10 Most Important Announcements From Ignite

My top 10 most important announcements so far at Ignite, ranked from most important to least important as they pertain to me.

  1. Technical preview of Configmgr vNext available now with SCEP
  2. Service pack for SCCM 2012 due next week
  3. Announced Azure Stack – replacing Azure Pack for on-prem Azure services (Deploying Azure in Your Datacenter)
  4. Roadmap for Configmgr and Intune
  5. The Microsoft Operations Management Suite (OMS)
  6. Microsoft Advanced Threat Analytics
  7. Power BI in SCCM
  8. Detecting Anomalous Sign-Ins with EMS
  9. Windows 10 Device Guard
  10. The New Outlook App: A Modern Standard for Secure E-mail

Configmgr vNext Technical Preview

New features in today’s Technical Preview include:

  • Support for Windows 10 upgrade with OS deployment task sequence – In addition to providing support for existing wipe-and-load (refresh) scenarios, the ConfigMgr Technical Preview includes enhanced upgrade support with in-place upgrade to Windows 10.
  • Support for installing Configuration Manager on Azure Virtual Machines – Similar to how you can install ConfigMgr on Hyper-V today, you can now run ConfigMgr in Azure VMs. This provides flexibility to move some or all of your datacenter server workloads to the cloud with Azure.
  • Ability to manage Windows 10 mobile devices via MDM with on-premises Configuration Manager infrastructure – With this new option, you can manage Windows 10 mobile devices using ConfigMgr integrated with Microsoft Intune (hybrid) without the need to store your data in the cloud. This is especially helpful for managing devices that are unable to connect to the Internet such as Windows IoT/Embedded devices. So go ahead and try it out – you can enroll devices, set policies, and wipe/retire devices today with more functionality to be added in the future to manage all of your Windows 10 devices with MDM.

Service Pack for Configmgr 2012 (next week)

Next week, Microsoft will also be releasing service packs for Configuration Manager 2012 and 2012 R2 to customers. These will deliver full compatibility with existing features for Windows 10 deployment and management as well as several other features, including:

  • App-V publishing performance – Improved performance that reduces the time required for apps to display after the first logon for non-persistent VDI environments.
  • Scalability improvements – Increased hierarchy scale to 600K and primary/standalone site scale to 150K.
  • Content distribution improvements – Improved data transfer reliability for slow and latent networks, and also improved scale and performance for pull distribution points (DP).
  • Native support for SQL Server 2014 – Added native support for SQL Server 2014 to enable site installation and recovery using SQL Server 2014.
  • Hybrid features – Added a large number of hybrid features for customers using ConfigMgr integrated with Microsoft Intune (hybrid). Some of the features that you can expect to see in this release include conditional access policy, mobile application management, and support for Apple Device Enrollment Program (DEP).

Finally, for SCCM 2007:

  • System Center Configuration Manager 2007 (SP2, R2, and R3) support for the management of Windows 10 is coming via a compatibility pack in Q4 2015 (Note: OS and client deployment will not be supported).
  • An update for the Microsoft Deployment Toolkit (MDT) in Q3 2015 that will deliver support for Windows 10.

Azure Stack

This is Azure running in your own datacenter.

Azure Stack transforms your datacenter infrastructure into automated resource pools that can be tailored to application service levels. This means that your app owners can quickly consume standardized IaaS/PaaS services using the same self-service experience as Azure – and they can do it through a consistent app platform that spans on-premises and Azure.

This makes containers, Hyper-V containers and Nano Server much more interesting.

Four other things to consider with Azure Stack:

  • Cloud-inspired infrastructure
    Azure Stack is built on a great heritage of technology (Azure, Windows Server, System Center) and it delivers reliable, software-defined infrastructure that’s proven at hyper scale.
  • On-demand infrastructure extensions
    With Azure Stack you have access to Azure’s bottomless scale and elasticity – without affecting your ongoing on-prem security protocols or performance.
  • Cloud-consistent service delivery
    Enable your developers and end-users to productively consume software-defined infrastructure using the same intuitive self-service experience as Azure. The result is faster time-to-market with composable IaaS/PaaS services that can be deployed wherever you need them (on-prem, hosted, or Azure).
  • Cloud-optimized application platform
    Windows Server and Azure deliver a consistent app platform for next-generation apps. This empowers your developers to build apps for any environment, and those apps can be used in any cloud without having to modify, rewrite or reconfigure code.

