Self Service for Mac and Mobiles at CERN


Self Service for Mac and Mobiles at CERN
Tim Bell, Michal Kwiatek, Maciej Muszkowski, Vincent Bippus (IT-OIS)
12/10/2015 CERN MDM at HEPiX

Today's agenda
- Introduction
- Mac self-service
- Managed iOS
- VPP
- Summary

PC usage is pretty flat at CERN

Mobile Devices at CERN

BYOD or COPE?
(chart: devices placed on the axes user-owned / CERN-owned, personal / shared and professional / private use; examples shown: Android phone from the CERN Stores, PC or Mac from the CERN Stores, Fire Brigade iPad, iPad of an RP technician, private smartphone)
Another very fashionable acronym is BYOD, which stands for Bring Your Own Device. How does this fit at CERN? We have a long tradition of BYOD at CERN, with physicists from all over the world bringing their own computers to CERN, but the picture is more complex. There are several dimensions. The device can be owned by the user or owned by the Organization. It can be mainly for professional use, or mainly for private use. It can be personal, or shared with other users. To give you some examples, a very common scenario would be a laptop from the CERN Stores, so owned by CERN, for professional use mainly, but with private use tolerated according to the CERN Computing Rules. But the laptop could also be owned by the user, especially if this user comes from another institute, and still be used mainly for professional reasons! Moreover, if it runs Windows, its owner could actually accept that it becomes centrally managed by CERN IT, simply because it would enable easy access to many useful functionalities provided by CERN IT, such as authentication, network storage, access to software or patches. On the opposite side of the spectrum, we could mention some iPads, owned by CERN and used by Radio Protection technicians, on which private use is tolerated even though their users are not even CERN employees. There are more examples shown on this graph, including the case of the CERN Fire Brigade iPads that Maciek will tell you more about, but one important conclusion here is that both BYOD and COPE, which stands for Corporate Owned, Personally Enabled, are prominent in the CERN culture.
COPE: Corporate Owned, Personally Enabled
22 May 2015 MDM at ITTF

Mobile Device Management Market
- Apple Profile Manager (iOS, Mac)
- Absolute Manage (iOS, Android, Mac)
- Microsoft Intune + SCCM (iOS, Android, Mac)
- JAMF Casper Suite (iOS, Mac, Android)
- FileWave (iOS, Android, Mac)
- MobileIron (iOS, Android, Mac)
Talking about the MDM market, the graph on this slide shows various MDM vendors according to their ability to execute and the completeness of their vision. It is from May 2013, so by today's standards it is very old, but it is nonetheless interesting because it shows that the MDM market has been of interest to such players as Symantec, Citrix or even IBM. This particular graph focused mainly on the smartphone/tablet segment and ignored some very interesting players coming from the desktop background. Still, it gives an idea of what products could potentially be interesting. Over the last year, we have tested at CERN the products listed on the left. Maciek will give you more details about these tests and their results.

MDM test results
- No single product covered Android, iOS and Mac
- JAMF Casper Suite works well for iOS and Mac
  - Mature (13 years of experience)
  - Large community of sys admins (20,000)
  - Key player for Mac OS and iOS
  - Just entered the Android market
- None of the products was perfect
We realised that JAMF Casper Suite was the best fit for what CERN needs. JAMF is the name of the company, Casper Suite is the name of the product. It is a key player for managing Apple devices, used by Apple itself. It is a mature product with over 13 years of experience and has a huge community of admins. It is also easily adaptable to CERN's needs, which are...

Implementation
- iOS: built-in MDM protocol, no agent app
- Mac: built-in MDM protocol, plus an agent running in the background
- Android: agent app using the OS APIs and GCM
The communication schema usually looks like the one shown in the picture. Communication is initiated by the MDM server, which asks a notification service to send a wake-up notification to the device: for Apple it is APNS, for Android it is Google Cloud Messaging. The device receives the notification from this service and contacts the MDM server to fetch whatever is waiting for it there. For iOS there is a native, built-in Apple management protocol, so all solutions can do the same things (depending on how much of the protocol they implement, of course). For Mac, besides almost the same protocol as for iOS, there is additionally an agent app running in the background with root privileges, contacting the MDM server at regular intervals. For Android there is no built-in protocol; there is always an agent app using the underlying operating system APIs.

Macs

New self-service experience
- User-friendly interface
- Main page contains all packages
- Category filtering
- Links on the left
- Support level on the right

What's available for CERN Macs
Software packages
- Common open source (e.g. GIMP, LaTeX, OpenAFS)
- Commercial (e.g. Office 2016, Parallels, Anti-Virus, ...)
- CERN custom applications (e.g. CERNBox)
Configurations
- Disk encryption with FileVault
- Active Directory
- Exchange
- Printers
- eduroam

Managed iOS

Personal iOS devices
- Community "self-help" support
- Extended with a curated list of apps and settings: https://ios.web.cern.ch/kiosk
  - Useful applications from the App Store
  - (Public) CERN apps
  - Settings: certificates, mail, eduroam ...
  - Users can add their own content (moderated)
- Very similar for Android at https://android.web.cern.ch/kiosk
The support model for iOS remains community support only. However, the existing community web pages for iOS and Android were extended with a list of useful applications and settings. CERN users can add their own content to these lists.

Mobile Applications Development
- CAPPS user group to share experiences of mobile development
- Play Store and iTunes owners for the organisation
- Own contracts and certificates for signing
- Typical applications
  - Outreach (e.g. CERNland, Open Days)
  - CERN Maps, Indico, CERNBox, ...
  - On-premise self-signing (e.g. Radiation Protection, Fire Brigade)
  - Web apps (e.g. Service-Now for building repairs)
- https://indico.cern.ch/category/4852/

Professional iOS use case
Real-life example: Fire Brigade iPads
- Shared
- Predefined set of apps and settings
- Fully managed by their admin
There are some people that use iOS devices for professional use. Let's take a real-life example, the Fire Brigade. Each of their

Managed iOS
- Comes with JAMF, as for Mac
- Not centrally managed, not intended for Bring-Your-Own-Device
- Delegated administration
- For professional devices
- To be managed, the device needs to be enrolled
  - Using the web portal
  - Or using a USB cable (more privileges on the device)
For such people, we offer managed iOS. The product that is used to manage Macs also supports iOS. However, here we do not provide a centrally managed configuration or applications; we give the users the opportunity to manage their devices themselves. In order to manage the device, it needs to be enrolled in the MDM system, either the same way as a Mac, so using a web page, or using a USB cable.

Managed iOS - applications
- Installation
  - App Store / in-house applications
  - On-demand (Self Service) or auto-install
  - Silent installation possible
- Update
  - Can be forced
  - Silent
- Removal
  - Only apps that we installed
- eBooks (not apps, but managed in a similar way)
  - E.g. Fire Brigade manuals, offline maps
Firstly, we can remotely manage applications. We can install an app from the App Store or from a file (so-called in-house apps). We can give the users a list of applications they can install, or we can push some apps to the devices. For the devices enrolled using the USB cable (called supervised devices), we can install the apps silently. We can force an update of an application; the updates are silent and do not need user acceptance. And finally we can remove an app (only if we installed it). We can also manage the eBooks in the iBooks application the same way as apps.

Managed iOS - settings
- Every setting in iOS is managed using "configuration profiles"
- MDM allows these settings to be pushed remotely
- Examples:
  - Restrictions, passcode
  - Preconfigured e-mail
  - WebClips (icons on the home screen)
  - Wi-Fi (e.g. eduroam)
  - Single Sign-On
  - ManagedAppConfig: preconfiguring an installed application
We can also configure some settings on the devices. In iOS every configurable setting is managed using a so-called "configuration profile", which is just an XML file containing a dictionary of key-value pairs, so setting name -> the value it should take. MDM allows these configuration profiles to be pushed remotely. Just a few examples of what can be configured: different restrictions on what the user can do on the device, e.g. disabling the App Store or iCloud, or a passcode requirement; preconfiguring CERN e-mail; pushing WebClips (a WebClip is an icon on the home screen that looks the same as an app icon but opens a link instead); configuring Wi-Fi settings; and also configuring SSO (yes, iOS supports SSO). It is also possible to pre-configure an application that is being installed (if the application supports that).
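The settings slide says every iOS setting is delivered as a configuration profile, an XML property list holding a dictionary of key/value pairs per payload. The Python below is an added example and not CERN's or JAMF's code: it builds such a profile with plistlib (a passcode policy, an App Store/iCloud restrictions payload and an eduroam Wi-Fi payload), serialises it as a .mobileconfig and validates the result. Payload types and key names are taken from Apple's Configuration Profile Reference; the payload identifiers, the RADIUS server name and the organisation string are assumptions chosen for the example.

```python
"""Build and validate an iOS configuration profile (added example, not CERN's or JAMF's code).
Payload types and keys follow Apple's Configuration Profile Reference; the identifiers,
RADIUS server name and organisation string are assumptions for the example."""
import plistlib
import uuid

# Keys every payload dictionary (top level and each entry of PayloadContent) must carry.
REQUIRED_PAYLOAD_KEYS = {"PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID"}


def _payload(ptype, identifier, display_name, **content):
    """One payload dictionary: the mandatory keys plus the type-specific settings."""
    payload = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,          # reverse-DNS style; assumed names
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(content)
    return payload


def build_profile(trusted_servers=("radius.example.cern.ch",)):
    """Passcode policy, restrictions and an eduroam Wi-Fi payload in one profile.

    trusted_servers: RADIUS server names the device may accept for EAP (assumed name);
    an empty tuple produces a profile that leaves server trust up to the user."""
    passcode = _payload(
        "com.apple.mobiledevice.passwordpolicy", "ch.cern.example.passcode", "Passcode policy",
        forcePIN=True, minLength=6, maxFailedAttempts=10, maxInactivity=5, maxGracePeriod=0,
    )
    restrictions = _payload(
        "com.apple.applicationaccess", "ch.cern.example.restrictions", "Restrictions",
        allowAppInstallation=False, allowCloudBackup=False, allowCloudDocumentSync=False,
    )
    eap = {"AcceptEAPTypes": [25], "UserName": ""}   # 25 = PEAP; the user enters credentials
    if trusted_servers:
        eap["TLSTrustedServerNames"] = list(trusted_servers)
    wifi = _payload(
        "com.apple.wifi.managed", "ch.cern.example.eduroam", "eduroam",
        SSID_STR="eduroam", AutoJoin=True, EncryptionType="WPA2", EAPClientConfiguration=eap,
    )
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "ch.cern.example.managed-ios",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed iOS baseline (example)",
        "PayloadOrganization": "CERN (assumed)",
        # On an unsupervised device the user can still remove the MDM enrollment itself,
        # which takes every profile the server pushed along with it.
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [passcode, restrictions, wifi],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist that iOS expects in a .mobileconfig file."""
    return plistlib.dumps(profile)


def parse_profile(data):
    return plistlib.loads(data)


def validate_profile(data):
    """Return a list of problems found in .mobileconfig bytes (empty when clean)."""
    profile = parse_profile(data)
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen = set()
    for p in [profile] + list(profile.get("PayloadContent", [])):
        missing = REQUIRED_PAYLOAD_KEYS - set(p)
        if missing:
            problems.append(f"{p.get('PayloadIdentifier', '?')}: missing {sorted(missing)}")
        if p.get("PayloadUUID") in seen:
            problems.append(f"duplicate PayloadUUID {p.get('PayloadUUID')}")
        seen.add(p.get("PayloadUUID"))
        # An EAP Wi-Fi payload that pins neither server names nor an anchor certificate
        # leaves the device to ask the user whether to trust the RADIUS certificate.
        if p.get("PayloadType") == "com.apple.wifi.managed":
            eap = p.get("EAPClientConfiguration", {})
            if eap and not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
                problems.append(f"{p['PayloadIdentifier']}: EAP configuration without server trust")
    return problems
```

The validator flags an EAP Wi-Fi payload that pins neither a trusted server name nor an anchor certificate: such a profile installs and works, but the device will ask the user to accept whatever RADIUS certificate it is shown on first connection, which defeats the point of pushing the Wi-Fi configuration centrally.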

Managed iOS - actions
- Force the device to contact the server (normally done once a day)
- Erase
- Lock
- Disabling/enabling roaming
The third group is the different actions that can be executed on devices. The devices contact the MDM server daily, but it is possible to force them to contact the server. It is possible to erase the device content and also to lock it remotely. And finally it is possible to disable and enable voice and data roaming.
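The implementation slide describes the push-then-poll schema (the server queues a command, the notification service only wakes the device, and the device then fetches the command from the server), and the actions slide lists what gets queued: lock, erase, a forced check-in. The Python below is an added example, not CERN's or JAMF's code, that simulates that exchange using the message shapes of the Apple MDM protocol: a device report with Status Idle, Acknowledged or CommandFormatError plus a CommandUUID, and a server command with a RequestType. The device identifier, push token and the stand-in push service are constructed for the example; a real server authenticates the device by the identity certificate issued at enrollment rather than by the UDID string used here.

```python
"""Simulated MDM push/poll exchange (added example, not CERN's or JAMF's code).
Message shapes follow the Apple MDM protocol; UDIDs, push tokens and the
stand-in push service are constructed for the example."""
import uuid


class PushService:
    """Stand-in for APNs/GCM: it delivers only a wake-up, never the command."""
    def __init__(self):
        self.devices = {}   # push token -> device reachable by push
        self.log = []       # every token we were asked to notify

    def register(self, token, device):
        self.devices[token] = device

    def notify(self, token):
        self.log.append(token)
        device = self.devices.get(token)
        if device is not None:      # unreachable device: the push is lost, the command is not
            device.check_in()


class MDMServer:
    def __init__(self, push):
        self.push = push
        self.enrolled = {}   # UDID -> push token (a real server keys this on the identity cert)
        self.queues = {}     # UDID -> pending commands, oldest first
        self.results = []    # every non-Idle report received from devices

    def enroll(self, udid, push_token):
        self.enrolled[udid] = push_token
        self.queues[udid] = []

    def queue(self, udid, request_type, **params):
        """Queue a command for an enrolled device and ask the push service to wake it."""
        if udid not in self.enrolled:
            raise KeyError(f"{udid} is not enrolled")
        cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
               "Command": {"RequestType": request_type, **params}}
        self.queues[udid].append(cmd)
        self.push.notify(self.enrolled[udid])   # the push carries no command payload
        return cmd["CommandUUID"]

    def handle(self, report):
        """Device-to-server message: returns the next pending command or None."""
        udid = report["UDID"]
        if udid not in self.enrolled:
            return None                          # unknown identity gets nothing
        if report["Status"] != "Idle":           # Acknowledged / Error / CommandFormatError
            self.results.append(report)
            self.queues[udid] = [c for c in self.queues[udid]
                                 if c["CommandUUID"] != report.get("CommandUUID")]
        return self.queues[udid][0] if self.queues[udid] else None


class Device:
    SUPPORTED = {"DeviceLock", "EraseDevice", "DeviceInformation"}

    def __init__(self, udid, server):
        self.udid, self.server = udid, server
        self.locked = self.erased = False
        self.executed = []

    def check_in(self):
        """Contact the server and drain the queue, one command per round trip."""
        report = {"UDID": self.udid, "Status": "Idle"}
        while True:
            cmd = self.server.handle(report)
            if cmd is None:
                return
            report = self.execute(cmd)

    def execute(self, cmd):
        request_type = cmd["Command"]["RequestType"]
        reply = {"UDID": self.udid, "CommandUUID": cmd["CommandUUID"]}
        if request_type not in self.SUPPORTED:
            return {**reply, "Status": "CommandFormatError"}
        if request_type == "DeviceLock":
            self.locked = True
        elif request_type == "EraseDevice":
            self.erased = True
        self.executed.append(request_type)
        return {**reply, "Status": "Acknowledged"}


def demo():
    """Offline queueing, push-triggered fetch, an unsupported command and an unknown device."""
    push = PushService()
    server = MDMServer(push)
    device = Device("UDID-FB-IPAD-01", server)          # constructed identifier
    server.enroll(device.udid, "apns-token-01")          # constructed token
    server.queue(device.udid, "DeviceLock")              # push cannot reach the device yet
    pending_before_checkin = len(server.queues[device.udid])
    device.check_in()                                    # the daily contact picks it up anyway
    push.register("apns-token-01", device)               # from here on pushes reach the device
    server.queue(device.udid, "DeviceInformation", Queries=["OSVersion", "SerialNumber"])
    server.queue(device.udid, "Bogus")                   # unsupported request type
    server.queue(device.udid, "EraseDevice")
    stranger = server.handle({"UDID": "UDID-UNKNOWN", "Status": "Idle"})
    return {"pending_before_checkin": pending_before_checkin,
            "executed": device.executed, "locked": device.locked, "erased": device.erased,
            "statuses": [r["Status"] for r in server.results],
            "pending_after": len(server.queues[device.udid]),
            "pushes": len(push.log), "stranger": stranger}
```

Two points worth noticing: the push notification carries no command, so a spoofed push cannot make the device do anything it would not also do on its daily check-in, and the server hands commands only to identities it enrolled, so a report from an unknown UDID gets nothing back. The command stays queued on the server until the device acknowledges it, which is why a lock or erase queued while the device is offline still lands on the next contact.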

Managed iOS - inventory
- Hardware parameters
- Owner
- Applications list
- Configurations list
- NO reading/writing files from/to the device
- NO reading private data like SMSes/mails
- NO geolocation
The system also collects some information about the devices: hardware parameters like OS version, free space, serial number, phone number, MAC addresses etc. Every device in the system has an owner. It also collects the list of installed applications and settings. It is not possible to read or write files on the device. It is not possible to read private data like SMSes/e-mails. And it is not possible to trace the current location of the device.

VPP – Apple Volume Purchase Program
- A way for CERN IT to purchase iOS/Mac apps for users
- Needs MDM (to create the user-application relation)
- Needs an Apple ID registered in the Swiss App Store
- The licence can be reassigned
- A single licence can be used to install the app on multiple devices
- Volume discounts for 20+ licences
- Please create a general ServiceNow request: https://cern.service-now.com/service-portal/report-ticket.do?name=request&fe=Apple-Contract
In the past, the only possible way to buy paid software for Mac was to contact the specific vendor and buy licences from them directly. Now it is also possible to purchase software from the App Store, for both Mac and iOS. It is called VPP, the Volume Purchase Program, and it needs MDM to work, in particular to create a user-application association. As for everything from the App Store, the user also needs to have his/her Apple ID, which identifies him/her. The licence can be reassigned to another user. A single licence can be used to install the app on multiple devices (owned by the same user) and there are volume discounts if you buy a bigger number of licences, so the more you buy the less you pay. The purchasing procedure is handled in SNOW and looks as follows (next slide).
Comment: the user needs to already have, or create, a Swiss-store Apple ID.

MDM registered devices

Summary
- Self-Service Kiosk for Mac
  - Easy discovery
  - Configuration scripts rather than documentation
  - Optional future managed service if acceptable
- Managed iOS
  - Locked down for work activities
  - Easy reset
- Apple Volume Purchase Program (VPP)
  - Avoid end-user licence ownership
  - Discounts for volume

Links
How to join for CERN users:
- More information at http://information-technology.web.cern.ch/services/fe/howto/pilot-mac-self-service
- Mac: https://mdm.cern.ch/enroll
- Managed iOS: contact IT-OIS-DS
- Paid software: https://cern.service-now.com/service-portal/report-ticket.do?name=licence-mac&fe=mac-support
- VPP: https://cern.service-now.com/service-portal/report-ticket.do?name=request&fe=Apple-Contract
- Feedback: https://social.cern.ch/community/mac-selfservice
And just a summary slide with all the useful links: how to enrol your device in the MDM system, the links to the SNOW forms for requesting software and the link to the feedback page.

Questions?
That would be everything; thank you for your attention, and are there any questions?


New self-service experience: Enrollment
1. First go to https://mdm.cern.ch/enroll
2. Connect using your CERN username and password
3. Download and install the package
4. Connect to the self-service
No SSO yet: CERN login

New self-service experience: Login page
No SSO yet: CERN login

CERN test criteria
Functional
- For each OS: iOS, Android, Mac OS
  - Which versions are supported for each OS family
- Ownership models
  - Privately owned
  - CERN owned, but used by a single user
  - CERN owned, but shared
- Management models
  - User-managed
  - Centrally managed, but with the user in full control
  - Centrally managed with some items enforced
  - Delegated administration
- Integration with volume purchasing programs and software vendors' licence models
  - Apple VPP, including licences floating between users
  - Support for concurrent licences
- Self-service app store
- Updates
  - For the OS
  - For apps
- Configurations, e.g. WiFi, eduroam, CERN certificates, data roaming, as preferences or forced
- Hardware and software inventory
- Extras: file sharing, encryption
Technical
- CERN login integration
  - AD, SSO or OAuth
  - For end-users and admins
- Load balancing, high availability
- Initial deployment effort
  - Basic configuration
  - Integration (with AD, Network DB, etc.)
- Ease of use
  - For the end-user
  - For the administrators
- Update cycle effort
  - Time before next OS versions are supported
  - Upgrade procedures
Commercial
- Licensing model: per device? per registered user? per FTE?
- Cost
  - During staged deployment
  - After the deployment is completed and CERN users are on board
- Contract policy
  - The risk of the cost sky-rocketing after we complete the deployment
Don't worry, I am not going to go through all of these one by one; these detailed lists are here more for reference. These were the things we were checking. The point is to show that we need to find a balance between many different criteria: not only functional ones, so what is supported on each platform, but also technical ones like Active Directory and Single Sign-On integration, and commercial ones like, for example, the licensing model.

Our tests
- Deployment in the CERN environment
- Products tested:
  - Apple Profile Manager (iOS, Mac)
  - Absolute Manage (iOS, Android, Mac)
  - Microsoft Intune + SCCM (iOS, Android, Mac)
  - JAMF Casper Suite (iOS, Mac, Android)
  - FileWave (iOS, Android, Mac)
  - MobileIron (iOS, Android, Mac)
  - and a few more ...
The test schema was simple: install the product in the CERN environment, follow the long list of criteria, check which features were available and how they worked, and update the test criteria. Update, because of course the criteria list wasn't fixed: if something was not possible to do it was removed, and if some product offered an interesting functionality we hadn't thought about before, we checked whether the other products also offered it. The following products were tested; if a platform is greyed out on the slide, that means the product supported that platform only at a very basic level.

New self-service experience based on JAMF Casper Suite
- MDM enables us to empower our users
- Centralised point of distribution for configurations and applications
- Automated process for installing software
- Can be adapted to specific needs for installations on multiple computers
- No mandatory packages

New self-service experience: Add printers
- Takes care of installing the appropriate driver
- Configures multiple queues at once
- Proposes printers around you first; the complete list is available

New self-service experience: Microsoft Office 2016
- The new Office suite for Mac is now available on self-service
- Requires Mac OS X Yosemite
- New interface
- New features (dedicated presentation coming soon)
  - New design tab
  - SharePoint integration (social.cern.ch)
  - Threaded comments

New self-service experience: Microsoft Remote Desktop
- Available from the App Store via self-service
- Lets you access CERN terminal services
- Lets you access your Windows virtual machines and physical hosts when connected to the CERN network

New self-service experience: Parallels Desktop v11
- Makes virtual machines easy to use
- More flexible than dual boot
- Compatible with FileVault-encrypted disks
- Lets you run multiple operating systems at the same time

New self-service experience: FileVault
- A few clicks let you encrypt your whole disk
- Should not be used with multiple operating systems
- Makes your data safer in case of a stolen or lost laptop
- Roissy: 773 computers lost per week! London: 900

New self-service experience: CERNBox
- CERN file storage
- Privacy respectful
- Documents synchronised on your Mac and available through your browser

New self-service experience: OpenAFS
- Lets you access AFS storage servers
- Available for Mavericks and Yosemite

New self-service experience: Miscellaneous packages
- Xcode
- GIMP
- Firefox
- LaTeX
- Microsoft SCEP
- Microsoft Lync
- About this Mac

VPP

VPP – purchase workflow
1. Ask for the software through the Service Desk
2. Agree on the price and provide the budget code
3. Sign the TID in EDH
4. Accept the VPP invitation in the Self Service
5. Install the software from the App Store
First the user asks for the software through the Service Desk. We check the price and ask the user to provide the budget code. The user signs the TID in EDH, which is the document allowing money to be transferred between budget codes, enrols his Mac/iOS device into MDM (if it is not already there), accepts the VPP invitation using the Self Service and installs the software from the App Store. The software will appear under Purchased in the App Store; it can also be added to the Self Service.