Monday, 10 June 2019

Microsoft Licencing for a serverless school.

Going serverless challenges every preconception regarding networking and application delivery and that includes Microsoft licencing.  Working on the premise that nobody really understands this subject let’s try and keep things simple.

First we must assume that the adoption of Office 365 or G Suite for Education and associated SaaS applications has removed the requirements for SQL Server, Exchange and Remote Desktop Service (RDS).  It’s hard to believe that in 2019 a school would still be licencing a local Exchange server rather than the free Office 365 A1 tier for faculty and students. There’s really no excuse for this capital crime against the school finances.

However, while the school still runs Windows OS with local file and print services and MS Office 2019 installed on the desktop you still require a base set of licences.
  • A licence to install and update the Windows desktop OS.
  • A licence to install and upgrade the Microsoft Office suite.
  • A licence to install and upgrade the Windows Server OS.
  • Client Access Licences (CALS) for either devices or users to access resources on the server(s).
While it’s possible to licence each item individually most schools choose to purchase a ‘bundle’ under one of the Microsoft educational plans such as Open Value Subscription Agreement for Education Solutions (OVS-ES).

This approach has one major advantage. In addition to simplifying ordering, the bundled set carries a ‘student benefit’ option. This means that if the school buys licences for all staff members (defined as Full Time Employees or FTE’s) the same licence covers the student body as well.

Clearly this scheme has the potential for significant cost savings. In fact, for any school operating a shared deployment of Windows devices, Mac OS ICT suites running Office, a teaching and administrative department embedded with Microsoft Office and a multi-node Hyper-V Server farm, it’s a deal not to be missed. But what if you’ve gone serverless?

In this situation the annual renewal cost for the bundle can look pretty steep, especially if the school needs to purchase a licence for each staff member regardless of whether they even have a network logon.  If the school derives value from the licence bundle that’s fine but with a serverless school that's unlikely to be true.

For example the bundle includes a server user CAL which is not much use to a school that doesn’t run file and print services or host local Active Directory.

Similarly, if pupils access a large shared pool of Windows 10 devices with Office 2019 installed the student benefit option makes financial sense, but if they are using Chromebooks or iPads to access G Suite or Office 365 web apps you're paying for something you don't need.

So what would Microsoft licensing look like for a serverless school that still needs to maintain a Windows 10 environment ?

This will vary from school to school but there are some pointers.

Manage Windows devices using InTune.
Schools need to move towards Windows 10 by January 2020 as support for Windows 7 is withdrawn.  Take this opportunity to place the new image under InTune control rather than falling back to a legacy process that requires local licensing. InTune offers a simple device licensing model which can be factored into the price of the device. Alternatively InTune licences can be allocated to individual users.

Only licence what you need.
Why purchase Office 2019 licences for every staff member (and student) when only the SLT team actually need it to fulfill their duties? Office can be licenced as an add-on subscription to the free A1 tier and then allocated to those members of staff who need it. Everybody else can use the Office web apps, which cover most situations.

If you ask a member of staff if they need Office 2019 the answer will always be yes. If you then ask for a contribution towards the licencing costs you’ll probably find that, after due consideration, the Office365 web apps will be fine after all.

Google has recently announced a new facility that allows the native editing of Office documents directly from G Drive. This may not meet the needs of the office macro ninja but it could reduce the need to licence Office for ad-hoc access and will certainly allow students to edit legacy document sets.

Make use of the new initiatives.
Microsoft is aware that the current EDU licence model is not ideal for the SaaS based school and is working hard to make it more attractive. One of these initiatives is the Shape the Future K-12 education program.

The major benefit of this scheme is the ability to order devices from Microsoft Partners with Windows 10 Pro preloaded. Units can then be manually enrolled into InTune without requiring an additional upgrade licence (Home -> Pro) or delivered direct to the user in a ready to run state through the AutoPilot scheme.

Schools with new hardware stock not covered by the scheme can still purchase an upgrade licence through OVS-ES but it’s far easier to absorb the discounted cost in the initial purchase price and enjoy the benefits of a more streamlined deployment process.

Run an appliance not a server
If your students and staff are taking resources from the cloud (including directory services) your local appliance should be reduced to running network support processes (DHCP, DNS). File storage will be managed using OneDrive / Teams / Google Drive / Shared Drives while the print server role moves to a SaaS platform such as Printix that integrates closely with both InTune and G Suite.

If you are running Windows Server you still need to licence the server cores but so long as your clients are not accessing local resources (application/file/print) there is no requirement for CALS. And of course you don't have to run Windows Server 2019 to provide basic network support.

Microsoft licencing becomes simple again. If you need a Windows device the total six year cost** is

Cost of device + Cost of the InTune device license + Cost of upgrade licence (if required).

       ** An InTune device licence is valid for six years.

A new staff member becomes

Cost of an annual Office Pro subscription licence (if required for role) otherwise use the free A1 Faculty.

The Office Pro licence, like the InTune user licence is transferable so you can work with a small free pool to make it more flexible.

Reevaluating Microsoft licensing in this way can bring substantial savings. There may be good operational reasons why this might not be immediately possible but in the future the serverless school shouldn’t be bundling up.

Friday, 10 May 2019

Managed Chrome from the Cloud (p2)

A first look at the Chrome Cloud managed browser.

Once enrolled the Chrome browser turns up as a fully managed object in the G Suite admin console and shares with users and chromebooks the ability to take policy based on a position in the organisational structure. Like Chromebooks, managed browsers get a dedicated section in the Chrome management dialog, joining an ever increasing list of device types.

Opening the new Managed Browsers section displays a page layout similar to Chromebooks but without the filter options.  Each machine hosting a Chrome browser creates an inventory entry with the Machine name as the key.

Selecting the Machine Name opens a dialog that presents a wealth of information about the browser and the device hosting the browser.

If your dialog looks a little empty it might be because the data collection feature needs to be enabled for the device. Under the User and browser setting for the OU controlling the browser object you need to set Cloud Reporting to Enable managed browser cloud reporting.

This policy pushes out a small Chrome extension that handles the data collection and reports back to the console. Once enabled you can see the extension load on the browser.

There’s little point listing all the reporting elements as they are well documented by Google and fairly obvious but some of the actions are worth a mention.

In the Installed apps and extensions card you get the option to select an element that has been reported and then Block the object from all other browsers.

The option allows you to select the root OU object for the action and remove the extension from all browsers in scope, blocking all future installs. This may be of limited use in schools where the policy is restrictive by default but for organizations with a looser structure this could be a useful feature.

The machine policy section gives a centralised view of the information you would see on the local chrome policy page which is very useful. As you might expect CloudManagementEnrollmentToken shows up as the only Local Machine Policy but for other policies the status flag seems a bit misleading. The fault code is

“More than one source is present for this policy, but the values are the same” 

which is hardly surprising as most of the policies will have two sources, one taken from the user OU and one from the browser OU. Since the policy is actually applied it hardly seems to merit a large red exclamation mark and an Invalid status.

User Profile policies are broken out in the section below and list those policies that override the browser settings by being Locally applied for the user object. If you don’t see this section it’s because you have no valid user policies set.

Policy information is updated by a reboot of the device but there doesn’t seem to be a way to control it directly through the extension directory.

Browser Extension List.
Curious admins who scroll all the way down to the bottom of the Chrome Management dialog will be rewarded with a new option, Browser extension list.

This allows the admin to view an aggregated list of all Chrome browser extensions organised by extension rather than device.

Apart from selecting the extension name and moving directly to the Chrome Store page there’s also the same Block / Force install feature that you can access from the action menu at the end of each entry.

What might not be so obvious is the fact that the data items themselves are selectable.

This action creates a pull-out from the right hand side that contains extended information including the rights granted to the extension and the extension ID:

This seems to be a new navigation type in the console that we might see in other locations in the future.

Saturday, 27 April 2019

Managed Chrome from the Cloud (p1)

A first look at the Chrome Cloud managed browser.

In a previous series of posts we looked at how you could manage Chrome and other Google products such as File Stream using Microsoft InTune in a school that has no servers.

At Next 19 Google announced a cloud managed browser capability which makes the whole process much simpler.  The two approaches are not mutually exclusive and using both together can bring dividends to the network admin.

In this post we’ll take a look at what the new managed browser feature brings to the table, show how the technology integrates with InTune and then follow up with a more in-depth look at the G Suite management console in a later post.

The introduction of a managed Chrome browser is a big event for the Google administrator.

Up until now the G Suite organizational structure could only contain two types of object, a user or a chromebook. Now it has a third - an instance of Chrome running on a Windows, MacOS or Linux platform. The Chrome browser has finally taken its rightful place as a fully managed object within the console.

In the past it was possible to manage Chrome on the desktop but it always involved a third party system such as Microsoft Active Directory, Managed Preferences on Mac or, as we have seen, an MDM like InTune.

This approach has two major weaknesses.

First, there isn’t a unified policy set for the Chrome browser. For organisations adopting Chromebooks the user environment is governed through the G Suite admin console while the Windows/MacOS Chrome desktop experience is controlled through an entirely different mechanism.

Second, there isn’t a single reporting console for Chrome. The G Suite admin console can access Chromebook information but it’s completely blind to Chrome browser metrics. Tasks like examining what extensions are installed or reporting on the versions of Chrome deployed across various platforms were simply not possible.

For schools this might be an irritation but for enterprise it can be a deal breaker so Google have solved the problem in a pretty elegant fashion. There are no licencing implications and the feature is free across all recent G Suite offerings. It’s also very easy to get started and there are only a couple of prerequisites.
  • The admin console must have the feature pushed out.  More than likely you already have the update. If your Chrome management tab reads User and browser instead of just User and you can see the new group icon shown above you’re good to go.
  • You must have Chrome V73 or later running on Windows, Mac and Linux computers. Android and iOS are not currently supported.

Preparing the Console.
Managed Chrome needs to be turned ON as it’s OFF by default. It’s important to realise that none of these actions will affect Chromebooks. User-level policies apply to Chrome devices even if Managed Chrome is turned off. Also you can turn this on at the root without any immediate effect as the browser has to be enrolled before anything happens.

Note: If you’d like to play around first, create an OU  called “Managed Browsers” and set it here.

From the G Suite admin console Home page, go to Device management and then Chrome management.  Click on User and browser settings.

Go to the Chrome Management for Signed-in Users section and change the setting to Apply all user policies when users sign into Chrome.

This policy is a little misleading. It should really read Chrome Management for Signed-in users and managed browsers. As we'll see, quite a few of the console policy descriptions need to be updated to reflect the new responsibility.

Preparing Desktop Chrome.
Just like Chromebooks, desktop browsers have to be enrolled into G Suite and to do that you need to create an enrollment key.

From the Admin console home page, go to Device management and select Managed Browsers.

At the bottom, click  +  to generate an enrollment token.

A couple of important points to note about the key.

It’s only useful at the point of enrollment and has no function after the event. Once the key is presented to the browser (we’ll come to that later) and the browser taken under management, the key can be deleted or updated without affecting devices already enrolled. In some respects it works like the joiners code in Google Classroom.

The generated key is specific to the OU level. Any browser enrolled with this key will be placed at the same point in the tree and take policy from that level. In this case the analogy would be the ‘follow the user’ feature for chromebook enrollment.

Note: If you are just testing at this stage create the key for the new “Managed Browser” OU and set your policies here.

A browser under management will display a new information tag at the base of the About dialog.

Managed Chrome Browser Policies.

For organisations running Chromebooks it’s worth noting that none of the policies under the Device section have any bearing on Managed Chrome. Device policies are strictly limited to Chromebooks, no red line has been crossed.  All policies relating to Managed Chrome are to be found in the User and browser section, hence the change of name.

So how does Managed Chrome differ from a simple synchronised Chrome user session ?

Put simply, once enrolled a user policy can be applied to the Chrome browser without the user having to authenticate with Google. The policies are set in the Chrome User and Browser OU that the browser object lives in.

If a user attempts to access a resource such as GMail they will be presented with a logon box in the normal way but at this point the browser is already under cloud user policy control so you’re able to define things such as valid logon domains - but not using the policy you might expect.
The domain filter for Chromebook authentication is set in the Device policy but as we know Device policies have nothing to do with managed browsers. Therefore the policy you need to set is User and Browser - Sign-in Within the Browser in the OU that the managed Chrome browser resides in.

Using the settings shown above the user will only be able to authenticate using a account, the value being controlled by a Google cloud policy and not local platform policy.

Note: Clearly the description of this policy isn’t entirely accurate and neither is the little light bulb which says the policy only applies to Chrome devices.  Some housekeeping is required on the console to bring everything into line.

Policy Precedence.
You now have three policy sets for the Chrome user experience. Using Google's own terminology they are:
  • Platform Policy - These are the old policies pushed out locally through GPO or MDM.
  • Cloud Policy - Managed Browser.  User and Browser set at the browser OU.
  • Cloud Policy - Authenticated User. User and Browser set at the user OU

So what happens if you set the same policy in all three areas - which one applies ?

The rule is (pretty) simple.

The Cloud Policy - Managed Browser policy will always apply except for two situations.
  1. A policy set at the Platform level will trump any Cloud Policy.
  2. Any policy explicitly set at the User level and not explicitly set at Managed Browser level will be applied.
In plain English what happens is this.

The browser takes the full user policy set from the Cloud Policy - Managed Browser OU with the understanding that any Local Platform Policies will overwrite individual settings.

When a user logs onto Chrome any policies that are locally applied on the user OU will override policies inherited at the Managed Browser level so long as they don’t clash with a Local Platform Policy which always wins out.

If a Cloud and Managed Browser policy is Locally applied in both areas the Managed Browser version is used. At no stage are list based policies merged.

You can clearly see the effect of the policy interactions if you run chrome://policy

First thing to note is the enrollment token is now shown as part of the machine policy. The only platform policy is the one that applies the Cloud Management Enrollment Key, all the others are set directly from the cloud from the User and browser policy of the OU that holds the browser object.

The only exception is one policy that has come down as part of the user sync process because it’s set as ‘Locally applied’ in the user OU but only ‘Inherited’ in the browser OU and so it has precedence.

Enrolling a Chrome browser.
As mentioned earlier enrolling a Chrome browser is very straightforward - you just need to present the enrollment key either as a platform policy or through the execution of a .reg file.

In our serverless school the platform policy will be delivered by InTune so let’s see how easy this is.

Note: If you need a refresher on using InTune to push policies to Chrome please refer to the earlier posts.

Managing Chrome on Windows is now reduced to the deployment of a single platform policy which tells Chrome to look to your Google organization for all other settings.

In this case the OMA-URI value is;


with the value set to ;

<enabled/> <data id="CloudManagementEnrollmentToken" value="1f5e6ab4-3ebe-4e0c-b959-86a3eeb4e0c"/>

Obviously you need to insert your own value for the Enrollment Token but after that you can manage Chrome from G Suite using the same policy set that controls Chromebooks.

Now you have Chrome on a Windows 10 desktop, fully managed from the cloud using a unified policy set within G Suite. Cool or what!

Next we’ll take a closer look at the features of the admin console that relate to managed browsers and see how the story gets even better for the serverless school.


Taking feedback from other early users (Kim Nilsson and Roger Nixon) I've checked back on the policy application logic and there's one point that needs clarifying.

As described the process does indeed 'loopback' on the user policy looking for the Locally Applied status but only if the policy for the User OU has

Chrome Management for Signed in Users set to Apply all user policies when users sign into Chrome.

This has to be set at the browser and user account OU.  If not you only ever see browser policies.
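
The rules from the Policy Precedence section, together with the clarification above, written out as a small resolver. This is an added example, not Google's code or part of the original post; the function names, source labels and sample values are constructed for illustration, and the Chrome policy names are used only as sample keys.

```python
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class CloudSetting:
    """One policy as shown in a G Suite OU: its value and whether it is
    'Locally applied' at that OU (True) or merely 'Inherited' (False)."""
    value: Any
    locally_applied: bool


def resolve(name, platform, browser_ou, user_ou=None,
            browser_applies_user_policies=True,
            user_applies_user_policies=True):
    """Return (value, source) for one policy, following the post's rules."""
    # Rule 1: a platform policy (GPO / MDM) trumps any cloud policy.
    if name in platform:
        return platform[name], "platform"

    browser = browser_ou.get(name)
    # The user OU is only consulted when someone is signed in AND both OUs
    # have "Apply all user policies when users sign into Chrome" set.
    loopback = (user_ou is not None and browser_applies_user_policies
                and user_applies_user_policies)
    user = user_ou.get(name) if loopback else None

    # Rule 2: 'Locally applied' on the user OU wins only if the browser OU
    # does not also set it explicitly. On a clash the browser version is
    # used, and list values are taken whole, never merged.
    browser_explicit = browser is not None and browser.locally_applied
    if user is not None and user.locally_applied and not browser_explicit:
        return user.value, "cloud-user"

    if browser is not None:
        return browser.value, "cloud-browser"
    # Not covered by the post (nothing at platform or browser level and
    # nothing explicit for the user): modelled here as unset.
    return None, None


def effective_policies(platform, browser_ou, user_ou=None, **flags):
    """Resolve every policy named in any of the three sources."""
    names = set(platform) | set(browser_ou) | set(user_ou or {})
    return {n: resolve(n, platform, browser_ou, user_ou, **flags)
            for n in sorted(names)}


# Constructed sample data; the values are placeholders, not real settings.
PLATFORM = {"CloudManagementEnrollmentToken": "<enrollment-token>"}
BROWSER_OU = {
    "HomepageLocation": CloudSetting("https://intranet.example", False),
    "RestrictSigninToPattern": CloudSetting(".*@school.example", True),
    "ExtensionInstallBlocklist": CloudSetting(["ext-id-a"], True),
}
USER_OU = {
    "HomepageLocation": CloudSetting("https://staff.example", True),
    "RestrictSigninToPattern": CloudSetting(".*@other.example", True),
    "ExtensionInstallBlocklist": CloudSetting(["ext-id-b"], True),
}

if __name__ == "__main__":
    for name, (value, source) in effective_policies(
            PLATFORM, BROWSER_OU, USER_OU).items():
        print(f"{name:32} {str(source):14} {value}")
```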