Roadmap for Configmgr 2012

Conditional Access Policy

  • Restrict Access to Exchange on-premise email only if the device is managed
  • Restrict access to Exchange Online only if the device is managed and compliant (Extension released to add support for Exchange Online in March 2015)
  • Restrict access to SharePoint Online and OneDrive for Business only if the device is managed and compliant

Mobile Application Management

  • Managed Office mobile apps – Word, Excel, PowerPoint, OneDrive, OneNote
  • App Wrapping Tool for existing iOS line-of-business apps
  • Managed Browser for iOS and Android devices
  • PDF Viewer, AV Player, and Image Viewer for iOS (in web viewer) and Android devices

Configuration Policies and Resources Access

  • Deployment of certificates in .pfx format (Network Device Enrollment Service not required)
  • Device lockdown via supervised iOS devices and Assigned Access for Windows Phone 8.1
  • Application install allow/deny list
  • Support for custom policies for iOS devices
  • Deployment of email profiles for Android devices using Samsung KNOX
  • Deployment of VPN profiles for Android devices
  • Passcode reset and remote device lock for iOS, Android, and Windows Phone devices

Ongoing Support for Device Platforms

  • Support for Apple Device Enrollment Program (DEP)
  • Support for Samsung KNOX Standard
  • Push free store apps to iOS devices
  • Convenient access to internal corporate resources via per-app VPN configurations for iOS

Futures

Conditional access policy

  • Ability to restrict access to Outlook app based on device enrollment and compliance

Mobile app management

  • Intune app SDK for iOS
  • Intune app wrapping tool for Android
  • Support for MAM in Outlook apps
  • Multi-Identity

Ongoing support for device platforms

  • Support for Apple Volume Purchase Program (VPP)
  • Windows 10 support
  • Mac OS X support

Microsoft Operations Management Suite

A new tool for managing your on-premise datacenter and cloud environment from a single view.

Having a hybrid infrastructure that is “pretty good” is not enough. This is a solution that creates a hybrid infrastructure that is great. Now you can manage Azure or AWS, Windows Server or Linux, VMware or OpenStack – all with a cost-effective, all-in-one cloud IT management solution.

With OMS you’re going to see six big benefits right out of the box:

  • Log Analytics:
    Now you can collect and search across multiple machine data sources and identify the root cause of any operational issues (learn more here).
  • Availability:
    Integrated recovery is enabled for all your servers and apps – no matter where they reside.
  • Automation:
    Complex and repetitive operations are orchestrated for more efficient and cost-effective hybrid cloud management.
  • Security:
    You can identify malware status and missing system updates, and collect security-related events to perform forensic, audit and breach analysis.
  • Extending System Center:
    OMS combines with System Center to do some amazing things. For example, OMS extends its capability to deliver a full hybrid management experience across any datacenter or cloud.
  • Hybrid & Open:
    We recognize that your organization is no longer housed in just a single datacenter. That’s why OMS can manage your hybrid cloud no matter what topology or technology you’re using – and, of course, it works seamlessly with your existing on-prem infrastructure.

View a video of OMS in action here.

The pricing today is available as an addition to your Azure subscription with pay-as-you-go pricing for the features you need. In July you will also be able to add it to your System Center licensing as step-up pricing.

Microsoft Advanced Threat Analytics

Microsoft Advanced Threat Analytics is an on-premises product to help IT organizations protect their enterprise from advanced targeted attacks by automatically analyzing, learning, and identifying normal and abnormal entity (user, device, and resource) behavior through Active Directory, the identity management technology used by most enterprises. It also detects known malicious attacks and security issues using security research work. ATA provides clear and relevant threat information on a simple, convenient feed, helping IT security professionals to focus on what is important. You can learn more by visiting the Microsoft Advanced Threat Analytics page. Read today’s blog post from our engineering team.

Power BI for Configmgr

This combines two great things that are long overdue being paired together: Power BI and System Center Configuration Manager. This combination gives configmgr admins the ability to monitor and report on software update and endpoint protection compliance in their organization, along with other compliance data from baseline configurations, configuration items, software deployments, and so on.

This is the dashboard every CISO in the world would want to have and use. In a single place you can now get a view of mobile device compliance with corporate policies, PC compliance with security updates, and malware encounters across the entire enterprise. The Power BI dashboard enables you to drill into a wide variety of reports to identify trends and correlations, as well as use the Power BI Q&A feature to quickly identify any user data that may be at risk.

By integrating with Power BI, you are able to make this data accessible and consumable by IT organizations everywhere and enable IT Pros to unlock powerful new ways to work with, learn from, and take action on their data.

This is an incredible example of the truly vast benefits of using an integrated solution for PC and mobile device management.

