name: citn-template
--- template: citn-template class: center, middle, inverse # All-in with Azure AD, Intune, and Office 365 ### πNotes and Slides: billdeitrick.com/citn2019 .small.absbottom[ Bill Deitrick Information Services Director Christ Wesleyan Church Milton, PA ] ??? 1. Introduction 1. This is the AAD, Intune, O365 talk...heads down as you leave... 1. About Me 1. Professional: ISD, CS Degree, Experience: Higher Ed, Fortune 500, Church/K-12 1. Personal: Family, kiddos (time!), Python, web dev, farm 1. Intoduce Mike 1. Overview 1. IT Dir perspective on prem to AAD/Intune/O365-driven in ministry environment 1. Focus: identity mgmt AAD, dev mgmt Intune 1. Intune (Windows) w/multi-platform auth 1. Less focus on O365 1. Goal: Share experience, equip you 1. Not exhaustive 1. Selective, most relevant; more details on website 1. Not expert or consultant; sharing on experience 1. Introduce vendors 1. Avoid prescriptive; stick to descriptive --- template: citn-template class: center, middle, inverse # Your Environments ??? 1. Who is using O365 today? 1. Using cloud-only identities (no on-prem environment)? 1. Using identities from on-prem? 1. Anyone doing federation (ADFS)? 1. Who is using Azure AD for more than just O365 identities? 1. Who is using Intune to manage Windows devices? 1. Using hybrid joined devices (Intune and On-prem AD)? 1. Managing non-windows devices with Intune? 1. Totally in the MS modern managment stack (all MS, no on-prem)? --- template: citn-template # Our Environment .column-left[ ## Church * PCs, Macs, Chromebooks, and iPads * ~65 employees * PC-dominated, moving to mix of above * Traditional AD environment (with AADConnect); moving to Azure AD/Intune only ] .column-right[ ## School * PCs, Chromebooks, and iPads * ~65 employees, ~400 students * Employees all use PCs, students use Chromebooks (one-to-one for high school) and iPads * Fully transitioned into an Azure AD-driven environment ] ??? I don't need to read... Basically two environments we're managing: church/school 1. Church 1. Device choice 1. Not yet all-in! π 1. Azure AD IDP for G Suite (more on this later) 1. School 1. Azure AD and G Suite for employees and students 1. Azure AD auth for all devices (Win, Chrome) 1. Split environments: summer project, move to Azure AD (no more on-prem dependencies) --- template: citn-template # Why Azure AD and Intune? ??? 1. Call of the cloud: less overhead, less time to manage, someone else on the hook when it breaks 1. Ultimately about ministry value: this is the win! π 1. Our specific scenario: 1. Church/school shared; LIC changes (EDU-specific) = time to split 1. Originally: 2 traditional AD, trusts, etc. 1. More servers, more management overhead/complexity 1. G Suite Chromebooks only (great experience, students)? 1. Hardware limits, Microsoft formats 1. Need PCs...put identities in G Suite? No Win signin w/o third party 1. AAD/Intune...why not? Move management tools forward, give platform flexibility -- * Best fit for ministry needs within licensing and cost constraints ??? ### Ministry Needs: 1. No more servers; greatest platform flexibility 1. Want small server footprint (containerize and PaaS what we do maintain); < WinDoze -- * Better Windows device management: NO MORE IMAGING!! π ??? ### Windows Mgmt 1. Building images always quick, favorite activity. π 1. No imaging w/Windows 10 and Intune! 1. Gain in mgmt functionality! -- * Identity Consolidation ??? ### Identity 1. Reduce account sprawl 1. Azure AD = Easy SSO, don't need complex infra! 1. Seamless for users, even for apps not explicitly provisioned 1. Integrated G Suite, can use "Sign in w/O365 or "Sign in w/Google" anywhere -- * Device-agnostic, user-driven, available-from-anywhere experience ??? ### Dev-agnostic 1. Easily, seamlessly move between devices + platforms 1. Data accessibility, state transfer; just sign in and work 1. Self-service; base set of apps, self-service install additional from curated + approved list 1. Available anywhere...no VPN required. (Users get elsewhere, we offer best solution) 1. TL;DL; - we want Windows devices to be ChromeBooks (mgmt; experience -- deploy fewer now) -- * Forward-looking solution ??? 1. Momentum here; MS path forward for orgs like us --- template: citn-template # M365: Two Minute Overview ??? 