IBM Endpoint Manager (BigFix) has released a new Software Usage Analysis (SUA) module. This release includes a number of new capabilities, specifically SQL support. SUA also provides IBM sub-capacity measurement capability. IBM has provided a number of installation and administration guides here. In the following article, I’ll step you through the key elements to setup SUA 9.2: Prerequisites
- I’d created a new Windows 2008 R2 server to run SUA 9.2. My virtual machine had at least 8GB of memory and 2 vCPU
- On the SUA server I had installed Microsoft SQL 2012 and updates
- I had installed an IEM Agent and it was reporting back to the IEM server successfully.
Install and Configure the SUA 9.2 Server
- From the IEM console, select BigFix Management, License Overview and find the Software Usage Analysis section. Next to IBM Endpoint Manager for Software use Analysis v9, select Enable
- Click on IBM Endpoint Manager for Software use Analysis v9, under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
- Select System Lifecycle – Software Use Analysis – Server Setup and Software Use Analytics.
- From the SUA install screen you’ll want to choose a server which will run SUA. For small environments, SUA could run on the same server as IEM. However as you grow beyond several thousand endpoints, you’ll want to dedicate a separate server for SUA 9.2. Select that server and click Deploy Installer.
- SUA 9.2 will then show you the following screen as it downloads the SUA 9.2 software and then mirrors it to that server. In my lab environment this took about 10 minutes. You can check the progress of the download by looking at the running Actions too:
- On the SUA 9.2 server (my server was called SFTSGSUA9 – as it’s on Softlayer) I ran the installer setup-server-windows-x86_64.bat (as an Administrator).
- During the SUA 9.2 installation, select the default including accepting the license agreement. Change the default installation path if required:
- I select the default https port 9081 in my environment (you could choose another port if required)
- I selected System Account and finally reviewed the settings before clicking Install
- When SUA was completed I was shown the following screen:
- Click on Done and a web browser is then launched to complete the SUA 9.2 configuration. You might need to click the certificate warning in your web browser. I entered the following information below to configure SUA.
- After the import was completed (which did take a few hours in my lab), the SUA 9.2 application was then launched:
- Back in the IEM console I could click Finish and configure it with the URL of my IEM9TSUA2 server:
- Now SUA 9.2 is up and running, we’ll now setup the endpoints for SUA scanning.
Setup your Endpoints for SUA scanning
- From the IEM console, select System Lifecycle. Then select Software Use Analysis, select Setup – Activate Analysis. You should see seven Analysis as shown in the example below. Activate each of these.
- Next select Setup – Deploy Scanner to Endpoints and select Install Scanner, select Take Action. Select Target and select Dynamic target by property and select All Computers, if you want the scanner applied to every computer with an IEM Agent installed. Otherwise you might create a manual group (called SUA 9 clients) and select it instead. Click OK to run the Action. The scanner will then be deployed to the endpoint.
- Select Setup – Schedule Scans on Endpoints. Select Initiate Software Scan. Select Target and select Dynamic target by property and select All Computers. Select the Execution tab. By default the scanning process will run every 7 days as shown below. You can change this value if you like. Select OK when complete.
- Finally, select Setup – Schedule Uploads on Endpoints. Select the Upload Software Scan Results fixlet. Click OK to run the Action. Select Target and select Dynamic target by property and select All Computers. Select the Execution tab. You’ll see below the Fixlet will run anytime new scan results are available and retry this 3 times if there is an error. Select OK when complete.
Note: As mentioned above, it’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing. Software Catalog Update You’ll want to use the latest software catalog from IBM, which we see has been automatically detected within the console. You’ll need to perform a similar task roughly every month as IBM releases new SUA catalogs. The update process is documented within the Fixlet, so check there on what you need to do, especially if you customise the catalog.
- From the IEM console, select Systems Lifecycle – Software Use Analysis – Software Catalog Update – Software Catalog Update. Select Take Action and select your SUA 9.2 server. The action will download the latest catalog and install this on your SUA 9.2 server.
- Login to the SUA 9.2 server console.
- Go to Management – Catalog Update
- Click Browse and locate the downloaded catalog file (I expanded the ZIP file first)
- Click Upload. Then select Import Now within the SUA console and browse to the file (D:\Program Files\ibm\SUA\sua_catalog) and select the ZIP file.
- Click Upload Note: There is a Fixlet 1002 – Upgrade to the newest Software Usage Analysis 9.x catalog that can be run. This will automatically download the latest catalog to the SUA 9.2 server. The above task of applying this catalog via the SUA console is still required (thank’s David Kosenko for this information).
