Microsoft Surface Hub Setup and Management

Although Microsoft claims that the Surface Hub 2S is a Windows device, its Windows 10 Team operating system behaves very differently from a standard Windows 10 Pro or Enterprise edition. This is because the Surface Hub covers a totally different use case. Instead of providing a personal workstation to one user, the Surface Hub is intended to be placed in an open meeting room where anyone can walk in and access the device. Furthermore, it must serve its basic functionality instantly without the hassle of logging in.

The main differences of Windows 10 Team compared to a standard Windows 10 edition are:

The Device Account

In Windows 10 Team a device account – usually an Exchange resource account – is always logged in. Even after a reboot, the system logs in the device account automatically. Microsoft Teams and/or Skype for Business always run in the context of this device account.

Don’t get confused by the term “device account”. This account actually has nothing to do with a machine account as you know it from Active Directory or AzureAD. In fact, although it is called “device account”, from a directory perspective it is rather a user account (just like an Exchange mailbox/resource account is). It is only called device account because it is associated with the Surface Hub device and not with an individual user.

No local admin accounts when bound to a directory

During the initial setup you have to choose how to manage the Surface Hub. You get three choices:

  1. Local Admin
  2. Active Directory Admin
  3. AzureAD Admin

If you choose 2 or 3, no local admin will be available. Instead you need a domain admin (2) or a global AzureAD admin (3) to enter the Settings app on the device and make changes. Be careful what you choose here, because changing it later in the process is hard or impossible. Once you have passed this dialog you are unable to join the device to AzureAD manually later on (you can still do it by using a provisioning package).

No command line or PowerShell

There is no way to access the command line or PowerShell – not even as admin. In fact the only way to make changes is the Settings app and a handful of GPOs/CSPs.

Only software built for Windows 10 Team can be installed

You cannot install any software on the Surface Hub except from the Surface Hub Store. Similar to the Windows Store, you find a number of tools there – specially designed for the Hub and Windows 10 Team. There is no way to install software from the standard Microsoft Store or any other software not designed for Windows 10 Team.

My personal best practices for setting up Surface Hub Devices:

Before you begin you should have created a resource account and made sure that this account

  • has a password assigned
  • is login enabled

Neither is usually the case, as resource accounts are normally not used for login!

Set up the Surface Hub using a local admin account and make all changes to the system until the device is set up properly.

Use a provisioning package to join the device to AD or AzureAD. Please note that the local admin account is now gone.
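The resource account preparation from the checklist above, as an added PowerShell example that is not part of the original post: it creates an Exchange Online room mailbox with the device account login enabled and a password assigned, which covers the two points (password assigned, login enabled). It assumes the ExchangeOnlineManagement and MSOnline modules are installed and that you sign in with an account that may create mailboxes; the UPN, alias and display name are placeholders, and an on-premises Exchange server uses slightly different parameters.

```powershell
# Added example, not from the original post. Prepares an Exchange Online
# room mailbox as a Surface Hub device account.
# Assumes: ExchangeOnlineManagement and MSOnline modules, admin sign-in.
Connect-ExchangeOnline
Connect-MsolService

$Upn         = 'hub-room1@contoso.example'   # placeholder device account UPN
$Alias       = 'hub-room1'                   # placeholder alias
$DisplayName = 'Surface Hub Room 1'          # placeholder display name

# Generate a long random password rather than typing one. Store it in your
# password vault; the Hub setup wizard asks for it exactly once.
$Charset = (48..57) + (65..90) + (97..122)   # 0-9, A-Z, a-z
$PlainPassword = -join (1..24 | ForEach-Object { [char](Get-Random -InputObject $Charset) })
$SecurePassword = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force

# Room mailbox with the account enabled for login and a password assigned:
# exactly the two checklist points. Plain resource accounts lack both.
New-Mailbox -MicrosoftOnlineServicesID $Upn -Alias $Alias -Name $DisplayName -Room `
    -EnableRoomMailboxAccount $true -RoomMailboxPassword $SecurePassword

# Accept meeting invitations automatically but keep the organizer's subject
# and body, so the Hub's welcome screen shows meaningful meeting titles.
Set-CalendarProcessing -Identity $Upn -AutomateProcessing AutoAccept `
    -AddOrganizerToSubject $false -DeleteComments $false -DeleteSubject $false `
    -RemovePrivateProperty $false -AllowConflicts $false

# Nobody sits in front of the Hub to answer a password-change prompt, so the
# password is set to never expire. This is a deliberate trade-off: compensate
# with the long random password above and keep it only in the vault.
Set-MsolUser -UserPrincipalName $Upn -PasswordNeverExpires $true

# Hand the generated password to the person running the setup wizard via the
# vault, never via chat or e-mail.
Write-Output "Device account $Upn created; password stored in vault."
```

Whether the account additionally needs a license (for instance for Skype for Business or Teams) depends on your tenant; the point of the block is that the mailbox is login enabled and has a password before you start the Hub setup, since both are missing on a resource account by default.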

Why Progressive Web Apps are really cool!

Pure web applications have a lot of advantages over locally installed traditional fat client software. Web apps can be used instantly without any installation and there is no need to update them frequently as they are always up to date. They can be accessed from any device that runs a web browser – which today actually means from any device.

However, users still prefer native apps because they feel better integrated in the desktop, they can be launched via an icon, they run in their own window and can be used even if the device is offline.

Progressive Web Apps (PWAs) try to combine these two worlds and make web applications behave like locally installed software. PWAs are installed by the click of a button in the browser (a simple + symbol in the address bar of Chrome) and basically just place an icon on the user’s desktop, start menu or launcher (depending on the operating system used). From then on, the PWA behaves almost like a local app while keeping the advantage of seamless updates. In fact, when the app is launched a browser instance is started that presents the PWA in a separate window without any browser controls (no address bar, no menu buttons, etc.). So the app looks like a native app.

But there is more!

  • Once loaded, PWAs can run offline; they don’t require a permanent online connection.
  • PWAs can leverage the OS notification system to inform the user about news such as incoming messages.
  • They can update themselves.


PWAs are a very nice way to eliminate the disadvantages of today’s web applications and make them look and feel like native apps. The advantage of being always up to date and the fact that the app is still usable even if the Internet connection breaks make them a real competitor to fat native client software.

Modern Workplace Management

As discussed in the previous blog post (The Modern Workplace), the requirements on today’s end user computing devices have changed significantly. Let’s look at these developments from a management perspective. In this blog post we will see why the traditional management approach does not fit modern workplaces well and must be reconsidered.

One significant difference to a traditional workplace is that a modern workplace is highly mobile. Today’s workforce is no longer limited to physical office boundaries or strict working times, but is used to performing its work from any place and at any time. So it can’t be expected that modern workplace devices are reachable on a well-known, secure network. Actually, these devices will be connected to the Internet for most of their online time rather than to an internal network, and the time when they will be online is unpredictable. Management concepts which rely on push connections from a management server to a device and require a stable connection for their transmission of messages and software packages do not really fit this new scenario.

Another aspect is the diversity of devices and operating systems. Traditional management focuses on Windows devices only. However, Windows PCs are only a part of today’s end user computing device landscape. We see more and more MacBooks gaining ground in the enterprise space. Besides the diversity on the computer side, more and more devices with mobile operating systems (iOS and Android) are used to perform work and require management.

This all leads to the following approach differences of management solutions:

Traditional management

  • Actions originate from the management server and are pushed to the endpoints
  • Strict control over when things happen where
  • The influence of the end user is very limited and actually not welcome

Modern management

  • Actions are pulled from the device when it is online and can reach the management server
  • Control when things happen is based on the end user device
  • Most tasks are conceptually based on end user self service actions

I will now explain these different approaches with some basic examples:

Operating system patching

In a traditional environment, patches are downloaded from the OS vendor, tested and placed on a management server for push distribution. By starting the distribution it is expected that all online end points will receive the updates immediately, so after a rather short period of time, all end points can be considered patched.

In a modern workplace environment, the end points are configured to look for patches either directly at the vendor or at an internal management server. Whenever new patches are available the end points will start downloading them based on their polling interval and configuration, and install them automatically. However, the polling interval might be several hours and the download of the patches might be interrupted due to loss of connectivity and resumed at a later point in time. Although the patches are finally downloaded and installed, the exact point in time when this will happen is not predictable. Furthermore, there is no way to distribute emergency patches immediately. To reduce patch delays the polling interval can be shortened – at the price of higher network consumption.

Software distribution

In a traditional environment, installing software on an end user device is strictly controlled, too. Applications are pushed down to the device. If mass rollouts are performed, the push jobs are handled in deployment queues and packages are distributed directly to the end points. Again, after initiating the distribution job, it is expected that the task is performed on all online endpoints immediately without delays.

On modern workplaces, we have two options for how software is deployed. The mandatory option prepares the software for installation. However, the download and installation will be initiated by the end point rather than the management server. Depending on the end point’s polling interval, the client will check for new jobs available on the server, then download and install the software prepared for it. The exact point in time when this will happen is not predictable.

The second option is to offer the software in a self service portal. In this case, the user can decide himself when he will install the software. It’s assumed that the end user can judge best when the time is appropriate as he knows about current connectivity and his further plans and working schedules.

Software updates

Traditionally, software updates are pushed out to the end points similar to OS patches or new software installations. On a modern workplace, we also use modern software packaging technologies. These new technologies include auto-update functionality. The software checks for updates itself and keeps itself up to date without any operator intervention. This is very handy as no effort has to be spent on packaging updates and sending them out to the endpoints. On the other hand, control over when exactly the end point updates a specific software package is lost.

The bottom line is that in a traditional environment, all devices are expected to have all required changes applied (otherwise a certain distribution is considered failed and requires investigation). In a modern workplace management environment the situation is not so easy. The operator can define a so-called “desired state”, but whether this state has (already) been applied by the end point can’t be guaranteed. To mitigate the risks that arise from the fact that not all changes have been applied yet, the concept of a “compliant state” was introduced. An endpoint is considered compliant when all defined requirements are met. If a certain software package or security patch is required to be installed, this can be configured as a criterion for compliance. As long as an end point has not installed the patch it is considered non-compliant. Based on this information, access to certain sensitive resources can be restricted.


While traditional management is based on strict control, expecting the end points to be reachable at any time, modern concepts must deal with end points that are online on the Internet only now and then. This is why the decision when things are performed has moved from the management server to the end point. Based on polling intervals, jobs are collected from the server and fulfilled asynchronously. To make sure that only end points meeting the required security criteria may access resources, compliance states can be configured.

The Workplace and Collaboration Multiversum

The core components of a modern office workplace are mainly the device, its operating system including management, a productivity software suite and a collaboration solution. As of today we see three big players on that market with three different solutions and ecosystems:

  • Apple including the iCloud
  • Microsoft and Office 365
  • Google and G-Suite

Although comparable and sometimes possible to combine, these three ecosystems come from totally different backgrounds, which explains their feature sets and focus.


What you must keep in mind when discussing the Apple solution is that Apple is a hardware company. Everything on top exists only to sell (more) hardware. This explains why Apple’s approach is still hardware-centric instead of web-centric. The Apple ecosystem contains three types of devices: the Mac on macOS as well as the iPad and iPhone on iOS. The main purpose of iCloud is to provide a seamless user experience across all Apple devices. Even for collaboration the Apple approach is still very device-centric, providing client software for most of their services – sometimes only for the Apple operating systems (for instance FaceTime).

Although Apple limits the use of its services to its own operating systems and devices, the Apple platform is open to other productivity and collaboration suites. Remember, Apple is a hardware company; it is not Apple’s aim to sell services. This is especially true for enterprise clients. Apple actually does not want large corporations to use iCloud services, as they are considered consumer oriented. There is no iCloud for Business option available. It seems that Apple is not willing to invest in its services to reach an enterprise-grade service level. Apple even removed the option to log in to macOS with iCloud credentials, for fear of being held responsible if millions of users could not log in to their devices should the iCloud service fail.


As we all know, Microsoft is originally a software company. They expanded to services only recently, and their hardware efforts serve more as a reference model of what can be done with their software and services. Their new CEO recognized that the future of software sales lies in the cloud on a subscription basis rather than in on-premises installations based on perpetual licenses. Although their efforts to position Office 365 as the center of their ecosystem look promising, their legacy of clients with on-premises instances of Microsoft software is still evident. The Microsoft solution works best with Windows 10 and locally installed Microsoft Office as complementary components to the Office 365 cloud services.

Microsoft understood that the overall ecosystem is more important than the platform. This is reflected in the recent reorganization of the Microsoft divisions, where Windows is now part of the Cloud organization and no longer a business unit of its own. Microsoft’s cloud services can now be consumed on any platform, be it Windows 10, iOS, macOS or Linux – not with complete feature parity, though.

In contrast to Apple, Microsoft’s most important target client group are enterprises. Due to Microsoft’s strong background in the enterprise business, Office 365 and its underlying Azure infrastructure are designed with enterprise requirements in mind.


Google on the other hand is a natural service company, born on the Internet. The only function of Google’s hardware and software is to bring more users onto its services. Therefore it is not very surprising that all Google services are web based and can be consumed from any device. To guarantee a consistent user experience across all platforms, Google provides its Chrome browser as the interface to its services. Google is strong in the consumer and education business, but still weak in the enterprise area. Especially in Europe, data protection is an important topic that does not seem to be addressed properly by Google.


Three ecosystems that come from three totally different roots but have the same goal: Apple, a hardware company, providing software and services as added value for its hardware; Microsoft, a software company that needs the service business for further growth; and Google, a service company that provides hardware just to enable consumers to use its services. Keeping the business models of these providers in mind explains their focus and strategy.

Why Directory as a Service is important for the modern workplace

In the majority of today’s enterprise environments Microsoft Active Directory is used as the primary directory service. This has worked very well for the past 17 years, due to its ability to centralize user and device management and to provide a clear hierarchical structure of enterprise resources.

However, today’s modern workplace introduces new requirements which are hard to meet with traditional concepts. To understand these challenges a little better, let’s first discuss the main tasks of a directory service:

  • Authenticate users
  • Authorize users to applications

A traditional on-premises directory service like Microsoft AD can fulfill these tasks well as long as we are mainly dealing with non-mobile desktop computers and internal applications on a corporate network.

But today’s world is different.

The mobile workforce is not only using mobile computers like laptops or MacBooks; more and more it does not use computers at all, but mobile devices like tablets and smartphones. Although mobile accounts (in Active Directory) are a workaround for the fact that more and more computers are not connected to the internal network when users log on, admins know the pain of cached credentials and the consequence of hanging machines waiting for timeouts while trying to reach a domain controller. The problem has even increased since laptops are just put into sleep mode rather than shut down.

Besides the user behavior, the application landscape has also changed dramatically. Client/server applications are being replaced by web based apps, which tend more and more often to be off premises (cloud Software as a Service). While internal client/server software was mainly based on Kerberos authentication, web based SaaS offerings use different, more Internet-compatible authentication protocols like SAML or OAuth.

In a nutshell, the modern workplace requires a different set of functionality:

  • Support for the mobile workforce on devices connected to the Internet
  • Support for Internet based SaaS applications using SAML/OAuth authentication protocols

Internet based directory services try to meet these requirements. As their name implies, these directory services are accessible from the Internet and therefore provide authentication services regardless of whether the user is in the internal corporate network or on the Internet. Furthermore, they are designed to federate with SaaS applications and provide single sign-on to internal and external web applications.

Even Microsoft understood the importance of Directory as a Service for the future workplace. Azure AD is Microsoft’s DaaS implementation, highly integrated into the Windows 10 platform. A Windows 10 device can easily be bound to Azure AD. The built-in mechanism enables a user to log on to the device with his/her Azure AD credentials. The basic concept is similar to Active Directory mobile accounts: when the device is not online (or cannot reach Azure AD), cached credentials are used to authenticate the user. But this new implementation of mobile accounts handles network switches while on standby far better than AD did in the past.

Independent DaaS providers are introducing more OS-agnostic concepts. JumpCloud, for example, works with pure local accounts. It controls those accounts through an agent installed on the device. Local accounts work best in an offline / Internet based scenario as they don’t require any network connectivity or reachable infrastructure. The combination of local accounts with central management of them is an interesting best-of-both-worlds approach. Furthermore, as local accounts exist on macOS and Linux, too, this solution is not limited to Windows devices only.


On-premises directory solutions will have more and more problems fulfilling the future requirements that the modern workplace and application landscape will demand. The introduction of an Internet directory or Directory as a Service offering will help to get the best out of the modern workplace and enable the seamless integration of Internet based SaaS applications.

The Modern Workplace

A significant change is happening in how workplaces will be managed and used in the future. Software vendors like Microsoft refer to this as The Modern Workplace.

For the past 20 years enterprises have followed the paradigm of a strictly controlled workplace. Workplaces should stick to a company standard. Deviations from this standard were unwanted and considered to lead to higher management costs. The goal was to have a golden (single) image of the base installation and to accept only small changes to settings and software. To achieve this goal, users were restricted to a minimum of rights without any self-service capabilities.

This model worked well for years, but today’s requirements on productivity and the increasing complexity of use cases call for rethinking this approach. All major software and hardware vendors (Microsoft, Apple) seem to have understood these new challenges and created their own vision of what a modern workplace will look like in the future:

Enable the end user to perform certain tasks by himself, supported by a self-service engine that drives these user-initiated tasks in a controlled way. Starting at deployment by providing an out-of-the-box experience to the end user, continuing with software distribution via an app store, including the ability to install software updates when it fits the user’s work schedule. With such tools, the end user can tailor his workplace to optimize his own productivity.

Support highly mobile use cases where workstations could easily be out of the company network for weeks. Control must not end at the company’s network perimeter but must instead handle devices which mainly live on the Internet as well as those in the internal network.

A closer look at the current market reveals that most vendors have solutions to support this new workplace concept:

Mobile Device Management software is used for the basic management of the devices instead of heavy tools like ADS-GPOs and SCCM. Most MDM vendors nowadays support the traditional computing operating systems (Windows, macOS) as well as the mobile platforms and keep focusing on them.

Deployment methods which leverage the hardware vendor’s preload instead of reimaging the device are emerging and are supported by zero-touch technologies like DEP (Apple) or Autopilot (Windows).

Internet Directories like AzureAD are more and more replacing traditional identity providers like ADS.

MDM systems are usually provided as a cloud service and accessible from the Internet, or, when installed on premises, are made reachable from the Internet to provide services and control to devices living on the Internet.

The biggest obstacle to moving towards the modern workplace in a traditional enterprise is the cultural change that comes with it. While startups have already adapted to the new paradigm, most users in traditional enterprises consider self-service more a burden than an opportunity. Not to mention the security department, which likes strict control much better than loose, lightweight management.

However, as vendors move fast in this direction and are stopping support for some traditional methods (Apple will very likely discontinue imaging technologies with the next macOS version) and Millennials are demanding a certain degree of freedom for their productivity, enterprises should also consider the modern workplace at least as an option.

Reducing Windows OS migration costs

Upgrading Windows operating systems in an enterprise context can be a very expensive task. Not because the development of a new OS base install image is so complex; the integration of all application packages into the image and the testing of those on the new platform are the main cost drivers.

Typically, the costs are split as follows:

  • 33% developing the actual OS image
  • 33% testing the applications on the new OS platform
  • 17% project management and admin
  • 17% actual roll out

To minimize Windows OS upgrade costs, but also to reduce the running costs of a Windows based workplace, applications must be decoupled from the underlying operating system layer. When applications are decoupled (meaning they are not directly installed on the Windows OS), the Windows base image is less complex (and therefore easier to develop), and the integration testing of all the applications on the new platform can be saved.

Now, decoupling is easier said than done. New ways of providing applications to the user need to be explored. The most obvious way would be to drive applications to become HTML5 based. Although this might be possible for applications which are newly introduced in the environment, we also need a solution for existing legacy programs. I see two main technologies which could be of use here:

  • Application virtualization
  • Application publishing

Application virtualization provides a sandbox around the application, so a new Windows platform does not interfere with the application context, and the virtualized application in the sandbox can be deployed on the new OS without intensive testing. A further advantage of this technology is the possibility to manage the application from a central point and control application updates without the need to send software update packages out to thousands of clients.

Application publishing lets the software run on a terminal server. So again, the application context is independent from the workstation OS and can be upgraded centrally on the terminal server.

The more applications are provided with either option, the slimmer the OS base image can become and the cheaper upgrades to new OS versions will get. This might be the first step towards a new model of the client workplace where the actual client OS is no longer important but just provides a runtime for the required access software (like a browser or the Citrix Receiver software).

Strategies for replacing Microsoft Office

In my previous blog post I discussed why Microsoft is still so dominant in the productivity software space and why it is hard to move to alternative office products. However, if you are still considering replacing MS Office, here is how to do it:


The most important point is management commitment. Don’t be naive, it will be a hard process and without the full support from management up to the CEO, this project will fail. IBM, my former employer, tried to save MS Office licenses in favour of IBM’s own product Symphony and later Apache OpenOffice. When thinking of 400.000 IBMers, internal communication could easily have been moved to the Open Document Format; however, this effort never had the buy-in of upper management. Although Office licenses were restricted strongly and you were required to run a complex exception process to get one, most of management still produced PowerPoints and Excel files. Internal tools were still developed as Excel macros and it sooner or later became a real pain if you did not have Microsoft Office installed. My personal opinion is that the missing commitment from management was the main reason why they gave up on this in mid 2014 and purchased Office licenses again.

Introduce an internal file format standard

Establish ODF as the one and only accepted internal standard for editable files. For non-editable files, PDF should be the way to go. Also for sharing files with externals, as long as they don’t need to be edited, use PDF. Provide your corporate templates in the new format.

Stop developing Excel macros

Get your developers on board and provide education on how to start developing in your new productivity tool suite. Regardless of whether it is Apache OpenOffice or LibreOffice (or any other alternative), they all come with a more or less powerful scripting language to fulfill most requirements. Whether it is worth migrating existing Excel macros to the new platform depends on how many there are and how complex they are. Maybe they can still live in Excel until they are sunset anyway.

Provide education to your users

In the very end it is all about user acceptance. The better they are educated, the higher the chances are that they accept the new platform. Don’t underestimate this point; from a cost perspective this might be the biggest portion of the project!

Consider web based solutions

Give your end users new functionality by moving towards the web. There are alternatives out on the market (Google, IBM Docs, Zoho, ….). Maybe these new possibilities attract your users.

I am sure, there are a lot more points to consider, but without the ones mentioned above, I am pretty sure such a project will fail. Please feel free to join the conversation on Twitter via @emarcusnet!

Why is Microsoft Office still so dominant?

If you think about productivity tools, Microsoft Office is the product it is all about. Even the term Office is used as a synonym for productivity tools, and competing products use it in their names (LibreOffice, OpenOffice, SoftMaker Office, etc.).

At least there are competing products available, and there always were. Actually, the ground for productivity tools was once prepared by Lotus with its 1-2-3 spreadsheet tool, accompanied by AmiPro and Freelance to form the Lotus SmartSuite. But Microsoft soon took over this market with Word, Excel and PowerPoint and has held it tightly since then. Although Microsoft Office is rich in functions, the alternative players can provide what 99% of users require, so

why is Microsoft Office still so predominant?

In recent years I saw a number of projects with the goal of replacing Microsoft Office. But none of them declared victory over Redmond’s cash cow. Here are some reasons why:


None of the competing tools achieved decent file format compatibility. Meaning, when exchanging documents with Microsoft Office users, the layout, tables, etc. often get misplaced, making the document look different from the original. Although import/export filters for the older binary Microsoft formats (like .doc, .xls and .ppt) made progress over the years, the new XML based formats (.docx, .xlsx, .pptx) are again quite a hurdle.

I would see this as the main reason for failing user acceptance.

Excel macros

Don’t underestimate the number of applications built as Excel macros which are out in the world and sometimes vital to companies. I saw enterprises running critical reports based on Excel macros. Those macros can be complex, reading input data from various sources, etc. Migrating them to another platform is a project of its own and, even if possible, ruins every serious cost case.


A lot of third-party tools provide connectors to Microsoft Office. This could be an Outlook plugin or the possibility to produce an Excel sheet as the result of a query, etc. For alternative office tools such integrations are often missing.

User acceptance

Finally, the employees are used to the Microsoft products from home / school / previous jobs; making them use an alternative usually costs high education and motivation efforts.

In my next blog post I will talk about strategies that could be considered when attempting to move away from Microsoft Office to an alternative product.

How important is the client OS any more?

As I mentioned in one of my older posts, the client operating system is becoming less and less important in today’s IT world. However, how important is a standardized client OS still for enterprises?

Up to today, enterprises’ workstation rollout strategy is based on a corporate OS build which includes all relevant policies and settings. Any application package can rely on this standardized OS and its unique features. This was best practice for years – even decades – but is it the answer to the challenges the new way of working introduces to the corporate world?

I am not so sure about that and I think this paradigm needs to be reviewed!

With Bring Your Own Device, mobility and social collaboration, new end user devices are used for corporate applications. Most of these devices come with their own operating system and might or might not be manageable. Some CIOs still believe they can cope with this challenge by just prohibiting these new devices, which is more ostrich-like politics than a future-proof concept.

While I am not saying that a standardized OS platform is something bad, I think today’s applications must not rely on it any more. They must be robust enough to cope with any underlying OS configuration to be ready for the future.

Infrastructure is a commodity and is therefore getting more and more diverse. This means that specific OS vendors, versions or settings must become less and less important to higher-level applications!