Information technology tools and resources at the UW
20160321: Managed Workstation Newsletter (March 2016)
Welcome to the semi-annual Managed Workstation service newsletter, which brings you valuable updates and information to help you make the most of our services.
New Capabilities and Improvements
Windows 10 Self-service Upgrade: In January, we released a self-service mechanism that allows users to upgrade their Windows 7 or Windows 8.1 computer to Windows 10. More info here. This has been an overwhelming success, with over 20% of Managed Workstations having already made the switch to Windows 10. Customers running Windows 8 or 8.1 should strongly consider upgrading to Windows 10 as we have reduced the support capabilities provided to those operating systems.
‘What Does the Managed Workstation Rate Include?’ Documentation: A common source of confusion surrounding the Managed Workstation Service is understanding our business model and when something is included in the Managed Workstation rate versus something for which we charge an hourly consulting rate. We’ve tackled this question directly in some new documentation which conceptually explains where the line is, and then dives into concrete examples to help you understand the difference.
Capability Map: We developed a capability map for the Managed Workstation Service. Capability maps are a mechanism to facilitate discussion about what capabilities a given service, organization, or technology provides. The purpose for a capability map is that the audience is better able to engage–whether that is to ask for more details, identify and raise unmet needs, or understand the business better including what is planned for the future. Please do ask any questions this inspires–your question may help us to refine the map or prioritize our investments more appropriately.
Infrastructure Upgrades: There have been a series of replacements and improvements related to infrastructure mechanisms behind the Managed Workstation service. Most of these activities are hidden from you as a customer, and it’s great when we can keep these things from impacting the work you do. These include:
- replacing an aging Sophos AntiVirus server,
- replacing our aging System Center Configuration Manager servers (SCCM) – which provide software packages,
- retiring the Internet Explorer Exempt mechanism
Self-service User Eligibility and Accounts: Since the last newsletter, we’ve completed the work to align the user eligibility group mechanism to automatically provision and deprovision the user-oriented capabilities provided by the Managed Workstation service. This puts you in the driver seat of adding and removing users from the Managed Workstation service. If you don’t understand the user eligibility group mechanism, either read the documentation at the link or ask us to explain–this is really important to understand.
This means you no longer request a “Nebula account” when a new employee or person joins your department. Instead, you simply add them to your eligibility group. If you need an Exchange mailbox, you can still ask us to help facilitate that. If you need the new user to have access to a Nebula file service location, in the future, you will also have a self-service mechanism to do that–see the Group Management item below. NOTE: The Managed Workstation service does not provide the Exchange mailbox, we are simply helping you ask the service which does provide that.
A corollary of not requesting a Nebula account is that the Nebula2 user account is no longer required for Managed Workstation services. Metrics suggest only 660 users are still using a Nebula2 user account. By default, we no longer create Nebula2 user accounts for customers because the Managed Workstation service design does not require them. Existing use of Nebula2 user accounts should stop, with customers encouraged to instead use NETID user accounts. We still provide assistance in making this change on your Managed Workstation at no additional cost.
Group Management Services Removed: We will no longer make group membership changes on your behalf. In the far past, the service design for Nebula file services required that the Managed Workstation service manage the groups which owned a given file directory. Several years ago, we changed that design to allow customers to manage the groups which owned a given file directory. We are now requiring customers to take over management of their groups, so if you request a change to one of the groups which currently only we can manage, we will transfer management of that group to you. More information about why we made this change and especially why we think you’ll agree this is a step in the right direction is available here.
Mac VPN – End of Life: We plan to move Nebula VPN services for Mac clients to end of life in the near future. At this time, we do not have a specific date to communicate as we are waiting for the general purpose campus VPN solution to be released. Existing customers of the Mac VPN will have a month after the campus VPN is released to transition to that general offering. We’ll send a separate announcement about this change.
Windows 10 and Office 2016 available: We made an Office 2016 software package available in early January. You can install it via the mechanism described here. Office 2016 is also standard in the Windows 10 image, and in a new Windows 7 image that should be available shortly. In December we made a Windows 10 image available via Lite Touch and full service. In early January we moved Windows 10 to baseline support status, released the self-service upgrade capability mentioned previously, and provided the Windows 10 image via CDW.
NOTE: We also updated our Windows 7 image. Both are available via CDW or Lite Touch.
Home Directory Purge: In mid-February, we deleted undesired home directories. This constituted almost 5200 home directories using 6 TB of space. Under current practices, there is still a copy of that deleted data for a year but a change is pending to only retain deleted data 90 days. More info here.
FY17 Rates: We are in the period of the year where rates for cost-recovery services are under review and being submitted for central review. We can’t say anything definitive about what rates will be, but at this time, we don’t expect any of the rates to increase. Budgeting for approximately the same costs for Managed Workstation Services should be relatively safe. We’ll share more information about rates when they are finalized.
