IBM Earns Leader Placement in Gartner’s 2013 Magic Quadrant for Client Management Tools

IBM Endpoint Manager was recently recognised in the Leaders quadrant in Gartner’s 2013 Client Management Tools.  This is a great endorsement of IEM which excels in patch management, multiplatform support and scalability.

Gartner defines Client Management Tools as:

“End-user computing and support organizations use client management tools to automate system administration and support functions that would otherwise be handled manually. They are configuration management tools that image client systems, track inventory, deploy configuration changes (such as software or patches), enforce configuration standards and assist with troubleshooting. Windows PCs are the primary target of management, but organizations are looking to extend these products to manage Macs, mobile devices and servers as well. Mobile device management (MDM) is still a separate market, but organizations are increasingly looking to use a single vendor and management platform to support their PCs, Macs and mobile devices.”

Hey, what a great endorsement of IEM’s capabilities…  to manage your PCs, Macs AND mobile devices, from a single management platform.

Source:  Gartner

Setting up IBM Endpoint Manager, Software Usage Analysis (SUA) 2.0

I’d previously detailed how you can get up and running with IBM Endpoint Manager, Software Usage Analysis 1.3.   SUA 2.0 is a new release that extends IEM’s software analysis capabilities to Linux/Unix systems and more IBM software products.   The following article details the differences between 1.3 and 2.0 in more detail.

In the following article, I’ll step you through setting up SUA 2.0:

Install and Configure the SUA 2.0 Server

1. From the IEM console, select BigFix Management, License Overview and find the Software Usage Analysis section.   Next to IBM Software Inventory, select Enable
2. Select Manage Sites, IBM Software Inventory.   Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
3. Select System Lifecycle – Server Setup and Software Use Analytics.  I don’t see any issue with installing the Software Knowledge Base Toolkit (SwKBT) first, however I chose to install SUA 2.0 first.  I’ll talk more about the SwKBT below.
4. From the SUA install screen you’ll want to choose a server which will run SUA.  For small environments, SUA could run on the same server as IEM.  However as you grow beyond several thousand endpoints, you’ll want to dedicate a separate server for SUA 2.0.  In my lab environment, I chose a separate Windows Server 2008 R2 VM for SUA 2.0 as shown below.  Select that server and click Deploy

   

5. SUA 2.0 will then show you the following screen as it downloads the SUA 2.0 software and then mirrors it to that server.   In my lab environment this took about 10 minutes.  You can check the progress of the download by looking at the running Actions too:

   

   

   

   

6. On the SUA 2.0 server (my server was called IEM9TSUA2) I ran the installer and completed the install.  I left SUA 2.0 running on port 80 in my environment (you could choose another port if required)

   

   

   

   
   

7. A web browser is then launched to complete the SUA 2.0 configuration.  It asks you the location of your database (in my case I had setup a separate SUA 2.0 database on a remote Windows SQL 2008 server).  I also didn’t worry about migrating my SUA 1.3 information over to SUA 2.0:

   
   
   
   
   

8. The SUA 2.0 application was then launched:

   

9. Back in the IEM console I could click Finish and configure it with the URL of my IEM9TSUA2 server as shown)

   

   

   

10. Now SUA 2.0 is up and running,  we’ll now need to install the SwKBT and setup the endpoints for SUA scanning too.

 

Install and Configure the Software Knowledge Base Toolkit (SwKBT)

The Software Knowledge Base Toolkit (or SwKBT) is a new component of IEM SUA.  Think of it as the catalog management service.  It requires you to install a separate component,  but I’d expect over time this probably won’t be required.  In most environments, the SwKBT could easily run alongside SUA 2.0 on the same server.  It’s used infrequently – for example as you load in new catalogs or update entries in the catalogs.  In my lab environment, I installed the SwKBT on the same VM as SUA.

1. From the IEM console, select System Lifecycle – Server Setup and Software Knowledge Base Toolkit (SwKBT)
2. From the SUA install screen you’ll want to choose a server which will run SwKBT.   Select that server and click Deploy Installer.  As you see below, the size of the SwKBT is around 650MB so it took well over an hour to download and get mirrored to my SUA2.0 server.

