Overview

This documentation contains the technical product description for the Managed OS v2 service. Contract-relevant information can be found in the respective customer contract and the service description.

Managed OS v2 comprises the operation of a server operating system by Swisscom as a service provider. The table shows an overview of the most important functions:

| Functions | Managed OS v2 Service |
|---|---|
| SLA on the OS | X |
| Monitoring | X |
| Alarming | Swisscom |
| Troubleshooting | Swisscom |
| Malware Protection | X |
| Patching | X |
| Reporting | X |
| Lifecycle (Swisscom Agents and Tools) | X |

On a Managed OS v2 VM, only Swisscom has administration or root authorization on the server. The flag SeDenyRemoteInteractiveLogonRight is set for Windows service accounts.

| Rights | Managed OS v2 Service |
|---|---|
| Administration rights on the server | Swisscom |

The application of temporary administration rights by the customer is possible, but leads to the suspension of the SLA.

Prerequisites and general conditions

The supported operating systems and versions as well as the other prerequisites for the purchase of the two product versions are described in this chapter.

  • An operating system certified accordingly by Swisscom. An operating system is certified by means of compliance checks, which are an integral part of the requirements.
  • The virtual machine must be based on a Swisscom Enterprise Service Cloud Blueprint.

Supported operating systems and versions

The Managed OS v2 Service can be ordered for the following operating systems and versions:

Operating systems Microsoft Windows:

  • Microsoft Windows 2019
  • Microsoft Windows 2022

Requirements

To obtain Managed OS v2 Service, the following requirements must be met, among others:

  • The server must have run through the Swisscom ESC staging process and been provisioned with a Managed OS v2 blueprint.
  • No customer-specific malware protection solution (agent) must be installed on the server.
  • The operating system must not be connected to a customer-specific patching solution.
  • The server must not be a domain controller or have any other domain services installed.
  • No customer configuration agent (Puppet, SCCM, LANdesk, etc.) may be installed or configured on the server.
  • The current VMware Tools must be installed on the server.
  • The server must be "hardened" according to Swisscom specifications.
  • The compliance check must be successfully completed. If one of the tests fails, Managed OS v2 Service cannot be offered. The customer is informed and can resolve the problems or apply to Swisscom for an exception. This can either be approved or rejected.

Note: Technical details on the requirements can be found in the compliance checks section.

For Managed Windows, the following prerequisites must also be fulfilled:

  • No applications may be installed on drive C:.
  • Service accounts must not be in the local administrator group.
  • The local user account Administrator (SID: S-1-5-21Domain-500) will switch to the responsibility of Swisscom.
  • The password for the User Administrator will be changed.
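
The two service-account requirements on this page (not in the local administrator group, and SeDenyRemoteInteractiveLogonRight set) can be pre-checked before requesting the compliance check. The following is an added example, not Swisscom's compliance check; the helper names `Get-UserRightHolders` and `Test-ServiceAccountRequirement`, the account names and all SIDs are constructed assumptions.

```powershell
# Added example, not Swisscom's compliance check. All names and SIDs are constructed.
# On a real server the two inputs would come from:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS   (then Get-Content rights.inf)
#   (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'   # constructed domain identifier

# Constructed excerpt of a secedit user-rights export
$sampleInf = @"
[Privilege Rights]
SeServiceLogonRight = *$dom-1105,*$dom-1106,*$dom-1107
SeDenyRemoteInteractiveLogonRight = *$dom-1105,*$dom-1106
"@ -split '\r?\n'

# Constructed stand-in for the SIDs in the local Administrators group
$adminSids = @("$dom-500", "$dom-1107")

# Hypothetical service accounts to verify
$serviceAccounts = @(
    [pscustomobject]@{ Name = 'svc-backup'; Sid = "$dom-1105" }
    [pscustomobject]@{ Name = 'svc-app';    Sid = "$dom-1106" }
    [pscustomobject]@{ Name = 'svc-legacy'; Sid = "$dom-1107" }
)

function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right)
    # secedit writes one line per right: "SeXxxRight = *S-1-5-...,*S-1-5-..."
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # the right is not assigned to anyone
}

function Test-ServiceAccountRequirement {
    param($Accounts, [string[]]$InfLines, [string[]]$AdminSids)
    $denied = Get-UserRightHolders -InfLines $InfLines -Right 'SeDenyRemoteInteractiveLogonRight'
    foreach ($a in $Accounts) {
        $rdpDenied = $denied -contains $a.Sid
        $isAdmin   = $AdminSids -contains $a.Sid
        [pscustomobject]@{
            Account = $a.Name; RdpLogonDenied = $rdpDenied
            LocalAdmin = $isAdmin; Compliant = ($rdpDenied -and -not $isAdmin)
        }
    }
}

Test-ServiceAccountRequirement $serviceAccounts $sampleInf $adminSids | Format-Table -AutoSize
```

With the constructed data, `svc-legacy` is reported as non-compliant on both counts. The comparison is by SID, so entries that secedit exports as plain account names would need to be resolved to SIDs first.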

Compliance Check Exception

A successful compliance check is a prerequisite for using Managed OS v2. If one of the tests fails, Managed OS v2 Service cannot be offered. The customer is informed and can resolve the issue (the recommended solution) or apply to Swisscom for an exception. This can either be approved or rejected. The approval needs to be requested via ESC Service Request.

Active Directory Resource Domain

Each Managed Windows VM is a member of an Active Directory Resource Domain owned and managed by Swisscom. For each customer at least one resource domain is built into which a Managed Windows VM is added. The Active Directory Resource Domain belongs to Swisscom in any case and cannot be reclaimed by the customer without the resource domain being deleted.

Between the customer domain and the resource domain there is a one-way trust. This means the resource domain trusts the customer domain. This also ensures that Swisscom employees cannot see or have access to objects in the customer domain.

Access to objects in the resource domain is controlled by delegations (View & Edit). This ensures that only the objects that are necessary for the customer are visible from the customer domain.
