Archive
GPO and PowerShell support in #AzureAD and #Intune? Tech Preview released – #EnvokeIT Workspace Client
Finally… we’re pleased to announce that we now have released the Tech Preview of the EnvokeIT Workspace Client service!! 🙂
What is this and why did we build this SaaS device configuration service?
Have you also tried to roll out Windows 10 with Azure AD, and potentially Microsoft Intune, and found yourself missing capabilities like Group Policies to control the registry and files, or to run PowerShell scripts?
We’ve solved that for you! The EnvokeIT Workspace Client is a device configuration client built on the cloud and for the cloud! Now you have all the capabilities that you require to deliver a modern Windows 10 Out-of-the-box delivery using Azure AD!
Have a look at our “quick” overview video or just sign up for a free Tech Preview tenant and you’ll be up and running within minutes!
The service is built for Windows on Azure and leverages the latest technology to ensure that you can adopt the Windows and Azure AD architecture without lacking what you need from good old Group Policies!
Here are some examples of what the service can solve for you:
- You want to remove the Windows “bloatware” for all your Windows 10 devices, no problem
- If you want to specify and ensure that all your users have the same company background, you can do that!
- If you need to configure application settings for all users, no problem!
- Do you need updated user guides or other material pushed to your users' desktops? No problem!
- If your web applications require that they are put in Local Intranet or Trusted Sites in your browsers, then you can push that out!
- Does your Windows application require specific local settings files to be pushed to the clients, no worries we’ve got you covered there as well!
- Do you need to push out Microsoft Edge policies you can do that as well! For a complete list of built-in Group Policy objects that you can configure see this list.
- If you need to do special configuration of the OS, applications or user settings you can do that through PowerShell scripts: you write the scripts and our agent makes sure they run in user or system context. Configuration possibilities are endless with PowerShell script support!
Read more at the site or sign up for your own trial tenant!
https://cloudclientportal.envokeit.com
http://www.envokeit.com/en/project/envokeit-workspace-client/
And if you need any assistance in your Windows 10, Office 365 or Enterprise Mobility Project just contact us at EnvokeIT: info@envokeit.com or send an email to me directly: richard.egenas at envokeit.com
//Richard
Converged Microsoft Account and Azure Active Directory Programming Model – #Microsoft, #Azure
Wow, finally Microsoft is doing something about the Microsoft Account and Azure AD identity “mess”! 🙂
Until now, building an application that worked with both personal and business accounts from Microsoft required integrating with two different technology stacks. Not only that, you had to have separate buttons in your app where your user needed to choose, up front, to sign-in with a personal account or a work or school account.
With the v2 app model preview, it is possible to sign-in both personal and work users with a single button. Let’s take a quick look at the end user’s experience. We begin with your application, with the addition of a “Sign-in with Microsoft” button.
We’re using the Microsoft brand because end users don’t know about Azure or Azure Active Directory. But they do know that Windows, Outlook, OneDrive, Xbox, and Office 365 are services from Microsoft and they need an account from Microsoft to sign-in there.
When the user clicks the button, they come to a consolidated sign-in page:
The user enters their username. Under the covers we figure out if the username corresponds to a personal account or a work account. Then we take the user to the right page to enter their password. Today this may involve a redirect – in the future we’ll optimize this out.
Read more here!
//Richard
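The single "Sign in with Microsoft" button described above maps, on the wire, to one authorization request sent to a single authority rather than two separate personal/work endpoints. The following is an added example, not code from the Microsoft post or from this blog, showing the client side of that request and the checks a relying party should make on the callback. Assumptions, labelled in the code: the v2.0 authorize URL under the `common` authority (https://login.microsoftonline.com/common/oauth2/v2.0/authorize, which is the endpoint that accepts both account types), a placeholder client ID and redirect URI, and that the app keeps the per-attempt `state` and `code_verifier` in its session store.

```python
"""Added example (not from the original post): one authorize request for both
personal and work/school accounts via the v2.0 'common' authority, with the
relying-party checks (state, PKCE) that should accompany it.

Assumed values: AUTHORITY (v2.0 'common' endpoint), CLIENT_ID (placeholder
GUID), REDIRECT_URI (placeholder). Nothing here contacts the network.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/common"  # assumed: 'common' = MSA + Azure AD
CLIENT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder, not a real app ID
REDIRECT_URI = "https://app.example.com/signin-callback"  # placeholder


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE and OIDC expect."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_login_attempt() -> dict:
    """Per-attempt secrets: state (CSRF binding), nonce (ID-token replay),
    PKCE verifier and its S256 challenge. Store this dict in the user's session."""
    verifier = _b64url(secrets.token_bytes(32))
    return {
        "state": _b64url(secrets.token_bytes(16)),
        "nonce": _b64url(secrets.token_bytes(16)),
        "code_verifier": verifier,
        "code_challenge": _b64url(hashlib.sha256(verifier.encode("ascii")).digest()),
    }


def build_authorize_url(attempt: dict, scopes=("openid", "profile", "email")) -> str:
    """The URL behind the single 'Sign in with Microsoft' button."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": attempt["state"],
        "nonce": attempt["nonce"],
        "code_challenge": attempt["code_challenge"],
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def handle_callback(callback_url: str, attempt: dict) -> str:
    """Validate the redirect back to REDIRECT_URI and return the authorization
    code. Raises if the response is an error or is not bound to this attempt."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise PermissionError(f"{query['error'][0]}: {desc}")
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means CSRF or a stale/foreign attempt.
    if not secrets.compare_digest(state, attempt["state"]):
        raise PermissionError("state mismatch: callback not bound to this login attempt")
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    # The code is later exchanged at the token endpoint together with
    # attempt['code_verifier'], which is what makes PKCE effective.
    return query["code"][0]


if __name__ == "__main__":
    attempt = new_login_attempt()
    print(build_authorize_url(attempt))
    # Constructed callback, as the identity service would redirect it:
    demo = f"{REDIRECT_URI}?code=demo-code&state={attempt['state']}"
    print("code:", handle_callback(demo, attempt))
```

The point of the example is that account-type detection happens at the identity service, not in the app: the app sends one request to `common` and only has to verify that the callback it receives belongs to the attempt it started.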
Azure AD Premium a visionary in Gartner IDaaS Magic Quadrant! I love it! – #Azure, #AzureAD, #IDaaS
This is awesome! I just love what Microsoft is doing with all the cool Azure offerings! That’s also why I’ve been digging deeper into this area lately and also took the Microsoft Specialist – Architecting Microsoft Azure Solutions exam and been playing around with Azure AD, DirSync and ADFS a lot.
Now with the whole release of Windows 10, Azure AD, Intune, ADFS and System Center we're going to have a lovely story going forward with how to do client management: just take a Windows 10 device, join it through Azure AD, Intune and federation and then sign in using your on-premises AD credentials. On top of that you can also leverage Azure AD or federation for your SaaS apps as well, with SSO, and why not use the Azure connector to make your on-premises web apps available on the Internet with authentication as well!
Microsoft and Azure rocks!
Now also with the Magic Quadrant from Gartner that shows how well Microsoft is doing! It looks very promising, and just think about combining all this with Citrix Workspace Cloud going forward! So great! 🙂
Gartner just released their Magic Quadrant for Identity Management as a Service (IDaaS) and after only ~10 months in market, Azure AD premium was placed in the “Visionary” quadrant, far to the right of our competitors for our completeness of vision and our ability to execute, only slightly below companies with established, multi-year track records.
If you are a Gartner client, you can find the report here. We will have a complimentary copy to share soon, so please check back.
We’re really pleased with this result. We believe it validates our vision of providing a complete solution for hybrid identity management, a solution that includes not just a directory and employee identity management, but a full suite of identity capabilities, an integrated device management offering (Microsoft Intune), leading edge information protection (Azure RMS) and a robust set of monitoring and security capabilities.
I am especially delighted by this validation because it says a lot about our customers, implementation partners and ISV partners who have worked together with us. They have been awesome about sharing their time and energy every day, to make sure that the products and services we build meet their needs and are helping them position their companies to thrive in the emerging world of cloud and devices.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.
Gartner does not endorse any vendor, product…
Continue reading here!
//Richard
Penetration testing tips for your NetScaler – via @neilspellings – #Citrix, #NetScaler
This is a really good blog post by Neil! Keep up the good work! 😉
When working on Netscaler implementation projects, most of which tend to be internet-facing, one aspect that most organisations always perform is a penetration test. Having been through a number of these over the years, I thought it would be a good idea to share my experiences and some of the common aspects that get highlighted, to enable you to “pass first time” without having any remedial actions to work through and costly re-tests to perform.
The Netscaler has a number of IPs (NSIP, SNIP/MIP, Access Gateway VIPs etc) so what should you test against? The answer may well depend on corporate policy, but I usually test the internet-facing Access Gateway VIP and the management interface (NSIP). I also usually include StoreFront in any internal tests as this is an integral component of the overall solution, but I won’t cover StoreFront in this post.
Of course technically “bad guys” can only reach internet-facing IP addresses (as permissioned by your external firewall) but I recommend including internal-facing IPs for any DMZ hosts to understand your exposure should another DMZ host get compromised (as your attacker can now potentially access internal IPs, so the external firewall rules no longer protect you).
- Remove unnecessary management tools (telnet and FTP are considered insecure so should always be disabled). Also remove SNMP if your Netscalers are not being monitored or managed by an external monitoring service.
- Ensure that “Secure access only” is selected to force SSL access to the GUI
- Ensure that management applications are only available on an internal IP (NSIP or SNIP). Open the IP properties for the IP addresses that won’t be used for management and untick “Enable management access”
- Change the default nsroot password to something long (obvious you’d think but you’d be amazed how many Netscalers I’ve seen that I can just log straight into using the default credentials!)
- If you have set up integrated AD authentication via LDAP for administrative access to the GUI, ensure that you have protected access using a filter group, otherwise anyone with a valid AD account will be able to access your Netscaler GUI (although they won’t be able to make any changes, it’s still not a good idea for them to have this access!)
- If you are using…
Continue reading here!
//Richard
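Most of the items in Neil's list are visible in the saved configuration (ns.conf), so they can be checked before the pentester arrives. The script below is an added example written for this archive, not code from Neil's post or from Citrix: it parses a small, constructed ns.conf excerpt and flags telnet/FTP/SNMP left on the NSIP, a GUI not set to secure-only, management access enabled on a VIP, and an LDAP action for admin logon that has no search filter. Assumptions, labelled in the code: the option names as they appear in ns.conf and the CLI (`set ns config -IPAddress` for the NSIP, `-telnet`, `-ftp`, `-snmp`, `-gui SECUREONLY`, `-mgmtAccess` on `add ns ip`/`set ns ip`, `-searchFilter` on `add authentication ldapAction`), and that an option missing from the file means the factory default (management protocols enabled, mgmtAccess disabled). The default nsroot password cannot be read from the config; that one is checked by simply trying to log in with the default credentials.

```python
"""Added example (not from Neil's post or from Citrix): audit an ns.conf excerpt
for the management-plane findings listed above.

Assumed ns.conf syntax (as recalled from the NetScaler CLI):
  set ns config -IPAddress <nsip> ...
  add ns ip <ip> <mask> -type SNIP|VIP [-mgmtAccess ENABLED]
  set ns ip <ip> [-telnet X] [-ftp X] [-snmp X] [-ssh X] [-gui ENABLED|SECUREONLY|DISABLED]
  add authentication ldapAction <name> ... [-searchFilter "..."]
An option absent from the file is taken to be the factory default below.
"""
import shlex

# Assumed factory defaults when an option is not written to ns.conf.
DEFAULTS = {"telnet": "ENABLED", "ftp": "ENABLED", "ssh": "ENABLED",
            "gui": "ENABLED", "snmp": "ENABLED", "mgmtAccess": "DISABLED"}

# Constructed sample: deliberately carries the classic findings.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
set ns ip 10.0.0.10 -gui ENABLED -ftp DISABLED
add ns ip 10.0.0.11 255.255.255.0 -type SNIP
add ns ip 203.0.113.5 255.255.255.0 -type VIP -mgmtAccess ENABLED
add authentication ldapAction LDAP_ADMIN -serverIP 10.0.0.20 -ldapBase "DC=example,DC=com" -ldapLoginName sAMAccountName
add authentication ldapAction LDAP_ADMIN_FILTERED -serverIP 10.0.0.20 -ldapBase "DC=example,DC=com" -searchFilter "memberOf=CN=NetScaler Admins,OU=Groups,DC=example,DC=com"
"""


def _opts(tokens):
    """Turn ['-gui', 'SECUREONLY', '-type', 'SNIP'] into {'gui': ..., 'type': ...};
    positional tokens (e.g. a netmask) are skipped, bare flags become True."""
    out, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                out[tok[1:]] = tokens[i + 1]
                i += 2
                continue
            out[tok[1:]] = True
        i += 1
    return out


def parse_ns_conf(text):
    """Return (nsip, {ip: merged options}, {ldapAction name: options})."""
    nsip, ips, ldap = None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # honours quoted values such as the search filter
        if tok[:3] == ["set", "ns", "config"]:
            nsip = _opts(tok[3:]).get("IPAddress", nsip)
        elif tok[:3] in (["add", "ns", "ip"], ["set", "ns", "ip"]):
            ips.setdefault(tok[3], {}).update(_opts(tok[4:]))
        elif tok[:3] == ["add", "authentication", "ldapAction"]:
            ldap[tok[3]] = _opts(tok[4:])
    return nsip, ips, ldap


def audit(text):
    """Return a list of human-readable findings for the config text."""
    nsip, ips, ldap = parse_ns_conf(text)
    findings = []
    if nsip is None:
        findings.append("NSIP not found (no 'set ns config -IPAddress' line)")
    else:
        o = {**DEFAULTS, **ips.get(nsip, {})}
        for svc in ("telnet", "ftp"):
            if o[svc] != "DISABLED":
                findings.append(f"{nsip}: {svc} enabled on NSIP; fix with 'set ns ip {nsip} -{svc} DISABLED'")
        if o["snmp"] != "DISABLED":
            findings.append(f"{nsip}: SNMP enabled on NSIP; disable unless an external monitor needs it")
        if o["gui"] != "SECUREONLY":
            findings.append(f"{nsip}: GUI not 'Secure access only'; fix with 'set ns ip {nsip} -gui SECUREONLY'")
    for ip, o in ips.items():
        if ip != nsip and o.get("mgmtAccess", DEFAULTS["mgmtAccess"]) == "ENABLED":
            findings.append(f"{ip}: management access enabled on a {o.get('type', '?')}; "
                            "untick 'Enable management access' unless this is the intended internal management IP")
    for name, o in ldap.items():
        if "searchFilter" not in o:
            findings.append(f"ldapAction {name}: no -searchFilter, so any valid AD account can log in to the GUI")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NS_CONF):
        print("-", f)
```

Run it against a copy of /nsconfig/ns.conf pulled from the appliance; an empty findings list means the items above are in the shape Neil describes, which leaves the default-password check and the external port scan to do by hand.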
#Citrix #ShareFile StorageZone controller 2.2 released – #BYOD
If you haven’t seen this then have a look at what 2.2 now has to offer!
- StorageZones for ShareFile Data — You can store ShareFile data in either Windows Azure cloud storage or a private single-tenant storage system that you maintain. You specify a storage option when you configure StorageZones for ShareFile Data.
What’s new
StorageZones Controller 2.2 provides the following enhancements:
Support for Windows Azure storage containers — If you have a Windows Azure account, you can use an Azure storage container for your private data storage instead of a locally-maintained share.
To get started, create a new zone and choose the Azure option when you configure StorageZones for ShareFile Data.
Connectors to SharePoint root-level sites — You can now create a StorageZones Connector for a SharePoint root-level site or site collection, enabling users to navigate all of the subsites and document libraries in the site. To provide more limited access, you can continue to create connectors to individual SharePoint document libraries.
Connectors to user home drives based on Active Directory — You can now create a Connector for network file shares that reliably points to user home drives. To create a connector for user home drives, set the UNC path to the variable %homedrive%. StorageZones Controller will then create connectors based on the user home folder path property in Active Directory.
Installation on non-English operating systems — You can install the English version of StorageZones Controller on the following operating system versions: French, German, Japanese, Simplified Chinese, and Spanish.
Read more here!
//Richard
Connect #Office365 to #AD for Free, with #Okta
This is kind of cool! Check it out!
Connect Office365 to AD for Free, with Okta
- Simple Set Up and Configuration – Enabling AD integration is a simple, wizard driven process. With the click of a button from the Okta administrative console you can download the Okta Active Directory agent and install it on any Windows Server that has access to your Domain Controller.
- Intelligent User Synchronization – Once the agent is installed and the initial user import takes place Okta intelligently processes the results.
- Robust Delegated Authentication – Okta’s AD integration also allows you to delegate the authentication into Okta, to your on-premises AD Domain.
- Integrated Desktop Single Sign-On – Okta leverages Microsoft’s Integrated Windows Authentication to seamlessly authenticate users to Okta that are already authenticated with their Windows domain.
#Windows #Azure Active Directory steps out of the shadows
I’ve blogged about this release before with some info but here is another good article about how it can assist you in managing user authentication in the cloud.
Microsoft recently announced the general availability of Windows Azure Active Directory, a cloud-based service that lets admins manage multiple user identities and access. Although it’s been lurking in the background of other Microsoft products for some time — and still requires work to make it a fully useful tool — it’s a step in the right direction.
At its core, Windows Azure Active Directory is essentially a copy of Active Directory held in the cloud that provides basic authorization and authentication when users access cloud services. Ideally, admins use it to centralize the database of authorized users for cloud services, which then lets them authorize employees and contractors to work in certain applications. This allowance includes both Microsoft and third-party applications that accept authentication through common industry standards.
Through synchronization with an on-premises Active Directory deployment, you can also deploy single sign-on, so users don’t have to remember multiple passwords or enter them more than once to access cloud applications. More importantly, it provides a better way to remove access to cloud services for users who have left the company — a previous weak link in the cloud identity management story.
Windows Azure Active Directory: Not exactly new
True to Microsoft’s history of dogfooding its own products, Windows Azure Active Directory had been in use for nearly a year before its current general release. Few actually knew that all Office 365 accounts have been using a preview release of Windows Azure Active Directory for some time. Users of the general Windows Azure service, Dynamics CRM and Windows Intune also have their details stored in private Windows Azure Active Directory accounts.
According to Microsoft, since just after the beginning of the 2013 calendar year, “Windows Azure AD has processed over 65 billion authentication requests while maintaining 99.97% or better monthly availability.” Windows Azure Active Directory is a distributed service running across 14 of Microsoft’s data centers all over the globe.
User interface improvements
One improvement that happened between the preview release of Windows Azure Active Directory and the Web version release is the user interface, which was basically nonexistent before. Now you can access a clean section of the modern-looking Windows Azure control panel to create and manage instances of Windows Azure Active Directory (Figure 1).
You can add these instances to your Windows Azure subscription by logging into your Microsoft account, which…
Continue reading here!
//Richard
How to check which #NetScaler policy that your #Citrix #Receiver or web browser hits?
Ok, this is a common issue that you’ll end up in when setting up Access Gateway access scenarios:
How do you know which policy is hit when your different Receivers log in?
Well, there are a couple of nice commands that can help you troubleshoot your access scenario! I guess that most of you have a simple scenario where you have one domain to authenticate against and some simple PNA, CVPN and potentially SSL VPN policies and profiles to deal with, all bound to the virtual server like this simple example:
But in more complex scenarios you may end up controlling which browser the user accesses with (to give nice error messages instead of the Citrix default messages when users use an unsupported browser etc.), or you may have multiple AD domains and AD groups to bind different policies to. Then it gets complex: you have multiple policies and profiles for the same config with minor changes, like the SSO domain name. So how do you troubleshoot that easily?
First we have the must-know command that hooks into the authentication process of the NetScaler and gives you a live view of it. Run it from the FreeBSD shell (the shell command from the CLI); /tmp/aaad.debug is a pipe, so cat streams authentication events as they happen until you press Ctrl+C:
cat /tmp/aaad.debug
When you run that and then authenticate, you'll see the result of your auth process against, for instance, LDAP and RADIUS sources, like the result here when I logged in to our little environment:
At the top of the output you see all the AD groups that I'm a member of; one of them needs to match the group that you use on the NetScaler side, and at the end you see the accept from AD for my authentication request.
Then you know that your authentication is OK, but which of the session policies are we hitting? Then you need to have a look at this great command (also run from the shell):
nsconmsg -d current -g pol_hits
This is the output when I access using my Receiver on OS X:
Windows Azure Active Directory (AD) has reached General Availability!
This is cool! And I think that it’s a great step in the right direction for many companies! 🙂
Windows Azure Active Directory
Windows Azure Active Directory (Windows Azure AD) is a modern, REST-based service that provides identity management and access control capabilities for your cloud applications. Now you have one identity service across Windows Azure, Microsoft Office 365, Dynamics CRM Online, Windows Intune and other 3rd party cloud services. Windows Azure Active Directory provides a cloud-based identity provider that easily integrates with your on-premises AD deployments and full support of third party identity providers.
Use Windows Azure AD to:
Integrate with your on-premises active directory
Quickly extend your existing on-premises Active Directory to apply policy and control and authenticate users with their existing corporate credentials to Windows Azure and other cloud services.
Offer access control for your applications
Easily manage access to your applications based on centralized policy and rules. Ensure consistent and appropriate access to your organization's applications is maintained to meet critical internal security and compliance needs. Windows Azure AD Access Control provides developers centralized authentication and authorization for applications in Windows Azure using either consumer identity providers or your on-premises Windows Server Active Directory.
Build social connections across the enterprise
Windows Azure AD Graph is an innovative social enterprise graph providing an easy RESTful interface for accessing objects such as Users, Groups, and Roles with an explorer view for easily discovering information and relationships.
Provide single sign-on across your cloud applications
Provide your users with a seamless, single sign-on experience across Microsoft Online Services, third party cloud services and applications built on Windows Azure with popular web identity providers like Microsoft Account, Google, Yahoo!, and Facebook.
Read more about the service here!
Pricing
Access Control
Access Control is available at no charge. Historically, we have charged for Access Control based on the number of transactions. We are now making it a free benefit of using Windows Azure.
Directory
The base directory, Tenant, User & Group Management, Single Sign On, Graph API, Cloud application provisioning, Directory Synchronization and Directory Federation, is available at no charge. Certain additional capabilities such as Azure AD Rights Management will be available as a separately priced option.
Read more about pricing here!
//Richard