   

   

   

   

3. On the SwKBT server, I followed the default installation options

   
   
   

    

   

   

   

4. Once I had clicked Finish.   You can login to the SwKBT server by using the following URL – https://localhost:12344/ibm/console/logon.jsp  (change to your server’s host name)

Setup your Endpoints for SUA scanning

1. From the IEM console,  select System Lifecycle.  Then select IBM Software Inventory, select Setup – Activate Analysis.  You should see four Analysis as shown in the example below.  Activate each of these.

   

2. Next select Manage Deployments – Manage Endpoints – Deploy and select Install Scanner,  select Take Action.   The scanner will then be deployed to the endpoint.  Repeat the process for the Install Common Inventory Technology Scanner.    Why are there two scanners?  See here for further information.
3. Once the scanner and CIT scanner are deployed to each endpoint, you can then configure the two scanners to run periodically (by default it runs once per week).   Select Manage Endpoints – Scan/Upload  (note it can take a few minutes before the scanner you’ve deployed is relevant to this Fixlet.  I found this was slower for the CIT scanner in my test lab).
4. Finally, select Manage Endpoints – Scan/Upload again and select your endpoint to send their scanned data to the SUA server via the Upload Scan Results and Upload Common Inventory Technology Scan Results fixlets.

Note:  It’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing.

 

Software Catalog Update

You’ll want to use the latest software catalog from IBM, which we see has been automatically detected within the console.  You’ll need to perform a similar task roughly every month as IBM releases new SUA catalogs.  The update process is documented within the Fixlet, so check there on what you need to do, especially if you customise the catalog.

1. From the IEM console,  select Systems Lifecycle – IBM Software Inventory – Software Catalog Update – Download Software Catalog Update for SUA.  Select Take Action and select your SUA 2.0 server.  The action will download the latest catalog and install this on your SUA 2.0 server.

   

2. If your organization does not customise the software catalog (in most cases you wont),  log in to TEM SUA console
3. Go to Management – Catalog Update
4. Click Browse and locate the downloaded catalog file  (I expanded the ZIP file first)
5. Click Upload.   Then select Import Now within the SUA console  (otherwise it will happen automatically at midnight)

     

6. Within SUA console, you’ll also need to click on this option to import a Fixlet into the IEM console.  This Fixlet is linked to the catalog and will send a small catalog to each endpoint for processing.  I found this a little cumbersome, but expect this process will also be simplified in the future.   I edited the Fixlet and added - April 2013 at the end (see below) so I knew in the future this Fixlet was for the April catalog.

   

   

7. Click OK then select Take Action to target this CIT catalog download task to your applicable workstations (or group as suggested above)

   

 

SUA 2.0 is now available

When you log back into the SUA server you won’t immediately see any software usage information until the clients have sent their data to the server AND the data import task has run  (which you’ll remember was once a day).   You can run the data import process immediately if you want to see information like the following:

That’s it.  SUA is now up and running and you can easily see what software is installed and being utilised in your company.   If you’re familiar with SUA 1.3, I found the following Getting Started with Software Use Analysis 2.0 guide useful in adjusting to the console changes in 2.0.  If you have any problems,  please post your query to the IEM SUA forum.

Are you benefiting from IBM Endpoint Manager SUA?    If so we’d love to hear from you.

Darryl

Setting up IBM Endpoint Manager, Software Usage Analysis (SUA) 1.3

IBM Endpoint Manager Software Usage Analysis (otherwise known as IEM SUA) allows you to easily determine what software is deployed across your organisation and how actively it is being used on each computer.  With SUA you can easily determine whether you’re effectively using more expensive software such as Microsoft Project or Visio on all of your computers.  IEM SUA is not only useful to improve the efficiency of your software but also substantially reduce the amount of work required for software compliance audits.

In the following article, I’ll step you through the installation of SUA 1.3.

Install and Configure the SUA 1.3 Server

To get started,  download the SUA 1.3 server software from this web site.  http://support.bigfix.com/dss/install/downloaddsssam.html   For small environments you could easily run this on the IEM server itself.

