Cloud OS Week - Empower People Centric IT

As part of the Microsoft Cloud OS Week, Thursday will be the day for learning about everything "desktop" related and how Microsoft can help you shift from looking at managing devices to how you can empower your users with self-service and a seamless experience across devices.

I've been lucky enough to be asked to help out on the day and take over the Virtual Desktop Infrastructure and Remote Desktop Services in Windows Server 2012 session.

http://www.eventbrite.com/event/7530739645/es2/?rank=1

If you're not already signed up to attend the session, I definitely recommend signing up quick and attending as it's sure to be a brilliant day packed full of information from some brilliant MVP's!

Deploying the System Center 2012 Service Manager Console as an App-V package

While at MMS2012 I had a conversation about packaging the System Center 2012 Service Manager Console as an App-V package and whether it had been tried or not.

At the time I couldn't think of any information I'd come across saying that it could or couldn't be done, but knowing that I had previously packaged the 2010 version successfully, I couldn't see why the 2012 version wouldn't be ok.

Well I've finally managed to squeeze some time in to try it and it seems to package and run fine.

After I had tried it, I thought it might be an idea to blog about it for others, but since there are so many steps, writing it up was a bit of a mammoth task.

So I recorded it and stuck it on YouTube!

Not only does this video show you the packaging of the console, which to be honest is a bit boring with nothing really special to see, but I also walk through some of the steps to then create an application in Configuration Manager and deploy it as an App-V package.

The steps I show also include deploying the dependencies for the Service Manager Console and targeting it at an Active Directory group of users rather than a collection of devices.

It also shows installing the application from the ConfigMgr self service portal.

Couple of bits of information shown in the video:

1. When sequencing the application, the Service Manager shortcut isn't captured and needs manually adding.
2. The silent install command I used is:
   setup.exe /Silent /Install:Console /AcceptEula:YES /CustomerExperienceImprovementProgram:NO /EnableErrorReporting:NO /RegisteredOwner:"Registered User"
3. Dependancies Specified in ConfigMgr:
   App-V Client
   SQL Analysis Objects
   Report Viewer 2010

Each of those dependencies have their own requirements and dependencies ensuring the right components get installed depending on the OS and usage.

The App-V sequencing can definately be improved, but it works at the end of the day.

Finally...
This is a DEMO.  I have not tested this to great lengths so ensure you do your own testing before putting this into your live production environment.  There's no warranties from me and no official statement from Microsoft about this being supported either.

MBAM 2.0 plus other MDOP updates

The Redmond machine really is in high gear at the moment as lots of other products and solutions start to recieve tweaks and new features, mainly in preperation for Windows 8 and Server 2012.

One set of tools getting some love is the Microsoft Desktop Optimisation Pack (MDOP).

Microsoft had already previously announced that MDOP was seeing a new component being added called UE-V which along with App-V makes MDOP a desirable solution to have in any environment looking to have a fantastic dynamic desktop, but today MS announced MBAM will also be getting some new features.

The Microsoft Bitlocker Administration and Monitoring (MBAM) will be updated to include new options such as:

• Used Space Only Encryption where only the part of the drive containing data will be encrypted instead of the full disk to save time
• Integration with hardware encrypted hard disks
• Complex PIN enforcement
• Self Service Key Recovery (I would prefer to see some SCSM integration here)
• Management of fully FIPS compliant configurations/designs
• Some SC 2012 Configuration Manager integration for reporting

Microsoft have also promised another update to UE-V very soon but so far during my tests I've seen no issues other than some poor documentation around its setup/configuration (hint... watch out for Offline Files or rather the lack of...)

App-V 5 is in Beta with new features such as shared cache which is amazing for VDI infrastructure.

Advanced Group Policy Management (AGPM) 4.0 SP1 beta is also available with mainly bug fixes and Windows 8/Server 2012 support rather than new features.

DaRT is also getting an update, again mainly to support Windows 8.

Building the TESG Private Cloud Customer Experience Centre - Part 1

Every year my employer holds an event for customers (and potential new customers) to show case what we do and give customers a chance to meet our partner vendors.

This year, nicely coinciding with just after the System Center 2012 release, I landed the brilliant job of setting up something to demonstrate our System Center and Desktop expertise.

And so the concept of the Private Cloud and Optimised Desktop Customer Experience Centre was born.

The goal?

