Monthly archives "August 2015"

Cloud App Discovery–Cool tool, but is it ready for Primetime?

Joe Kuster

It’s no secret, I’m perfectly OK with the cloud. So when I heard about Cloud App Discovery back when it was released to preview, I immediately jumped on it, testing it out in my lab and doing a few demos. The idea is to provide a tool that identifies the unknown or hard to track down services that your users might be using (and leaking corporate data onto) as well as facilitating easy utilization numbers to SaaS tools. Microsoft put a lot of thought into solving this particular problem and it shows.

Cloud App Discovery and Azure AD Premium seem built for each other. Cloud App identifies workloads and data usage that IT doesn’t know about, kind of like the Application Compatibility Toolkit for cloud tools. The agent is installed on each system (silent deploy supported) and it sends the highlighted service access to Azure storage. Azure then does some analytics work on it and provides easy to read reports on your data, informing you which users are using 3rd party services, whether or not they are in your control and federated. In the event Cloud App doesn’t recognize the app (and it recognizes a very large number), it records the URLs, ports as well as the frequency of access and amount of data transmitted.

If it does recognize the service and it’s in the Azure AD Premium gallery, it guides me in making decisions on where to trust/federate, and I can enable SSO in a couple of clicks.

Thanks to access to the Azure Storage blob, if I want to grab files and do my own analysis, like running it through a Security Information Monitoring tool, I’m able to. The raw logs look like this:

Machine Name    User Name    App Name    Category    Is Business App    Device Family    Requests    Bytes Sent    Bytes Received    Date Begin Window    Date End Window
X79    X79\Joe    google    noisecategory    False    Windows 8.1    0    5173    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    dropbox    collaboration    True        0    0    179    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    live    noisecategory    False    Windows 8.1    0    1567    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    live    noisecategory    False        0    0    662    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    google    noisecategory    False        0    0    783    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    dropbox    collaboration    True    Windows    1    352    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    192.168.1.111_8080    othercategory    False        1    100    277    12/31/2014 12:01:00 AM    12/31/2014 12:02:00 AM

X79    X79\Joe    live    noisecategory    False    Windows 8.1    0    4637    0    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    google    productivity    False    Windows 8.1    2    4186    0    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    live    noisecategory    False        0    0    1986    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    outlook.com    othercategory    False        1    1481    10562    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM

Pretty straightforward. Aside from the slightly annoying aspect of only being available in the “Preview” Azure portal, the finished reports are really nice and filter well. I can easily drill down and see who is using which apps, how much data, and how often they use it.
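An added example (not from the original post or from Microsoft) of the do-your-own-analysis step on the raw logs shown above: it totals traffic per user and app and lists non-business or unrecognized apps by bytes sent. It assumes the export is tab-delimited, that `noisecategory` rows can be ignored, and that `othercategory` marks apps the tool did not recognize; the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

HEADER = ("Machine Name|User Name|App Name|Category|Is Business App|Device Family|"
          "Requests|Bytes Sent|Bytes Received|Date Begin Window|Date End Window").split("|")
U = ["X79", "X79\\Joe"]
W0 = ["12/31/2014 12:00:00 AM", "12/31/2014 12:01:00 AM"]
W1 = ["12/31/2014 12:01:00 AM", "12/31/2014 12:02:00 AM"]
W21 = ["12/31/2014 12:21:00 AM", "12/31/2014 12:22:00 AM"]
# Rows copied from the excerpt in the post; the tab delimiter is an assumption.
ROWS = [
    U + ["google", "noisecategory", "False", "Windows 8.1", "0", "5173", "0"] + W0,
    U + ["dropbox", "collaboration", "True", "", "0", "0", "179"] + W0,
    U + ["dropbox", "collaboration", "True", "Windows", "1", "352", "0"] + W0,
    U + ["192.168.1.111_8080", "othercategory", "False", "", "1", "100", "277"] + W1,
    U + ["google", "productivity", "False", "Windows 8.1", "2", "4186", "0"] + W21,
    U + ["outlook.com", "othercategory", "False", "", "1", "1481", "10562"] + W21,
]
SAMPLE = "\n".join("\t".join(r) for r in [HEADER] + ROWS)


def summarize(text):
    """Total requests and bytes per (user, app), skipping noisecategory rows."""
    totals = defaultdict(lambda: dict(requests=0, sent=0, received=0, status="business"))
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        if row["Category"] == "noisecategory":  # assumption: background chatter
            continue
        t = totals[(row["User Name"], row["App Name"])]
        t["requests"] += int(row["Requests"])
        t["sent"] += int(row["Bytes Sent"])
        t["received"] += int(row["Bytes Received"])
        if row["Category"] == "othercategory":  # assumption: app not recognized
            t["status"] = "unrecognized"
        elif row["Is Business App"] != "True" and t["status"] == "business":
            t["status"] = "non-business"
    return dict(totals)


def review_queue(totals):
    """Non-business and unrecognized (user, app) pairs, most bytes sent first."""
    flagged = [(user, app, t["status"], t["sent"])
               for (user, app), t in totals.items() if t["status"] != "business"]
    return sorted(flagged, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    for user, app, status, sent in review_queue(summarize(SAMPLE)):
        print(f"{user}\t{app}\t{status}\t{sent} bytes sent")
```

Sorting by bytes sent puts the largest outbound flows to non-business destinations at the top, which is the part of the log that matters for data leaving the company.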


So that’s the good. What’s the not so good? The implementation of the Network listener. I haven’t ripped fully into it to understand how it interacts with the network stack, but my notes from the field have not been without issues. Big issues. On many types of hardware. On a disturbing percentage of the systems. Now is where I take a long breath and have to tamp down my enthusiasm as I really wanted to like Cloud App Discovery. On my Hyper-V lab, it’s run for months without issue. On physical hardware though, there have been more systems with serious issues than systems without.

I really hope this gets fixed, and I’ll gladly update this post once the issues are resolved, but here are the symptoms I’ve seen:

  • After reboot, it prevents all network access. Uninstallation immediately fixes.
  • After reboot, a sudden rash of blue screens when opening web browsers that clear up immediately after product is removed.
  • After reboot, most access works, but certain cloud services are completely inaccessible, including: OneDrive for Business, Dropbox and Crashplan. Uninstallation immediately resolves issue.

I’ve noted this behavior on Windows 7, 8.1 and 10.

If you have a fix, I’d love to hear it. Hit me up on twitter: @Joe_Kuster

Add Azure RMS License to Office 365 E1 Users

Joe Kuster

If you are like most companies looking to secure your data, and you happen to be on Office 365, it’s pretty much a no-brainer to enable Azure RMS for item-level protection (encryption + usage rights + user controls). If you have an E3 license, you already have rights to use RMS and I’ve covered how to enable Azure RMS before for your Office 365 tenant. However, what about your E1 users? Well, thankfully Azure RMS can be purchased standalone and it’s pretty reasonably priced. Call up your LAR and one conversation later, your Azure RMS licenses appear in your Office 365 Portal.

Now, you could manually assign users, but around here, we’re fans of being lazy admins. I’m also a big fan of a single line of PowerShell where I can get away with it hence:

Note that if you re-run this script, nothing bad happens. You will not accidentally use multiple licenses, but you will see it complain about an “Invalid” license where it prevents assigning two of the same licenses to a user.

That error looks like:

If you see the above on your first go and your portal does not show that you’ve consumed your licenses, you need to check that your SKUs are available and that you are using the correct domain. Thankfully there’s a simple cmdlet to display that information. Just run the following:

 

Getting license errors when using Office 365 Click to Run with Azure Remote App?

Joe Kuster

Today I had an interesting exchange with a Program Manager at Microsoft regarding Azure RemoteApp. There were some great nuggets in the back and forth about solving some of the issues and opportunities I’ve experienced with Azure RemoteApp that will be in a follow-up blog, but for today I want to focus on installing Office 365. Previously, when I installed the Click to Run bits on my templates and published it out, users would encounter an error stating that they had the incorrect license and that they needed a volume activation to run Office in what is essentially a VDI configuration. Turns out, there’s a simple fix. I had incorrectly assumed that the RemoteApp process was creating the issue and that a different license for VDI was needed, not that I needed to adjust my Click to Run bits since they would be supporting multiple users. Install the Click to Run bits as normal, then:

  1. Open RegEdit
  2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration
  3. Right click and add a new String
  4. Name the string value “SharedComputerLicensing” (without quotes)
  5. Double click on SharedComputerLicensing and set the value to 1
  6. Complete the rest of your build as normal.

 

Thanks for the tip Eric!