Ubuntu and take your device to work

This week I attended through work a presentation about Endpoint Management with a focus around the whole “bring your device to work” megatrend the experts are talking about.  In case you haven’t heard this discussion is all about allowing an end user to purchase or use their own device instead of a corporate device.  Examples given in this presentation are large New York City based banks encouraging people to use their own devices (usually a Mac) as a recruiting tool to help attract top talent.  The presentation focused on how will IT manage these devices (patch, deliver software, track inventory, etc) on a non-corporate device.  In the past someone in IT decided what version of desktop/laptop (either a Dell or an HP) and then decided on an operating system (Microsoft and still for a lot of shops XP).  Now we are seeing a growth of whatever type of device the end user wants (anyone have this at their work?).

The interesting part about the discussion was the focus on Mac and how companies are managing them.  Macs in the corporate environment are growing and growing (heck I moved to one) and companies have to figure out what to do w/ them.  Thankfully the product I consult around (Altiris Client Management Suite) has perhaps the best Mac management outside of Apple. When asked about where the expers see Linux in the corporate world the expert replied it still exists within the walls of the datacenter (whether on premises or off premises in some form of cloud) and it really doesn’t exist in the corporate desktop (at least in the US).

This is a large frustration I have with Ubuntu is that it could focus on the corporate environment and potentially increase market share but instead chooses to focus on TVs and potentially mobile devices.  Canonical could partner with the various Endpoint Management software vendors (Microsoft, IBM, CA, Symantec, Dell, etc.) to support Ubuntu.

When I show up w/ my own laptop running Ubuntu there are certain things I’m required to have or report on including up to date with patches, has up to date antivirus and definitions and is able to be managed by the corporate management solution.  So Canonical, fire up those partnership agreements or whatever is needed and get your operating system supported by more vendors so the corporate desktop market share can grow

Configuring the Symantec Asset Management Workflows

This document covers the Symantec Asset Management Workflows that ship with Asset Management 7.1. There are three workflows out of the box: Hardware Request, Software Request, and Ownership Validation. This document will cover configuring the workflows and assume the following:

• Symantec Management Platform 7.1 is installed
• Asset Management Solution 7.1 is installed
• CMDB 7.1 Solution Installed
• Workflow Solution 7.1 installed with access to ProcessManager and the ProcessManager Database
• Accounts in the CMDB with the following:
  • Manager relationship configured
  • Email address
  • Ownership of a computer

Finding the Workflows

The workflows reside on the Symantec Management Platform that has Asset Management Solution installed. In this example, my workflow server and my SMP are different systems. I will need to publish the workflows on my workflow server.

The workflows are found in the directory that Altiris is installed in, in this case it is d:\program files\Altiris\AssetManagementWorkflows\WorkflowsPacks. These directory looks like the following:

Publishing the Workflows

These steps need to be repeated; in this document we will only cover publishing one of those workflows. To publish a workflow follow these steps:

1. Double click the workflow to unpackage the workflow, when prompted (as per the following screenshot)

   

2. In Symantec Workflow Designer select “Publish Project” and the following screen appears:

   

3. Select the SMP server and select Next until the workflow project is published
4. Repeat these steps for each workflow in the directory

 

Configuring the Workflows

In the 7.0 version of these workflows there was an MSI that installed, published and launched the PostInstall setup wizard to perform the confirgurations needed. We will launch the wizard manually.

1. Open up Internet Explorer and browse to the Postinstall Wizard found at: http://servername/AM.InstallationPostInstallWizard/default.aspx and you should see the following page:

   

2. Login w/ an account that is an Administrator in ProcessManager.
3. Start the configuration by providing the address of the Process Manager, Contact information and Symantec Management Platform information which will look like the following:

   

4. After hitting continue select Next and fill out the email information

   

5. There are several variables that need to be filled out in this step of the workflow. These are used in different parts of the workflow

   