1. Run the SUA installer exe.   Select Next, Accept the licensing terms and click Next
2. Select the SUA folder installation and click Next, click Install
3. Once the install is completed click Finish
4. Once SUA has been installed,  the configuration wizard will automatically after after a few seconds.  Click Next
5. I’ve included a number of screen captures for configuring SUA during the install below.  I used NT authentication, however you may wish to use SQL authentication.

   Note:  Notice how I changed the default port for SUA from port 80 to 81 below  (so I didn’t have a clash with Web Reports).  I also used a local account for my test server (which already exists).  You’ll most likely have your SUA server a member of a Windows domain, in which you may want to use an authorised service account.

    

    

    

   
   
   

6. Progress for the SUA installation is shown below:
7. Once the install is completed click OK and then click Finish 

   When I’ve installed SUA,  I’ve sometimes been prompted with the following error installing SUA   “Execution of user code in the .NET Framework is disabled. Enable “clr enabled” configuration option”.  This requires running this command on the SQL Management Studio before I configure SUA and then restarting the server.You can download the SQL Management Studio from here if applicable - http://www.microsoft.com/en-us/download/details.aspx?id=8961.

8. Run your web browser and browse to http://localhost:81  (port 81 if applicable).  Enter the SUA administrator and password as shown:
9. Configure the datasource as shown below:

    

10. Next select create a new Datasource.  Enter details as shown below, along with an EXE scan location of  C:\Program Files (x86)\BigFix Enterprise\BES Server\UploadManagerData\BufferDir\sha1   (change to another drive letter if appropriate)Select Test and one confirmed ok, select Save
11. We’ll also schedule how often we want SUA 1.3 to import the data uploaded to the server from the clients.  To do this, select Import options and enter the following details to run the import once per day.   Select Save.
12. You will now have SUA installed, so we’ll now go to the IEM console and configure the clients which will send software usage information to the SUA server.

Setup your Endpoints for SUA scanning

1. From the IEM console, select BigFix Management, License Overview and find the Software Usage Analysis section.   Next to DSS SAM, select Enable
2. Select Manage Sites, Tivoli Endpoint Manager for Software Usage Analysis.   Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
3. Select System Lifecycle.  Then select Setup – Activate Analysis.  You should see three Analysis as shown in the example below.  Activate each of these.
4. Next select Setup – Deploy Scanner to Endpoints and select Install Scanner,  select Take Action.   The scanner will then be deployed to the endpoint.
5. Once the scanner is deployed to each endpoint, you can then configure the scanner to run periodically (by default it runs once per week).   Select Setup – Schedule Scan on Endpoints  (note it can take a few minutes before the scanner you’ve deployed is relevant to this Fixlet).  If you review the Execution tab, you can see the scanner will run by default every 7 days.
6. Finally, select Setup – Schedule Uploads on Endpoints and select your endpoint to send their scanned data to the SUA server.

Note:  It’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing.

There is a nice SUA health dashboard as shown below:

If relevant, new software catalog updates will be shown here along with instructions to download and install these on your SUA server.

Note:  When you log back into the SUA server you won’t immediately see any software usage information until the clients have sent their data to the server AND the data import task has run  (which you’ll remember we set on a once a day basis).   You can run the data import process immediately if you want to see information like the following:

That’s it.  SUA is now up and running and you can easily see what software is installed and being utilised in your company.   It’s worthwhile watching the following video which gives an overview of the SUA 1.3 console.   If you have any problems,  please post your query to the IEM SUA forum.

Are you benefiting from IBM Endpoint Manager SUA?    If so we’d love to hear from you.

Darryl

Installing IBM Endpoint Manager 9.0 in less than 15-Minutes

My brother (who is a chef) tells me I can’t cook.  I assemble food.  So I’ve really enjoyed Jamie Oliver’s 15 minute meals and trying new ideas at home.  So in the spirit of cooking a meal in 15 minutes, I thought I’d document how easy it is to install the latest release of IBM Endpoint Manager (version 9) in less than 15 minutes.