1. To showcase the full System Center 2012 suite
2. To showcase the interactions of each component and how they drive efficiencies
3. To showcase an elastic and easily scalable datacentre that can flex into the Public Cloud
4. To showcase the dynamic desktop with OS, Data, User and Application layers abstracted
5. To showcase BYOD and specifically desktop/application access on tablet devices

Over a couple of blog posts I'll aim to share some of the planning, thoughts and tips & tricks that went into building it.
What I'll not be doing is guides on how to install the different components as there are plenty of them out there, but I will post links to some relevant good guides.

My original test lab was made up of a couple of HP Proliant DL380 G7's with some shared space pinched off the corporate SAN, but as this was going to need to host a lot more and it would need to be "slightly" portable for attending events like the T360 it was time to purchase some upgrades.

1. More memory.  Upgrade from 64Gb per host to 128Gb
2. Dedicated Storage.  iSCSI SAN that would also allow me to show some of the VMM storage management features (N.B. More details on this later, plus some pitfalls to watch out for!)
3. Dedicated Switches.  To show SCOM network management & keep the environment self contained.
4. More NIC's.  The original environment only had 4 onboard NICs, not good enough.
5. Flight case to rack it all in to make it portable (kind of!)

Now that might sound slightly overkill for a test/demo environment.  However, I have a laptop which is quite capable of showing 2-3 of the System Center products at the same time, but this Customer Experience Center had to host the following:

• Active Directory
• Virtual Machine Manager
• Operations Manager
• Service Manager
• Configuration Manager
• Data Protection Manager
• Orchestrator
• App Controller
• SQL 2008 R2 Server
• SharePoint Enterprise Server
• Exchange
• Lync
• ForeFront UAG
• ForeFront TMG
• File Servers
• XenDesktop Mgt Server
• XenDesktop VDI Desktops
• XenApp Mgt Server
• XenApp App Servers
• Remote Desktop Session Hosts
• Remote Desktop Broker/Gateway/Licensing
• RDS/Hyper-V VDI Desktops
• Dedicated Win 7 Admin Workstations
• Citrix NetScaler VM Appliance
• App-V Sequencer Workstations

When you consider that all of this needs to be up and running at the same time, my laptop just wasn't going to cope!

So far this has spread out across 34 VM's and there's still more to come...

This is a quick example diagram that I drew up to show the Hyper-V layout

Once all the hardware components were installed and racked then Hyper-V was the first thing to tackle and all I can say is thank god for Aidan Finn and his blog: http://www.aidanfinn.com/

Lots of useful posts, for example: http://www.aidanfinn.com/?p=10311

I'm going to leave the rest for the next post, but I just want to mention something that came to light when I installed the first System Center component, Virtual Machine Manager.

This is a logical first place to start if you've got the chance to build a private cloud from scratch like I have as you can implement Service Templates for deploying your VM's to help structure the environment and provide servicing and scale out options.

However, I hit a problem almost straight away, I struggled to get it to see my storage provider.

Originally I was ordering a Dell Equalogic iSCSI SAN for the environment, but due to certain disks not being available and increased costs for alternatives I was suggested to look at a DotHill AssuredSAN 2332.

The first thing I did was ask/check it supported SMI-S protocol, which it did as this is what VMM requires for the new features.
However when trying to set it up in VMM, it soon came to light that it only supported SMI-S 1.3 whereas VMM requires version 1.5.

So lesson learnt, make sure that when checking specifications, especially SAN's that you check in detail, right down to the version number!

There is a useful table (I found this afterwards!) that details the supported arrays:
http://technet.microsoft.com/en-us/library/gg610600.aspx

Part 1 - Building the TESG Private Cloud Customer Experience Centre

Part 2 - Service Accounts & Permissions

Part 3 - Installation Guide Links
Part 4 - Partner Solutions & Extensions

MDOP just got even more attractive

Microsoft today announced that along with the next major update to App-V taking it to version 5.0 they would also be adding a new solution to the Microsoft Desktop Optimisation Pack (MDOP) called UE-V.

From the brief blurb from Microsoft that talks about allowing user and application settings to follow the user across multiple devices, it sounds similar to other user setting/state virtualisation products such as those from AppSense, ResSoftware and Citrix etc.

Microsoft have called it User Experience Virtualisation (UE-V) and from the brief video on the Windows Team Blog, it looks like it can synchronise application level setting changes, without the need for logging on and off, fixing the biggest problem of last write wins and roaming profiles.

UE-V also looks to have settings roll back capability for individual applications, meaning if the user messes up an app by fiddling, the service desk can quickly revert it without affecting the whole system, along with other apps by using something like system restore which would.

A more in-depth explanation of UE-V can be found here on the SpringBoard blog.