That’s it! SUA is now up and running and you can easily see what software is installed and being utilised in your company. If you have any problems, please post your query to the new Bigfix forum. Are you benefiting from IBM Endpoint Manager SUA? If so we’d love to hear from you. Darryl
The IT industry loves buzzwords and acronyms. We we have RAM, SOA, EMM, VM, AJAX, HTTP… luckily we have Glossary‘s available to help us decode what we’re talking about!
I suggest there is another acronym that is growing in popularity, UEM or Unified Endpoint Management.
In the past, organisations ran “traditional” server management tools, which extended to managing Windows PCs. These are the traditional on-premises solutions such as IBM Endpoint Manager (IEM/BigFix), Microsoft Systems Center Configuration Manager (SCCM) etc. Some solutions such as IEM did a great job to manage a variety of new devices, even when the devices were disconnected from the office network.
As smartphones arrived, IT needed a way to provide visibility and ensure devices were secured if they were lost or stolen. So independently, new mobile device management (MDM) solutions emerged.
Some MDM solutions have since evolved to provide advanced device and data security management. These advanced solutions such as MaaS360, include secure container solutions which separate business from persons personal data. MaaS360 provides a secure container across a range of mobile form factors such as iOS, Android and Windows Phone. These solutions are what Gartner, and the industry have termed Enterprise Mobility Management or EMM solutions.
However very few EMM’s are also providing a true Unified Endpoint Management or UEM solution. Integrated solutions which can manage new and old PCs, Macs and mobile devices. Many claim “we manage PCs and Macs”, but when you scratch below the surface, you soon realise it’s only the latest operating systems and via an initial set of management API’s in Windows 8 or Mac OS X.
MaaS360 has been managing PCs and Macs for over 10 years. So it provides a set of more advanced PC and Mac management services. Even those running Windows XP SP3!
So you can implement a SaaS solution in minutes, that can manage a wide variety of form factors from old Windows XP PCs to Microsoft SurfacePro 3, iOS, Android, Mac OS X, Windows Phone and Blackberry.
I conducted a Webinar on Thursday 27th 2014. You can register here and see a replay of the recording plus slides.
IBM has released a new extender for IBM Endpoint Manager (IEM) to MaaS360. The extender (or connector) allows MaaS360 mobile device information to be accessible within IEM alongside PC, Mac and Server endpoints. Hence the Unified Reporting capability.
The setup is relatively straightforward and the development team have created some excellent documentation here. With some information provided by Fiberlink which is specific to your MaaS360 account, you’re ready to get started.
You start by activating the MaaS360 site and deploying the Management Extender for MaaS360. I decided to use a dedicated virtual machine which was already an IEM relay in my test environment.
The only issue I came across was the information I received wasn’t correct for my MaaS360 account. I was provided a Platform ID of 3, and the extender didn’t function after I configured it. After re-confirming this with firstname.lastname@example.org, they provided a Platform ID of 5 for my account. The extender was then configured correctly, and a list of mobile devices from my MaaS360 account was displayed!
I’ve included a bunch of screen captures from the setting up the extender, to the list of devices, and drilling down to an iOS device and obtaining inventory information and sending commands to a device.
This capability allows clients to view a mixture of endpoint types from a single console. I expect more integration will be progressively released over time.
IBM Fiberlink MaaS360 a Leader in the 2014 Gartner Magic Quadrant for Enterprise Mobility Management
MaaS360 has earned IBM Fiberlink a leadership position in the Magic Quadrant for the 3rd year in a row.
IBM was selected a Magic Quadrant leader for Enterprise Mobility Management (EMM) based on completeness of vision and ability to execute.
Gartner highlighted the MaaS360 mature shared-processing multi tenant architecture. In addition, reference customers who consistently praise MaaS360’s ease of use for both end-user and administrator.
MaaS360 is one of the few MDM products, where you can literally use their MDM product in minutes. A customer can register their details at www.maas360.com for a 30 day trial, and take it for a test drive within minutes
Get your complimentary copy of Gartner’s latest report for in-depth analysis of where enterprise mobility by registering your details here.
Please contact me if you need any information on MaaS360.
IBM Endpoint Manager (IEM) can not only provide software distribution but also Operating System Deployment (or OSD). OSD includes the ability to upgrade operating systems (such as Windows XP to Windows 7) but also perform bare metal installations. I’ve recorded two edited video’s of OSD in action for an upgrade and bare-metal installation.
OSD is a feature of IEM’s Lifecycle Management service and a lot of detailed documentation is available here. My colleagues David Kosenko and John Golembiewski have now produced an excellent step-by-step guide of the setup and use of OSD.
- Setup of OSD
- Deploying the Windows 7 Image to a Windows XP system
- Bare Metal Imaging
- Quick Reference Guides
MaaS360’s Secure Productivity Suite (SPS) or secure container is available on iOS, Android and now Windows Phone. Clients have been particularly interested in MaaS360’s secure container for Windows Phone. The different mobile experience and something different is quite a discussion point in live demonstrations.