Let’s turn up those hot plates to full and start cooking…

1. First start by downloading the server software from here.  If your trying out the software (30 days/30 devices) download the evaluation version, otherwise you’ll want the non-evaluation version (IBM will have supplied you access to the license key center where you can download a license file)
2. Run the BigFix-BES-9.0.586.0.exe installer
3. Select Next and then either Evaluation or Production and then Next
4. Accept the license agreement and click Next
5. As I had used a production licenses I chose the top option here
6. Enter an appropriate DNS name for your IEM server.  You cannot change this later, so consider having a DNS alias if required that can be mapped to a server in your organisation.  If you’re setting up IEM on the Internet for a cloud service, consider using services like no-ip.com or elastic ip with AWS.
7. I then selected the license file I had downloaded and clicked Next
8. Enter a unique password for your IEM’s private key.  Don’t forget this password !
9. Save location of the private key.  I usually create a License folder on the server and save it there.  For production environments this may be in a secure key location.
10. You will now submit your IEM server information to IBM.  If you can browse the Internet with Internet Explorer you should be ok, however in some cases you might need to perform this via a two step process (the second option)
11. Now create a masthead file for your environment.  This file is used for clients to locate and securely communicate to your IEM server
12. Choose the location for where IEM will save the Installers directory.  This is the location where the Server, Console and Clients will be installed from below.  You can accept the default directory, or maybe select a larger D: drive if appropriate.   Then click Finish when complete

    Time so far, 7 minutes….

13. You’ll be prompted with the following window where you’ll then install the Server, Console and a Client on the server.
14. Select Install Server and then select Install the Server on this computer 
15. Select Next and the following items you can leave as default and click Next
16. Select Single or Master Database  (larger environments can have a replicated database option)
17. Select Use Local Database.  If you have SQL already installed, it will use it to host the IEM databases.  Otherwise it will use SQL Server 2005 Express (test environments).  You can also use a remote SQL server however ensure it’s connected to the IEM server via a high speed connection.
18. Chose the location of SQL 2005 Express if applicable
19. Chose the location of the IEM server and click Next
20. Select Next to accept the IEM web server location and URL  (used by the clients to communicate to the server on port 52311)
21. Select Next to accept the default Web Reports settings.  Note that port 80 is being used, so if you install other services like SUA on this server in the future, chose another web server port.
22. The server is about to be installed, click Next.  IEM will now install the server.
23. Select your private key and now enter in the default IEM administrator account.  I like to use IEMadmin so it’s a different name to Windows Administrator.

    

    

    

24. You can now run the diagnostics tool to ensure IEM is setup ok.  The client isn’t installed yet, so that will be done shortly.

    Time so far, 11 minutes….

25. Install Install Console and then Install the Console on this Computer
26. Select Next, and Install.   I usually don’t run the console just yet until the local client is installed (next steps)

    Time so far, 12 minutes….

27. Select Install Clients.  Select Install the Client on this Computer
28. Select Next, Next and Install  and Finish when complete

Hows that timer going?   13 minutes.   Done!

You can now start the console and start using the product.

There’s a great blog by Daniel Heth who details how to get going with the IEM console here

Oh, I really like the Flying Steak Sandwich

IBM Endpoint Manager for Mobile Devices Evaluator’s Guide

Last year my colleague and I put together an Evaluator’s Guide for the Mobile Device Management (MDM) service in IEM.  We wanted to provide our clients and business partners with a easy to follow guide, so they could quickly start testing the product.  It’s a quick-start guide you can read when you don’t really want to start reading the manual… just yet !

The guide is divided into the following main sections:

• Introduction
• Description of IEMfMD components
• Setting up the IEMfMD components
• Evaluation Tasks
• Helpful Resources

Here’s another view of the various sections within the guide:

The Evaluator’s guide has been very popular and is available for download via IBM Partnerworld and by asking your nearest IBMer.    I’m also happy to email you a copy directly if you would like to provide your details below.

Name(required)

Email(required)

Company(required)

Number of mobile devices(required)

Comment

If you have any feedback on our MDM product, we’d love to hear from you.  You can also post your queries to our developerWorks forum too.  Oh, if you would like further details on MDM including the user and admin guides, you can find them here too.