The benefits include:

  • This dashboard is massively helpful for monitoring and reporting on software updates and endpoint protection compliance for your organization.
  • The interface allows you to identify correlations and gain insight into management and security trends.
  • With the Power BI Q&A feature you can immediately get answers to natural language questions about software updates and malware data.
  • Now you can wallow in the data and see insights that would have been impossible to spot before.

Get started with Power BI and Configmgr here.

Detecting Azure Anomalous Logins with EMS

This adds analytics-driven security controls to the security you already have. Azure Active Directory’s machine-learning-based anomaly detection reports analyze login patterns to detect irregular activity.

  • Azure AD is constantly monitoring user authentication behavior to detect anomalies that might be indicative of identity compromise.
  • This constant monitoring allows IT to quickly identify attacks to their organization and take action.
  • Having Azure AD do the heavy lifting of nonstop user authentication monitoring allows IT to focus on the mission-critical task of remediation.
  • You can catch these compromised accounts and stop attacks!

Device Guard for Windows 10

Device Guard demands that every app attempting to access your network has to be proven safe before it enters, and, even more importantly, Device Guard’s capabilities are protected in an unprecedented way that uses virtualization to protect itself even in the event that the Windows Kernel is fully compromised.

For this reason, Device Guard can block zero day exploits and unknown malware threats because it isn’t dependent on the latest AV signatures or behavior monitoring. It also neutralizes common intrusion workarounds because Device Guard protects users even when they have full admin privileges.

  • This feature is ideal for a very wide range of devices, like PoS systems, ATMs, and any other assets that serve a critical business function and contain sensitive data.
  • As noted above: It blocks zero day exploits and protects users with admin privileges.
  • This enables IT to provide a much higher level of assurance that malware will not be running on devices.

Coming soon

New Outlook Using MAM

This gives IT control of which apps have access to business data and can share that data. Now end-users no longer need two apps for the same purpose (e.g. one for personal and one for work) because apps that have been enlightened to participate in the Intune MAM capabilities are now multi-user capable.

This feature also enables the full protection stack from identity to device, to apps, to files when used with O365, Azure AD, Intune, and Azure Rights Management (RMS).

Today was the first time Microsoft publicly discussed the multi-identity support coming to the Intune App SDK. This multi-identity support will enable apps to be used in both your personal and corporate lives.

  • Microsoft’s commitment to Data Leakage Protection
    This demo made it clear that Microsoft is committed not only to protecting against data leakage, but also to providing MAM for all platforms. The new Outlook app for iOS and Android, combined with the power of Intune and O365, is delivering on that commitment.
  • Our MAM strategy goes beyond “containers”
    Not only does it extend beyond the idea of containers, it enables multi-identity-aware work and personal experiences that are relevant for real-world uses as well as the expectations users have when interacting with their apps.
  • Identifying corporate vs. personal apps/data
    Not only is it now possible to identify corporate and personal apps and data on a device, but you can keep it separate – and you can do it all in a way that is seamless to the user. This prevents users from accidentally sharing sensitive data outside of the organization, and it allows IT to specifically define which apps have access to that corporate data. This also ensures that, when a device is wiped, only the corporate content is removed.

Coming soon

In addition, Microsoft announced

  • Intune Conditional Access and Mobile Application Management for the Outlook app: This quarter, Intune will enable customers to restrict access to the Outlook app based upon device enrollment and compliance policies as well as restrict actions such as cut, copy, paste, and save as between the Intune-managed Outlook app and personal apps. Stay tuned to the Intune blog for more information on this feature when it becomes generally available.
  • Azure AD Cloud App Discovery: In the next month Azure AD will enable customers to identify cloud apps being used in a customer’s IT environment, revealing shadow IT. Read more from our engineering team about Cloud App Discovery.
  • Public preview of Azure AD Privileged Identity Management: Enables customers to discover, restrict and monitor privileged accounts and their access to resources and enforce on-demand temporary administrative access when needed. Azure AD Privileged Identity Management is available in Azure AD Premium. Read more from our engineering team about Privileged Identity Management.
  • Public preview of Azure Rights Management Document Tracking: Enables customers to track activities on sensitive files that they have shared with others. With a single click, users can also revoke access to shared files. Read more from our engineering team about Document Tracking.

Custom OMA-URI for Windows 10

Additionally, you can now create custom policies using OMA-URI to manage new Windows 10 features with Intune. As part of our monthly cloud cadence, we also plan to incrementally add native UI support for new Windows 10 features to provide you with best-in-class management for Windows 10 with Intune.

You can find more information on custom OMA-URI settings for Windows 10 here. This list of settings will continue to be expanded over time. You can also view the complete list of Configuration Service Providers (CSPs) exposed in the Windows 10 Technical Preview builds here.

