Posted on 5 March 2015
If you have any thoughts or comments about any of the below please contact IT Services.
Most office and classroom machines are currently managed by SCCM 2007. We will shortly be migrating all these machines to the newer version, SCCM 2012. The most noticeable difference following this upgrade will be a change in the way you install applications, from using Run Advertised Programs to using Software Center. The following article explains the differences in more detail:
SCCM 2012 will also be used to install and reinstall Windows on machines; we’ll provide additional information about how to do this soon. All new desktops and laptops have already been supplied with SCCM 2012 pre-installed.
If you’d like a machine migrated to SCCM 2012 to test in advance please email firstname.lastname@example.org.
We will be using a new tool to help us update and deploy applications on managed machines, providing a more informative and better experience for users.
Here are some of the features that will improve the application update experience:
Example (using an upgrade to Microsoft Office 2013):
Figure 1. Warning to close applications before the install can continue
Figure 2. Notification of uninstalling Office 2010
Figure 3. Notification of installing Office 2013
Figure 4. Prompt to restart computer
All machines should be running Internet Explorer 10 or above. Users have previously been prompted to upgrade manually, but over the next few months we will be rolling out an automatic upgrade to those machines still running an older version.
We will also be making Internet Explorer 11 available as an optional upgrade. There are still issues when using Internet Explorer 11 on some websites and users will be warned of this before they install the software.
Currently most managed desktops are using Microsoft Office 2010 Service Pack 1. In order to continue receiving patches and support from Microsoft, all machines need to be updated to Service Pack 2. This will be pushed out to the machines that require it over the next few weeks.
We are also looking at the possibility of making Office 2013 available as an optional upgrade to users in the coming few months.
Oracle will be dropping public support for Java 7 in April 2015. To coincide with this we will be removing all legacy versions of Java from individual managed PCs. We will no longer install Java by default on managed office machines. We will continue to provide Java 8 through Run Advertised and Software Center as usual. If you want to continue using Java you will need to reinstall it.
Note: Classroom machines will continue to have Java Runtime and Development Kit installed by default, and will run Java 7 until summer 2015 to avoid disruption to teaching.
We have been testing Google Chrome in PC classrooms since mid-December and will soon be making it available to all office machines via Run Advertised and Software Center.
There are, however, some limitations to using Chrome as your chosen browser on a managed desktop. For example, the settings that Chrome creates won’t roam like those of other applications on the managed desktop: if you log on to a machine and customise Chrome, then log off and log on to another PC, those settings won’t follow you and Chrome will open with the default settings. For the best experience we recommend you sign into Chrome with your work Google account, which will synchronise the settings with Google.
Quote from Microsoft:
The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent attackers from gaining access to computer systems. EMET anticipates the most common attack techniques attackers might use to exploit vulnerabilities in computer systems, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET protects computers even before new and undiscovered threats are addressed by security updates and antimalware software.
The idea is that if someone opens a malicious Word file or PDF, EMET will detect the exploit and stop the application, preventing the infection. EMET won’t replace McAfee; it’s designed to work alongside any antivirus/antimalware product.
If EMET does detect a problem the users can be notified by a popup:
It’s being used to provide additional protection to the following pieces of software: Internet Explorer, Opera, Firefox, Microsoft Office, Adobe Reader, Java, VLC and 7-Zip.
We’re currently testing EMET 5.1 in some of our classrooms. We’ll continue the rollout in our classrooms and then trial it on office PCs before rolling this out further.
The Windows firewall was disabled in Windows XP for compatibility reasons, and Windows 7 was set up the same way. As part of improving the security of the managed desktop we’re looking at enabling the Windows firewall on all managed machines.
We’re interested in hearing if any DCOs currently remotely access managed desktops.
It is likely that when enabling the Windows firewall we will leave the Remote Desktop functionality enabled, as this is a popular way for people to get access to their desktop from anywhere on campus or from home. However, once the firewall is enabled you’ll be unable to remotely access any other service unless an exception is created. Please get in touch if you remotely access managed desktops so we can assess the impact of this change. The most popular examples of remote management are mapping a remote machine’s C drive or using Computer Management/Regedit to connect to remote machines.
Currently an office machine gets the following plugins installed by default: Adobe Flash, Adobe Reader, Adobe Shockwave and Java. Once the migration to SCCM 2012 is complete we want to reduce the default plugins to just Adobe Flash and Adobe Reader. You will be able to install the other plugins from Software Center; they will then be updated and maintained as usual.
The primary reason for this is to improve the security of the managed desktop. Removing unused plugins reduces the risk that a machine will be exploited to install a virus or malware. We’ve also had comments from users that they don’t like being prompted on a regular basis to update software; removing software that isn’t used will reduce the number of notifications.