Storm watch

Hurricane Isaias is making itself known. Wind gusts are pounding the house, making it shake like a freight train. The girls are up; Missus let them start a movie this morning despite my protests. She woke up early because of the storm and apparently isn’t planning on doing any work till later this morning.

Alerts have been popping up on my phone all morning as our managed servers have been going dark across the board. Internet and power have been dropping across the region as the storm makes its way across the area. It’s not really that much more work for me, since there’s not much I can do about it. Hopefully I’ll be able to get some work done on my two main goals at work: converting a client over to Microsoft’s mobile device management, and building a C++ build pipeline for some embedded controller software.

The RMM vendor that we work with integrated IBM’s MaaS360 product into their offerings two years ago, and we signed on one of our clients for it. It was a bit more involved than we expected for such a small deployment. We had to get a management certificate issued from Apple, which wasn’t too bad, but then we had to manage eleven Apple IDs, one for each user, before we could even enroll the phones. This involved downloading a special management app and profile. The client wanted content filtering on the phones, which meant the deployment of MaaS’s Secure Browser, which involved several more steps. Then we thought we were done, and I just ignored the deployment until about a month ago.

The client contacted me about installing a new service app on the phones, and after figuring out how to log in to the management portal I found that nine out of the eleven mobile devices hadn’t checked in, some in over eighteen months. After contacting my RMM vendor for some support and getting frustrated at their lack of knowledge, I started searching for solutions. I knew Microsoft had been offering some options through O365, and since almost all of our clients are 365 clients, I thought that any solution that can be managed through it would be a plus. What I found is that the latest MDM offerings, included free with O365, actually give us a lot of what we need: security profiles on the device itself, and the ability to control the software installed on the device. I did a quick test with our O365 tenant and my personal device, and I’ve been holding on to a client phone for about a week to test and document procedures so that they can set up the rest of the devices. I’ve been talking to other MSPs in our network, and let me say that there’s a lot of interest in the fact that I’ve been able to set up federation between O365 and Apple Business Manager.

The other project I’m trying to work on involves setting up automated deployments for a development project. The developer workstations are based off of an Ubuntu 16 VirtualBox image with a custom IDE and hardware libraries installed. The setup process runs about five or six pages, and hasn’t been replicated by the client, so I’m hoping to go through the document and create a full script that can be replicated to set things up for new employees, or whenever the developer config changes. I’d like to get them up to Ubuntu 18, at a minimum, but the eventual goal is to make sure that we have a build process that exists outside of the IDE and can be automated via a build job as part of the version control process.

The problem I was running into is that my own computing resources are kind of limited right now. I already run my Windows workstation in an Ubuntu KVM instance, so running another VirtualBox wasn’t really an option. So I decided to use some of my Azure credits that I get from my Microsoft Service Provider benefits. I recently used an Azure VM to stage an on-prem domain deployment, scripting it out using Desired State Configuration (DSC). I was able to validate my AD and DHCP scripts on the Azure server, then copy the files down to the on-prem server, run them, and have my deployment up and running in about an hour. The scripts will need some improvements before they’re really useful, but it’s a start.

So before I got started yesterday, I decided to explore deploying my VM via the Azure CLI. I went through a couple exercises yesterday to practice, and today I’m ready to get started with the actual projects.

A couple days ago, a marketing employee at Zombie made a comment to me that they were thinking about becoming a technician, and I told her to look at cloud engineer tracks, cause AWS and Azure jobs are among the highest paying and in demand, besides data scientists. Spurred by my own comments, I started exploring the training options for AWS, and started going through the AWS Cloud Practitioner track. The exam is only $120, and why not. I actually prefer AWS over Azure cause of the pricing — good luck finding a $15 a month Azure VM! — and want to really have a handle on it since that’s where I’ll probably be focusing my own entrepreneurial projects. I’m still locked into Microsoft at work, so learning Azure is going to help me, but everything Microsoft does is convoluted and complicated.

Will having a handle on both AWS and Azure make me a double threat? Doubtful, since I wager most large shops will use one or the other, not both, but that’s just my situation now. So I’m stuck between the two. Jack of all trades, master of none.

Windows 10 Provisioning packages FTW

My company has spent the last few weeks trying to prep customers for the death of Windows 7, which happened officially earlier this month. I’ve been less than happy with the amount of buy-in that we were able to get from clients, most of whom are either too broke or too stubborn to deal with the expense. We’ve had a few that are taking things seriously and are upgrading their machines, so I’m preparing to do a lot of installs.

In the past, when I worked in Enterprise, we would do images for the various models of desktop and laptops that we deployed. It made sense because of the scale. My work in the SMB space doesn’t necessitate this type of operation, since deployments are sporadic and smaller in quantity. Plus there’s so much churn in the OEM hardware market that it just doesn’t make sense.

As a managed service provider (MSP) with dozens of clients, I’ve been trying to standardize our operations as much as possible, but it doesn’t scale very well. We have a Remote Monitoring & Management tool (RMM) that we deploy to all our endpoints that installs our remote access and security tools, but we wind up with different installers for each site. We can create scripts to deploy some software, but it’s clunky and I don’t like using it. I’ve had some success deploying things like Chrome and Acrobat Reader, but it’s useless for some of the more obscure line of business vendors that haven’t packaged their installers for silent installations.

A majority of our clients are either on Windows Active Directory domains or Office 365, which uses Azure AD, so I’ve managed to write and collect a number of PowerShell scripts to repeat common tasks, but even after seven years I haven’t been able to reach the level of automation that I’d like to be at. I’ve written about my attempts to integrate some of our platform APIs, but doing things at the user level is really difficult when you’re dealing with small sites of five or ten users.

Recently I extracted the installer from our RMM provider, and found that the package is just another executable with a settings file. One of the lines in this settings file contains our client’s unique ID in their system, and I discovered I could use this as the base for a universal installer. I wrote a PS script to search and replace this string based on a hash map, and I even added a little popup selection box to run it. It wasn’t anything fancy, but it made my life just a little bit easier.
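A worked version of that search-and-replace, added here as an example and not the author’s script: it assumes a settings file at a placeholder path containing a single `SiteId=<guid>` line (the key name stands in for whatever the vendor actually uses), a constructed client-to-ID map, and Out-GridView for the popup.

```powershell
# Added example (not the author's script): swap the selected client's site ID
# into an extracted RMM settings file. The path, the 'SiteId=' key and the IDs
# are constructed placeholders; the real key name comes from the vendor's file.
$SettingsFile = 'C:\Deploy\rmm\agent.settings'
$BackupDir    = 'C:\Deploy\rmm\backup'

# Client name -> vendor-side unique ID (constructed values).
$ClientIds = @{
    'Acme Dental'      = '00000000-0000-0000-0000-000000000001'
    'Zombie Marketing' = '00000000-0000-0000-0000-000000000002'
}

# Popup selection box; Out-GridView returns the chosen row, or nothing on Cancel.
$Chosen = $ClientIds.GetEnumerator() | Sort-Object Name |
    Select-Object @{ n = 'Client'; e = { $_.Key } }, @{ n = 'SiteId'; e = { $_.Value } } |
    Out-GridView -Title 'Select client site' -OutputMode Single
if (-not $Chosen) { Write-Warning 'No client selected; file left unchanged.'; return }

# Anchored pattern so only the SiteId value is touched, never a similarly named key.
$Pattern = '^(SiteId=)[0-9a-fA-F-]{36}$'
$Content = Get-Content -Path $SettingsFile
$Hits    = @($Content | Where-Object { $_ -match $Pattern })
if ($Hits.Count -ne 1) {
    throw "Expected exactly one SiteId line, found $($Hits.Count); refusing to edit."
}

# Keep a timestamped copy so a bad edit can be rolled back.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Copy-Item -Path $SettingsFile -Destination (Join-Path $BackupDir "agent.settings.$(Get-Date -Format 'yyyyMMdd-HHmmss')")

# ${1} re-emits the 'SiteId=' prefix captured by the pattern.
$Updated = $Content -replace $Pattern, ('${1}' + $Chosen.SiteId)
Set-Content -Path $SettingsFile -Value $Updated   # add -Encoding if the vendor file is not ANSI

# Re-read and verify before handing the installer to a technician.
$Check = @((Get-Content -Path $SettingsFile) -match $Pattern)
if ($Check.Count -ne 1 -or $Check[0] -ne "SiteId=$($Chosen.SiteId)") {
    throw 'Post-edit verification failed; restore the backup.'
}
Write-Host "Settings file now targets '$($Chosen.Client)'."
```

The site IDs bind an endpoint to a client tenant in the RMM, so the map belongs in a protected location rather than a shared script repository.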

One of the things that’s always been a pain in the ass is dealing with the ‘out of the box experience’ (OOBE) that Windows presents the first time you turn it on. We’ve got a standard operating procedure for naming the default admin account and password and for machine names, but for some reason it still gets screwed up. So I wrote another small script that I can run in Audit mode that imports an XML file to skip OOBE, create the account, and install the RMM tool. Life is easier, but it’s still buggy.

Lately I’ve been playing with Windows Configuration Designer. It creates Provisioning Packages (PPKG), which can be used by end users to do a lot of these things. It’s got some useful features: device naming; enrolling in AD or Azure AD; a local admin account; and adding applications. You can even specify WLAN authentication for wireless deployment. Unfortunately, it’s not a panacea, as debugging packages (especially application installs) is a pain. One, WCD is buggy. The advanced editor started acting buggy when I started changing the application install order, garbling friendly names and file names in the XML and finally throwing errors at compile time that forced me to start from scratch. And if the package installation fails, it can’t be run again.

I made the mistake of trying to wing the installation of some of the applications. It’s really good about MSI packages, but you better have your command switches right for everything else. I kept running into issues with Acrobat Reader. Apparently it was still throwing up the GUI, waiting for a finish, which caused the PPKG to stall. And restarting the machine and trying to run the PPKG again throws an obscure error message that is not well documented. And don’t even think about running the package in audit mode. It won’t skip OOBE, and seemed to undo the Azure AD join that I did.

I wound up splitting the device and account setup into a separate package that I could rerun while I troubleshot the application installations through the main package. Eventually I started using a VM workstation that I could restore a snapshot on, but it was only seven laptops that I needed to deploy. I finally had a working package by the time I got to the seventh!

I’m starting to see the larger picture for a program that can edit the XML to dynamically generate provisioning packages for all of our clients. Grabbing the Azure token might take more time to work out, but I just need to swap out a few variables for device name and local admin, and I could individually select applications to install.
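As an added example of that XML-stamping program (not the author’s code and not Microsoft’s; Windows PowerShell 5.1 on a machine with the ADK’s ICD.exe assumed): the template is a constructed, simplified stand-in for a customizations.xml exported from WCD, the client list and paths are placeholders, and the ICD.exe switches are the ones from its documented command line.

```powershell
# Added example (not the author's program): stamp per-client values into a WCD
# customizations XML and build one package per client with ICD.exe. Paths, client
# data and the template itself are constructed placeholders.
$IcdExe = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe'
$OutDir = 'C:\Deploy\ppkg'
$Template = @'
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizations>
  <PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
    <ID>{{PackageId}}</ID><Name>{{ClientName}}</Name><Version>1.0</Version><OwnerType>OEM</OwnerType>
  </PackageConfig>
  <Settings xmlns="urn:schemas-microsoft-com:windows-provisioning"><Customizations><Common>
    <Accounts><Users><User UserName="{{AdminUser}}"><Password>{{AdminPassword}}</Password><UserGroup>Administrators</UserGroup></User></Users></Accounts>
    <DevDetail><DNSComputerName>{{DeviceName}}</DNSComputerName></DevDetail>
  </Common></Customizations></Settings>
</WindowsCustomizations>
'@
# Constructed client list; %SERIAL% makes WCD append the device serial number.
$Clients = @(
    @{ Name = 'Acme Dental';      Prefix = 'ACME'; Admin = 'acmeadmin' },
    @{ Name = 'Zombie Marketing'; Prefix = 'ZMB';  Admin = 'zmbadmin' }
)
Add-Type -AssemblyName System.Web
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($c in $Clients) {
    # Fresh random local admin password per client: record it in the password manager.
    $Values = @{
        PackageId     = [guid]::NewGuid().ToString()
        ClientName    = $c.Name
        AdminUser     = $c.Admin
        AdminPassword = [System.Web.Security.Membership]::GeneratePassword(20, 4)
        DeviceName    = "$($c.Prefix)-%SERIAL%"
    }
    $Xml = $Template
    foreach ($k in $Values.Keys) {
        # XML-escape each value: a password containing & or < would otherwise
        # break the document or silently change the stored password.
        $Xml = $Xml.Replace("{{$k}}", [System.Security.SecurityElement]::Escape($Values[$k]))
    }
    $XmlPath = Join-Path $OutDir "$($c.Prefix).xml"
    $PkgPath = Join-Path $OutDir "$($c.Prefix).ppkg"
    [System.IO.File]::WriteAllText($XmlPath, $Xml, (New-Object System.Text.UTF8Encoding $false))
    # XML and package carry a plaintext admin password: build encrypted (ICD prints
    # the package's decryption password) and remove the intermediate XML on success.
    & $IcdExe /Build-ProvisioningPackage "/CustomizationXML:$XmlPath" "/PackagePath:$PkgPath" '+Encrypted' '+Overwrite'
    if ($LASTEXITCODE -eq 0) { Remove-Item -Path $XmlPath }
    [pscustomobject]@{ Client = $c.Name; Package = $PkgPath; AdminUser = $c.Admin; AdminPassword = $Values.AdminPassword }
}
```

Per-client application lists would go into the same template as further tokens; the escaping step is what keeps a chosen password from being altered or truncated by the XML parser.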

One last thing about Azure AD: apparently, joining a Windows 10 device to Azure AD causes BitLocker to be enabled. Decryption keys are synced to the cloud, which is a nice feature.
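A check to go with that, added here and not from the post: it confirms each BitLocker volume has a recovery password protector and escrows it to Azure AD with the BitLocker module’s BackupToAAD-BitLockerKeyProtector cmdlet, so the key is actually in the portal before the laptop leaves the bench (elevated Windows PowerShell on the joined device assumed).

```powershell
# Added example (not from the post): verify and escrow BitLocker recovery keys
# on an Azure AD-joined Windows 10 device. Run elevated; needs the BitLocker module.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$($vol.MountPoint): protection is $($vol.ProtectionStatus) ($($vol.VolumeStatus))."
        continue
    }
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        # A TPM-only volume has nothing to escrow; add a recovery password first.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($p in $rp) {
        # Escrow to Azure AD; repeating it for a key already stored is harmless.
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Host "$($vol.MountPoint): recovery protector $($p.KeyProtectorId) backed up to Azure AD."
    }
}
```

The device must already be Azure AD-joined for the backup cmdlet to succeed; the recovery key then shows under the device in the Azure AD portal.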