth I'm doing many of the same things I did with previous incarnations of the Surface, another tablet or my laptop. As such I've described the enabling technology so that you can get some of the same coolness even if you don't have a Surface. I've even provided a link where applicable so you can learn how to do it for yourself. Without any further ado, here is my top 10 list:
What are some of the cool things you are doing with your devices? What would you like to be able to do that you can’t now?
This post is part of a series. The previous posts in the series can be found here:
So far we have focused on elements of an MDM strategy that are more heavily weighted towards creating a high quality user experience while meeting enterprise policy requirements. Today’s post will focus on the management and manageability aspects of your MDM strategy. These are the elements that can make the implementation and operation of your strategy easier.
“Management” is part of the phrase “Mobile Device Management” but what does it mean in the mobile device context? Management refers to the services and capabilities that will enable IT to measure and meet the objectives of the strategy. These services and capabilities include (but are not limited to) the following:
- Monitoring (users, devices, compute, storage, etc.)
- Provisioning & Configuration
These services and capabilities can all be very complex depending on your use case scenario. In the following sections I will provide some key questions that should be answered for each of these services and capabilities.
- Do you have the legal ability to monitor the devices (consider BYOD)?
- Do you require agentless or agent based monitoring capabilities? Perhaps a mix depending on use case? Are agents available for your devices?
- Will you enforce policies or simply monitor adherence?
- Will you require remote management capabilities (e.g. remote/selective wipe)?
What are your reporting needs? Do you have specific compliance reports (regulatory or otherwise) that need to be available to auditors? Is your device ownership model (BYOD, CYOD, COPE, etc.) driving specific reporting requirements? Some examples of the types of reports that might be required include:
- Device Hardware (make, model, firmware, memory, camera, IMEI, SIM, carrier, etc.)
- Device Software (OS version, apps installed, etc.)
- Device Configuration (PIN, encryption, certificates, jailbroken, etc.)
- Which users are using which devices
- Which users use the most bandwidth (exceed quota, etc.)
- Which users are roaming regularly
- Last successful connection by device and user
- Failed connection attempts
- Device Locations
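Reports like these are only useful when something evaluates them against policy and surfaces the exceptions. The following is an added example, not code from the original post: a small Go program that takes constructed inventory records of the kind an MDM agent reports (a subset of the hardware, software, configuration and connection fields listed above) and produces a list of compliance findings per device and user. The Device and Policy structures, the field names, the thresholds and the sample records in SampleDevices are assumptions for illustration; whether a finding blocks the device or merely lands in a report is the enforce-versus-monitor decision above, which this code leaves to you.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Device is one inventory record as an MDM agent might report it.
// Field names are assumed for this example, not taken from any product.
type Device struct {
	ID, User, Model, OSVersion    string
	PINSet, Encrypted, Jailbroken bool
	LastConnected                 time.Time
	BandwidthMB                   int
}

// Policy is the enforceable part of the strategy. Zero values disable a check.
type Policy struct {
	RequirePIN, RequireEncryption bool
	MinOSVersion                  string // dotted version, e.g. "8.1"
	MaxOfflineDays                int    // flag devices silent longer than this
	BandwidthQuotaMB              int    // flag devices over this monthly total
}

// Finding is one row of the compliance report.
type Finding struct{ DeviceID, User, Reason string }

// compareVersions compares dotted numeric versions ("7.1.2" < "8.1" < "8.1.1").
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Evaluate checks every device against the policy; a device appears once per
// violated requirement so the report shows why it is out of compliance.
func Evaluate(p Policy, devices []Device, now time.Time) []Finding {
	var out []Finding
	add := func(d Device, reason string) {
		out = append(out, Finding{DeviceID: d.ID, User: d.User, Reason: reason})
	}
	for _, d := range devices {
		if d.Jailbroken {
			add(d, "device is jailbroken/rooted")
		}
		if p.RequirePIN && !d.PINSet {
			add(d, "no PIN/passcode set")
		}
		if p.RequireEncryption && !d.Encrypted {
			add(d, "storage not encrypted")
		}
		if p.MinOSVersion != "" && compareVersions(d.OSVersion, p.MinOSVersion) < 0 {
			add(d, "OS version "+d.OSVersion+" below minimum "+p.MinOSVersion)
		}
		if p.MaxOfflineDays > 0 && now.Sub(d.LastConnected) > time.Duration(p.MaxOfflineDays)*24*time.Hour {
			add(d, fmt.Sprintf("no successful connection for more than %d days", p.MaxOfflineDays))
		}
		if p.BandwidthQuotaMB > 0 && d.BandwidthMB > p.BandwidthQuotaMB {
			add(d, fmt.Sprintf("bandwidth %d MB exceeds quota %d MB", d.BandwidthMB, p.BandwidthQuotaMB))
		}
	}
	return out
}

// CountByDevice rolls findings up per device: the "which devices are out of
// compliance" view an auditor usually asks for first.
func CountByDevice(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		counts[f.DeviceID]++
	}
	return counts
}

// SampleDevices returns three constructed inventory records relative to now.
func SampleDevices(now time.Time) []Device {
	return []Device{
		{ID: "dev-001", User: "alice", Model: "Surface Pro 3", OSVersion: "8.1", PINSet: true, Encrypted: true, LastConnected: now.Add(-24 * time.Hour), BandwidthMB: 120},
		{ID: "dev-002", User: "bob", Model: "iPhone", OSVersion: "7.1.2", PINSet: false, Encrypted: true, Jailbroken: true, LastConnected: now.Add(-2 * time.Hour), BandwidthMB: 400},
		{ID: "dev-003", User: "carol", Model: "Surface 2", OSVersion: "8.1", PINSet: true, Encrypted: false, LastConnected: now.Add(-45 * 24 * time.Hour), BandwidthMB: 6100},
	}
}

func main() {
	now := time.Now()
	policy := Policy{RequirePIN: true, RequireEncryption: true, MinOSVersion: "8.1", MaxOfflineDays: 30, BandwidthQuotaMB: 5000}
	for _, f := range Evaluate(policy, SampleDevices(now), now) {
		fmt.Printf("%s (%s): %s\n", f.DeviceID, f.User, f.Reason)
	}
}
```

In a real deployment the minimum OS version and the quota would be per platform and per persona rather than one global value, and the staleness check is worth keeping even in a monitor-only posture: a device that has not checked in for a month is exactly the one whose encryption and PIN state you no longer know.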
Provisioning & Configuration
Provisioning deals with how devices will be delivered to users. It might be driven by your device ownership model and will involve answering some of the following questions:
- How will devices be delivered to end users?
- How will Applications be delivered to devices?
- Will it be different for different platforms?
- How will configurations be maintained over time?
- Will automation be required to make it more efficient and scalable?
Now that we have covered Applications, Users, Data Access & Protection, and Management, the topic that I know you have all been waiting for is DEVICES. Stay tuned.
A great reference for BYOD with a Microsoft slant can be found on TechNet. I got many of my ideas from this guide.
I often get asked the following two questions:
- I know you blog but why don’t you blog about Configuration Manager as much as other topics?
- What are some good resources for learning about Configuration Manager?
The answers to these questions are definitely interrelated. Let me start with the first question:
First of all, as an MVP I have an NDA with Microsoft that permits me to get some “inside information” from time to time; that same NDA forbids me from blogging about Microsoft products until they are GA. Other bloggers don’t have the same restriction, so they can write about new features and releases before the MVP community can. Secondly, and more importantly, there are already many very good blogs on Configuration Manager written by some very knowledgeable people (fellow MVPs in many cases) who know far more about specific parts of Configuration Manager than I do. With all of these fine writers already producing high quality content, it is difficult to add new, unique, and valuable posts.
In order to answer the second question I will act contrary to my answer to the first question and provide you with a list of some of the resources that I use on a regular basis. I have limited the list to 10 by convention (otherwise it wouldn’t be a top 10 list, would it?), and it was very difficult to choose. I apologize in advance to anybody that I may have omitted from the list. In an attempt to avoid any serious comparison algorithms, and because I don’t have any hermetically sealed envelopes, I have arranged the list in alphabetical order.
| Resource | Description |
|---|---|
| 1. Configuration Manager Team Blog | This is a great place to get news and information about the product. Announcements, the latest cumulative updates, new features and capabilities can be found here, as well as common scenarios and troubleshooting tips. All of this, of course, courtesy of Microsoft. |
| 2. CoreTech | Coretech has a lot of high profile bloggers, including Kent Agerlund and Kaido Järvemets. They do a lot of training and consulting and have seen a lot of real world use cases. As such their Configuration Manager blog is a great resource. |
| 3. Deployment Research | MVP Johan Arwidmark has done some extreme deployments. If you want deep dive and troubleshooting information about deployments, including some unsupported workarounds (for your lab, of course), this is the place. |
| 4. Enhansoft | Enhansoft is a company that focuses on asset management based on Configuration Manager. They have some free tools to help document Configuration Manager implementations, and they give out a free SSRS report every month. MVP Garth Jones, the founder of Enhansoft, also writes a blog for SMSUG.ca that has lots of sample reports and queries. I borrow from them often. |
| 5. | If you want detailed information about the inner workings of Configuration Manager, Jason Sandys (another MVP) is a fantastic resource. Not only does he understand the detail level, he can explain it in terms that are consumable by non-experts and help them understand the implications and applications. Many of his posts are linked from the Catapult Systems blog site. Not coincidentally, Jason is one of the moderators of the Configuration Manager TechNet forums, another great resource. |
| 6. MyITForum | MyITForum is really a small community (with only 145,000 unique visitors per day). The resources are provided by the members of the community. There are tons of guides and some very good forums. MyITForum is famous for the running of the bulls at MMS to get passes to their famous party. There is a video about Community and MyITForum from MMS 2012 featuring Rod Trent, the President of MyITForum (and the Community Manager at WindowsITPro). |
| 7. System Center User Group Belgium | Lots of good info here, including blogs by MVPs Kenny Buntinx and Kim Oppalfens. |
| 8. TechNet | TechNet has a lot of good resources, including the official Microsoft Document Library for Configuration Manager, release notes, and technical publications. The Configuration Manager TechNet forums are a great place for moderated support. There are other good resources as well, such as ConfigMgrDogs. |
| 9. WindowsITPro | WindowsITPro is a great resource for IT pros in general, but I like the independent view of the Microsoft world (including System Center) that they provide. As I’m writing this post and looking at their website, I see the System Center section of their site framed by no less than six Amazon AWS ads. You won’t see that on the Configuration Manager Team Blog. |
| 10. Windows-Noob.com | This is MVP Niall Brady’s blog. It is a great place to get walkthroughs of every major feature of Configuration Manager: a good starting point for novices and a reference for veterans trying something new or troubleshooting. Although last on this list alphabetically, it should be the noob’s first place to go to check out the SCCM 2012 guides. |
There are many other good blogs, blog aggregators, and knowledge bases out there. You could do pretty well with a good Google or Bing query for a specific topic; for better results, try some of Kim Oppalfens’ search providers to make it easier. These are just some that I use regularly and the first ten that came to mind. The selection process was by no means scientific and I was the only member of the selection committee. Full disclosure: yes, I do know most of the bloggers, but that’s life.
If you have a good source you’d like to share, let me know. Maybe I’ll make a Top 40 list. Again apologies to any good resources that I failed to mention.
This post is part of a series. The previous posts in the series can be found here:
Last post I discussed the types of questions that need to be answered about your mobile users and their requirements. The takeaway was to understand the relevant use case scenarios and personas. In this post we will dig a little deeper and explore some of the security implications of providing different user personas with the mobile capabilities required for specific scenarios. I’m going to consider Data Access and Protection together from an implementation perspective, but from a design perspective they can (and should) be decoupled.
Again, this series is not intended to provide you with an MDM strategy. The intent is to make sure that you are asking the right questions during the design phase of your MDM project so that the end result provides the capabilities and outcomes that best meets your organization’s needs.
Data Access deals with how users gain admission to data (and applications). What we need to address is how the various personas and use case scenarios impact current security policies, applications and infrastructure. Some of the questions we need to be asking include:
- What are the authentication requirements for users to be able to remotely access company apps from their devices?
- Where will the authentication services reside and how will they be managed?
- Is the current platform able to enforce authorization per user and per app without having to rewrite the apps?
- Is it possible to enforce Multi-Factor Authentication according to a user’s location?
- Are current remote access methods adequate for the mobile scenarios you’ve defined? (When we deal with devices we’ll determine whether the UX (user experience) is acceptable.)
Protection and Access go hand in hand. Data Access provides capabilities to enable specific use case scenarios while data protection helps ensure that the data remains safeguarded. The safeguarding of data is a balancing act as too much security can make the UX
- How will data be stored on users’ devices? Will it be encrypted? What is the risk of data loss if it cannot be decrypted?
- What is the risk of data loss if the device is lost and the data is not encrypted?
- Will any corporate data stores be accessed by the device? Where is the data located (datacenter, cloud, other)? Will additional safeguards be required for the data being accessed? Will it be encrypted?
- How will data be transferred to and from the device? Will it be encrypted in motion (HTTPS, IPsec)?
- Will any infrastructure changes be required (PKI, firewalls, gateways, etc.)?
- Will the safeguards impede the UX?
- Are there any regulatory compliance issues that need to be addressed (SOX, PCI, etc.)?
These are just a sample of the items you might want to consider as part of your MDM strategy. Please let me know if there are other items that you would consider when defining your data access and protection strategy for mobile devices.
Now that we have covered Applications, Users, and Data Access and Protection, I plan to discuss Management and Devices in the last two posts in this series. Stay tuned.
A great reference for BYOD with a Microsoft slant can be found on TechNet. I got a lot of my ideas from this guide.
- “Data stored overseas should be accessible to US government, judge rules” – Source Reuters
- “Obama administration contends that company with operations in US must comply with warrants for data, even if stored abroad” – Source The Guardian
With the rulings this summer that Microsoft must provide the US government with customer data even if it is stored outside of the United States, many organizations and individuals alike are concerned about data sovereignty and privacy. They should be; however, legal issues like data sovereignty and Safe Harbor are distractions from the real issue.
Let’s start with a definition of Data Sovereignty:
Definition: Data sovereignty is the concept that information which has been converted and stored in digital form is subject to the laws of the country in which it is located. (Source: TechTarget)
If you are at all concerned about data security and privacy, it’s not just legal jurisdictions that you need to be worried about. Consider some of the more high profile security breaches over the past few weeks (let alone the past year) in both cloud services and private data centers:
- “Hundreds of Intimate Celebrity Pictures Leaked Online Following Alleged iCloud Breach” – Source Newsweek
- “Prosecutors: Accused Russian hacker jailed here had 2.1 million stolen credit card numbers when arrested” – Source – Fox
- “Data Breach Bulletin: Home Depot Credit Card Breach Could Prove To Be Larger Than Target Breach” – Source Forbes
- “Russian Hackers Amass Over a Billion Internet Passwords“ – Source New York Times
The message to me is that it doesn’t matter where the data is, it isn’t safe. In fact one could argue that while the US DOJ, SEC or IRS having access to your data is a privacy concern, it is less of a threat than a major security breach like Home Depot etc.
So what’s the answer?
Obviously this is a complex problem, and large organizations with lots of smart people have been struggling with it for years. I don’t have a simple answer, nor should you expect one. I know that many of the technology problems we faced in the past have been solved, and even seem quaint. Remember having to rewind VHS movies before DVDs? Or returning DVDs before Netflix? Since I can’t travel to the future to tell you what the solution will eventually be, let’s look to somebody who has seen the future. Namely Captain Jack Harkness.
He definitely doesn’t want to get caught with his pants down while saving the earth. Notice that he is wearing both suspenders (braces for our British readers) and a belt? So what can we learn from this?
While taking all of the precautions that you can with data center processes is an important part of a security strategy, some additional steps can also be taken. Consider data encryption. Yes, the data may still be accessed by unauthorized parties, but it will be of little use to them if they can’t decrypt it. Even in a private data center that has been compromised, the data may still be safe.
In public cloud environments, data can be encrypted before it enters the vendor’s cloud. The keys can reside in the client’s data center or in a third-party escrow facility. In order for the data to be useful to an attacker, a double breach would be necessary: the ciphertext from the cloud and the keys from wherever they are held.
The same holds true for data sovereignty. Who cares if the DOJ has your data if they can’t read it?
Of course all of this assumes that the encryption being used is strong enough that decrypting it by brute force or other means is non-trivial. It also assumes the keys really do stay out of the provider’s hands: if the provider can decrypt the data on your behalf (to index or search it, for example), then a warrant served on the provider reaches the keys as well, and the protection collapses to whatever the provider’s own processes offer.
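As an added example, not code from the original post, here is the “encrypt it before it enters the cloud” pattern in Go using only the standard library’s AES-GCM: each object gets its own random data-encryption key (DEK), that key is wrapped by a key-encryption key (KEK) that stays in the client’s data center or escrow, and only the wrapped key and the ciphertext are handed to the provider. The type and function names are my own, the object name is bound as associated data so stored objects cannot be silently swapped, and generating and safeguarding the KEK is assumed to happen elsewhere (a zero KEK would be a fatal mistake; main() draws a random one only for the demonstration).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK is the key-encryption key. In this scheme it never leaves the client's
// data center or escrow provider. Assumed to be a 256-bit AES key.
type KEK []byte

// CloudObject is everything the provider stores. Without the KEK none of it
// can be decrypted, which is the "double breach" argument in the text.
type CloudObject struct {
	WrappedDEK []byte // DEK encrypted under the KEK
	WrapNonce  []byte
	Ciphertext []byte // payload encrypted under the DEK
	DataNonce  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and
// authenticates aad (here the object name) alongside it.
func seal(key, plaintext, aad []byte) (ciphertext, nonce []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nonce, nil
}

func open(key, ciphertext, nonce, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// Encrypt performs client-side envelope encryption of one object. The DEK is
// random per object, so compromising one object's key exposes nothing else.
func Encrypt(kek KEK, objectName string, plaintext []byte) (*CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, dataNonce, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, wrapNonce, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &CloudObject{WrappedDEK: wrapped, WrapNonce: wrapNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the payload. A wrong
// KEK, a renamed object or any modification of the stored bytes fails the
// GCM authentication check rather than yielding garbage.
func Decrypt(kek KEK, objectName string, obj *CloudObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, obj.WrapNonce, []byte(objectName))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong object name or tampered object")
	}
	return open(dek, obj.Ciphertext, obj.DataNonce, []byte(objectName))
}

func main() {
	kek := make(KEK, 32) // demonstration only; a real KEK lives in an HSM or key vault
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	obj, err := Encrypt(kek, "customer-list.csv", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sent to cloud: %d bytes ciphertext, %d bytes wrapped key\n", len(obj.Ciphertext), len(obj.WrappedDEK))
	pt, err := Decrypt(kek, "customer-list.csv", obj)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

What this buys you maps directly onto the two concerns in the post: a breach of the provider yields ciphertext plus keys that are themselves ciphertext, and a legal demand served on the provider yields the same, because the provider was never given anything that can decrypt. What it costs you is that the provider can no longer search, index or de-duplicate the data, which is the trade-off to put in front of the business before adopting the pattern.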
What do you think the future holds for data sovereignty and security?
For some organizations, just catching their breath from a Windows XP end of life that took them by surprise and more time and effort than they anticipated, I have some bad news: There is no rest for the weary. The next big end of support horizon that you need to be concerned about is Windows Server 2003/R2 on July 14th of next year. That’s 322 days as of this writing.
What does End of Support Mean?
Under Extended Support last calendar year (2013), Microsoft released 37 critical updates for Windows Server 2003/R2. No new updates will be developed or released after July 14th, 2015.
Lack of compliance with various regulatory and industry standards can have a huge impact on an organization. For example, lack of compliance with the Payment Card Industry Data Security Standard (PCI DSS) might mean that your organization can no longer accept major credit cards without using a third party (which might prove costly, if not inconvenient).
No safe haven
Both virtual and physical instances of Windows Server 2003/R2 and Microsoft Small Business Server (SBS) 2003 are affected: running them as virtual machines does not make them any less vulnerable, and they would probably not pass a compliance audit either way.
How big a job is this?
Microsoft estimates that at the enterprise level the average server migration takes approximately 200 days of elapsed time and the average application migration takes close to 300 days. Of course these numbers are not level of effort but elapsed time from project start to finish (consider project planning, needs analysis, procurement, testing, etc.).
So how do we make best use of the time we have left? I would hope that, fresh from our Windows XP migrations, we have learned some lessons that we can apply to accelerate our Windows Server 2003/R2 migrations. Two key learnings that I’d like to explore in this post concern application compatibility and application deployment.
The biggest issues that most organizations will face will be around application compatibility. What we have found in our Windows XP migrations is that there is a class of applications that, no matter what you do, cannot be made compatible without recompiling at a minimum: 16-bit applications. The reason lies in how Windows on Windows (WOW) is implemented:
- WOW (via NTVDM) lets a 32-bit Windows OS run 16-bit applications
- WOW64 lets a 64-bit Windows OS run 32-bit applications
- There is NO equivalent for 16-bit applications on a 64-bit Windows OS; 64-bit Windows does not ship NTVDM, so 16-bit code cannot run at all
These same issues will present themselves with Server 2003/R2 migrations. However, if you are moving to Windows Server 2012/R2 (and why wouldn’t you?), there is no 32-bit version available, so applications that are susceptible to these compatibility issues need to be dealt with in a different manner: perhaps a small pool of 32-bit Windows Server 2008 servers (Server 2008 R2 is 64-bit only, so it has to be the original Server 2008). You will have until 2020, when extended support for Server 2008 runs out.
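Before deciding which applications need that 32-bit pool, you need to know which of them are actually 16-bit, and the executable headers tell you. The following is an added example, not part of the original post: a Go function that classifies a Windows executable as MZ-only or NE (16-bit; no WOW on 64-bit Windows), PE32 (32-bit; runs under WOW64) or PE32+ (64-bit). The offsets come from the PE/COFF specification (e_lfanew at 0x3C, the PE signature followed by a 20-byte COFF header, then the optional header magic 0x10B or 0x20B). The sample() and peHeader() helpers build constructed headers for the demonstration; they are not real binaries, and the function names are my own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Bitness of a Windows executable as far as WOW compatibility is concerned.
type Bitness string

const (
	Bitness16  Bitness = "16-bit (DOS/NE)" // cannot run on 64-bit Windows
	Bitness32  Bitness = "32-bit (PE32)"   // runs under WOW64
	Bitness64  Bitness = "64-bit (PE32+)"
	BitnessBad Bitness = "not a recognised Windows executable"
)

// Classify reads only the headers: MZ stub, e_lfanew, then the NE or PE
// signature and, for PE, the optional header magic.
func Classify(img []byte) (Bitness, error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return BitnessBad, errors.New("missing MZ header")
	}
	lfanew := binary.LittleEndian.Uint32(img[0x3C:])
	// No extended header at all (or one pointing past the file): a plain DOS program.
	if lfanew == 0 || uint64(lfanew)+4 > uint64(len(img)) {
		return Bitness16, nil
	}
	sig := img[lfanew : lfanew+4]
	switch {
	case sig[0] == 'N' && sig[1] == 'E':
		return Bitness16, nil // 16-bit Windows "New Executable"
	case sig[0] == 'P' && sig[1] == 'E' && sig[2] == 0 && sig[3] == 0:
		magicOff := uint64(lfanew) + 4 + 20 // skip signature and COFF file header
		if magicOff+2 > uint64(len(img)) {
			return BitnessBad, errors.New("truncated PE header")
		}
		switch binary.LittleEndian.Uint16(img[magicOff:]) {
		case 0x10B:
			return Bitness32, nil
		case 0x20B:
			return Bitness64, nil
		default:
			return BitnessBad, errors.New("unknown optional header magic")
		}
	default:
		// LE/LX (VxD, OS/2) or garbage: flag for manual review rather than guess.
		return BitnessBad, fmt.Errorf("unrecognised extended header signature %q", sig[:2])
	}
}

// NeedsLegacyHost is true for images that have no home on Server 2012/R2.
func NeedsLegacyHost(b Bitness) bool { return b == Bitness16 }

// sample builds a constructed image: an MZ stub whose e_lfanew points at hdr.
// It is header-only and not loadable; just enough for Classify.
func sample(hdr []byte) []byte {
	img := make([]byte, 0x40, 0x40+len(hdr))
	img[0], img[1] = 'M', 'Z'
	binary.LittleEndian.PutUint32(img[0x3C:], 0x40)
	return append(img, hdr...)
}

// peHeader builds "PE\0\0" + 20-byte COFF header + optional header magic.
func peHeader(magic uint16) []byte {
	h := make([]byte, 4+20+2)
	copy(h, "PE\x00\x00")
	binary.LittleEndian.PutUint16(h[24:], magic)
	return h
}

func main() {
	images := map[string][]byte{
		"legacy16.exe": sample(append([]byte("NE"), make([]byte, 62)...)),
		"app32.exe":    sample(peHeader(0x10B)),
		"app64.exe":    sample(peHeader(0x20B)),
		"dosonly.exe":  sample(nil),
	}
	for name, img := range images {
		b, err := Classify(img)
		fmt.Printf("%-13s %-22s needs 32-bit host: %v  err: %v\n", name, b, NeedsLegacyHost(b), err)
	}
}
```

Treat this as a first pass over an application inventory, not a complete compatibility test: a 32-bit PE can still ship a 16-bit installer or spawn 16-bit helpers, and an installer wrapper can hide a 16-bit payload, so anything the header check clears still needs a run on a 64-bit test server.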
As part of migrating an existing application or deploying a new application, best practices would recommend having, at a minimum, three segregated environments:
Virtualization has made this much more economical and accessible to smaller organizations. One of the issues I see is moving applications between the environments; it can be time consuming and error prone. One way to minimize the level of effort and increase the accuracy is to use Server App-V. Server App-V (part of System Center Virtual Machine Manager) is a technology that enables virtualization of server applications. With Server App-V, you can create a package that contains all of the required elements of an application (including configuration information) and deploy it simply by “copying” the package to the target server. No changes (registry, services, COM, DCOM, COM+, WMI, etc.) are required on the target server. Server App-V addresses the full lifecycle of an application, including deployment, updating, and retiring.
Server App-V can be used with or without SCVMM, but the greatest advantage of the technology comes from integrating packages into VMM service templates.
Now go out and upgrade those servers.
My Surface Pro 3 512 GB / Intel Core i7 just arrived today. I’ll let you know how far off base Mitch is shortly.
As I have written previously I recently picked up a Microsoft Surface Pro 3, and despite a couple of minor annoyances it truly is a wonderful device. Because I have not been traveling as much as I did over the past few years, I have taken the opportunity to downsize my carry-load.
My sister called me a couple of weeks ago with the news that her new company device would be a Surface Pro 3, and asked me what accessories she should make sure she picks up. We had a conversation about the keyboard, battery life, and so on. Jennifer and I don’t speak all that often, and it was a nice excuse to talk.
Last week a friend and fellow MVP told me that his device was being delivered shortly. He knew that I had downsized my carry load, and with that knowledge, and knowing that we have the…