During the Windows 10 Community Event organized by the Philippine Windows Users Group (PHIWUG) and Microsoft Philippines.
Since the MVP award is a recognition for which candidates are nominated by another MVP or by Microsoft, one of the questions asked was along the lines of: what do you think you were doing that warranted a nomination for MVP? It was noticeable that one word was used by all MVPs on the panel: passion (to the delight of MVP Eufer Pasion). All MVPs are so passionate about Microsoft technology that they go to great lengths to share it, over and above the call of duty, whether at work or at school. A common trait among MVPs is their sharing of these technologies online (via blogs or videos) or offline (via community events). The Philippine Windows Users Group and the other Philippine user groups based on Microsoft technologies were all set up by passionate individuals who were eventually recognized by Microsoft as MVPs themselves.
Another question asked was whether the MVP program actually offered any career advantage. The overwhelming answer was yes. This is simply because one becomes an MVP not by one’s own efforts, but through recognition by a separate party: Microsoft. Not only that, MVPs usually have an online presence such as a blog, which is in itself a testament to one’s technical expertise. Plus, of course, an active community contributor is placed in a position of demonstrating the technologies in front of a live audience, a skill which is useful later on as a consultant or an architect.
While all of the MVPs who participated in these events are Filipinos (entirely or partially), not all of them are currently Philippines MVPs. Jay-R Barrios and this author are Singapore MVPs by virtue of their residence, since both are employed and live in Singapore. However, both became MVPs in the Philippines and were part of the team that formed PHIWUG. Both of us flew back home for this event.
The MVPs’ last words to the attendees were: do not set out to become an MVP. Be passionate about the technology, go out and actively contribute to the technical community. Whether or not one becomes an MVP is Microsoft’s prerogative, but the other benefits of contributing to the community (the network, the reputation, learning directly from technology experts, and soft skills such as public speaking) are things one acquires by contributing regardless.
Special thanks to all the MVPs who contributed to this discussion:
Thank you very much for attending this event, PHIWUG Presents – Windows 10 Unleashed. It has been a pleasure for the Microsoft Most Valuable Professionals (MVPs) and the Philippine Windows Users Group (PHIWUG) to provide words of inspiration to our future technology leaders.
From someone who works overseas, conducting events in Filipino and English means I think less and feel more. Which is why this afternoon’s session was special for me.
Thank you also to the leads of PHIWUG, and the Microsoft Philippines folks for your undying support. I look forward to sharing in more Community Events like this in the future.
Hello dear subscribers and readers of my techblog! First and foremost, I would like to inform you all that I was awarded the Microsoft Most Valuable Professional for the 9th time. My thanks go out to Microsoft, and to all of you who read and learn about these great technologies.
As I was looking through the tech materials I had produced or written over the past years, the Windows 7 Deployment Video Series still tops my list, and more than 5 years after it was published it is still getting monthly views. Part 1 had 153 views in March 2015 (it peaked at 1,949 in March 2011). But as I reflect on this graph, only one thing comes to mind: time to make a new one!
So a new one it is! It is still in the planning stages, but I’m thinking of collaborating on this project. It will still be in video form, for those of you who don’t really like reading long, boring blog posts and prefer visuals and audio (like me). And it will most probably include Microsoft System Center 2012 R2 Configuration Manager as well!
Do leave a reply to this blog post if you wish to suggest tech topics you want covered, especially in the upcoming Deployment video.
During last week’s System Center Universe Asia Pacific, a question was raised during the Ask the Experts portion on how Microsoft can address BYOD while ensuring that corporate security is still maintained. The experts on the panel were not really able to address the required architecture.
I was formerly with Citrix, and right there I immediately thought of Citrix XenDesktop. However, being at a Microsoft event, I decided to keep my mouth shut and instead share the solution by writing about it. So here it is!
The solution is to allow the personal devices to connect to VMs. These VMs are connected to the corporate network, while the personal devices sit in a protected network which is separate from the corporate network and is only allowed to use the protocols necessary for the client to connect to the VMs.
Since the solution requires VMs, using Hyper-V is the way to go. No discussion here.
For this solution to work, there must be some technology that does VM provisioning. This is where the Citrix XenDesktop product comes in. You can dynamically provision VMs as needed.
The VMs can be shared VMs deployed with the same apps, or apps can be deployed dynamically as the VM is being provisioned, using either Citrix XenApp or Configuration Manager.
To be safe, some sort of health checking is prudent before the personal devices are allowed onto the personal-devices network. They also have to be enrolled to allow for authentication and encryption.
So does this solution work? Yes it does, and one great experience I had at Citrix is that BYOD and non-domain-joined devices are the norm!
This blog post is about my personal gotchas in implementing Role-Based Access Control in System Center 2012 R2 Configuration Manager.
When implementing Role-Based Access Control in Configuration Manager, I personally recommend that the consultant come up with conditions covering the whole RBAC space and ensure thorough testing of these RBAC roles, with very specific success criteria.
Perhaps the first potential issue I would emphasize to the consultant is that Reporting Services will probably be the first collateral damage when implementing RBAC, so make sure it is your primary test criterion. Why? If we limit the RBAC roles, especially Security Scopes, to objects that directly affect the client (e.g., applications, DPs, etc.), then Reporting Services will not work. I will write a separate blog post on this issue, but the quick solution is to ensure that a Security Scope is created that includes the Site container, and that this scope is also given to all RBAC roles that require reporting.
If your primary RBAC requirement is exclusive visibility of client computers for different client admins, your RBAC focus is on Collections. Your first move is to ensure that the client-administering RBAC roles do not have access to All Systems (which contains, among other things, all your servers that have the CM client installed). But doing so means you cannot use All Systems as the Limiting Collection of the other collections required by these admins (the resulting collection will not contain any objects). Therefore, create one collection for each client-administering group; this collection should contain all the computers that the group can administer and none that it should not. This collection is then used as the Limiting Collection of all other collections that these admins create.
- EUROPE Client Admins – Collection that only contains EUROPE computers
- APAC Client Admins – Collection that only contains APAC computers
- EMEA Client Admins – Collection that only contains EMEA computers
It is highly recommended that you enable Incremental Updates on these collections so that their memberships are updated every 5 minutes by default.
Security scopes in Configuration Manager answer the question: where could the operation be done?
There are two built-in security scopes: All and Default. All cannot be assigned to any object. Default is initially assigned to new objects; it can be removed later if the object is assigned another security scope.
You can assign security scopes to the following objects:
- Alert subscriptions
- Boot images
- Boundary groups
- Configuration items
- Custom client settings
- Distribution points and distribution point groups
- Driver packages
- Global conditions
- Migration jobs
- Operating system images
- Operating system installation packages
- Software metering rules
- Software update groups
- Software updates packages
- Task sequence packages
- Windows CE device setting items and packages
Examples of security scope applications:
- Security scopes for test and production applications.
- Security scopes for different groups in the organization that are administered by a different team.
- If different Sites are intended to be administered by different teams, create a security scope per site, and assign it to the respective teams.
Security scopes can be customized based on how they are intended to be applied. Keep your security scope design as simple as possible so as not to put unnecessary load on the Configuration Manager database.
Security roles in Configuration Manager answer the question: what operation could be done?
The following are the default security roles available in Configuration Manager 2012 R2:
- Application Administrator – Grants permissions to perform both the Application Deployment Manager role and the Application Author role. Administrative users who are associated with this role can also manage queries, view site settings, manage collections, edit settings for user device affinity, and manage App-V virtual environments.
- Application Author – Grants permissions to create, modify, and retire applications. Administrative users who are associated with this role can also manage applications, packages, and App-V virtual environments.
- Application Deployment Manager – Grants permissions to deploy applications. Administrative users who are associated with this role can view a list of applications, and they can manage deployments for applications, alerts, templates and packages, and programs. Administrative users who are associated with this role can also view collections and their members, status messages, queries, conditional delivery rules, and App-V virtual environments.
- Asset Manager – Grants permissions to manage the Asset Intelligence Synchronization Point, Asset Intelligence reporting classes, software inventory, hardware inventory, and metering rules.
- Company Resource Access Manager – Grants permissions to create, manage and deploy company resource access profiles such as Wi-Fi, VPN and certificate profiles to users and devices.
- Compliance Settings Manager – Grants permissions to define and monitor Compliance Settings. Administrative users associated with this role can create, modify, and delete configuration items and baselines. They can also deploy configuration baselines to collections, and initiate compliance evaluation, and initiate remediation for non-compliant computers.
- Endpoint Protection Manager – Grants permissions to define and monitor security policies. Administrative Users who are associated with this role can create, modify and delete Endpoint Protection policies. They can also deploy Endpoint Protection policies to collections, create and modify Alerts and monitor Endpoint Protection status.
- Full Administrator – Grants all permissions in Configuration Manager. The administrative user who first creates a new Configuration Manager installation is associated with this security role, all scopes, and all collections.
- Infrastructure Administrator – Grants permissions to create, delete, and modify the Configuration Manager server infrastructure and to perform migration tasks.
- Operating System Deployment Manager – Grants permissions to create operating system images and deploy them to computers. Administrative users who are associated with this role can manage operating system installation packages and images, task sequences, drivers, boot images, and state migration settings.
- Operations Administrator – Grants permissions for all actions in Configuration Manager except for the permissions that are required to manage security, which includes managing administrative users, security roles, and security scopes.
- Read-only Analyst – Grants permissions to view all Configuration Manager objects.
- Remote Tools Operator – Grants permissions to run and audit the remote administration tools that help users resolve computer issues. Administrative users that are associated with this role can run Remote Control, Remote Assistance and Remote Desktop from the Configuration Manager console. In addition, they can run the Out of Band Management console and AMT power control options.
- Security Administrator – Grants permissions to add and remove administrative users and to associate administrative users with security roles, collections, and security scopes. Administrative users who are associated with this role can also create, modify, and delete security roles and their assigned security scopes and collections.
- Software Update Manager – Grants permissions to define and deploy software updates. Administrative users who are associated with this role can manage software update groups, deployments, deployment templates, and enable software updates for Network Access Protection (NAP).
For details on each RBAC role, download the Matrix of Role-Based Administration Permissions for ConfigMgr 2012.
To copy an existing Security Role to a custom one:
1. In the Configuration Manager console, go to Administration workspace > Overview > Security > Security Roles, right-click the security role you want to customize, and click Copy.
2. In Specify details for the customized copy of the selected security role, add a name and description, modify the permissions as necessary, and click OK.
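The following is an added example, not code from the original post, showing how the RBAC design described above (the Reporting Services gotcha, the per-region Limiting Collections with incremental updates, security scopes, and copying a built-in role into a custom one) can be scripted with the Configuration Manager PowerShell cmdlets instead of clicking through the console. The site code PS1, the CONTOSO domain, the AD OU paths, the admin group names, the "REGION ..." application naming convention, and the use of Add-CMObjectSecurityScope on the site object are all assumptions.

```powershell
# Added example, not from the original post: scripting the RBAC design
# described in this post with the Configuration Manager PowerShell cmdlets.
# Assumed values: site code PS1, domain CONTOSO, the AD OU paths, the admin
# group names and the application naming convention ("<REGION> ..." names).

# Load the Configuration Manager module and switch to the site drive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # PS1 = assumed site code

# Region -> AD OU path that defines "the computers this group may administer".
$regions = @{
    'EUROPE' = 'CONTOSO.COM/EUROPE'
    'APAC'   = 'CONTOSO.COM/APAC'
    'EMEA'   = 'CONTOSO.COM/EMEA'
}

# 1. Copy a built-in role into a custom one (same as right-click > Copy in the
#    console) so the built-in role stays untouched and the copy can be trimmed.
if (-not (Get-CMSecurityRole -Name 'Regional Client Admin')) {
    Copy-CMSecurityRole -SourceName 'Application Deployment Manager' -Name 'Regional Client Admin' | Out-Null
}

# 2. The reporting gotcha: a scope that includes the Site object, handed to
#    every role that needs Reporting Services. (Applying a scope to the site
#    object through Add-CMObjectSecurityScope is assumed here; the console
#    exposes the same action as Set Security Scopes on the site.)
if (-not (Get-CMSecurityScope -Name 'Reporting')) {
    New-CMSecurityScope -Name 'Reporting' -Description 'Site container, needed for reporting' | Out-Null
}
Get-CMSite -SiteCode 'PS1' | Add-CMObjectSecurityScope -Name 'Reporting'

foreach ($region in $regions.Keys) {
    $collName   = "$region Client Admins"
    $adminGroup = "CONTOSO\$region-ClientAdmins"   # assumed AD security group

    # 3. A security scope per region ("where"). Collections are not scoped;
    #    they are assigned directly to the administrative user in step 5.
    if (-not (Get-CMSecurityScope -Name $region)) {
        New-CMSecurityScope -Name $region -Description "Objects administered by $region" | Out-Null
    }
    # Tag the region's existing applications (assumed naming convention) with
    # the scope; every new object created for the region must be tagged too.
    Get-CMApplication | Where-Object { $_.LocalizedDisplayName -like "$region *" } |
        Add-CMObjectSecurityScope -Name $region

    # 4. The collection that becomes the regional admins' Limiting Collection.
    #    It is itself limited by All Systems (which the admins will never see);
    #    RefreshType Continuous turns on incremental updates (5-minute default).
    if (-not (Get-CMDeviceCollection -Name $collName)) {
        New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' -RefreshType Continuous | Out-Null
        # Members: computers whose AD OU path starts with the region's OU, so the
        # collection holds every machine the group may manage and nothing else.
        $wql = 'select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
               'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client ' +
               "from SMS_R_System where SMS_R_System.SystemOUName like `"$($regions[$region])%`""
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName -RuleName "$region OU" -QueryExpression $wql
    }

    # 5. Bind role ("what") + scopes ("where") + collection to the admin group.
    #    The Reporting scope rides along so the Reporting Services node works.
    if (-not (Get-CMAdministrativeUser -Name $adminGroup)) {
        New-CMAdministrativeUser -Name $adminGroup -RoleName 'Regional Client Admin' `
            -SecurityScopeName @($region, 'Reporting') -CollectionName $collName | Out-Null
    }
}
```

The script is idempotent on re-runs (each object is created only if it does not already exist), which matters because the post's advice is to test each role against specific success criteria: after running it, open the console as a member of one of the regional groups and confirm that only that region's collection and applications are visible, that a new collection limited by the regional collection is populated, and that the Reporting Services node still lists reports. If any of those fail, the scope or collection assignment in step 5 is the first place to look.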