   1. Process Managers: Any errors generated by the workflow will be sent here
   2. Purchase Managers: Any successful approval will be sent to this email
   3. Asset Managers: When an item that is outside of the Catalog is added this email address will be notified. If something outside of one of the catalogs is created, the Asset Manager needs to add to the catalog before the purchase order can be created
   4. HR Managers: This email address is used when an asset is no longer owned
   5. Security Managers: This email address is used when an asset is no longer owned

 

1. Once you have filled out those email address and select more information will be filled out:

   

 

1. The next step is to provide the different reasons for a new purchase and any additional reasons for change in ownership of an asset which looks like the following:

   

2. Upon selecting continue the setup process will create the application properties needed for the workflow to work

   

Using the workflows

The workflows are created under a new Service Category called Asset Management and look like the following:

Using these workflows will be covered in a video or an additional article

Altiris 3 Day Workshops Thanksgiving Week

The company I work for, ITS Partners, Thanksgiving week is offering three workshops focusing on Altiris.  These workshops are all offered remote and will include hands on with the Altiris or Service Desk system.  These 3 workshops are $2,000 per person and if you are interested give It’s a call at (877) ALTIRIS.  Slots are limited so reserve yours today.  Workshops available:

• Console Configuration:  This workshop will go over console configurations, security and best practices.  This workshop has been created from feedbck we have received from our customers.  The workshop will be very hands on with you having your own lab environment.  When you are through with the workshop you will be competent in the below areas:
• Go over console security
• How to create console security roles
• How to create organizational views and groups
• How to create filters
• How to create custom menus
• Console management best practices
• Reporting:  This workshop will go over Notification Server native reporting and IT Analytics.  This workshop has been created from feedback we have received from our customers.  Did you know that IT Analytics is included with upgrade protection?  This workshop will be hands on in your own lab environment.  When you are through with the workshop you will be competent in the following areas:
• Data structure
• Where to look for information
• How to use variables in reports
• How to create drill down reports
• How to use security scopes in reports
• How to create Notification rules
• How to use IT Analytics
• Service Desk: This workshop will go over Service Desk and the workshop has been created from feeback we have received.  This workshop will be hands on and you will have your own lab environment.  When you are through with the workshop will be compentent in the following areas:
• Routing rules
• Review built-in process
• Create a simple rule based on priority
• Discuss custom routing based on classification
• Reassignment rules
• Review built-in process
• Create a simple rule based on priority
• Discuss copying routing rules to reassignment rules
• SLA timers
• Review built-in process
• Discuss and demonstrate changing timers
• Changing urgency and impact
• Review where the values are set
• Change the friendly values on the Self Service feeder
• Discuss and demonstrate changing the priority matrix

For more information: http://www.itsdelivers.com/training_details.php?class_index=1251764

A review of ITSM 7.1 Beta: ZOMG it’s a new console

The beta everyone has been waiting for is here, the release where Altiris finally joins the 64-bit age, the release everyone has been waiting for. The screenshots in this guide reference the beta and can and will probably change before release. This is not an exhaustive review of the system, but quick impressions.

The big change is the requirements software/operating system wise that are required:

• Windows Server 2008 R2
  • This is 64-bit only
• SQL Server 2005 and SQL Server 2008
• Microsoft Silverlight
• Microsoft .NET 3.5 SP1 or higher

The biggest thing to note is finally we are moving to a 64-bit platform and I can stop cringing before I explain that Altiris still runs on Windows 32-bit only. There are some minor gotchas during the install but the Install Readiness Check should take care of all of them for you.

Let’s get on to the cool stuff…

The above screenshot covers the new console shown from the computers point of view. The first thing I noticed was it looks a bit like Outlook, but overall pretty excited about the change.

The computer section is broken down into Saved Searches and All Computer Views. Saved Searches is prepopulated with New Computers and Installed Agent. Other saved searches can be created and saved in this location. The All Computer Views is built from the Organizational View and Groups and utilizes what you have setup there.

By clicking on the computer (in this case Beta7) it provides a basic resource manager view on the device (same view as the Resource Summary page in Resource Manager). All other functionality is similar in this section including right click options.