Organisations realise that Windows Phone will be a viable third force in mobile devices. Windows Phone 8 is just beginning to see broader adoption in the U.S. and in Europe, and I’d agree in Australia and Asia Pacific too.
I’m still looking for a OS X / iPhone Reflector equivalent for Windows Phone (if possible) for live demonstrations. So for the clients who have asked, I wanted to share a number of screen captures of Windows Phone 8 running the MaaS360 SPS (‘secure container’).
You’ll notice the MaaS360 SPS not only features email and calendar, but also the ability the securely share documents and your internal web resources via the secure browser.
I look forward to doing more testing with the Windows Phone 8 and MaaS360, and demonstrating this capability to our clients.
Samsung Australia were kind enough to loan me Galaxy Note 3 to test it’s capabilities with MaaS360. It’s a fantastic smartphone and the screen resolution was amazing.
MaaS360 provides a range of Android device management. Samsung have extended this capability for their devices via Samsung SAFE (Samsung for Enterprise). MaaS360 also has the capabilities to provide remote control of these devices, just like a traditional PC or Mac.
Enrolling a device to MaaS360 is very simple. The administrator can configure all users to enrol in a pre-defined URL, which they can then be authenticated to a companies Active Directory server. The following are a set of screen captures when I enrolled my device.
The Samsung phone would then register to MaaS360 and I could then manage the device. I was then able to distribute the MaaS360 Remote Control application.
The user would install the application as shown in these screen captures:
The MaaS360 administrator can then select to remote control the device as shown:
The user is then prompted on their phone to accept remote control.
After a few seconds, the administrator can view and take control of the device as shown in this video.
MaaS360 is a multi-tenant SaaS based Enterprise Mobility Management (EMM) solution. It not only manages mobile devices (iOS, Android, Windows etc) but also your traditional Windows and Apple Macs (OS X) too. To provide visibility of a companies internal resources such as Active Directory, Exchange, Domino or Blackberry in a secure manner to MaaS360, Fiberlink created the “Cloud Extender” (CE). The Cloud Extender is a small Windows application that you can install on an internal Windows server (physical or virtual machine) as shown in the following diagram:
This article details how I setup the Cloud Extender in our lab running on Softlayer, which consists of Active Directory (x2) and Exchange 2010 server (I tested with the Exchange 2007 Exchange Management Tool and PowerShell options below).
Setting up the Cloud Extender on your internal server
- The setup guide and Cloud Extender Configuration Tool executable is available from the Setup MaaS360 console as shown
- On your nominated intranet server, run the MaaS360_Cloud_Extender.exe and follow the defaults until it is installed.
- Run the Cloud Extender Configuration Tool and select if it’s communicating to the Internet directly or via a proxy. The CE needs communication to *.fiberlink.com and *.maas360.com on ports 80 and 443:
- Select the Services to be configured. You can select various Exchange versions, Lotus Traveller, Blackberry BES, User Authentication (Active Directory or LDAP), User Visibility (Active Directory or LDAP) and Certificate Integration:
- The Cloud Extender Configuration Tool runs a series of prerequisite checks:
- I next configured the Service account to communicate to Active Directory and Exchange. I then tested Authentication:
- I didn’t apply any device managmeent restrictions as shown below:
- The Cloud Extender then completes it’s configuration and it automatically downloads any required components from MaaS360:
- The Cloud Extender has an Automatic Software Update feature which is nice. Finally click Finish.
Cloud Extender from the MaaS360 console
Now login to the MaaS360.com console and select Setup and Cloud Extender. You can see the range of services configured and last communication times.
You can then run a series of tests to ensure the Extender running correctly.
So that’s it! Incredibly easy and I took less than 30 minutes to walk myself through the installation and configuration. If you have any questions, the MaaS360 MDM forum looks a great place look first. Of course, if you would like to try out MaaS360, you can register for a free 30-day trial by going to www.maas360.com/IBM.
Today IBM announced the aquisition closure of Fiberlink Communications. Fiberlink have developed an amazingly simple to use Enterprise Mobility Management (EMM) service. MaaS360 is one of the few MDM products, where you can literally use their MDM product in minutes. A customer can register their details at www.maas360.com for a 30 day trial, and take it for a test drive within minutes. No waiting for sales contacts to contact you first, no migration to other services if you like to use the product after the trial.
I’ve found MaaS360 extremely easy to use. Which is feedback I’ve also heard from clients evaluating other MDM solutions. The MDM in minutes video provides a great overview:
The team at Fiberlink also provide PC and Mac management, which is based on IBM Endpoint Manager (BigFix) technology. So I look forward sharing with you how IBM Endpoint Manager technology will integrate with MaaS360 in the future. I’ll also post my experiences and insights into MaaS360 on this blog too.
