How to better manage mobile (iOS and Android), Windows and macOS updates with MaaS360

MaaS360 is well regarded to providing support for a broad range of mobile, PC and Mac operating systems.   MaaS360 currently supports iOS, Android (including ruggedized devices), Windows (from XP to Windows 10) and macOS.

Keeping these devices secure with the latest features and security patches (if applicable for the operating system) can be simplified using MaaS360 Unified Endpoint Management.

Mobile operating systems have different approaches for both providing updates.  Applying patches for Windows operating systems is particular important from a security perspective.

As outlined in the IBM article Six Major Data Breach Trends From 2017“while advanced zero-day attacks can be a formidable threat, they are more often the stuff of fear and legend. In fact, according to the IBM X-Force vulnerability database, less than 1 percent of vulnerabilities in 2016 were considered zero-day vulnerabilities — that is, flaws exploited in the wild for which patches do not exist. Failure to patch existing critical vulnerabilities is most often the cause of havoc on a global scale, particularly when there is a huge number of vulnerable endpoints”

The following article details how MaaS360 can not only provide the visibility organizations require on their cross platform operating systems, but provides a range of technologies to easily update operating systems and 3rd party applications.

Operating System Inventory

The MaaS360 portal allows administrators to easily know the operating system versions across all operating systems as shown below.

Hardware Inventory - OS

MaaS360 includes a readiness report for Windows 10, to allow an organisation to determine if their PC fleet has the hardware resources to support this operating system based on free space, memory and processor speed.

Windows 10 Readiness

Compliance Rules

MaaS360 includes a range of automated compliance rules including minimum and maximum operating system versions.  A minimum version can be details as shown below.

Compliance - OS Version

 

If the operating system version isn’t updated to the minimum, a range of compliance rules can be enabled.

Compliance - Enforcement

MaaS360 Advisor

Made possible by the MaaS360 integration with Watson, MaaS360 Advisor delivers opportunities, risks and general information.  Advisor sources insights from structured data, such as cloud-sourced content from MaaS360 customer environments, and unstructured data, such as information from the X-Force Exchange, giving administrators ample, relevant context to make their most important decisions.  This capability as shown below can highlight particular operating system issues which should be given higher priority.

Watson Advisor

Manage iOS Updates

Apple iOS is renowned for its speed and user experience to update the operating system.  According to Apteligent, iOS 11 is now deployed on over 81% of all devices (as of March 2018)

iOS provides alerts for new updates and allows a convenient scheduled option, to allow updates to occur overnight if the device is plugged into power.

If the iOS devices are supervised, MaaS360 can push iOS updates as shown.

iOS - Push update

MaaS360 also supports the shutdown and restart of iOS supervised devices.

Some organisations need additional time to test their applications on new versions of iOS. Therefore starting with iOS 11.3 and macOS 10.13.4, administrators are able to specify a number of days to delay a software update, with a maximum delay of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.

Manage Android Updates

The mix of different Android versions according to Apteligent is quite different.  There is quite an even use of Android KitKat (12.27%), Lollipop (20.16%), Marshmellow (25%) and Nougat (34.7%).  The latest Oreo release is only 3.3% as of March 2018.  Google’s Project Treble will certainly allow Android releases to be updated much faster over time.

MaaS360 supports Android system update management with Android Enterprise (Device Owner operation) as shown below:

Android - Update management

Previously, all users received and installed firmware updates, without IT having any control over it. On top of that, the unplanned firmware updates would sometimes break the enterprise apps due to compatibility issues.

MaaS360 can now address this by managing firmware for Samsung devices.  MaaS360 integrates with Samsung Enterprise FOTA (Firmware Over-The-Air) and includes selective, forced and time controlled firmware management.  For further details, please see this article.

E-FOTA Updates

Manage Windows Updates

MaaS360 supports updates (via patches) of Windows 7 through to Windows 10.  This is provided via our native patch management service.  Patches are delivered via our worldwide content delivery network.  The necessary patches required for each workstation are shown in the portal as follows:

OS Patches - Windows

You’ll also see that MaaS360 supports the patches of a range of 3rd party applications such as Adobe Reader, Flash, Java, Firefox, Notepad and many other applications.

