{"id":2300,"date":"2014-01-03T00:01:00","date_gmt":"2014-01-03T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/01\/03\/security-series-using-powershell-to-enable-byodpart-3\/"},"modified":"2022-06-16T10:14:12","modified_gmt":"2022-06-16T17:14:12","slug":"security-series-using-powershell-to-enable-byodpart-3","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/security-series-using-powershell-to-enable-byodpart-3\/","title":{"rendered":"Security Series: Using PowerShell to Enable BYOD\u2014Part 3"},"content":{"rendered":"<p><strong>Summary<\/strong>:\u00a0Guest blogger and security expert, Yuri Diogenes, completes his series about enabling BYOD.<\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. Today\u2019s guest blogger is <a href=\"\/b\/heyscriptingguy\/archive\/tags\/yuri+diogenes\/\" target=\"_blank\" rel=\"noopener\">Yuri Diogenes<\/a>, who continues his security series about enabling BYOD. Yuri is a senior knowledge engineer, and he is a coauthor of the book <a href=\"http:\/\/www.amazon.com\/Windows-Server-2012-Security-Beyond\/dp\/1597499803\/ref=sr_1_1?ie=UTF8&#038;qid=1386105398&#038;sr=8-1&#038;keywords=Windows+Server+2012+Security+from+End+to+Edge+and+Beyond\" target=\"_blank\" rel=\"noopener\">Windows Server\u00a02012 Security from End to Edge and Beyond<\/a>. 
You can follow him on Twitter at <a href=\"http:\/\/www.twitter.com\/yuridiogenes\" target=\"_blank\" rel=\"noopener\">@YuriDiogenes<\/a>.<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/book.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/book.PNG\" alt=\" Image of book cover\" title=\" Image of book cover\" \/><\/a><\/p>\n<p>This is the last post of a series, and before we start, I would like to recap what has been documented so far:<\/p>\n<ul>\n<li>In <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/security-series-using-powershell-to-enable-byodpart-1\/\" target=\"_blank\" rel=\"noopener\">Using PowerShell to Enable BYOD\u2013Part 1<\/a>, I explained how to enable device registration to allow the Contoso, Ltd. IT department to have awareness of users\u2019 devices and to perform second-factor authentication.<\/li>\n<li>In <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/security-series-using-powershell-to-enable-byodpart-2\/\" target=\"_blank\" rel=\"noopener\">Using PowerShell to Enable BYOD\u2013Part 2<\/a>, I explained how to enable Web Application Proxy to allow Contoso IT to publish internal resources for users coming from the Internet.<\/li>\n<\/ul>\n<p>This post will continue the Contoso IT story to embrace \u201cbring your own device\u201d (BYOD). If you want to know more about BYOD, read the General Considerations Regarding BYOD section in <a href=\"http:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/20554.bring-your-own-device-byod-survival-guide-for-microsoft-technologies.aspx\" target=\"_blank\" rel=\"noopener\">Bring Your Own Device (BYOD) Survival Guide for Microsoft Technologies<\/a>. 
I also encourage you to listen to my two-part interview with TechNet Radio about BYOD:<\/p>\n<ul>\n<li><a href=\"https:\/\/channel9.msdn.com\/Shows\/TechNet+Radio\/TechNet-Radio-Part-1-Understanding-BYOD-What-it-Means-for-My-Company\" target=\"_blank\" rel=\"noopener\">TechNet Radio: (Part 1) Understanding BYOD: What it Means for My Company<\/a><\/li>\n<li><a href=\"https:\/\/channel9.msdn.com\/Shows\/TechNet+Radio\/TechNet-Radio-Part-2-Understanding-BYOD-How-to-Make-it-Happen\" target=\"_blank\" rel=\"noopener\">TechNet Radio: (Part 2) Understanding BYOD: How to Make it Happen<\/a><\/li>\n<\/ul>\n<h2><strong>Scenario 3: Protect data that resides on users\u2019 devices<\/strong><\/h2>\n<p>Talking about BYOD without covering file shares and how these files will reside on the user\u2019s device isn\u2019t a compelling story. Even though we now have technologies such as SharePoint and SkyDrive that allow users to share files by using web technologies, the reality is that traditional file server access by using the Universal Naming Convention (UNC) path is still there, and it won\u2019t go away soon. Users are used to accessing files that are shared on a server, and they also want to be able to store some of their files in a shared location that can be accessed via a UNC path.<\/p>\n<p>By using a new capability in Windows Server\u00a02012\u00a0R2 called <a href=\"\/b\/filecab\/archive\/2013\/07\/09\/introducing-work-folders-on-windows-server-2012-r2.aspx\" target=\"_blank\" rel=\"noopener\">Work Folders<\/a>, you can enable users to access shared folders that are located on an internal file server, and synchronize the data with their device. 