New to the computer view is the fly-out on the right side of the console that include options such as the Resource Manager, Installed Software Reports, and other right click options (see the following screenshot).

The Jobs and Tasks and Policies sections are similar to navigating to Manage -> Jobs and Tasks or Manage -> Policies. See the following screenshot.

The other that has gone through a lot of change is the “Software” portion of the console (see the next screenshot) and is broken into three sections: Installed Software, Metered Software, and Deliverable Software.

All of the software listed here is either from the software catalog or from software inventory. Since I have Asset Management installed, I have the ability to add or manage my license for the particular piece of software. Metered Software allows me to leverage Usage Tracking and create new Application Metering policies. Deliverable Software is where I work w/ the Software Catalog and have the ability to create software delivery policies.

When I select a piece of software and click on “Manage this software” a new window opens:

From here I can define the inventory information, whether or not I am metering the software, configure the software delivery information, and then if you are using Asset what software licenses.

Adding a new software resource is done through managing the software catalog.

One of the cool things I haven’t figured out is the changes to Workflow in ITSM 7.1. The following screenshot shows some of the changes.

The Workflow Enterprise Management provides health of your different workflow servers. But I don’t know much more about it and looking forward to learning more.

 

I hope this brief overview of some of the changes to ITSM 7.1

Asset Management Ownership Validation Workflow

In Asset 7 there are three pre-built workflows that ship from Symantec:

• Hardware Request
  
• Software Request
  
• Ownership Validation
  

I’ve previously talked about setting up the workflows on the server, this post is going to cover the Ownership Validation workflow.

The workflow is exposed via a right-click menu in the Management Console.  To run the validation workflow against a computer, right click on a computer in the management console and select Ownership Validation as shown in the following screenshot:

After clicking on the workflow the process is launched as per the following screenshot:

In this case, I am listed as the owner on the device. An email will be sent to the address listed, this information is coming from the Users listed in the management console, which is synced from Active Directory.

If I switch over to my email, I will an email asking me to get started with the Ownership Validation:

The text for this email can be customized through the workflow designer to better meet the needs of your organization.

After clicking on the link (View Ownership Validation) a webform is opened.

In the above screenshot all of the machines that I am listed as being an owner in the Symantec Asset Management system are displayed. I have two options, either Have or Not Owned. Once I have selected a status, the computer will show up in the correct location.

NOTE: No changes will be actually be made in the management platform through this workflow. If you would like that to happen the workflow would have to be modified in the workflow designer.

 

After selecting the correct status, click on the Next button and proceed to the next portion of the webform.

In this case there are two machines that I am not the owner of. I will need to provide a reason why the machines are no longer owned by me. These reasons are setup in the installation of the workflows (see the earlier article on installing the workflows). The default options are Lost and Retired.

By changing the status, I will generate an email to asset administrator (as setup in the installation of the software).

The above screenshot is the notification to change the status of the devices and is the end of the ownership validation. As mentioned, this workflow does not change the status in the console, it just notifies the asset administrator of the changes that need to be done.

Drop me a note if you have further questions

Setting up the Altiris Asset Management Workflows

This blog post will cover configuring and setting up the pre-built Asset Management Workflows that ship with Altiris Asset Management 7. It took me several times to figure out how these are setup and working, so I am trying to pass these hints and trips on to you. While KB Article 51165 talks about installing the workflows, there are still some issues that need to be addressed, specifically on a fresh install.

The first step is extracting these workflows which can be found under the NSCAP share (\\servername\nscap\) in a zip.

Once those files are extracted you will need to run setup.exe to launch the installation.

Setup will launch and the pre-requisite check starts

A couple of things to point out here:

1. You must have workflow installed and setup first
2. Workflow portal must be installed

If none of these items are installed or configured the installation will fail. NOTE: The first time I ran the install, I did not have the process manager installed and ran into a problem when I exited the installation, installed Process Manager and retried the workflow installation

.

