Solving Office 365 Client Deployment Scenarios Dean Yamada | Senior Premier Field Engineer, Microsoft Stephen Hall | Cloud Solutions Specialist, District Computers
Course Topics Solving Office 365 Client Deployment Scenarios 01 | System Center Configuration Manager (SCCM) Deployment Best Practices 02 | Multi-language Deployment Considerations for Office 365 ProPlus 03 | Office 365 ProPlus with Azure Rights Management Services for IRM/Encryption 04 | Controlling access to Office 365 ProPlus & Services 05 | Office 365 and Exchange Migration Troubleshooting Common Gotchas 06 | New Office 365 ProPlus Customizations via Group Policy or XML 07 | New Updating and Repair Command-Line Options for Office 365 ProPlus
New Office 365 ProPlus Customizations via Group Policy or XML Module 6: New Office 365 ProPlus Customizations via Group Policy or XML Dean Yamada | Senior Premier Field Engineer, Microsoft Stephen Hall | Cloud Solutions Specialist, District Computers
Module Overview Security Compliance Manager Critical/Important vs EC & SSLF* Commonly-set Group Policies by large Enterprises Group Policies for Managing Updates Excluding apps XML, App-V and AppLocker Shared computer activation *We’ll define and explain EC & SSLF.
Security Compliance Manager
Security Compliance Manager Security Baselines for Office 2007, 2010, 2013/Office 365 ProPlus Includes Office Security Guide covering the areas of Data Confidentiality, Integrity, Availability and Implementation Security in Office 365 Whitepaper Critical/Important security settings vs Enterprise Client (EC) & Specialized Security – Limited Functionality (SSLF) Where do I find the latest Office 2013/Office 365 ProPlus baselines? Security Compliance Manager Key SCM Features: (From: http://technet.microsoft.com/en-us/library/cc677002.aspx) Baselines based on Microsoft security guide recommendations and industry best practices: These baselines are designed to help you manage configuration drift, address compliance requirements, and reduce security threats. Centralized security baseline management features: These include a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies. Updated security guides: Take advantage of the deep security expertise and best practices in the updated security guides, and the attack surface reference workbooks, to help reduce the most important security risks for your organization. Understanding the new Security Classifications The recommended settings for Critical (formerly Enterprise Client (EC)) environments are for organizations that seek to balance security and functionality. Typical security-conscious enterprises, government departments, and other organizations should start with the Critical recommendations and customize them to meet their individual circumstances and requirements. The recommended settings for Important (formerly Specialized Security - Limited Functionality (SSLF)) environments are for organizations with very stringent security standards, and for which security is more important than application functionality. These settings are designed for organizations and departments with national security responsibilities or that handle highly classified information. You may choose to apply the Important settings to a subset of the computers in your organization, or balance the Critical and Important recommendations to fit your needs. Where to obtain the latest Office 2013/Office 365 ProPlus Security Compliance Manager Baselines (as of this writing): http://go.microsoft.com/fwlink/?LinkID=403023&clcid=0x409 (baseline) http://go.microsoft.com/fwlink/?LinkID=403024&clcid=0x409 (attachments)
a look at the security compliance manager demo As of this writing, you may not immediately find the Office 2013 / Office 365 ProPlus Security Compliance Manager Baselines. In this demo, we’ll show you how to obtain and review the new security baselines and reference material. Where to obtain the latest Office 2013/Office 365 ProPlus Security Compliance Manager Baselines (as of this writing): http://go.microsoft.com/fwlink/?LinkID=403023&clcid=0x409 (baseline) http://go.microsoft.com/fwlink/?LinkID=403024&clcid=0x409 (attachments) a look at the security compliance manager
Commonly-set Office Group Policies seen in the field
Commonly-set Group Policies seen in the field Common customer question, but no two environments are the same Always consider all security-related settings Beyond that, consider these common settings ~2200 settings available, here are the top 40 we most commonly see Best practice tip! – Always check for the latest Office Administrative Templates monthly With so many diverse customer environments, it is difficult to come out with a single article that describes which Microsoft Office group policy settings should be enabled. With that in mind, we must set the expectation that this section is not an official recommendation nor mandatory requirement. This section is an unofficial collection of the most common settings that we see customers implement. Always consider all security-related settings and then consider the settings discussed here. In no particular order, consider the following commonly-set settings to enable or disable: (Search these keywords in the Administrative Templates spreadsheet included in the admintemplates.exe download) Default UI Theme* Disable Opt-in Wizard on first run Show OneDrive Sign In Automatically activate Office with federated organization credentials Block signing into Office (ie. allow Organizational Accounts only) Disable First Run Movie Enable Automatic Updates Turn on telemetry data collection Turn on data uploading for Office Telemetry Agent Online Content options Service Level options Enable Customer Experience Improvement Program Automatically receive small updates to improve reliability Hardware graphics acceleration Update Path, Target Version, Update Deadline Display enterprise themes only (PowerPoint only) Prevent users from adding PSTs Prevent users from adding new content to existing PST files PST Absolute maximum size PST Size to disable adding new content Best Practice Tip! - Always check for the latest Office Administrative Templates monthly*: http://go.microsoft.com/fwlink/p/?LinkId=257051 And update all of your administrative template locations. *If you do not have the latest Administrative Templates, you might not find all settings referenced above.
