Vol. 57, #8 - November 25, 2013 - Issue #957
iOS in the Enterprise
- Editor's Corner
- From the Mailbag
- iOS in the Enterprise
- Tip of the Week: Windows Defender Offline
- Recommended for Learning
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Webcast Calendar
- Register for Webcasts
- Tech Briefing
- Windows Server
- Sharepoint, Exchange, and Office
- Windows client
- Other stuff
- Windows Server News
- Cloud data security outside the vacuum: Find 'acceptable' levels of risk
- Broadening your VDI horizon beyond thin client devices
- Highlights of VM live migration changes in Windows Server 2012 R2
- The tenets of infosec can help clamp down hypervisor security
- WServerNews FAVE Links
- This Week's Links We Like. Fun Stuff.
- WServerNews - Product of the Week
- Running Hyper-V? FREE Hyper-V Backup for WServerNews subscribers
- SAVE THIS NEWSLETTER so you can refer back to it later for helpful tips, tools and resources!
- FORWARD THIS NEWSLETTER to a colleague who you think might find it useful!
- SEND YOUR FEEDBACK to email@example.com if you have any comments or suggestions!
This week's newsletter is all about managing Apple iOS devices in enterprise environments using the new Device Registration Service in Windows Server 2012 R2 with a guest editorial by Simon May, an Enterprise Client Evangelist at Microsoft. More and more users want to bring their personal iOS devices into the workplace because of their familiarity with the iOS platform and because of the numerous apps they've downloaded on their devices. In fact, some users seem to get so addicted to their iOS devices that they can't stop downloading apps for them! Are they crazy? This Dilbert comic strip might just have the answer:
From the Mailbag
Back in Issue #955, "Keeping it simple", I included my own top three observations on why IT projects tend to fail. Since then several readers have chimed in with their own top three reasons why large IT projects often fail.
Nigel, an IT Manager in New Zealand, lists his top reasons for project failure as:
- Scope Creep. Thinking that "while we're doing this, we may as well do that as well".
- IT moves so fast, and big projects take so long, that technology can pull out and pass us, meaning backtracking to fit in the latest.
- Not following the 6P rule - "Proper Planning Prevents P*ss-Poor Performance"
That first item (scope creep) is definitely something we all need to watch for.
Martin, an IT manager in Wien, Austria, says he's noticed the following as reasons for projects going under:
- The project is always too late. Most projects are discussed endlessly before the real work starts…
- Project targets change during the project. Big error -- you should do the changes after the project is finished, not during
- Staff is never enough. Most of the time business decides on budget, which leads to either a shortage in number or qualification of staff. In their opinion IT is always requesting a Bentley when they believe a VW can do the same. Reality is somewhere between -- on both ends…
I like his last point that both business and IT need to meet in the middle somewhere.
Other readers can chime in with their own suggestions by emailing me at firstname.lastname@example.org
And now on to our guest editorial by Simon May...
iOS in the Enterprise
Over the past few years the devices that we have to support in our organizations have changed, pushed forward by the fact that the devices our users want to use have evolved. Not every worker is happy to use only the devices that IT provides, because users have become more tech-savvy. I'm not suggesting they've all become technology whiz-kids, but they know more than they once did; enough to feel comfortable about owning the latest tech. Devices too have improved, making much of what we used to spend our time managing, such as security and connectivity, far easier. To put it another way, IT is starting to be able to shift its focus from control to governance.
Windows is always going to be, in my opinion, the most manageable OS on any device. Microsoft started in the consumer space, was embraced by the enterprise and built tools for enterprise management: Group Policy, configuration management tools and PowerShell between them can manage almost everything about the OS. That said, with billions of smartphones in use and tablet usage growing, we need to be thinking about managing other devices too. Apple's iOS is chief amongst them, and iOS (now on version 7) has good management built in.
Identity is the cornerstone of good governance: it's impossible to govern without knowing what you're governing, and in the enterprise the key identity store for most of us is Active Directory. From there we assign the roles, rights and permissions that our domain users and devices can use. Computers and users are joined to the domain in exchange for access to files and services, and to give IT a way to manage them (easing user pain and reducing TCO for the business). The trust runs both ways: users and computers trust the domain, and the domain services trust the users and computers.
In this new world of tech-savvy users and devices we govern rather than own, how do we get those devices' identities into our trusted identity store? That's where the new Device Registration Service (commonly called Workplace Join) in Windows Server 2012 R2 comes to the fore.
Preparing for Device Registration
There are a number of components needed to configure a working Device Registration Service. The architecture we're about to implement publishes the ability to register devices in our Active Directory domain at the edge of our network. We don't want to hang a Domain Controller out on the Internet, so instead we set up Active Directory Federation Services (ADFS) so that only specific trusted services, such as device registration, can reach our AD DS. Our ADFS server lives inside our network and, as of Windows Server 2012 R2, the role can coexist with a domain controller.
ADFS relies on a correctly working public key infrastructure (PKI). I'm not going to go into detail on how to configure that, but we will look at getting the right certs from our enterprise CA.
The next service needed for this to work is another new addition to Windows Server 2012 R2, the Web Application Proxy, which functions as a reverse proxy and is both our publishing point and our ADFS proxy. Because it terminates SSL for every site it publishes, it needs copies of the certificates issued to those web servers, and for published applications that use Integrated Windows Authentication it relies on Kerberos Constrained Delegation (KCD) to obtain service tickets on the user's behalf.
In other words we need:
- Web Application Proxy
- Kerberos Constrained Delegation
- Device Registration Service
- iOS (or Windows 8.1) devices
The first thing to do is to add a DNS record for our ADFS server to our internal DNS -- something like adfs.corp.contoso.com -- pointing to our ADFS server; next we do the same in our external DNS, pointing to the address of what will be our Web Application Proxy. Device registration also needs a record for enterpriseregistration.<UPN suffix> (here enterpriseregistration.corp.contoso.com) resolving to the same place; Windows 8.1 clients discover the service through that name, which is also why it appears on the certificate below.
The next step is to set up the account that the ADFS service, and later our Device Registration Service, will use. Group Managed Service Accounts (gMSA), introduced with Windows Server 2012, are special because AD manages and regularly changes their passwords, which makes them potentially more secure than standard user accounts when used for services. On our domain controller we run the following PowerShell:
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
This creates the root key for the Key Distribution Service that manages Group Managed Service Account passwords within our domain. Setting the effective time ten hours in the past skips the normal wait for the key to replicate to every domain controller; that's fine for a lab with a single DC, but in production leave the default and wait. We then create our new group managed service account:
New-ADServiceAccount FsGmsa -DNSHostName adfs.corp.contoso.com -ServicePrincipalNames "http/adfs.corp.contoso.com"
Here we are saying that this GMSA can be used by the host adfs.corp.contoso.com and we define the name of the services that can use the GMSA.
Our next step is to request a certificate for our ADFS service from our enterprise CA. To do that the CA must already offer a template that lets us specify the subject name and subject alternative names, and the template must allow the private key to be exported, because the Web Application Proxy needs a copy of it later. We request a cert whose subject name matches the DNS name of our ADFS server, adfs.corp.contoso.com, with two subject alternative names: adfs.corp.contoso.com and enterpriseregistration.corp.contoso.com. The second must be exactly "enterpriseregistration" under the UPN suffix your users sign in with. You could also buy this cert from a public CA.
We now add the ADFS role to our server and once it's added go to the notifications item in Server Manager to select "Configure the federation service on this server" to configure our service. We create our new ADFS farm and specify our admin account. Then when asked for our SSL certificate we select the certificate issued to adfs.corp.contoso.com that we requested previously from our CA. The Federation Service Name is taken from the cert but we can provide a friendly name for users, in my case "Contoso LTD ADFS". Then we provide our GMSA as the service account, for testing and small deployments we can use the Windows Internal Database rather than SQL and finally we finish the config with a review of the options. Our ADFS service will be started and we'll be able to access the service with the URL https://adfs.corp.contoso.com/adfs/ls/IdpInitiatedSignon.aspx
At this point we have a working ADFS environment, which we can confirm by signing in at that URL on our ADFS server. If the ADFS site is in the Local intranet zone we won't even be prompted for our creds.
Next we can add trusts for any claims-aware web services that require authentication through ADFS; this is done by adding a relying party trust in the AD FS Management console, but it isn't necessary for device registration.
Prepare for Web Application Proxy
The very next thing to do is set up our Web Application Proxy, but before we do we need to allow the Web Application Proxy server to use the same certificates that secure our ADFS service and any intranet websites published over SSL. So we export them, with their private keys, from the web servers and ADFS server they live on and import them into the Personal certificate store of the Web Application Proxy server. This is easily done from the Certificates MMC snap-in.
Next we set up Kerberos Constrained Delegation so that the Web Application Proxy server can obtain service tickets on behalf of authenticated users for the servers it publishes. First we register SPNs for the proxy. From PowerShell or a Command Prompt as an Administrator we run:
setspn -S http/edge.corp.contoso.com edge
This registers the SPN http/edge.corp.contoso.com for the server named "edge"; we also add the short name version:
Setspn -S http/edge edge
Now that the SPNs are registered we open the EDGE computer account in Active Directory Users and Computers and, on the Delegation tab, configure constrained delegation so that our Web Application Proxy server (called EDGE here) can delegate to the services on our ADFS server (our DC in this case) and on any other servers whose SSL secured websites we publish through it.
Configure the Device Registration Service
The Device Registration Service is what does the magic of registering our non-domain-joined devices in our domain without domain joining them. Configuration requires two lines of PowerShell:
The first line turns the service on and, when run interactively, asks for the name of the gMSA we used earlier for our ADFS configuration. The second line configures ADFS to use Device Registration. We then need to tell ADFS to pass device details to Device Registration: in the AD FS Management console select the "Authentication Policies" node, choose "Edit Global Primary Authentication" from the Actions pane and tick "Enable device authentication".
Configure Web Application Proxy
Finally we configure our Web Application Proxy to publish the Device Registration Service. We add the role to the server and then configure it when prompted in Server Manager. Web Application Proxy expects ADFS to be configured already and immediately asks for the federation service name (here ADFS.corp.contoso.com) and for credentials with admin rights on the ADFS server; the certificate for the service is the one we imported previously.
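The whole procedure above, from DNS records through the Web Application Proxy, collapsed into the PowerShell it corresponds to. This is an added example and is not part of Simon's walkthrough: the IP addresses, the certificate template name WebServerSAN, the intranet site app.corp.contoso.com and the path C:\Temp\adfs.pfx are assumptions for illustration. The two Device Registration cmdlets (Initialize-ADDeviceRegistration and Enable-AdfsDeviceRegistration) are the two lines the text describes. The first part runs on the DC/ADFS server, the last part on the domain-joined EDGE server.

```powershell
# Added example: the walkthrough as PowerShell.  Addresses, the template
# 'WebServerSAN', app.corp.contoso.com and C:\Temp\adfs.pfx are assumptions.

# ---- On the domain controller / ADFS server (corp.contoso.com) ----

# 1. Internal DNS: the federation service name, plus the fixed
#    enterpriseregistration.<UPN suffix> name devices use to find DRS.
#    (The external records for adfs.corp.contoso.com point at EDGE and are
#    created at your public DNS provider, not here.)
Add-DnsServerResourceRecordA     -ZoneName corp.contoso.com -Name adfs -IPv4Address 10.0.0.10
Add-DnsServerResourceRecordCName -ZoneName corp.contoso.com -Name enterpriseregistration -HostNameAlias adfs.corp.contoso.com

# 2. gMSA.  EffectiveTime ten hours in the past skips the replication wait
#    for the KDS root key: acceptable in a single-DC lab, not in production.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount FsGmsa -DNSHostName adfs.corp.contoso.com -ServicePrincipalNames 'http/adfs.corp.contoso.com'

# 3. Certificate from the enterprise CA with both SANs.  The template must
#    allow an exportable private key because EDGE needs a copy (step 7).
$cert = (Get-Certificate -Template WebServerSAN `
            -SubjectName 'CN=adfs.corp.contoso.com' `
            -DnsName adfs.corp.contoso.com, enterpriseregistration.corp.contoso.com `
            -CertStoreLocation Cert:\LocalMachine\My).Certificate
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath C:\Temp\adfs.pfx -Password $pfxPassword

# 4. AD FS farm on the gMSA, using the Windows Internal Database.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName adfs.corp.contoso.com `
    -FederationServiceDisplayName 'Contoso LTD ADFS' `
    -GroupServiceAccountIdentifier 'CORP\FsGmsa$'

# 5. Device Registration Service: the two commands the text refers to, then
#    the equivalent of "Edit Global Primary Authentication" -> device auth.
Initialize-ADDeviceRegistration -ServiceAccountName 'CORP\FsGmsa$'
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 6. SPNs and constrained delegation on the proxy's computer account, which
#    is what the Delegation tab in AD Users and Computers writes.
setspn -S http/edge.corp.contoso.com edge
setspn -S http/edge edge
Set-ADComputer edge -Add @{ 'msDS-AllowedToDelegateTo' = @('http/adfs.corp.contoso.com', 'http/app.corp.contoso.com') }
Set-ADAccountControl edge -TrustedToAuthForDelegation $true   # protocol transition: AD FS pre-auth -> Kerberos to the backend

# ---- On the Web Application Proxy (EDGE), domain-joined ----

# 7. Import the AD FS certificate, then install the proxy against the farm.
#    The credential needs admin rights on the AD FS server.
$cert = Import-PfxCertificate -FilePath C:\Temp\adfs.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -FederationServiceName adfs.corp.contoso.com `
    -FederationServiceTrustCredential (Get-Credential 'CORP\Administrator') `
    -CertificateThumbprint $cert.Thumbprint

# 8. Check from outside the network: the OTA profile endpoint should answer
#    with an authentication challenge (401).  A 404 means DRS is not published.
try {
    Invoke-WebRequest -Uri https://adfs.corp.contoso.com/enrollmentserver/otaprofile -UseBasicParsing | Out-Null
    'reachable without a challenge'
} catch {
    'HTTP ' + [int]$_.Exception.Response.StatusCode
}
```

Step 6 lists the ADFS SPN only to mirror what the text does in the Delegation tab; the delegation that actually gets exercised is to published backend applications such as app.corp.contoso.com, since the proxy talks to ADFS through its own certificate-based trust rather than through Kerberos.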
Enrolling an iOS device
Unlike Windows 8.1, iOS has no enrolment UI of its own; instead, on the iOS device we browse to a URL that is published by our ADFS server and onward through our Web Application Proxy: https://adfs.corp.contoso.com/enrollmentserver/otaprofile
If you're doing this in a lab with an enterprise CA whose chain isn't already trusted by iOS, you'll first have to get your root CA cert onto the iOS device so that the certificate presented by the proxy is trusted.
Once we've visited the URL above on our iOS device we are asked to authenticate, and a profile is downloaded to the device. Once the profile is installed the device completes the registration handshake and a record is created in AD for our iOS device; a certificate is also issued to the device. To find the name of the record in AD (it's a GUID) open the iOS device's Settings, open the profile you just installed and look at the common name on the certificate that was issued to the device.
From this point on we can use the new object in AD to allow access and as an authentication factor in a multifactor authentication plan, preventing users from accessing resources from unknown devices. More granular data control can be provided with Dynamic Access Control, allowing only specified users access to resources if they have iOS 4 or above, for example.
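Rather than reading the GUID off the certificate on each phone, an administrator can enumerate what Device Registration wrote to AD and check it against the limits ADFS enforces. This is an added example, not code from the article: it assumes the domain corp.contoso.com, that msDS-RegisteredOwner holds the owner's SID (hence the resolver that accepts a SID object, string or byte array), and that iOS devices record an OS type beginning with "iOS". The ActiveDirectory module is needed for the first part; the last two cmdlets must run on the federation server.

```powershell
# Added example: audit the device objects Device Registration created.
# Assumptions: domain corp.contoso.com, msDS-RegisteredOwner is a SID,
# iOS devices report an OS type starting with 'iOS'.

Import-Module ActiveDirectory

# Turn a SID (object, string or byte[]) into DOMAIN\user; fall back to the raw value.
function Resolve-OwnerSid {
    param($Sid)
    try {
        $s = if ($Sid -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($Sid, 0) }
             else { New-Object System.Security.Principal.SecurityIdentifier([string]$Sid) }
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { [string]$Sid }
}

# Every registered device is an msDS-Device object under CN=RegisteredDevices
# at the domain root; its Name is the GUID shown as the cert CN on the device.
function Get-RegisteredDevice {
    param([string]$Domain = 'corp.contoso.com')
    $base = 'CN=RegisteredDevices,DC=' + (($Domain -split '\.') -join ',DC=')
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=msDS-Device)' `
        -Properties displayName, 'msDS-DeviceOSType', 'msDS-DeviceOSVersion',
                    'msDS-RegisteredOwner', 'msDS-IsEnabled', whenCreated |
      ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Display   = $_.displayName
            OSType    = $_.'msDS-DeviceOSType'
            OSVersion = $_.'msDS-DeviceOSVersion'
            Owner     = (@($_.'msDS-RegisteredOwner') | ForEach-Object { Resolve-OwnerSid $_ }) -join ';'
            Enabled   = $_.'msDS-IsEnabled'
            Created   = $_.whenCreated
        }
      }
}

# Parse '7.0.4' style strings; a bare '7' becomes '7.0' so [version] accepts it.
function ConvertTo-OsVersion {
    param([string]$Text)
    $clean = ($Text -replace '[^\d.]', '').Trim('.')
    if ($clean -notmatch '\.') { $clean += '.0' }
    try { [version]$clean } catch { $null }
}

# iOS devices below a minimum version: the population an access rule like the
# one mentioned above would exclude, or candidates for clean-up.
function Get-OutdatedIosDevice {
    param([version]$Minimum = '7.0', [string]$Domain = 'corp.contoso.com')
    Get-RegisteredDevice -Domain $Domain | Where-Object {
        $_.OSType -like 'iOS*' -and
        ($v = ConvertTo-OsVersion $_.OSVersion) -and $v -lt $Minimum
    }
}

# Devices per owner, to compare with the DevicesPerUser limit ADFS enforces.
function Get-DevicesPerOwner {
    param([string]$Domain = 'corp.contoso.com')
    Get-RegisteredDevice -Domain $Domain | Group-Object Owner |
        Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count | Sort-Object Count -Descending
}

Get-RegisteredDevice  | Format-Table Name, Display, OSType, OSVersion, Owner, Enabled, Created -AutoSize
Get-OutdatedIosDevice | Format-Table Name, Display, OSVersion, Owner -AutoSize
Get-DevicesPerOwner

# On the ADFS server: is device authentication on, and what limits apply?
Get-AdfsGlobalAuthenticationPolicy | Select-Object DeviceAuthenticationEnabled
Get-AdfsDeviceRegistration | Select-Object DevicesPerUser, MaximumRegistrationInactivityPeriod
```

Devices whose owner no longer exists show up with an unresolved SID in the Owner column, which is a quick way to spot registrations left behind after a user leaves.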
Hopefully this walkthrough has given you a little introduction to bringing iOS devices into the fold and giving them access to AD provided resources. If nothing else take a deeper look at ADFS; it's going to be rare to find an enterprise without an ADFS implementation in a few years' time. There's a great lab guide for ADFS on TechNet:
and the evaluation of Windows Server 2012 R2 is free for anyone for 180 days.
About Simon May
Simon May is Enterprise Client Evangelist for Microsoft Corp. He can be reached on Twitter or by email at email@example.com
Send us feedback
Got comments or questions about the above editorial? Let us know at firstname.lastname@example.org
Tip of the Week: Windows Defender Offline
Worried that malicious software might have bypassed your antivirus software and installed itself on your PC? Try using Windows Defender Offline to detect and eradicate such nasties:
GOT TIPS you'd like to share with other readers? Email us at email@example.com.
Recommended for Learning
This week we have a bunch of announcements from the Microsoft Virtual Academy.
December 3: Mission Critical Performance with SQL Server 2014
SQL Server pros, find out how SQL Server 2014 will help you improve performance by 10-30 times using your current hardware, and improve reliability at the same time. Get in on a technical preview of the new Mission Critical features of SQL Server 2014, led by the team of Microsoft experts who own the features. Register here:
December 4: Platform for Hybrid Cloud with SQL Server 2014
Attention IT Pros, learn about the benefits of moving your organization to the cloud, and how that can provide cost benefits at the same time as increasing scale and flexibility. Microsoft experts will show you how you can make that move one step at a time, using SQL Server 2014 to create a hybrid environment. Register here:
December 9: Windows 8.1 UX Design Jump Start
App designers, here’s your chance to showcase your existing skills, express your brand, and make your app discoverable beyond the store—to millions of people. Create Windows Store apps for Windows 8.1, give Windows users a unique experience that still feels familiar, and explore customizable experiences with windowing. Register here:
December 12: Advancing your skill set through professional development opportunities
For educators and academic institution staff, staying ahead of the technology curve is critical to delivering current and compelling lessons. Hear from educators within the Microsoft IT Academy community on how they are advancing their skill sets, along with free professional development resources and tools available today that can help validate and polish an educator's professional experience. Attend this virtual event December 12, and get access to the series of previous on-demand events. Register today:
This last one is an on-demand course that is not tied to a specific date:
On-demand training on System Center 2012 R2
If you’re looking for training on System Center 2012 R2 that you can take at your own pace, check out these two free on-demand courses from Microsoft Virtual Academy (MVA): Automation & Self-Service with System Center 2012 R2:
and IT Service Management with System Center 2012 R2:
Quote of the Week
"The fastest way to succeed is to look as if you're playing by somebody else's rules, while quietly playing by your own." --Michael Korda
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at firstname.lastname@example.org and we’ll try to troubleshoot things from our end.
Admin Tools We Think You Shouldn't Be Without
Free Hyper-V backup tool – easy to use, quick to set up, packed with features and free for 2 VMs, for WServerNews subscribers. (Supports Windows Server 2012 R2!)
Audit, Track and Report on all changes to files and their Permissions on Windows File Server. Generate Real-time alerts and Schedule any predefined or custom reports.
Download 2X ApplicationServer XG to deliver virtual desktops and applications from a central location, providing continuous availability, resource-based load balancing and complete end-to-end network transparency for administrators.
The Hands-on Guide: Understanding Hyper-V in Windows Server 2012 gives you simple step-by-step instructions to help you perform Hyper-V-related tasks like a seasoned expert.
Microsoft Exchange PST Capture allows you to search for PST files on computers in your organization and then import those files to mailboxes in your organization:
Project Conference 2014 on February 2-5, 2014 in Anaheim, California
Lync Conference 2014 on February 18-20, 2014 at The Aria in Las Vegas, Nevada
SharePoint Conference 2014 on March 3-6, 2014 at The Venetian in Las Vegas, Nevada
Microsoft Worldwide Partner Conference (WPC 2014) coming in July, 2014 in Washington, D.C.
European SharePoint Conference on May 5-8, 2014 in Barcelona, Spain
Add your event
PLANNING A CONFERENCE OR OTHER EVENT you'd like to tell our 95,000 subscribers about? Contact email@example.com
Register for Webcasts
Add your Webcast
PLANNING A WEBCAST you'd like to tell our subscribers about? Contact firstname.lastname@example.org
This section is organized topically by platform/product and provides you with links to tips, tools, information and other resources that can help you in your job role whether you're an IT professional or an IT decision-maker.
Microsoft Releases Remote Desktop For Apple iOS (Aidan Finn, IT Pro)
Microsoft Remote Desktop Is Also Available For Android And Updated For Mac OS X (Aidan Finn, IT Pro)
SharePoint, Exchange and Office
Anti-Spam and Anti-Malware Protection in Exchange 2013 (Part 1) (MSExchange.org)
The case of the erroneous disk space checker (Tony Redmond's Exchange Unwashed Blog)
Maximizing Your Virtual Machine Density in Hyper-V (Part 1) (VirtualizationAdmin.com)
How To Avoid Common Networking Issues In Hyper-V (Aidan Finn, IT Pro)
Upgrade to VMware vSphere 5.5 (VirtualizationAdmin.com)
vSphere Flash Read Cache – What’s New White Paper (Punching Clouds)
Windows 8.1 Support Lifecycle Policy FAQ (Microsoft Support)
More on Group Policy Caching in Windows 8.1 (Group Policy Blog)
TMG and UAG Network Topologies (ISAserver.org)
Are we heading for Identity Management Federation (Part 2) (WindowsSecurity.com)
Internet Explorer Administration Kit 11 is now available (Microsoft Download Center)
Network Throughput Testing Tools (WindowsNetworking.com)
Cloud data security outside the vacuum: Find 'acceptable' levels of risk
Even the hint of a security issue can dismantle a cloud project and discredit the entire planning process – and planners. Read these tips from our experts on how to create a realistic view of security and build an understanding of “acceptable” risk to help avoid a potential pitfall in your cloud project.
Broadening your VDI horizon beyond thin client devices
Think you need thin clients to deploy VDI? Think again. Hear from our experts on techniques for implementing desktop virtualization outside of the traditional thin-client approach including strategies such as reusing existing PCs and integrating mobile devices.
Highlights of VM live migration changes in Windows Server 2012 R2
Previous versions of Windows Server were inefficient when it came to the VM live migration process, but thankfully that has changed with Windows Server 2012 R2. In this IT tip, learn more about the primary factors that affect live migration speed and changes to R2 that optimize the process.
The tenets of infosec can help clamp down hypervisor security
It’s crucial to consider security measures at all levels of your virtual infrastructure to prevent systems from being compromised. Gain expert advice for achieving the three major goals for IT security – confidentiality, integrity and availability – in your virtual environment.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links to suggest you'd like to recommend? Email us at email@example.com
Future Girl Engineers Build Rube Goldberg Machine:
Thorium-Fueled Car Only Needs A Fill-Up Once A Century:
World's First 360° Barrel Roll In A Car:
Huge Remote-Controlled Airbus A380:
Koi fish swim in circle - a very unusual sighting. Recorded at the Kek Lok Si Temple in Air Itam, Penang, Malaysia:
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com