Can Microsoft Disrupt Google’s Dominance of Mobile

New tools for developers to integrate with the Universal Windows Platform capabilities

At the Build conference today Microsoft made a play to shift the device ecosystem to Windows. In the past Android ruled the device OS market, Apple came in a distant second with iOS, and Microsoft was in last place, about four laps down. Part of the problem was the carriers blocking Microsoft from getting on the device. This is Google’s battle to lose; they have essentially already won it and just need to not screw it up. Microsoft is betting that it can make the Windows platform attractive again and is making moves to allow any type of app to run on Windows 10.

Here is a breakdown of some of the announcements made today.

Porting Android and iOS apps to Windows 10 just became a breeze.

New SDKs to port apps to Windows 10

  • iOS Objective C
  • Android Java and C++
  • .NET and Win32
  • Web sites

Windows 10 on one billion devices in three years

Windows 10 Device Family

Windows Store for consumers and business

“For businesses, the Windows Store enables admins to highlight apps for their employees, distribute select apps from the Windows Store and private line-of-business apps to their employees, and use business payment methods like purchase orders.”

“Developers will be able to write an application once and distribute it to the entire Windows 10 device family, making discovery, purchasing and updating easy for customers.”

Windows Store in Windows 10.

Universal Windows Platform

“With the Universal Windows Platform, developers can now create a single application for the full range of Windows 10 devices. The platform’s UX controls automatically adapt to different screen sizes, and the developer can then tailor applications to unique capabilities of each device.”

Continuum

New Continuum functionality in Windows 10 extends the Continuum functionality for PCs and tablets to phones, enabling people to use their phones like a PC for productivity or entertainment.

Windows 10 phone Continuum

Apple Pay – Great New Feature or Future Nightmare?

Apple Plays

Apple introduced the iPhone 6 models this week and spent time talking about the size, display and CPU speed, but it also spent an exorbitant amount of time, marketing dollars and effort pushing a new feature most people couldn’t care less about: Apple Pay.

What is Apple Pay?

Apple Pay is a payment service on the iPhone that stores and transmits your credit card information. Let that sink in before moving on.

Apple has not yet released many details to the public on exactly how Apple Pay works, and the media has several different guesses about how the system will work. Gartner claims no credit card information will be stored on the phone and that your iTunes credit card information will be used instead; others, including Apple, say your card details will be stored on the phone. The Washington Post writer assures his readers that, thanks to the iPhone fingerprint reader, no one else will be able to make purchases with your phone. He doesn’t bother to mention that the fingerprint reader was hacked less than two days after it was released, or that virtual card numbers are what will be sent to the merchant from your phone instead of your actual card number.

Using the docs from stripe.com, a third party offering an API that lets merchants use Apple Pay without doing all the integration on their own, it would seem that credit card information is stored on your iPhone and that, depending on the merchant you are using, you will be sending them your card number, CVC code, name, expiration date and billing address, all information they can choose to store for later use if they decide they want to. Stripe.com’s documentation includes frightening phrases such as “Make sure any communication with your server is SSL secured to prevent eavesdropping.” Shouldn’t Apple Pay force SSL communication?

This is all speculation at this point, but I think Stripe.com likely has better information than the Washington Post and Gartner.

However, I couldn’t leave out this little gem from Makeuseof.com, which stays in lockstep with the party line, claiming that anyone who doesn’t fully embrace Apple’s latest feature as the greatest change to the monetary system since the advent of coins is a lunatic alien abductee.

“Those of you reaching for your tinfoil hats will be relieved to hear the usual security and privacy spiel from such an announcement involving sensitive financial data. Merchants cannot see card numbers, Apple cannot tell what you are buying, and if you lose your phone, you can simply suspend the service using Find My iPhone.”

All but the last part about using Find My iPhone is incorrect, but it doesn’t matter because they don’t address the real security concerns.

Update: According to Nerd Wallet, Apple will get 0.15% of each transaction, paid to them by the bank issuing the credit card. This new additional fee, on top of the regular fees paid per transaction for the convenience of using a card instead of cash, will unwittingly be paid by the consumer. When you think about the concept of paying a company to lend you your own money with interest and fees added on to it, you may begin to understand that using cash and living within a realistic budget is better than using Apple or any credit card company.

The Real Point Please?

