Microsoft IT deploys Work Folders as an enterprise client data management solution

Published May 2014

The following content may no longer reflect Microsoft's current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.

Learn how Microsoft IT is implementing Work Folders to support People-Centric IT and to improve management of sensitive data.

Situation
Microsoft IT needed to create a new data storage service that embraced people-centric IT by being simple to use and by enabling secure access to files from virtually any Windows-based device, including personal devices.

Solution
Microsoft IT used Work Folders, a feature available in Windows-based clients and Windows Server 2012 R2, as the centerpiece of the organization's new managed data storage solution, which enables workers to store and access their data and synchronize it with mobile devices.

Benefits
- Improved data storage management and ease of use
- Improved security
- Cost savings with excellent total cost of ownership

Products and Technology
- Windows Server 2012 R2
- Windows-based client
- Microsoft Internet Information Services (IIS) Server
- Windows Intune
Technical Case Study

Situation

Corporations today face significant challenges protecting data in this choose-your-own-device (CYOD) and bring-your-own-device (BYOD) world. From the information worker standpoint, people want flexibility to determine where and how they work. They want to use the device of their choice, and they want their data to be available wherever they are. But this same drive to support BYOD can be at odds with the IT organization's mandate to ensure that sensitive data is managed and stored properly.

Whereas enterprise IT organizations commonly impose strict data storage requirements on their employees, Microsoft Information Technology (Microsoft IT) supports a mostly unmanaged, opt-in environment that reflects the company's culture. However, responding to user data storage requests over time has resulted in Microsoft IT providing a fragmented set of storage solutions. Although a proliferation of options gives users choices, it can also generate confusion around products and features, and increase enrollment complexity. Microsoft IT's existing set of storage options had limited support for non-domain-joined devices and was not able to offer extensive managed storage capacity. Furthermore, the organization was spending over $2 million per year on user data-related support, recovery, and unsecure storage purchases (such as USB drives and consumer cloud solutions).

Microsoft IT wanted to create a new data storage service that would allow secure access to work files from virtually any device, even non-domain-joined systems. By developing a People-Centric IT (PCIT) solution, Microsoft IT expected to improve user satisfaction; minimize the risk of data loss and reduced productivity due to lost, damaged, or stolen devices; and ultimately reduce the cost of data-related support.
Solution

Microsoft IT deployed Work Folders, a feature available in Windows-based clients and Windows Server 2012 R2, as the centerpiece of the organization's new managed data storage solution for employees, staff, and vendors. Work Folders was selected for the following reasons:

- Native Windows-based solution: As a built-in feature of Windows-based clients and Windows Server 2012 R2, Work Folders allowed Microsoft IT to deploy a robust and fully integrated data storage service into the corporate network without the cost associated with developing and maintaining a custom solution.
- Support of PCIT, CYOD, and BYOD: Work Folders allows users to synchronize work-related files to mobile devices, even if the device isn't joined to the corporate domain.
- Ensure enterprise-readiness: As the company's first and best customer, Microsoft IT regularly adopts early releases of Microsoft technologies, tests them in a real-world environment, and provides critical feedback to improve products before they are generally available to the public. In the case of Work Folders, Microsoft IT collaborated closely with the product group to launch a pilot deployment of Work Folders as part of pre-release Windows 8.1 dogfood programs. Doing so enabled Microsoft IT to validate features within the Microsoft enterprise environment.

Solution architecture

Figure 1 below provides a high-level view of the Work Folders pilot deployment, which included the following components:

- Four Windows Server 2012 R2 Hyper-V file servers within the corporate network, configured as follows:
  - 12 TB of storage area network (SAN) storage dedicated for pilot use
  - Default 25 GB quota limit per user
- One Windows Server 2012 R2 Hyper-V server for the IIS Redirect server, installed within the corporate network.
- A virtual private network (VPN) connection to allow non-domain-joined devices to access Work Folders, which leverages the company's existing Network Access Protection (NAP) and Intune device management.

Note: Microsoft IT decided to utilize a VPN/NAP/Intune-based secure connection technology because it was already in place and complied with the company's edge connection strategy. However, organizations that have a traditional reverse proxy/Active Directory Federation Services (AD FS) solution can use it as an entry point into their secure Work Folders environment.

Figure 1. Deployment topology for Microsoft IT's implementation of the Work Folders service.

User sign-up experience

Figure 2 illustrates the streamlined sign-up experience, which involves the following steps:

1. The user accesses an internal portal to sign up for creation of a Work Folders sync share.
2. The user configures Work Folders within the Windows 8.1 Control Panel using the appropriate email address.
3. An IIS Redirect Server then connects the device to the appropriate regional Work Folders server for file synchronization.
Figure 2. The streamlined Work Folders sign-up and configuration process.

Implementation steps

1. Microsoft IT performed an initial proof-of-concept (POC) at corporate headquarters that included 10 users running 20 Windows 8.1 machines. In this POC, Microsoft IT:
   a. Allocated a single Windows Server 2012 R2 Hyper-V server for testing Work Folders.
   b. Verified Work Folders encryption and configuration.
   c. Tested URL paths.
   d. Developed a Windows PowerShell script that used configuration policies and Windows Intune to automate the user sign-up experience with a single-click join capability.
2. Upon successful completion of the POC phase, Work Folders moved into a pilot phase where Microsoft IT:
   a. Enhanced the Windows PowerShell script to allow pilot participants to use email addressing instead of long URL strings when configuring their Work Folders. Other script enhancements improved manageability, reporting, and monitoring of Work Folders across the company's global multi-domain environment.
   b. Added security features on the server side to the Work Folders role that established enterprise-level security and ensured that users would comply with Microsoft IT security compliance requirements, including:
      i. Requiring device password and lock policies
      ii. Encrypting files on the device
      iii. Agreeing to the remote wipe function for lost or stolen devices
      iv. Microsoft IT security and device policies for domain-joined devices
      v. Using VPN to meet NAP compliance requirements
      vi. Using Auto-Connect VPN via Windows Intune for non-domain-joined devices
   c. Added three additional Windows Server 2012 R2 Hyper-V servers to the POC's single server in support of the pilot's scaling to all the company's regions, URLs, and domains.
   d. Used Windows Intune to enroll unmanaged (non-domain-joined) devices into IT Services. By enrolling a device into Windows Intune, the device becomes registered and can then obtain a policy that grants access to Work Folders.
3. Microsoft IT completed the pilot phase in January 2014 and is moving its Work Folders service into production. Current efforts include:
   a. Continuing the large-scale deployment of Work Folders as a production service to all regions.
   b. Investigating interoperability with a variety of platforms and form factors.
   c. Providing ongoing feedback to the product group to enhance the service in future releases.

Benefits

By the end of the four-month pilot period, more than 1,800 participants had signed up to use Work Folders, more than triple the initial participant estimate of 500. Furthermore, almost 83 percent of the participants indicated they were satisfied or very satisfied with the service. Additional results from the pilot are provided in Table 1.

Table 1. Work Folders pilot results.
Description                                   Value
Number of participants                        1,819
Number of files                               3,643,271
Average files/user                            2,002
Total storage used (GB)                       17,908
Total number of devices                       3,442
Total personal (non-domain-joined) devices    672
User satisfaction level (percent)             82.7

Improved data storage management and ease of use

Improves user experience for end users. As a built-in feature of Windows 8.1, Work Folders ensures a simple, consistent experience across Windows 8.1 devices, giving users a centralized location within a familiar interface to store work files that can be accessed from anywhere using corporate or personal machines (see Figure 3).
Figure 3. Work Folders as viewed through Windows Explorer.

Improves management for administrators. As shown in Figure 4, Work Folders provides a simple configuration interface in Windows Server 2012 R2 File Server. By setting the appropriate options, Microsoft IT is able to maintain control of how users store sensitive information. Data is protected, and file backups and synchronization are secured.

Figure 4. Managing Work Folders in Windows Server 2012 R2 File Server.

Improved security

Promotes secure storage and backups. The ease of use of this PCIT solution promotes using Work Folders as a secure backup solution for business-critical data, which is preferable to using less secure external storage devices or not using any backup source at all.

Enforces device security. As shown in Figure 5, Microsoft IT can enforce user device policies such as encryption and lock-screen passwords to protect data that resides on a device.
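The server-side configuration behind the device policies just described (required encryption and lock-screen password), together with the pilot's default 25 GB per-user quota and the SSL certificate binding the sync endpoint needs, as an added Windows PowerShell example. This is not Microsoft IT's script; the share path, share name, security group, quota template name, and certificate thumbprint are assumptions or placeholders, and the app ID in the netsh binding is the one Microsoft's Work Folders deployment guidance gives for the Sync Share service and should be confirmed against the guidance for your build.

```powershell
# Added example, not the Microsoft IT script: provision a Work Folders sync share
# on Windows Server 2012 R2 with enforced device policies, an FSRM quota, and
# the HTTPS binding for sync traffic. Run on the sync server as an administrator.
#Requires -RunAsAdministrator
param(
    [string]$SyncSharePath  = 'D:\WorkFolders',                  # assumption
    [string]$SyncShareName  = 'WorkFolders',                     # assumption
    [string]$UserGroup      = 'CONTOSO\WorkFoldersUsers',        # assumption
    [string]$QuotaTemplate  = 'Work Folders 25 GB',              # assumption
    [string]$CertThumbprint = '<thumbprint of server certificate>'  # placeholder
)

# 1. Install the Work Folders role service and File Server Resource Manager.
Install-WindowsFeature -Name FS-SyncShareService, FS-Resource-Manager -IncludeManagementTools

# 2. Create the sync share. -RequireEncryption and -RequirePasswordAutoLock are the
#    server-side switches for "encrypt files on the device" and "device password and
#    lock policies": a client that does not accept them is not allowed to sync.
#    -UserFolderName user@domain keeps user folders unique across a multi-domain forest.
if (-not (Get-SyncShare -Name $SyncShareName -ErrorAction SilentlyContinue)) {
    New-SyncShare -Name $SyncShareName -Path $SyncSharePath -User $UserGroup `
        -RequireEncryption $true -RequirePasswordAutoLock $true `
        -UserFolderName 'user@domain'
}

# 3. Default 25 GB quota per user folder, with an e-mail warning at 85 percent.
#    [Admin Email], [Quota Path], [Quota Used] and [Quota Limit] are FSRM macros.
$warn = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Work Folders quota at 85% for [Quota Path]' `
    -Body 'Folder [Quota Path] has used [Quota Used] of [Quota Limit].'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $warn
if (-not (Get-FsrmQuotaTemplate -Name $QuotaTemplate -ErrorAction SilentlyContinue)) {
    New-FsrmQuotaTemplate -Name $QuotaTemplate -Size 25GB -Threshold $threshold
}
# An auto quota applies the template to every user subfolder as it is created.
if (-not (Get-FsrmAutoQuota -Path $SyncSharePath -ErrorAction SilentlyContinue)) {
    New-FsrmAutoQuota -Path $SyncSharePath -Template $QuotaTemplate
}

# 4. Bind the server certificate to port 443. Work Folders is served by HTTP.sys
#    rather than an IIS site, so the binding is made with netsh. The certificate's
#    subject must match the name clients resolve (workfolders.<email domain> for
#    e-mail based discovery, or the URL handed out by the redirect server).
netsh http add sslcert "ipport=0.0.0.0:443" "certhash=$CertThumbprint" `
    "appid={CE66697B-3AA0-49D1-BDBD-F79C4F12E4C2}" "certstorename=MY"

# 5. Show what was enforced so the result can be checked against policy.
Get-SyncShare -Name $SyncShareName |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
Get-FsrmAutoQuota -Path $SyncSharePath
```

The two policy switches are what the single checkbox in Figure 5 sets in Server Manager; setting them in a script makes the requirement reproducible across all regional servers and visible in the `Get-SyncShare` output, which is the check an auditor would ask for.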
Figure 5. Work Folders security policies are set on users' systems with a single checkbox.

Cost savings

Excellent total cost of ownership. For Microsoft IT, the server infrastructure for Work Folders is part of the organization's existing Windows Server 2012 R2-based file server offering, which means that the organization is able to provide this data storage service without having to invest in any additional technology or servers.

Figure 6. Because Work Folders runs on top of Microsoft IT's existing file server infrastructure, it provides a critical service with an excellent total cost of ownership (TCO).

Reduces support costs. Microsoft IT estimates saving approximately 40 percent of the annual $2M support costs that have traditionally been associated with supporting lost data.

Reduces storage costs. Because Work Folders uses Windows Server 2012 R2 technology, Microsoft IT anticipates saving an average of 30 percent on drive storage costs through the server's built-in Deduplication storage optimization feature.
Improves productivity. Microsoft IT also recognizes the potentially significant productivity savings that Work Folders offers by providing a simple, automated backup solution for users who would otherwise have lost critical business data.

Best Practices

Microsoft IT followed these best practices when implementing Work Folders.

General implementation

- Prepare your data center(s) in advance of deploying Work Folders. This includes planning to deploy into multiple data centers to support worldwide operations, evaluating the types of servers (virtual machine versus physical), and ensuring that client-server performance within the network is sufficient to support Work Folders file synchronization. For Microsoft IT, all Work Folders servers run in virtual machine environments, and the remaining infrastructure components were already in place.
- Consider applying throttling where performance might be degraded, or establishing usage quotas where data storage capacity might be limited. Certain user roles, such as those working with large video files, might require a larger amount of storage than what is available. Similarly, certain regions' WAN environments might not be able to support unrestricted amounts of synchronization. In these circumstances, where upgrading the infrastructure is not an option, you might want to consider applying throttling or establishing usage quotas.
- Build Windows PowerShell scripts to automate the user setup process. Microsoft IT developed Windows PowerShell scripts that allow workers to use email addressing instead of having to provide long URL strings when configuring their Work Folders. Other scripts streamline Work Folders management and monitoring, which is especially valuable in the organization's multidomain, multiple Active Directory forest environment.
- Protect IP addresses. Configure a static IP address to protect your Work Folders service from any DHCP conflict or outage.
Security

- Create a secure access point for non-domain-joined systems. Determine what form of secure connection you will employ to allow non-domain-joined devices to access Work Folders securely. Examples include Web Application Proxy (reverse proxy with AD FS), VPN, DirectAccess, or similar technology. Microsoft IT enhanced security by limiting Work Folders access to registered devices, using its existing VPN/NAP/Windows Intune-based secure connection technology.
- Secure file transfers with SSL. Utilize SSL certificates to ensure secure in-transit data transmissions.
- Enforce appropriate encryption policies. Use encryption policies to ensure that documents in client devices' Work Folders are encrypted with an enterprise ID, which for Microsoft IT is the user's primary SMTP email address by default.
- Enable selective wipe. Selective wipe allows administrators to control the corporate data stored on an employee's personal device by eliminating access to that data when the device or user is no longer allowed access (such as when the device is stolen, or if the user chooses not to use the personal device at work). Because the corporate data is encrypted with an Enterprise ID key that an administrator can revoke when the device is deemed invalid, any corporate data on the device is rendered inaccessible.
Monitoring and reporting

- Use the Windows Server 2012 R2 File Server Resource Manager (FSRM) to monitor quota usage. Microsoft IT uses FSRM for user quota management; reporting on file size, file type, and file counts; and monitoring for file screening, file classification, and more. Consider developing a Windows PowerShell script on top of FSRM to enhance server monitoring.
- Write Windows PowerShell scripts to enhance your server's out-of-box monitoring and logging capabilities. As an example, Microsoft IT developed a telemetry data script for monitoring performance that records machine details for each user, synchronization history, usage time, server-side file screening, and file size and type details.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:

http://www.microsoft.com
http://www.microsoft.com/microsoft-it

© 2014 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
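The monitoring and reporting practices above (FSRM quota monitoring and a PowerShell script layered on top of the server's built-in status), as an added Windows PowerShell example. This is not the telemetry script Microsoft IT describes; the share name, share path, and the sample user accounts are assumptions, and the property names read from `Get-SyncUserStatus` (`DeviceName`, `LastSuccessfulSyncTime`) are an assumption about that cmdlet's output that should be checked with `Get-Member` on your server.

```powershell
# Added example, not Microsoft IT's telemetry script: a basic Work Folders health
# report run on a Windows Server 2012 R2 sync server. It joins FSRM quota usage
# (per user folder) with per-device sync status so that users near their quota
# and devices that have stopped syncing stand out for follow-up.
param(
    [string]$SyncShareName = 'WorkFolders',                        # assumption
    [string]$SyncSharePath = 'D:\WorkFolders',                     # assumption
    [string[]]$Users       = @('CONTOSO\alice', 'CONTOSO\bob'),    # constructed sample accounts
    [int]$WarnPercent      = 85,
    [int]$StaleDays        = 30
)

Import-Module FileServerResourceManager
Import-Module SyncShare

function Get-WorkFoldersQuotaReport {
    # The share's auto quota creates one FSRM quota per user folder, so the leaf
    # folder name identifies the user (user@domain when the share was created
    # with -UserFolderName user@domain).
    Get-FsrmQuota -Path (Join-Path $SyncSharePath '*') | ForEach-Object {
        $pct = if ($_.Size -gt 0) { [math]::Round(100 * $_.Usage / $_.Size, 1) } else { 0 }
        [pscustomobject]@{
            UserFolder  = Split-Path $_.Path -Leaf
            UsedGB      = [math]::Round($_.Usage / 1GB, 2)
            LimitGB     = [math]::Round($_.Size / 1GB, 2)
            UsedPercent = $pct
            NearLimit   = ($pct -ge $WarnPercent)
        }
    }
}

function Get-WorkFoldersDeviceReport {
    # Get-SyncUserStatus is the SyncShare cmdlet for per-user, per-device sync state.
    # DeviceName and LastSuccessfulSyncTime are assumed property names; confirm with
    #   Get-SyncUserStatus -SyncShare $SyncShareName -User $Users[0] | Get-Member
    foreach ($user in $Users) {
        Get-SyncUserStatus -SyncShare $SyncShareName -User $user -ErrorAction SilentlyContinue |
            ForEach-Object {
                # A device that has never synced successfully has no timestamp;
                # casting $null yields [datetime]::MinValue, so it is reported as stale.
                $last = [datetime]$_.LastSuccessfulSyncTime
                [pscustomobject]@{
                    User     = $user
                    Device   = $_.DeviceName
                    LastSync = $last
                    Stale    = ($last -lt (Get-Date).AddDays(-$StaleDays))
                }
            }
    }
}

$quotas  = Get-WorkFoldersQuotaReport
$devices = Get-WorkFoldersDeviceReport

"== User folders at or above $WarnPercent% of quota =="
$quotas | Where-Object NearLimit | Sort-Object UsedPercent -Descending | Format-Table -AutoSize

"== Devices with no successful sync in $StaleDays days =="
$devices | Where-Object Stale | Sort-Object LastSync | Format-Table -AutoSize

# Daily CSV snapshots give the usage-over-time view the case study's telemetry
# collected; the output directory is an assumption.
$stamp = Get-Date -Format 'yyyyMMdd'
$quotas  | Export-Csv -NoTypeInformation -Path "$env:TEMP\WorkFolders-Quotas-$stamp.csv"
$devices | Export-Csv -NoTypeInformation -Path "$env:TEMP\WorkFolders-Devices-$stamp.csv"
```

The stale-device list is the operational input for the selective wipe practice in the Security section: a registered device that has not synced in a month is a candidate for checking whether it is still in the user's possession before its Enterprise ID key is revoked.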