Delivering traditional File Server Workloads in a secure manner to modern devices

Kenny Buntinx, Tim De Keukelaere

ITPROCEED, Workplace Mobility track. 36 slides, posted 09-Aug-2015 by itproceed.

TRANSCRIPT

Page 1: ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a secure manner to modern devices

Tweet and win an Ignite 2016 ticket #itproceed

Delivering traditional File Server Workloads in a secure manner to modern devices

Kenny Buntinx, Tim De Keukelaere

Page 2:

@KennyBuntinx

http://be.linkedin.com/KennyBuntinx

http://scug.be/blogs/sccm

Page 3:

@Tim_DK

http://be.linkedin.com/in/timdekeukelaere/

http://scug.be/tim/

Page 4:

Microsoft NDA Confidential

What are Work Folders ?

System Architecture and server deployment

Client deployment

Behind the scenes

Troubleshooting

Data protection and security

Pages 5-7: (no text extracted)

Page 8:

individual data | file server | devices | wherever | remaining in compliance

Page 9:

“Work Folders is a brand new direction for enabling access to data in offline scenarios, along the lines of Citrix ShareFile, OneDrive for Business and Dropbox, but without the cloud and sharing features.”

Page 10:

(comparison table; the check marks in the first four columns did not survive extraction, only the "Data location" column did)

Solution                                  | Consumer / personal data | Individual work data | Team / group work data | Personal devices | Data location
------------------------------------------+--------------------------+----------------------+------------------------+------------------+-------------------------
OneDrive                                  |                          |                      |                        |                  | Public cloud
OneDrive for Business                     |                          |                      |                        |                  | SharePoint / Office 365
Work Folders                              |                          |                      |                        |                  | File server
Folder Redirection / Client-Side Caching  |                          |                      |                        |                  | File server

Page 11:

USERS can SYNC THEIR WORK DATA to their devices

Users can REGISTER THEIR DEVICES to be able to sync data when IT enforces CONDITIONAL ACCESS

IT can publish access directly through a reverse proxy, or CONDITIONAL ACCESS can be enforced via device registration through the WEB APPLICATION PROXY

IT can configure a file server to provide WORK FOLDER SYNC SHARES for each user to store data that syncs to their devices, including integration with RIGHTS MANAGEMENT

IT can SELECTIVELY WIPE the corporate data from multiple platforms (iOS, WP)

ACTIVE DIRECTORY DISCOVERABILITY provides users with their Work Folders location

Page 12:

- Windows 8.1 and above

- Windows 7 - http://blogs.technet.com/b/filecab/archive/2014/04/24/work-folders-for-windows-7.aspx

  - Domain join is required

- iOS - iPad / iPhone - http://scug.be/sccm/2015/04/10/work-folders-app-for-iphone-finally-released/

- Android ?

Page 13: (no text extracted)

Page 14:

Step 1: Install the Work Folders role

Step 2: Configure the Work Folders server with SSL

Step 3: Configure the Work Folders server for ADFS authentication

Step 4: Set the Relying Party settings in ADFS

Step 5: Configure the Web Application Proxy

Step 6: Create the necessary DNS records

Page 15:

netsh http add sslcert ipport=0.0.0.0:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=My

Page 16:

In order to publish Work Folders with Web Application Proxy, it must use AD FS (OAuth2) authentication instead of Windows Authentication.

You can use PowerShell to configure the Work Folders server for AD FS authentication with the following command:

Set-SyncServerSettings -ADFSUrl <AD FS URL>

Page 17:

# Relying party identifier and display name that the Work Folders clients expect
$ECSIdentifier = "https://Windows-Server-Work-Folders/V1";
$ECSDisplayName = "EnterpriseClientSync";

# Issuance transform rule: look up UPN, display name, surname and given name in AD for the authenticated account
$TransformRuleString = '@RuleTemplate = "LdapClaims" @RuleName = "Ldap" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";userPrincipalName,displayName,sn,givenName;{0}", param = c.Value);' ;

# Issuance authorization rule: permit every authenticated user
$AuthorizationRuleString = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",Value = "true");' ;

Add-ADFSRelyingPartyTrust -Identifier $ECSIdentifier -Name $ECSDisplayName `
    -IssuanceTransformRules $TransformRuleString -IssuanceAuthorizationRules $AuthorizationRuleString `
    -EncryptClaims:$false -EnableJWT:$true -AllowedClientTypes Public;

The Relying Party settings must include the UPN in the claims, since Work Folders uses it to impersonate the user. Unfortunately there is no such file to import, so we used a PowerShell script to create the RP.

Page 18:

$WAPAppName = "EnterpriseClientSync"
$ExternalURL = "https://Workfolders.demolabs.be/"
$BackEndServerURL = "https://Workfolders.demolabs.be/"

# $cert is assumed to already hold the certificate for the external name
# (for example selected from Cert:\LocalMachine\My); the slide does not show how it was obtained.
# -BackendServerCertificateValidation None turns off validation of the backend server's
# certificate on the proxy-to-server leg; ValidateCertificate is the stricter setting.
Add-WebApplicationProxyApplication -Name $WAPAppName -ExternalURL $ExternalURL `
    -ExternalCertificateThumbprint $cert.Thumbprint -BackendServerUrl $BackEndServerURL `
    -ExternalPreauthentication ADFS -ClientCertificateAuthenticationBindingMode None `
    -BackendServerCertificateValidation None -ADFSRelyingPartyName EnterpriseClientSync `
    -UseOAuthAuthentication

Page 19:

Workfolders.demolabs.be

<internalworkfoldersserver>.demolabs.be

Workfolders.demolabs.be
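The six deployment steps above as one script, added here as an example that is not from the deck or its authors. It runs on the Work Folders server and checks its work after each step. The AD FS URL, the share name and path and the user group are assumed values; the external host name is the one the slides use. The relying party script (page 17) runs on the AD FS server and the proxy script (page 18) on the Web Application Proxy, so they are referenced rather than repeated.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slide deck: server-side steps 1-6 with a check after each.
# All host names, paths and group names below are assumptions for a lab.

$ExternalHost = "workfolders.demolabs.be"     # external name used on pages 18-19
$AdfsUrl      = "https://adfs.demolabs.be"     # assumed AD FS address (not on the slides)
$ShareName    = "Sales"                        # assumed sync share name
$SharePath    = "D:\WorkFolders\Sales"         # assumed data directory
$SyncUsers    = "DEMOLABS\WorkFoldersUsers"    # assumed security group allowed to sync

# Step 1: install the Work Folders role service (feature name FS-SyncShareService).
if (-not (Get-WindowsFeature -Name FS-SyncShareService).Installed) {
    Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools | Out-Null
}

# Create the sync share. -RequireEncryption and -RequirePasswordAutoLock are the
# device policies behind the deck's "Data protection and security" topic: a client
# that does not encrypt the Work Folders data and enforce a lock-screen password
# is refused sync.
if (-not (Get-SyncShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SyncShare -Name $ShareName -Path $SharePath -User $SyncUsers `
        -RequireEncryption -RequirePasswordAutoLock | Out-Null
}

# Step 2: bind the server certificate to 0.0.0.0:443 (same netsh call as page 15).
# The certificate must carry the external name, because that is what clients and
# the proxy validate. Newest matching certificate in the machine store wins.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ExternalHost*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $ExternalHost in Cert:\LocalMachine\My" }

$bound = netsh http show sslcert "ipport=0.0.0.0:443" | Out-String
if ($bound -notmatch $cert.Thumbprint) {
    netsh http add sslcert "ipport=0.0.0.0:443" "certhash=$($cert.Thumbprint)" `
        "appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}" "certstorename=My" | Out-Null
}

# Step 3: switch from Windows authentication to AD FS (OAuth2) so the proxy can
# pre-authenticate. The deck writes Set-SyncServerSettings; the SyncShare module
# cmdlet as I know it is Set-SyncServerSetting (verify with Get-Command -Module SyncShare).
Set-SyncServerSetting -ADFSUrl $AdfsUrl

# Steps 4 and 5 (relying party trust in AD FS, publishing through the Web
# Application Proxy) are the scripts on pages 17 and 18, run on those servers.

# Step 6: DNS. Externally the name must point at the proxy, internally at this
# server (or the proxy); check resolution and TLS reachability from here.
$dns = Resolve-DnsName -Name $ExternalHost -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "$ExternalHost does not resolve from this server" }
$tcp = Test-NetConnection -ComputerName $ExternalHost -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP 443 to $ExternalHost is not reachable" }

# Final state: the share exists and both device policies are on.
Get-SyncShare -Name $ShareName |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
```

The two policy switches on New-SyncShare are the part most deployments forget: without them the server happily syncs corporate data to an unencrypted, unlocked personal device, and the selective wipe described on page 11 has less to protect against.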

Pages 20-21: (no text extracted)

Page 22:

• Manual

• Opt-in

• Mandatory

http://scug.be/nico/2013/09/13/manage-work-folders-with-configuration-manager-2012-r2/

Page 23:

1. Local change detected

2. Initiate sync session with server

3. Upload file to server

4. Server applies change to data dir

5. Sync initiated by second client

6. Download file from server

7. Client applies change to data dir

• Client is limited to one partnership per user per device

• Client always drives sync

• The device applying the change is responsible for conflict resolution

Page 24: (no text extracted)

Page 25:

On the Web Application Proxy:

Applications and Services Logs\Microsoft\Windows\Web Application Proxy\Admin

On the ADFS Server:

Applications and Services Logs\ADFS\Operational

Page 26:

On the client:

Applications and Services Logs\Microsoft\Windows\WorkFolders\Operational

For the end user:
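An added example, not from the deck or its authors: a PowerShell function that pulls the last day's critical, error and warning events from the channels listed on pages 25 and 26. The Event Viewer paths on the slides are display names, so the function finds the underlying channel names with a wildcard Get-WinEvent -ListLog instead of hard-coding them; the wildcard for the AD FS channel ("*AD FS*") is an assumption to verify on your AD FS server.

```powershell
# Added example, not from the slide deck. Channel-name wildcards are assumptions;
# run Get-WinEvent -ListLog "*" on each box once to confirm the real names.
function Get-WorkFoldersEvents {
    param(
        [ValidateSet("Client", "WAP", "ADFS")] [string] $Role = "Client",
        [int]    $Hours        = 24,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Map the three roles from the slides to a channel-name pattern.
    $pattern = switch ($Role) {
        "Client" { "*WorkFolders*" }          # Microsoft-Windows-WorkFolders/Operational
        "WAP"    { "*WebApplicationProxy*" }  # Web Application Proxy\Admin channel
        "ADFS"   { "*AD FS*" }                # assumption: AD FS channels start with "AD FS"
    }

    # Disabled analytic/debug channels raise errors on query; skip them and anything empty.
    $logs = Get-WinEvent -ListLog $pattern -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }
    if (-not $logs) {
        Write-Warning "No event channel matching '$pattern' with records on $ComputerName"
        return
    }

    foreach ($log in $logs) {
        Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = $log.LogName
            Level     = 1, 2, 3                     # critical, error, warning
            StartTime = (Get-Date).AddHours(-$Hours)
        } | Select-Object TimeCreated, LogName, Id, LevelDisplayName,
                @{ n = "Message"; e = { ($_.Message -split "`n")[0] } }   # first line only
    }
}

# Usage (the remote names are placeholders):
#   Get-WorkFoldersEvents -Role Client
#   Get-WorkFoldersEvents -Role WAP  -ComputerName wap01  -Hours 4
#   Get-WorkFoldersEvents -Role ADFS -ComputerName adfs01 -Hours 4
```

Remote queries need the Remote Event Log Management firewall rules open on the target. On the Work Folders server itself, Get-SyncUserStatus -User <user> -SyncShare <share> (SyncShare module) shows the per-device state for one user and is usually the fastest way to tell whether a client ever connected before reading any event log.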

Pages 27-32: (no text extracted)

Page 33:

And win a Lumia 635

Feedback form will be sent to you by email

Give me feedback

Page 34:

Follow Technet Belgium

@technetbelux

Subscribe to the TechNet newsletter

aka.ms/benews

Be the first to know

Page 35:

Thank you!

Page 36:

Belgium's biggest IT PRO Conference