App Updates - Windows

Alternatively, MaaS360 can configure Windows 10 to apply firmware updates to be applied directly from Microsoft or an internal WSUS server as shown below:

Windows 10 - Update Management

Manage macOS Updates

MaaS360 also provides an integrated service to update Apple macOS and 3rd party applications as shown below:

macOS - OS Patches

Alternatively, MaaS360 can configure macOS to apply updates from a software update server and App Store settings as shown below:

macOS - Software Update Settings

Unified Endpoint (OS) Management

As outlined above, MaaS360 provides organizations a truly unified management platform to keep all devices updated and therefore more secure.

If you have any questions on any of the above capabilities, please feel free to post your query to our community forum, or contact me directly via my blog contact page.

Advertisements

Enable secure mobile Intranet access in less than 30 minutes with IBM MaaS360

Many organisations provide mobile access to corporate email/calendar services. Enabling more advanced collaboration services can be more complex and expensive to deploy.  MaaS360 offers a new approach to deploy a range of new mobile collaboration services:

  • Secure Document access (SharePoint, Fileshares, CMIS, Box, One Drive for Business, Connections, Google Drive)
  • Web Browser Intranet access
  • Mobile Application Intranet access

These services can be accessed without the need to deploy a more powerful and typically expensive VPN solution.

Clients love MaaS360’s unified mobility management features and new mobile application and App Catalog look and feel as shown below:

container1      appcatalog2

Mobile collaboration is enabled by deploying the MaaS360 Cloud Extender/Enterprise Gateway on-premises.  This provides a micro-VPN service from your company Intranet to the MaaS360 application on each device protected by FIPS 140-2 compliant / AES-256 encryption.  Regardless of the security of the mobile device, MaaS360 protects all information inside of the encrypted MaaS360 application.

This article steps you through the steps to enable this capability in less than 30 minutes.

Step 1: Start your free 30 day MaaS360 production trial

If you haven’t already, go to MaaS360.com/trial and enter your details to start a MaaS360 trial.  This is a production trial so everything you configure / setup is available beyond the trial period without any activation charges.

Once you’ve started a trial, enrol a number of devices and get familiar with the MaaS360 portal.  The MaaS360 administrator portal is very easy to use, however you can also review this video which provides a great overview.

Step 2: Install the MaaS360 Cloud Extender

Next install the MaaS360 Cloud Extender (CE) on an internal Windows server.  This allows you to connect on-premises resources such as Active Directory, Certificate Authorities to the MaaS360 SaaS service.  You can follow the instructions here to install and configure the CE.

Step 3: Install and configure the Mobile Enterprise Gateway (MEG)

The following instructions detail how to enable the Enterprise Gateway as a feature within the Cloud Extender.

  1. Next contact our ops team via the 24×7 technical chat service 3 - maas360 chat and ask for the Enterprise Gateway service to be enabled for your trial account. Also advice them to select either the US, Europe or AP hub if you use the MEG in relay mode.
  2. Next select SetupServices and enable Enterprise GatewayMEG 0.8
  3. Start the Cloud Extender Configuration Tool and select Enterprise Gateway.  Select either Active Directory or LDAP directory using the same configuration you used for User Authentication/User Visibility.

    MEG 1

  4. The config tool will perform a number of checks for connectivity and Active Directory authentication:MEG 3  MEG 4
  5. Next select the Standalone configuration mode, choose a name for your MEG gateway (ie. in my case I chose MEG1-AP) and the gateway Relay mode.  You should then see in the drop down box the correct relay server.

    MEG 5

  6. It’s important to ensure you select WebDav Server Setup for Network File Share access. You might also like to select the checkbox to re-use the user’s credentials.MEG 6

    Ensure you do not select Internet Proxy Settings.  This will route all requests for your intranet to a proxy first.  Only select this feature if really needed.

