Connecting to a Management Infrastructure in the Cloud using BYO & WOA PCs

This week Microsoft announced the Windows 8 Enterprise SKU, which when released will come with a feature called "Windows To Go" that will allow users to store their Windows 8 desktop on a USB drive and boot up that desktop at home or on virtually any other PC.

With more and more people providing their own hardware for work, the "bring your own" (BYO) PC is becoming more commonplace, and IT Pros want to have the confidence that they can support their clients who follow this trend. This "consumerization of IT" trend is the subject of today's Windows 8 blog, which also covers Windows on ARM-based processors (WOA).

"We see this most notably in the smartphone device category, but more recently also in tablets or other portable PC form factors that are increasingly showing up in the workplace. As organizations embrace consumerization, IT must consider how much control they can exert over a user's personally-owned device, and how much management is 'good enough,'" said Jeffrey Sutherland, a program manager lead in the Management Systems group.

He says, "We know that developers are going to find it easy and convenient to build elegant Metro style apps that automatically work on any Windows 8 system including WOA, and developers of line-of-business (LOB) apps won't be any different. But many organizations want to directly control and manage access to their internal LOB apps, including the distribution of the app binaries for installation."

That means that such internal Windows 8 Metro apps cannot be offered to employees via the Windows Store as is the case for consumer-based apps. "For these organizations, publishing their LOB apps to the public Windows Store doesn't make sense, since there is no reason to broadcast these applications to others or to have their application deployment managed through the Windows Store process. And access to these resources and the data that they expose requires an assurance to IT that the systems accessing them meet an established bar for security and data protection," he said.

"For WOA, we've integrated a new management client that can communicate with a management infrastructure in the cloud to deliver LOB apps to users. The WOA management client offering will include a built-in system component called an agent, and a Metro-style app called the self-service portal (or SSP) that consumers can use to browse for and install LOB apps. So if a user brings a WOA tablet/PC to work, administrators will be able to control which business apps they will allow them to install on their PCs using the SSP," explains Sutherland.

The user can connect to the company's internal network with just his or her email address and password via a new feature in the Control Panel in WOA, as shown in the screenshot:

Connecting to company server using WOA or BYO devices

"Using a new Control Panel in WOA, the user can connect with their company email address and password. Once the agent has found the right address, it establishes a secure connection to the management infrastructure using SSL Server Authentication and authenticates the user. The service issues a user certificate when the user is successfully authenticated. This certificate is then sent back to the agent along with the organization root certificate and instructions for the agent. Once complete, the user is directed to install the SSP while the agent completes the connection in the background," explains Sutherland.

In addition to the configurable policies described above, the agent can also be used to automatically configure a VPN profile for the user, so that WOA devices easily connect to a corporate network without requiring any user action. Finally, the agent can also monitor and report on compliance of WOA devices for the following: Drive Encryption Status; Auto Update Status; Antivirus Status; AntiSpyWare Status.
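The four compliance signals listed above can be checked locally by an admin on a Windows PC with standard cmdlets. This is an added example written for this article, not the WOA agent's own code; it assumes Windows 8 or later with Windows Defender and the BitLocker PowerShell module available, and treats "Auto Update" as Windows Update's scheduled-install setting.

```powershell
# Added example: report the four compliance signals the article names
# (Drive Encryption, Auto Update, Antivirus, AntiSpyWare) for the local PC.
# Assumes Windows Defender and the BitLocker module are present.
function Get-DeviceComplianceReport {
    # Drive Encryption Status: BitLocker protection must be On for the OS volume
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
    $osVolume = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $driveEncrypted = ($null -ne $osVolume) -and ($osVolume.ProtectionStatus -eq 'On')

    # Auto Update Status: NotificationLevel 4 = "Scheduled installation" in the
    # IAutomaticUpdatesSettings COM interface exposed by Microsoft.Update.AutoUpdate
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $autoUpdateOn = ($au.Settings.NotificationLevel -eq 4)

    # Antivirus / AntiSpyWare Status: read from Windows Defender
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $avOn = ($null -ne $mp) -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    $asOn = ($null -ne $mp) -and $mp.AntispywareEnabled

    # Compliant only when every signal is true, the "established bar" the text describes
    [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        DriveEncryptionOn = $driveEncrypted
        AutoUpdateOn      = $autoUpdateOn
        AntivirusOn       = $avOn
        AntiSpywareOn     = $asOn
        Compliant         = ($driveEncrypted -and $autoUpdateOn -and $avOn -and $asOn)
    }
}

Get-DeviceComplianceReport | Format-List
```

Run it in an elevated PowerShell session, since Get-BitLockerVolume requires administrator rights to read protection status.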

The IT admin has a number of options in terms of setting up how much control an employee has with his work PC on Windows 8, including Maximum Failed Password Attempts. Sutherland says:

"So, when a user exceeds the password entry threshold, Windows will instead cryptographically lock all encrypted volumes and reboot the device into the Windows 8 recovery console. If your device has been lost or stolen, this effectively renders the device unreadable. But if you're simply the victim of your young son or daughter trying to get to Angry Birds while your device is locked, you can easily recover with the use of a recovery key that Windows 8 can automatically store on your behalf in your SkyDrive account. This way, you are able to get back up and running without enduring a lengthy wait to re-install all of your apps and copy down all of your data."

This screenshot shows an early prototype of the SSP and may not reflect the final product:

Browsing for LOB apps in the self-service portal (SSP) on Windows 8

Using the Metro style self-service portal app (or SSP) users can browse LOB apps that have been made available to them by the admin. The IT admin can specify which apps are published to each user individually, based on the user's AD domain user account, or as a member of AD user groups. There are actually four different types of apps that IT can publish for users in the SSP, says Sutherland:

  • "Internally-developed Metro style apps that are not published in the Windows Store
  • Apps produced by independent software vendors that are licensed to the organization for internal distribution
  • Web links that launch websites and web-based apps directly in the browser
  • Links to app listings in the Windows Store"

"Anytime the IT admin publishes an update for an app that has been installed on a WOA device, the agent will automatically download and install the update during its next regular maintenance session," he said.

Admins can also disconnect a user's device from the company server. During disconnection, the agent does the following:

  • "Removes the activation key that allowed the agent to install LOB apps
  • Removes any certificates that the agent has provisioned
  • Ceases enforcement of the settings policies that the management infrastructure has applied
  • Reports successful deactivation to the management infrastructure if the admin initiated the process
  • Removes the agent configuration, including the scheduled maintenance task."