This is where the install gets a bit tricky and is not documented in the knowledge base article. On the next screen there is a link to launch the configuration wizard of the Asset Workflows. One of the problems I have run into is the default admin account (admin@logicbase.com) is not a part of the administrators group in process manager. The configuration wizard requires the account you are using to be a member of the administrator group. The following screen shots will walk you through configuring and adding a user to the Administrators group. To access the process manager, open your browser to http://servername/processmanager and login.

When you login as the administrator you have access to multiple tabs, the portion we will be working under the Admin tab and then Users.

After selecting the admin group on the right we need to select “Manage Groups” and add the Administrator group.

All of these changes can be done while you have the installation process up and running. After that select the “Open Setup Wizard” to configure the workflows.

 

The next screen requires certain information to be filled out before the configuration will move on. Besides filling out the location of the Symantec Management Platform and location of process manager, you must provide an Error Contact Name and an Error Contact Info. The screen looks like the following:

 

 

The next screen deals with email configuration. This screen tripped me up several times as my test lab did not have email configured, connection to a SMTP server and reply-to-address is required.. The screen looks like the following:

In the next screen we will configure 5 different accounts, Process Manager Group, Purchase Managers Group, Assets Managers Group, HR Managers Groups, and Security Managers Group. These emails must be configured and valid for the configuration to complete successfully. Below is the screen shot:

The next to the last step is assigning users to the different roles: Process Managers, Purchase Managers, and Asset Managers. These users are found within your Process Manager, and the following screenshot shows what it looks like:

The last step in configuration is to setup the business justifications and reasons for loss of ownership. The business justification is used in the Software/Hardware Request workflow and the loss of ownership is used in the Ownership Verification Workflow. If you are going to use additional values you can add them in at this time.

Congratulations these workflow are now configured and can be accessed through the process manager. Also the Ownership Validation Workflow can be accessed through a right click option in the Symantec Management Platform.

What is missing from Ubuntu?: Manageability

A recent blog post on planet.ubuntu.com, argues the one thing that is missing is manageability of the Ubuntu system.  I couldn’t agree more with this post.  In the post the author argues the problem with Ubuntu adoption in business is not how shinny things look, or how well the software works in the cloud, the problem is management of systems.

A little background here:  For the last 4 years or so I have been an endpoint management consultant (laptops/desktops/severs).  I have clients that manage anywhere between 50 desktops and 150,000 desktops.  For Windows desktops there are numerous companies that allow you to manage those machines and reduce full time equivalencies (FTE’s).  Some examples are:  Altiris, Landesk, Kace, etc.  Canonical has created its own solution Landscape instead of working with the existing companies to get their product (Ubuntu) supported.

What really stands out from this entry is this section:

And so, Microsoft continues to win on the desktop. Not because an individual PC running Windows is easier for most people to use, but because its easier to set up Active Directory to work with Outlook and Exchange than it is to roll your own directory service with the tools available out of the box on Ubuntu. Bug #1 will never be solved until directory services and authentication are integrated into every aspect of Ubuntu.

And he couldn’t be more correct.  Until there is a true competitor to Active Directory, Exchange, Outlook, and the MANAGEMENT of the machines Ubuntu will not succeed in the Enterprise.

Take a look at the blog and all the blueprints that have withered without focus in regards to the issue:  (List taken from the blog)

• Turnkey identity management
• Identity management reference/test config
• Default LDAP DIT for user and group management
  