1. Microsoft 365 is suite giving access to modern MS 1. Most already familiar...25% of retail as 501c (see website) -- * Office 365 ProPlus ??? ### ProPlus 1. Local office apps -- * Office 365 - E1, E3, E5 ??? ### Office 365 1. The office 365 cloud services 1. Limited Azure AD; for what we're talking today need π -- * Enterprise Mobility Plus Security (EMS) - E3, E5 ??? ### EMS 1. Intune, Azure Active Directory Premium 1. Identity + Dev Mgmt in cloud -- * Windows Enterprise - E3, E5 ??? ### Win Ent 1. Win-as-a-service, user-based (last windows ver) 1. User-based, not device based like vol lic. 1. Ent bits included w/pro (user sign in unlocks) 1. E3 vs. E5 (Win Defend ATP) -- * Microsoft 365 (M365) - E3, E5 ??? ### M365 1. The total package; includes all of the above 1. E3 = E5+ more advanced security, discovery, and auditing tools, plus phone system -- * Our Licensing Strategy * Users with org-owned Windows devices: M365 E3 * Users without org-owned Windows devices: ProPlus, O365 E1, and EM+S * Users with no org-owned devices: O365 E1 and EM+S ??? ### Licensing Strategy 1. E3 sufficient for us 1. This mix-and-match gives best value 1. Helped by 50 free EMS licenses (not available anymore) --- template: citn-template # "Azure AD is not Cloud AD" ??? 1. Ads look to sell...yet another service 1. AD AAD very diff...diff needs, diff eras, diff tech stacks 1. AAD != traditional AD in cloud -- * Goodbye NTLM, LDAP, Group Policy, and RADIUS; hello web services ??? ### Goodbye 1. Native Languages: OAUTH, SAML, OpenID, WS-Fed, WS-Trust etc. 1. WS-FED = join AAD, WS-Trust sign-in 1. Traditional protocols "gonna cost you someting extra" - Han Solo 1. Thought needed LDAP + RADIUS (ADDS, servers in Azure) 1. Two major pain areas: 1. PBX using LDAP for user web portal auth 1. WPA2 Enterprise Wi-Fi 1. NPS/RADIUS - employees, AD-joined deivces 1. Internal Wi-Fi = printing (most cases) 1. Beginning Meraki rollout; will largely ease this pain -- * Azure AD manages applications ??? ### Manage Apps 1. SSO-enabled SaaS, assign users access 1. No analogue in traditional AD -- * Flat user structure; no more OUs or forests -- * Can't customize the directory schema --- template: citn-template # Groups ??? A bit different in AAD -- * Two types of groups: Security and O365 -- * Three membership types: Assigned, Dynamic User, Dynamic Device ??? ### Three membership types 1. Dynamic User + Device (like Exchange dynamic distrib) 1. Build filter, group populates automagically (no AD analogue) 1. Filters user powershell-like syntax 1. Useful to us...automatically create elem, middle, high school groups 1. (based on last two digits of grad year in UPNs) -- * Group-based licensing ??? ### Group-based licensing 1. Use groups to assign licenses to users! Simplified, flexible 1. We try not to use O365 groups as sec groups for things other than the actual O365 group's content. This can get awkward... esp. if allowing users to manage groups. -- * Sec-[GROUP TYPE]-[GROUP NAME] ??? ### Sec-[GROUP TYPE]-[GROUP NAME] 1. Groups broken down into types (Lic, Role) 1. Really nice for searching (users aren't seeing these) --- template: citn-template # Connecting devices ??? Only one type of join in traditional AD (three in AAD) -- * Azure AD Registered ??? ### AAD Registered 1. Personal, BYOD (multi-platform) 1. Registered when sign into org account w/app on device 1. Don't sign into device with org accounts -- * Azure AD Joined ??? ### AAD Joined 1. Closest to traditional AD; sign in with AAD (org) accounts 1. Windows only 1. What we're doing 1. Devices behave as in "workgroup"; once authed w/web svcs, account behaves like local 1. Folder in C:\Users = FirstLast, down-level logon name = π -- * Down-Level Logon Name: `AzureAD\FirstLast` ??? ### Down-level logon name 1. Use this to add to local groups (RDP users, etc) -- * Hybrid Azure AD Joined ??? ### Hybrid AAD joined 1. Both AAD and AD; not explored in depth (eliminate on prem!) --- template: citn-template # Enterprise applications ??? Managing connected apps that we talked about; users sign in with org accounts -- * Administrative control of SSO with third-party apps ??? ### Administrative control of SSO 1. AAD was built for this 1. Like ADFS rolled directly into AD 1. App access controlled at group or individual level -- * Hundreds of applications in the gallery * SaaS vendors and/or Microsoft will typically have documentation ??? ### SaaS vendors... 