Maximize your protection, eliminate business risks.
Optimize and modernize with cloud transformation.
Empower your people to work securely from anywhere.
Let us handle IT so you can focus on growing your business.
Get multichannel 24/7/365 expert end-user support.
Protect, detect, and respond—Dataprise keeps your business secure.
Maximize uptime with with industry-leading DRaaS.
Swiftly mitigate cyber threats and restore security.
Improve efficiency, productivity and outcomes with cloud.
Ensure all mobile devices, everywhere, are secure.
Gain a competitive edge with strategic IT solutions.
This battle-tested checklist enables your team to swiftly initiate a ransomware response.
IT for businesses of all sizes, in any industry.
Empower institution growth with custom IT solutions.
Ensure your firm is always in compliance.
Improve patient care and staff morale.
Deal with pressing legal matters, not IT.
Keep up with the evolving digital landscape.
Focus on your mission by outsourcing IT.
Keep production running with secure, always-on IT.
Accelerate PE client deals and secure data.
Empower Your Municipality with Secure, Reliable IT Services
Execute initiatives and develop IT strategies.
Get the latest industry insights and trends.
Join us at events in person and online.
Hear from clients and learn more about strategic IT.
See how Dataprise can make IT your greatest asset.
Get informative technical resources from IT experts.
Stay on stop of emerging cybersecurity threats.
Discover the key areas of DR your organization needs to address to ensure downtime is minimized.
Gain a strategic asset by bringing harmony to IT.
Ensure 24/7 support and security with dedicated teams.
Drive business forward by partnering with Dataprise.
Meet our one-of-a-kind leadership team.
Discover the recognition Dataprise has earned.
Help us help businesses with strategic IT.
Grow through acquisition and partnership with Dataprise.
Embracing different perspectives and backgrounds.
Find a Dataprise location near you.
Dataprise is committed to empowering more women to consider a career in technology.
Explore our trusted partnerships with leading tech innovators.
Posts
By: Stephanie Hamrick
Table of content
Revision Control in SCCM is not easy, but it does work extremely well if you are willing to put some effort into it.
My personal use case scenario for for this is attaching security scopes to Task Sequences for the purpose of version control.
This approach is a bit ham-fisted, but it requires the least privileges to be given to the ‘Operator’ and the least amount of training–which in turns allows more time for writing blogs. Most importantly it prevents your helpdesk guy who somehow has admin access to SCCM from deleting all the things.
One of the strategies you can use to keep track of changes to your Task Sequences is to force your admins to make a copy of the Task Sequence every time they want to alter it.
Four extra steps you can perform to enforce this behavior:
What we’re doing here is preventing an admin from making ‘improvements’ to a production Task Sequence without testing it.
Pretty basic, it’s a single click.
Be default the first account that installs SCCM gets the ‘All’ Security Scope added to it. Most organizations just add a single Security Group called ‘SCCM Admins’ which inherits the ‘All’ Security Scope. We need to change this.
Definition of Scopes:
ALL – All current permissions and future permissions. Does NOT respect Security Scopes.
DEFAULT –As above except it DOES Respect Security Scopes. New objects receive ‘Default’ scope.
Steps to Remove ‘All’ and apply our new scope:
In my example we are only preventing the ‘Backup’ task sequences from being modified, deleted, or otherwise ‘improved’. Best practice would be to apply these changes to production Task Sequences but this will make your phone ring. Either approach allows you to restore a TS within seconds and without having to yourself make a call to the backup admin.
In the screenshot above we removed ‘Default’ scope. This step is mandatory, otherise default permissions will not be removed.
So far in steps 1-3 we have completely removed the permissions for non-authorized users to delete or modify Task Sequences. What we have NOT done is disallow access to altering these permissions.
This is acutally by design. As it stands right now no user, other than yourself, can delete or modify the highlighted Task Sequences but any admin worth their salt can undo changes we made in Step 3 and re-gain access.
If this is not desirable, you will need to modify copy and reassign ‘Full Administrator’ role to all users / groups (except yourself) and remove the ‘Modify Security Scopes’ permission while you do it.
One thing we did not cover yet is what is an admin to do with an old task sequence after he created and deployed a new one? Since we removed their ability to delete these, how do they move forward?
Here is a simple workflow your admin goes through in order to update a Task Sequence in this scenario:
This is the final step. Instead of Deleting a task sequence which they now do not have permission to, the admin should delete the Deployment of this task sequence and preserve the original as a backup.
JacobR, PEI
INSIGHTS
Subscribe to our blog to learn about the latest IT trends and technology best practices.