Self Service for Mac and Mobiles at CERN
Tim Bell, Michal Kwiatek, Maciej Muszkowski, Vincent Bippus (IT-OIS) 12/10/2015 CERN MDM at HEPiX
Today's agenda
- Introduction
- Mac self-service
- Managed iOS
- VPP
- Summary
PC usage is pretty flat at CERN
Mobile Devices at CERN
BYOD or COPE?

[Figure: devices placed along three axes, user-owned vs CERN-owned, personal vs shared, professional vs private use: an Android phone from the CERN Stores, a PC or Mac from the CERN Stores, a user's own PC or Mac, the iPad of an RP technician, a Fire Brigade iPad, a private smartphone.]

Another very fashionable acronym is BYOD, which stands for Bring Your Own Device. How does this fit at CERN? We have a long tradition of BYOD at CERN, with physicists from all over the world bringing their own computers to CERN, but the picture is more complex. There are several dimensions. The device can be owned by the user or owned by the Organization. It can be mainly for professional use, or mainly for private use. It can be personal, or shared with other users. To give some examples, a very common scenario would be a laptop from the CERN Stores, so owned by CERN, for professional use mainly, but with private use tolerated according to the CERN Computing Rules. But the laptop could also be owned by the user, especially if this user comes from another institute, and still be used mainly for professional reasons. Moreover, if it runs Windows, its owner could accept that it becomes centrally managed by CERN IT, simply because that enables easy access to many useful services provided by CERN IT, such as authentication, network storage, access to software or patches. On the opposite side of the spectrum, we could mention some iPads owned by CERN and used by Radio Protection technicians, on which private use is tolerated even though their users are not CERN employees. There are more examples shown on this graph, including the case of the CERN Fire Brigade iPads that Maciek will tell you more about, but one important conclusion here is that both BYOD and COPE, which stands for Corporate Owned, Personally Enabled, are prominent in the CERN culture.

COPE: Corporate Owned, Personally Enabled
22 May 2015 MDM at ITTF
Mobile Device Management Market
- Apple ProfileManager (iOS, Mac)
- Absolute Manage (iOS, Android, Mac)
- Microsoft InTune + SCCM (iOS, Android, Mac)
- JAMF Casper Suite (iOS, Mac, Android)
- FileWave (iOS, Android, Mac)
- MobileIron (iOS, Android, Mac)

Talking about the MDM market, this graph shows various MDM vendors according to their ability to execute and the completeness of their vision. It is from May 2013, so by today's standards it is very old, but it is nonetheless interesting because it shows that the MDM market has been of interest to such players as Symantec, Citrix or even IBM. This particular graph focused mainly on the smartphone/tablet segment and ignored some very interesting players coming from the desktop background. Still, it gives an idea of which products could potentially be interesting. Over the last year, we have tested at CERN the products listed on the left. Maciek will give you more details about these tests and their results.
MDM test results
- No single product covered Android, iOS and Mac
- JAMF Casper Suite works well for iOS and Mac
  - Mature (13 years experience)
  - Large community of sys admins (20,000)
  - Key player for Mac OS and iOS
  - Just entered the Android market
- None of the products were perfect

We realised that JAMF Casper Suite was the best fit for what CERN needs. JAMF is the name of the company, Casper Suite is the name of the product. It is a key player for managing Apple devices, used by Apple itself. It is a mature product with over 13 years of experience and has a huge community of admins. It is also easily adaptable to CERN's needs, which are…
Implementation
- iOS: built-in MDM protocol, no agent app
- Mac: built-in MDM protocol, plus an agent running in the background
- Android: agent app using the OS APIs and GCM

The communication schema usually looks like the one shown in the picture. Communication is initiated by the MDM server, which asks a notification service to send a notification to the device: for Apple it is APNS, for Android it is Google Cloud Messaging. The device receives the notification from this service and contacts the MDM server to retrieve what is waiting for it there. For iOS there is a native, built-in Apple management protocol, so all solutions can do the same things (depending on how much of the protocol they implement, of course). For Mac, besides almost the same protocol as for iOS, there is additionally an agent app running in the background with root privileges, contacting the MDM server at regular intervals. For Android there is no built-in protocol; there is always an agent app using the underlying operating system APIs.
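The exchange just described, as an added example (this is not CERN's or JAMF's code): a Python model of the push, check-in, command and acknowledgement round trip of Apple's MDM protocol, with APNs, the server and the device replaced by in-process classes so that it runs offline. The message shapes (the TokenUpdate check-in, the {"mdm": PushMagic} push payload, the Status values Idle/Acknowledged/NotNow/Error, RequestType) follow Apple's documented protocol; the UDID, push token and device information values are constructed for the example. Two points worth seeing in code: the push carries no command and no data, it only wakes the device, which then fetches and acknowledges commands over its own connection to the server; and a NotNow answer leaves the command queued on the server for the next connection.

```python
# Added example (not CERN's or JAMF's code): in-process model of the MDM round
# trip. UDID, push token and device information values are constructed.
import plistlib
import uuid

class PushService:
    """Stand-in for APNs: a push only wakes a device, it carries no command."""
    def __init__(self):
        self.devices = {}  # push token -> Device

    def push(self, token, payload):
        self.devices[token].wake(payload["mdm"])

class MDMServer:
    def __init__(self, apns):
        self.apns = apns
        self.enrolled = {}  # UDID -> {"Token", "PushMagic"} from the TokenUpdate check-in
        self.queues = {}    # UDID -> pending commands, in order
        self.inflight = {}  # UDID -> command handed out but not yet answered
        self.results = {}   # UDID -> list of (CommandUUID, Status, full response)

    def checkin(self, body):
        """Check-in URL: the device registers its push token and PushMagic."""
        msg = plistlib.loads(body)
        if msg["MessageType"] == "TokenUpdate":
            self.enrolled[msg["UDID"]] = {"Token": msg["Token"], "PushMagic": msg["PushMagic"]}
            self.queues[msg["UDID"]], self.results[msg["UDID"]] = [], []

    def queue(self, udid, request_type, **extra):
        """Queue a command (DeviceLock, EraseDevice, DeviceInformation, ...)."""
        cmd = {"CommandUUID": str(uuid.uuid4()), "Command": {"RequestType": request_type, **extra}}
        self.queues[udid].append(cmd)
        return cmd["CommandUUID"]

    def notify(self, udid):
        """Wake the device through the push service; the command itself stays here."""
        e = self.enrolled[udid]
        self.apns.push(e["Token"], {"mdm": e["PushMagic"]})

    def connect(self, body):
        """Server URL: record the device's status, then hand out the next command."""
        msg = plistlib.loads(body)
        udid, status = msg["UDID"], msg["Status"]
        if status == "NotNow":
            # Device cannot act yet (e.g. still locked after boot): put the command
            # back at the head of the queue; it is retried on the next connection.
            self.queues[udid].insert(0, self.inflight.pop(udid))
            return b""
        if status in ("Acknowledged", "Error", "CommandFormatError"):
            self.inflight.pop(udid, None)
            self.results[udid].append((msg["CommandUUID"], status, msg))
        if self.queues[udid]:
            self.inflight[udid] = cmd = self.queues[udid].pop(0)
            return plistlib.dumps(cmd)
        return b""  # empty body: nothing pending, the device ends the session

class Device:
    def __init__(self, udid, server, apns):
        self.udid, self.server = udid, server
        self.token = uuid.uuid4().bytes  # constructed push token
        self.push_magic = str(uuid.uuid4())
        self.locked = self.erased = self.busy = False
        self.info = {"OSVersion": "9.0.2", "SerialNumber": "CONSTRUCTED1"}
        apns.devices[self.token] = self
        server.checkin(plistlib.dumps({"MessageType": "TokenUpdate", "UDID": udid,
                                       "Token": self.token, "PushMagic": self.push_magic}))

    def wake(self, push_magic):
        if push_magic == self.push_magic:  # a push for another enrolment is ignored
            self.poll()

    def poll(self):
        """Report Status Idle, then loop: run each command and report its result."""
        reply = {"UDID": self.udid, "Status": "Idle"}
        while True:
            body = self.server.connect(plistlib.dumps(reply))
            if not body:
                return
            reply = self.execute(plistlib.loads(body))

    def execute(self, cmd):
        reply = {"UDID": self.udid, "CommandUUID": cmd["CommandUUID"], "Status": "Acknowledged"}
        if self.busy:
            reply["Status"] = "NotNow"
            return reply
        request = cmd["Command"]
        if request["RequestType"] == "DeviceLock":
            self.locked = True
        elif request["RequestType"] == "EraseDevice":
            self.erased = True
        elif request["RequestType"] == "DeviceInformation":  # the inventory query
            reply["QueryResponses"] = {q: self.info[q] for q in request["Queries"] if q in self.info}
        else:
            reply["Status"] = "Error"
        return reply

def demo():
    apns = PushService()
    server = MDMServer(apns)
    dev = Device("CONSTRUCTED-UDID-0001", server, apns)
    lock_id = server.queue(dev.udid, "DeviceLock")
    server.queue(dev.udid, "DeviceInformation", Queries=["OSVersion", "SerialNumber"])
    server.notify(dev.udid)
    return server, dev, lock_id
```

demo() enrols one device, queues a lock and an inventory query, and sends the push; after it returns the device is locked and the server holds both acknowledgements. Setting dev.busy = True before a push shows the NotNow path: the command stays at the head of the server queue until the device connects again.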
Macs
New self-service experience
- User-friendly interface
- Main page contains all packages
- Category filtering
- Links on the left
- Support level on the right
What’s available for CERN Macs
Software packages
- Common open source (e.g. GIMP, LaTeX, OpenAFS)
- Commercial (e.g. Office 2016, Parallels, Anti-Virus, …)
- CERN custom applications (e.g. CERNBox)
Configurations
- Disk encryption with FileVault
- Active Directory
- Exchange
- Printers
- eduroam
Managed iOS
Personal iOS devices
- Community 'self-help' support
- Extended with a curated list of apps & settings
  - Useful applications from the App Store (public)
  - CERN apps
  - Settings: certificates, mail, eduroam …
- Users can add their own content (moderated)
- Very similar for Android at

The current model of support for iOS remains community support only. However, the existing community web pages for iOS and Android were extended with a list of useful applications and settings. CERN users can add their own content to these lists.
Mobile Applications Development
- CAPPS user group to share experiences of mobile development
- Play Store and iTunes owners for the organisation
- Own contracts and certificates for signing
- Typical applications
  - Outreach (e.g. CERNland, Open Days)
  - CERN Maps, Indico, CERNBox, …
  - On-premise self-signing (e.g. Radiation Protection, Fire Brigade)
  - Web apps (e.g. ServiceNow for building repairs)
Professional iOS use case
Real life example: Fire Brigade iPads
- Shared
- Predefined set of apps and settings
- Fully managed by their admin

There are some people who use iOS devices for professional use. Let's take a real life example, the Fire Brigade. Each of their
Managed iOS
- Comes with JAMF, as for Mac
- Not centrally managed, not intended for Bring-Your-Own-Device
- Delegated administration
- For professional devices
- To be managed, a device needs to be enrolled
  - Using the web portal
  - Or using a USB cable (more privileges on the device)

For such people, we offer managed iOS. The product that is used to manage Macs also supports iOS. However, here we don't provide a centrally managed configuration or applications; we give the users the opportunity to manage their devices themselves. In order to manage the device, it needs to be enrolled in the MDM system, either the same way as a Mac, using a web page, or using a USB cable.
Managed iOS - applications
- Installation
  - App Store / in-house applications
  - On-demand (Self Service) or auto-install
  - Silent installation possible
- Update
  - Can be forced
  - Silent
- Removal
  - Only apps that we installed
- eBooks (not apps, but managed in a similar way)
  - e.g. Fire Brigade manuals, offline maps

Firstly, we can remotely manage applications. We can install an app from the App Store or from a file (so-called in-house apps). We can give the users a list of applications they can install, or we can push some apps to the devices. For devices enrolled using the USB cable (called supervised devices), we can install apps silently. We can force an update of an application; the updates are silent and don't need user acceptance. And finally we can remove an app (only if we installed it). We can also manage the eBooks in the iBooks application the same way as apps.
Managed iOS - settings
- Every setting in iOS is managed using "configuration profiles"
- MDM allows these settings to be pushed remotely
- Examples:
  - Restrictions, passcode
  - Preconfigured WebClips (icons on the home screen)
  - Wi-Fi (e.g. eduroam)
  - Single Sign-On
  - ManagedAppConfig: preconfiguring an installed application

We can also configure some settings on the devices. In iOS every configurable setting is managed using a so-called "configuration profile", which is just an XML file containing a dictionary of key-value pairs: setting name -> value it should take. MDM allows these configuration profiles to be pushed remotely. Just a few examples of what can be configured: different restrictions on what the user can do on the device, e.g. disabling the App Store or iCloud; a passcode requirement; preconfigured CERN WebClips (a WebClip is an icon on the home screen that looks like an app icon but opens a link instead); Wi-Fi settings; SSO (yes, iOS supports SSO); and pre-configuration of an application that is being installed (if the application supports that).
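A configuration profile of the kind described above, as an added example (this is not CERN's code or CERN's actual profile): it builds a profile carrying a passcode policy, restrictions, a WebClip and a Wi-Fi payload with Python's standard plistlib, then checks it the way an admin would before pushing it (every payload carries the mandatory Payload* keys, PayloadVersion is 1, no PayloadUUID is reused) and summarises what the profile does. The payload type identifiers and setting keys are Apple's documented ones; the reverse-DNS prefix ch.cern.example, the WebClip URL and the EAP type choice are assumptions made for the example.

```python
# Added example (not CERN's code): build and sanity-check an iOS configuration
# profile with the standard library. Identifiers and URLs are constructed.
import plistlib
import uuid

# Keys that every payload, and the enclosing profile, must carry.
REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def payload(payload_type, identifier, display_name, **settings):
    """One payload dictionary: the common keys plus the type-specific settings."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": identifier, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": display_name, **settings}


def build_profile(org, identifier, payloads, removal_disallowed=True):
    """Wrap payloads in the top-level Configuration payload and serialise to an XML plist."""
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": identifier, "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": f"{org} managed settings",
               "PayloadOrganization": org,
               # True: the user cannot remove the profile from Settings on the device.
               "PayloadRemovalDisallowed": removal_disallowed,
               "PayloadContent": list(payloads)}
    return plistlib.dumps(profile)


def check_profile(data):
    """Return a list of problems; an empty list means the profile passes the checks."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # not XML, not a plist, truncated ...
        return [f"not a plist: {exc}"]
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    seen = set()
    for p in [profile] + list(profile.get("PayloadContent", [])):
        name = p.get("PayloadIdentifier", "<no identifier>")
        for key in REQUIRED_KEYS:
            if key not in p:
                problems.append(f"{name}: missing {key}")
        if p.get("PayloadVersion") != 1:
            problems.append(f"{name}: PayloadVersion must be 1")
        u = p.get("PayloadUUID")
        if u is not None and u in seen:
            problems.append(f"{name}: duplicate PayloadUUID {u}")
        seen.add(u)
    return problems


def summarize(data):
    """What the profile does: {PayloadIdentifier: PayloadType} for each payload."""
    profile = plistlib.loads(data)
    return {p["PayloadIdentifier"]: p["PayloadType"] for p in profile["PayloadContent"]}


def fire_brigade_profile():
    """The slide's examples: passcode, restrictions, a WebClip and a Wi-Fi network."""
    base = "ch.cern.example"  # constructed reverse-DNS prefix, not CERN's real one
    payloads = [
        payload("com.apple.mobiledevice.passwordpolicy", f"{base}.passcode", "Passcode",
                forcePIN=True, minLength=6, maxFailedAttempts=10, maxInactivity=5),
        payload("com.apple.applicationaccess", f"{base}.restrictions", "Restrictions",
                allowAppInstallation=False, allowCloudBackup=False,
                allowCloudDocumentSync=False),
        payload("com.apple.webClip.managed", f"{base}.webclip", "CERN Maps WebClip",
                URL="https://maps.example.invalid/", Label="CERN Maps", IsRemovable=False),
        payload("com.apple.wifi.managed", f"{base}.wifi", "eduroam",
                SSID_STR="eduroam", AutoJoin=True, EncryptionType="WPA2",
                EAPClientConfiguration={"AcceptEAPTypes": [25]}),  # 25 = PEAP
    ]
    return build_profile("CERN", f"{base}.firebrigade", payloads)
```

fire_brigade_profile() returns the XML bytes that an MDM would send inside an InstallProfile command; check_profile() on the same bytes returns an empty list, and returns a message for a payload that lost its PayloadUUID or shares one with another payload, the two mistakes most often made when profiles are copied by hand.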
Managed iOS - actions
- Force device to contact the server
  - Normally done once a day
- Erase
- Lock
- Disabling/enabling roaming

The third group is the different actions that can be executed on devices. The devices contact the MDM server daily, but it is possible to force them to contact the server. It is possible to erase the device content and also to lock it remotely. And finally it is possible to disable and enable voice and data roaming.
Managed iOS - inventory
- Hardware parameters
- Owner
- Applications list
- Configurations list
- NO reading/writing files from/to the device
- NO reading private data like SMSes/mails
- NO geolocation

The system also collects some information about the devices: hardware parameters like OS version, free space, serial number, phone number, MAC addresses etc. Every device in the system has an owner. It also collects the list of installed applications and settings. It is not possible to read or write files on the device. It is not possible to read private data like SMSes or mails. And it is not possible to trace the current location of the device.
VPP - Apple Volume Purchase Program
- Way for CERN IT to purchase iOS/Mac apps for users
- Needs MDM (to create the user-application relation)
- Needs an Apple ID registered in the Swiss App Store
- You can reassign the licence
- A single licence can be used to install the app on multiple devices
- Volume discounts for 20+ licences
- Please create a general ServiceNow request:

In the past, the only possible way to buy paid software for Mac was to contact the specific vendor and buy licences directly from them. Now it is also possible to purchase software from the App Store, for both Mac and iOS. It is called VPP, Volume Purchase Program, and it needs MDM to work, in particular to create the user-application association. As for everything from the App Store, the user also needs an Apple ID which identifies him or her. The licence can be reassigned to another user. A single licence can be used to install the app on multiple devices (owned by the same user) and there are volume discounts if you buy a bigger number of licences, so the more you buy the less you pay. The purchasing procedure is handled in SNOW and looks as follows (next slide). Comment: the user needs to already have, or create, a Swiss store Apple ID.
MDM registered devices
Summary
- Self-Service Kiosk for Mac
  - Easy discovery
  - Configuration scripts rather than documentation
  - Optional future managed service if acceptable
- Managed iOS
  - Locked down for work activities
  - Easy reset
- Apple Volume Purchase Program (VPP)
  - Avoid end-user licence ownership
  - Discounts for volume
Links
- How to join for CERN users:
- More information at
  - Mac:
  - Managed iOS: contact IT-OIS-DS
  - Paid software: VPP:
- Feedback:

And just a summary slide with all the useful links: how to enrol your device in the MDM system, the links to the SNOW forms for requesting software, and the link to the feedback page.
Questions?

That would be everything, thank you for your attention, and are there any questions?
New self-service experience
Enrollment
- First go to this site
- Connect using your CERN username and password
- Download and install the package
- Connect to the self-service
- No SSO yet: CERN login
New self-service experience
Login page
- No SSO yet: CERN login
CERN test criteria: Functional, Technical, Commercial

Functional
- For each OS: iOS, Android, Mac OS
  - Which versions are supported for each OS family
- Ownership models
  - Privately owned
  - CERN owned, but used by a single user
  - CERN owned, but shared
- Management models
  - User-managed
  - Centrally-managed, but with the user in full control
  - Centrally-managed with some items enforced
  - Delegated administration
- Integration with volume purchasing programs and software vendors' licence models
  - Apple VPP, including licences floating between users
  - Support for concurrent licences
- Self-service app store
- Updates
  - For the OS
  - For apps
- Configurations, e.g. WiFi, eduroam, CERN certificates, data roaming, as preferences or forced
- Hardware and software inventory
- Extras: file sharing, encryption

Technical
- CERN login integration
  - AD, SSO or OAuth
  - For end-users and admins
- Load balancing, high availability
- Initial deployment effort
  - Basic configuration
  - Integration (with AD, Network DB, etc.)
- Ease of use
  - For the end-user
  - For the administrators
- Update cycle effort
  - Time before next OS versions are supported
  - Upgrade procedures

Commercial
- Licensing model
  - Per device? Per registered user? Per FTE?
- Cost
  - During staged deployment
  - After the deployment is completed and we get CERN users on board
- Contract policy
  - The risk of the cost sky-rocketing after we complete the deployment

Don't worry, I am not going to go through all of these one by one; these detailed lists are here more for reference. These were the things we were checking. The point is to show that we need to find a balance between many different criteria: not only functional, i.e. what is supported for each platform, but also technical, like Active Directory and Single Sign-On integration, and commercial, like for example what the licensing model is.
Our tests
- Deployment in the CERN environment
- Products tested:
  - Apple ProfileManager (iOS, Mac)
  - Absolute Manage (iOS, Android, Mac)
  - Microsoft InTune + SCCM (iOS, Android, Mac)
  - JAMF Casper Suite (iOS, Mac, Android)
  - FileWave (iOS, Android, Mac)
  - MobileIron (iOS, Android, Mac)
  - and a few more …

The test schema was simple: install the product in the CERN environment, go through the long list of criteria, check which features were available and how they worked, and update the test criteria. Update, because of course the criteria list wasn't fixed: if something was not possible to do it was removed, and if some product offered an interesting functionality we hadn't thought about before, we checked whether the other products also offered it. The following products were tested; if a platform is greyed out, that means the product supported that platform only at a very basic level.
New self-service experience based on JAMF Casper Suite
- MDM enables us to empower our users
- Centralised point of distribution for configurations and applications
- Automated process for installing software
- Specific needs for multiple-computer installations can be accommodated
- No mandatory packages
New self-service experience
Add printers
- Takes care of installing the appropriate driver
- Multiple queues configured in one go
- Proposes printers around you first; complete list available
New self-service experience
Microsoft Office 2016
- The new Office suite for Mac is now available on self-service
- Requires Mac OS X Yosemite
- New interface
- New features
  - Dedicated presentation coming soon
  - New Design tab
  - SharePoint integration (social.cern.ch)
  - Threaded comments
New self-service experience
Microsoft Remote Desktop
- Available on the App Store via self-service
- Lets you access CERN terminal services
- Lets you access your Windows virtual machines and physical hosts when connected to the CERN network
New self-service experience
Parallels Desktop v11
- Makes virtual machines easy to use
- More flexible than dual boot
- Compatible with FileVault-encrypted disks
- Lets you run multiple operating systems at the same time
New self-service experience
FileVault
- A few clicks will let you encrypt your whole disk
- Should not be used with multiple operating systems
- Makes your data safer in case of a stolen or lost laptop
- Roissy: 773 computers lost per week! London: 900
New self-service experience
CERNBox
- CERN file storage
- Privacy respecting
- Documents synchronised on your Mac and available through your browser
New self-service experience
OpenAFS
- Lets you access AFS storage servers
- Available for Mavericks and Yosemite
New self-service experience
Miscellaneous packages
- Xcode
- GIMP
- Firefox
- LaTeX
- Microsoft SCEP
- Microsoft Lync
- About this Mac
VPP
VPP – purchase workflow
- Ask for software through the Service Desk
- Agree on the price and provide the budget code
- Sign the TID in EDH
- Accept the VPP invitation in the Self Service
- Install the software from the App Store

First the user asks for the software through the Service Desk. We check the price and ask the user to provide the budget code. The user signs the TID in EDH, which is the document allowing money to be transferred between budget codes, enrols his or her Mac/iOS device in MDM (if it is not already there), accepts the VPP invitation using the Self Service and installs the software from the App Store. The software will appear under Purchased in the App Store; it can also be added to Self Service.