1. Moving everything we can towards SSO! -- * Azure AD as IDP for G Suite ??? ### AAD as IDP 1. Using AAD creds to sign in to G Suite account 1. Big win for church and school (relatively easy setup!) -- * Google "Cloud Identity Free" licenses * Web App Login: "Sign in with Google" * Chrome Sync with Azure AD logins * Azure AD logins on Chromebooks π ??? ### Licensing 1. Church G Suite - commercial (cloud identity free) 1. School - EDU π cloud Identity free cost-effective... 1. Cloud Identity Free = managed account, no Google apps (drive, docs, etc...get all other consumer stuff) 1. Seats relative to # of paid licenses purchased (believe 50 per paid license) ### Web App Login 1. Google SSO very popular 1. Significantly broadens SSO footprint ### Chrome Sync 1. Complete browser platform agnosticism (Chrome is primarily supported browser) 1. Any device, any platform; browser stuff is there 1. Also force Chrome browser mgmt with policy in Intune 1. Manage browsers on devices with Chrome management tools, no per-device cost! 1. We whitelist extensions, block push notifs (don't need ad for used cars), push any other supported config ### AAD logins on ChromeOS 1. Use ChromeBooks less than expected (Intune story is π) 1. Make much sense in certain use cases (part-timer needs email) 1. Not including student use...students on Chrome, not going anywhere else soon 1. School login gets O365, G Suite, SIS, etc. --- template: citn-template class: center, middle --
??? 1. One note: no native binding for Mac 1. MDM may help...Mosyl: "Mosyle Auth for Mac Login Window" which advertises Azure AD logins for Mac (this is a paid addon) 1. We haven't tested this yet (since we don't have any Macs in the school environment, but we plan to do so soon). --- template: citn-template # Conditional Access ??? A "killer feature"...no analogue in traditional AD -- * Configure security controls to apply in specific scenarios ??? ### Configure security controls 1. Conditional allow/deny, require MFA, specific apps, etc. -- * Based on a variety of "signals", such as: -- * Group membership * IP Geolocation * Device (managed or not) * Application being accessed * Risk detection (depending on license) ??? ### Signals 1. Examples we've implemented: 1. MFA for admins 1. Approved Apps (sandbox org data, works w/Intune Mobile App Managment) 1. Other possibilities: 1. Geolocation blocking 1. Broader MFA rollout --- template: citn-template # π Our Pain Points -- * Security group nesting is...unpredictable ??? ## Sec group nesting 1. Works some places, not others 1. So...no more RBAC π -- * Password changes on AAD-joined devices are...jarring ??? ## Password changes 1. Web page! 1. New employee...sign out/in, or nothing works --- template: citn-template # Intune ??? 1. Not just GPO in cloud (MDM, MAM) 1. MDM like for mobile devices -- * Device configuration profiles ??? ### Device configuration Profiles 1. Managing these instead of GPO -- * Assigned to devices or groups of devices (not OUs), not hierarchical like GPO ??? ### Assigned to devices 1. Select platform, then type 1. See website for more 1. Basically 8 config profiles for whole config 1. Built-in profiles not exhaustive as GPO 1. Recent additions give more capability -- * Administrative Templates ??? ### Admin Templates 1. Win 10 Admin Temp GPO in Intune 1. GA in July, major config scope broadening 1. Not exhaustive, fills in lots of gaps --
??? ### Image 1. OneDrive setup enabled with Admin Templates 1. SSO w/Windows logon, files on demand, KFM 1. Makes OneDrive completely seemless -- * Custom Profiles/OMA-URI ??? ### Custom Profiles 1. Specify settings no in standard profiles or admin templates -- * Specify custom OMA-URI and values ??? ### OMA-URI 1. OMA-URI = Open Mobile Alliance Uniform Resource Identifier 1. Path to setting (think URL) 1. Follows OMA-DM (Device Management spec) 1. All possible OMA-URI for Windows in the CSP (configuraiton service provider) ref (great evening reading) 1. Find settings to spec custom policies; links on website 1. We use custom policy for pushing default apps -- * Ingest Custom ADMX ??? ### Ingest Custom ADMX 1. Ingest any ADMX template (not just built-in) 1. We use for pushing Google Chrome to register as managed browser 1. Paste XML into Intune, specify OMA-URIs (see docs--links online) using specific syntax --- template: citn-template # Patching: No WSUS? No problem! ??? Two things needed in tandem: -- * Delivery Optimization ??? ### Delivery Optimization 1. P2P Update distribution; gets you local caching (no WSUS) 1. Config profile sets up parameters -- * Softare Update Policy: Update Rings ??? ### Software Update Policy 1. Separate section from config profs in Intune 1. Specify Windows Update settings 1. No more control over individual patches (necessary? cumulative patching), instead... 1. Update Rings 1. Groups of devices sharing patching settings 1. Primarily, specify deferral period for feature and quality updates 1. Fast Ring for a few devices (short deferral), slower [standard] by default --
