Have you ever deployed a Conditional Access policy, only to later discover that users had found a way to circumvent it? It is surprising to discover that someone found a way around your carefully designed and tested policy.
Setting up Conditional Access policies can get confusing. If you don’t plan your policies carefully, you may end up with holes that you didn’t expect. Most of us start by thinking about the scenarios we want to allow. The problem with this approach is that if you only think about what you want to allow, you may forget to block the scenarios you don’t approve. Without a policy in place to block unapproved scenarios, a malicious actor can exploit them by simply providing a user’s compromised credentials.
For example, consider this scenario: You are asked to create a policy that will allow a user to access their email on an iPhone. You will allow a user to use the native mail application with ActiveSync or Outlook if the application is protected by a Mobile Application Management policy. The policy you create is applied to the user, targeted to Exchange Online, and applies to ActiveSync and Modern Authentication clients. Controls are set to grant access if the device is compliant or if a MAM policy is applied.
When you test the policy and the device is not registered, you are blocked from accessing the application in the ActiveSync client. The Outlook application prompts you to install the Azure Authenticator to access the application. Once the Authenticator app is installed or the device is enrolled, the user can access their mail in the targeted applications. This policy works as designed; users must meet one of the controls in the policy to use their email as intended. You may consider the policy successful and move it into production. However, there’s just one problem…
This is the second post in a series on the principles behind the Modern Workplace.
The first can be found here: It's not you, It's me
“Change for the sake of change is frivolous. It must be avoided. I know what users want because I’ve been doing this for so long, I know what works!” For a guy who has loudly told the world that he has never read Harry Potter, my (former) coworker sure did an amazing Dolores Umbridge impersonation.
We are caught in a cultural tug-of-war in our technology departments. On one side we have legacy SysAdmins who believe that IT knows what’s best for our users. The other end is anchored by the Modern Workplace evangelists who preach a gospel of agility, data-driven decision making, and user empowerment. End users are caught in the middle, often to the detriment of our organizations.
Brad Anderson touched on this in his blog post announcing Modern Endpoint Manager. He cites a study by Enterprise Strategy Group that shows certain trends amongst end users. The study demonstrates the importance of moving towards modern endpoint solutions.
This is the first post in a series on Modern Workplace management. Through this series I will explore the underlying questions of endpoint management and what it means for us as IT Pros.
It’s not you, it’s me.
I get it – you want this amazing modern workplace experience, but I’m not sure you know what you’re ACTUALLY asking for. I mean, look at our environment. It’s complex because it needs to be. The old IT manager wrote a login script, and I’ve spent a lot of time adding to it and maintaining it – and, well, to be honest … I’m not quite sure what all of it does. I just don’t want to break anything by taking it out. And our group policies? I mean, I know what the stuff I created does. I’m just not sure about everything else … and besides, do we really want to mess with our Default Domain policy? I don’t think we can tolerate that kind of risk – and have you met OUR end users? OUR users are the worst! Way worse than anywhere else I have been!
I could insert any number of clichés here. (The world is changing, the future is now, or any statement involving the word synergy.) We all know that business and technology are changing at an unrelenting pace. Our organizations are demanding that we provide solutions that allow them to be more mobile, more collaborative, and more flexible. We, as IT Pros, have turned around and asked our vendors for better solutions. They have, in turn, provided those solutions.
This is the first post in a series on Impostor Syndrome among IT Pros. I will be talking about my journey, the people who have inspired me, and how we can deal with this common challenge that faces many of us.
Do I belong at this table?
At a recent event I was sitting at a table with several Microsoft team members and customers. We all had one thing in common – a love for Microsoft’s Modern Endpoint Management solutions. While I looked around the table, I started keeping score in my head. On my right were two MVPs – Matthew Hudson and Kent Agerlund. To my right was another IT Pro from a Microsoft Partner. Rion was one of the most engaging and charismatic members of the community I have had the pleasure of meeting. The rest of the table was filled with members of the Endpoint Management team at Microsoft – from engineers to project managers.