I must admit, this is looking like a really compelling reason to have MDOP, finally making it something more than App-V with a couple of possibly interesting extras.

This will be going straight into the testlab when I get back from MMS 2012 and I'll make sure to do a full blog post on the installation and usage since this ties in so nicely with the mantra of ensuring a seamless end user experience that I promote to customers when I talk to them.

Oh, Microsoft have also announced that they will be dropping AIS from the MDOP package due to (rather unsurprisingly) low demand and customers preferring enhanced in house services (ConfigMgr, SNOW License Manager, FrontRange Discovery etc).

UE-V Beta Download

App-V 5.0 Beta Download

User Centricity and Licensing

The world of IT is changing.  There is a strong push to move to a much more User Centric approach for software delivery and that means using technology such as delivering an application through RDS or a Citrix Presentation session.  This brings so much simplification in terms of centralised management of the application and updates as well easily controlling user access by groups for example and as long as the number of users the application is available to matches the number of licenses owned for the application then everything is fine... isn't it?


Wrong…

This has to be the top licensing misconception and often comes up in discussions I have with customers.

When an application such as Office, Visio or Project is delivered in this manner then controlling access either via Active Directory groups, or Group Policies etc is not sufficient. This is due to these applications being licensed “per device”. With this license model it means that every device that the user can potentially access (or does access) the remote session with the application in requires a license.

For example;

1. Fred usually uses the Thin Client on his desktop. That’s license number 1 required.
2. He pops into a branch office in the afternoon and logs into a PC and connects to his remote session through a portal. That’s license number 2 needed.
3. He then disappears home early and logs in from home using his iPad. That’s license number 3.

Parking the whole logging in remotely scenario for now as that’s an even bigger amount of possible devices, Fred has the ability to use any device within the organisation to access his remote desktop. Each one of these devices would require licensing for the per device licensed application.

This isn’t just limited to Terminal Services, Remote Desktop Services and Citrix (I know the underlying tech is the same!) scenarios.

This same license model also applies to VDI, you could potentially access a VDI desktop from any device as that’s the benefit. It also applies to app streaming solutions like XenApp and application virtualisation such as App-V and AppWave.

Basically, all the technologies that really push User Centricity and targeting applications at users rather than devices (System Center 2012 Configuration Manager heavily focuses on this).
So really since applications can be delivered to any client device, a per device application license must be obtained for every device the delivery mechanism server has the ability to deliver an application to, not just the person using the desktop application.

One solution to this is AppSense Application Control. While this solution allows you to claw back some control and compliance and is recognised by Microsoft as an official way to control licensing it does have some draw backs.
AppSense Application Control allows you to define the devices that are allowed to run the per device licensed software and block it from running on non-licensed devices, giving you the flexibility of centrally managing and delivering software like MS Project from RDS/XenApp/VDI/App-V methods, but at the same time removes the flexibility that targeting the user and flexible working should bring.

One area that this is vitally important in, in my opinion, though is blocking access to applications licensed in this model when logging in from outside of the corporate network when any device could be used and “in theory” thousands/millions of licenses should be required and you only have your corporate devices covered fully by an Enterprise Agreement for example.

So what can you do?  Well it all depends on the application, the vendor and the licensing model.  There are some agreements and special licensing models that can be potentially useful but they all take some analysis of numbers required, benefits and costs etc.
All I can really advise is:

1. Make sure every application you aim to deliver remotely has it's licensing properly checked before you take the plunge and do it to ensure you avoid any costly compliance challenges.
2. If in doubt, speak to someone who knows.  All application vendors/suppliers will have specialists, check with your account manager to see what they can do to help.

 

App-V improvements in Configuration Manager 2012

I started this post ages ago, but never finished it or posted it.
Rather than it staying in my drafts I'll post it as is, so this may have changed from beta to RC and again may still do upon RTM.

App-V improvements in Configuration Manager 2012
Just a quick post to show some of the App-V & ConfigMgr 2012 integration improvements coming.

Essentially you still need to sequence the application outside of ConfigMgr using the App-V sequencer, then create an application or deployment type from the sequenced information.
The client requires App-V 4.6 SP1.

• You can unpin the content from the ConfigMgr cache (cache improvements)
• You can specify individual components in the app to publish to clients (publishing improvements)
• No requirement to create virtual packages vs physical packages - just now deployment types in the same application
• All DPs are enabled for streaming by default (was separate config process in ConfigMgr 2007)
• Streaming over the Internet supported

There may be some others that I've missed, but this is all I've tracked down so far.