• implement simply DIT for Ubuntu server
• Make Ubuntu authenticate against Network Authentication services
• Single User Interface to Join and Participate in Microsoft Active Directory Domains
• Architecture of a directory infrastructure
• Enable user login to leverage a directory infrastructure
• Identity management and network authentication in Hardy
• Integrated Active Directory Logon
• 389 Directory Server Inclusion in Karmic
• Directory service included in Ubuntu Server
• Configuration of services to integrate with a directory
• Enable services to leverage a directory infrastructure
• Open Directory Service package
• Integrate OpenDS in Jaunty
• Search for a published printer in an Active Directory
• EdubuntuUserManagement
• Easy active directory integration for EDUbuntu
• An integrated directory server for Ubuntu-server
• LDAP Integration
• Ubuntu Server MS Integration Proxies
• Seamless integration into a Windows domain environment (Active Directory)
• Make a LDAP Server as easy to install as a LAMP Server
• Managing the directory
• System Security Services Daemon for Ubuntu
• Make LDAP the default configuration backend for Ubuntu
• Create new tasksel tasks for common server use cases
• Free Identity Policy Audit infrastructure for Ubuntu as the freeipa.org project
• Authentication/Authorization/Access control/Accounting/Auditing services in the cloud
• Extend mail stack in Ubuntu-server
  

Getting caught up on links

Have a lot of links in my browser tonight but haven’t had a chance to digest and really understand all of them.

So this post is a dump of a bunch of them, to come back later with more thoughts on

1.  25 Scenes from Symantec Vision:  Missed Vision this year but didn’t hear much about it.  Find it interesting how they comment on things us old Altiris people take for granted, such as Steve Morton’s Keynote style, Usergroup challenge, etc.

2.  DLP: Million Problems – One Solution:  Haven’t read this one yet, but looking forward to it

3.  DLP – Protecting What Matters Most:  Seems to be an overview of DLP, will have to read this one through

4. States’ Rights Come to Security Forefront

5.  DLP Primer

6.  Data Loss Prevention comes of Age

ITS is hiring

I know all of you follow and check into our website every day, but we are announcing we are looking for a new Altiris Consultant to join our company.  ITS is one of the National Partners that Symantec has and we are looking for a new consultant.

From our website:

ITS is currently looking for experienced Altiris Consultant / Engineers to be responsible for providing on-site, enterprise systems/process design and implementation services for our clients and partners. This individual will be responsible for implementing lifecycle management solutions and services.

Non-Technical Requirements

• Prior on-site consulting experience is preferred.
• Effective presentation and communication of technical product details and best practices.
• Assisting customers with product implementations.
• Creating design, implementation, detailed process and post engagement documentation.
• Travel required.
• Knowledgeable in the assessment, planning, design and implementation of systems and/or availability management tools.
• Familiarity with ITIL best practices and processes.
• Assume leadership on engagements and work without direct supervision, interfacing with the customer IT and business-function leaders.
• Active role in the Altiris Sales Process which includes proposal creation, Altiris presentations, sales calls, research, and project scoping.

Technical Requirements

Working knowledge of system management software is preferred.

• Altiris
  • Asset Management Suite
  • Client Management Suite
  • Deployment Server
  • WISE Studio
  • Helpdesk / Service Desk 7
  • Symantec Workflow Solution
• LAN Desk
• Microsoft SMS

For more information see our website: www.itsdelivers.com/about.php

Introduction to Altiris Deployment Solution 7.1

I recently delivered a webcast for my company on Altiris Deployment Solution 7.1 and wanted to post this to share more thoughts and also maybe expand on some of the things covered there.

Deployment Solution 7.1 is currently in the release candidate stage and can be found at beta.altiris.com under the IT Management Suite, which include Client Management Suite (Inventory, Patch, Deployment, etc), Server Management (Deployment Solution, Monitor Solution, Patch Management, etc), Workflow Solution, Asset Management, CMDB, and Service Desk.

The first thing we need to talk about when discussing DS 7.1 is that it is built on the Symantec Management Platform 7. When the 7.X platform was first announced there was much talk about the integration between DS and NS and whether or not it actually would happen. DS 7.1 is where this integration occurs.

Let’s expand on this integration a bit before going further. For a long time we have told the story of one agent, one console, one database, however as we all know this is not the case. We have the dagent, the aclient, the eXpress database, the Win 32 Console, the Altiris Agent, the Symantec_CMDB, the NS Console, etc… Now that has all changed, because DS 7.1 is built on the SMP (the old Notification Server) we are leveraging all parts. We now truly have one agent, one console and one database. Gone is the Win32 console, the aclient, the eXpress database and even the slow DS Web Console.