    MEG 7

  7. Next within the MaaS360 Workplace persona policy, enable the following services:MEG 8
  8. Next under BrowserEnterprise Gateway, select your MEG gateway and choose the DNS wildcard for all your Intranet services.MEG 9
  9. From your mobile device using the MaaS360 secure browser, you should be able to access your company Intranet as shown.

    MEG 13
     

  10. Next from the MaaS360 administrator portal, select DocsContent Sources.  Add a Windows File share using the example below.  It’s important to get the Folder path correct including upper/lower case letters.  Ensure you can browse to the file share without any issues from the Cloud Extender server itself.MEG 10
  11. From your mobile device, you should be able to also access the documents from the file share from with the MaaS360 Docs application as shown:

    MEG 12
    MEG 11

That’s it !  As you can see, it’s quick and easy to provide company information securely to your mobile workforce.  With the comfort that this information is protected and leveraging additional mobile services such as MaaS360 Threat Protection (integrated anti-malware for iOS and Android).

If you would like further information, please ask a question on the new MaaS360 forum or contact me directly via my blog contact page.

Darryl

Ten things you might not know about IBM MaaS360

As we start 2016, there is a renewed focus on doing more with less.  Our clients are looking more than ever to consolidate and simplify their IT management solutions.

IBM MaaS360 resonates with our clients when we detail it’s unique unified mobility management capabilities.  This management is available across a wide variety of mobile, PC and Mac devices.  MaaS360 was recently named the clear leader in the Forrester Wave: Enterprise Mobile Management, Q4 2015 report.

1-MaaS360 Overview

The following article outlines ten solution capabilities, which are unique to the enterprise mobility management (EMM) market.

#1 – Fastest Time to Trust (Trial and On-premises components)

The MaaS360 solution is unique, in that anyone can easily start a production trial in just a few minutes.  Simply go to www.maas360.com/trial and start a free 30-day trial of our solution.  As part of the 30 day trial you’ll be provided technical assistance as you need it at anytime (via remote Webex or 24×7 chat service).

The trial is in our production service, so you can the validate how easy our solution is to use.  When you wish to proceed as an active client, there is no additional migration effort or activation fees.  Your account status is changed in a few minutes, it’s that easy.

Likewise, the on-premises components are very easy to setup and configure.  For the example the Cloud Extender is a small Windows executable (which can be downloaded from the MaaS360 portal).   The MaaS360 Cloud Extender (CE) communicates outbound to our SaaS platform on port 443, so is very firewall and proxy friendly.  You can typically install and setup the cloud extender in less than 30 minutes. The Enterprise Gateway is now an activated module as part of the CE, so also very easy to enable too.

2-MaaS360 Architecture

#2 – Multi Tenant Hierarchy for Mobile Service Providers (MSPs)

As mentioned in a previous post, IBM MaaS360 provides inherant multi-tenancy services, which provides the following services for a MMS organisation:

  • Multi-Tenant Hierarchy
  • Easily supports multi-channel model
  • Easily onboard new customers/partners
  • Single login to manage customers
  • Branding
  • Dashboards and Reports

This is depicted in the following diagram:

MaaS360 multitenant architecture

The key benefit for MSPs (and large organisations) is the speed and simplicity in managing large number of devices with complete separation (client or division).  The ability for an MSP to provide their clients a unique trial URL is very compelling.  This allows an MSP’s client to start a production trial in less than 3 minutes.

#3 – Flexible Branding Options

Various elements of MaaS360 can be easily branded via the MSP portal.  This includes the trial registration page, service name, portal logo etc.  Elements of MaaS360 can also be branded for each client of the MSP too (such as inside the Secure Productivity Suite, the logo can be changed).

3 - Flexible Branding

#4 – Secure Container for iOS, Android and Windows Phone

MaaS360 Secure Productivity Suite (secure container) keeps your staff work services in one secure easy-to-use app. They can manage all their emails, contacts, calendars, enterprise applications and the web (+intranet) from an isolated workspace on their mobile devices.

