Tuesday, 27 October 2015

Secunia CSI Portal

Back to Secunia menu

The first step in a Secunia CSI deployment is to purchase the licenses (the product is licensed per node). You can contact Secunia directly or through a Managed Service Provider (MSP). Ergo Group (my employer) is the Secunia CSI MSP for Republic of Ireland. Your login details will be sent to you via email.

Connect to the CSI Portal. (You must use Internet Explorer (I'll explain this later). Also some of the functionality requires for IE to be launched as Administrator. Therefore I think it's easier just to do this each time).


Welcome to the CSI Portal.

See the navigation tabs on the portal. Some items are missing from the final solution. Where is "Patching" for example? For now we can only see cloud based items that can be configured (User management, for example). We cannot integrate with Active Directory or WSUS/SCCM at this stage.

So what is the problem? Have a look at the bottom of the IE screen. You will see a reference to the CSI Plugin. This is required to add the functionality to integrate with on premise services. Note that the CSI Plugin is only supported by Internet Explorer. If you use another browser you will be able to log in to the portal but you will not be prompted to install the plugin.

Download and install the CSI Plugin.

It's a very straightforward installation with no trick questions.

After the installation you are prompted to reload the portal page.

Now see the additional items. See "Patching". We will be doing a lot of work using this menu.

Also see where we can now integrate with Active Directory.

One final thing to note here - have a look at the bottom right of the screen and see that the portal version is 7.1. When Secunia upgrade the portal (possibly to 7.2) you will have to download and re-install the Plugin for 7.2. Don't worry though. You won't have to redo any configuration.

Next we will carry out the initial configuration. Until then.......

Third party patching with Secunia CSI

Back to main menu

I've recently started using Secunia Corporate Software Inspector (CSI) to deploy third party updates on my customer sites. It's really easy to set up and configure and integrates very well into the existing ConfigMgr monthly updates cycle. Users do not notice that third party applications are now being updated also.

Follow the links below to see the series of blog posts. I hope they will be helpful to you.

Leverage Your ConfigMgr Investment for Third Party Patching
Secunia CSI is a Microsoft Preferred Solution
Secunia CSI Portal
Secunia CSI Portal initial configuration
Inventory and CSI Agent
Patch third party applications

Friday, 23 October 2015

Azure AD Premium features not working

EMS Landing page

I had a strange situation this week while working on a customer site. The customer had purchased Enterprise Mobility Suite licenses and I had added some licenses to test users. So far so good. These users now had access to Azure AD Premium features - or did they?

I tired to configure password writeback for these users but it just didn't work, with no indication where the problem might be.

It seems that there is a known issue that Microsoft are currently investigating. In some cases, even if you add the EMS licenses to users it looks that Azure AD Premium just does not get activated on the tenant. It's easy to solve this with a free support call to Microsoft CSS. However I wanted to share this to prevent others wasting time second-guessing their configuration.

You can create an online support request via Office 365 or Azure Portals.

I hope this helps. Until next time.......

Monday, 12 October 2015

Leverage Your SCCM Investment for Third Party Patching

Back to Secunia menu

Microsoft System Center Configuration Manager (SCCM) is great for patching. It’s the most effective way for you to manage devices across your network, enforce your policies, and apply updates in a swift, automated fashion.

So it’s only natural to think that, with Microsoft SCCM up and running, you’re covered against application vulnerabilities.

But that’s an assumption that leaves your organisation exposed.

77% of vulnerabilities affect third-party applications
According to the Secunia Vulnerability Review 2015, 3,870 vulnerabilities were discovered in 2014. But these weren’t all in Microsoft products – they were spread across 500 different vendors.

In reality, 77% of the vulnerabilities uncovered in 2014 affected non-Microsoft applications. So patching first party software with SCCM only solves part of the problem.

Of course, you’ve already spent time and money implementing SCCM. It’s a familiar tool that you use regularly, but it took time to learn its nuances and start using it efficiently.

Fortunately, you can leverage this existing investment and expertise to secure third-party applications right alongside Microsoft ones.

Using SCCM to find third-party applications
One of the hardest – and most time consuming – parts of effective vulnerability management is achieving full visibility. Until you know the third-party applications that are used across your entire infrastructure, you can’t hope to check for vulnerabilities and patch them where appropriate.

SCCM includes a robust software inventory feature that can be used to scan for third-party applications. And when this is paired with an SCCM-integrated patch management platform, the results can form the foundation of your entire vulnerability workflow.
Secunia CSI takes data from SCCM’s software inventory and compares this against its own remote database, managed by the Secunia Research Team. Covering more than 20,000 programs, the database reconciles SCCM’s knowledge of your network with Secunia’s insight into third-party software, vulnerabilities, and patches.
Bring third-party into Patch Tuesday

While Microsoft attempt to rebrand it as ‘Update Tuesday’, Patch Tuesday is a longstanding part of the IT administrator’s routine. It’s when Microsoft release new patches – or updates – for its software, fixing known security vulnerabilities.

Thanks to its SCCM and Windows Server Update Services (WSUS) integration, Secunia CSI can make third-party patching a seamless part of this established routine.

So, using a familiar interface that doesn’t slow you down, you can:
  • Take stock of the applications across your network
  • Package patches for distribution
  • Deploy patches to every instance of an application
All in record time – and in a single downtime window.

An integrated platform for third-party patching and vulnerability scanning saves time, energy, and – as a direct result – money. So while SCCM doesn’t cover all bases out of the box, you can leverage your existing investment to keep your network defended against the entire spectrum of vulnerabilities.

Secunia CSI

Saturday, 10 October 2015

Top tip when resetting Mobile Device Management Authority

EMS Landing page

Several times in the past I've had a problem with the Mobile Device Management Authority for a tenant. I've started a project to deploy System Center Configuration Manager with Intune but found that the customer had already set the MDM Authority to Intune. This isn't a big technical challenge. You just have to submit a support request with Microsoft CSS to reset this. However the process can take up to 5 working days and is a logistical challenge as it can play havoc with the project schedule.

I had a slight variation on this problem last week. I started a project to deploy standalone Intune. In this case I couldn't set the MDM Authority to Intune as it was already set to Office 365.

Top Tip: When you submit the request to Microsoft CSS in this case do NOT ask for the MDM Authority to be reset for the tenant (as I said this can take 5 working days). You should request that coexistence is configured for the tenant (hybrid of Intune & Office 365).

In my case I asked for coexistence to be configured for the tenant. This was completed in less than 24 hours and the MDM Authority was automatically set to Intune.

Note that there is NO technical reason to prevent you doing this. All Intune features will be available to you. The hybrid merely allows you to manage devices through Office 365 at the same time. The advantage is obvious. You can resolve the problem in a fraction of the time.

(Note that if you want to set Configuration Manager as the MDM Authority you still need a full reset).

I hope this helps others. Until next time.....