??? ### Screenshot 1. Our update rings... 1. Control: Pause, uninstall last feature update, resume 1. Specify settings related to user interruption, dealines in rings 1. Less granular control with rings, much less labor intensive --- template: citn-template # PowerShell Scripts ??? Easy to push custom PS to Windows w/Intune. The sky is the limit! -- * Intune Management Extension deploys scripts and installs Win32 apps ??? ### Intune Mgmgt Extension 1. Small helper service 1. Pushed automatically when PS or Win32 app is assigned -- * PowerShell Scripts can be run user or machine-scoped ??? ### PowerShell Scripts can be run user or machine-scoped 1. You assign to group of users or machine-scoped 1. Control context for scripts (user/machine) 1. Scripts run until complete with success (exit code), 3 retries 10 min timeout -- * DO NOT put sensitive data into PowerShell scripts you push with Intune ??? ### DO NOT put sensitive data... 1. Script contents dumped to plaintext logs! 1. Accessible from standard user account, offline if not encrypted! 1. Example use case: Teams deployment (yes really)... 1. Needs command-line param not to run large-and-in-charge, could only get this to behave with PS (when tested) --- template: citn-template # App Deployment ??? 1. A favorite capability (didn't have good answer before) 1. Recently added ability to deploy Win32 apps...really robust 1. Apps assigned to devices or users -- * Types of apps that can be deployed on Windows: -- * Microsoft Store apps ??? ### Microsoft store apps 1. Straightforward...purchase from store, sync to Intune, deploy -- * Line of business apps (well-behaved MSI) ??? ### Line of business apps 1. Really easy...upload MSI, specifi params, done. IME download MSI (using BITS) and install. -- * Windows app (Win32) ??? ### Windows app 1. Majority of apps not "well behaved" 1. Lots of flexibility--MSI or EXE, custom script 1. process 1. Put all resources to silently deploy in folder (exe, scripts, etc) 1. Use MS-provided utility to bundle into .intunewin archive 1. Upload .intunewin 1. Specify entrypoint (script, exe itself, etc) 1. Specify requirements needed to isntall (win version, disk space, memory, etc) 1. Specify detection rules (folder/file present, app GUID is present, etc) 1. Lots of room for creativity 1. We have poorly behaved test taking app (user data to %programfiles%) 1. Installer script symlinks those folder to OneDrive; bam, done. -- * Company Portal app ??? ### Company Portal app 1. Self-service app installation 1. Required or available - required = automatically pushed, available =
--
??? ### Image 1. Great for optional apps, users install on-demand 1. App type doesn't matter--UX is same --- template: citn-template # π Our Pain Points -- * App install error codes for Win32, MSI are often...unhelpful ??? ### App install error codes 1. Means hands-on troubleshooting with test machine 1. Notes on website -- * Built-in cloud-based printer deployment solution is...nonexistent * Needed third party product (Printix) ??? ### Built-in cloud-based printer deployment 1. Third-party (paid) product: Printix (no print server) 1. Came from Papercut; Printix has no realy reporting, visibility isn't as good 1. Printix does cover Win, Mac, iOS, Android 1. 30% NPO discount 1. A whole session...talk to me if interested. :-) -- * Wi-Fi policies will report an error if pushed to a device without a Wi-Fi adapter, which we find...annoying ??? ### Wi-Fi policies 1. Err if pushed to device w/no Wi-Fi adapter 1. Probably helpful, means need separate groups for devices w/ and w/o adapter -- * Reporting intervals are...really slow π’ ??? ### Reporting intervals 1. Graphs are pretty, takes awhile for them to reflect reality --- template: citn-template # π Getting Devices "Business Ready" ??? 