4 - SPS 3 in one

This is great for BYOD and is available for iOS, Android and even Windows Phone !   The application is fully encrypted (includes FIPS 140-2 compliant, AES-256 encryption for iOS, Android and Windows Phone) so doesn’t rely on any device encryption or policies.

#5 – Integrated Mobile Threat Management

MaaS360 is the only leading EMM with integrated mobile anti-malware capability.  This includes anti-malware services for iOS and Android.

Threat Management detects, analyses and remediates mobile risks delivering a new layer of security (without the need of another application or system).  Threat Protection leverages IBM Security Trusteer® using over the air updates to protect against:

  • Mobile malware (iOS and Android)
  • Suspicious system configurations
  • Compromised devices
  • Seek out hiders & active hiding techniques that try to mask detection of jailbroken & rooted devices

Here is a link to a great video overview.

#6 – Leading technology integrations

MaaS360 provides a range of integration capabilities with IBM and 3rd party solutions.  For example:

  • Directory Services – Microsoft Active Directory, Open LDAP, Novell eDirectory, SAML, Open LDAP
  • Email Systems – Exchange, Office 365, Google Apps, Lotus, Blackberry BES
  • Certificate PKI – Microsoft, Symantec and Entrust
  • Network Access – Cisco, ForeScout, Aruba, Bluecat, Juniper, F5, BlueCoat, Airpatrol, Aruba, Dell SonicWALL
  • IT Service Management – ServiceNow, Continuum, LabTech, Spiceworks
  • Content Repositories – Sharepoint, Office 365, Box, DAV, Connections
  • Mobile App Platforms – Worklight, Xamarin
  • Containers – Android for Work, Samsung Knox
  • APIs – REST
  • Security Information Event Management (SIEM) – QRadar
  • Single Sign-On – IBM Security Access Manager
  • App Reputation – Trusteer (Integrated), Veracode, Appthority, Checkpoint

No matter what your IT environment, we’re sure to have you covered!

#7 – Manage PCs (Windows 7 – 10) and Mac OS X

MaaS360 has a number of unique PC and Mac Management capabilities, even for older operating systems as far back as Windows XP!

7 - PC and Mac

The following is a summary of MaaS360’s PC and Mac services:

Gain Instant Insight

  • Hardware inventory
  • Software inventory
  • Security & compliance
  • Custom attributes
  • Operating system details, patch levels
  • Location history

Take Immediate Action

  • Enroll over-the-air
  • Locate, lock, restart or shutdown device
  • Deploy OS patches for latest security updates
  • Distribute software and documents
  • Send message
  • Wipe the hard drive
  • Update Antivirus definitions
  • Patch Management (Windows)

I highlighted some of those unique capabilities above in bold.  With MaaS360 you can distribute software to Windows PC and Apple Mac OS X.

#8 – MaaS360 can work alongside an existing MDM

For those clients who have an existing MDM and cannot yet change, MaaS360 can also work alongside those MDM solutions.  For example, iOS only allows one MDM solution to be managing a device at a time.  MaaS360 can still be deployed to provide a secure productivity suite or enterprise application distribution capabilities.

8 - Alongside another MDM

This capability has proven effective for clients who have struggled with an existing legacy MDM solution. Particularly those solutions which struggle to scale with larger numbers of enterprise applications.

#9 – SaaS scalability and automatic updates & monitoring

The MaaS360 multi-tenant SaaS service provides a number key benefits.  Clients are always on the latest version of the product and new mobile features from iOS, Android and Windows Phone.    This delivers much faster time-to-value than any on-premises solution, with set-up measured in minutes.  See here for further information.

In addition, the on-premises components included integrated health check and monitoring services.  This is particularly valuable for clients and mobile service providers (as no customer monitoring is required)

9 - SaaS monitoring

#10 – Readily Delivered MaaS360 Packages (Per device/Per User)

With MaaS360 clients pay only for what you need, when you need it: start managing a small group of users now, and scale upwards as needed.  Clients can choose the license bundles they need, plus IBM can provide a fixed MaaS360 licensing in Australian or New Zealand dollar licensing.  Both per device or per user (unlimited number of devices) is available.