Darryl

IBM Customized VMware ESX 5.1 released

IBM recently released the VMware vSphere (ESXi) Hypervisor with IBM Customization  (or customized ESXi…  well, I say customised).   The readme details a number of Broadcom, Brocade, Emulex, LSI and Qlogic drivers  as well as additional management support.  I still don’t know what concretejob does yet.

Anyhow, here is the Readme in PDF format and the link to where you can download it.

If you have any queries on this release, please post them to the System x forum on developerWorks

Minimise your Data Roaming Bill Shock with IEM for Mobile Devices

When talking to clients about mobile device management,  almost everyone highlights examples within their organisation of bill shock from data roaming charges.   It’s discussed further on the following ABC Australia video.    Whilst people are being educated on cost implications and there are calculators like this one from Telstra,  many people are still getting caught out with huge bills.   It also appears to be a particularly bigger issue in Asia Pacific for some reason.

Companies can minimise their user and corporate bill shock, by implementing a data roaming policy using IBM Endpoint Manager for Mobile Devices.   To do this for iOS devices, an administrator simply follows the steps below:

1. From the Endpoint Manager console,  simply select Management Commands and Disable Data Roaming – Apple iOS.  You’ll see that for my environment I have 52 of 205 applicable mobile phones that have Data Roaming enabled.
2. Select Take Action, then select Policy (so that the Action will re-apply as required).    I could then simply select any applicable mobile devices (ie. one or more phones), however I’ve setup an Automatic Group called iOS Devices and have selected that as shown below.   Finally select OK.
3. You’ll then see your iOS devices reporting and their status changed to Fixedas shown below:

If a user then goes back in and turns the data roaming setting back ON,  the MDM client (via the Apple MDM API’s) will change this back to OFF at the next refresh interval.  This by default is every 3 hours.   Personally,  I’d like the ability to fully disable this feature entirely (like we can by disabling the Camera) or for a period of time/data, however Apple doesn’t allow this for now.   I’ve tested this feature with iOS 5.x and 6.0.   Just today,  IBM has updated our MDM service to include the new MDM features in iOS 6

The latest release of IEM for MDM includes Data Usage information as shown below.   The last three months of 3G-data usage provided to the server, which will store a larger archive for history checking.

I also created a custom copy of this Fixlet to also display a user message when the Data Roaming was turned off.  You can download a copy here.

With this MDM policy, organisations can still minimise the chances of users returning from their overseas trip to an expensive phone bill !

If you have any queries or feedback, please post them on the developerWorks forum here.

Darryl

Enabling the Self Service Portal with IBM Endpoint Manager for Mobile Devices

Following my post last month on Enabling Authenticated Enrollment,   I’ve also detailed below the process for enabling the Self Service Portal (SSP).   The IBM Mobile Devices Self Service Portal is a web-based method that allows you to manage your personal device without logging onto the TEM console.

Enabling the Self Service Portal

The SSP fits in with the overall IEM for MDM architecture as detailed here.    In most cases, the SSP will be located on your intranet for users to access as required.

Start with the Setup and Configuration Wizard, and open Install Additional MDM Features, then select Setup Self Service Portal as shown below.

You’ll note that Authenticated Enrollment has been configured via these steps.   Select Deploy Self Service Portal and then Take Action.

Select the server that will host the SSP and click OK.

IEM will then automatically begin downloading the required components for the Self Service Portal and install them on the server as shown below.

Once the SSP is installed next click on the third step to Configure the Self Service Portal.

Enter in the details for your Web Reports and TEM Console  (which in most cases will probably be the one server).   An example screen capture is shown below.  Click Configure SSP and it will take a few minutes for this configuration to be completed.

If you have any issues with setting up the SSP, a handy URL to have is https://yourSSPservername/ssp/diag  which provides some SSP diagnostic information:

User access to the Self Service Portal

Your users will access the SSP via a web browser,  ie.  https://yourSSPservername/ssp    Once logged in,  they can select one or more devices they have registered to IEM.   They can then see information similar to the following for each of their mobile devices:

Users can then lock their device, clear passcode or even remotely wipe the device.   I expect IBM will add additional functionality to the SSP in coming releases.    A handy end user guide on the SSP is provided here

So all done!  You now have the SSP up and running.   If you have any queries or feedback, please post them on the developerWorks forum here.

