Windows Server 2012 R2 Live Meeting

Bring your own device using AD FS

Wednesday 2 April 2014, 19:00 – 20:00

Chris Spanougakis MCT, MVP Directory Serviceschris@systemplus.gr

WhoamI

• Microsoft Certified Trainer since 2000

• Microsoft Most Valuable Professional in Directory Services since 2008

• IT Consultant, teaching, travelling

• Twitter @spanougakis

• Blog http://www.spanougakis.com

agenda

• What is Work Folders?• Implementation of Work Folders using ADFS• Work Folders with File Server Roles• Workplace Join using ADFS• Demos• Links• Questions

Enabling work from anywhere

IT can publish access to resources with the Web Application Proxy based on device awareness and the users identity

IT can provide seamless corporate access with DirectAccess and automatic VPN connections.

Users can work from anywhere on their device with access to their corporate resources.

Users can register devices for single sign-on and access to corporate data with Workplace Join

Users can enroll devices for access to the Company Portal for easy access to corporate applications

IT can publish Desktop Virtualization (VDI) for access to centralized resources

BYOD

http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-8-1/compare/default.aspx

Consumer

/ personal

data

Individual work data

Team /

group

work data

Personal

devices

Data location

SkyDrive Public cloud

SkyDrive Pro SharePoint / Office 365

Work Folders File server

Folder Redirection / Client-Side Caching

File server

File Sync Solutions

New File Server Role in Windows Server 2012 R2New file sync protocol over HTTPSNon-Work Folder clients can connect via SMBWorks with other File Server RolesRequires Locally Attached DiskWork Folder ShareRequires Public or Private PKIUser must be a member of a Sync Group

Work Folders Prerequisites

• Windows 8.1 Domain Joined

• Windows 8.1 Non-Domain Joined

• Windows 8.1 RT

• Windows 7 (with agent software, coming soon)

• iPad (coming soon)

Work Folders Clients

Options to connect

• Auto-Discovery• User types his e-mail address

• By using a URL• User types the URL

• Opt-in (GPO, SCCM, Intune)• User decides when to connect

• Mandatory (GPO, SCCM, Intune)• Forced, automatic

• Install the FS role on Windows Server 2012 R2 and enable Work Folders

• Create a DNS entry for workfolders.yourdomain.com

• Open port 443 on your firewall and publish the FS

• Create or use the server certificate and verify that is used by https web app

• Create users, groups, GPOs

• Configure the Windows 8.1 client

Where to start

GPOs & Certificates

• netsh http show sslcert• netsh http delete sslcert hostnameport=dc.testlab.com:443• netsh http add sslcert hostnameport=dc.testlab.com:443

certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY

• Use it to force automatic setup, so the user should not type his e-mail address or WorkFolders URL

• It’s a good idea to use https instead of http

• It’s also a good idea to use a public PKI certificate...

• TechNet - http://blogs.technet.com/b/in_the_cloud/archive/2013/07/10/what-s-new-in-2012-r2-making-device-users-productive-and-protecting-corporate-information.aspx

• How to deploy Test Lab - http://blogs.technet.com/b/filecab/archive/2013/07/10/work-folders-test-lab-deployment.aspx

• Work Folders - http://technet.microsoft.com/en-us/library/dn296644(v=wps.630).aspx

• PowerShell http://technet.microsoft.com/en-us/library/dn296644(v=wps.630).aspx

• Selective Wipe - http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/protecting-corporate-data-on-mobile-devices.aspx

Work Folders Links

Work Folders Demousing ADFS

Workplace Join

Associates the device with a user Provides a seamless second factor authentication Enables IT to conditionally restrict access only to workplace joined

devices

Enables a better end user experience with SSO

Avoids risks involved in saving passwords with each application Avoids users having to repeatedly enter their credentials

Enabled by device registration service in AD FS

Expanding device support

Limited accessNo IT Control

Device at work with IT governance & controlled access to apps

Company owned device with full IT

control & full access

Active Directory

Not Joined to AD Workplace Joined Domain Joined

• Active Directory Domain• Active Directory Federation Server

Role• Managed Service Account for the

ADFS Service:• Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10) • New-ADServiceAccount FsGmsa -DNSHostName adfs.contoso.com –ServicePrincipalNames

http/adfs.contoso.com

• Certificate for the ADFS Server:• Subject Name (CN): adfs.contoso.com

Subject Alternative Name (DNS): adfs.contoso.com

Subject Alternative Name (DNS): enterpriseregistration.contoso.com

Workplace Join Prerequisites

See all the detailed steps here: http://technet.microsoft.com/en-us/library/dn280939.aspx

• Authenticate the users using one more…. Factor

• Microsoft Azure can help with PhoneFactor

• Phone calls or SMS can be used for additional authentication

Multi-Factor Authentication

Workplace Join Demousing ADFS

Έχετε Windows 8? Κατεβάστε την δωρεάν εφαρμογή!

Q&AQuestions And Answers

@spanougakis spanougakis

www.spanougakis.com

www.systemplus.gr chris@systemplus.gr

Get in touch

Windows Server 2012 R2 Live Meeting

Thank you!

Chris Spanougakis MCT, MVP Directory Serviceschris@systemplus.gr