Wednesday, May 11, 2016

Why manage Mobile Devices?

There are many blogs and news articles about which solution is better but very few talk about the Why?  Let’s not start into the debate of the BYOD (Bring Your Own Device) question.  Let’s look more fundamentally at the “why” part.

Companies are anxious about viruses, lost laptops and data breaches but this landscape was never thought of until well after ARPANET started to connect machines in 1969.  It was believed that everyone would work together and security was not well thought of at the time.  Later they started to inflict rules and policies like, don’t send personal data or personal emails over the network.  It was when Morris created what would be later known as the first worm in 1988 and released it to gauge the depth of the Internet and wreaked havoc on the machines that everyone took a serious view of why we need to protected the landscape and write better code.  We have now seen the ability to crash an IPHONE with a special Text message.  What is next?

Why do we want mobile device management?

Control over:

  • Upgrades of Operating System
  • Software install/upgrade of applications
  • Access, Policy and settings
  • Geo-fencing of data or applications
  • What about what we haven’t thought of?

This is just a small view of what companies want to control.  If there is a vulnerability in the OS of the device, grant them control of what do to: Upgrade the device, lock it down, etc.  Everyone wants to protect the company.  I am not going to move into the “user rights vs company protection”. 

You can see many of the desktop management slowly moving to the mobile devices such as policy restrictions, software installs or upgrades.

Let’s think further down the road why it is important to manage not just the mobile devices we carry in our pocket but the IoT (Internet of Things) that run our lives!

Just as you now have A/C, washer, sprinkler service areas, you will soon have more of an IT service personnel at your house making sure they all talk to each other and the “central office”.  No longer will you just have the IT repair person come fix your computer nor will you take your machine to the store to be fixed.  You will have them come in and perform an inspection, yearly or monthly maintenance on devices that control your life.  Each one of your devices might require software, firmware, or possibly even a chip/board upgrade to keep your house secure and compliant.  You don’t want someone hacking your thermostat to gain access to your electronic safe or worse, turn off the security system, open the garage door and walk in.

It is important that all companies and even individuals look in to management of Internet based devices.  Soon the consumer might need to manage their other devices much like they do their car, A/C unit and other “maintenance required” equipment, only this time it is an electronic device interacting with other devices and possibly the Internet.

Embrace device management, no matter if you’re an individual, big or small company.  I look forward to the protection and management of all devices.

This is why Microsoft increased the cadence of Software releases and is slowly adding features to Intune. 

Check out the April 2016 feature list:

Friday, March 11, 2016

Now Available: Update 1602 for System Center Configuration Manager

For those waiting in anticipation for 1602, here if the official release

The major enhancements to this release is the Servicing of Windows 10 and the health Attestation. 

Windows 10  health is a vital part of this upgrade because you need to be aware of client health.  You also want to be aware of which version of Windows 10 is running on the devices.  This the first of many advances we will see with Current Branch for both Windows 10 and Configuration Manager.

  • Client Online Status: You can now view the online status of devices in Assets and Compliance. New icons indicate the status of a device as online or offline.
  • Support for SQL Server AlwaysOn Availability Groups: Configuration Manager now supports using SQL Server AlwaysOn Availability Groups to host the site database.
  • Windows 10 Device Health Attestation Reporting: You can now view the status of Windows 10 Device Health Attestation in the Configuration Manager console to ensure that the client computers have a trustworthy BIOS, TPM, and boot software.
  • Office 365 Update Management: You can now natively manage Office 365 desktop client updates using the Configuration Manager Software Update Management (SUM) workflow. You can manage Office 365 desktop client updates just like you manage any other Microsoft Update.
  • New Antimalware Policy Settings: New antimalware settings that can now be configured include protection against potentially unwanted applications, user control of automatic sample submission, and scanning of network drives during a full scan

Thursday, February 25, 2016

Not Ready to move to CM 1511, Update to Cu3 for R2Sp1 and for Sp2

Microsoft has provided another CU for ConfigMgr 2012 R2Sp1

To see the complete list revier the KB3135680

Here is the ConfigMgr Team blog article

and some highlights:

