Modern workplace management with Enterprise Mobility + Security- part 2

In this series of 3 posts I discuss what I see as the modern way of workplace management. In the first post I defined the workplace. Now I would like to start with identity and add the Enterprise Mobility + Security products of Microsoft to the mix.

Identity:

Since network boundaries are disappearing, identity is the most important part of today’s workplace management. In the past, the Local Area Network was the perimeter to secure: firewalls and the local network boundary were where security was applied. With the adoption of cloud services and external content sharing, the original perimeter has been extended to the outside world and the LAN perimeter is fading. What is left to secure is the identity.

First of all, how do you make it easy for users to access cloud services, preferably with Single Sign On, i.e. using the on-premises credential? You extend Active Directory to the cloud, and what better place to do that than Azure AD. Yes, I’m prejudiced, but one of the big advantages is the fact that Microsoft collects a lot of information regarding logons (around 350 billion authentications), logon behaviour, suspicious logons, botnets and breaches at major public services (LinkedIn, years ago, is one of them). Microsoft uses that information to improve its services, and thus the services its customers use. Check out Brad Anderson on YouTube talking about the Microsoft Intelligent Security Graph.

With identity becoming this important, you want to know who is accessing your services and, even when it appears to be the right person, you sometimes want extra assurance. A couple of steps further, you want to risk-assess a person and use that rating or profile to enforce specific policies.

The first Layer of Control is regarding identity. Some of the controls are:

  1. Multi-Factor Authentication: an extra layer of security on top of a password. Azure MFA is a cloud service which is very easy to adopt. MFA can be turned on per user, so every time that user accesses services via Azure AD, that user will hit MFA. More granularly, it can also be turned on per app, in combination with Conditional Access. When MFA is turned on, Azure AD still checks your domain password but no longer accepts it on its own; it expects a second factor as well. This can be a text message with a code, a phone call where the user pushes the # key, or the Microsoft Authenticator app on a device. It works with cloud services but also with your on-premises environment and even with 3rd party hardware tokens. More details can be found here. Just turning on Azure MFA provides a higher level of identity protection. Be aware that in order to use MFA, you need to enable “Modern Authentication” in your Azure environment on Exchange Online and Skype for Business Online. Also be aware that not all clients understand Modern Authentication/MFA, for example Apple Mail, Thunderbird and older Office apps. Such legacy-authentication clients never see the MFA prompt: they either fail to sign in or use an app password, which is a single static secret, so either block legacy authentication or accept that those clients sidestep the second factor. More details on modern authentication and Microsoft clients can be found here.
  2. Azure AD Identity Protection: to put it (too) simply, Azure AD Identity Protection is a cloud-based layer of control which helps you detect potential identity vulnerabilities and lets you define automated actions for them. More details can be found here. At the Azure level, Microsoft can see which identities are trying to log on, from which IP address and location, and can, for example, compare that to the last logon (remember the Intelligent Security Graph). Based on many variables, a user risk level and a sign-in risk level are calculated. As a result, a user logging on in the morning in Los Angeles and 3 hours later from an IP address in Madrid can be rated as a high-risk sign-in; that login could be blocked or the user could be required to pass MFA. Here a very important tool comes in to put an extra layer of control on securing the identity:
  3. Conditional Access: with CA it is possible to set up policies that combine several conditions with controls. You can combine the layers of control (identity, trusted/untrusted IPs, device compliance, MFA and user risk) to grant or block access to cloud services. Conditional Access is defined as “when this happens, then do this”. The first part is the condition statement and the second part the controls. An example of a statement: “All users, accessing Exchange Online, from all platforms, using browser and desktop apps, are granted access on compliant (Intune managed) devices and when they use MFA.” Another example: “All users, accessing SharePoint Online, from Windows devices, from all networks except trusted IPs, using browser, mobile and desktop apps, are granted access when using MFA.” Combining the layers of control is very powerful and lets you set up a good balance between user friendliness and security. Two practical caveats: when several policies apply to one sign-in, the controls of all of them are enforced and a block always wins, so check the combined effect before enabling a new policy; and exclude at least one emergency-access account from every policy, so that a misconfigured policy cannot lock every administrator out of the tenant.
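The “when this happens, then do this” evaluation from items 2 and 3 above, as an added example that is not part of the original post and not Microsoft’s code: a small Python model of how Azure AD combines several Conditional Access policies for one sign-in. The policy dictionaries follow the field names of the Microsoft Graph conditionalAccessPolicy resource (includeApplications, includeLocations/excludeLocations with “AllTrusted”, clientAppTypes, signInRiskLevels, builtInControls, operator). The application IDs for Exchange Online and SharePoint Online, the trusted IP range, the user names and the break-glass account are assumptions constructed for the example, and the evaluation logic is a simplified model of the documented semantics (block wins, all applicable policies apply), not Microsoft’s implementation.

```python
"""Simplified model of Azure AD Conditional Access evaluation. Added example for
this post, not Microsoft code: the policies use the field names of the Microsoft
Graph conditionalAccessPolicy resource, but Azure AD evaluates them server-side
with more conditions than modelled here (device state, session controls)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known first-party application IDs (assumption: verify in your tenant).
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
# Constructed tenant data: one trusted named location (documentation range)
# and one emergency-access account that every policy excludes.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
BREAK_GLASS = "breakglass@example.com"

@dataclass
class SignIn:
    user: str
    app: str
    platform: str               # "windows", "iOS", "android", "macOS"
    client_app: str             # "browser" or "mobileAppsAndDesktopClients"
    ip: str
    device_compliant: bool      # Intune reports the device as compliant
    mfa_satisfied: bool         # a second factor was presented
    sign_in_risk: str = "none"  # Identity Protection: none/low/medium/high

def policy(name, app, platforms, controls, operator="AND", **extra):
    """Build a policy dict in Graph conditionalAccessPolicy shape."""
    conditions = {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": [app]},
        "platforms": {"includePlatforms": platforms},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        "locations": {"includeLocations": ["All"]},
    }
    conditions.update(extra)
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": operator, "builtInControls": controls}}

# The post's two example statements plus a sign-in-risk policy.
POLICIES = [
    policy("Exchange Online: compliant device AND MFA", EXCHANGE_ONLINE,
           ["all"], ["compliantDevice", "mfa"]),
    policy("SharePoint Online: MFA from Windows outside trusted IPs",
           SHAREPOINT_ONLINE, ["windows"], ["mfa"],
           locations={"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}),
    policy("Block high-risk sign-ins", "All", ["all"], ["block"],
           operator="OR", signInRiskLevels=["high"]),
]

def policy_applies(p: dict, s: SignIn) -> bool:
    """True when every condition in the policy matches the sign-in."""
    c = p["conditions"]
    apps, plats = c["applications"]["includeApplications"], c["platforms"]["includePlatforms"]
    loc, trusted = c["locations"], any(ip_address(s.ip) in n for n in TRUSTED_NETWORKS)
    if s.user in c["users"].get("excludeUsers", []) \
       or ("All" not in apps and s.app not in apps) \
       or ("all" not in plats and s.platform not in plats) \
       or s.client_app not in c["clientAppTypes"]:
        return False
    if loc["includeLocations"] == ["AllTrusted"] and not trusted:
        return False
    if "AllTrusted" in loc.get("excludeLocations", []) and trusted:
        return False
    risk = c.get("signInRiskLevels")
    return not risk or s.sign_in_risk in risk

def evaluate(policies: list, s: SignIn) -> tuple:
    """Combine every applicable policy: a block always wins; otherwise the controls
    of all applicable policies must be met (the operator only combines controls
    inside one policy). Returns (decision, unmet controls)."""
    unmet = set()
    for p in policies:
        if p["state"] != "enabled" or not policy_applies(p, s):
            continue
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls:
            return "block", []
        met = {"mfa": s.mfa_satisfied, "compliantDevice": s.device_compliant}
        results = {ctl: met[ctl] for ctl in controls}
        combine = all if p["grantControls"]["operator"] == "AND" else any
        if not combine(results.values()):
            unmet.update(ctl for ctl, ok in results.items() if not ok)
    return ("grant", []) if not unmet else ("require", sorted(unmet))

def demo() -> dict:
    """Constructed sign-ins; returns case name -> (decision, unmet)."""
    ex, sp = EXCHANGE_ONLINE, SHAREPOINT_ONLINE
    cases = {
        "exchange_no_mfa": SignIn("alice@example.com", ex, "windows", "browser", "203.0.113.10", True, False),
        "sharepoint_untrusted": SignIn("bob@example.com", sp, "windows", "browser", "198.51.100.7", False, False),
        "sharepoint_trusted": SignIn("bob@example.com", sp, "windows", "browser", "203.0.113.20", False, False),
        # Gap: the SharePoint statement is scoped to Windows, so an iOS browser
        # from the internet is granted without MFA.
        "sharepoint_ios_gap": SignIn("bob@example.com", sp, "iOS", "browser", "198.51.100.7", False, False),
        "impossible_travel": SignIn("carol@example.com", ex, "windows", "browser", "198.51.100.9", True, True, "high"),
        "break_glass": SignIn(BREAK_GLASS, ex, "windows", "browser", "198.51.100.9", False, False),
    }
    return {name: evaluate(POLICIES, s) for name, s in cases.items()}
```

Running `demo()` shows the two statements from the text plus a risk policy at work: the Exchange sign-in without a second factor comes back as “require mfa”, the high-risk sign-in is blocked even though MFA and device compliance are both satisfied, the break-glass account is untouched by every policy, and the iOS case shows why scoping a policy to one platform leaves a gap that any platform you did not list walks straight through.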

Client apps/cloud services:

The second layer of control covers client apps and cloud services. The first control here is the pre-built app-based Conditional Access policy for Exchange Online and SharePoint Online. With it you can force users to use specific Intune-manageable apps, like the Outlook app, to access your Exchange environment. Yes, this is tied to the mobile Android and iOS apps. Again, you can force users towards Outlook by enabling MFA, since Outlook understands Modern Authentication/MFA. And why would you want to do this, you ask? Very good question; read on about another great feature and I will wrap up and give you my thoughts.

Another great tool to secure your apps and cloud services is Mobile Application Management (MAM), provided by Intune for the Microsoft Office apps, desktop and mobile versions. This is a very cool and pretty unique feature. Users keep using their well-known Office apps like Word, Excel and PowerPoint, and you as the organization are able to secure these apps and the data inside them. Read here for more details on the MAM features within the Office apps on Android and iOS. These MAM policies can be configured for the desktop Office apps as well, on Windows 10 Creators Update (1703) with Office 2016 app versions 1705 and above. Essentially, with MAM you can protect your Office apps on Windows, Android and iOS. An example of what you can do with MAM is blocking data copied in Word from being pasted into a personal app on the device, or requiring a PIN when opening the apps. This way you prevent data leakage.

Why do I think the client apps/cloud services layer of control is such a big deal? Exchange/email is a good example. Within many organizations, users are handed a corporate laptop/desktop. That device has a very locked-down image where a lot of settings and features are disabled, the user cannot install anything and in many cases the user experience is poor. Within those same companies, you can take any (mobile) device, any browser and any email client, connect to the company’s Exchange environment and download the inbox (create an .OST) or use OWA. User experience wise: great! Security wise: maybe not so great. Data and information we send via email is often very sensitive and I’m sure you don’t want it cached on a device with no layer of control.

This case of Exchange also keeps me busy: how would I let my users connect to my Exchange environment (assuming I had a company and employees)? For sure I would want some sort of control. At the very least I would enforce the Outlook app and set a PIN on it (maybe even an app PIN regardless of whether a device PIN is in place). I would disable copy/paste from the Outlook app to other, unmanaged apps, like the device’s notes app. And maybe I would add Conditional Access to the mix to enforce MFA when there is a high-risk user profile or the user is at home. Maybe, nowadays, I must consider email so sensitive that I require enrollment of the device in Intune. Maybe I would want the “corporate data wipe” control in case something bad happens. Of course, I would still want the MAM policies in place.

I’m aware this won’t fully protect me against intentional data leakage or fraud; I doubt there is a set of tools that protects you against that. Think about the simple camera in your phone. However, the identity layer of control and the client apps/cloud services layer of control are a very good start and most likely more than what a lot of customers currently have.

Next, Modern workplace management with Enterprise Mobility + Security- part 3

A big change: from VMware to Microsoft

After 9+ years at VMware, I decided to change companies and moved over to Microsoft. At VMware, I worked as a Sr. Specialist Systems Engineer End User Computing. I will fulfill a similar role at Microsoft as a Technology Solutions Professional Enterprise Mobility + Security. In this role I will cover Azure AD, Azure Information Protection, Identity, Office Workspace and Mobility-Intune.

I’m truly excited to be working for Microsoft and eager to learn more about all it offers around Enterprise Mobility + Security.

Although I love End User Computing in general (everything VMware, Citrix and Microsoft have to offer), I will change the content of Bright-Streams more towards Microsoft technology…obviously. I will keep on making (Microsoft’s) End User Computing technology simple to understand and explain what it can do for you.

Enjoy!

“Links” section update Bright-Streams

Today I updated the “links” section on Bright-Streams. Products have been added to the VMware End User Computing portfolio over the last years, and I added links to these product, technical resource and blog pages.

I also would like to mention the new whychooseview.com website VMware launched recently. Videos, blog posts (also 3rd party) and other content are available there. Do check it out.

The updated links cover the following products:

  • VMware Corporation
  • VMware End User Computing
  • VMware View
  • VMware ThinApp
  • Zimbra
  • VMware Horizon App Manager
  • VMware Mirage
  • VMware Socialcast
  • Horizon Mobile

The Post-BlackBerry Era

A great article has been posted on the VMware CTO Office’s blog site by VMware’s Srinivas Krishnamurti.

http://cto.vmware.com/the-post-blackberry-era/

Personally, I still think Horizon Mobile is the way to go for mobile devices. Yes, Mobile Device Management tools could help enterprises a lot, but is that the way to go? Would you allow enterprise management tools on your own personal mobile device, even if you use that device for work-related activities?

Personally, I wouldn’t accept that. However, a corporate phone pushed on top of my own phone as a virtual machine... yes, I could deal with that, assuming my employer doesn’t have access to the “personal side” of my phone: my phone, my Facebook (oh wait, I don’t use FB), my Twitter, my private email, Google+ etc. With Horizon Mobile, that’s the case.

Again (people keep asking this): will Horizon Mobile move to iPhone, iPad and other tablets? I really can’t tell. My wish: yes, now, please. In fact, I would prefer Horizon Mobile to become available on tablets rather than on phones, but that’s a very personal opinion.

Before I forget (and I have had several discussions about this before): I see Horizon Mobile as a great solution to separate work and private activities on one single device. I’m not discussing mobile devices as an access point to virtual machines and pushed corporate apps etc. That’s a whole different story.


ThinApp Setup Capture; Basics (video included)

A little while ago I wrote an article about one of the best-kept secrets of VMware: ThinApp. I wrote about what ThinApp is, how it fits in the End User Computing vision and what the features are.

Today, I would like to continue and show you the basics of virtualizing an application using ThinApp. I created a video in which I virtualize Mozilla Firefox and show all the steps of creating the virtual “bubble”. Many people haven’t seen or touched ThinApp and I would like to show you what the process is, the steps to take. I won’t discuss details and features; this is purely about the basics. More information on the details will follow shortly.

So, where to start…

For anyone who is interested in trying out ThinApp, you can download a trial. Click here for your 60-day evaluation.

After downloading the software, you need a machine to “capture” your application and create your virtual applications. Personally, I use virtual machines on VMware Fusion. VMs are great for ThinApp-ing: create a snapshot of your VM and you can install, change, do whatever you want, and after you’re done, revert to the snapshot and go ahead with the next application. You can package on Windows XP or Windows 7. Choose the OS which is the “oldest” in your environment: if you have a mixed XP and W7 environment and want a package to run on both, package the application on XP. Keep this machine as clean as possible, because Setup Capture works by comparing a pre-install scan with a post-install scan of the file system and registry, and anything that changed in between, including unrelated updates or background installers, ends up in the package. Install patches and leave it like that. After that, install the ThinApp Setup Capture application and, lastly, take a snapshot.

Right, you are good to go. Pick your application and follow the steps in the video.

Again, I’m not touching details like entry points, data container, isolation modes, AppLink and ThinDirect. I will blog about those soon. In case you want to read ahead, see below for more information:

Entry points/Data container

Isolation Modes

ThinDirect

Enjoy creating your first ThinApp package!

A video tour through VMware View Manager; Overview

VMware View Manager is an enterprise-class virtual desktop manager. It is the place for desktop administrators to provision pools of VMs, entitle users to pools and deploy virtualized applications (ThinApps).

I bet there are still a lot of people who haven’t seen or touched the View Manager console. With this video, I want to give you an overview of what it looks like, how navigation via links works and how you can find information about users, pools and your environment.

This video is part 1 of multiple videos. I will cover other topics with videos as well. Stay tuned.

Videos coming up

I have noticed a lot of people haven’t seen or touched VMware View Manager, ThinApp Setup Capture etc. Of course I can talk and write articles about them, but people also like to see what they look like: the interface, the buttons...

My plan is to add videos (where I can and it is beneficial, of course) to articles, to give people a better idea what I’m talking about.

If you have an idea about a short video, let me know and I will see if I can make it work.

Get the overview; VMware End User Computing vision

VMware View and ThinApp have been around for a while now. They are about virtualizing desktops and current Windows applications. All pretty straightforward and easy to understand and to give a place in your environment.

Suddenly, a whole set of new products was announced: Horizon App Manager, Appblast, Sliderocket, Octopus, Mozy, Zimbra and Socialcast. I can hear you think: where do these products fit in my organization, in my strategy for the coming years?

I can imagine everything around End User Computing is going very fast. I have noticed people hear about the different new products but don’t have the clear overview: what’s the goal and what are the steps to get there? What’s VMware’s End User Computing vision? It’s been out there for a little while, but maybe it can’t hurt to discuss it again.

The vision starts with the end goal, the platform for the Post-PC Era. This platform is built on 3 pillars:

  • Simplify
  • Manage
  • Connect

“Simplify” is all about freeing up end user assets from backend silos and transforming them into managed services.

After you have simplified the backend, you can define a new central hub where IT sets policies on who gets what, when, on which device and with which security policies: the “Manage” pillar.

The “Connect” pillar is about the user connecting with the device of choice and getting the right applications and data.

To get to this Post-PC Era platform, there is a 3-step journey ahead:

  • Improve what you have,
  • Embrace the Cloud,
  • Escape to the Cloud.

During the “Improve what you have” phase, you virtualize as much as possible. Use VMware View to turn the desktop into a managed service; this gives you central management/security and universal access. Also, virtualize as many Windows applications as possible with VMware ThinApp. Decouple the PC layers (hardware, OS, applications and user) with virtualization.

The second step is “Embrace the Cloud”: embrace Horizon App Manager. With App Manager you can create a central application store for all your applications: mobile, SaaS, Windows and virtualized applications. It is also a central place to set policies: security, management and provisioning policies. When you have to replace certain applications, replace them with SaaS apps; these new SaaS apps can easily be placed in Horizon App Manager.

“Escape to the Cloud” means you are moving more and more services into the cloud, which in this case can be private and/or public. Decommission applications when needed and choose a new service from the cloud. Also think about Project Octopus and Appblast, Zimbra, Socialcast and Sliderocket.

So, there is a journey with steps to take to get to the Post-PC Era platform. Sometimes the lines between steps are thin: Sliderocket, for example, can be of interest in step 2 for some customers and in step 3 for others. The journey is a guideline. If you would like to see Vittorio Viarengo explain the vision, take a look here.