10 - MaaS360 bundles

When we’ve outlined some of the above features with organisations, they recognise how MaaS360 can provide a powerful platform for their clients.   Of course, if you would like to try out MaaS360, you can register for a free 30-day trial by going to www.maas360.com/trial.

If you would like further information, you can contact me via my blog contact page.

Darryl

Setting up IBM BigFix Compliance for PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is a well know IT security standard for organisations that handle credit card data.  The PCI standard is actually mandated by the Payment Card Industry Security Standards Council, and the potential fines for non compliance and ramifications for a business if they hacked can be significant.

For example in 2013 Target was hacked and the credit card details of over 40 million customers were stolen.  A report for the US Congress in February 2015 provided some sobering statistics:

“Target has reported data breach costs of $248 million. Independent sources have made back-of-the-envelope estimates ranging from $240 million to $2.2 billion in fraudulent charges alone. This does not include additional potential costs to consumers concerned about their personal information or credit histories; potential fines or penalties to Target, financial institutions, or others; or any costs to Target related to a loss of consumer confidence. The breach was among the largest in U.S. history.”

pci dss logo

How can BigFix Compliance assist ?

The PCI DSS standard consists of 12 requirements as outlined here.  The BigFix Compliance PCI DSS Add-on provides reporting and compliance services for server and workstations.   IBM also provides solutions such as Netcool and Qradar to assist with other network and security components for PCI DSS.  So clients have a set of tools to provide a holistic PCI DSS solution.

The continuous monitoring and compliance features of BigFix are well known.  In 2012, Orb-Data wrote an excellent article outlining how IBM BigFix (Endpoint Manager) can assist clients in a number of areas of the PCI DSS standard.  Previously, clients would develop their own Fixlets for PCI DSS, potentiallly leveraging content shared by the BigFix community or professional services.

In June 2015, IBM released the first set of PCI DSS content, which will be expanded with additional content and features over the next 12 months. An overview video is available here.

Setting up BigFix Compliance

To install BigFix compliance, follow the steps below:

  1. From the IEM console, select BigFix ManagementLicense Overview and find the Security and Compliance section.   Next to SCM Reporting select Enable
  2. Click on SCM Reportingunder the  Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. Select Security Configuration – Configuration Management – IBM BigFix Compliance Install/Upgrade
  4. Select the IBM BigFix Compliance 1.7 First-Time Install Fixlet
  5. Select Take Action and select the server where BigFix Compliance will operate.  The latest installer will be automatically downloaded and sent to the server.
  6. From the nominated BigFix Compliance server, run the ibm_bfc_1.8.exe self-extracting archive located in the “C:\Program Files (x86)\BigFix Enterprise\BES Installers\TEMA” directory
  7. After extracting, open the resulting directory and as an Administrator run the bfc_setup.exe file, which will open the IBM BigFix Compliance install wizard
  8. Follow the steps in the IBM BigFix Compliance install wizard, including the browser-based configuration steps following the completion of the wizard.  Some of the screens from my installation are shown below:SCA - 1 SCA - 2 SCA - 3 SCA - 4
  9. Once BigFix Compliance is installed, it automatically launched a web browser and I configured the server.  Settings from my install are also shown below:SCA Config - 1 SCA Config - 2 SCA Config - 3 SCA Config - 4
  10. BigFix Compliance is now installed.  BigFix Compliance consists of a wide variety of security such as CISDISA STIGFDCC and USGCB.  In the next section we’ll then add PCI DSS too.