Administrator Console

  • The Administrator Console may take longer than expected to expand different nodes, such as the All Users or All Devices nodes. This occurs when the console is installed on a touch-screen enabled computer.
  • The Create Task Sequence Wizard generates an Unhandled exception when the Configuration Manager Console is installed on a computer that is running Windows 10 version 1511.
  • The Configuration Manager console exits unexpectedly when the Task Sequence Editor is used to change a Microsoft Recovery (Windows RE) partition. Additionally, you receive an exception that resembles the following:
    System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
  • The Configuration Manager console exits unexpectedly when you try to add a custom icon for an application that's available in the Application Catalog. This only occurs if the FIPS local/group security policy, 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing', is enabled on the computer that is running the console.

Operating system deployment

  • A task sequence may continue for an application installation failure, even if the Continue on error option is not selected in the task sequence properties. This applies to task sequences installing applications that use a dynamic variable list.
  • A task sequence will try to reinstall applications already installed by using a dynamic variable list if one of the applications is configured to restart the computer. For example, if the third in a list of 3 applications requires a restart, the first and second applications in the list will try to install again after the restart.
  • Use of the pre-provision BitLocker task sequence step during an operating system deployment results in the Trusted Platform Module (TPM) having a status of Ready for use, with reduced functionality.

Microsoft Intune and mobile device management

  • In a Configuration Manager environment in which the Microsoft Exchange Server connector is configured for use with Microsoft Exchange Server 2013, mobile devices aren't listed as expected in the All Mobile Devices node of the administrator console. Additionally, errors that resemble the following are recorded in the EasDisc.log file on the Configuration Manager site server:
    ERROR: [MANAGED] Invoking cmdlet Get-Recipient failed. Exception: System.Management.Automation.RemoteException: Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "$true" could not be converted to type System.Boolean….
    ERROR: [MANAGED] Exception: Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "$true" could not be converted to type System.Boolean."
    ERROR: Failed to check status of discovery thread of managed COM. error = Unknown error 0x80131501

    Note This log entry is truncated for readability.
  • The certificate required to connect to the Intune service cannot be renewed if the Microsoft Intune connector is installed to a server other than the site server, and proxy authentication is required for Internet access.
  • Blocking Exchange ActiveSync access for an enrolled device fails. Errors that resemble the following are recorded in the EasDisc.log file on the site server after the blocking action fails:
    *** [42000][102][Microsoft][SQL Server Native Client 11.0][SQL Server]Incorrect syntax near 'IsUIBlocked'.ERROR: UpdateDeviceAccessState: Execute() failed.

Site Systems

  • The SMS Executive service may exit unexpectedly when it processes a NOIDMIF file that contains a Unicode character invalid for the codepage of the site server.
  • The "Reassign Distribution Point" migration task may stop responding when it tries to reassign a distribution point from a Configuration Manager 2007 secondary site. This occurs if the database record for the 2007 distribution point is removed and replicated to the primary site before the new record is added.
  • The WMI Provider Host (WmiPrvSE.exe) hosting the Configuration Manager Provider (SMSProv) may exceed its memory quota on a site that processes lots of status messages from a custom application. This can result in a loss of connectivity through the Configuration Manager console until the server hosting the provider is restarted.
  • Queries, and query-based collections that use the Windows Update Agent Version as criteria return unexpected results for Windows 10-based computers. This is because the Windows Update Agent Version in hardware inventory data is reported incorrectly in the 6.x range, such as 6.0.10240.16397 instead of the 10.x range, such as 10.0.10240.16397.

Software distribution and content management

  • 3120338 Content can’t be downloaded from Cloud-Based Distribution Points System Center 2012 Configuration Manager Service Pack 2 when BranchCache is enabled
  • Applications deployed to a device that uses the Primary Device global condition will fail if the primary user has an apostrophe in their name.
  • Distribution Points configured for HTTPS communications will be reset to use HTTP communications after other site properties are changed. For example, installing a new Software Update Point can trigger the Distribution Point to revert to HTTP communications. Other Distribution Point settings may also change.
  • 3123884 Application installation fails from the Company Portal in System Center 2012.