Here is the main problem with Gartner, WaPo and all of the internet sites claiming there is nothing to worry about. They all talk about how the transaction is secure, how the merchant doesn’t actually get your card details, how a random number or one-time token is going to keep your purchase secure. Great. But what about the phone? How secure is the device where you are storing the cards, with all the information needed to use each one of them? I don’t recall Apple talking about how secure their phone and new OS are, and none of the websites fighting for your precious monetized clicks talk about how secure the platform storing all your data is. Instead they make claims to assure you that Apple has it all figured out; after all, it’s Apple! They never have security problems, just ask Kate Upton, Kirsten Dunst, Jennifer Lawrence or Jonathan Zdziarski. Jonathan is the researcher who recently presented a paper on how every iOS device is running hidden and undocumented services that allow access to phone data, even the ability to bypass the iTunes backup encryption, all without needing physical access to your phone. It doesn’t take much thought to figure out exactly how someone could get at all the photos of celebrities, your spouse or yourself stored in iCloud.

When Target and the other retailers had their POS systems hacked, the attackers did not go after individual payments; they wanted the card data so they could sell the cards on the market, and those who bought the cards would use them to make fraudulent purchases, clean out accounts or worse. Talking about how a single transaction is secure is only interesting if you are a merchant, bank, card processing company or Apple. The consumer loses nothing if a retailer or bank doesn’t secure their transaction, because they are covered. But if the consumer has their savings account drained to $0, well, they are just out all of their savings. The banks, card processor and retailer will happily take that stolen money.

One Last Thing

Apple Pay uses NFC to transmit your purchase details. In 2012, 2013 and 2014 there were demonstrations of how to hack NFC to take advantage of payment systems to steal data, send payments and transfer funds. It’s unfortunate that Apple and the media won’t spend the 30 seconds it takes to Google “NFC credit card hack” and watch the videos, read the conference notes and articles on how insecure NFC really is.

  • Apps use NFC technology to hack Credit Card credentials (Oct 16, 2013) – After months Google still hasn’t fixed the issue letting Apps from the Play Store use NFC technology to steal Credit Card credentials.
  • [PDF] NFC Hacking: The Easy Way – Def Con, by E Lee (https://www.defcon.org/images/…/DEFCON-20-Lee-NFC-Hacking.pdf) – NFC Hacking: The Easy Way. DEFCON 20 … between chipped credit cards and POS terminals … Contactless Credit card reader (e.g. VivoPay, Verifone).
  • [PDF] Hacking the NFC credit cards for fun and debit – Hackito … (Apr 3, 2012) – Hackito Ergo Sum 2012 – April 12,13,14 – Paris, France. 4. How to recognize an NFC-enabled credit card? Small wave logo printed on the …
  • How NFC phones can steal your credit card info. – YouTube (Jan 27, 2012, uploaded by Id Stronghold) – How NFC phones can steal your credit card info. … Building a RFID Zapper – Hacking a Disposable Camera by Tobias Othmar Hermann …
  • Hacking the NFC credit cards for fun and debit by … – YouTube (www.youtube.com/watch?v=VWIzW0rRw_s; Jul 24, 2012, uploaded by Shakacon LLC) – Hacking the NFC credit cards for fun and debit by Renaud Lifithitz … The way of do business very much easy using NFC business card..
  • [NFC HACK] : Use Pass Snow card or transport card with … – YouTube (www.youtube.com/watch?v=B0pTdNrEXnI; Mar 8, 2013, uploaded by iHeathOfficial) – [NFC HACK] : Use Pass Snow card or transport card with your … Cloning Credit Cards: Pre-play and downgrade attack (full length) by Michael …
  • Android NFC hack lets subway riders evade fares | Naked … (nakedsecurity.sophos.com/…/android-nfc-hack-lets-subway-rider…; Sep 24, 2012) – Benninger said during his talk that he could replenish his card endlessly, according to Computerworld: “I can do …” Carwash POS systems hacked, credit card data drained.
  • Credit Card stealing Apps from NFC cards – Latest News … (www.secure-commerce.org/…/credit-card-stealing-apps-from-nfc-cards/; Apr 29, 2013) – This report in Mashable and CBS reports that there’s app’s now available to read and hack the NFC data on credit cards with the purpose of …
  • The Perfect Hack for Enabling NFC Credit Card Payments … – Business Insider (www.businessinsider.com/the-perfect-hack-for-enabling-…; Aug 3, 2011) – Remember the good ol’ days when you actually had to swipe your credit or debit card to make a pay…
  • Hacking the NFC Credit Cards for Fun and Debit by Renaud … – SlideShare (www.slideshare.net/…/hacking-the-nfc-credit-cards-for-fun-and-debit-by…; Jul 2, 2012) – Small wave logo printed on the card: “Hacking the NFC credit cards for fun and debit ;)” Renaud Lifchitz – BT 4 Shakacon 2012 – June 18-21 …