IBM Endpoint Manager (IEM) is popular with Managed Service Providers (MSPs) for it’s ability to manage hundreds of thousands of endpoints via a single multi-tennant architecture. IEM provides MSP’s the flexibility for either centralised or delegated administration models.
IBM Endpoint Manager is typically installed in a centralised architecture as show below. A single IEM server is installed at the MSP to manage several clients from one platform. The IEM server may be installed with Distributed Server Architecture (DSA) for larger environments. Some MSP’s prefer to leverage virtualisation technologies for disaster recovery such as VMware Site Recovery Manager (SRM).
IEM can manage thousands of separate customer networks (each with thousands of endpoints), without requiring a VPN connection to each client. This is achieved via IEM relays. A relay is essentially any endpoint but performing some additional responsibilities. IEM can also manage roaming endpoints which may have left those clients and are working at other remote locations (home, hotels etc).
Top Level Relays (MSP Relays)
To manage these endpoints, the MSP will need to separate the IEM server from the public internet via one or more relays. These relays can be designated relay1, relay2, relay3 etc. as extra capacity is required. The suggested guideline is approximately one of these MSP’s will support 1000 child relays, which you can think of is approximately 1000 MSP managed customers.
Including another relay for redundancy is good practice. So for most MSP’s with two top level relays, this could support around 2000 child relays (or managed customers). For the purposes of this.. example, I have called this top level relay relay1.msp.com.
At each customer office that will be managed by the MSP, it’s recommended to install a relay. If you don’t, each endpoint will communicate back directly to the top level relays. So there is additional bandwidth requirements. Each endpoint will most likely need to have command polling enabled. So each endpoint ‘phones home’ on a regular basis.
If you deploy a relay, this can be an existing server already in the DMZ (running a range of Windows, Linux or Unix operating systems). The IEM agent is installed which communicates back to the top level relay called relay1.msp.com. The server relay1.internal.org is promoted as a relay using Fixlet ID 1642 Install IBM Endpoint Manager Relay (Version 9.0.787.0). Check of course for later versions.
Network and DNS Requirements
Ensure you have TCP ports 52311 open at both the MSP and client firewalls. You can check this by performing the following telnet commands:
telnet relay1.msp.com 52311 telnet relaycust1.msp.com 52311
You can also also use a web browser and browsing to the relay’s address and append :52311/relaydiagnostics as shown below:
The MSP should designate the DNS name of the top level relays for client registration purposes (see below). The MSP doesn’t need to define DNS entries for the client relays (such as the name relaycust1.msp.com), although you might simple do this to assist with future network diagnosis.
Endpoints at each of the remote offices need to register back to the MSP’s IEM server. This is not possible via direct communication. It’s achieved by configuring the remote client to register via a nearby relay. In our example above, this is to relay1.internal.org as detailed in this article. The client then registers all the way back to the MSP’s IEM server via the relay servers.
Most MSP’s allocate each client a unique Client Identification (CID) as outlined in this wiki article. They do this so all the endpoints can be easily classified and grouped together. Select Computers, Tools – Manage Properties and create the following cid property:
The cid value can be defined at endpoint registration time via a clientsettings.cfg setting. This number can be allocated from the IEM console, by selecting the server, clicking the right mouse button, then selecting Edit Computer Settings… Then select Add, and enter a setting name of cid and the appropriate number you’ve designated. ie. 0001. Once you’ve clicked ok, it can take a few minutes for this new value to be applied to the endpoint and the results sent back to the IEM console.
You can define separate administrator accounts to only manage those clients endpoints. To do this, create a local account or LDAP role. Then as shown below, only assign computers that match the appropriate cid value. When the user logs back into the IEM console, they will only be able to administer computers with the cid of 0001.
As outlined in this article, circumstances may arise whereby the MSP is required to manage and/or deploy custom content for a specific customer. To avoid all customers TEM Clients downloading and evaluating this custom content, the MSP must create “Custom Sites” and subscribe only the specific customers TEM Clients to that site. Create custom sites for each client and assign computers to them using the following example:
Also note that by default, the IEM Operator accounts you create for each customer cid will have no access to the IBM External sites, such as Patches for Windows, Asset Discovery, Inventory & License, etc, so you will need to give “Reader” access for any of these sites that are required by these customer specific IEM Console Operator accounts.
Running Actions to remote endpoints
With the above IEM architecture in place, the administrator can deploy a patch to a remote endpoint and see it’s progress in realtime. Here is a short five minute video showing a small Microsoft hotfix being applied to a remote server. Remember that this server is isolated at the remote clients network, and has no direct communication to the Internet or central MSP IEM server. All communication is performed via the IEM relays.
You can see how IEM provides a flexible multi-tenant service for Managed Service Providers (MSPs) without complex networking or server requirements.