Posts Tagged ‘Active Directory’

‘Geneva’ Identity in the Cloud

Tuesday, November 4th, 2008

One of the more interesting things to come out of the recent PDC conference (for me at least) was the work MS has been doing around identity in the cloud.  It’s always looked like a bit of a stumbling block for the adoption of cloud services, especially for enterprises where simple user interfaces and single sign-on have been a focus for years.

The main points that I picked up on were:

Identity

The Microsoft Federation Gateway - provides an identity and federation gateway into MS provided/hosted services including Azure and Live ID.

The Microsoft Services Connector - allows you to federate your Active Directory with MS to gain access to services hosted in their cloud. 

‘Geneva’ Server - a standards based Security Token Service that allows federation between your AD and any other claims based service (including the MS hosted services)

Live ID and Open ID - Live will become an Open ID provider allowing the 400 million Live IDs to use Open ID sites and vice versa.

Those are massive simplifications of course. 

Brought together these services and solutions could make life much easier for a lot of people.

- As an Enterprise we would be able to provide services from an Azure platform without any worry about authentication or identity.  Whether that be hosted Exchange, SharePoint, or just some internally developed apps, the existing AD and its accounts can be used.

- ISVs can provide solutions knowing that they’ll never have to worry about managing accounts and passwords for people.   No need to worry about password resets - the customer will deal with that for you.  Selling a license to a company?  No need to worry about employees leaving and still having access - the customer will remove their accounts anyway (well it depends who they are selling to I guess, but you get the idea). 

- As an end user my work username and password will get me seamless access to my work systems, and my personal ID (whether LiveID or OpenID) will work on more sites, so fewer accounts and passwords to remember.

I’ve just been watching this session on the ‘Identity Roadmap for Software + Services’ over on the PDC site.  It gives a really good overview of what’s being planned and demos some scenarios where these new services might help.  It’s well worth a look.

Apple Macs in Active Directory

Wednesday, July 16th, 2008

I just found this pretty good video on the Apple site describing - at a high level - Mac integration with Active Directory. 

http://seminars.apple.com/seminarsonline/activedir/apple/

For someone from a Windows background (like me) it’s worth a look.  It’s also interesting to see the difference in style between Apple and MS.  Given the brand personas of the two companies you’d expect the styles to be reversed, with the more friendly informal stuff coming from Cupertino rather than Redmond.  But, you can’t fault the content.

Things I need to think about…

Thursday, May 8th, 2008

Apologies for this post, I’m writing it to collect together my own thoughts so it’ll probably be even more disjointed than usual!

So… we’re more or less a Microsoft shop here.  We run a standardised Windows XP desktop supported by Active Directory, Systems Management Server (SMS) and a host of Windows based application services.  This is all managed by a pretty skilled operations team and supported by a decent service desk and desktop support organisation.  In summary pretty much all the technology and skill is Windows/PC focused.

We’re now seeing an increasing demand for Mac desktops and laptops, especially from the design community.   I need to work out what the impact of adopting a multi-platform desktop fleet will be both technically and from a service management perspective.

In no particular order I reckon I’ll need to consider the following to some degree or another.  It’s probably worth noting here that some of this may have obvious solutions, but I’ve no real experience of Macs - looking forward to learning though!

Software Delivery
Any computer is pretty much useless unless you have applications to run on it, so this is a fairly important point.  At the moment we have fairly robust software delivery and asset management.  End users request an application through a web ’shop’ and the software gets delivered through SMS onto their computer. 

How will this work with Macs?  We don’t really want to go back to a world where we’re handing out CDs - the asset management of that is too hard.  So from a technology perspective we’ll need some way of delivering the applications. 

That will include amendments to our shop front so that people can select between PC and Mac versions of applications, and also the actual delivery solution.  Given that for now the Mac user base is likely to be much smaller than the PC base, it would seem to make sense to try and use SMS rather than adopt a new system - we already know and use SMS.  It looks like there are a few solutions out there to achieve this.

Applying Policy
There are certain company policies and configuration that we have to apply to our corporate desktops - proxy server settings for example.  Within the Windows world we use AD Group Policy to achieve this.  How do I go about doing this with Macs?  Again, there appear to be tools out there which help.

Patching
This is where my ignorance of Macs starts to show… :)  Now I understand that Apple runs a Software Update service, and that from the client you can select which updates to install, which to hide etc.  What I’m not sure about at the moment is whether there is a WSUS equivalent that will allow an organisation to administratively select and schedule updates from a central point.   It’s possible the software delivery solution will deal with this, but for now I’m not sure.

Desktop Support
Speaking to friends at other companies that support Macs it would seem that although Macs require less overall support than a PC, the hardware does tend to fail more regularly.  Whether this is true I’ll wait and see (flame suit on nonetheless…). 

In either case there’s a skills gap here as we don’t currently have any Mac support skills in-house.  Potentially this might mean we could bring someone in to help, at least in the short-medium term to get us over the initial learning curve.  It’s something we would need to address fairly early on in order to provide a decent level of service.

With hardware support the likes of HP and Lenovo have hordes of guys just waiting to warranty repair faulty kit.  The impression I get so far is that the same isn’t likely to be true with Apple.  Potentially that means we’ll have to have Macs in stock and on-site to replace faulty units quickly whilst repairs are organised out of band.

SharePoint Compatibility
We use SharePoint to deliver our intranet and provide the usual team and project workspaces, so compatibility with this and the workflow and applications built on it is pretty important.  This will probably drive which browsers we provide, but may also have lower level implications.

Exchange Compatibility
As with the SharePoint item above, corporate email is provided through Exchange so compatibility is critical.  I’ve not looked into this yet, but I’m guessing there will be some fairly well established solutions available.

Remote Access
Within our PC platform, remote access is provided through a Cisco based VPN solution.  Although some services are also available via web based interfaces, compatibility with this VPN solution will be important for mobile and remote users.

Looking through the Cisco site it looks like there is a client available so hopefully this shouldn’t be a problem.

Authentication
All authentication is provided through Active Directory.  All users have accounts within AD, and wherever possible applications use Windows integrated authentication for sign-on.  To provide an integrated service to the Mac users I think it’s important that this can be maintained as far as possible - nothing worse than log on prompts interrupting your work!

There’s lots of decent information on this on the Apple site, so pending me reading through it all I’m not too worried about getting this working.