Which group policies do customers frequently enable? demo NOTE: With so many diverse customer environments, it is difficult to come out with a single article that describes which Microsoft Office group policy settings should be enabled. With that in mind, we must set the expectation that this section is not an official recommendation nor mandatory requirement. This section is an unofficial collection of the most common settings that we see customers implement. Always consider all security-related settings and then consider the settings discussed here. In no particular order, consider the following commonly-set settings to enable or disable: (Search these keywords in the Administrative Templates spreadsheet included in the admintemplates.exe download) Default UI Theme* Disable Opt-in Wizard on first run Show OneDrive Sign In Automatically activate Office with federated organization credentials Block signing into Office (ie. allow Organizational Accounts only) Disable First Run Movie Enable Automatic Updates Turn on telemetry data collection Turn on data uploading for Office Telemetry Agent Online Content options Service Level options Enable Customer Experience Improvement Program Automatically receive small updates to improve reliability Hardware graphics acceleration Update Path, Target Version, Update Deadline Display enterprise themes only (PowerPoint only) Prevent users from adding PSTs Prevent users from adding new content to existing PST files PST Absolute maximum size PST Size to disable adding new content Which group policies do customers frequently enable?
Group Policies for managing updates for Office 365 ProPlus
New Group Policy settings for managing updates http://technet.microsoft.com/en-us/library/dn761708(v=office.15).aspx
new group policy settings for managing updates demo http://technet.microsoft.com/en-us/library/dn761708(v=office.15).aspx new group policy settings for managing updates
Excluding apps in Office 365 ProPlus
Excluding apps in Office 365 ProPlus Via the Configuration XML With App-V 5.0 SP2 AppLocker Azure RemoteApp* Note: When excluding apps with configuration.xml, an online repair will add the excluded app back. For ultimate enforcement, use App-V or AppLocker. Azure RemoteApp* is in preview mode. As of this writing, search for the Azure RemoteApp trial/preview to test it out yourself!
excluding apps in office 365 proplus demo Note: When excluding apps with configuration.xml, an online repair will add the excluded app back. For ultimate enforcement, use App-V or AppLocker. Azure RemoteApp* is in preview mode, as of this recording. As of this writing, search for the Azure RemoteApp trial/preview to test it out yourself! excluding apps in office 365 proplus
Shared computer activation
Shared computer activation Office 365 ProPlus subscription license is valid for up to 5 device-activations Previously not ideal for shared computer environments such as most municipalities (hospitals, police/fire stations) When enabled, shared computer activation does not decrement from the user’s 5 device-activation allotment http://technet.microsoft.com/en-us/library/dn782860(v=office.15).aspx
shared computer activation demo http://technet.microsoft.com/en-us/library/dn782860(v=office.15).aspx Prior to shared computer activation, a nurse in a hospital environment may log into 10 different shared computers in the course of an average work day. The 5 device-activation limit would likely be reached in a single day! In this demo, we will show you how the new shared computer activation works. Better yet, with ADFS, this is seamless to the user. Without ADFS, the user will be prompted for the subscription license email address. With ADFS, activation will automatically utilize their logged-in credentials in passing the ADFS token to Azure AD and back. shared computer activation
Resources
Resources Office 365 ProPlus Deployment for IT Pros Additional MVA course: Office 365 ProPlus Deployment for IT Pros http://www.microsoftvirtualacademy.com/training-courses/office-365-deployment-for- it-pros Office Blogs and Garage Series for IT Pros http://blogs.office.com/office365updates/ Additional MVA course: Office 365 Deployment for IT Pros http://www.microsoftvirtualacademy.com/training-courses/office-365-deployment-for-it-pros Office Blogs and Garage Series for IT Pros http://blogs.office.com/office365updates/