The following image shows the core infrastructure for this scenario:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/1777.1.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/1777.1.PNG\" alt=\"Image of flow chart\" title=\"Image of flow chart\" \/><\/a><\/p>\n<p>Notice that Windows Application Proxy will be used to publish the resource and AD\u00a0FS will be used for authentication and authorization.<\/p>\n<h3><strong>Scenario definition<\/strong><\/h3>\n<p>Contoso IT is moving to the third phase of their deployment. Now they need to enable users to sync their work data to their devices, while still being able to classify information and apply protection to sensitive data. They also want to centralize the data\u2014that is, ensure that a copy of the information is kept within the corporate realm so that the information is available, backed up, and subject to corporate business rules.<\/p>\n<p>The steps to enable Work Folders by using Windows PowerShell are quite simple. However, there are some prerequisites that must be in place before you enable this capability. 
To review the requirements that must be in place before you deploy this role, see <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dn479242.aspx\" target=\"_blank\" rel=\"noopener\">Designing a Work Folders Implementation<\/a>.<\/p>\n<p>After the core infrastructure is in place, you can enable the Work Folders role in Windows Server\u00a02012\u00a0R2 by using the following Windows PowerShell command:<\/p>\n<p style=\"margin-left:30px\">\n  Add-WindowsFeature FS-SyncShareService\n<\/p>\n<p>The following image shows an example of this operation:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/7853.2.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/7853.2.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>After you enable this feature, you should plan where you are going to enable the <em>sync share<\/em>. Please read <a href=\"\/b\/filecab\/archive\/2013\/11\/01\/performance-considerations-for-large-scale-work-folders-deployments.aspx\" target=\"_blank\" rel=\"noopener\">Performance Considerations for Work Folders Deployments<\/a> to be aware of the performance impact of this feature. When you enable the <strong>FS-SyncShareService<\/strong> feature, Windows adds the <strong>SyncShare<\/strong> module to Windows PowerShell. Then, when you have planned the sync share location, you can use the <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dn296635.aspx\" target=\"_blank\" rel=\"noopener\">New-SyncShare<\/a> cmdlet to create a new sync share. 
Following is an example of this operation:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/7658.3.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/7658.3.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>You could also provide password policy enforcement at the end of the command. For example, if the company requires an automatic lock screen policy every 15 minutes, you could add the <strong>-RequirePasswordAutoLock $true<\/strong> parameter. By enforcing this policy, you also enforce the following policies:<\/p>\n<ul>\n<li>Password minimum length of six characters<\/li>\n<li>User account lockout after a maximum of 10 failed sign-in attempts<\/li>\n<\/ul>\n<p>For Contoso IT, it is also important to encrypt the data, so you need to add the <strong>-RequireEncryption $true<\/strong> parameter. For more information about the parameters that are available when you create a new sync share, read <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dn296635.aspx\" target=\"_blank\" rel=\"noopener\">New-SyncShare<\/a>.<\/p>\n<p>It is important to notice that the group used in the previous example is <strong>ContosoSales<\/strong>. This is a global security group in Active Directory. When you deploy Work Folders, we recommend that you plan which users should be authorized to synchronize their data with their devices, and then create groups (or utilize the groups you already have) so that only users that belong to those groups can perform this operation. For Contoso IT, it is also important that this capability is available via SMB access. 