Darryl

Enabling Authenticated Enrollment with IBM Endpoint Manager for Mobile Devices

The update of IBM Endpoint Manager for Mobile Devices last month included the new Authenticated Enrollment feature.   In the article below,  I’ll detail how you can easily enable this and configure user enrollment questions too.

MDM Architecture

Before you do, it’s a good idea to recap the overall MDM architecture once more.  You’ll already have your Endpoint Manager server running on your internal network and the Management Extender for iOS on a server in your DMZ (servers shown below in grey).   You’ll then want to have a very small server to run the Trusted Service Provider/Self-Service Portal components as highlighted in green below  (I’ll cover the Self-Service Portal in a future post).  Whilst I don’t see any reason why these new services couldn’t also run on your TEM server, you’d need to ensure you don’t have a possible clash with Web Reports running on port 80.   For larger environments a dedicated server would be preferable.   Ensure you’ve made any DMZ firewall rules as required.

Enabling Authenticated Enrollment

By default, devices can be managed by MDM without any authentication.  You can now restrict access to your MDM deployment to only authenticated users who log in with a username and password from an LDAP/Active Directory service.

Start with the Setup and Configuration Wizard, and open Install Additional MDM Features.  The Enrollment Server comes installed automatically on the Management Extender for iOS.   So Step 1) and 2) will already be completed from your updated you completed here.

Next, click on Deploy Trusted Service Provider,  which will present you with the following window:

Select the server which will host the Trusted Service Provider service (in my case IEMMDMSP1)

The IEM Server will then automatically download the required files from the Internet as shown below.

In about five minutes in my test environment, the installation was complete and the server was in a Pending Restart status.   The install seemed to have completed just fine, so just to be sure all was ok,  I restarted my server.  Maybe I should have been more patient and waited, but all was ok.  After the server restarted the status updated to Completed.

Next I configured the enrollment as shown below.   Note for my Active Directory server (dc1.home.int)  I deselected SSL and entered the Login Attribute of userPrincipalName.   Ensure you test your settings.   When you click on Configure Authenticated Enrollment, it took a minute or two for this to be all setup on the Management Extender for iOS server.

So, once all this has been setup when you enroll your iOS device you’ll now be asked to authenticate as shown below  (where I’m entering in my Active Directory user account and password)

Custom Enrollment Questions

Finally, you can also present the user with a range of Custom Enrollment Questions, such as where they work, department ID, accepting an End User License Agreement (EULA).   Questions can be presented with links, checkboxes, radio buttons etc.  An example list of questions are shown below:

This is then presented to the user as shown below:

This information is then visible to the administrator in the console as follows:

So all done!  You now have authenticated enrollment up and running.   If you have any queries or feedback, please post them on the developerWorks forum here.

Darryl

Upgrading IBM Endpoint Manager for Mobile Devices (June 2012 release)

Last week, IBM announced the next release of IBM Endpoint Manager for Mobile Devices (see the announcement here).   This update included a bunch of new goodies such as Self Service portal, Enhanced Enrollment Options, Location Services for iOS and Office 365 support.   I’ll include further information on these updates on this blog in the coming weeks.

So just how easy is it to upgrade your current IEM for MDM to this latest release?    I’d say it took me less than ten minutes, and I’ve included some screen captures of the process below.   OK, let’s get started…

On my server, I first went to the Health Checks window as shown below.   Instead of the Status being all green,  it showed two items with a red Fail status.

I proceeded to the Upgrade Management Extender for Apple iOS and clicked on the link.   IEM automatically detected the component that needed upgrading and I then clicked on Take Action.

IBM Endpoint Manager then automatically downloaded the updated software components from our cloud based content servers as shown:

Approximately five minutes later, the update was applied, yay !

You’ll remember in the Health Check window,  I had to also activate two new analysis.  So again, I clicked on the link to do these too.

 

The Heath Checks dashboard will now have a green Pass status.

All done.

Easy hey!  It’s expected that in the new few days the endpoint applications will be automatically available too on the Apple AppStore and Google Play.   If you have any queries on this release, feel free to post them on our developerWorks forum.

Darryl