It was recently reported that a Microsoft Windows and Office vulnerability was already being targeted by criminals. If you search Google for keywords such as Windows and zero day exploit, it’s interesting to summarise how many web pages mention each platform:
- Windows – Approximately 7 Million web pages
- Mac – Approximately 500K web pages
- Linux – Approximately 500K web pages
IBM’s X-Force team publish all new threats via their X-Force Alerts and you’ll see the usual suspects. As outlined in this CRN Article, IBM’s X-Force Team advised that attackers “use a path of least resistance to gain a maximum return on exploits”.
It’s one thing to be notified of these threats, but how do you confidently address them easily within your organisation? This is a particular challenge with thousands of PCs and Macs and a mobile workforce, some of whom may be travelling for days and not regularly connecting to a corporate network.
The good news is, there are tools that can help. Within hours of a vulnerability being identified, IBM’s Endpoint Manager team will package and re-test a published hotfix (or suggested alternative). For example, for the Windows and Office vulnerability outlined above, this is in the form of a temporary hotfix. This is then published by IBM in the form of a Fixlet, making this critical fix immediately available for all IBM Endpoint Manager servers and their clients. Each IEM agent then reports its vulnerability status back to the customer’s IEM console, so you have a realtime view of the number of endpoints affected.
The IEM administrator can “Action this Fixlet” (i.e. go ahead and fix those PCs and Servers thanks!), which will dynamically download the hotfix and apply it to tens or hundreds of thousands of endpoints. The administrator can once again view the remediation status in realtime. So at any time, the IEM administrator can report this information to their organisation or security auditors.
In addition to the range of operating system vulnerabilities/patches addressed by IEM, the following is a list of applications managed by the IBM Content Delivery Team (thanks to Peter Tuton for putting together this list):
- Flash Player (including browser plug-ins)
- Shockwave Player
- Remote Desktop
- Internet Explorer
- SQL Server
- Mozilla Firefox
- Nullsoft WinAmp
- Oracle Java Runtime Environment
How is your organisation addressing the Zero Day threat?
IBM Endpoint Manager provides clients with the ability to manage hundreds of thousands of endpoints from a single console. These can be a range of operating system types such as Windows, Linux, Apple Mac OSX and Unix. Oh, don’t forget mobile devices too!
You can install your IEM environment with a relay running in your DMZ, so you can also manage your mobile workforce and public cloud resources too. An IEM relay is simply any existing IEM agent that’s been given a few additional tasks. The relay provides bandwidth and server scaling benefits and is a proxy between externally managed devices and your internal network.
Your public instances will typically be Windows or Linux operating systems running on your public cloud of choice such as Amazon Web Services (AWS) or IBM Softlayer.
Configuring the IEM Client for Public Internet Instances
Each operating system you wish to manage needs to have the IEM agent installed. IBM offers a range of agents for Windows, Mac OSX, IBM AIX, HP-UX and Solaris. When the IEM agent is started, it will attempt to register itself back to your IEM server, using details stored within the actionsite.afxm (renamed from the masthead.afxm file). This file is unique to your IEM server and is stored on your IEM server in the Program Files (x86)\BigFix Enterprise\BES Installers\Client directory.
Of course, if you have a public cloud instance the IEM client won’t be able to reach your privately hosted IEM server. You need to provide the client a few additional details so it can ‘phone home’: your relay in the DMZ and its DNS name or IP address. These details are stored in the clientsettings.cfg file. The following article provides details on how to configure this, but all it requires is just one or two lines as shown in this example:
Of course, use your DNS server names. The clientsettings.cfg file is used when the IEM client is installed.
Deploying your IEM Clients
You may wish to deploy your IEM clients using the client deployment tool, Active Directory or login script as I detailed here. However for a public cloud environment, some platforms provide image deployment capabilities. Much like VMware’s powerful image template feature, with your cloud provider you will create a ‘gold image’ with your desired operating system, fixes, software and IEM agent installed. You need to follow the instructions in this article so the IEM agent is ready to work correctly as new instances are deployed from this image.
Amazon Web Services (AWS)
With AWS, you can create your gold image by creating an instance, shutting it down and selecting Actions – Create Image. You then have an AMI from which you can deploy new Instances as shown below. AWS provide the EC2Config service to also provide Sysprep and other image configuration features.
With Softlayer, you can use the same approach with their Flex Image. Softlayer also provide the ability to run a script on a newly provisioned SoftLayer device, which is another approach to configure client settings if required.
When your instances start for the first time, they will automatically register to the IEM server and be visible in the console. You’ll then be able to provide the following services from your console. This is possible for your private AND public instances!
- Patch Management – Operating System Patches, plus a number of 3rd party applications such as Java, Adobe etc.
- Core Protection – Anti-virus/Anti-malware
- Security and Compliance – security checklists such as CIS, DISA STIG, FDCC and USGCB.
- Software Usage
- Remote Control
If you have IEM baselines enabled, you can then be assured that those endpoints are automatically patched to a minimum level and an appropriate security posture is applied. IBM Endpoint Manager provides per server licensing, so you pay as those instances need to be managed. It would be great to hear from you if you’re managing Windows or Linux instances on AWS or Softlayer.
Buried inside many devices we don’t consider as PCs lurks Windows XP. These are devices like cash registers, vending machines, parking meters and automatic teller machines (ATMs).
Whilst Linux is one alternative, Windows XP has provided the right mix of reliability, multitasking and wide device support many organisations have needed. This trusty operating system was released back in 2001 and its support is finally ending on April 8, 2014. That’s less than 162 days from now!
For your home PC, popping in a Windows 7 DVD and doing an upgrade isn’t a big deal. However for organisations running ‘purpose specific’ devices on XP, this will involve an incredible amount of time and effort.
A recent article by Kevin Casey from Information Week advised that presently “around 75% of ATMs in the U.S. are based on XP”. I recently met with a retailer who advised their cash registers were tuned only for Windows XP. They simply won’t have the CPU and memory resources to run Windows 7. When you consider they have thousands of cash registers that might need to be replaced, it’s a significant outlay. So many organisations are understandably looking for solutions to manage XP for longer if they can.
The good news is that IBM Endpoint Manager (IEM) continues to support the Windows XP operating system. This includes our Core Protection module which provides anti-virus/anti-malware. This capability is critical for ATMs and cash registers, as hackers begin to target these devices. For example, malware was reportedly detected on ATMs in Mexico running Windows XP.
If you are in the position to upgrade these devices, IBM Endpoint Manager has an operating system deployment capability. This means you can remotely upgrade these endpoints to Windows 7 or Windows 8 (whether that be in-place or bare metal).
IBM Endpoint Manager can protect hundreds of thousands of endpoints, even those connected on very low bandwidth and high latency networks. This capability ensures a bank running IEM can update their ATMs reliably from a single console. For another financial client, SunTrust, this meant their patch cycle times reduced from 2-3 weeks to 2-3 days.
How are you preparing to migrate from Windows XP? How will you support it if you don’t?
Apple’s latest and greatest mobile operating system, iOS 7, is now available. From all reports, over 30% of all iOS devices were updated in just 16 hours! I’m still making the adjustment to doing things a little differently than before. I found it ironic that I needed to call on Google to find the answers I needed. For example, how do I search in iOS 7 or kill running apps? Overall, I do like the new look and feel.
For organisations, Apple has released a range of new Mobile Device Management (MDM) features too. IBM Endpoint Manager provided same day support for iOS 7 as per previous iOS releases. Since IEM leverages a cloud service to distribute updates for Windows, Mac, Linux and Unix, it can update the product itself to leverage these new services immediately.
There has been a lot of great coverage on iOS 7 MDM from experts such as Jack Madden who has explained the key features and benefits. I noticed that Apple has just updated its iPhone in Business web page to reflect iOS 7 too.
The key MDM features of iOS 7 are:
- Open In management - Protect corporate data by controlling which apps and accounts are used to open documents and attachments
- Per app VPN – Configure apps to connect to a VPN when launched
- App Store License management - Companies can assign apps to their users while keeping full ownership and control over app licenses
- New MDM configuration options – see below
- Streamlined MDM enrolment – Devices can be automatically enrolled in MDM during activation
- Enterprise Single Sign-on – Authentication can be done once to a number of applications
I haven’t yet found the ‘definitive list’ of iOS 7 MDM features, so I decided to put one together like I had for Samsung SAFE, so companies and their staff clearly know what features can be configured and controlled with iOS 7. Here it is; if you have any omissions or corrections please let me know.
There are five new Apple iOS 7 configuration profiles:
- AirPlay – Add AirPlay devices and their passwords
- AirPrint – Add AirPrint printers
- Font – Add fonts. Maybe if you have corporate fonts on devices?
- Single Sign-On Account – Define the SSO account and Kerberos realm name
- Web Content Filter – Enable AutoFilter, whitelist bookmarks and blacklist web sites. This article provided more details.
Then there is a range of detailed configuration items listed here:
- Allow fingerprint to unlock device
- Allow Account Modification (Supervised Only)
- Allow Cellular data usage for Apps (Supervised Only)
- Allow Host Pairing (Supervised Only)
- Allow Wifi and Airplane Mode on Locked Screen
- Allow Open Documents from managed to unmanaged apps
- Allow Open Documents from unmanaged to managed apps
- Allow over the air PKI Updates
- Allow Airdrop (Supervised Only)
- Allow Find My Friends (Supervised Only)
- Limit ad tracking (Supervised Only)
- Allow apps to autonomously enter Single App Mode (Supervised Only)
- Allow Cloud Keychain Sync
- Additional AppLock configuration settings
- Lock Screen
- Allow Access to Control Center
- Allow Notification View in Notification Center
- Allow Today View in Notification Center
As I do more testing with iOS 7, I’ll share my experiences and other applicable news on this blog.
Divide is a container solution for Apple iOS and Android devices. Divide is an app that acts as a workspace, or container, that mimics device capabilities while isolated from the rest of the device. This container solution allows information within Divide to be secured and managed separately from the rest of the device.
The latest release of IBM Endpoint Manager for Mobile Devices can also manage endpoints with Divide containers. So you can have the best of both worlds, managing mobile devices with their native management features or users with corporate services within a container.
You will want to have installed the Divide client on your mobile devices and you can request a trial of their enterprise console here.
I’ve documented the steps to integrate IEM with Divide below:
- Select the Setup and Configuration Wizard and open Setup Enterproid Divide Management Extender. Note that you’ll need to obtain an access token by clicking on the link provided. Enterproid sent me an access token for our company’s domain name.
- Select Deploy Management Extender for Enterproid Divide and then select Take Action
- Select the server where this will be installed. I chose the same server as my MDM Management Extender. Ensure this server has TCP port 443 access to api.divide.com
- It takes a number of minutes for the appropriate software to be downloaded automatically from IBM’s cloud service and installed. If you specifically define which computers are members of the MDM site, ensure the Divide plugin is included too (see device type plugin explained here). You’re then ready to select Configure Extenders
- Select the Divide Container as shown. Then enter your Divide domain name and access token. I copied the access token into Notepad just to ensure there weren’t any incorrect spaces or extra characters.
- Finally select Configure Enterproid Divide Management Extender, then the applicable container device and click OK. It will take a few minutes for the configuration to complete.
Once the configuration was complete, all containers from the Divide cloud were displayed in the IEM console as shown (alongside other Android and iOS devices which are managed too).
If I selected my iPad with the Divide container installed, I was able to perform a number of container controls:
What was nice is that I can also define Divide policies from within the IEM console too:
I really like the user interface of the Divide client, which is the most critical factor with any container solution. Some container solutions have the reputation for not being that user friendly, so users end up trying to work their way around how they access their corporate email and applications. Which of course defeats the purpose of providing a container in the first place!
This new capability allows clients to both manage devices via traditional MDM (iOS, Android, Windows, Blackberry) and now a powerful container capability. This is on top of managing Windows, Mac, Linux and Unix from the one console.
If you have any queries, feel free to contact me or post a question to our developerWorks forum.
P.S. Article renamed to reflect Enterproid name change to ‘Divide’ (Oct 2013)
IBM Endpoint Manager for Mobile Devices requires a certificate to manage iOS devices – through Apple’s Push Notification Service (APNS). This APNS certificate allows the Management Extender to establish a secure, trusted channel of communication with the iOS devices. This setup is straightforward and is detailed here. Our MDM evaluators guide provides step by step instructions with screen captures. Contact me if you don’t have a copy.
If you’ve installed IEM to manage some devices, you’ll note that for iOS devices you have to install a self-signed certificate first. You can remove the requirement for this by installing a well known or trusted certificate from Verisign, GoDaddy, Gotrust etc.
The steps to install IEM with a trusted certificate are below. I want to acknowledge the great article by Orb Data which provided me some great info, and explained certificates in PEM format.
- Complete Step 1: Deploy the Management Extender Fixlet and Step 2: Obtain certificate to manage Apple iOS devices to install the Management Extender. Save the final APNS certificate as push.cer and place it in a directory on your IEM server, say D:\ManagementExtender\APNS\push.cer. Now this has the certificate covered for IEM communicating with Apple’s APNS service.
- Now for the certificate for device to IEM server communication, we need to create a certificate request that a certificate authority can process. I was using GoDaddy to define a certificate for the domain name mdm.darrylmiles.me. On a Mac, using OpenSSL, I would run this command:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
For my domain name, I entered:
openssl req -new -newkey rsa:2048 -nodes -keyout darrylmiles.me.key -out darrylmiles.me.csr
I was able to use the command illustrated on GoDaddy’s web site here.
The result of this command is two files:
- Now on your certificate authority web site, take the text from within your CSR file (in my case darrylmiles.me.csr) and copy this into appropriate request page:
- Once the certificate request was accepted, I downloaded it as shown:
- The ZIP file contained two files, gd_bundle.crt and mdm.darrylmiles.me.crt. Both files contained the certificate information in PEM format, i.e.
-----BEGIN CERTIFICATE-----
Lots of letters/numbers here…
-----END CERTIFICATE-----
I renamed the files as follows:
gd_bundle.crt to gd_bundle.crt
mdm.darrylmiles.me.crt to mdm.darrylmiles.me.cer
- I copied the darrylmiles.me.key, mdm.darrylmiles.me.crt and mdm.darrylmiles.me.cer to the IEM server to a directory called D:\ManagementExtender\Cert\
- I then configured the management extender using these settings:
- That’s it. Once the management extender is configured it’s now ready to accept device enrolments. Here are some screen captures of an iOS device being enrolled:
That’s it. IEM is now set up with a trusted certificate. If you have any queries, feel free to contact me or post a question to our developerWorks forum.
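The checks below are an added example, not part of the original post: before pointing the Management Extender at the key and certificate files from the steps above, confirm that the unencrypted key written by -nodes is readable only by its owner, that the CSR names the MDM host, and that the CSR and the returned certificate carry the same public key as the private key. The host name mdm.example.test, the file names and the self-signed certificate standing in for the CA's reply are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Host name and file names are constructed placeholders,
# not values from the original post.

# The post's CSR command, made non-interactive with -subj.
# -nodes leaves the private key unencrypted, so create it under umask 077.
make_csr() {  # usage: make_csr <host> <dir>
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$1" \
            -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
    )
}

# Print the public key (PEM) embedded in a private key, CSR or certificate.
pubkey_pem() {  # usage: pubkey_pem key|csr|cert <file>
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# True only when both files parse and carry the same public key.
# An unreadable or empty file fails instead of "matching" another bad file.
same_keypair() {  # usage: same_keypair <kind> <file> <kind> <file>
    a=$(pubkey_pem "$1" "$2") || return 1
    b=$(pubkey_pem "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the key file exists and has no group/other permission bits.
key_is_private() {  # usage: key_is_private <keyfile>
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# True when the CSR's common name is exactly the host devices will enrol
# against. Assumes CN is the last field of the subject, as make_csr writes it.
csr_names_host() {  # usage: csr_names_host <csr> <host>
    cn=$(openssl req -in "$1" -noout -subject 2>/dev/null |
         sed -n 's/.*CN *= *//p')
    [ "$cn" = "$2" ]
}

# Constructed demo: a self-signed certificate stands in for the CA's reply.
demo() {
    d=$(mktemp -d) || return 1
    h=mdm.example.test
    make_csr "$h" "$d" &&
    openssl x509 -req -in "$d/$h.csr" -signkey "$d/$h.key" -days 1 \
        -out "$d/$h.cer" 2>/dev/null &&
    key_is_private "$d/$h.key" &&
    csr_names_host "$d/$h.csr" "$h" &&
    same_keypair key "$d/$h.key" csr  "$d/$h.csr" &&
    same_keypair key "$d/$h.key" cert "$d/$h.cer"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "demo" ]; then
    demo && echo "all checks passed"
fi
```

Run it with the argument demo to exercise every check in a temporary directory; against real files, call same_keypair with the key and the certificate the CA returned before copying them to the server.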
IBM Endpoint Manager for Mobile Devices provides a range of Android device management. Samsung have extended this capability for their devices via Samsung SAFE (Samsung for Enterprise).
End users with Samsung Devices
Users simply install the IBM Mobile Client from Google Play. Once the app is installed, it will also prompt the user to install the additional IBM Mobile Client for Samsung which provides the additional device support.
IBM Endpoint Manager Administrator
From within the IEM console, the administrator simply opens Mobile Device Management – Android Settings – Samsung Approved for Enterprise (SAFE). They then select +New Profile, choose a name and select a profile type from the list below. I’ve chosen System Restrictions in the following example:
Now select this Fixlet and click Take Action, and choose your Android device(s) you wish to configure.
There is quite a large list of Samsung SAFE settings in Version 1.0 + 2.0 available, so I put together a list of configuration settings from the console below:
Device Management with Samsung SAFE devices
- Create ActiveSync Profile
- Enable SAFE internal storage encryption
- Application Blacklist
- Restrict Roaming
- Shutdown device
- Certificate Import
- Roaming Data
- Roaming WAP Push
- Roaming Account Sync
- Android Market
- Android Browser
- Background Data
- Bluetooth Tethering
- Cellular Data
- Factory Reset
- Home Key
- Mock Location
- Near Field Communication Adapter
- Non Market Apps
- Screen Capture
- SD Card
- Setting Changes
- USB Debugging
- USB Mass Storage
- USB Media Player
- Voice Dialer
- WiFi Tethering
- Outgoing Calls
- Pairing the device with desktop computers
- Data (files and network) transfer over bluetooth
- Make the device discoverable
- Discoverable only for devices that know its ID
- Pairing with other devices
Samsung are now extending this management with Samsung Knox with the Galaxy S4, which I’d certainly like to test at a later date.
IBM Endpoint Manager was recently recognised in the Leaders quadrant in Gartner’s 2013 Client Management Tools. This is a great endorsement of IEM which excels in patch management, multiplatform support and scalability.
Gartner defines Client Management Tools as:
“End-user computing and support organizations use client management tools to automate system administration and support functions that would otherwise be handled manually. They are configuration management tools that image client systems, track inventory, deploy configuration changes (such as software or patches), enforce configuration standards and assist with troubleshooting. Windows PCs are the primary target of management, but organizations are looking to extend these products to manage Macs, mobile devices and servers as well. Mobile device management (MDM) is still a separate market, but organizations are increasingly looking to use a single vendor and management platform to support their PCs, Macs and mobile devices.”
Hey, what a great endorsement of IEM’s capabilities… to manage your PCs, Macs AND mobile devices, from a single management platform.
I’d previously detailed how you can get up and running with IBM Endpoint Manager, Software Usage Analysis 1.3. SUA 2.0 is a new release that extends IEM’s software analysis capabilities to Linux/Unix systems and more IBM software products. The following article details the differences between 1.3 and 2.0 in more detail.
In the following article, I’ll step you through setting up SUA 2.0:
Install and Configure the SUA 2.0 Server
- From the IEM console, select BigFix Management, License Overview and find the Software Usage Analysis section. Next to IBM Software Inventory, select Enable
- Select Manage Sites, IBM Software Inventory. Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
- Select System Lifecycle – Server Setup and Software Use Analytics. I don’t see any issue with installing the Software Knowledge Base Toolkit (SwKBT) first, however I chose to install SUA 2.0 first. I’ll talk more about the SwKBT below.
- From the SUA install screen you’ll want to choose a server which will run SUA. For small environments, SUA could run on the same server as IEM. However as you grow beyond several thousand endpoints, you’ll want to dedicate a separate server for SUA 2.0. In my lab environment, I chose a separate Windows Server 2008 R2 VM for SUA 2.0 as shown below. Select that server and click Deploy
- SUA 2.0 will then show you the following screen as it downloads the SUA 2.0 software and then mirrors it to that server. In my lab environment this took about 10 minutes. You can check the progress of the download by looking at the running Actions too:
- On the SUA 2.0 server (my server was called IEM9TSUA2) I ran the installer and completed the install. I left SUA 2.0 running on port 80 in my environment (you could choose another port if required)
- A web browser is then launched to complete the SUA 2.0 configuration. It asks you the location of your database (in my case I had setup a separate SUA 2.0 database on a remote Windows SQL 2008 server). I also didn’t worry about migrating my SUA 1.3 information over to SUA 2.0:
- The SUA 2.0 application was then launched:
- Back in the IEM console I could click Finish and configure it with the URL of my IEM9TSUA2 server as shown.
- Now SUA 2.0 is up and running, we’ll now need to install the SwKBT and setup the endpoints for SUA scanning too.
Install and Configure the Software Knowledge Base Toolkit (SwKBT)
The Software Knowledge Base Toolkit (or SwKBT) is a new component of IEM SUA. Think of it as the catalog management service. It requires you to install a separate component, but I’d expect over time this probably won’t be required. In most environments, the SwKBT could easily run alongside SUA 2.0 on the same server. It’s used infrequently – for example as you load in new catalogs or update entries in the catalogs. In my lab environment, I installed the SwKBT on the same VM as SUA.
- From the IEM console, select System Lifecycle – Server Setup and Software Knowledge Base Toolkit (SwKBT)
- From the SUA install screen you’ll want to choose a server which will run SwKBT. Select that server and click Deploy Installer. As you see below, the size of the SwKBT is around 650MB so it took well over an hour to download and get mirrored to my SUA2.0 server.
- On the SwKBT server, I followed the default installation options
- Once I had clicked Finish, you can log in to the SwKBT server by using the following URL – https://localhost:12344/ibm/console/logon.jsp (change to your server’s host name)
Setup your Endpoints for SUA scanning
- From the IEM console, select System Lifecycle. Then select IBM Software Inventory, select Setup – Activate Analysis. You should see four Analysis as shown in the example below. Activate each of these.
- Next select Manage Deployments – Manage Endpoints – Deploy and select Install Scanner, select Take Action. The scanner will then be deployed to the endpoint. Repeat the process for the Install Common Inventory Technology Scanner. Why are there two scanners? See here for further information.
- Once the scanner and CIT scanner are deployed to each endpoint, you can then configure the two scanners to run periodically (by default it runs once per week). Select Manage Endpoints – Scan/Upload (note it can take a few minutes before the scanner you’ve deployed is relevant to this Fixlet. I found this was slower for the CIT scanner in my test lab).
- Finally, select Manage Endpoints – Scan/Upload again and select your endpoint to send their scanned data to the SUA server via the Upload Scan Results and Upload Common Inventory Technology Scan Results fixlets.
Note: It’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing.
Software Catalog Update
You’ll want to use the latest software catalog from IBM, which we see has been automatically detected within the console. You’ll need to perform a similar task roughly every month as IBM releases new SUA catalogs. The update process is documented within the Fixlet, so check there on what you need to do, especially if you customise the catalog.
- From the IEM console, select Systems Lifecycle – IBM Software Inventory – Software Catalog Update – Download Software Catalog Update for SUA. Select Take Action and select your SUA 2.0 server. The action will download the latest catalog and install this on your SUA 2.0 server.
- If your organization does not customise the software catalog (in most cases you won’t), log in to the TEM SUA console
- Go to Management – Catalog Update
- Click Browse and locate the downloaded catalog file (I expanded the ZIP file first)
- Click Upload. Then select Import Now within the SUA console (otherwise it will happen automatically at midnight)
- Within the SUA console, you’ll also need to click on this option to import a Fixlet into the IEM console. This Fixlet is linked to the catalog and will send a small catalog to each endpoint for processing. I found this a little cumbersome, but expect this process will also be simplified in the future. I edited the Fixlet and added - April 2013 at the end (see below) so I knew in the future this Fixlet was for the April catalog.
- Click OK then select Take Action to target this CIT catalog download task to your applicable workstations (or group as suggested above)
SUA 2.0 is now available
When you log back into the SUA server you won’t immediately see any software usage information until the clients have sent their data to the server AND the data import task has run (which you’ll remember was once a day). You can run the data import process immediately if you want to see information like the following:
That’s it. SUA is now up and running and you can easily see what software is installed and being utilised in your company. If you’re familiar with SUA 1.3, I found the following Getting Started with Software Use Analysis 2.0 guide useful in adjusting to the console changes in 2.0. If you have any problems, please post your query to the IEM SUA forum.
Are you benefiting from IBM Endpoint Manager SUA? If so we’d love to hear from you.
IBM Endpoint Manager Software Usage Analysis (otherwise known as IEM SUA) allows you to easily determine what software is deployed across your organisation and how actively it is being used on each computer. With SUA you can easily determine whether you’re effectively using more expensive software such as Microsoft Project or Visio on all of your computers. IEM SUA is not only useful to improve the efficiency of your software but also substantially reduce the amount of work required for software compliance audits.
In the following article, I’ll step you through the installation of SUA 1.3.
Install and Configure the SUA 1.3 Server
To get started, download the SUA 1.3 server software from this web site. http://support.bigfix.com/dss/install/downloaddsssam.html For small environments you could easily run this on the IEM server itself.
- Run the SUA installer exe. Select Next, Accept the licensing terms and click Next
- Select the SUA folder installation and click Next, click Install
- Once the install is completed click Finish
- Once SUA has been installed, the configuration wizard will automatically start after a few seconds. Click Next
- I’ve included a number of screen captures for configuring SUA during the install below. I used NT authentication, however you may wish to use SQL authentication.
Note: Notice how I changed the default port for SUA from port 80 to 81 below (so I didn’t have a clash with Web Reports). I also used a local account for my test server (which already exists). You’ll most likely have your SUA server as a member of a Windows domain, in which case you may want to use an authorised service account.
- Progress for the SUA installation is shown below:
- Once the install is completed click OK and then click Finish
When I’ve installed SUA, I’ve sometimes been prompted with the following error installing SUA “Execution of user code in the .NET Framework is disabled. Enable “clr enabled” configuration option”. This requires running this command on the SQL Management Studio before I configure SUA and then restarting the server. You can download the SQL Management Studio from here if applicable - http://www.microsoft.com/en-us/download/details.aspx?id=8961.
- Run your web browser and browse to http://localhost:81 (port 81 if applicable). Enter the SUA administrator and password as shown:
- Configure the datasource as shown below:
- Next select create a new Datasource. Enter details as shown below, along with an EXE scan location of C:\Program Files (x86)\BigFix Enterprise\BES Server\UploadManagerData\BufferDir\sha1 (change to another drive letter if appropriate). Select Test and once confirmed OK, select Save
- We’ll also schedule how often we want SUA 1.3 to import the data uploaded to the server from the clients. To do this, select Import options and enter the following details to run the import once per day. Select Save.
- You will now have SUA installed, so we’ll now go to the IEM console and configure the clients which will send software usage information to the SUA server.
Setup your Endpoints for SUA scanning
- From the IEM console, select BigFix Management, License Overview and find the Software Usage Analysis section. Next to DSS SAM, select Enable
- Select Manage Sites, Tivoli Endpoint Manager for Software Usage Analysis. Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
- Select System Lifecycle. Then select Setup – Activate Analysis. You should see three Analysis as shown in the example below. Activate each of these.
- Next select Setup – Deploy Scanner to Endpoints and select Install Scanner, select Take Action. The scanner will then be deployed to the endpoint.
- Once the scanner is deployed to each endpoint, you can then configure the scanner to run periodically (by default it runs once per week). Select Setup – Schedule Scan on Endpoints (note it can take a few minutes before the scanner you’ve deployed is relevant to this Fixlet). If you review the Execution tab, you can see the scanner will run by default every 7 days.
- Finally, select Setup – Schedule Uploads on Endpoints and select your endpoint to send their scanned data to the SUA server.
Note: It’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing.
There is a nice SUA health dashboard as shown below:
If relevant, new software catalog updates will be shown here along with instructions to download and install these on your SUA server.
Note: When you log back into the SUA server you won’t immediately see any software usage information until the clients have sent their data to the server AND the data import task has run (which you’ll remember we set on a once a day basis). You can run the data import process immediately if you want to see information like the following:
That’s it. SUA is now up and running and you can easily see what software is installed and being utilised in your company. It’s worthwhile watching the following video which gives an overview of the SUA 1.3 console. If you have any problems, please post your query to the IEM SUA forum.
Are you benefiting from IBM Endpoint Manager SUA? If so we’d love to hear from you.