1. Wasn't sure what to call this (enroll, register, join mean different things) 1. "Business ready" is what MS calls a device ready for a user to used 1. Question: How to we take a device form "boxed to busy" 1. How to get devices into Azure AD/Intune and manage them? 1. Actually more nuanced...different options depending on needs (another session!) 1. Focusing on what we've done (cloud-only--our goal) -- * Azure AD/Intune Integration ??? ### Azure AD/Intune Integration 1. Well integrated; specify MDM in Azure, join and auto-enrolled for management 1. Recall: Registered = BYOD, Joined = Org-owned -- * Primary choice: User or IT-driven? ??? ### Primary choice 1. MS parlance: self-enrollment or administrator-based 1. Can hand users unopened box, they unpack, sign in and go 1. Downside: more user time for device to be ready 1. Upside: works great if no IT a remote site, need light touch, or want to ship 1. Can make more IT-driven 1. IT does prep, hands user ready-to-roll device 1. Downside: IT time/touch required 1. Upside: UX -- device ready -- * Self-enrollment methods * BYOD * Azure AD Join * Autopilot ??? ### Self-enrollment methods: 1. Not hitting everything...trying to focus on most relevant 1. BYOD: users self-register personal devices ("Connect Work or School Account" from Settings app) 1. Azure AD Join: User joins device themselves during OOBE 1. Downside: takes time for all policies to pull down (large app installs, etc) 1. Autopilot: Sort of like Microsoft's version of DEP, but more 1. Really interested in the "White Glove" experience 1. IT connects device to Modern Management environment, device pulls down policies, then reseals for end-user (gives simplified OOBE) 1. This requires TPM 2.0 (rules out almost all of our existing devices) 1. Lots more we could talk about -- * Administrator-based enrollment methods * Hybrid Azure AD Join * Bulk enrollment ??? ### Hybrid AAD Join 1. Use GPO to connect devices to AAD/Intune 1. Bulk enrollment 1. Use Windows Configuration Designer to create Provisioning package 1. Provisioning package contains info to join device to AAD (token) 1. Can be configured to blow-away device vendor-added apps as part of setup 1. Drop token on flash drive; plug in at OOBE 1. If installing Win 10 off of flash drive, basically automagic! -- * Our process: Bulk enrollment, Fresh Start reset ??? ### Our process 1. "Gray glove deployment" 1. Gives users almost experience of AutoPilot white glove deployment, not require TPM 2.0 (1.2) 1. Use bulk enrollment (quickly join w/provisioning package)--devices w/Win 10 or as OS upgrade --- template: citn-template # π¨ Random Tasty Tidbits ??? Wasn't sure where else to put this stuff... -- * π BitLocker: Key escrow to Azure AD, Intune policy for automatic encryption ??? ### BitLocker 1. Super easy to set up, no good reason not to be deploying if have TPM > 1.2 -- * π Azure AD Sign-in logs ??? ### Sign-in logs 1. Quickly see user sign-in logs, flagged for risk -- * π Azure Cloud Shell ??? ### Azure Cloud Shell 1. Containerized powershell instance in browser (on Linux)...nice because you're probably already authed with MS account 1. Pennies per month for Azure storage account -- * π Intune: Compliance policies ??? ### Compliance policies 1. Specify standards for your device to meet for nice green status boxes 1. BitLocker enabled, Win ver > x, etc. 1. Can be combined with conditional access rules in AAD. Powerful! -- * π± Mobile App Management ??? ### Mobile App Management 1. Specify configuration for apps users use, without needing device in MDM 1. Use w/conditional access to force users to use MS apps (email...not os native) 1. Create sandboxed, encrypted environment on personal device for org data 1. Can wipe just org data if you want 1. Big Win: Don't need to manage entire device, just apps w/access to your data. 1. Works in conjunction w/conditional access to force approved apps --- template: citn-template # Conclusion: Is this the right fit? -- * What are your dependencies on traditional AD? Can they be eliminated? * LDAP, RADIUS, traditional Windows Auth -- * Our goals: * Best fit for ministry needs within licensing and cost constraints * Better Windows device management: NO MORE IMAGING!! π * SSO for SaaS apps * Mobile Application Management (MAM) * Device-agnostic, user-driven, available-from-anywhere experience * Most future proof solution --- template: citn-template class: center, middle, inverse ## π billdeitrick.com/citn2019 ## π§ bill.deitrick@cwc.life ## π¨ @billdeitrick (CITN Slack)