Certification Guides

AppSense Blueprint Day 1 – Introduction and features of AppSense DesktopNow Management Suite

“Understand the various components of the AppSense Management Suite, as well as key features of each”

Welcome to the beginning!

What is DesktopNow? DesktopNow is an application suite that provides end-user and VDI solutions for some of the trickiest problems, such as profile management, desktop rights (no more user administrators!), and software licensing control (for example, Microsoft Office). It's used in VMware Horizon View, Citrix XenApp/XenDesktop, and Microsoft RDS environments; it's agent-based and managed centrally.

The DesktopNow suite is made up of (Right off the AppSense website):

AppSense Environment Manager

Set up, configure, personalize, control, lock-down and self-heal users on any desktop.

  • Centralized user management
  • Set up, personalize, lock down, and self-heal desktops
  • Cross-platform personalization
  • Context & location based controls

AppSense Application Manager

Control application access entitlement, eliminate the need for full Local Administrator accounts, manage URL and network access, and reduce per device application license requirements.

  • Privilege management
  • Application control
  • Software licensing enforcement
  • Compliance and governance

AppSense Performance Manager

Dynamically control and allocate CPU, memory and disk resource to improve quality of service, increase user density and reduce hardware requirements.

  • Granular system resource entitlement
  • Improve user experience and response times
  • Enable server consolidation and reduce costs
  • Control run-away or rogue processes

AppSense Management Center

AppSense Management Center is part of the AppSense DesktopNow suite of products. It is the framework that enables AppSense user virtualization technologies to be deployed and scaled rapidly throughout the enterprise.

  • Manage multiple configurations
  • Deploy agents and patches
  • Monitor Client health and Manage Alerting

Appsense APP-101

Hey all!

I’m going to begin walking through the AppSense Certified Professional (APP-101) exam. This is a Pearson-Vue proctored exam and I don’t see much on the internet for a walkthrough or the test experience. I’m an End User Computing professional by trade, and I want to dig deeper into the stuff AppSense has come out with to resolve user environment issues.

This test covers their DesktopNow application suite.

Here is their official blueprint – as the days go on, this table will be hyperlinked with information:

| Topic area | Required skill | % |
| --- | --- | --- |
| Understanding AppSense functionality | | 5 |
| Installing AppSense Suite components | | 10 |
| Configure components | IIS configuration; SQL account requirements; How to connect to the management server; Create deployment groups; Install the CCA on managed computers | 5 |
| AppSense Management Center | Install packages; Administer package delivery; Install and configure failover servers | 15 |
| AppSense Environment Manager | Show understanding of personalization profile roll-back and archive; Use self-healing functionality to ensure critical files, service, and registry keys remain unchanged; Implement application lockdown to remove unwanted functionality such as menu items and other components from the user interface | 30 |
| AppSense Application Manager | ANAC functionality; Trusted Ownership requirements; Using digital signatures to secure access; Creating custom rules; Automatically block unauthorized applications without the need for administrative intensive listing techniques; Configure application access based on user, group, and client rules; Track and audit user activity, including automatic archiving of unauthorized applications | 15 |
| AppSense Performance Manager | Default configuration; Ensure quality of service is maintained by applying CPU and memory control to preserve system resources; Ensure that server freezes are eliminated by tuning system resources; Implement a memory optimization schedule to reduce rebasing and excessive RAM usage; Understand application and system state control to provide granular control of system resources | 15 |
| Monitor events and alerts | Set up alert rules; Monitoring events and interpreting error codes | 5 |

MICROSOFT 70-412: OBJECTIVE 2.2.3 – Perform access-denied remediation

If a user doesn’t have access to a network resource, a file server has not historically given the most user-friendly response: an Access Denied message and an OK button. OK? No, this is not okay for the user and we can do better.

One of the improvements in Server 2012 is Access-Denied Assistance. When a user tries to access a resource that they don’t have access to, they can receive a custom message that can explain WHY they don’t have access as well as who to contact for further help, or even a Request Assistance button to save the user from typing out an email.

This can be configured individually using File Server Resource Manager or centrally using Group Policy.

Setting Access-Denied Assistance with File Server Resource Manager

  1. Open up File Server Resource Manager, right-click on local (or connect to another server first) and select Configure Options.
  2. On the dialog that opens, select the Access-Denied Assistance tab on top.
  3. Check the box next to Enable access-denied assistance
  4. If desired, you can configure email requests by selecting the button toward the top.
  5. Notice the item Generate an event log entry for each email sent. This is checked by default, and we can use it to look for (and remediate) access issues.
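
The same per-server settings can be applied from PowerShell. This is an added example, not part of the original walkthrough; it assumes the FileServerResourceManager module is available on the file server, and the message text is constructed for illustration.

```powershell
# Added example. Run on the file server; requires the FSRM role service.
Import-Module FileServerResourceManager

# Message shown to the user (constructed sample text).
# The bracketed macros are expanded by the server when the message is shown.
$message = @'
You do not have permission to open [Original File Path].
Access to [Original File Path Folder] is managed by the data owner.
Use Request Assistance to ask for access.
'@

# Enable assistance for access-denied events, allow email requests,
# and log one event per request so denied access can be reviewed later.
Set-FsrmAdrSetting -Event AccessDenied -Enabled `
    -DisplayMessage $message -AllowRequests `
    -MailToOwner -MailCCAdmin -EventLog

# Read the settings back and fail loudly if the audit trail is not on.
$adr = Get-FsrmAdrSetting -Event AccessDenied
$adr | Format-List Event, Enabled, AllowRequests, MailToOwner, MailCCAdmin, EventLog
if (-not ($adr.Enabled -and $adr.EventLog)) {
    throw 'Access-denied assistance or its event logging is not enabled.'
}
```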

Setting up Access-Denied Assistance using Group Policy

  1. Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.
  2. Right-click the appropriate Group Policy, and then click Edit.
  3. Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.
  4. Right-click Customize message for Access Denied errors, and then click Edit.
  5. Select the Enabled option.
  6. Configure the following options:
    1. In the Display the following message to users who are denied access box, type a message that users will see when they are denied access to a file or folder.

      You can add variables to insert customized text:

      • [Original File Path] The original file path that was accessed by the user.
      • [Original File Path Folder] The parent folder of the original file path that was accessed by the user.
      • [Admin Email] The administrator email recipient list.
      • [Data Owner Email] The data owner email recipient list.
    2. Select the Enable users to request assistance check box.

MICROSOFT 70-412: OBJECTIVE 2.2.2 – Implement Policy Changes and Staging

This section is a bit confusing, mostly because I don’t see the exact phrasing used in relation to Dynamic Access Control. So:

Not too sure what is being asked here. The only relevant thing I could find on TechNet was the below:
You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under Advanced Audit Policy Configuration in the Security Settings of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network.

If you have any idea what’s being asked here, please let us all know in the comments!

MICROSOFT 70-412: OBJECTIVE 2.2.1 – Configure user and device claim types

A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. These are very often attributes that you find if you open the properties of an object in Active Directory – things like a user’s title, department or location are claims that you can define, so is the department classification of a file, or the health state of a computer. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:

  • User claims: Active Directory attributes that are associated with a specific user.
  • Device claims: Active Directory attributes that are associated with a specific computer object.
  • Resource attributes: Global resource properties that are marked for use in authorization decisions and published in Active Directory.

Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.

Creating a Claim:

  1. Open up the Active Directory Administrative Center. Select Dynamic Access Control from the list on the left.
  2. Right-click on Claim Types and select New.
  3. Select the attribute you want to use for the claim. If we keep the example used when I introduced Dynamic Access Controls, we should create a claim based on the department the user works in: Finance.
  4. To keep with the scenario, I’m going to add a claim for office location (Office) and the AD VDI container.
  5. ???
  6. Profit!

You would create claims to meet the business objectives for securing data. The actual attributes that you use to achieve that goal will likely be very different from what I’m using in this scenario, but I hope I’m showing you the power and flexibility afforded by setting up claims.

PowerShell:
The relevant PowerShell cmdlets for setting, reading, creating, and deleting claims all use the ADClaimType noun:
Set-ADClaimType, Get-ADClaimType, New-ADClaimType, Remove-ADClaimType
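
A scripted version of the claim creation steps above, as an added example that is not from the original post. The display names and source attributes are assumptions chosen to match the Payroll scenario: `physicalDeliveryOfficeName` backs the Office field, and the computer `location` attribute stands in for the device-location condition. The "AD VDI container" claim is not reproduced because the post does not name its attribute.

```powershell
# Added example. Requires the ActiveDirectory module and rights to manage claim types.
Import-Module ActiveDirectory

# Suggested value so rule authors pick "Finance" from a list instead of typing it.
$entryType = 'Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry'
$finance = New-Object $entryType -ArgumentList 'Finance', 'Finance', 'Finance department staff'

# Claim definitions for the scenario (attribute choices are assumptions).
$claimTypes = @(
    @{ DisplayName = 'Department'; SourceAttribute = 'department';
       AppliesToClasses = 'user'; SuggestedValues = $finance },
    @{ DisplayName = 'Office'; SourceAttribute = 'physicalDeliveryOfficeName';
       AppliesToClasses = 'user' },
    @{ DisplayName = 'Device Location'; SourceAttribute = 'location';
       AppliesToClasses = 'computer' }
)

foreach ($c in $claimTypes) {
    $name = $c.DisplayName
    # Skip claim types that already exist so the script can be re-run safely.
    if (Get-ADClaimType -Filter "DisplayName -eq '$name'") {
        Write-Host "Claim type '$name' already exists, skipping."
        continue
    }
    New-ADClaimType @c
}

# Read back what the domain now publishes, including the generated claim IDs.
Get-ADClaimType -Filter * |
    Select-Object DisplayName, ID, SourceAttribute, AppliesToClasses, Enabled |
    Format-Table -AutoSize
```

Restricting a claim to suggested values and limiting `AppliesToClasses` keeps access rules from matching on free-text or on the wrong object class.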

MICROSOFT 70-412: OBJECTIVE 2.2 – Dynamic Access Controls

Dynamic Access Control is the story of file access rules (called... access rules, believe it or not) based on user and device criteria (called claims).

These rules function as logical if-then statements built on the attributes of files, users, and devices. An example:
“IF a user is an employee in the finance department AND has an office at the main campus AND is connecting from a device that is located on the main campus, then s/he can access the Payroll directory”

In order to lock down access with DAC in the above scenario, the administrator will need to set up claims for each of the objects, and a corresponding access rule on the Payroll folder.
Sub-Objectives:

1) Configure user and device claim types
2) Implement policy changes and staging
3) Perform access-denied remediation
4) Configure file classification
5) Create and configure Central Access rules and policies
6) Create and configure resource properties and lists

Microsoft 70-412: Objective 2.1 – Configure Advanced File Services

Hey everyone! I’m just getting over a few days of being pretty sick, so I apologize for the delay in getting the next post of the series out to you. The content in this post was pretty deep, so it was a good post to get back in the swing of things!

Table Of Contents

1) Configure Network File System (NFS) data store
2) Configure BranchCache
3) Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)
4) Configure file access auditing


Microsoft 70-412: Objective 1.4 – Manage Virtual Machine Movement

Hooray, the last post in section 1! I hope this series is helping you study as much as it is for me!
This post deals with Objective 1.4, which handles some common Virtual machine operations:

Table of Contents:
Perform live migration
Perform quick migration
Perform storage migration
Import, Export, and Copy VMs
Configure VM network health protection
Configure drain on shutdown


MICROSOFT 70-412: OBJECTIVE 1.3 Manage Failover Clustering Roles

MCSA 70-412: 1.3 Configure Failover Clustering

It’s Friday, and there isn’t a terribly large amount of content for this portion of Failover Clusters. This post may be the smallest of the series, but time will tell!

 

Table of Contents:
1) Configure role-specific settings, including continuously available shares
2) Configure virtual machine (VM) monitoring
3) Configure failover and preference settings
4) Configure guest clustering


Microsoft 70-412: Objective 1.2 Configure Failover Clustering

MCSA 70-412: 1.2 Configure Failover Clustering

A failover cluster is a group of independent servers that run a highly available service or application (called a clustered role). If one or more nodes fail, the other nodes begin to provide the services in their place. There is service reliability as well: if a cluster role becomes unresponsive for any reason, it can be restarted or brought up on another node.

Unlike the Network Load Balancer feature, a Windows Failover Cluster is designed to provide true high availability to mission critical applications. There are important differences between NLB clusters and failover clusters; where nodes in an NLB are all running the same application and load balancing between them, a Windows failover cluster has only one server running the role with the remaining cluster members waiting to take over if needed.

Additionally, failover clusters introduce shared storage amongst the cluster nodes, which is ideal for application and data consistency. Although not limited to these roles, you will traditionally find Windows failover clusters protecting database servers, mail servers and file servers.

Looking over the Exam objectives, I’m somewhat surprised that the exam (allegedly) doesn’t include the initial set up of a Failover Cluster. I’m including a full walkthrough as an addendum.

Table of Contents

1. Configure quorum
2. Configure cluster networking
3. Configure cluster storage
4. Configure storage spaces
5. Configure and optimize clustered shared volumes
6. Implement Cluster-Aware Updating
7. Configure clusters without network names
8. Upgrade a cluster
9. Restore single node or cluster configuration

Addendum: Full installation
Addendum: Powershell cmdlets for Failover Clusters