Enabling the PCI DSS Add-On

You must be licensed for this feature or ask your local IBMer to have it enabled as a trial.  To enable the PCI DSS Add-On, follow the steps below:

  1. From the IEM console, select BigFix ManagementLicense Overview and find the PCI DSS Security and Compliance section.   Next to the various checklists such as PCI DSS Checklist for Windows 7 and PCI DSS Checklist for SQL 2012 select Enable
  2. Click on each of the PCI Sites you enabled in the previous stepunder the  Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. For each checklist you can enable the require Analysis for specific items where you would like data collected from those endpoints.  ie. Analysis – Password requirements. Maximum age should be 90 days.  If you enable this Analysis it will collect the Maximum password age setting from all computers.The information from these Analysis can be accessed by selecting Configured View and selecting Measured Values.  As shown below:measured values - 1
    measured values - 2
  4. The PCI DSS checklists will automatically download and be tested against the computers in your environment.
  5. When you login to the BigFix Compliance portal, it will start reflecting compliance information.  I’ve included a number of screen captures from my lab environment.

That’s it!   BigFix Compliance for PCI DSS is now up and running and you can easily report on your compliance.   If you have any problems,  please post your query to the new Bigfix forum.   If you’re interest in more details, please contact me.

Darryl

Is your organisation ready for iOS 9?

With the release of iOS9 just around the corner, is your organisation ready?  Your staff will be eager to upgrade to the latest capabilities once the final release is made available.  No longer can you ask your staff not to upgrade their iOS device, they will be doing it !

ios9

Since June, IBM has offered an Upgrade Service for iOS 9 to ensure your enterprise applications are ready.

IBM is also ensuring our solutions will be ready for iOS9, particularly MobileFirst Protect (MaaS360) our enterprise mobility management (EMM) service.  MaaS360 clients have been testing our solution (in the production SaaS solution) for several weeks.  You can see some of the new Restriction settings in the screen capture below:

ios9_maas360

You can be confident that the moment iOS 9 is available, MaaS360 will instantly support these new management capabilities.  This is without any effort or upgrade charges for your organisation.

You can register for a free 30 day trial of MaaS360 at www.maas360.com and take it for a test drive within minutes.

Please contact me if you need any information on MaaS360.

Darryl

Both named Gartner Leaders: IBM MobileFirst Protect (MaaS360) and IBM BigFix (Endpoint Manager)

IBM MobileFirst Protect (MaaS360) has earned IBM a leadership position in the Magic Quadrant for the 4th year in a row.

IBM was selected a Magic Quadrant leader for Enterprise Mobility Management (EMM) based on completeness of vision and ability to execute.

Gartner highlighted the MobileFirst Protect’s mature shared-processing multi tenant architecture.  In addition, reference customers who consistently praise MobileFirst Protect’s ease of deployment.

ibmMobileFirstProtect_circleBlue

Likewise, it was the 4th year in a row for IBM BigFix (Endpoint Manager) to be named a leader in the Gartner Client Management Tools Magic Quadrant.

Gartner highlighted how BigFix excels in patch management, multiplatform support and overall scalability. In additional organisations also frequently use it to manage servers, particularly midsize organisations that prefer a single tool to manage PCs and servers.

Get your complimentary copy of Gartner’s latest report for enterprise mobility by registering your details here.

Please contact me if you need any information on either IBM solution.

Darryl

Setting up BigFix Inventory 9.2

IBM BigFix (Endpoint Manager) has released a new Software Usage Analysis (SUA) module. This release includes a number of new capabilities, specifically SQL support.  BigFix Inventory (or SUA) also provides IBM sub-capacity measurement capability. IBM has provided a number of installation and administration guides here.   In the following article, I’ll step you through the key elements to setup SUA 9.2: Prerequisites

  • I’d created a new Windows 2008 R2 server to run SUA 9.2.  My virtual machine had at least 8GB of memory and 2 vCPU
  • On the SUA server I had installed Microsoft SQL 2012 and updates
  • I had installed an IEM Agent and it was reporting back to the IEM server successfully.

