Centero’s PAM product Carillon to Get Support for Azure AD

Advanced Customers Help Our Product Development

Centero’s software development unit is currently working on Carillon. We have long been waiting for this Carillon feature: proper support for managing devices connected to Azure AD. Requests for the feature have come mainly from customers who benefit from modern workstation management. And these are precisely the wishes that Centero’s people at the customer interface are eager to pass on to product development.

This year development has taken leaps, especially on the latest addition to the Centero Software Manager product family, CSM for Intune. CSM for Intune is now at a stage where we have been able to allocate manpower to Carillon development as well. CSM for Intune and Carillon’s Azure AD support go together like knife and fork. Both go straight to the top of the Christmas wish list for anyone who does modern Windows 10 device management for a living!


What is the Azure AD connection?

But before we release the latest version of Carillon, let’s chat with the wizards at product development and ask them what is what.

Here’s how Mr. Carillon, a.k.a. Juha Haapsaari, puts it: “What we are doing is making it possible to target the Carillon rules directly to Azure AD’s groups and devices. New Azure AD devices can be brought directly into Carillon, meaning we’re eliminating a lot of manual work.”

Centero’s Janne Tjäder, who is leading our software development unit, adds his two cents: “If the customer has devices that are only connected to Azure AD, their management takes a big leap here.”

A fair number of Centero’s customers are IT service providers, so do tell: does this feature work on a multi-tenant basis as well? Not to worry, says Juha: “Multi-tenant management works for Azure AD’s tenants as well.”


What is Carillon?

It’s a so-called PAM (Privileged Access Management) product. Carillon enables centralized management of local access rights and genuinely temporary admin upgrades on Windows devices.

With the product you can say goodbye to the permanent admin privileges that you were giving out to users and that were causing cyber security concerns. If a user does need admin rights, it’s easy to give them a temporary upgrade to admin-level access rights. Users can also perform an operation that requires admin rights on their own device, entirely as self-service.

Carillon’s history goes back to 2007, and the product development has been constant. Previously the management-related rules were targeted mainly to the on-premise AD groups, but the development leap we are describing here brings Azure AD’s groups on board as well. The leap is especially significant in organizations that have bid farewell to the on-premise AD, or were never using it in the first place, and have their Windows 10 workstations connected to Azure AD. You can find more information on Carillon here.

A simplified image of Carillon infrastructure

How does the development unit work, then?

It’s always nice to know what’s going on under the hood, so let’s hit the mechanics with a few questions. This is how Janne Tjäder describes their work: “First we write out the specs on how the thing should work. Antti [Veikkolainen] then does his magic on the execution side. And the Scrum meetings are for following up on how the execution is going.”

Janne gives a short summary of the progress: “Antti has, for instance, built the functionalities that we need in the Carillon portal to add the Azure AD tenant. At the same time, we are making a new version of Carillon’s workstation client, as that also requires some related changes.”

And, as we are talking about coding, let’s hear out our coder Antti and what he has to say about the programming languages: “Mainly we use C# as a programming language, and the user interface is HTML.”


How to start using the Azure AD connection?

Once the product development unit has finished their work, it’s time for the customers to start using the new product version. And you obviously want to find out how it’s done. For this topic, Juha Haapsaari is the person you need to hear:

“The customer configures an Azure AD application at the Azure AD’s end. This application is given permission to read the Azure AD groups and devices. You need to create a so-called client secret in the Azure AD application. Once this is done, you can add an Azure AD tenant for management at the Carillon end. For this you need the tenant’s name, the application id, and the client secret just mentioned. With this information Carillon can read the information it needs from Azure AD.”

Does this then require any changes at the Carillon server end from our current customers? Here’s Juha: “You need to update Carillon’s components to the latest version, and you have to make sure Carillon is able to communicate with Azure AD.” As Janne already mentioned, the client will go through some changes, meaning the new client is of course deployed onto the devices with Intune or another deployment system.
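Because the application described above holds a client secret and only needs to read groups and devices, it is worth confirming that it was granted nothing more. The following is an added example, not Centero's or Carillon's code: it inspects the claims of an app-only access token issued to such an application and reports anything beyond the expected read permissions. The permission names `Group.Read.All` and `Device.Read.All`, the ids and the sample tokens are assumptions constructed for the illustration.

```python
import base64
import json
import time

# Assumption: "read the Azure AD groups and devices" is taken to mean these two
# Microsoft Graph application permissions; the page does not name them.
ALLOWED_ROLES = {"Group.Read.All", "Device.Read.All"}
TENANT = "00000000-0000-0000-0000-000000000001"  # constructed tenant id
APP = "00000000-0000-0000-0000-000000000002"     # constructed application id


def make_sample_token(claims):
    """Build an unsigned, constructed token so the audit runs offline."""
    def enc(part):
        raw = json.dumps(part).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


def decode_claims(token):
    """Return the JWT payload. Inspection only: the signature is not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_app_token(token, tenant_id, app_id, now=None):
    """Return a list of findings; an empty list means the token is as expected."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    roles = set(claims.get("roles", []))
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("issued by a different tenant")
    if (claims.get("appid") or claims.get("azp")) != app_id:
        findings.append("issued to a different application")
    if "scp" in claims:
        findings.append("delegated (user) token, not app-only")
    findings += [f"excess permission: {r}" for r in sorted(roles - ALLOWED_ROLES)]
    findings += [f"missing permission: {r}" for r in sorted(ALLOWED_ROLES - roles)]
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    return findings


if __name__ == "__main__":
    base = {"tid": TENANT, "appid": APP, "exp": time.time() + 3600}
    over = dict(base, roles=["Group.Read.All", "Device.Read.All", "Directory.ReadWrite.All"])
    print(audit_app_token(make_sample_token(over), TENANT, APP))
```
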


So, when is it ready?

As we said, Carillon’s new edition has been eagerly awaited. When is it available for customers? Janne Tjäder has a promising message: “It looks like it’ll be ready in December. In an optimistic scenario it might even be November.”

Here I want to quote a piece of ancient wisdom: “Always multiply a coder’s time estimate by two or more.” But in this case, we are looking at rather minor changes, so I’d say we can easily deliver during 2020. We’ll let you know the minute the day arrives!