Tweet and win an Ignite 2016 ticket #itproceed
Delivering traditional File Server Workloads in a
secure manner to modern devices
Kenny Buntinx, Tim De Keukelaere
@KennyBuntinx
http://be.linkedin.com/KennyBuntinx
http://scug.be/blogs/sccm
@Tim_DK
http://be.linkedin.com/in/timdekeukelaere/
http://scug.be/tim/
Microsoft NDA Confidential
What are Work Folders ?
System Architecture and server deployment
Client deployment
Behind the scenes
Troubleshooting
Data protection and security
individual data
file server
devices
wherever
remaining in compliance
“Work Folders is a brand new direction for enabling access to data in offline scenarios, along the lines of Citrix ShareFile , Onedrive for Business and Dropbox, but without the cloud and sharing features.“
Comparison columns: Consumer / personal data | Individual work data | Team / group work data | Personal devices | Data location
Data location per solution:
OneDrive: Public cloud
OneDrive for Business: SharePoint / Office 365
Work Folders: File server
Folder Redirection / Client-Side Caching: File server
USERS can SYNC THEIR WORK DATA to their devices
Users can REGISTER THEIR DEVICES to be able to sync data when IT enforces CONDITIONAL ACCESS
IT can publish access directly through a reverse proxy, or CONDITIONAL ACCESS can be enforced via device registration through the WEB APPLICATION PROXY
IT can configure a file server to provide WORK FOLDER SYNC SHARES for each user to store data that syncs to their devices, including integration with RIGHTS MANAGEMENT
IT can SELECTIVELY WIPE the corporate data from multiple platforms (iOS, WP)
ACTIVE DIRECTORY DISCOVERABILITY provides users Work Folders location
- Windows 8.1 and above
- Windows 7 - http://blogs.technet.com/b/filecab/archive/2014/04/24/work-folders-for-windows-7.aspx
Domain join is required
- iOS - iPad / iPhone - http://scug.be/sccm/2015/04/10/work-folders-app-for-iphone-finally-released/
- Android ?
Step 1: Install the Work Folders role
Step 2: Configure the Work Folders server with SSL
Step 3: Configure the Work Folders server for AD FS authentication
Step 4: Set the Relying Party settings in AD FS
Step 5: Configure the Web Application Proxy
Step 6: Create the necessary DNS records
netsh http add sslcert ipport=0.0.0.0:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=My
In order to publish Work Folders with Web Application Proxy, it must use AD FS (OAuth2) authentication instead of Windows Authentication.
You can use PowerShell to configure the Work Folder Server for AD FS authentication using the following command: Set-SyncServerSettings -ADFSUrl <AD FS URL>
$ECSIdentifier = "https://Windows-Server-Work-Folders/V1"
$ECSDisplayName = "EnterpriseClientSync"
# Issuance transform rule: for the authenticated Windows account, look up UPN,
# display name, surname and given name in Active Directory and issue them as claims.
# Work Folders relies on the UPN claim to act on behalf of the user.
$TransformRuleString = '@RuleTemplate = "LdapClaims"
@RuleName = "Ldap"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";userPrincipalName,displayName,sn,givenName;{0}", param = c.Value);'
# Issuance authorization rule: permit every authenticated user.
$AuthorizationRuleString = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# Create the relying party trust for Work Folders; JWT tokens are required for OAuth2 via WAP.
Add-ADFSRelyingPartyTrust -Identifier $ECSIdentifier -Name $ECSDisplayName `
    -IssuanceTransformRules $TransformRuleString `
    -IssuanceAuthorizationRules $AuthorizationRuleString `
    -EncryptClaims:$false -EnableJWT:$true -AllowedClientTypes Public
The Relying Party settings must include the UPN in the claims, since Work Folders uses it to impersonate the user. Unfortunately there is no such file to import, so we used a PowerShell script to create the RP.
$WAPAppName = "EnterpriseClientSync"
$ExternalURL = "https://Workfolders.demolabs.be/"
$BackEndServerURL = "https://Workfolders.demolabs.be/"
# $cert is the external certificate object for Workfolders.demolabs.be,
# selected from the local machine store (Cert:\LocalMachine\My) before this command runs.
Add-WebApplicationProxyApplication -Name $WAPAppName `
    -ExternalURL $ExternalURL -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl $BackEndServerURL -ExternalPreauthentication ADFS `
    -ClientCertificateAuthenticationBindingMode None `
    -BackendServerCertificateValidation None `
    -ADFSRelyingPartyName EnterpriseClientSync -UseOAuthAuthentication
Workfolders.demolabs.be
<internalworkfoldersserver>.demolabs.be
Workfolders.demolabs.be
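Added example (not from the presenters' deck): a post-deployment check of the chain built in steps 2 to 5, one function per server role. The RP identifier, WAP application name and external URL are the deck's; the property names read from Get-SyncServerSettings, Get-AdfsRelyingPartyTrust and Get-WebApplicationProxyApplication are assumed to mirror the Set-/Add- parameters shown above.

```powershell
# Run each function on the server that holds that role (sync server, AD FS, WAP).
$RpIdentifier = "https://Windows-Server-Work-Folders/V1"   # from the deck
$WapAppName   = "EnterpriseClientSync"                      # from the deck
$ExternalUrl  = "https://Workfolders.demolabs.be/"          # from the deck

function Test-WorkFoldersServer {
    # Steps 2/3: a certificate must be bound on 0.0.0.0:443 and the sync server must
    # point at AD FS; without the AD FS URL the server falls back to Windows auth,
    # which WAP cannot pre-authenticate.
    $binding  = netsh http show sslcert ipport=0.0.0.0:443
    $settings = Get-SyncServerSettings            # ADFSUrl property assumed
    [pscustomobject]@{
        SslBindingOn443 = [bool]($binding | Select-String 'Certificate Hash')
        AdfsUrl         = $settings.ADFSUrl
        AdfsConfigured  = -not [string]::IsNullOrEmpty($settings.ADFSUrl)
    }
}

function Test-WorkFoldersRelyingParty {
    # Step 4: the RP trust must exist, issue JWTs and carry the UPN claim that
    # Work Folders impersonates with; encrypted claims would break the OAuth flow.
    $rp = Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier
    [pscustomobject]@{
        Exists             = $null -ne $rp
        JwtEnabled         = [bool]$rp.EnableJWT
        UpnClaimRule       = [bool]($rp.IssuanceTransformRules -match 'identity/claims/upn')
        ClaimsNotEncrypted = -not [bool]$rp.EncryptClaims
    }
}

function Test-WorkFoldersWapApp {
    # Step 5: WAP must pre-authenticate against AD FS with OAuth, not pass-through.
    # The demo script disables backend certificate validation; flag it so it is
    # a conscious decision rather than a leftover.
    $app = Get-WebApplicationProxyApplication -Name $WapAppName
    [pscustomobject]@{
        Exists               = $null -ne $app
        AdfsPreauth          = $app.ExternalPreauthentication -eq 'ADFS'
        OAuthEnabled         = [bool]$app.UseOAuthAuthentication
        ExternalUrlMatches   = $app.ExternalUrl -eq $ExternalUrl
        BackendCertValidated = $app.BackendServerCertificateValidation -ne 'None'
    }
}
```

Any $false in the returned objects maps directly to the step that needs revisiting, which is quicker than waiting for the client to report a sync error.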
• Manual
• Opt-in
• Mandatory
http://scug.be/nico/2013/09/13/manage-work-folders-with-configuration-manager-2012-r2/
1. Local change detected
2. Initiate sync session with server
3. Upload file to server
4. Server applies change to data dir
5. Sync initiated by second client
6. Download file from server
7. Client applies change to data dir
• Client limited to 1 partnership per user per device
• Client always drives sync
• Device applying the change responsible for conflict resolution
On the Web Application Proxy: Applications and Services Logs\Microsoft\Windows\Web Application Proxy\Admin
On the ADFS Server: Applications and Services Logs\ADFS\Operational
On the client: Applications and Services Logs\Microsoft\Windows\WorkFolders\Operational
For the end user:
Thank you!