Below is a screenshot of SMP 7 and DS 7.1:

When Symantec started talking about integrating the DS and NS the first complaint was “Does this mean we are going to lose the drag and drop functionality of the DS Console?” Shortly followed by “Will this new console be as slow as the current DS Web Console?” Symantec has addressed this by leveraging Microsoft’s Silverlight technology to give us not only a faster web browser, but drag and drop capability.

The DS Portal is where you will spend most of the time working w/ Deployment Solution 7.1. This has the look and feel of the Win32 console with my computer, my jobs and tasks and information about the current computer all displayed on it.

One thing on the DS Portal to get used to is the “Getting Started” flyout that is visable as an arrow on the left side of the screen and is pictured below

 

The first step will be to discover the computers you have, then push out the DS Plug-in to them. These plug right into the NS Agent, once again no separate agent to worry about. From the “Getting Started” portion we can continue the setup of the solution, from how disk images work, what type of drivers we are loading, multi-casting and even PXE server configuration.

Let’s take a minute right now and put it right out in the open… Yes DS 7.1 supports PXE. This is a question that I am always asked when I start talking about DS 7.1. The confusion is DS 7, which came with the first release of CMS 7 only supported Automation Partitions. Now DS 7.1 supports both Automation Paritions and PXE booting. More on this later.

Back to the integration… One of the key parts of SMP is the ability to use Organizational Views and Groups. Because of the integration, we can leverage the groups in DS 7.1. Let me explain how this works… I setup my organzational groups (or import them from AD) and then assign management rights to users (this replaces NS 6 secured collections). Now a user can see and manage only the computers he has permission to. See the following screen shot for an example:

So now as a local admin of the Grand Rapids office I can only run jobs and tasks on the computers in and I don’t see any of the computers in Chicago and Atlanta. By leveraging Organizational Vies and Groups we change how the security was set in DS 6.9.

Another key part of the integration is the ability to leverage hierarchy and replication. In SMP 7 we now have true parent/child relationships, the ability to set policies/packages/etc from the parent and have them filter down to the child. This includes images and DS jobs and tasks. Most enterprises have multiple Deployment Solutions and it has always been a pain to keep them synchronized. By leveraging hierarchy we are solving that problem.

So we’ve spent some time talking about the integration and leveraging some of the benifits of the Symantec Management Platform, let’s now talk about tasks, imaging, etc.

As mentioned earlier, the DS Portal built on Microsoft’s Silverlight technology gives us the drag and drop that we came to expect in the Win32 console. To access the DS Portal, from the Management Console select Home -> DS Portal.

To create a new job under the DS Portal, right click under the folder and you would like to use and select New Job. The following screenshot shows the Jobs and Tasks portion of the DS Portal.

Under the Deployment and Migration folder is where any default jobs and tasks. (You can create other folders as well, based on your security and permissions.) When I select New Job, it displays the following image:

This interface is the Job and Task interface from Task Server which you might not be familiar with if you haven’t used it before. There are two ways to add tasks to a job, one create a new tasks or add an existing task. Because we are leveraging the task server portion of the SMP, any task we have created in the SMP we can use as part of a DS job. An example would be deploying an image, pushing software with software delivery, running an inventory, and then pushing out patches; all leveraging a DS job. The options are endless.

 

The screenshot above shows the deploy an image task. Once an image is selected for deployment I select whether or not I’m using DeployAnywhere or not and if there are any credentials I need to pass to the image. To deploy this image I would drag the job to the computer I want to image and it will run.

Creating an image is about the same, it is a task that runs through the Symantec Management Platform but has different options which are shown in the following screenshots:

Selecting compression and maximum file speed

Capture an image over http

Once an image has been created it can be deployed as another job using the Deploy Image task.

This has been a quick overview and whirlwind tour of Deployment Solution 7.1. If you have any questions drop me or note or if you want to see an email drop me an email as well..