The market is full of tablets and portable devices of every kind, and admins have to find a way to manage this new situation and give access to data from everywhere… Is it possible? In this presentation we will explore in depth how this can be made possible using the Work Folders technology offered by the new Windows Server 2012 R2, and also the new Workplace Join, which can give access to corporate applications even to those who…. do not use Microsoft operating systems. We will also look at the MFA (Multi-Factor Authentication) capability for accessing company data from anywhere.
Windows Server 2012 R2 Live Meeting
Bring your own device using AD FS
Wednesday 2 April 2014, 19:00 – 20:00
Chris Spanougakis MCT, MVP Directory [email protected]
Who am I
• Microsoft Certified Trainer since 2000
• Microsoft Most Valuable Professional in Directory Services since 2008
• IT Consultant, teaching, travelling
• Twitter @spanougakis
• Blog http://www.spanougakis.com
Agenda
• What is Work Folders?
• Implementation of Work Folders using ADFS
• Work Folders with File Server Roles
• Workplace Join using ADFS
• Demos
• Links
• Questions
Enabling work from anywhere
IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity
IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
Users can work from anywhere on their device with access to their corporate resources.
Users can register devices for single sign-on and access to corporate data with Workplace Join
Users can enroll devices for access to the Company Portal for easy access to corporate applications
IT can publish Desktop Virtualization (VDI) for access to centralized resources
BYOD
http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-8-1/compare/default.aspx
File Sync Solutions
Data categories on personal devices: consumer / personal data, individual work data, team / group work data
Solution and data location:
• SkyDrive: Public cloud
• SkyDrive Pro: SharePoint / Office 365
• Work Folders: File server
• Folder Redirection / Client-Side Caching: File server
Work Folders Prerequisites
• New File Server Role in Windows Server 2012 R2
• New file sync protocol over HTTPS
• Non-Work Folder clients can connect via SMB
• Works with other File Server Roles
• Requires Locally Attached Disk
• Work Folder Share
• Requires Public or Private PKI
• User must be a member of a Sync Group
Work Folders Clients
• Windows 8.1 Domain Joined
• Windows 8.1 Non-Domain Joined
• Windows 8.1 RT
• Windows 7 (with agent software, coming soon)
• iPad (coming soon)
Options to connect
• Auto-Discovery: the user types his e-mail address
• By using a URL: the user types the URL
• Opt-in (GPO, SCCM, Intune): the user decides when to connect
• Mandatory (GPO, SCCM, Intune): forced, automatic
Where to start
• Install the FS role on Windows Server 2012 R2 and enable Work Folders
• Create a DNS entry for workfolders.yourdomain.com
• Open port 443 on your firewall and publish the FS
• Create or use the server certificate and verify that it is used by the HTTPS web app
• Create users, groups, GPOs
• Configure the Windows 8.1 client
GPOs & Certificates
• netsh http show sslcert
• netsh http delete sslcert hostnameport=dc.testlab.com:443
• netsh http add sslcert hostnameport=dc.testlab.com:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY
• Use a GPO to force automatic setup, so the user does not have to type his e-mail address or the Work Folders URL
• It's a good idea to use https instead of http
• It's also a good idea to use a public PKI certificate...
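The "Where to start" steps and the netsh certificate binding above, as one PowerShell script. This is an added example, not code from the slides; the server name dc.testlab.com and the app id come from the netsh slide, while the data path D:\WorkFolders and the group TESTLAB\WorkFolderUsers are placeholders.

```powershell
# Added example: provision a Work Folders sync share on Windows Server 2012 R2
# and bind the HTTPS certificate the way the netsh slide does.
# Placeholders (not from the deck): D:\WorkFolders, TESTLAB\WorkFolderUsers.
$hostName = 'dc.testlab.com'
$appId    = '{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}'   # Work Folders app id from the slide

# 1. File Server role with the Work Folders role service
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

# 2. Sync share on a locally attached disk, granted to a security group.
#    Both device policies are enforced on the Windows 8.1 client: encrypt the
#    synced data and require a lock-screen password (limits exposure of
#    corporate data on a lost personal device).
New-SyncShare -Name 'WorkFolders' -Path 'D:\WorkFolders' -User 'TESTLAB\WorkFolderUsers' `
    -RequireEncryption $true -RequirePasswordAutoLock $true

# 3. Pick the certificate whose SAN list carries the published name
#    (the slide recommends a public PKI certificate for this)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $hostName } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $hostName in LocalMachine\My" }

# 4. Rebind HTTPS in http.sys (same commands as the slide, with the real thumbprint)
netsh http delete sslcert "hostnameport=${hostName}:443" | Out-Null
netsh http add sslcert "hostnameport=${hostName}:443" "certhash=$($cert.Thumbprint)" "appid=$appId" certstorename=MY

# 5. Verify: the binding reports the selected thumbprint and port 443 is reachable
$binding = netsh http show sslcert "hostnameport=${hostName}:443"
if (-not ($binding | Select-String -SimpleMatch $cert.Thumbprint)) {
    throw 'SSL binding does not use the selected certificate'
}
Test-NetConnection -ComputerName $hostName -Port 443 | Select-Object ComputerName, TcpTestSucceeded
```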
Work Folders Links
• TechNet - http://blogs.technet.com/b/in_the_cloud/archive/2013/07/10/what-s-new-in-2012-r2-making-device-users-productive-and-protecting-corporate-information.aspx
• How to deploy Test Lab - http://blogs.technet.com/b/filecab/archive/2013/07/10/work-folders-test-lab-deployment.aspx
• Work Folders - http://technet.microsoft.com/en-us/library/dn296644(v=wps.630).aspx
• PowerShell - http://technet.microsoft.com/en-us/library/dn296644(v=wps.630).aspx
• Selective Wipe - http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/protecting-corporate-data-on-mobile-devices.aspx
Work Folders Demo using ADFS
Workplace Join
• Associates the device with a user
• Provides a seamless second factor authentication
• Enables IT to conditionally restrict access only to workplace joined devices
• Enables a better end user experience with SSO
• Avoids risks involved in saving passwords with each application
• Avoids users having to repeatedly enter their credentials
• Enabled by device registration service in AD FS
Expanding device support
Device relationship with Active Directory: Not Joined to AD, Workplace Joined, Domain Joined
• Not Joined to AD: limited access, no IT control
• Workplace Joined: device at work with IT governance & controlled access to apps
• Domain Joined: company owned device with full IT control & full access
Workplace Join Prerequisites
• Active Directory Domain
• Active Directory Federation Server Role
• Managed Service Account for the ADFS Service:
  Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
  New-ADServiceAccount FsGmsa -DNSHostName adfs.contoso.com -ServicePrincipalNames http/adfs.contoso.com
• Certificate for the ADFS Server:
  Subject Name (CN): adfs.contoso.com
  Subject Alternative Name (DNS): adfs.contoso.com
  Subject Alternative Name (DNS): enterpriseregistration.contoso.com
See all the detailed steps here: http://technet.microsoft.com/en-us/library/dn280939.aspx
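The Workplace Join prerequisites carried through to an enabled Device Registration Service, as an added example that is not part of the original slides. The gMSA FsGmsa and the names adfs.contoso.com / enterpriseregistration.contoso.com are taken from the slide; the DNS zone name contoso.com and the account prefix CONTOSO are assumptions.

```powershell
# Added example: prepare AD FS device registration for Workplace Join.
# Names from the slide: FsGmsa, adfs.contoso.com, enterpriseregistration.contoso.com.
# Assumptions: DNS zone contoso.com, NetBIOS domain CONTOSO.
$fedName = 'adfs.contoso.com'
$drsName = 'enterpriseregistration.contoso.com'
$gmsa    = 'CONTOSO\FsGmsa$'

# 1. gMSA for the AD FS service (the two commands from the slide).
#    Backdating the KDS root key makes it usable at once; acceptable in a test lab,
#    in production wait the default 10 hours for replication instead.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount FsGmsa -DNSHostName $fedName -ServicePrincipalNames "http/$fedName"

# 2. Device Registration Service: prepare the forest and bind DRS to the gMSA,
#    then enable it on the AD FS farm
Initialize-ADDeviceRegistration -ServiceAccountName $gmsa
Enable-AdfsDeviceRegistration

# 3. Let AD FS use the registered device as the seamless second factor
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 4. Clients locate DRS through enterpriseregistration.<UPN suffix>; alias it to AD FS
Add-DnsServerResourceRecordCName -ZoneName 'contoso.com' -Name 'enterpriseregistration' -HostNameAlias $fedName

# 5. Check the certificate AD FS serves: it must carry both names as SANs (slide)
$hash = (Get-AdfsSslCertificate | Select-Object -First 1).CertificateHash
$cert = Get-Item "Cert:\LocalMachine\My\$hash"
$missing = @($fedName, $drsName) | Where-Object { $cert.DnsNameList.Unicode -notcontains $_ }
if ($missing) { Write-Warning "AD FS certificate lacks SAN entries: $($missing -join ', ')" }
```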
Multi-Factor Authentication
• Authenticate the users using one more factor
• Microsoft Azure can help with PhoneFactor
• Phone calls or SMS can be used for additional authentication
Workplace Join Demo using ADFS
Do you have Windows 8? Download the free app!
Q&A: Questions and Answers
Thank you!