Staffing changes: In January we were sad to see service team member Kay Lutz retire. Kay had served on this team for many years, and we will miss her. Her position is still unfilled, but we hope to return to full strength soon. In September 2015, we welcomed Brian W Smith to the service team. Brian came to us from a customer department, and has shored up our depleted engineering ranks. Brian brings a positive, customer results focused attitude that the entire team has appreciated. Brian replaced the ancient server providing Sophos Antivirus services to Managed Workstations with a minimum of impact on customers, and helped put together the Windows 10 upgrade capability.
Additional Security Offerings: If you have confidential data needs and/or regulatory compliance issues that aren’t currently being addressed, please let us know. We’re designing a solution in this area with a customer. Knowing you would like such a solution will help us to secure central funding to build a capability that addresses this gap. We are currently exploring the following options (which would have some additional ongoing cost):
- File service with encryption by default, with additional protections available based on metadata classification or manually intervention,
- Audit log collection and analysis to detect undesired/anomalous activity,
- More administrative controls on a per computer basis on who has access to desktops,
- Managed Workstation encrypted drives (via Bitlocker) with the option to have this on by default,
- Password manager (this helps users manage passwords by suggesting strong ones, storing them securely, and provides the option to supply them).
Send an email to firstname.lastname@example.org with “Managed Workstation high security” in the subject line if you have interest.
Below are metrics across the Nebula service. The takeaway statement following each graph compares metrics in the last 6 months to the prior 6 month period. For information specific to you or your department, the MyIT portal has more data: https://support.nebula.washington.edu/myIT/Default.aspx.
Operating System Versions
Takeaways: +0 Total Windows (~3300 today), +550 Windows 10 (~600 total today), -80 Windows 8.1 (~420 total today), -500 Windows 7 (~2250 total today), -10 MacOS (~10 total today)
Takeaways: +15 sessions on average (~55 sessions average with a peak of 80)
Takeaways: +0 Public network (~2500 total today), +0 Private network (~550 total today)
NOTE: This is a new metric we are tracking so net change is not yet available
Nebula2 User Account Status
Takeaways: +100 Enabled (~5300 total today), +100 Disabled (~4600 total today)
NOTE: This is a new metric we are tracking so net change is based on less than 6 month period
Managed Workstation User Logons
Takeaways: +0 Active User (~2150 total today), -220 Nebula2 (~660 total today), +200 NETID (~2040 total today)
NOTE: This is a new metric we are reporting
Takeaways: Support requests have decreased by 0.8%; 4166 Nebula support records resolved vs. 4203 in prior 6 month period.
Takeaways: Incidents have increased by 406%; 73 Nebula incidents resolved vs. 18 in prior 6 month period.
NOTE: We believe this significant change reflects a couple factors:
- Our guidance to customers to ask for incidents when they are experiencing a work stoppage due to a non-functional Managed Workstation
- Increased maturity within the service team in tracking incidents
- An increase in unexplained anomalies with Nebula File Services. We have put in place some mechanisms to help us determine the cause for future instances of this, but there is some technical debt here which is part of the reason we do not consider this solution as viable long-term.
Our objectives for the next six months include:
- Bring Mac VPN to end of life, assist Mac based customers in transitioning to new Husky OnNet VPN service, evaluate whether Windows VPN should also move to end of life
- Infrastructure replacement, including:
- Complete the replacement of the servers behind our aging software deployment infrastructure (System Center Configuration Manager). There will be some customer noticeable changes which we’ll share before we make this transition.
- Replace the servers providing the database powering much of the Managed Workstation capabilities. This should not be customer noticeable.
- Replace the server providing the Windows File Services, transitioning that into an offering that can handle confidential data with the ability to encrypt data at-rest by default
- Activities related to the Nebula2 user transitions.
- Begin planning for computer migrations to NETID domain.
- In concert with above computer migration planning, transition Nebula’s software deployment capabilities to the UW Windows Infrastructure service so a broader set of the UW can leverage this capability and contribute packages Managed Workstation customers might use.
- Reorganize customer documentation and address any gaps
- Continue explorations in our partnership with the UW-IT Service Desk to improve the quality of customer handling & routing, and reduce the Managed Workstation rate by identifying activities which they can provide
Of the objectives we listed 6 months ago, here is a summary of our progress:
- 4 complete: Office 2016, Windows 10 support, customer routing improvements, OS deployment
- 3 significant progress, work continues: Mac VPN, software deployment infrastructure replacement
- 3 some progress, work continues: Nebula2 user transitions, planning for computer migrations to NETID, confidential data/high security need explorations
Supporting your needs for Managed Workstation capabilities is our priority, so we welcome feedback on how we can make the Managed Workstation service more valuable to you. The nebula-announce and nebula-discuss mailing lists are good sources of information. We recommend that each customer have at least one individual join the nebula-announce mailing list. See https://www.washington.edu/itconnect/wares/nebula/contact-us/ for more on how to join.
You can voice your support for future objectives to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via email@example.com.
UW-IT, Managed Workstation Service Manager and Service Owner