Are you ready to discover one of the most hidden and underestimated Windows Server 2012 R2 features, Work Folders?
Work Folders lets you leverage your existing investment in file servers while giving end users anywhere access to their data from their work PC as well as from their personal devices. In this session you will learn about the challenges of securely implementing and managing "traditional" home folders in a BYOD (bring your own device) world. Learn how to deploy and manage Work Folders servers and clients, understand how Work Folders operates end to end and integrates with your existing infrastructure, and see how it takes advantage of capabilities such as multi-factor authentication, Workplace Join and Selective Wipe to keep corporate data secure wherever it goes.
ITPROCEED_WorkplaceMobility_Delivering traditional File Server Workloads in a secure manner to modern devices
1. Tweet and win an Ignite 2016 ticket #itproceed
Delivering traditional File Server Workloads in a secure manner to modern devices
Kenny Buntinx, Tim De Keukelaere
4. Microsoft NDA Confidential
What are Work Folders ?
System Architecture and server deployment
Client deployment
Behind the scenes
Troubleshooting
Data protection and security
9. "Work Folders is a brand new direction for enabling access to data in offline scenarios, along the lines of Citrix ShareFile, OneDrive for Business and Dropbox, but without the cloud and sharing features."
11. Who does what:
- Users can sync their work data to their devices.
- Users can register their devices to be able to sync data when IT enforces conditional access.
- IT can publish access directly through a reverse proxy, or conditional access can be enforced via device registration through the Web Application Proxy.
- IT can configure a file server to provide Work Folders sync shares for each user to store data that syncs to their devices, including integration with Rights Management.
- IT can selectively wipe the corporate data from multiple platforms (iOS, WP).
- Active Directory discoverability provides users with the Work Folders location.
12. Supported clients:
- Windows 8.1 and above
- Windows 7 (domain join is required): http://blogs.technet.com/b/filecab/archive/2014/04/24/work-folders-for-windows-7.aspx
- iOS (iPad / iPhone): http://scug.be/sccm/2015/04/10/work-folders-app-for-iphone-finally-released/
- Android ?
14. Server deployment steps:
Step 1: Install the Work Folders role
Step 2: Configure the Work Folders server with SSL
Step 3: Configure the Work Folders server for AD FS authentication
Step 4: Set the Relying Party settings in AD FS
Step 5: Configure the Web Application Proxy
Step 6: Create the necessary DNS records
16. To publish Work Folders through the Web Application Proxy, the Work Folders server must use AD FS (OAuth2) authentication instead of Windows authentication: WAP pre-authenticates the client at AD FS and forwards the resulting token, which the server then validates.
You can switch the Work Folders server to AD FS authentication with PowerShell: Set-SyncServerSetting -ADFSUrl <AD FS URL>
17. Creating the relying party trust in AD FS:

```powershell
# Identifier and display name of the Work Folders relying party trust
$ECSIdentifier  = "https://Windows-Server-Work-Folders/V1"
$ECSDisplayName = "EnterpriseClientSync"

# Issuance transform rule: for the authenticated Windows account, look up
# UPN, display name, surname and given name in Active Directory and issue
# them as claims. The UPN claim is mandatory for Work Folders.
$TransformRuleString = '@RuleTemplate = "LdapClaims" @RuleName = "Ldap" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = ";userPrincipalName,displayName,sn,givenName;{0}", param = c.Value);'

# Issuance authorization rule: permit every authenticated user. Access to
# the files themselves is still governed by NTFS permissions on the sync share.
$AuthorizationRuleString = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Work Folders clients are public OAuth2 clients and expect a JWT, so
# enable JWT and allow public client types; claims are not encrypted.
Add-ADFSRelyingPartyTrust -Identifier $ECSIdentifier -Name $ECSDisplayName `
    -IssuanceTransformRules $TransformRuleString `
    -IssuanceAuthorizationRules $AuthorizationRuleString `
    -EncryptClaims:$false -EnableJWT:$true -AllowedClientTypes Public
```
The relying party must issue the UPN claim, because the Work Folders server impersonates the user by UPN when it accesses the sync share on their behalf. Unfortunately there is no such file, so we used a PowerShell script to create the RP.
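The remaining steps (1, 2, 3, 5 and 6) as one PowerShell sequence, run on the file server, the Web Application Proxy and the DNS server respectively. This is an added worked example and not code from the presentation: the host names (workfolders.contoso.com, sts.contoso.com), the share path, the security group, the IP address and the certificate thumbprint are placeholders, and the netsh application ID and the -UseOAuthAuthentication switch are taken from the Microsoft Work Folders deployment guide as I recall it, so check them against your copy before running. Step 4 is the relying party script shown above.

```powershell
# ---------- Step 1: on the file server, install Work Folders and create a sync share ----------
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# Per-user folders are created under -Path for members of the -User group.
# -RequireEncryption      : data on the device is encrypted under the enterprise ID,
#                           which is what makes Selective Wipe possible.
# -RequirePasswordAutoLock: the device must enforce a lock-screen password and
#                           auto-lock, or the client refuses to sync.
New-SyncShare -Name "WorkFolders" -Path "D:\SyncShare" `
    -User "CONTOSO\WorkFoldersUsers" `
    -RequireEncryption $true -RequirePasswordAutoLock $true

# ---------- Step 2: bind the HTTPS certificate to port 443 for the Work Folders service ----------
# Assumption: the certificate (subject workfolders.contoso.com) is in the machine MY store.
# The appid is the Work Folders service ID from the deployment guide; verify before use.
$thumbprint = "<certificate thumbprint>"
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumbprint appid='{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}' certstorename=MY

# ---------- Step 3: switch the server from Windows authentication to AD FS (OAuth2) ----------
Set-SyncServerSetting -ADFSUrl "https://sts.contoso.com"

# Optional: AD discoverability. Clients read the msDS-SyncServerUrl attribute
# of the user object to find their Work Folders server.
Set-ADUser -Identity "alice" -Replace @{ 'msDS-SyncServerUrl' = 'https://workfolders.contoso.com' }

# ---------- Step 5: on the Web Application Proxy, publish with AD FS pre-authentication ----------
# -ADFSRelyingPartyName must match the Name given to Add-ADFSRelyingPartyTrust.
Add-WebApplicationProxyApplication -Name "WorkFolders" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName "EnterpriseClientSync" `
    -ExternalUrl "https://workfolders.contoso.com/" `
    -BackendServerUrl "https://workfolders.contoso.com/" `
    -ExternalCertificateThumbprint $thumbprint `
    -UseOAuthAuthentication

# ---------- Step 6: DNS ----------
# Internal zone: workfolders.contoso.com -> the file server.
# External (split-brain) zone: workfolders.contoso.com -> the WAP public address,
# plus the AD FS name (sts.contoso.com) so devices can reach the STS from outside.
Add-DnsServerResourceRecordA -ZoneName "contoso.com" -Name "workfolders" -IPv4Address "10.0.0.20"

# Sanity check on the file server: AD FS URL set, share present
Get-SyncServerSetting
Get-SyncShare
```

Because the sync share is reached over 443 only and the external path always terminates at WAP with AD FS pre-authentication, the file server itself is never exposed to unauthenticated traffic; the security settings on New-SyncShare (encryption and password auto-lock) are what stand between a lost personal device and the data synced to it.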
23. 1. Local change detected
2. Initiate sync session with server
3. Upload file to server
4. Server applies change to data dir
5. Sync initiated by second client
6. Download file from server
7. Client applies change to data dir
• Client limited to 1 partnership per user per device
• Client always drives sync
• Device applying the change responsible for conflict resolution
25. Where to look when sync fails:
On the Web Application Proxy: Applications and Services Logs\Microsoft\Windows\Web Application Proxy\Admin
On the AD FS server: Applications and Services Logs\ADFS\Operational
26. On the client: Applications and Services Logs\Microsoft\Windows\WorkFolders\Operational
For the end user:
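The triage above as a script that collects recent warnings and errors from each hop (client, proxy, AD FS) and checks the user's sync state on the server. This is an added example, not from the presentation. The ETW channel names are the ones behind the Event Viewer paths on the slides and are my assumption; confirm them with Get-WinEvent -ListLog on each box. The computer names, user and share name are placeholders.

```powershell
# Look back two hours; adjust to the time the user reported the failure.
$since = (Get-Date).AddHours(-2)

function Get-RecentProblems {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # Level 1 = critical, 2 = error, 3 = warning
    $filter = @{ LogName = $LogName; StartTime = $since; Level = 1, 2, 3 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Host'; e = { $ComputerName } }, TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# 1. Client: the Work Folders operational channel (Microsoft\Windows\WorkFolders\Operational)
Get-RecentProblems -LogName 'Microsoft-Windows-WorkFolders/Operational'

# 2. Can the client even reach the published endpoint on 443?
Test-NetConnection -ComputerName 'workfolders.contoso.com' -Port 443

# 3. Web Application Proxy admin channel (Microsoft\Windows\Web Application Proxy\Admin)
Get-RecentProblems -LogName 'Microsoft-Windows-WebApplicationProxy/Admin' -ComputerName 'wap01'

# 4. AD FS: token issuance failures for the relying party show up here
#    (assumption: the 'AD FS/Admin' channel; use whichever AD FS channel your Event Viewer shows)
Get-RecentProblems -LogName 'AD FS/Admin' -ComputerName 'adfs01'

# 5. Server side: last successful sync and any error recorded for this user on the share
Invoke-Command -ComputerName 'fs01' -ScriptBlock {
    Get-SyncUserStatus -User 'CONTOSO\alice' -SyncShare 'WorkFolders'
}
```

Read the output in that order: a client error with nothing on the proxy means the request never left the device (typically a policy or certificate problem), proxy errors with nothing on AD FS point at the published-application or certificate configuration, and AD FS errors usually mean the relying party is not issuing the UPN claim or the client type is not allowed.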
33. And win a Lumia 635
Feedback form will be sent to you by email
Give me feedback