It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,969
Surface Pro 3 in the Enterprise
For you geeks..
I am working at a client's and they (and I) are evaluating Surface Pro 3s as a tablet/laptop replacement option. I suggested they treat it as a laptop as it relates to joining the domain and patching it, yet the old-school thinking they are caught up in is to lock it down like a laptop/desktop. I am trying hard to convince them they need to start thinking outside the box and enable the mobility of it by not restricting the capability.
Seems to be a tough sell. Right now they want to create a "gold image" for provisioning, and again I suggested not to; several reasons, but the main one being the lifecycle difference between a traditional device and the newer mobile technologies like the Surface - I don't think they could keep up the cadence. The GPO(s) are currently killing me as well, as I can't do certain things with it.
Wanted to get some input if any of you have gone through a similar situation.
Thanks in advance,
Bob James
__________________
Bob James 06 Cayman S - Money Penny 18 Macan GTS Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
The Unsettler
It sounds like you are dealing with possibly non-technical decision makers or tight ass type A engineer types.
You are correct in your position that a device of that nature is better utilized when not crippled. Figure out the $ argument. Tell them you can save them 100% of the dollars that they have not yet expended. When they ask how, recommend they kill the initiative altogether, since the result of not doing it and doing it the way they want will have the exact same end result.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won"
Registered
We have Surface Pro 3s in our enterprise. We manage about 20k computers and have a dozen or so Surface Pro 3s. We treat them as laptops. In fact, it presents itself as a laptop in WMI. We have a single golden image to support all 26 models of systems in our environment, including the Surfaces. We're using SCCM 2012. If you post more details about your problem I might be able to lend a hand. How are they trying to lock it down and what GPO are you having trouble with?
Registered
I've deployed a handful. Also treated them like laptops and joined to the domain getting the same GPOs as laptops. No real hard-core lockdown policies in my case though.
To me, the advantage of the Surface is that it IS a real laptop. It has the full functionality to run all the same applications, use your AD accounts, AD integrated apps, etc. If you don't treat it like a laptop you lose the functionality that allows it to be a laptop replacement.
Driver, not Mechanic
Join Date: May 2013
Location: SF Bay Area
Posts: 2,998
BYOD is the way to go...
Slippery Slope Victim
Join Date: Oct 2001
Location: Brooklyn, NY USA
Posts: 4,379
We use them for our field supers and foremen. The ease of use for Windows applications, Outlook and Excel primarily. The fact that they can go through a hole in our firewall to access the server from a jobsite for plans and submittal data easily is a huge plus for productivity. Mind you that these are not tech-savvy guys that I am talking about.
__________________
MikeČ 1985 M491
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,969
Thanks guys, met with Microsoft today and got some good feedback re the GPOs. One challenge we have is if you disable Windows updates this also causes grief with Windows app downloads.
It's really just a new mindset; Microsoft went over the options for whether to image or not, and that just getting the base config and putting a light touch on it (domain join, AV, patching, SCCM client) is in fact a viable way to go and they have many clients do it. My concern is with one or two techs they are not ready for the high cadence of updates/patches/firmware changes that will come with this new platform. They also told me Windows 10 will have a 1 month update cycle (not just patches) so our client needs to start thinking different. I'm not saying a gold image is not the way to go, just a lot less agile than I think is going to be required. Now I just need them to allow the tile apps to talk to ActiveSync.
It's always fun dealing with the old boy mentality of "we've always done it this way" when introducing disruptive technologies... surprisingly, the client is very advanced in the cloud space...
__________________
Bob James 06 Cayman S - Money Penny 18 Macan GTS Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
Registered
[QUOTE=stealthn;8358358]Thanks guys, met with Microsoft today and got some good feedback re the GPOs. One challenge we have is if you disable Windows updates this also causes grief with Windows app downloads.[/QUOTE]
SCCM should control your updates (you mention the SCCM client, so I'm assuming that is your system management software). We disable the app store in Windows 8.1 as all software comes from SCCM. In our environment users are prohibited from installing any software, including updates. This helps us keep a consistent environment and also prevents bad updates from being installed. We've had to pull several updates this year due to bad updates from Microsoft. Had users been allowed to install updates they would have blue screened their computers. So using GPO we disable automatic updates and then create a few reg keys to point to our SCCM Windows Update Server. We haven't had any issues with regards to app installs through SCCM or GPO.
Quote:
In addition, we refresh our gold image every two months with all updates since the last update cycle. We add additional drivers to support new hardware and other functionality at this time as well. I would recommend setting the Surfaces up as you would any other laptop. The more hardware agnostic your management strategy is, the easier it will be to scale. Our process for deploying systems doesn't change for desktop, laptop or Surface. We incorporate BitLocker and our wireless setup within our task sequence in addition to department-specific applications. Of course, all of this needs to be built out on the backend so the front end looks simple.
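The update setup described in the post above (automatic updates disabled by GPO, registry values pointing clients at an internal update server, Store turned off) can be audited on a device with a short script. This is an added example, not part of the original post or the poster's configuration: the value names are the standard Windows Update and Store policy registry values, while the function names and the server URL are constructed for illustration.

```powershell
$WuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$StoreKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

function Get-WuPolicy {
    # Read the live policy values; a missing key or value comes back as $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    $st = Get-ItemProperty -Path $StoreKey -ErrorAction SilentlyContinue
    @{
        WUServer           = $wu.WUServer
        WUStatusServer     = $wu.WUStatusServer
        UseWUServer        = $au.UseWUServer
        NoAutoUpdate       = $au.NoAutoUpdate
        RemoveWindowsStore = $st.RemoveWindowsStore
    }
}

function Test-WuPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = @()
    if ($Policy.NoAutoUpdate -eq 1 -and $Policy.UseWUServer -ne 1) {
        $findings += 'Automatic updates are off and no internal update server is configured; the device is only patched if another tool does it.'
    }
    if ($Policy.UseWUServer -eq 1 -and -not $Policy.WUServer) {
        $findings += 'UseWUServer is 1 but WUServer is empty; the client has nowhere to scan.'
    }
    if ($Policy.WUServer -and $Policy.WUServer -notmatch '^https://') {
        $findings += "WUServer '$($Policy.WUServer)' is not HTTPS; update metadata travels unprotected."
    }
    if ($Policy.WUServer -and $Policy.WUStatusServer -and
        $Policy.WUServer -ne $Policy.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ; compliance reports go to a different host.'
    }
    if ($Policy.RemoveWindowsStore -eq 1) {
        $findings += 'Store is disabled; all app delivery depends on the management tool.'
    }
    $findings
}

# Constructed sample resembling the setup in the post (not real values).
$sample = @{
    WUServer           = 'http://wsus.example.internal:8530'
    WUStatusServer     = 'http://wsus.example.internal:8530'
    UseWUServer        = 1
    NoAutoUpdate       = 1
    RemoveWindowsStore = 1
}
Test-WuPolicy -Policy $sample
# On a managed device: Test-WuPolicy -Policy (Get-WuPolicy)
```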
It'll be legen-waitforit
Join Date: Jan 2002
Location: Calgary, Canada
Posts: 6,969
I appreciate your input. IMHO I want people to have a little more freedom with this device, i.e. a little more tabletesque. Try the Windows Store and see how and why there are apps people use. I don't want a locked down device when I am on an hour flight and I can't do something. Again, my opinion.
What other than the app store and Windows Update did you restrict with the GPO? As well, are you buying an Ethernet dongle for every device or using the same one when imaging?
__________________
Bob James 06 Cayman S - Money Penny 18 Macan GTS Gone: 79 911SC, 83 944, 05 Cayenne Turbo, 10 Panamera Turbo
Registered
Quote:
Most of our campuses are wifi enabled so users can roam using wifi and be on our network. They can connect to other wifi networks as needed. The decision to purchase a dongle is up to purchasing and the requesting manager. For imaging they use the same dongles. We had to tweak our pre-flight script to work around issues with imaging different systems with the same MAC address.
We don't have any other restrictions on the OS. They just can't install software from the app store. They can install software from our software catalogue if it's available to them.