Saturday 12 August 2017

Going serverless with Microsoft

Over the last few months Microsoft have been developing a blueprint for a fully serverless cloud architecture based on Office 365 and Intune for Education.

The individual elements for a serverless school have existed for some time but we now have a Microsoft strategy document that brings all the pieces together with a clear technical direction.


The document is updated regularly so there’s little to be gained from summarising it, other than to note it includes the two core elements mentioned above plus School Data Sync, OneNote, Whiteboard and Teams while avoiding any mention of local servers, Active Directory and the System Center Configuration Manager (SCCM) management suite.

Sounds great, but how practical would it be to migrate to this model today?


First, it’s clear that the Microsoft vision of a serverless school requires Windows 10 clients in order to link into the security and management features of the Azure cloud based directory.

Therefore Step 1 is to migrate all clients to Windows 10 and when that’s done you can move on to Step 2. A full client upgrade program would be a good sized step for Neil Armstrong, never mind a school with a mixed set of legacy hardware, but currently it’s a prerequisite for a Microsoft cloud solution.

However, let's assume we’re already at Step 2. What other obstacles do we face?

The first is the same stumbling block that challenges other initiatives in this area: how to support locally installed Windows applications?

In this instance Redmond's approach has an advantage since we have a fully featured Microsoft operating system and the ability to deploy and maintain applications using Intune.

Things become less clear when we consider how well this model applies to shared devices in a teaching environment. If the toolset is fairly static across the user base it might be practical but if you have applications required for specific classes, students moving between computers and large installation packages being pulled across an internet connection, it could get messy quite quickly.

Strangely there is no mention of Windows 10 S in the document. This is the Windows OS which works exclusively with apps from the Windows Store and is aimed directly at educational deployments. This might be because the post is focused on a migration scenario but I would still expect a mention, if only to position Windows 10 S within the overall strategy.

Perhaps the idea is not to present too many disruptive concepts all at once.

A school that has moved to Azure AD automatically gains access to Microsoft's ecosystem of Single Sign On (SSO) web applications. While this is mainly focused on the workplace the directory already contains over one hundred web resources marked for education including well known names such as Khan Academy, Discovery Education, My Homework, Edmodo and ClassDojo.

Once a school starts to take advantage of the rapidly evolving pool of SaaS applications with built-in SSO the deployment issue disappears and Windows 10 S becomes a good news story for everyone, with perhaps the exception of software houses still shipping an .msi file on an annual release cycle.

Locally installed applications of any type do not work well in shared device deployments that require a degree of differentiation. Until 1:1 rollouts are commonplace, SaaS will win out every time and a cloud based directory with integrated SSO can only accelerate this process, unless of course your students are really looking forward to next year's release of SameOldProg V8.

It’s also worth examining how the integration with the Azure directory will be managed.

Third party software such as classroom control, content filtering, payment schemes and print management need to read data from the user directory. In the future this will be in the cloud and not on a local domain controller. All this is fine except that Azure AD does not support LDAP or Kerberos, the two access methods that every management tool sold to education in the last twenty years expects to use.
Azure AD has its own convention (Microsoft Graph API) which is better suited to modern internet protocols than either LDAP or Kerberos.
Therefore vendors of firewalls and content filters will need to embed support for this new directory source before schools can consider moving to the cloud.
In a completely unscientific survey I recorded the Lightspeed content filter as capable of working with an Azure directory. If you know of any others please let me know and I’ll compile a list.
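
As an added example (not from the strategy document or any vendor's product), this is roughly what a content filter's group lookup looks like once it reads Microsoft Graph's `memberOf` collection rather than an LDAP `memberOf` attribute. The group IDs, policy names, `school.example` users and the `fetch` stand-in for an authenticated HTTPS GET are all constructed for illustration.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
STAFF_GID = "00000000-0000-0000-0000-00000000000a"    # constructed object IDs
PUPILS_GID = "00000000-0000-0000-0000-00000000000b"
# Hypothetical policy table, most permissive first. Keyed on object ID because
# Azure AD group display names are not guaranteed to be unique.
POLICY_BY_GROUP = [(STAFF_GID, "staff"), (PUPILS_GID, "pupil")]
DEFAULT_POLICY = "restricted"   # fail closed when the directory gives no answer

def member_of_url(upn):
    return f"{GRAPH}/users/{quote(upn, safe='@')}/memberOf"

def group_ids(url, fetch):
    """Collect group IDs across all pages, following @odata.nextLink."""
    ids, seen = set(), set()
    while url:
        if url in seen:
            raise ValueError("paging loop")
        seen.add(url)
        page = fetch(url)
        for obj in page["value"]:
            # memberOf also returns directory roles; only groups drive policy.
            if obj.get("@odata.type") == "#microsoft.graph.group":
                ids.add(obj["id"].lower())
        url = page.get("@odata.nextLink")
    return ids

def resolve_policy(upn, fetch):
    try:
        ids = group_ids(member_of_url(upn), fetch)
    except (KeyError, ValueError, OSError):
        return DEFAULT_POLICY
    return next((p for gid, p in POLICY_BY_GROUP if gid in ids), DEFAULT_POLICY)

# Constructed responses standing in for authenticated HTTPS GETs to Graph.
_T = member_of_url("teacher@school.example")
_P = member_of_url("pupil@school.example")
PAGES = {
    _T: {"value": [{"@odata.type": "#microsoft.graph.directoryRole", "id": "r1"}],
         "@odata.nextLink": _T + "?$skiptoken=constructed"},
    _T + "?$skiptoken=constructed": {"value": [
        {"@odata.type": "#microsoft.graph.group", "id": STAFF_GID.upper()},
        {"@odata.type": "#microsoft.graph.group", "id": PUPILS_GID}]},
    _P: {"value": [{"@odata.type": "#microsoft.graph.group", "id": PUPILS_GID}]},
}

def fetch(url):
    return PAGES[url]   # KeyError models an unknown user or failed lookup
```

The teacher's staff group only appears on the second page, so a tool that stops at the first response would hand that user the restricted default.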

Wireless might also have a problem with a Microsoft serverless school. A common security method uses the RADIUS protocol to query group and user information and in the past this was normally provided by a local Windows server that accessed information from a domain controller.

The problem is, not only are we a server short, we don’t have a domain controller either!

Anybody know of any vendor initiatives in this area?



Microsoft and Google are going head to head for this market and now both vendors are essentially proposing the same serverless approach, which will only drive innovation at an even faster rate.

In the short term Microsoft has the advantage because they are the incumbents in this space and now have an offering which appears to match Google GSuite for Education in certain areas.


However these are early days and few would describe the Microsoft strategy as a fully defined offering. A number of roadblocks remain but over the next few months we should expect new features to emerge at a rapid rate to fill the gaps. Overall the outlook is pretty exciting and whatever your technical point of view, schools will benefit massively from the one-upmanship as the two tech giants slug it out.

The real challenge is convincing education to assess the alternatives with an open mind and then invest some time in constructing a development plan that will take advantage of this unique opportunity to get things right.
