Microsoft Surface Hub Setup and Management

Although Microsoft calls the Surface Hub 2S a Windows device, its Windows 10 Team operating system behaves very differently from a standard Windows 10 Pro or Enterprise edition. The reason is the completely different use case the Surface Hub covers: instead of providing a personal workstation to one user, the Surface Hub is meant to stand in an open meeting room where anyone can walk in and use the device. Furthermore, it must offer its basic functionality instantly, without the hassle of logging in.

The main differences of Windows 10 Team compared to a standard Windows 10 edition are:

The Device Account

In Windows 10 Team a device account – usually an Exchange resource (room) account – is always signed in. Even after a reboot the system signs in the device account automatically. Microsoft Teams and/or Skype for Business always run in the context of this device account.

Don’t be confused by the term “device account”. This account has nothing to do with the machine (computer) accounts you know from Active Directory or AzureAD. From a directory perspective it is an ordinary user account, just like the account behind an Exchange mailbox or resource mailbox. It is only called a device account because it is associated with the Surface Hub device rather than with an individual user.

No local admin accounts when bound to a directory

During the initial setup you have to choose how to manage the Surface Hub. You get 3 choices:

  1. Local Admin
  2. Active Directory Admin
  3. AzureAD Admin

If you choose 2 or 3, no local admin will be available. Instead you need a domain admin (2) or an AzureAD global admin (3) to open the Settings app on the device and make changes. Be careful what you choose here, because changing it later is hard or impossible: once you are past this dialog, you can no longer join the device to AzureAD manually (a provisioning package can still do it).

No commandline or PowerShell

There is no way to reach a command line or PowerShell on the device, not even as admin. The only ways to change the configuration are the Settings app and a handful of GPOs/CSPs.

Only software built for Windows 10 Team can be installed

You cannot install any software on the Surface Hub except from the Hub’s own store. Similar to the Microsoft Store, you find a number of tools there that are specially designed for the Hub and Windows 10 Team. There is no way to install software from the standard Microsoft Store or any other software not designed for Windows 10 Team.

My personal best practices for setting up Surface Hub devices:

Before you begin, create a resource account and make sure that this account

  • has a password assigned
  • is enabled for sign-in

Neither is the default, because resource accounts are normally never used for interactive sign-in!

Set up the Surface Hub with a local admin account and make all changes to the system until the device is configured properly.

Then use a provisioning package to join the device to AD or AzureAD. Please note that the local admin account is no longer available from that moment on.
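Preparing the resource account with PowerShell, as an added example that is not part of the original post. It uses the ExchangeOnlineManagement and MSOnline modules (MSOnline is the older Azure AD module and is being retired in favour of Microsoft Graph PowerShell); the UPN, alias and display name are assumptions for a tenant called contoso.com, and the password is read interactively instead of being typed into the script.

```powershell
# Added example (not from the original post): prepare the Surface Hub device account.
# Requires the ExchangeOnlineManagement and MSOnline modules and an admin with rights in both.
# UPN, alias and display name are assumptions; adjust them to your tenant.
Connect-ExchangeOnline
Connect-MsolService

$upn   = 'hub-room1@contoso.com'
$alias = 'hub-room1'
$pw    = Read-Host -AsSecureString -Prompt 'Device account password'   # never hard-code it

# A plain room mailbox comes with a disabled account and no password, which is exactly
# what the Hub cannot use: -EnableRoomMailboxAccount enables sign-in,
# -RoomMailboxPassword sets the password.
New-Mailbox -MicrosoftOnlineServicesID $upn -Alias $alias -Name 'Surface Hub Room 1' `
    -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword $pw

# Let the Hub accept meeting invitations automatically and keep organizer and subject
# visible on the welcome screen (the room-mailbox defaults rewrite them).
Set-CalendarProcessing -Identity $upn -AutomateProcessing AutoAccept `
    -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false `
    -DeleteSubject $false -RemovePrivateProperty $false `
    -AddAdditionalResponse $true -AdditionalResponse 'This room is equipped with a Surface Hub.'

# The Hub cannot handle a password-change prompt, so the password must not expire.
# (The new user may take a few minutes to sync to Azure AD before this succeeds.)
Set-MsolUser -UserPrincipalName $upn -PasswordNeverExpires $true

# Check the two conditions from the list above before walking to the device:
# RecipientTypeDetails should be RoomMailbox, BlockCredential False, PasswordNeverExpires True.
Get-Mailbox -Identity $upn | Format-List Name, RecipientTypeDetails, UserPrincipalName
Get-MsolUser -UserPrincipalName $upn | Format-List UserPrincipalName, BlockCredential, PasswordNeverExpires
```

Because the password never expires and the account stays signed in on a device in an open room, treat it as a long-lived credential: give it no administrative roles and no access beyond its own mailbox, and do not reuse the password anywhere else.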

Why Progressive Web Apps are really cool!

Pure web applications have a lot of advantages over locally installed traditional fat-client software. Web apps can be used instantly without any installation, and there is no need to update them on the client as they are always up to date. They can be accessed from any device that runs a web browser, which today means practically any device.

However, users still prefer native apps because they feel better integrated in the desktop: they can be launched from an icon, they run in their own window and they can be used even when the device is offline.

Progressive Web Apps (PWAs) try to combine these two worlds and make web applications behave like locally installed software. A PWA is installed by a click on a button in the browser (a simple + symbol in the address bar of Chrome), which basically just places an icon on the user’s desktop, start menu or launcher (depending on the operating system). From then on the PWA behaves almost like a local app while keeping the advantage of seamless updates. When the app is launched, a browser instance is started that presents the PWA in a separate window without any browser controls (no address bar, no menu buttons, etc.), so the app looks like a native app.

But there is more!

  • Once loaded, PWAs can run offline; they don’t require a permanent online connection.
  • PWAs can use the OS notification system to inform the user about news such as incoming messages.
  • They can update themselves.
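As an added example that is not part of the original post, here is the service worker that gives a PWA the offline and self-update behaviour listed above. The file names in APP_SHELL and the /api/ prefix are assumptions; the decision which requests get cached is kept in a plain function so it can be tested outside a browser.

```javascript
// sw.js: service worker for a PWA. Added example, not code from the original post.
// File names in APP_SHELL and the '/api/' prefix are assumptions for illustration.
const CACHE_NAME = 'app-shell-v1'; // bump on every release so old caches get dropped on activate
const APP_SHELL = ['/', '/index.html', '/app.js', '/app.css', '/manifest.webmanifest'];

// Pick a strategy for one request. Kept free of browser APIs so it can be unit-tested in Node.
//   cache-first   static app shell: served instantly, works offline
//   network-first same-origin data (/api/): fresh when online, last good copy when offline
//   network-only  anything else (cross-origin, non-GET): never stored by the worker
function strategyFor(method, url, origin) {
  const base = new URL(origin).origin;
  const u = new URL(url, base);
  if (method !== 'GET' || u.origin !== base) return 'network-only';
  if (u.pathname.startsWith('/api/')) return 'network-first';
  if (APP_SHELL.includes(u.pathname) || /\.(js|css|png|svg|woff2)$/.test(u.pathname)) return 'cache-first';
  return 'network-only';
}

// Serve a request under the chosen strategy (browser-only; uses the Cache Storage API).
async function handle(request, strategy) {
  const cache = await caches.open(CACHE_NAME);
  if (strategy === 'cache-first') {
    const hit = await cache.match(request);
    if (hit) return hit;
  }
  try {
    const res = await fetch(request);
    if (res.ok) await cache.put(request, res.clone()); // only store successful responses
    return res;
  } catch (err) {
    const stale = await cache.match(request); // offline: fall back to whatever we have
    if (stale) return stale;
    throw err;
  }
}

// Register the event handlers only when actually running inside a service worker.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function' && 'caches' in self) {
  self.addEventListener('install', (event) => {
    // Pre-cache the shell so the app opens even if the first launch after install is offline.
    event.waitUntil(caches.open(CACHE_NAME).then((c) => c.addAll(APP_SHELL)));
  });
  self.addEventListener('activate', (event) => {
    // A new version of sw.js has taken over: delete caches left by previous versions.
    event.waitUntil(caches.keys().then((keys) =>
      Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k)))));
  });
  self.addEventListener('fetch', (event) => {
    const strategy = strategyFor(event.request.method, event.request.url, self.location.origin);
    if (strategy === 'network-only') return; // let the browser handle it as usual
    event.respondWith(handle(event.request, strategy));
  });
}
```

The page registers the worker with navigator.serviceWorker.register('/sw.js'). Browsers only allow this over HTTPS (or localhost), and the install button additionally needs a web app manifest with a name, icons, a start_url and display set to "standalone". The worker deliberately never stores cross-origin or non-GET responses, and the activate step deletes caches from older versions, which is what makes a new sw.js really replace the old shell; bump CACHE_NAME whenever the shell files change.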


PWAs are a very nice way to eliminate the disadvantages of today’s web applications and make them look and feel like native apps. Being always up to date and still usable when the Internet connection breaks makes them a real competitor to fat native client software.

Modern Workplace Management

As discussed in the previous blog post (The Modern Workplace), the requirements for today’s end user computing devices have changed significantly. Let’s view these developments from a management perspective. In this blog post we will see why the traditional management approach does not fit modern workplaces well and must be reconsidered.

One significant difference to a traditional workplace is that a modern workplace is highly mobile. Today’s workforce is no longer limited to physical office boundaries or strict working hours, but is used to working from any place and at any time. So it cannot be expected that modern workplace devices are reachable on a well-known, secure network. Actually, these devices will be connected to the Internet for most of their online time rather than to an internal network, and when they will be online is unpredictable. Management concepts that rely on push connections from a management server to a device, and that require a stable connection for transmitting messages and software packages, do not really fit this new scenario.

Another aspect is the diversity of devices and operating systems. Traditional management focuses on Windows devices only. However, Windows PCs are only part of today’s end user computing landscape. We see more and more MacBooks gaining ground in the enterprise space. Beside the diversity among computers, more and more devices with mobile operating systems (iOS and Android) are used to perform work and require management.

This all leads to the following approach differences of management solutions:

Traditional management

  • Actions originate from the management server and are pushed to the endpoints
  • Strict control over when things happen where
  • The end user’s influence is very limited and actually not welcome

Modern management

  • Actions are pulled by the device when it is online and can reach the management server
  • Control over when things happen lies with the end user device
  • Most tasks are conceptually based on end user self-service actions

I will now explain these different approaches with some basic examples:

Operating system patching

In a traditional environment, patches are downloaded from the OS vendor, tested and placed on a management server for push distribution. When the distribution is started, all online endpoints are expected to receive the updates immediately, so after a rather short period of time all endpoints can be considered patched.

In a modern workplace environment, the endpoints are configured to look for patches either directly at the vendor or at an internal management server. Whenever new patches are available, the endpoints start downloading them according to their polling interval and configuration, and install them automatically. However, the polling interval might be several hours, and the download might be interrupted by a loss of connectivity and resumed later. Although the patches are eventually downloaded and installed, the exact point in time when this happens is not predictable. Furthermore, there is no reliable way to push out emergency patches immediately. To reduce patch delays, the polling interval can be shortened, at the price of higher network consumption.

Software distribution

Installing software on an end user device is strictly controlled in a traditional environment, too. Applications are pushed down to the device. For mass rollouts, the push jobs are handled in deployment queues and packages are distributed directly to the endpoints. Again, after initiating the distribution job, the task is expected to be performed on all online endpoints immediately, without delays.

On modern workplaces we have two options for deploying software. The mandatory option prepares the software for installation on the server, but the download and installation are initiated by the endpoint rather than the management server: depending on its polling interval, the client checks for new jobs on the server, downloads the software and installs it if it is prepared for it. The exact point in time when this will happen is not predictable.

The second option is to offer the software in a self-service portal. In this case the users decide themselves when to install the software. The assumption is that end users can judge best when the time is appropriate, as they know their current connectivity and their further plans and working schedule.

Software updates

Traditionally, software updates are pushed out to the endpoints just like OS patches or new software installations. On a modern workplace we also use modern packaging technologies, which include auto-update functionality: the software checks for updates itself and keeps itself up to date without any operator intervention. This is very handy, as no effort has to be spent on packaging updates and sending them out to the endpoints. On the other hand, control over exactly when the endpoint updates a specific software package is lost.

The bottom line is that in a traditional environment all devices are expected to have all required changes applied (otherwise a distribution is considered failed and requires investigation). In a modern workplace management environment the situation is not that simple. The operator can define a so-called “desired state”, but whether the endpoint has (already) applied that state cannot be guaranteed. To mitigate the risks arising from the fact that not all changes may have been applied yet, the concept of a “compliant state” was introduced. An endpoint is considered compliant when all defined requirements are met. If a certain software package or security patch is required, its installation can be configured as a compliance criterion; as long as an endpoint has not installed the patch it is considered non-compliant. Based on this information, access to certain sensitive resources can be restricted.
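What the “compliant state” looks like when written down, as an added example that is not part of the original post: a desired state (required patches, minimum OS build, disk encryption) is evaluated against what each endpoint reported at its last check-in, and an endpoint that has not reported within the polling window is treated as unknown rather than compliant. All device records and patch identifiers are constructed sample data.

```python
"""Added example (not from the original post): evaluate a pull-based desired state
against endpoint reports and derive a compliance/access decision from it.
Device records, patch ids and thresholds are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Rule:
    required_patches: frozenset      # patch ids that must be installed
    min_os_build: int                # lowest acceptable OS build
    require_disk_encryption: bool
    max_checkin_age: timedelta       # older reports are treated as unknown, not as compliant


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    installed_patches: frozenset
    os_build: int
    disk_encrypted: bool
    last_checkin: datetime           # when the device last pulled policy and reported inventory


def evaluate(rule, report, now):
    """Return (state, reasons) with state 'compliant', 'noncompliant' or 'unknown'."""
    age = now - report.last_checkin
    if age > rule.max_checkin_age:
        # The endpoint has not polled for longer than we tolerate: we only know its
        # last state, not its current one, so we refuse to call it compliant.
        return "unknown", [f"last check-in is {age} old (limit {rule.max_checkin_age})"]
    reasons = []
    missing = sorted(rule.required_patches - report.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    if report.os_build < rule.min_os_build:
        reasons.append(f"OS build {report.os_build} below minimum {rule.min_os_build}")
    if rule.require_disk_encryption and not report.disk_encrypted:
        reasons.append("disk encryption disabled")
    return ("compliant" if not reasons else "noncompliant"), reasons


def access_decision(state):
    """Conditional-access style gate: only a positively compliant device gets through."""
    return "allow" if state == "compliant" else "deny"


# Constructed sample data (not real devices or patch identifiers).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
RULE = Rule(frozenset({"KB5000001", "KB5000002"}), 19044, True, timedelta(hours=24))
REPORTS = [
    DeviceReport("LAPTOP-01", frozenset({"KB5000001", "KB5000002"}), 19045, True, NOW - timedelta(hours=1)),
    DeviceReport("LAPTOP-02", frozenset({"KB5000001"}), 19045, True, NOW - timedelta(hours=6)),
    DeviceReport("LAPTOP-03", frozenset({"KB5000001", "KB5000002"}), 19045, True, NOW - timedelta(days=3)),
    DeviceReport("LAPTOP-04", frozenset({"KB5000001", "KB5000002"}), 19043, False, NOW - timedelta(hours=2)),
]


def run_sample():
    """Evaluate every sample report; returns {device_id: (state, decision, reasons)}."""
    result = {}
    for r in REPORTS:
        state, reasons = evaluate(RULE, r, NOW)
        result[r.device_id] = (state, access_decision(state), reasons)
    return result


if __name__ == "__main__":
    for dev, (state, decision, reasons) in run_sample().items():
        print(f"{dev}: {state:12s} -> {decision}  {'; '.join(reasons)}")
```

Run it to print one line per device. The stale-report rule is the caveat behind the paragraph above: because the endpoint decides when it pulls policy, the server only ever knows the last reported state, so an access decision should fail closed on stale data instead of trusting an old “compliant”.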


While traditional management is based on strict control and expects the endpoints to be reachable at any time, modern concepts must deal with endpoints that are online on the Internet only now and then. This is why the decision when things are performed has moved from the management server to the endpoint: based on polling intervals, jobs are collected from the server and fulfilled asynchronously. To make sure that only endpoints meeting the required security criteria may access resources, compliance states can be configured.

The Workplace and Collaboration Multiversum

The core components of a modern office workplace are mainly the device, its operating system including management, a productivity software suite and a collaboration solution. As of today we see three big players on that market with three different solutions and ecosystems:

  • Apple including the iCloud
  • Microsoft and Office 365
  • Google and G-Suite

Although comparable and sometimes possible to combine, these three ecosystems come from totally different backgrounds which explains their feature set and focus.


What you must keep in mind when discussing the Apple solution is that Apple is a hardware company. Everything on top exists only to sell (more) hardware. This explains why Apple’s approach is still hardware-centric instead of web-centric. The Apple ecosystem contains three types of devices: the Mac on macOS as well as the iPad and iPhone on iOS. The main purpose of iCloud is to provide a seamless user experience across all Apple devices. Even for collaboration the Apple approach is still very device-centric, providing client software for most of their services, sometimes only for Apple operating systems (for instance FaceTime).

Although Apple limits the use of its services to its own operating systems and devices, the Apple platform is open to other productivity and collaboration suites. Remember, Apple is a hardware company; it is not Apple’s aim to sell services. This is especially true for enterprise clients: Apple actually does not want large corporations to use iCloud services, as they are considered consumer-oriented. There is no iCloud for Business option. It seems that Apple is not willing to invest in its services to reach an enterprise-grade service level. Apple even removed the option to log in to macOS with iCloud credentials, for fear of being held responsible if millions of users could not log in to their devices should the iCloud service fail.


As we all know, Microsoft is originally a software company. They expanded to services only recently, and their hardware efforts are more about providing a reference model of what can be done with their software and services. Their new CEO recognized that the future of software sales lies in the cloud on a subscription basis rather than in on-premise installations based on perpetual licenses. Although their efforts to position Office 365 as the center of their ecosystem look promising, the legacy of clients with on-premise instances of Microsoft software is still evident. The Microsoft solution works best with Windows 10 and a locally installed Microsoft Office as complementary components to the Office 365 cloud services.

Microsoft understood that the general ecosystem is more important than the platform. This is reflected in the recent reorganization of the Microsoft divisions, where Windows is now part of the cloud organization and no longer a business unit of its own. Microsoft’s cloud services can now be consumed on any platform, be it Windows 10, iOS, macOS or Linux. Not with complete feature parity, though.

In contrast to Apple, Microsoft’s most important target client group are enterprises. Due to Microsoft’s strong background in the enterprise business, Office 365 and its underlying Azure infrastructure are designed with enterprise requirements in mind.


Google on the other hand is a natural service company, born on the Internet. The only function of Google’s hardware and software is to bring more users to their services. Therefore it is not very surprising that all Google services are web-based and can be consumed from any device. To guarantee a consistent user experience across all platforms, Google provides its Chrome browser as the interface to its services. Google is strong in the consumer and education business, but still weak in the enterprise area. Especially in Europe, data protection is an important topic and does not seem to be addressed properly by Google.


Three ecosystems that come from three totally different roots but have the same goal: Apple, a hardware company, providing software and services as added value for its hardware; Microsoft, a software company that needs the service business for further growth; and Google, a service company that provides hardware just to let consumers use its services. Keeping the business models of these providers in mind explains their focus and strategy.

Why Directory as a Service is important for the modern workplace

In the majority of today’s enterprise environments, Microsoft Active Directory is used as the primary directory service. This has worked very well for the past 17 years, thanks to its ability to centralize user and device management and to provide a clear hierarchical structure of enterprise resources.

However, today’s modern workplace introduces new requirements that are hard to meet with traditional concepts. To understand these challenges a little better, let’s first discuss the main tasks of a directory service:

  • Authenticate users
  • Authorize users to applications

A traditional on-premise directory service like Microsoft AD fulfills these tasks well as long as we are mainly dealing with non-mobile desktop computers and internal applications on a corporate network.

But today’s world is different.

The mobile workforce is not only using mobile computers like laptops or MacBooks; more and more it does not use computers at all, but mobile devices like tablets and smartphones. Although mobile accounts (cached Active Directory logons) are a workaround for the fact that more and more computers are not connected to the internal network when users log on, admins know the pain of cached credentials and the consequence of hanging machines waiting for timeouts while trying to reach a domain controller. The problem has even grown since laptops are just put into sleep mode rather than shut down.

Beside user behavior, the application landscape has also changed dramatically. Client/server applications are being replaced by web-based apps, which more and more often run off-premise (cloud Software as a Service). While internal client/server software was mainly based on Kerberos authentication, web-based SaaS offerings use different, more Internet-compatible authentication protocols like SAML or OAuth.

In a nutshell, the modern workplace requires a different set of functionality:

  • Support for the mobile workforce on devices connected to the Internet
  • Support for Internet based SaaS applications using SAML/OAuth authentication protocols

Internet-based directory services try to meet these requirements. As their name implies, these directory services are accessible from the Internet and therefore provide authentication services regardless of whether the user is in the internal corporate network or on the Internet. Furthermore, they are designed to federate with SaaS applications and provide single sign-on to internal and external web applications.

Even Microsoft understood the importance of Directory as a Service for the future workplace. Azure AD is Microsoft’s DaaS implementation, highly integrated into the Windows 10 platform. A Windows 10 device can easily be joined to Azure AD; the built-in mechanism lets a user log on to the device with his/her Azure AD credentials. The basic concept is similar to Active Directory mobile accounts: when the device is not online (or cannot reach Azure AD), cached credentials are used to authenticate the user. But this new implementation handles network switches while on standby far better than AD did in the past.

Independent DaaS providers are introducing more OS-agnostic concepts. Jumpcloud, for example, works with pure local accounts and controls them through an agent installed on the device. Local accounts work best in an offline / Internet-based scenario, as they don’t require any network connectivity or reachable infrastructure. The combination of local accounts and central management of them is an interesting best-of-both-worlds approach. Furthermore, as local accounts exist on macOS and Linux too, this solution is not limited to Windows devices.


On-premise directory solutions will have more and more trouble fulfilling the requirements that the modern workplace and application landscape will demand. Introducing an Internet directory or Directory as a Service offering helps to get the best out of the modern workplace and enables the seamless integration with Internet-based SaaS applications.

How important is the client OS any more?

As I mentioned in one of my older posts, the client operating system is becoming less and less important in today’s IT world. But how important is a standardized client OS still for enterprises?

Up to today, enterprises’ workstation rollout strategy has been based on a corporate OS build that includes all relevant policies and settings. Any application package can rely on this standardized OS and its specific features. This was best practice for years, even decades, but is it the answer to the challenges the new way of working introduces to the corporate world?

I am not so sure about that and I think this paradigm needs to be reviewed!

With bring your own device, mobility and social collaboration, new end user devices are used for corporate applications. Most of these devices come with their own operating system and may or may not be manageable. Some CIOs still believe they can cope with this challenge by simply prohibiting these new devices, which is more ostrich politics than a future-proof concept.

While I don’t say that a standardized OS platform is a bad thing, I think today’s applications must no longer rely on it. They must be robust enough to cope with any underlying OS configuration to be ready for the future.

Infrastructure is a commodity and is therefore becoming more and more diverse. This means specific OS vendors, versions or settings must become less and less important to the applications running on top of them!

Let’s talk about clouds – seriously!

“A cloud is a visible mass of liquid droplets or frozen crystals made of water, various chemicals (or water and chemicals) suspended in the atmosphere above the surface of a planetary body.” – Wikipedia

Today, I would like to discuss this topic from a slightly different angle. As you might know, clouds are organized in layers. Let’s discuss these layers and how they affect us.

Moderate vertical

This is the lowest cloud layer and the one that affects us most. The most important clouds on this layer are the cumulus clouds, the type of cloud everyone thinks of when we talk about clouds. They come with a rather flat base and a fluffy-looking top, which can fire our imagination about their shapes.

Single cumulus cloud

Cumulus clouds, or cumuli, mainly form from spring to fall. They are usually caused by thermals, which arise when a spot on the ground is warmer than its surroundings. The air above this hot spot is warmed and, because warm air is lighter than the cooler air around it, starts rising. As it rises it cools, until at some altitude the water vapor it contains condenses: this is where the cloud base forms. The rise is finally stopped by a so-called inversion, a layer in which the air gets warmer with height, which caps the top of the cloud. Because the condensation level is the same across an area, all cumulus clouds in that area have their base at the very same altitude.

Set of cumulus clouds, all on the same altitude

But, what are they good for? What are their use cases?

There are two user groups that are interested in cumulus clouds: farmers and glider pilots.

Farmers, because cumuli might mean rain (depends on proper sizing) and glider pilots, because the thermal up-wind, which caused the cumulus cloud, is a perfect up lift.

Let me say a few words about sizing…

When cumulus clouds become oversized (more and more warm air rising from the ground brings more condensed water into the cloud), the clouds start towering. They can tower up to very high altitudes, so they are then referred to as towering cumulus clouds. If they reach a certain size, the internal forces basically break through and a thunderstorm is the final result. Those clouds are then called cumulonimbus.

Low layer

The clouds on the low layer are mainly stratus clouds. While cumulus clouds are objects with more or less well-defined borders, stratus clouds are more like a sea of clouds without an end. Stratus clouds arise when moist air cools and can no longer hold its water, which then condenses into that “cloudy layer”. When stratus clouds touch the ground, they are called fog!

Stratus cloud layer from above

Middle layer

Middle-layer clouds carry the prefix “alto” to indicate that they reside on a higher layer than the clouds discussed before. Depending on their origin, they are called altocumulus, altostratus, and so on.

High layer

The cloud family on the high layer is called cirrus. Cirrus clouds consist of ice crystals, which give them their beautiful shapes.

I hope you enjoyed reading about some other aspects of clouds. And, by the way, it’s April Fools’ Day today!