This requires that the group you give access to has the Read\/Write share permission level.<\/p>\n<p style=\"margin-left:30px\">\n  <b>Note\u00a0<\/b> You need to share the folder. To do that, open Windows Explorer and navigate to <b>This PC<\/b>. Right-click the <b>Sales<\/b> folder, click <b>Share with<\/b>, and then click <b>Specific people<\/b>. Add <b>Contoso\\ContosoSales<\/b> and change the permission level to <b>Read\/Write<\/b>.\n<\/p>\n<p>After the SMB share access is granted to the users\u2019 group, the default setting is that the server will check the folder for changes to synchronize every five minutes. You can change this interval by using the following command:<\/p>\n<p style=\"margin-left:30px\">\n  Set-SyncServerSetting -MinimumChangeDetectionMins <NumberInMinutes>\n<\/p>\n<h3><strong>Validate the environment<\/strong><\/h3>\n<p>At this point, you should be able to validate the environment. To perform this validation, follow the <strong>Client Setup<\/strong> section in the topic <a href=\"\/b\/filecab\/archive\/2013\/07\/10\/work-folders-test-lab-deployment.aspx#4\" target=\"_blank\" rel=\"noopener\">Work Folders Test Lab Deployment<\/a>. Notice that you need to add the registry keys that are mentioned in the topic for validation purposes in your lab environment\u2014don\u2019t add them in a production environment. 
The following image shows what you will see on the client computer when you create a file and observe the synchronization status:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/6560.4.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/6560.4.PNG\" alt=\"Image of menu\" width=\"450\" height=\"301\" title=\"Image of menu\" \/><\/a><\/p>\n<p>Notice that the file name appears in green font because it is encrypted with EFS on the user\u2019s device.<\/p>\n<p>On the server, you can use <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dn296650.aspx\" target=\"_blank\" rel=\"noopener\">Get-SyncUserStatus<\/a> to obtain more information about the sync status for a particular user and share as shown in the following example:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<h3>Additional resources<\/h3>\n<ul>\n<li>For more information about how to monitor Work Folders, see <a href=\"\/b\/filecab\/archive\/2013\/10\/15\/monitoring-windows-server-2012-r2-work-folders-deployments.aspx\" target=\"_blank\" rel=\"noopener\">Monitoring Windows Server\u00a02012\u00a0R2 Work Folders Deployments<\/a>.<\/li>\n<li>To set up your environment to test this functionality, follow the instructions in <a href=\"\/b\/filecab\/archive\/2013\/07\/10\/work-folders-test-lab-deployment.aspx#4\" target=\"_blank\" 
rel=\"noopener\">Work Folders Test Lab Deployment<\/a>.<\/li>\n<\/ul>\n<p>I hope you liked this series about BYOD. Have a great 2014!<\/p>\n<p>~Yuri<\/p>\n<p>Thank you for your expertise, Yuri. This has been an awesome series.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\" rel=\"noopener\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\" rel=\"noopener\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\" rel=\"noopener\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\" rel=\"noopener\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary:\u00a0Guest blogger and security expert, Yuri Diogenes, completes his series about enabling BYOD. Microsoft Scripting Guy, Ed Wilson, is here. Today\u2019s guest blogger is Yuri Diogenes, who continues his security series about enabling BYOD. Yuri is a senior knowledge engineer, and he is a coauthor of the book Windows Server\u00a02012 Security from End to Edge [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[56,3,63,45,420],"class_list":["post-2300","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-guest-blogger","tag-scripting-guy","tag-security","tag-windows-powershell","tag-yuri-diogenes"],"acf":[],"blog_post_summary":"<p>Summary:\u00a0Guest blogger and security expert, Yuri Diogenes, completes his series about enabling BYOD. Microsoft Scripting Guy, Ed Wilson, is here. 
Today\u2019s guest blogger is Yuri Diogenes, who continues his security series about enabling BYOD. Yuri is a senior knowledge engineer, and he is a coauthor of the book Windows Server\u00a02012 Security from End to Edge [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=2300"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/2300\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=2300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=2300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=2300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}