An introduction to conditional access in ConfigMgr (current branch)

Do you want to keep non-compliant devices from accessing critical company data and prevent otherwise authenticated end users from opening their Exchange store from a non-compliant device, whether it is hosted or on-premise?

Oh snap, y’all.

Something relatively (but not really) new in ConfigMgr is conditional access for managed devices. Now, this is not your father’s NAC solution, but rather a way for Microsoft to leverage the integration among its services to give you some push-button protection. I’ll do my best to explain how it all works, but you can read this TechNet article for a primer.

The first component of this magic is Office 365. You may already be leveraging the mobile device management features that are built in. They look like this:

[Image: office protection center]

While that is some really nice functionality, if you have ConfigMgr deployed and are feeling froggy – you can go waaaaaaaaaaaay beyond MDM.

Here’s where the conditional access chickens come home to roost, and your investment in Office 365 gets weaponized.

You see, when your Exchange and SharePoint services are already in the cloud (remember, the magic IT thing?) and you have a management conduit to those services (a la ConfigMgr service connection points), that enables you to do unicorn-level rocket ship engineering with just a few clicks.

Hint: If you need some background on integrations available with ConfigMgr read this article on TechNet.

Let’s dig a little deeper and see how this works. The following diagram is taken from this TechNet article covering ConfigMgr 2012 R2 and shows the basic workflow for conditional access:

The first thing you’ll notice is that two things are checked before conditional access policy is evaluated:

  1. Am I targeted by a policy?
  2. Am I exempted from the targeted policy?

If you are not targeted or are exempted from that policy, then the device is permitted to connect to the service.

If the device is non-compliant in any way, whether that policy comes from Intune or ConfigMgr, or the device is not joined to an authorized domain, it will be denied access to the protected service.
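The decision flow described above, as an added PowerShell example that is not from the original post or from Microsoft: a what-if pass over a device list that records why each device would be allowed or denied. The property names, group names, domain and sample devices are all constructed assumptions, and the function is a simplified model of the workflow, not the service's evaluation engine.

```powershell
# Simplified model of the workflow described above, not Microsoft's evaluation engine.
# Property names, group names and sample devices are constructed for illustration.
function Test-ConditionalAccess {
    param([Parameter(Mandatory)] $Device, [Parameter(Mandatory)] $Policy)
    $result = [ordered]@{ Device = $Device.Name; Access = 'Allow'; Reason = '' }

    # Check 1: is the device's user in a group the policy targets?
    $targeted = @($Device.UserGroups | Where-Object { $Policy.TargetedGroups -contains $_ })
    # Check 2: is the user in a group exempted from the policy?
    $exempted = @($Device.UserGroups | Where-Object { $Policy.ExemptedGroups -contains $_ })

    if ($targeted.Count -eq 0) { $result.Reason = 'Not targeted by policy' }
    elseif ($exempted.Count -gt 0) { $result.Reason = 'Exempted from policy' }
    else {
        # Only now are compliance and domain join evaluated; record every failure.
        $failures = @()
        if (-not $Device.Compliant) { $failures += 'non-compliant' }
        if ($Policy.AuthorizedDomains -notcontains $Device.Domain) {
            $failures += 'not joined to an authorized domain'
        }
        if ($failures.Count -gt 0) {
            $result.Access = 'Deny'
            $result.Reason = $failures -join '; '
        } else { $result.Reason = 'Compliant and joined to an authorized domain' }
    }
    [pscustomobject]$result
}

$policy = @{
    TargetedGroups    = @('Exchange-Users')
    ExemptedGroups    = @('CA-Exempt')
    AuthorizedDomains = @('corp.example.com')
}
# Constructed inventory: one device per branch of the flow.
$devices = @(
    [pscustomobject]@{ Name = 'LAPTOP-01'; UserGroups = @('Exchange-Users'); Compliant = $true;  Domain = 'corp.example.com' }
    [pscustomobject]@{ Name = 'LAPTOP-02'; UserGroups = @('Exchange-Users'); Compliant = $false; Domain = 'corp.example.com' }
    [pscustomobject]@{ Name = 'HOME-PC';   UserGroups = @('Exchange-Users'); Compliant = $false; Domain = $null }
    [pscustomobject]@{ Name = 'EXEC-TAB';  UserGroups = @('Exchange-Users', 'CA-Exempt'); Compliant = $false; Domain = $null }
    [pscustomobject]@{ Name = 'VENDOR-01'; UserGroups = @('Contractors'); Compliant = $false; Domain = $null }
)
$devices | ForEach-Object { Test-ConditionalAccess -Device $_ -Policy $policy } | Format-Table -AutoSize
```

EXEC-TAB and VENDOR-01 are allowed without any compliance check, which is why the targeted and exempted group memberships deserve the same review as the compliance rules themselves.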

Why is this important?

It’s pretty simple – by combining ConfigMgr with Intune (and EMS!) and leveraging the conditional access feature set you are able to limit or deny access to services and data that properly authenticated end users would otherwise be able to obtain and potentially exfiltrate – with no additional systems or software.

Of course, there are some limitations and gotchas here – depending on the device operating system, whether the device is managed by standalone ConfigMgr or a hybrid implementation with Intune… and the specifics of your Office 365 subscription.

Interested? Make sure you check here ‘before you start’ any implementation design.

The status quo isn’t working

Warning: Bold claims within!

OK, let me give you some background first.

If you read my post about how what you don’t know about systems management might kill you, you know I’ve been very focused on systems management for quite some time. Having seen several generations of tools and processes, I wanted to share some best practices.

Whether you are evaluating, deploying, optimizing or scanning your logs in a desperate attempt at remediation, you are probably seeing at least one of these conditions:

Architecture health is < 100%

If the platform is not healthy, your site infrastructure won’t be either. If your sites are not healthy, you can’t manage end points. If you can’t manage end points, you can’t do anything.

You have > 1 deployment process

When I see more than a single hardware-independent deployment or provisioning process, I think of the good ol’ XP and Vista days. When I think about Windows Vista, I get angry. You don’t want to make me angry – and you don’t want to update more than one disk image or task sequence.

Are you leveraging offline servicing to keep your disk images up-to-date?

Patch compliance is < 98%

You simply cannot afford anything less. Sure, the number is arbitrary. But the process know-how to get to a high performance metric and back it up with analytics will help drive your protection and threat mitigation strategy to a high maturity. That’s what you want, by the way 🙂

It takes more than 5 minutes to produce actionable asset intelligence

Do you get drop-bys from Really Important People who want to know “how many copies of Adobe Acrobat Pro are installed, which version and are they being used?” Do you panic at the invisible complexity no one else sees or thinks about? If you can’t produce results on demand, something is out of line with best practice.

If you’d like more information about how we approach systems management at ITS, you can grab a copy of our newest insights whitepaper at the company website. If you’d like to learn more about the new ConfigMgr-as-a-Service offering from my team please let us know here.

SCCM 2012 & 2012 R2 Scalability Improvements

With the forthcoming service packs for SCCM 2012 and SCCM 2012 R2, you can now scale a hierarchy to 600,000 managed devices (50% increase from 400k) and a standalone primary site now can manage a maximum of 150,000 devices (also 50% increase from 100k).

We’ll be testing these scalability numbers over at ITS Partners in the coming weeks and I’ll update this post with our findings.

ConfigMgr Client settings for Cloud DP on Azure?

If you are interested in leveraging Distribution Point on Azure, or are testing, you may have run into a very simple issue – clients won’t use that cloud DP. After you configure your Cloud DP (as an SCCM administrator), you must also configure your default client settings or create a custom device settings policy that enables your CM clients to use it. Watch the attached video to learn how!

Support for SQL Server 2014 in System Center 2012 R2 Configuration Manager (SCCM)

Those of you installing shiny new instances of Windows Server 2012 R2 and SQL Server 2014 may be disappointed when you fire up prereqchk.exe and find out you can’t proceed with your ConfigMgr installation.

SQL Server 2014 is supported for CAS, Primary Site and Secondary Site databases in SCCM 2012 R2 with CU4+, but you must first install a previous supported release of SQL Server (e.g. SQL Server 2012 SP2) in order to install ConfigMgr. After the install, you may then upgrade your SQL Server to 2014.

The following footnote is found under Configurations for the SQL Server Site Database in the TechNet article Supported Configurations for Configuration Manager:

This version of SQL Server is only supported when you upgrade the install of SQL Server that hosts an existing site database to this version of SQL Server.