2FA for Apple ID is available, do it now! (or don’t, see within)

On March 21st, Apple made two-factor authentication available for certain devices running iOS 9.3 or MacOS X El Capitan.

Now, let me save you some time.

If you are following the instructions, but not seeing 2FA available in your iCloud security settings, you probably have two-step verification already enabled.

In order to configure 2FA, you will have to disable two-step verification from one of your devices. This will require you to provide some inane ‘security question’ answers, but don’t worry – you won’t use them a single time.

One other note – if you’re signing into a MacOS X device with your iCloud credential, that goes away as well. You will be required to set a new local password that will be used to gain access if you cannot access your 2FA device(s). This may be a challenge for centrally managed environments, and could violate one or more of your internal policies. So please ask your IT department before doing this on a company-owned or managed device.

Once you’ve disabled two-step verification, you can follow the instructions linked above to configure 2FA. It’s pretty slick!

Here’s the notification I received on my Mac when changing a setting on my iPhone that required iCloud authentication:

[Screenshot: iCloud authentication notification on the Mac, 2016-05-02]

So, what does the status quo look like?

If you are following my blog, you know I focus on systems management. If you’re new to my world, check this out for a primer.


When it comes to managing infrastructure, deploying content and enabling productivity – there is a right way, and then there’s everyone else. I’m not making the argument that this is a simple binary equation (e.g. either you are optimized or you are not). What I’m going to lay out in this piece are the signatures of an incomplete or immature strategy. It’s not meant to insult anyone, rather I have found in my hundreds of exposures to enterprise IT organizations that there are some key indicators upon which we can rely. Maybe as starting points, or in some cases, switches we can ‘flip’ to radically increase productivity.

Let’s take a look:

Indicator #1: Upgrade Hamster Wheel

So, something doesn’t work and the team thinks we need to upgrade to get it? Or maybe the vendor said “that feature is in our next release.” None of this is new to IT, but what you might be missing is how your internal maturity can affect this decision tree. That is, if you have a decision tree (zing!). 

More often than not, you are upgrading because you think you need a new feature or capability. Let’s back up the software truck a minute though, and consider how we got here.

IT Director says “Godfather (probably the CIO) wants Windows 10 on his desktop. When will it be ready?”

IT Admin says “Well, if I drop everything I can have an image ready by next month. But…”

IT Director says “Great! I’ll go tell him now (so I can look like I get things done)!”

IT Admin /logs off mentally

How many times have you seen this interaction in your IT organization? How many times has it happened to you?

There are sooooooooo many shiny things out there. Even this guy (points thumbs backwards) is known as Shadow IT ™ around the ITS offices. What can YOU do differently?

It’s pretty simple, but it’s not something the IT Admin or IT Pro can do (without some risk to themselves). Better decision making, and higher maturity, begins with the CIO. And that CIO should be embedding a process-driven decision tree framework in their directors and managers. I’m not going to give away all the secrets here, but let’s look at how that conversation goes in a higher-maturity shop:

IT Director says “Godfather (probably the CIO) wants Windows 10 on his desktop. When will it be ready?”

IT Admin says “Excellent, I’m also excited about Windows 10 and what it can do for our business. I have been thinking a lot about how we can streamline our patch compliance ops with Windows Updates for Business and that will be a key part of our Windows deployment strategy. Who can we leverage internally to build the business case? I’m happy to lead this effort and why don’t we aim for a presentation to the CIO in 30 days?”

IT Director says “Uh, yeah. That sounds good. I’ll set up the meeting (so I look competent at least) for you to present your findings.”

IT Admin /sips coffee, enjoys living in a world where decisions are not made outside of business processes and feels internal joy

You’re right though – it’s not that simple.

However, I will argue there are a few things that must be in place to ensure a better outcome. You may not think these are relevant to systems management, but they are.

Behold, thy truths:

  1. There are defined release and support cycles for operating systems
  2. There is a rapid-response protocol for new device form factors and use cases
  3. There is a cross-functional IT architecture team that drives all decision making for new releases
  4. Your business unit has an approved financial model in which you can evaluate the business benefits of any change or new release

Indicator #2: You always need consulting

I have been a consultant, and now I help manage an IT consultancy. Might seem crazy that I suggest this is a problem… let me explain why!

My view has always been that you shouldn’t bring a consultant in because you don’t know how to do something. You bring in outside expertise to get the benefits of their field experience and help accelerate your project. It’s about wisdom, not skill. We are all smart people… and frankly why would you pay someone else to push the Next button?

Anyways, where we see this problem become business-impacting is when your operations or project offices default to consulting for any change or incident. This is a leading indicator that your team is either under-staffed (meaning they don’t have time, and need outside augmentation) or unsure of how to proceed (there is a process problem).

The real point here is you should have a set process that includes a step to consider outside consulting. The process should not start with nor rely upon outside resources.

Indicator #3: FTEs go up, but productivity does not

If you are an IT manager or director, you probably have a handful of key people that get things done for you. When a new solution is brought in, or IT expands operations, it is natural to take on additional staff to manage the new workloads.

There are a couple different ways to measure your productivity here: inside the IT team, and within the end user community. Let’s dive in:

IT Pros

Teams should have a defined set of responsibilities, and those should be matched against the available time and broken down by service or product owners. You cannot improve what you don’t measure, and if you’re not measuring you are stuck.

End Users

The ultimate metric for most systems management teams is the relative happiness of their end users. These are the folks that need apps & data to be productive. If you’re not giving them what they want, the way they expect and without compromises – you are probably losing traction with the community that can provide the most leverage for budget allocation – or worst case, your right to exist in the larger organization.

Give people what they want, or they will find someone else who will.

Indicator #4: Process questions are answered with vendor terminology

Finally, this one is a red light and air raid siren for most CIOs. If you ask your team how something will get done, and the answer is specific to one vendor or product – you’re starting from the wrong place.

Systems and processes need to be born from hard wrenching the challenges to your business, not the tools or suppliers that help you deliver the necessary outcomes.

When you break it down to the most basic level, you need to define your why, which will lead you to developing the how. This all needs to happen before you start talking to vendors about how their offerings can help you deliver that.

An introduction to conditional access in ConfigMgr (current branch)

Do you want to keep non-compliant devices from accessing critical company data and prevent otherwise authenticated end users from opening their Exchange store from a non-compliant device, whether it is hosted or on-premise?

Oh snap, y’all.

Something relatively (but not, really) new in ConfigMgr is conditional access for managed devices. Now, this is not your father’s NAC solution, but rather a way for Microsoft to leverage the integration among its services to give you some push-button protection. I’ll do my best to explain how it all works, but you can read this TechNet article for a primer.

First component to this magic is Office 365. You may already be leveraging the mobile device management features that are built in. They look like this:

[Screenshot: Office 365 protection center]

While that is some really nice functionality, if you have ConfigMgr deployed and are feeling froggy – you can go waaaaaaaaaaaay beyond MDM.

Here’s where the conditional access chickens come home to roost, and your investment in Office 365 gets weaponized.

You see, when your Exchange and Sharepoint services are already in the cloud (remember, the magic IT thing?) and you have a management conduit to those services (a la ConfigMgr service connection points) that enables you to do unicorn-level rocket ship engineering with just a few clicks.

Hint: If you need some background on integrations available with ConfigMgr read this article on TechNet.

Let’s dig a little deeper and see how this works. The following diagram is taken from this TechNet article covering ConfigMgr 2012 R2 and shows the basic workflow for conditional access:

The first thing you’ll notice is that two things are checked before conditional access policy is evaluated:

  1. Am I targeted by a policy?
  2. Am I exempted from the targeted policy?

If you are not targeted or are exempted from that policy, then the device is permitted to connect to the service.

If the device is non-compliant in any way, whether that compliance policy comes from Intune or ConfigMgr, or the device is not joined to an authorized domain, it will be denied access to the protected service.
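To make that evaluation order concrete, here is a small model of the decision flow as an added example (it is not code from the original post and not a Microsoft API); the Device and ConditionalAccessPolicy fields, the group names and the device names are constructed for the illustration.

```python
# Added example, not code from the original post or from Microsoft: a small
# model of the conditional access evaluation order described above. The Device
# and ConditionalAccessPolicy fields, group names and device names are
# assumptions constructed for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Device:
    name: str
    groups: Set[str]              # directory groups the device/user belongs to
    domain_joined: bool           # joined to an authorized domain?
    intune_compliant: bool        # result of the Intune compliance policy
    configmgr_compliant: bool     # result of the ConfigMgr compliance policy


@dataclass
class ConditionalAccessPolicy:
    service: str                  # protected service, e.g. "Exchange Online"
    targeted_groups: Set[str]
    exempt_groups: Set[str] = field(default_factory=set)


def evaluate(policy: ConditionalAccessPolicy, device: Device) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) following the workflow in the article:
    1. not targeted -> allow; 2. exempted -> allow; 3. non-compliant (Intune or
    ConfigMgr) or not domain-joined -> deny; 4. otherwise allow."""
    if not (device.groups & policy.targeted_groups):
        return "allow", "not targeted by policy"
    if device.groups & policy.exempt_groups:
        # Exemption is checked before compliance, so an exempt device gets in
        # even when it is non-compliant: exempt groups are a bypass, audit them.
        return "allow", "exempted from policy"
    if not device.domain_joined:
        return "deny", "not joined to an authorized domain"
    if not (device.intune_compliant and device.configmgr_compliant):
        return "deny", "device is non-compliant"
    return "allow", "targeted, compliant and domain-joined"


def evaluate_fleet(policy: ConditionalAccessPolicy,
                   devices: List[Device]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every device and return {device name: (decision, reason)}."""
    return {d.name: evaluate(policy, d) for d in devices}


# Constructed sample fleet: one policy protecting Exchange for the "staff"
# group, with the "exec-exempt" group excluded from it.
EXCHANGE_POLICY = ConditionalAccessPolicy(
    service="Exchange Online", targeted_groups={"staff"}, exempt_groups={"exec-exempt"}
)
SAMPLE_DEVICES = [
    Device("LAPTOP-OK", {"staff"}, True, True, True),
    Device("LAPTOP-STALE", {"staff"}, True, True, False),      # ConfigMgr: non-compliant
    Device("BYOD-PHONE", {"staff"}, False, True, True),        # not domain-joined
    Device("CEO-TABLET", {"staff", "exec-exempt"}, False, False, False),  # exempt bypass
    Device("LAB-BOX", {"lab"}, False, False, False),           # not targeted at all
]

if __name__ == "__main__":
    for name, (decision, reason) in evaluate_fleet(EXCHANGE_POLICY, SAMPLE_DEVICES).items():
        print(f"{name:<13} {decision:<5} {reason}")
```

The CEO-TABLET row is the one to notice: it fails every check but is allowed because the exemption is evaluated before compliance, which is why exempt groups deserve the same review as the policy itself.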

Why is this important?

It’s pretty simple – by combining ConfigMgr with Intune (and EMS!) and leveraging the conditional access feature set you are able to limit or deny access to services and data that properly authenticated end users would otherwise be able to obtain and potentially exfiltrate – with no additional systems or software.

Of course, there are some limitations and gotchas here – depending on the device operating system, whether the device is managed by standalone ConfigMgr or a hybrid implementation with Intune… and the specifics of your Office 365 subscription.

Interested? Make sure you read the ‘before you start’ guidance here before any implementation design.

Want updates? Better deploy Windows 10 now

A reasonable IT Pro may cast suspicion here…

However, in a post on the Windows Experience Blog, EVP Terry Myerson states the following:

…Today we are clarifying our Windows support policy:

Windows 7 will continue to be supported for security, reliability, and compatibility through January 14, 2020 on previous generation silicon. Windows 8.1 will receive the same support through January 10, 2023. This includes most of the devices available for purchase today by consumers or enterprises.

Going forward, as new silicon generations are introduced, they will require the latest Windows platform at that time for support. This enables us to focus on deep integration between Windows and the silicon, while maintaining maximum reliability and compatibility with previous generations of platform and silicon. For example, Windows 10 will be the only supported Windows platform on Intel’s upcoming “Kaby Lake” silicon, Qualcomm’s upcoming “8996” silicon, and AMD’s upcoming “Bristol Ridge” silicon.

Through July 17, 2017, Skylake devices on the supported list will also be supported with Windows 7 and 8.1. During the 18-month support period, these systems should be upgraded to Windows 10 to continue receiving support after the period ends. After July 2017, the most critical Windows 7 and Windows 8.1 security updates will be addressed for these configurations, and will be released if the update does not risk the reliability or compatibility of the Windows 7/8.1 platform on other devices.

The bottom line is that Intel and Microsoft have made a deal, and that deal involves you not getting updates for the magical combination of new hardware and old operating systems.

What should you do here?

In my opinion, there’s not much reason to hold off on Windows 10 at this point anyways. The stability is there, and the experience is compelling. When you look at the capabilities of your systems management tool for Windows 10, combined with the Enterprise Mobility Suite, you really can manage any device, anywhere.

If your organization has a refresh cycle for end user computing, and I hope that’s the case, make sure you understand these key dates:

  • Windows 7 will receive updates through 1/14/2020 on previous generation chipsets
  • Windows 8.1 will receive updates through 1/10/2023 on previous generation chipsets
  • Windows 10 will be required for any new chipsets going forward from now
  • All in, you should be executing on a migration to Windows 10 with a completion date before 7/17/2017

Finally, there has been an update to the original blog post that clarifies which Skylake devices (broken out by manufacturer) will support Windows 7 and 8.1 until 7/17/2017.

Update (3/18/2016): Yet another modification to this policy, with an extension to 7/18/2018. Details at this TechNet article.

The status quo isn’t working

Warning: Bold claims within!

OK, let me give you some background first.

If you read my post ‘What you don’t know about systems management may kill you’, you know I’ve been very focused on systems management for quite some time. Having seen several generations of tools and processes, I wanted to share some best practices.

Whether you are evaluating, deploying, optimizing or scanning your logs in a desperate attempt at remediation you are probably seeing at least one of these conditions:

Architecture health is < 100%

If the platform is not healthy, your site infrastructure won’t be either. If your sites are not healthy, you can’t manage end points. If you can’t manage end points, you can’t do anything.

You have > 1 deployment process

When I see more than a single hardware-independent deployment or provisioning process, I think of the good ol’ XP and Vista days. When I think about Windows Vista, I get angry. You don’t want to make me angry – and you don’t want to update more than one disk image or task sequence.

Are you leveraging offline servicing to keep your disk images up-to-date?

Patch compliance is < 98%

You simply cannot afford anything less. Sure, the number is arbitrary. But the process know-how to get to a high performance metric and back it up with analytics will help drive your protection and threat mitigation strategy to a high maturity. That’s what you want, by the way 🙂

It takes more than 5 minutes to produce actionable asset intelligence

Do you get drop-bys from Really Important People who want to know “how many copies of Adobe Acrobat Pro are installed, which version and are they being used?” Do you panic at the invisible complexity no one else sees or thinks about? If you can’t produce results on demand, something is out of best practice.

If you’d like more information about how we approach systems management at ITS, you can grab a copy of our newest insights whitepaper at the company website. If you’d like to learn more about the new ConfigMgr-as-a-Service offering from my team please let us know here.

What you don’t know about systems management may kill you

I have seen a lot of endpoint trends come and go over my fifteen-plus years in enterprise technology. From the very first ‘mobile’ devices from Palm and HP (iPaq… the first iDevice!) to VDI and now the wave of constantly iterating MDM and mobile security platforms…

I ask myself, what’s a thoughtful CIO to do here?

In the interest of clarity, I should say that I have really only worked with two technologies throughout my IT career: Symantec’s Altiris technology and Microsoft System Center (the artist formerly known as Systems Management Server). There have been a few other brief flirtations (JAMF Casper, LANDesk, etc) but for the purposes of this article assume the commentary is relevant to what I know best.

Now, back to the question I posed. If you are leading a technology organization, or even running a growing business…do you know:

  • All of the form factors in the hands of your end users?
  • The number of solutions deployed to manage those devices?
  • Your patch compliance across the entire ecosystem?
  • What to do in case of emergency?

My experience tells me that you probably don’t know the answer to any of those questions, let alone all of them. The good news is there’s probably someone that can identify the gaps and assess your risk (hint: it’s me, or another grizzled veteran of the Windows Vista wars).

But before you invest any time in the answers… let me give you a few hard truths:

  1. It’s impossible to manage risk without asset intelligence
  2. There are too many complex tools doing too many things
  3. You cannot secure devices you can’t manage
  4. Operational maturity is measured by how your team reacts to an advanced/persistent threat

With respect to asset intelligence, this is not an argument that your ITAM program is broken (but if you think it is, go look at this). The simple fact is you must know who is using what, where they are, and if they are using those tools for approved purposes. This is the difference between merely having information and having intelligence.

I am also willing to bet that you have separate MDM, MAM and endpoint management tools. This used to be a necessity, but with the rise of the hybrid architecture (watch out for the Azure Shark!) we can stitch the right tool with the right team to accomplish your systems management mission.

Do you have a single systems management platform?

Finally, when the fudge hits the ceiling fan you’ll find out whether you have asset intelligence that is actionable, enabling you to touch those devices and support your remediation mission. If you are a CISO/CSO reading this and want to have some fun – go ask your desktop guys for a live dashboard showing the manufacturer, model and operating system of every device with access to company IP. Keep in mind that is only a surface-level reading of your exposure.

Did they run away, or just pass out?

Windows 10 is going to change your business, and there’s nothing you can do to stop it

In your organization, you have quite a few people who were born digital. What Microsoft has figured out, that you may not have (yet)… is that these folks have an expectation that they can work anywhere they want.

The fact that you need to embrace a mobile-first workforce is not new, and even I am cringing at using some played-out buzzwords. So what do you need to know – that you don’t already?

Windows 10 is going to fundamentally change the way you do business, and there’s little you can do to resist that change.

Let’s break it down, based on what we know today:

  • Cortana in Windows 10 means you can talk to your “work” device like you talk to your iPhone with Siri (or your Android with Google Now, or your WinPhone with… Cortana!)
  • Windows Hello means your digital natives are going to expect that their computer greets them, much in the way their phone gives them data on a lock screen – and they’re not going to tolerate complex login processes or gasp! – having to VPN in first. (Seriously, do you want to hire and retain the best?)
  • OneNote, combined with Office 365 and a Surface Pro or iPad Pro is the magical triangle of productivity. Sure, you can use Office apps on many devices but that will involve some compromises. I can see at least 3 Surface Pro 3’s in this Starbucks where I am writing right now.

Now, maybe you are a stodgy last-generation CIO and you don’t believe all of this hooey about digital natives and how they are gonna tell you how to do your job…

My point is that you better figure this out if you want to keep your job and move your organization from a cost center to something that generates real and measurable business value.

Here’s what you need to do today. Right now, in fact.

  1. Set a top-down adoption strategy to move your organization from Windows 7 (or Windows XP?!) to Windows 10, built on a consistent and repeatable process for in-place migration.
  2. Determine how you will build a comprehensive view of systems management that no longer makes a distinction between a “mobile” device and an endpoint. Manage them all, in one place.
  3. Stop worrying about how to protect it or manage it. Find a way to make people productive.

Questions? Hit me up on Twitter!