Overview
Pranik Logistics was setting up an office for 200 users and 300 machines. Around 150 users would work from the office, and 50 users from the sales team would work remotely. They wanted a strict security and firewall policy implemented to secure their data.
The client needed mailboxes created for all 200 users. The company would procure 300 machines, which needed to be reimaged (OS installation): Windows 10 on 250 machines and Windows Server 2016 on 50 machines. The client wanted to manage all these devices using a central management tool: check health, run software and hardware inventory, install OS updates (patching), and install applications, application updates and policies, all from that tool.
The client's sales team consists of 50 users. They mostly visit customers to show and demo the products, and for these demos they use Android and iOS devices. The client also wanted these devices managed.
The client wanted us to architect their software needs based on their requirements.
Recommendations
- They needed mailboxes set up for 200 users.
- They needed a tool to image (install) the OS, apps, policies and updates on 300 machines.
- They needed to secure their infrastructure.
- They have 50 remote users who also use Android and iOS devices; these devices also need to be managed.
Solution
- We provided them with O365 licenses, which include Exchange, Skype for Business, Teams, Office Online and other tools. O365 also gives them single sign-on for their SaaS applications.
- For imaging the machines we used SCCM. SCCM is a paid tool (a System Center license is required).
- To secure the infrastructure, the machines were joined to a domain and various GPOs were applied. BitLocker, Device Guard and Secure Boot were also implemented.
- The 50 remote users also use Android and iOS devices, which need to be managed as well. These devices were managed using Intune.
Explanation of the Solution
- The first step was to set up Active Directory and the domain services (AD, DNS, DHCP).
- DHCP was configured to provide IP addresses to all 300 machines.
- An Azure AD tenant was created. The on-prem AD is kept in sync with Azure AD using the AD Connect tool, and backend settings were made for a hybrid AD configuration (domain + AAD).
- All 300 machines were joined to this domain. When a machine joined the domain, it was also joined to AAD.
- All 200 user accounts were created in this domain; the AD Connect tool syncs these users to Azure AD.
- Once all 200 user accounts were synced to Azure AD, O365 licenses (E1, E3, E5) were procured and assigned to the users through the O365 admin portal.
- The 300 machines were deployed using SCCM. SCCM supports PXE deployment, so all the machines were deployed as soon as they were connected to the network. The deployment carried out the following steps on each machine:
  - The operating system (Windows 10 or Windows Server 2016) was installed.
  - The machine was joined to the domain.
  - All applications needed by the client were deployed.
  - Operating system updates were deployed.
  - BitLocker was enabled.
  - Device Guard and Secure Boot were enabled using a script.
  - The firewall was enabled.
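The deployment steps above switch on four security controls (BitLocker, Secure Boot, Device Guard, firewall), and a practitioner would want to verify that each machine actually ended up in that state. The following PowerShell script is an added example, not part of the original case study or the client's own tooling: run elevated on a deployed Windows 10 / Server 2016 machine, it reports each control and ends with a single "Compliant" / "NonCompliant" string, the shape used by a script-based SCCM Configuration Item. The function name Test-PranikBaseline and the chosen thresholds are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: post-deployment check of the controls enabled by the SCCM deployment.
# 'Test-PranikBaseline' and the pass criteria below are assumptions, not the client's values.
function Test-PranikBaseline {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Name, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Control = $Name; Compliant = [bool]$Pass; Detail = $Detail }) }

    # 1. BitLocker: the OS volume must be fully encrypted and protection must be on.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $blOk = $bl -and $bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On'
    & $add 'BitLocker' $blOk ("Status={0}; Protection={1}" -f $bl.VolumeStatus, $bl.ProtectionStatus)

    # 2. Secure Boot: Confirm-SecureBootUEFI fails on legacy BIOS machines; treat that as non-compliant.
    try   { $sb = Confirm-SecureBootUEFI -ErrorAction Stop; & $add 'SecureBoot' $sb "Enabled=$sb" }
    catch { & $add 'SecureBoot' $false "Not UEFI or query failed: $($_.Exception.Message)" }

    # 3. Device Guard: VBS must be running (status 2) and HVCI (service id 2) must be in the running list.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard `
        -ErrorAction SilentlyContinue
    $hvci = $dg -and $dg.VirtualizationBasedSecurityStatus -eq 2 -and ($dg.SecurityServicesRunning -contains 2)
    & $add 'DeviceGuard-HVCI' $hvci ("VBS={0}; Running={1}" -f $dg.VirtualizationBasedSecurityStatus,
        ($dg.SecurityServicesRunning -join ','))

    # 4. Firewall: the Domain, Private and Public profiles must all be enabled.
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
    & $add 'Firewall' (-not $off) ("Disabled profiles: {0}" -f $(if ($off) { $off -join ',' } else { 'none' }))

    return $results
}

$report = Test-PranikBaseline
# Show the per-control table to the operator (Out-Host keeps it out of the pipeline output).
$report | Format-Table -AutoSize | Out-Host
# A script-based SCCM Configuration Item compares the script's output with the expected value,
# so the last thing written to the pipeline is the single verdict string.
if ($report.Compliant -contains $false) { 'NonCompliant' } else { 'Compliant' }
```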
- Once all 300 machines were deployed, we were able to manage their health and run software and hardware inventory on them using SCCM.
- For patching, SCCM works on top of Windows Server Update Services (WSUS).
- MBAM is integrated with SCCM, so all 300 BitLocker-encrypted machines can be managed using SCCM.
- For managing the iOS and Android devices, Intune was used. Intune can be implemented standalone or integrated with SCCM.
- In the backend, Intune was connected to Azure AD, so it gets all user and machine details from AAD.
- Once Intune was set up, the iOS and Android devices were enrolled in Intune and various policies were applied to secure the devices and their data; remote wipe is also possible if a device is lost.
- If the client later wants to monitor their 50 servers, SCOM or Azure Log Analytics / Azure Sentinel can be implemented for this.
- Using the above recommendations, most of the concerns related to security and data privacy can be addressed. GPOs and Azure policies can be configured to meet the client's needs.