Everyone at the table was someone whom I looked up to. They were all very accomplished professionals. I had used their blogs and technical articles to build my own environment. A lot of doubt began to creep in. How did I get here? How do I stack up to the other people sitting at this table? Do I have anything to offer to the conversation? What perspective do I have to offer that the other people sitting here can’t give? It was immediately obvious to me that I didn’t have the breadth of experience or depth of knowledge of the other professionals I was sitting with. My credentials didn’t seem to measure up to theirs, and I began to question my experience.
Welcome to the managed.modernEndpoint.com blog! Posts will range from step-by-step walkthroughs (like this one) to deep dives on topics I find interesting or am actively working on. I will also spend time discussing my perspective on Managing Modern Endpoints, a topic I am truly excited about!
In case you haven't explored the new Admin Center, you may not have noticed the new guided scenarios. These are currently still in Preview, but I wanted to do a brief walkthrough of one of the available scenarios. Two of the scenarios (Deploy Edge for Mobile and Deploy a Cloud Managed PC) are available on the Home blade. My personal favorite, Secure Office apps for mobile, is neatly tucked away on the Troubleshooting blade under Guided scenarios. The various guided scenarios enable administrators to quickly deploy policy sets that contain baseline policies for several device types at once.
Deploying consistent applications across device types can be a time-consuming experience. This guided scenario helps both seasoned veterans and new administrators quickly deploy baseline app protection policies that cover multiple applications and device types in one workflow. We can select the applications we want to target, configure a handful of basic settings, and assign the policy to targeted groups.
I am Sean Bulger, an IT Pro working in the Modern Endpoint Management workspace. I have been working with Intune and Configuration Manager in the enterprise since 2015. I have a broad range of experience having worked in nearly every career field from plumbing to emergency medicine. I have always come back to technology, initially starting out in QA, and then moving to desktop support. I rejoined the IT field in 2014 as a help desk analyst at a large accounting firm. I was able to quickly build my skill set and moved into a workstation engineering role a year later.
modernEndpoint.com represents the next stage in my personal and professional development. I have changed companies twice in the last two years. During that time I lost touch with the pulse of the endpoint management community. I was still doing the work, but I wasn't in an environment that was mature enough to adopt many of the modern solutions that were available. Over the last three months I have had the chance to re-engage with the community. It has been reinvigorating. I have been reminded that I have something to offer.
I am starting this site as a way to engage with the Modern Endpoint Management community, share my perspective, and most importantly to learn from all of the other professionals in our field. This is an exciting time for those of us who work with Intune, Configuration Manager, and the entire Enterprise Mobility and Security suite. Our organizations are changing quickly. The role of a Windows administrator has shifted. We no longer spend (as much of) our time writing logon scripts and managing group policy to lock down Windows. Our organizations now expect us to provide a stable platform that empowers users rather than limits them.
Modern Endpoint Management requires us to take a holistic look at our environments and our existing workflows. We need to adjust our paradigms to work with tech-savvy users and stay ahead of rapidly emerging trends. If we fail to get ahead, we will continue to fight against Shadow IT in our organizations. I believe the best way for us to do that is to become solutions providers. Through this site I hope to help provide holistic solutions that drive technology adoption.
I plan on using modernEndpoint.com as a place to share information, explore technical challenges, and foster a dialog on how best to provide users with the cutting-edge experiences they desire. Through the various blogs on this site we will explore the challenges facing all of us as we transition from traditional solutions to a modern workplace.
I hope that my blog – managed.modernEndpoint.com – and my collaborators' blogs – Scripted and Collaborative – will provide insight and value on how to manage solutions in the modern workplace.
Thank you for visiting. Please follow us on Twitter (@managed_blog) for more updates!
My name is Sean Bulger. I am an IT Pro who has worked in the Modern Endpoint Management work space since 2015. I have worked in various environments, ranging from mature enterprises all the way down to a fledgling IT organization looking to find its way in a cloud-first world. Before rejoining the technology field in 2014 I had a wide range of careers - from plumber to paramedic - that have helped to shape my perspective on the world.