Archive

Posts Tagged ‘policy’

Microsoft Intune May updates – #Intunes, #EMM, #MDM, #Mobility, #EnvokeIT

This week Microsoft is rolling out a set of new updates to Microsoft Intune, including the Intune App Wrapping Tool for Android and new features for iOS, Android and Windows Phone.

We are excited to share with you the next set of Intune features that will be released between May 19 and May 26.  With our monthly release cadence, we continue to focus on providing you with best-in-class experiences that help keep your users productive while protecting your company’s sensitive data. You can expect to see the following new Intune standalone (cloud only) features in this release:

  • Ability to extend application protection to your existing line-of-business apps using the Intune App Wrapping Tool for Android (Intune App Wrapping Tool for iOS made available in December 2014)
  • Ability to assign help desk permissions to Intune admins, filtering their view of the Intune admin console to only provide access to perform remote tasks (e.g. passcode reset and remote lock)
  • RSS feed notification option added for Intune admin to subscribe to be alerted when new Intune service notifications are available for their service instance
  • Improved end user experience in the Intune Company Portal app for iOS with step-by-step guidance added on how to access corporate email by enrolling for management and validating device compliance
  • Updated Intune Company Portal app for Windows Phone 8.1 to provide enhanced status notifications for app installations
  • New custom policy template for managing new Windows 10 features using OMA-URI
  • New per-platform mobile device security policy templates for Android, iOS, Windows, and Windows Phone, in addition to new Exchange ActiveSync policy template
  • Ability to deploy Google Play store apps that are required/mandatory to install on Android devices

Also, as announced last week, several new hybrid features are now…

Contact us at EnvokeIT if you would like assistance with Intune, or continue reading the blog post here.

//Richard

#Windows 8.1’s #BYOD enhancements ready for business adoption – via @kenhess

This is actually great news and a great article by Ken Hess! Microsoft is finally understanding the new BYOD use cases and scenarios! Interesting reading…

Summary: Microsoft understands, better than any other software company, that BYOD is actually a thing. It’s a thing to be dealt with at the source, which is exactly what they’re doing.

Everyone has weighed in on Microsoft’s Windows 8.1 update due at the end of the month, but few have highlighted the finer points of this significant update. Personally, I see Windows 8.1 as the new business operating system for desktop computing. Microsoft has listened to its critics and has made some super improvements on its much-beleaguered new operating system.

Some of the more exciting improvements come in the form of BYOD enhancements. I believe that it is these features that will propel Windows 8.x onto corporate desktop systems and out of critical oblivion.

Excerpt from Stephen L. Rose’s Springboard Blog on Windows.com.

B.Y.O.D (Bring Your Own Device) Enhancements

  • Workplace Join – A Windows 8 PC was either domain joined or not. If it was a member of the domain, the user could access corporate resources (if permissioned) and IT could control the PC through group policy and other mechanisms. This feature allows a middle ground between all or nothing access, allowing a user to work on the device of their choice and still have access to corporate resources. With Workplace Join, IT administrators now have the ability to offer finer-grained control to corporate resources. If a user registers their device, IT can grant some access while still enforcing some governance parameters on the device to ensure the security of corporate assets.
  • Work Folders – Work Folders allows a user to sync data to their device from their user folder located in the corporation’s data center. Files created locally will sync back to the file server in the corporate environment. This syncing is natively integrated into the file system. Note, this all happens outside the firewall client sync support. Previously, Windows 8 devices needed to be domain joined (or required domain credentials) for access to file shares. Syncing could be done with 3rd party folder replication apps. With Work Folders, Users can keep local copies of their work files on their devices, with automatic synchronization to your data center, and for access from other devices. IT can enforce Dynamic Access Control policies on the Work Folder Sync Share (including automated Rights Management) and require Workplace Join to be in place.
  • Open MDM – While many organizations have investments with System Center and will continue to leverage these investments, we also know that many organizations want to manage certain classes of devices, like tablets and BYOD devices, as mobile devices. With Windows 8.1, you can use an OMA-DM API agent to allow management of Windows 8.1 devices with mobile device management products, like MobileIron or AirWatch.
  • NFC tap-to-pair printing – Tap your Windows 8.1 device against an NFC-enabled printer and you’re all set to print without hunting on your network for the correct printer. You also don’t need to buy new printers to take advantage of this; you can simply put an NFC tag on your existing printers to enable this functionality.
  • Wi-Fi Direct printing – Connect to Wi-Fi Direct printers without adding additional drivers or software on your Windows 8.1 device, forming a peer-to-peer network between your device and any Wi-Fi enabled printer.
  • Native Miracast wireless display – Present your work wirelessly with no connection cords or dongles needed; just pair to a Miracast-enabled projector through Bluetooth or NFC and Miracast will use Wi-Fi to let you project wire-free.
  • Mobile Device Management – When a user enrolls their device, they are joining the device to the Windows Intune management service. They get access to the Company Portal which provides a consistent experience for access to their applications, data and to manage their own devices. This allows a deeper management experience with existing tools like Windows Intune. IT administrators now have more comprehensive policy management for Windows RT devices, and can manage Windows 8.1 PCs as mobile devices without having to deploy a full management client.
  • Web Application Proxy – The Web Application Proxy is a new role service in the Windows Server Remote Access role. It provides the ability to publish access to corporate resources, and enforce multi-factor authentication as well as apply conditional access policies to verify both the user’s identity and the device they are using…

Continue reading here!

//Richard

#BYOD: From optional to mandatory by 2017, says #Gartner

I agree with this great article and the analysis made by Gartner.

Bring-your-own-device (BYOD) has for some time been gaining traction in the workplace, not only as a way of freeing up IT costs but also as a way of liberating workers from being virtually chained to clunky, aging machines at their desks.

But the latest research from Gartner suggests that by 2017, half of employers may impose a mandatory BYOD policy, requiring staff to bring their own laptop, tablet and smartphone to work.

As an optional policy, workplaces still have an IT fallback option, but many are choosing to bring their own tablets and smartphones to work in order to work more effectively using the technology they feel more comfortable with.

Some interesting tidbits from the research:

  • 38 percent of companies expect to stop providing workplace devices to staff by 2016. (PCs, such as desktops and laptops, are included in the definition of BYOD.)
  • BYOD is most prevalent in midsize and larger enterprises, often generating between $500m-$5bn in revenue per year, with 2,500-5,000 employees on the roster.
  • BRIC nations, such as India, China, and Brazil, will most likely already be using a personal device — typically a “standard mobile phone” — at work.
  • Meanwhile, companies in the U.S. are more likely to allow BYOD than those in Europe (likely due to stronger data protection rules, see below).
  • Around half of all BYOD programs provide a partial reimbursement, while full reimbursement costs “will become rare.”
  • Gartner vice president David Willis says companies should “subsidize only the service plan on a smartphone.”

But there’s a problem within. Those who have yet to adopt a BYOD policy often generally cite one of two good reasons (or both): interoperability and…

Continue reading here!

//Richard

How to check which #NetScaler policy that your #Citrix #Receiver or web browser hits?

April 18, 2013 1 comment

Ok, this is a common issue that you’ll end up in when setting up Access Gateway access scenarios:

How do you know which policy that is hit when your different Receivers are logging in?

Well, there are a couple of nice commands that can help you troubleshoot your access scenario! I guess that most of you have a simple scenario where you have one domain to authenticate against and some simple PNA, CVPN and potentially SSL VPN policies and profiles to deal with, and they are all linked to the virtual server like this simple example:

AG_vServer_VIP

But in more complex scenarios you may end up checking which browser the user is accessing with (to give nice error messages instead of the Citrix default messages when users use an unsupported browser, etc.), or you may have multiple AD domains and AD groups to link different policies to. Then it gets complex: you have multiple policies and profiles for the same configuration with only minor differences, such as the SSO domain name. So how do you troubleshoot that easily?

First we have the must-know command that hooks into the authentication process of the NetScaler and gives you a live view of it. Note that /tmp/aaad.debug is a named pipe written by the aaad daemon, not a log file, so you run this from the NetScaler shell (shell) and it keeps streaming until you stop it with Ctrl-C:

cat /tmp/aaad.debug

When you run that and then authenticate, you’ll see the result of your authentication against, for instance, LDAP and RADIUS sources, like the result here when I logged in to our little environment:

aaad_debug_output

At the top of the output you see all the AD groups that I’m a member of; one of these needs to match the group that you use on the NetScaler side. At the end you see the accept from AD for my authentication request.

Then you know that your authentication is OK, but which of the session policies are we hitting? For that you need to have a look at this great command:

nsconmsg -d current -g pol_hits

This is the output when I access using my Receiver on OS X:

nsconmsg_policy_hit
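To make the comparison repeatable, here is a small script I add to this post (it is not Citrix code and not part of the NetScaler) that parses saved nsconmsg pol_hits output and reports which session policy counters grew between two captures, one taken before and one after a Receiver or browser logs in. It assumes nsconmsg prints one counter per line in the column order Index, rtime, totalcount-val, delta, rate/sec, symbol-name, device-name, where the device name is the policy name; the two snapshots embedded below are constructed to that layout (the policy names SES_POL_Receiver, SES_POL_Browser and SES_POL_SSLVPN are made up for the example), not a real capture.

```python
"""Diff two nsconmsg pol_hits captures to see which NetScaler policy a login hit.

Added example for this post, not Citrix code. Assumes the column order
Index, rtime, totalcount-val, delta, rate/sec, symbol-name, device-name,
with the device name being the policy name for pol_hits counters.
"""
import re
import sys
from typing import Dict

# Constructed snapshots (not a real capture): BEFORE is the counter state
# before a Receiver logs in, AFTER is the state a few seconds later.
BEFORE = """\
reltime:mili second between two records Thu Apr 18 10:00:00 2013
 Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
     0       0            42          0        0 pol_hits SES_POL_Receiver
     1       0            17          0        0 pol_hits SES_POL_Browser
     2       0             3          0        0 pol_hits SES_POL_SSLVPN
"""

AFTER = """\
reltime:mili second between two records Thu Apr 18 10:00:07 2013
 Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
     0    7000            43          1        0 pol_hits SES_POL_Receiver
     1       0            17          0        0 pol_hits SES_POL_Browser
     2       0             3          0        0 pol_hits SES_POL_SSLVPN
"""

# One counter line: <index> <rtime> <total> <delta> <rate> pol_hits <policy>
_COUNTER = re.compile(r"^\s*\d+\s+\d+\s+(\d+)\s+\d+\s+\d+\s+pol_hits\s+(\S+)")


def parse_pol_hits(text: str) -> Dict[str, int]:
    """Return {policy_name: totalcount-val} for every pol_hits line in text.

    Header and 'reltime' lines do not match the pattern and are skipped.
    """
    hits: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            hits[m.group(2)] = int(m.group(1))
    return hits


def policies_hit(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Policies whose total counter grew between the captures, with the increment.

    A policy that first appears in the second capture counts from zero, so a
    newly bound policy that was hit is reported too.
    """
    grown: Dict[str, int] = {}
    for name, total in after.items():
        inc = total - before.get(name, 0)
        if inc > 0:
            grown[name] = inc
    return grown


def report(before_text: str, after_text: str) -> str:
    """Human-readable summary of which policies were hit between the captures."""
    hit = policies_hit(parse_pol_hits(before_text), parse_pol_hits(after_text))
    if not hit:
        return "no session policy counter increased"
    return "\n".join(f"{name}: +{inc}" for name, inc in sorted(hit.items()))


if __name__ == "__main__":
    # Usage: python pol_hits_diff.py before.txt after.txt
    # With no arguments the constructed snapshots above are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(report(f1.read(), f2.read()))
    else:
        print(report(BEFORE, AFTER))
```

Capture the two files on the NetScaler shell by redirecting the nsconmsg output before and after the login you want to trace; the script then tells you the policy name whose counter moved, which is the one your Receiver or browser actually hit.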

Read more…

Surprising Stats About Mobile Security

February 28, 2013 Leave a comment

Another good article!!

Surprising Stats About Mobile Security

IT security and data protection are the top ranked challenges faced by many mobile IT asset managers. This was certainly brought to light in Mobile Enterprise’s IT headaches executive survey, and recent research from the International Association of IT Asset Managers (IAITAM) brings this to light as well.

When IAITAM asked how organizations handle mobility and security: fifty-five percent of respondents access the enterprise from a remote location during off hours, and the same number can access enterprise information from any BYOD device. Yet only 60% of organizations track how, how long or who is accessing remotely.
Out of those employees who do access the enterprise remotely, slightly more than half use a secure key or digital pass, while 49% use a login name and password on a secure site. A little more than half (53%) of organizations surveyed have an intrusion protection system for deployed mobile units.

Lost/Stolen Devices Covered
Nearly 90% of respondents have a mobile device policy and process in place for lost, misplaced or stolen mobile devices. At the same time, little more than a quarter have real-time location system tracking on any/all mobile devices. Still, 56% say they are able to perform a remote wipe of all data.
Less than half (43%) will automatically replace a lost, misplaced or stolen device within a 24 to 48 hour period. Eighty-four percent of companies have a firm policy that employees leaving the company must surrender their mobile device(s).
Tracking software downloaded on devices and preventing software downloads came in third and fourth as the most challenging issues, respectively, but with the predicted growth of mobile malware, this number could change going forward.

Asset Tracking?
Nearly 60% believe that they are managing mobile security adequately, but nearly 75% surveyed felt that licensing and management of mobile device assets is a challenge; 52% track their assets using an automated tool, while 36% still use spreadsheets. Another 12% are not tracking mobile assets at all. Members of the Mobile Enterprise Editorial Advisory recently had a few things to say about this topic.
The main software programs accessed through a mobile handheld device or smartphone are Microsoft (85%), Google (52%) and Adobe (26%). Many of these same software publishers aggressively protect their intellectual property through software audits.

BYOD
Fifty-one percent of organizations surveyed had a BYOD or BYOT [technology] program that allows employees to use their personal mobile devices for work purposes. Surprisingly, 60% who took advantage of a BYOD program only accounted for 25% or less of employees who brought in their personal devices. 
 
More than three-quarters (77%) allow their employees…

Continue reading here!

//Richard

Do you really need a #BYOD policy? – via @GeneMarks

February 27, 2013 Leave a comment

This is a really good article by Gene Marks!

Social media.  Cloud computing.  Gamification.  SaaS.  Social CRM. Virtualization.  Mobile.  Every year we hear of the latest technology issues facing small business owners like me.   And now it’s BYOD (Bring Your Own Device).  Everywhere I read in the tech world it’s BYOD.  That’s because with the proliferation of smartphones, tablets and mini-laptops it’s become the hot tech security issue.  Whitepapers are written.  Seminars are conducted. Roundtables are moderated.  It’s a BYOD year.

I have 10 people in my company.  And a half dozen other contractors.  These people are using smartphones, tablets and laptops to access our data.  We do not have a BYOD policy.  Do I really need one?  Do all businesses, big or small, need to really worry about this?  Or is it just another scare tactic from a bunch of IT guys looking to put fear into their clients’ minds and generate additional billable hours?

Hmmm.

The fact that everyone in my company has a different smartphone is of no concern to me.  Why should I care if Sam prefers his iPhone but Josh likes his Droid?  They are using their phones to call clients on Verizon or AT&T or whatever so I’m not exposed to any risk there.  The same with texting.  But uh oh…then there’s email.  Am I exposed to security issues when they send and retrieve email from our server?  No.  That’s because we have a hosted mail server and each employee has their own login to their email account.  They set up their email on their own with instructions we gave them.  Viruses, spam and all the other evil things that could happen via email are (hopefully) controlled by the security software running at the server level.

Read more…

#XenMobile, #MobileSolutions – Is this what we’ve been waiting for? – #Citrix, #ZenPrise, #BYOD

February 25, 2013 Leave a comment

Ok, so Citrix has now presented their new offering after merging Zenprise into their product portfolio. And is this what you have been waiting for?

My personal answer to that is probably yes: you now have (almost) all the capabilities out there to get your BYOx program/strategy and architecture in place, or to add capabilities to your existing service offerings.

I must say though that the packaging is compelling and VERY interesting!

Citrix Mobile Solutions Bundle

The Citrix Mobile Solutions Bundle, which is comprised of XenMobile MDM and CloudGateway, offers a complete enterprise mobility management solution that enables IT to manage and secure devices, apps, and data.

XenMobile MDM Edition

XenMobile MDM Edition offers market leading mobile device management capabilities that deliver role-based management, configuration and security of corporate and employee-owned devices.

What I’d like to see is a roadmap where Citrix becomes an even more complete provider of technology in the Mobility segment. I still believe that Mobility is not only about smartphones and tablets and all the apps that you shall deliver to those devices and non-managed and non-corporate owned devices. There is still a need to provide device management of corporate assets that are not smartphones and tablets! And why should you have to implement another device management service/product for those.

So please, Citrix: add Windows 7/8, OS X and Linux device capabilities as well to your almost complete Enterprise Mobile Management offering!

The offering is of course still an early release today, where the former Zenprise product and CloudGateway are provided under the same marketing and price bundle, but I’m waiting for when we have one (1) enterprise app store, with all capabilities delivered from one technical architecture and product where you enable each capability on a need basis and are licensed accordingly.

But this is a great step for Citrix and I must say that I’m looking forward to seeing where this is going; I mean, the feature set is pretty awesome!

Compare Features: XenMobile MDM Edition vs. Mobile Solutions Bundle

Enterprise MDM
  • Device management
  • Configure policies
  • Security and compliance
  • Scalability and high-availability
  • Ease of administration
  • Provisioning and self-service enrollment
  • Enterprise integration
  • Monitor and support
  • Decommission devices

Secure email, browser and data sharing apps
  • @WorkMail
  • Email attachment encryption
  • @WorkWeb
  • ShareFile integration
  • Microsoft SharePoint integration

Mobile app containers
  • Mobile application management
  • MDX Vault
  • MDX Interapp
  • MDX Access
  • App wrapping

Unified app store
  • Enterprise app store
  • Follow-me apps

Identity management, single sign-on and scenario-based access control
  • Active Directory integration
  • Instant application and data provisioning
  • Single sign-on to apps and data
  • App requests
  • Instant application and data de-provisioning
  • Strong authentication
  • Secure remote access
  • Policy enforcement

More information about the technologies have also been added to eDocs!

MobileSolutions_Citrix_edocs

 

Of course, they have also made their comparison table:

Compare the Mobile Solutions Bundle to other enterprise mobility solutions

These are exciting times and I’m looking forward to playing around with the whole bundle!

Read more about XenMobile/Mobile Solutions here!

//Richard

SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront

January 31, 2013 3 comments

Single Sign-On from Access Gateway to StoreFront not working in CVPN mode

There is yet another “thing” to have in mind when setting up Access Gateway and StoreFront in CVPN mode!

It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!

After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!

So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…

The following picture gives a VERY rough idea of what it could look like: clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (the old traditional ICA proxy policy) and the somewhat newer CVPN mode. And YES, I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…

High_Level_Design_overview_SSO_not_working

The overall idea and config is that AG authenticates the user and then does SSO to StoreFront. The CVPN policy has been created according to all best practices (Citrix CloudGateway Express 2.0 – Implementation Guide).

But SSO still doesn’t work!! If you log in through a browser with the CVPN policy linked to the vServer, you’ll see that authentication works perfectly, but when it tries to pass the authentication through to StoreFront it fails.

This picture just shows the login to the NetScaler ADC Access Gateway vServer:

NetScaler_Access_Gateway_login

Read more…

Host checks/EPA scans are not for everyone – #Citrix, #NetScaler, #AccessGateway

January 30, 2013 Leave a comment

This is an interesting blog post from Citrix… It captures a scenario that I know one of my previous customers was thinking of, so have a look at it!

The main thing I think of when reading this, though, is that EPA scans are NOT for everyone, and I agree. Please also read my earlier posts on why it cannot be done with today’s products from Citrix.

#Citrix #Receiver 3.4 and 11.7 = is the #SmartAccess story more real now? – #CloudGateway, #AGEE, #NetScaler, #StoreFront

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

Even though the latest Receivers changed some scenarios and enable host checks/EPA scans, they still don’t provide the full picture. I’ll be publishing a more detailed picture on why later; some late night I’ll be able to complete it! 😉

Here you have the blog post from Tobias Frigger:

A customer of one of my Citrix Consulting colleagues recently came up with an interesting request.

Like many others they are using Citrix NetScaler’s Access Gateway Enterprise Edition module to grant secure remote access to applications and desktops.
Additionally, they use a client management and software distribution solution to deploy the EPA plugin to client computers and therefore wanted to suppress Access Gateway offering the EPA scan plugin for download through the browser. This introduces some additional level of control over which client is entitled to connect through Access Gateway.

An approach restricting certain user groups from logging in by using group memberships is a more common scenario, but in this case the customer intended to restrict the end points and not the users. When end users lack administrative permissions to install custom software, preventing the download is indeed an effective measure.

A job for Citrix Consulting!

As you know, Access Gateway Enterprise Edition offers two ways of running Endpoint Analysis (EPA) scans – before and after authentication. Consequently, there are two procedures.

The formal requirements

  • Remove the download button displayed when accessing the AGEE virtual server and the plugin is not detected by the browser or if the plugin is outdated
  • Alter the message text such that it refers users to contact their system administrator if they think the plugin should be installed.
  • When using a post-authentication EPA scan, add a “logout” button.

EPA Scan dialogue

Backup
As a precaution, we want to make backup copies…

Continue reading here!

//Richard

Webinar – #Citrix Mobile Device Management – #CloudGateway – @RobSanders

January 17, 2013 1 comment

How to secure native iOS and Android email as well as other apps for business use

Thursday, 24th January 2013, 3:00pm GMT (4:00pm CET)

Citrix provides two new mobile apps to support mobile workers with secure email and web browsing on their BYO and corporate mobile devices – @WorkMail and @WorkWeb. Come to this technical webinar to learn more about how these and other native iOS and Android applications can be securely distributed and managed for your business.

Topics include:

  • Managing, securing and controlling web and native mobile applications and data
  • Secure mobile containers
  • Seamless app integration
  • Policy-based access controls
  • Application-specific Micro VPN

This live webinar is presented by Rob Sanders and will be followed by a live Q&A session.

Space is limited.

Register here!

//Richard
