DSC vs. GPO vs. SCCM vs. MDM

Microsoft Windows administrators now have a number of ways of managing their estates.

  • Group Policy (GPO)
    Allows very fine-grained control over every aspect of Windows. Primarily aimed at Windows desktops. Requires Active Directory (AD) and very careful configuration. Requires well trained specialist staff to get it right.
  • System Center Configuration Manager (SCCM)
    Allows central control over software delivery. Also requires AD. Configuration of delivery packages can be complex and very careful change control is required. Software delivery via SCCM can also be intrusive to users. Requires well trained specialist staff to get it right.
  • Desired State Configuration (DSC)
    Though extended by Microsoft this is actually part of a wider open standard “Open Management Infrastructure” and so applies to other platforms as well including Linux. Mainly aimed at server configurations. Falls into the DevOps camp as it defines server configurations in purely text format and so can be put under source control easily. DSC is typically dynamic and enforces the correct configuration (normally every 15 minutes) which greatly helps ensure secure configurations.
  • Mobile Device Management (MDM)
    Primarily aimed at mobile devices, this style of configuration is increasingly applicable to Windows Desktops with the advent of Windows 10. Microsoft InTune is leading the way with other MDM vendors following on. Not everything on the desktop can yet be controlled this way, even with W10, but many key settings and controls are already available. A much simpler method for enforcing desktop settings than the other methods, it needs fewer administrators and much less specialist knowledge.

The article from FoxDeploy covers the first three of those and lays out the purpose of each. Well worth a read.

What is missing is the 4th method, which uses Mobile Device Management tooling. The leading contender for this is Microsoft InTune. However, InTune is really only focussed on Windows 10 (desktop and mobile); it has limited control in other Operating Systems.

Servers only ever exist in a given state. If they deviate or we make changes, we refactor and redeploy. DSC drives it all and the machine will be up and running on a new OS, with data migrated in a matter of minutes.

For all practical purposes, the first true large scale management tool we had for Windows systems in the modern era was Group Policy, or GPO as it is commonly truncated.

Comparatively, SCCM and MDT allow us to import an image from a Windows install disk and then run dozens of individual steps which are customized based on the target machine's platform, model, office location and other factors. The sky is the limit.

Curated from DSC vs. GPO vs. SCCM, the case for each. – FoxDeploy.com

Why I Still Don’t Use Bing For Searching

Microsoft continue to reinvent themselves for the 21st Century but Bing lags behind compared to its competition.

Whilst Microsoft seem to continue to reinvent themselves for the 21st Century and are coming out with some excellent products and services that are far more reactive to the views of their customers, there is one product that still lags far behind the competition – at least if you are not in the USA.

The Bing search engine.

With my recent move to a Surface Pro 4 and various recent updates to Windows 10, I thought it a good idea to revisit using Edge as my default browser and to try to stick with Bing as the default search.

But I’m sorry Microsoft, it doesn’t work! Even when not logged in to Google, it consistently returns far more relevant answers as evidenced by the following search for the latest Raspberry Pi flavoured version of the Scratch programming environment “NuScratch”.

Search in Google vs Bing

Need to do better!

Mosquitto MQTT Server on a Raspberry Pi

To access an MQTT broker direct from the browser, you need websockets support. On a Raspberry Pi, this used to require a custom build from source. That is no longer required. You can now install direct from the mosquitto.org repository and add a simple config change. This article explains the details.

MQTT is a messaging protocol for the “Internet of Things” (IoT). It allows devices to communicate easily with minimal overheads. The Raspberry Pi of course makes an excellent low cost platform for managing IoT. Not only is it cheap to buy, it is also cheap to keep running.

To use MQTT, you need a “broker” which is simply a service running in the background. Mosquitto is one of the more popular brokers, partly because it is pretty small and therefore ideal for running on a Pi.

If you want to use MQTT from the browser however, you also need the broker to support something called “websockets” since browsers cannot directly talk using the MQTT protocol. In the past, Mosquitto didn’t have websockets compiled in by default and compiling your own version on a Pi is painful to say the least.

Thankfully, this is no longer a problem since the authors of Mosquitto now provide a repository containing ARM versions which work fine on the Pi. See mosquitto.org for the details.

Once installed from the repository, you will need to add a suitable configuration since websockets are not part of the default configuration.

To turn it on, you should add a new file to /etc/mosquitto/conf.d/ containing something like:

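# See: http://mm011106.github.io/reference/mosquitto_conf.html

# Standard Listener
listener 1883
protocol mqtt
# Unless per_listener_settings is true, the next two options are global,
# so they also apply to the websockets listener below.
allow_anonymous false
password_file /etc/mosquitto/passwords.txt

# Websockets Listener
listener 9001
# http_dir is optional and needs a directory argument; it is left unset here.
# Set the protocol to accept for this listener. Can be mqtt (the default), or websockets.
protocol websockets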

Note that you can create more than one listener of the same type. You might, for example, want to create another listener that is restricted to a subset of topics so that you can allow access to that over the Internet. Perhaps you would restrict it to listing only sensor data but not control messages for your home automation project for example.
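
The restricted listener described above could look like this (an added example, not from the original post; port 8083, the file names and paths, and the sensors/ topic prefix are all assumptions):

```conf
# --- /etc/mosquitto/conf.d/listeners.conf (file name is an assumption) ---
# Added example: paths, port 8083 and topic names are assumptions.

# Apply authentication and ACL options per listener rather than broker-wide.
per_listener_settings true

# Internal MQTT listener
listener 1883
protocol mqtt
allow_anonymous false
password_file /etc/mosquitto/passwords.txt

# Internal websockets listener
listener 9001
protocol websockets
allow_anonymous false
password_file /etc/mosquitto/passwords.txt

# Internet-facing websockets listener, limited to sensor data.
# It has its own accounts, so internal credentials are not valid here.
listener 8083
protocol websockets
allow_anonymous false
password_file /etc/mosquitto/passwords_public.txt
acl_file /etc/mosquitto/acl_public.txt
# TLS, so passwords are not sent in clear text over the Internet
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

# --- /etc/mosquitto/acl_public.txt (separate file) ---
# With an acl_file set, any topic not granted here is denied.
# Read-only access to sensor topics; no write access, nothing outside sensors/.
pattern read sensors/#
```

Because per_listener_settings is true, each listener must carry its own allow_anonymous and password_file lines; the ACL file applies only to the listener that names it.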

Once you have enabled websockets access to Mosquitto, you can do some interesting things directly from web pages. Get hold of MQTT.js for the browser and you can both listen to and send messages from/to the broker. Combining it with a framework such as React allows you, with only a few lines of code, to display all the messages that arrive at your broker.

 

A simple mail filer for Microsoft Outlook (VBA)

Like many people I receive an unmanageable amount of email each day. Many days I get through only around 1/3 of the email I receive.

However, the role I am in professionally requires me to retain a large proportion of correspondence. Some because it relates to ongoing projects, others because of security, audit or compliance reasons.

In addition, I work across many projects. It isn’t unusual for me to be involved in two dozen projects at any one time on top of my day-to-day management work.

So I have many folders – hundreds in fact – and filing email into the right folder has become a real drag. It can take an appreciable amount of time to hunt down the correct folder and Outlook does not provide any way to search/filter folder names in the UI.

Thankfully, I have access to VBA in Outlook. While the experience of using VBA macros to control Outlook is rarely pleasant, it does get the job done – mainly.

My requirements for the utility were as follows:

  • Must let me select multiple emails; if any have already been filed, show me the folder(s) so I can quickly file new email to the same folder as the rest of the conversation.
  • Must give me a list of all my folders with a simple way of filtering the list by typing a few letters.
  • Must also let me open a folder for viewing instead of filing or cancelling.

A couple of hours later, I was able to create a new utility. This has been published to Github and you can find it at:

https://github.com/TotallyInformation/outlook-filer

No Code Business Solutions in Microsoft SharePoint

Resources to show you how to create code-free business solutions in Microsoft SharePoint

It used to be that you had to be an expert Microsoft developer to create business solutions in Microsoft SharePoint but that is no longer true.

There are many ways for users and power users to create incredible solutions with no coding at all.

Here are two resources that show you how:

Home Automation Hub using Node-Red

The Internet of Things (IoT) comes alive with the help of Node-Red, a Flow-Based Programming (FBP) tool designed to help link together sensors, switches, logic and displays. With hardware magic from Arduinos, Raspberry Pis, low cost sensors and wireless switches, we can easily build a bespoke home automation and monitoring hub.

Having got into some electronics with my son over the last couple of years, I’ve found a new enthusiasm for doing some home automation and monitoring. In the process, I have joined a much overhyped band of people creating the so-called “Internet of Things” (IoT).

Between Arduinos and Raspberry Pis, some simple low cost sensors and a fair bit of patience, it is amazing what can be achieved.

One of the big tasks though is trying to link everything together. Generally, this involves either using a big pre-built tool such as the popular Domoticz or programming your own monitoring and control hub from the bottom up. Personally, I find the former approach too restrictive with the packages rarely doing what I need so that I am always fighting with them. But I find the latter approach too time consuming to ever get very far.

Thankfully, some great folks at IBM have come to the rescue by creating a tool called “Node-Red“. This uses an approach called “Flow-Based Programming” (FBP). Indeed, FBP was invented at IBM in the 1970’s so it seems only logical that the IBM Emerging Technology team should carry on the good work.

Flow-based programming uses diagrams to connect together small functions, in this case referred to as “nodes”. Rather like putting together a flowchart. Node-Red is aimed at people creating connections between IoT things such as sensors and switches so it is ideal for what I wanted. Even better is that it is based on my chosen programming and automation tool, Node.JS which runs everywhere, is lightweight, fast, flexible and powerful. Node.JS uses Javascript as its programming language and so I only need to learn 1 language to programme for both the server (the back-end) and the client (browser, the front-end or user interface).

Why not give Node-Red a try? It is getting more and more attention with lots of new node types being contributed by the community. There is a site for reviewing new nodes and examples at flows.nodered.org. There is a Slack site and a lively Google news group. There is also some good documentation at the docs site.

You may also find Node-Red useful for a lot more than just IoT as it makes it easy to work through computing tasks, reducing coding to a minimum.

Cloudflare Now Active

After the recent high-profile vulnerabilities, I decided to turn on the free version of CloudFlare for this domain.

CloudFlare provides a reverse proxy service that sits in front of your domain. It will serve content where it can on your behalf (caching) and optimise content where it can (e.g. minimising JavaScript, HTML, CSS, etc.). But even more important from my perspective is their ability to protect against a number of vulnerabilities.

The most obvious protection – because this is where CloudFlare started – is DDOS protection. DDOS is a way of throwing very large numbers of requests at your domain, preventing legitimate access. But CloudFlare also now provide protection against other threats and it is interesting to look at the dashboard and see a bunch of threats being filtered out every few days.

A recent add-on, especially to the free service, is the ability for CloudFlare to provide SSL security for free. This means that your whole site can present as HTTPS (encrypted HTTP) & you can even enforce this so that visitors cannot connect without encryption. This is easily done without the hassle normally associated with creating and maintaining SSL security.

Kudos to CloudFlare for providing this excellent service and for providing a useful free version. I’m happy to recommend it to everyone who runs a web site or service.

Outlook 2013 URL Protocol Handler

Outlook has a custom URL protocol that allows interaction with different elements such as folders, mail and calendar items and contacts. Since Outlook 2007, this has been restricted for use only within Outlook itself but there are some tremendous opportunities for use from simple web systems. This post explains how to turn it on, even for Outlook 2013 (Office 365 version). It also gives pointers to other articles on how to use the protocol.

One of the nice features about older versions of Microsoft Outlook was that it had a set of URL Protocol Handlers (like outlook:inbox) defined that could be used system wide to trigger actions in Outlook such as opening a folder, creating or editing an item.

Unfortunately, along the way, these got gradually toned down so that they only worked from within Outlook itself.

This can still be useful. I’m not sure how many people realise that you can create “folders” in your Outlook mailbox. Choose Properties .../Home Page and set a URL – maybe your blog or Intranet. Now when you click on the folder, you will see the web page instead of a set of mail items or whatever.

When using this feature to do some more clever stuff such as creating To Do lists from incoming mail, you might choose to use a dynamic web system to handle the list. CouchDB or Node.JS are lightweight web systems that come to mind.

Then you might find yourself wishing that you could create links in your To Do system back to the original email in Outlook. Well you can! Sort of.

It turns out that, although the external use of the Outlook: protocol hasn’t been available since Outlook 2003, it can still be turned on, even in Outlook 2013. There is a useful article on the TeamScope web site that shows you how to turn on the outlook: protocol system-wide.

One minor wrinkle though if you use Office from an Office 365 subscription – the location for Microsoft Office applications is different! You will find them at: C:\Program Files\Microsoft Office 15\root\office15.

Here then is the registry code that you need to enable the protocol:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\outlook]
"URL Protocol"=""
@="URL:Outlook Folders"

[HKEY_CLASSES_ROOT\outlook\DefaultIcon]
@="\"C:\\Program Files\\Microsoft Office 15\\root\\office15\\OUTLOOK.EXE\""

[HKEY_CLASSES_ROOT\outlook\shell]
@="open"

[HKEY_CLASSES_ROOT\outlook\shell\open]
@=""

[HKEY_CLASSES_ROOT\outlook\shell\open\command]
@="\"C:\\Program Files\\Microsoft Office 15\\root\\office15\\OUTLOOK.EXE\" /select \"%1\""

Simply save this into a .reg file and open it to install the changes.

Now you can use the outlook: protocol anywhere on the system, great for dynamic web systems.

One minor word of warning though – there are dangers! Don’t open links unless you know what they are, where they go and what they do!

To find out how to use the Outlook protocol handler, try one of the following articles:

One final note. I’m now looking to create some tools that link between Outlook and CouchDB. CouchDB provides a very lightweight NOSQL database that uses JSON and JavaScript to great effect. I’m already using it to track statistics on incoming/outgoing emails, linking the web interface back to Outlook via the home page method mentioned at the start. I’m going to have a go at creating a task monitor too if I get the time. I am currently reading only around a quarter of the emails in my work inbox and I really need some tools to improve the situation. Food for some more blog posts hopefully.

New Laptop: Lenovo ThinkPad Yoga

I have the pleasure of trying a new laptop right now as we consider them for work.

The Lenovo ThinkPad Yoga.

We have this configured with an Intel i5, 8GB RAM, 1TB HDD with 16GB SSD speed boost, the touch & pen screen.

It is a nice laptop with a screen that folds right over so you can use it as a slightly chunky tablet, the keyboard locks in this mode so you don’t accidentally press keys.

It is great to finally be able to afford a laptop with a proper, pressure sensitive pen interface, it is a joy to use with tools such as Microsoft OneNote.

The touch pad is also the best I’ve ever used. The pad itself is a proper mechanical button and once used, you will never want to go back to a trackpad that doesn’t provide such positive feedback and natural feel.

We have Windows 8.1 Pro on it and the usual ups and downs of that operating system apply. Personally, I find W8.1 less reliable than Windows 7 but I suspect that it comes down to the software you use. I can say categorically that the “Modern UI” apps are a disaster. In particular they do not fully close when you think you’ve closed them (check in the Task Manager) and I’ve often noticed a significant slow-down after having started and “closed” several Modern UI apps.

The laptop is certainly nice to use overall, it isn’t too heavy and can be used on one arm for 5-15 minutes without discomfort, longer than that becomes noticeable though. So not a complete tablet replacement. Great when sat however with it perched on a knee or supported with a table. No more scrappy paper notes for me! It is OneNote all the way.

The Good

  • Pen and touch with Windows 8.1 and Microsoft Office, a great combination.
  • Fairly thin considering the features available.
  • The fold-over screen is easy and natural to use.

The Indifferent

  • The Windows architecture doesn’t handle very high resolution screens well. I blame this on the development tools and Windows graphical UI libraries mainly. Too many applications do not correctly scale.
  • Only 2 USB ports. About average for a thin laptop but very limiting when there are so many devices needing USB.
  • After many years, Lenovo have finally changed their power connectors. Annoying though necessary, all those spare power supplies scattered around aren’t so useful now. Fortunately, you can buy a converter cable if you want to.
  • Some windows behave oddly, changing font sizes drastically for no apparent reason. Not sure if this is Windows or something to do with the laptop.

The Bad

  • The power button is in the wrong place, it gets clicked by mistake too often. It is on the right hand side of the base at the front. Right next to the volume buttons.
  • No drive LED indicator – really?! When using a PC this is essential if you want to know whether a pause in response is due to disk activity or something more serious.
  • Mini-HDMI interface. This is not good for a business laptop, we already have full and mini Display Link adaptors and now we need to have HDMI as well.
  • No native LAN interface. You have to give up one of the 2 USB ports and to get a USB-to-LAN cable if you want a wired connection. Again poor for a business laptop.
  • The usual pointless spamware is pre-installed. However, Lenovo are better than most, not installing too much and their own wares do seem to actually serve a purpose mainly (I probably kept 1/2 of their own tools and removed everything else). Driver and software updates seem regular.
  • Windows 8.1 Modern UI apps continue to be a very uncertain proposition with poor quality being rife and even the better quality apps seeming to regularly result in ongoing reduced performance on the PC. (Not Lenovo’s fault of course).

Conclusion

A worthy, flexible tool if you need or want both touch and pen interfaces. If not, save some money and go for a Lenovo X240. Possibly the most affordable convertible with pen and touch, at last such devices are in reach of mortals!