Sacred Cow
Aug 13, 2007

Mr. Clark2 posted:

What are y'all using for MDM? We're currently planning a deployment of approximately 100 iPads for students and need software to remotely manage them. We'd like it to be as close to 0 touch as possible. I know about the big ones like Mobile Iron and Maas360 but I'm interested in hearing about how these things actually work in a production environment and people's experience with them.

My company actually did a test run with AirWatch and they were pretty great. Easy to set up and manage, and our support guy was always on the ball. We were actually about to purchase it when out of nowhere our executives decided to put the brakes on the whole MDM project.

We also tried Mobile Iron but their system takes a little more babysitting to run and we just don't have the manpower for it. Also, if it matters, Mobile Iron uses Linux for their on-premise gateway and endpoint systems; AirWatch uses Win Server with IIS.


CLAM DOWN
Feb 13, 2007
Mr. Clark2 posted:

What are y'all using for MDM? We're currently planning a deployment of approximately 100 iPads for students and need software to remotely manage them. We'd like it to be as close to 0 touch as possible. I know about the big ones like Mobile Iron and Maas360 but I'm interested in hearing about how these things actually work in a production environment and people's experience with them.

BES. loving kill me.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

I'm looking for something completely cloud-based, I don't feel like managing more hardware and software than I already have to. Checking out Airwatch now, it's looking the best so far.
Since I have essentially 0 experience with this, I have one quick question... can I lock down a device to the point where the user will be unable to delete an app? These are going to be deployed to teenage students, and I can guarantee that the first thing they're going to try and do is to delete poo poo just to mess around. These will all be company owned devices so I'm not worried about hurting their feelings or messing with their personal apps.

Sacred Cow
Aug 13, 2007

Mr. Clark2 posted:

I'm looking for something completely cloud-based, I don't feel like managing more hardware and software than I already have to. Checking out Airwatch now, it's looking the best so far.
Since I have essentially 0 experience with this, I have one quick question... can I lock down a device to the point where the user will be unable to delete an app? These are going to be deployed to teenage students, and I can guarantee that the first thing they're going to try and do is to delete poo poo just to mess around. These will all be company owned devices so I'm not worried about hurting their feelings or messing with their personal apps.

The setup for AirWatch was pretty painless if you only want to use it for policies. Come to think of it, you might not require any hardware if you don't have a requirement to sync with AD. The gateway and endpoint were for encrypted emails and secure documents.

Since our account is on hold I can't look directly, but I don't think you can prevent deleting apps; the way the policy works, though, the app will automatically reinstall itself after the device checks back in for a policy refresh. I know you have the ability to white/blacklist apps to keep them from installing stuff you don't want them to have. My company just wanted this for BYOD so we didn't go too deep into restrictions.

Thanks Ants
May 21, 2004

#essereFerrari


MaaS360 has served us well. I think Casper has a cloud offering now, but that's more for managing stuff if you're an Apple company, as opposed to managing all mobile devices.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Another vote for MaaS360

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

We really just need the ability to:

Add/remove apps remotely
Disable camera, imessage, email and other apps
Restrict ability to install apps
Remote wipe
Prevent user from changing settings
Restrict the device to only join specific wifi networks
Ability to physically locate the device on a map
Some reporting would be nice

Geofencing would be nice but isn't a necessity.
Don't really need all the content management/protection stuff that the more business oriented solutions seem to offer; we really just need to keep them from screwing them up, and easy, remote fixing when they eventually do screw them up. I'm pretty much the entire IT dept. so managing these things from my desk without having to touch them is paramount.

Also, is there some equivalent to WDS and an 'image' like on the PC side? Like when one of these kids screws up the iPad, I can just revert it to a known, clean image. Preferably remotely.
Sorry if these are dumb questions but I don't have any experience with iOS devices in the enterprise, only for personal usage.

Sacred Cow
Aug 13, 2007

I still have access to the doc repository for AirWatch, so here you go.

quote:

Add/remove apps remotely
Disable camera, imessage, email and other apps
Restrict ability to install apps
Remote wipe

Yes. Absolutely.

quote:

Prevent user from changing settings

You can only prevent some setting changes...

quote:

Restrict the device to only join specific wifi networks

This one for instance. You can preconfigure wifi settings but you can't block changes (at least from what I'm reading).

quote:

Ability to physically locate the device on a map
Geofencing would be nice but isn't a necessity

Yes to both of these (not sure if this is limited to GPS enabled devices only).

quote:

Some reporting would be nice

More reports than you'll know what to do with. Makes manager friendly charts and graphs too.

quote:

Also, is there some equivalent to WDS and an 'image' like on the PC side? Like when one of these kids screws up the ipad, I can just revert it to a known, clean image. Preferably remotely

As far as I can tell, none of them can do this. You'd have to do a Full Wipe, re-enroll the device and let the policies "image" it from there.

I'm not trying to champion AirWatch here, I just have more experience with them than MaaS360 or Mobile Iron. They can all basically do these things since they're based off the exact same APIs. The big difference is ease of use, and the IT department I work for is tiny, which is exactly why we gravitated to AirWatch.

MC Fruit Stripe
Nov 26, 2002

around and around we go
If I want to tell a PDC (e: obv I mean the FSMO role, don't you lecture me, don't you dare!!!!) to sync time from a list of IPs, can someone walk me through that? Even if I use a single IP for testing, it reverts to either another domain controller (guh??) or local CMOS clock.

The commands I am using on the PDC are:

w32tm /config /manualpeerlist:69.25.96.13,0x1 /reliable:yes /update
w32tm /config /syncfromflags:manual /reliable:yes /update (in retrospect I don't know why I have these first two commands on separate lines but I'll be damned if this is the issue)
net stop w32time
net start w32time
w32tm /query /status

However it keeps giving me a source of the other domain controller, or local CMOS clock. Suggestions on a direction to head in?

MC Fruit Stripe fucked around with this message at 23:52 on Jul 11, 2014

MrMoo
Sep 14, 2000

I normally use:
code:
w32tm /config /manualpeerlist:sapporo.hk.miru.hk,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
w32tm /resync

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

MrMoo posted:

I normally use:
code:
w32tm /config /manualpeerlist:sapporo.hk.miru.hk,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
w32tm /resync

Yeah, I thought 0x8 was what you needed, not 0x1.

CLAM DOWN
Feb 13, 2007
nexxai posted:

Yeah, I thought 0x8 was what you needed, not 0x1.

If you use 0x1 you have to set a registry key for the polling interval as well.

(I think, it's been a while)

e: yeah found it:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
I just followed this technet post and had no issues :shrug: Server 2012 r2 PDC

lol internet.
Sep 4, 2007
the internet makes you stupid
Do PC manufacturers provide an OEM Professional to Enterprise license by any chance for new machines?

Or would I need to get the Professional, then buy an upgrade separately? Was using WinMagic SecureDoc to encrypt PCs, but it like has issues working with Windows 8.1 UEFI.

KS
Jun 10, 2003
Outrageous Lumpwad
No such thing as OEM Enterprise. Microsoft is currently phasing out the cheapest method of acquiring enterprise: when you buy an OEM Pro license you have 90 days to buy software assurance for it. Really the only way to get Enterprise now is on select or enterprise agreements. Sorry.

e: bitlocker comes in 8/8.1 Pro, though. It is no longer an Enterprise-only feature like it was in 7, if that's what you're looking for.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


I always use my firewall/gateway as a time sync source instead of an internet host. Everything syncs from this source and the device syncs from the internet.

The firewall is always going to be up and I know the IP address will always be good. I also just have to change my master time sync source in one location instead of all over the place.

MC Fruit Stripe
Nov 26, 2002

around and around we go
Strangely, on the other DC I had been running w32tm /config /reliable:yes, but as soon as I swapped to /reliable:no on the other domain controller and then cycled w32time, everything was resolved!

This is just a weird situation because I can only use IPs and not DNS in this one environment, so I'm populating this ridiculous just-in-case list of 20 IPs for it to sync to. So far it does appear to be working, it's just a bit more work than I'd like.
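The thread above works out, by trial and error, the two things that matter for a PDC emulator pulling time from a manual IP list: the peer flag (0x8 Client vs 0x1 SpecialInterval, which needs the SpecialPollInterval registry value) and keeping /reliable:yes on the PDC emulator only. This is an added PowerShell example, not from anyone in the thread; the peer IPs are placeholders, it assumes the ActiveDirectory module is present on the DC, and it is run elevated.

```powershell
# Added example: configure time sync on a domain controller according to its
# FSMO role, then verify what w32tm actually selected as its source.
# Placeholder NTP peer IPs (RFC 5737 TEST-NET-2); replace with your own.
$Peers = @('198.51.100.10', '198.51.100.11')

Import-Module ActiveDirectory

# Only the PDC emulator should sync from outside the domain.
$pdcFqdn = (Get-ADDomain).PDCEmulator
$isPdc   = ($pdcFqdn.Split('.')[0] -ieq $env:COMPUTERNAME)

if ($isPdc) {
    # 0x8 = Client mode: ordinary NTP polling, no registry tweak required.
    # 0x1 = SpecialInterval: polls every SpecialPollInterval seconds, read from
    # HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
    $peerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy and must NOT advertise itself
    # as reliable, otherwise clients (or a misconfigured PDC) may pick it instead.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

Restart-Service w32time
w32tm /resync | Out-Null

# Verification: w32tm /query /source prints e.g. "198.51.100.10,0x8",
# "Local CMOS Clock", or another DC's hostname.
$source = (w32tm /query /source | Out-String).Trim()
$type   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type

"Role    : $(if ($isPdc) { 'PDC emulator' } else { 'member DC' })"
"Type    : $type      (expect NTP on the PDC emulator, NT5DS elsewhere)"
"Source  : $source"

if ($isPdc) {
    $sourceIp = ($source -split ',')[0]
    if ($source -match 'Local CMOS Clock' -or $Peers -notcontains $sourceIp) {
        Write-Warning "PDC emulator is not syncing from the configured peers; check firewall UDP/123 and the peer flags."
    }
}
```

Run the same script on each DC: the PDC emulator branch sets the external peers, the other branch undoes a stray /reliable:yes like the one the thread describes.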

vanity slug
Jul 20, 2010

skipdogg posted:

Feeling your pain.. I'm the main AD guy where I work and I get asked once or twice a month to do bulk updates to folks' user accounts or group membership..

Sure, no problem, send me the data..

I get data that takes me 5 or 6 hours to massage into a usable format to run a script that takes 3 minutes.

Ok, here's what you're gonna say next time: "Sure, no problem, send me the data in this format."

GreenNight posted:

I was asked to add everyone's pictures to AD so it gets used in Outlook and Lync. They gave me 400+ pictures and each one a huge fuckoff 40 meg tif on a terabyte drive.

IrfanView takes care of this nicely, usually.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

MC Fruit Stripe posted:

I can only use IPs and not DNS in only this one environment
I feel like I'm going to hate myself for asking, but uhhh why?

peak debt
Mar 11, 2001
b& :(
Nap Ghost
DNS is a security risk because hackers can guess what a server does from its name.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

peak debt posted:

DNS is a security risk because hackers can guess what a server does from its name.
After the stories of Dick Trauma and blackswordca, I honest to goodness cannot tell if you're being serious or not.

Thanks Ants
May 21, 2004

#essereFerrari


I worked for a guy who used to call servers really stupid names "for security purposes", and then not document anywhere that the RADIUS server called "piginshit" was also an MSSQL box. The idea that people would just port scan a range to see what services were running on the machine was totally lost on him.

When I finally :yotj: he was busy spacing out the IP ranges for the 5 or 6 VLANs that we ran internally because he was convinced that the packets would get confused somehow if 192.168.1.x and 192.168.2.x were both in use.

Malcolm
May 11, 2008
DirectAccess is Enterprise OS only in Win7 (and Win8 I believe) but it loving owns if it fits your org. It's a bummer that Enterprise licensing is so difficult, I know it costs us a bundle but it's great for off-site Windows management.

Zaepho
Oct 31, 2013

Malcolm posted:

DirectAccess is Enterprise OS only in Win7 (and Win8 I believe) but it loving owns if it fits your org. It's a bummer that Enterprise licensing is so difficult, I know it costs us a bundle but it's great for off-site Windows management.

This is absolutely true. Honestly a lot of the ways that people decide it doesn't fit their org are lame political reasons or perceived needs that they aren't going to satisfy with other solutions either.

I absolutely love firing up my laptop and connecting to resources in the office without even thinking whether or not I'm VPN'ed in. 95% of the time, it plain just works. The other times, the DA server is down (I haven't set up a load balanced cluster yet because I'm a terrible IT person), the office Internet is down, my internet is down, or the customer whose guest WiFi I'm on is doing something weird and terrible to SSL traffic.

MC Fruit Stripe
Nov 26, 2002

around and around we go

nexxai posted:

I feel like I'm going to hate myself for asking, but uhhh why?
Because one day I won't have this job anymore and at that point will never have to deal with it again, that's why.

e: and I mean the IP of a time server not its name, ruling out any of the usual pools. Obviously this environment has DNS.

MC Fruit Stripe fucked around with this message at 03:16 on Jul 14, 2014

lol internet.
Sep 4, 2007
the internet makes you stupid

KS posted:

e: bitlocker comes in 8/8.1 Pro, though. It is no longer an Enterprise-only feature like it was in 7, if that's what you're looking for.

Yeah, that was the thing we were looking for. Works out then.

Dumb question but I assume the Pro version allows you to use BitLocker from the centralized administration panel right?


Thanks!

Zaepho
Oct 31, 2013

lol internet. posted:

Yeah, that was the thing we were looking for. Works out then.

Dumb question but I assume the Pro version allows you to use BitLocker from the centralized administration panel right?


Thanks!

The centralized panel is MBAM (http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx) and is part of the MDOP CAL/License/Thing. You may need an EA for this. I stay as far away from licensing as I possibly can though.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
MBAM doesn't really do anything new though, it just puts a fancier UI on everything. Even without it, you can activate Bitlocker by group policy and store the recovery keys in AD.

Sacred Cow
Aug 13, 2007

peak debt posted:

MBAM doesn't really do anything new though, it just puts a fancier UI on everything. Even without it, you can activate Bitlocker by group policy and store the recovery keys in AD.

The 2 big advantages to MBAM I've seen have been a help desk portal (my team is too small to have a HD so whatever) and a user self-service portal which no user will ever touch. I integrated it with SCCM to test it out and we still ended up just sticking with AD storage for our keys.

edit - Plenty of reporting tools for your report loving manager
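The two posts above settle on the GPO-only approach: BitLocker enforced by policy, recovery passwords escrowed as msFVE-RecoveryInformation objects under each computer object in AD. The check a small shop without MBAM still wants is whether that escrow actually happened for every machine. This is an added PowerShell example, not from either poster; it assumes the ActiveDirectory module and read rights on the recovery objects, and deliberately never reads the recovery password attribute itself.

```powershell
# Added example: report which domain computers have BitLocker recovery
# information escrowed in AD, so machines the GPO missed can be found
# before someone needs a recovery key that was never stored.
Import-Module ActiveDirectory

function Get-BitLockerEscrowReport {
    param(
        # Defaults to the whole domain; pass an OU DN to narrow the audit.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem |
        ForEach-Object {
            # Recovery info objects are children of the computer object.
            # Only whenCreated is requested; msFVE-RecoveryPassword is the
            # secret and should never be pulled into a report.
            $escrowed = @(Get-ADObject -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                                       -SearchBase $_.DistinguishedName `
                                       -Properties whenCreated)

            [pscustomobject]@{
                Computer     = $_.Name
                OS           = $_.OperatingSystem
                RecoveryKeys = $escrowed.Count
                LatestEscrow = ($escrowed | Sort-Object whenCreated -Descending |
                                Select-Object -First 1).whenCreated
            }
        }
}

# Zero escrowed keys means either the drive isn't encrypted or the
# "Store BitLocker recovery information in Active Directory Domain Services"
# policy was not in effect when the protector was created.
Get-BitLockerEscrowReport |
    Where-Object { $_.RecoveryKeys -eq 0 } |
    Sort-Object Computer |
    Format-Table -AutoSize
```

A count of 2 or more for one machine is normal after a key rotation or a second encrypted volume; the gap to hunt is the zero.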

nescience
Jan 24, 2011

h'okay
Not really in an enterprise setting, but I feel this is probably the best thread to get help.

I'm not a SysAdmin or anything, just trying to screw around.

I want to access a Windows app from my MacBook via RemoteApps (the host is a Windows 8 Pro), do I need to pay some kind of licensing fee for that? I don't need multiple users or anything, it's just me connecting to my own Windows 8 Pro.

If I don't, this is what I have so far: I can connect to it via RDP with the entire desktop just fine, it's just when I specify a particular app that I have an issue (Internet Explorer). I made an RDP file with the RemoteApps Tool application, but when I attempt to connect to it, it just disconnects straight away; I never even see the RDP window. The event viewer log on the Win8 shows that I log off within a few seconds of logging in. I edited the local group policy to allow 60 minutes of active RDP session.

My Win8 isn't on any domains, my firewall/routers are configured correctly (I think? Port 3389 forwarded right? Does RemoteApp use any other port besides the 3389?) and my user is configured with remote desktop access.

Any tips?

Maneki Neko
Oct 27, 2000

nescience posted:

Not really in an enterprise setting, but I feel this is probably the best thread to get help.

I'm not a SysAdmin or anything, just trying to screw around.

I want to access a Windows app from my MacBook via RemoteApps (the host is a Windows 8 Pro), do I need to pay some kind of licensing fee for that? I don't need multiple users or anything, it's just me connecting to my own Windows 8 Pro.

If I don't, this is what I have so far: I can connect to it via RDP with the entire desktop just fine, it's just when I specify a particular app that I have an issue (Internet Explorer). I made an RDP file with the RemoteApps Tool application, but when I attempt to connect to it, it just disconnects straight away; I never even see the RDP window. The event viewer log on the Win8 shows that I log off within a few seconds of logging in. I edited the local group policy to allow 60 minutes of active RDP session.

My Win8 isn't on any domains, my firewall/routers are configured correctly (I think? Port 3389 forwarded right? Does RemoteApp use any other port besides the 3389?) and my user is configured with remote desktop access.

Any tips?

Did you see this note on the site you linked?

quote:

Note: If you try to host RemoteApps on any other edition of Windows (eg Win 7/8 Professional), the tool will run but RemoteApps will not work. The RDP client will appear to be connecting, then just disappear.

Spazz
Nov 17, 2005

I've got a fun one. What would you do in this situation:

  • Very Big Client (VBC) has their own Oracle SSO that they would like to integrate with our system.
  • Our system is built on SharePoint and only natively supports SAML v1.1 for authentication, which works but is causing issues because of how the cookies/handshake works.
  • Certain key features of our product are having issues with the handshake. If a user session expires when they submit a form for example, the browser hits the SSO and then comes back to the originating page, thus wiping their form that they filled out.
  • SAML v2.0 should resolve this, but it is not supported natively. It is supported in SP2013, but upgrading is not an option right now.

Here's our options:
  1. Develop our own custom auth handler using WIF. Development time, but it offers us a lot more custom changes.
  2. Use ADFS configured as a v2 service provider. Simpler configuration/install, but more overhead/complex system.
  3. Pray that Microsoft releases a service pack for SP2010 that provides SAML 2.0 support.

The last one will never happen, but I left it there as a comedy option.

Dr. Video Games 0089
Apr 15, 2004

“Silent Blue - .random.”

This is more of a "we contacted an outside IT company for help about setting up a server and we have some questions" question. I hope this is the right place.

My office is trying to implement a new server. They contacted a local IT company and they provided us a quote for buying hardware, software, and installation. The boss isn't too technology focused and I'm only a little better at it than he is.

The quote looks something like this. Next to it is the cost I found from Google.

Tower Server : $579 / $379
4 1TB Hard Drive : $99 each / $50 each
Windows Server 2012 OS: $800 / $500-$600
Windows Server 2012 5 Remote Licenses: $500 / $199
Installing Windows : $120
Installing Software : $120
Creating Active Directory Domain: $120
Set Up Server Roles : $120
Configuring DNS & DHCP : $120

That's just half of the quote. They have more $120 quotes. So they've obviously marked up a lot of the cost.

I can understand charging for installation of software since that's labor, but it's still bullshit since we can buy everything ourselves at a much lower cost. Also, the quote looks like they're trying to add a bunch of duties to the quote just to inflate the overall costs. (Installing Windows for $120??????????)

When it comes to hiring an outside IT company for this, is it fair to ask them to lower the prices on hardware? What about stuff like installing software?

PS. I know this kind of quote can work for a company that has next to no computer knowledge but since I'm here, a lot of red flags have been raised.

Dr. Video Games 0089 fucked around with this message at 18:41 on Jul 16, 2014

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
$120 a pop for clicking links in the Server Manager window. I really need to start freelancing.

mewse
May 2, 2006

Dr. Video Games 0089 posted:

This is more of a "we contacted an outside IT company for help about setting up a server and we have some questions" question. I hope this is the right place.

My office is trying to implement a new server. They contacted a local IT company and they provided us a quote for buying hardware, software, and installation. The boss isn't too technology focused and I'm only a little better at it than he is.

The quote looks something like this. Next to it is the cost I found from Google.

Tower Server : $579 / $379
4 1TB Hard Drive : $99 each / $50 each
Windows Server 2012 OS: $800 / $500-$600
Windows Server 2012 5 Remote Licenses: $500 / $199
Installing Windows : $120
Installing Software : $120
Creating Active Directory Domain: $120
Set Up Server Roles : $120
Configuring DNS & DHCP : $120

That's just half of the quote. They have more $120 quotes. So they've obviously marked up a lot of the cost.

I can understand charging for installation of software since that's labor, but it's still bullshit since we can buy everything ourselves at a much lower cost. Also, the quote looks like they're trying to add a bunch of duties to the quote just to inflate the overall costs. (Installing Windows for $120??????????)

When it comes to hiring an outside IT company for this, is it fair to ask them to lower the prices on hardware? What about stuff like installing software?

PS. I know this kind of quote can work for a company that has next to no computer knowledge but since I'm here, a lot of red flags have been raised.

Don't get trapped in the "my 15 year old cousin can set up a server" mindset. You're paying them so that you can call and yell at them when poo poo breaks. If you think they are being unreasonable, then look at other options. Trying to do it yourself, poorly, doesn't seem like one of those options.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

I see nothing unreasonable about those costs to be honest. Businesses exist to make money, and everything seems reasonable there.

KS
Jun 10, 2003
Outrageous Lumpwad
Looks pretty good to me. Assuming $120/hour (which is actually a pretty fair rate), sure, some of those will come in on the shorter side, but it's a reasonable approximation. The only thing that jumps out is "installing software" because it's a duplicate of "Set Up Server Roles" unless you're adding in some 3rd party stuff. But yeah, with limited info, looks good.

sanchez
Feb 26, 2003
That server is suspiciously cheap, the rest of the rates are entirely reasonable. The company may work with you on pricing, but honestly getting pushback on a project that size would result in us just walking away from it, it's not worth haggling with someone with that mindset.

Zaepho
Oct 31, 2013

sanchez posted:

That server is suspiciously cheap, the rest of the rates are entirely reasonable. The company may work with you on pricing, but honestly getting pushback on a project that size would result in us just walking away from it, it's not worth haggling with someone with that mindset.

I agree here. What you're seeing is markup and hourly rates, which honestly are pretty low when looked at from the perspective of the hours that will be put in. A manual server OS build and config I would typically budget a full day for. Just think of the time the tech is going to sit there with his thumb up his butt waiting for Windows Updates to complete. For you this means you hit go and walk away to do other duties. For the consultant on site, he's stuck staring at it and waiting, which means you pay for that time.

What I'm seeing glaringly missing in that quote is the Design time for AD. You really need to sit down with them and figure out what the best way to lay out your AD infrastructure is. That's not even beginning to get into GPOs, migration of users from local profiles to domain profiles. Implementing AD is a huge leap to make and will take some time and effort to migrate to.

Secondly, find a way to get another server. All of your AD eggs in one basket is a disaster waiting to happen.


nescience
Jan 24, 2011

h'okay

Maneki Neko posted:

DId you see this note on the site you linked?

doh.

What would be the server equivalent edition to Win7? 2008 R2?