Install and Configure the SUA 9.2 Server

  1. From the IEM console, select BigFix ManagementLicense Overview and find the Software Usage Analysis section.   Next to IBM Endpoint Manager for Software use Analysis v9, select Enable
  2. Click on IBM Endpoint Manager for Software use Analysis v9, under the  Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. Select System Lifecycle – Software Use Analysis – Server Setup and Software Use Analytics.
  4. From the SUA install screen you’ll want to choose a server which will run SUA.  For small environments, SUA could run on the same server as IEM.  However as you grow beyond several thousand endpoints, you’ll want to dedicate a separate server for SUA 9.2.   Select that server and click Deploy Installer.SUA9 install
  5. SUA 9.2 will then show you the following screen as it downloads the SUA 9.2 software and then mirrors it to that server.   In my lab environment this took about 10 minutes.  You can check the progress of the download by looking at the running Actions too:Deployment Status Pending download completed successfully sua installer next steps
  6. On the SUA 9.2 server (my server was called SFTSGSUA9 – as it’s on Softlayer) I ran the installer setup-server-windows-x86_64.bat (as an Administrator).
  7. During the SUA 9.2 installation, select the default including accepting the license agreement. Change the default installation path if required:sua 9 path
  8. I select the default https port 9081 in my environment (you could choose another port if required)
  9. I selected System Account and finally reviewed the settings before clicking Installfinal SUA installer review
  10. When SUA was completed I was shown the following screen: sua 9 installer complete
  11. Click on Done and a web browser is then launched to complete the SUA 9.2 configuration.  You might need to click the certificate warning in your web browser. I entered the following information below to configure SUA.sua config 1 sua config 2 sua config 3sua config 4
  12. After the import was completed (which did take a few hours in my lab), the SUA 9.2 application was then launched:SUA login
  13. Back in the IEM console I could click Finish and configure it with the URL of my IEM9TSUA2 server:SUA Finish launch url
  14. Now SUA 9.2 is up and running,  we’ll now setup the endpoints for SUA scanning.

Setup your Endpoints for SUA scanning

  1. From the IEM console,  select System Lifecycle.  Then select Software Use Analysis, select Setup – Activate Analysis.  You should see seven Analysis as shown in the example below.  Activate each of these.activate analysis
  2. Next select Setup – Deploy Scanner to Endpoints and select Install Scanner,  select Take Action.   Select Target and select Dynamic target by property and select All Computers, if you want the scanner applied to every computer with an IEM Agent installed.  Otherwise you might create a manual group (called SUA 9 clients) and select it instead.  Click OK to run the Action.  The scanner will then be deployed to the endpoint.
  3. Select Setup – Schedule Scans on Endpoints.  Select Initiate Software Scan.  Select Target and select Dynamic target by property and select All Computers.  Select the Execution tab.  By default the scanning process will run every 7 days as shown below.  You can change this value if you like.  Select OK when complete.software scan - default
  4. Finally, select Setup – Schedule Uploads on Endpoints.  Select the Upload Software Scan Results fixlet.  Click OK to run the Action.   Select Target and select Dynamic target by property and select All Computers.  Select the Execution tab.  You’ll see below the Fixlet will run anytime new scan results are available and retry this 3 times if there is an error.  Select OK when complete.upload scan results

Note:  As mentioned above, it’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing. Software Catalog Update You’ll want to use the latest software catalog from IBM, which we see has been automatically detected within the console.  You’ll need to perform a similar task roughly every month as IBM releases new SUA catalogs.  The update process is documented within the Fixlet, so check there on what you need to do, especially if you customise the catalog.

  1. From the IEM console,  select Systems Lifecycle – Software Use Analysis – Software Catalog Update – Software Catalog Update.  Select Take Action and select your SUA 9.2 server.  The action will download the latest catalog and install this on your SUA 9.2 server.sua 9 catalog update
  2. Login to the SUA 9.2 server console.
  3. Go to Management – Catalog Update
  4. Click Browse and locate the downloaded catalog file  (I expanded the ZIP file first)
  5. Click Upload.   Then select Import Now within the SUA console and browse to the file (D:\Program Files\ibm\SUA\sua_catalog)   and select the ZIP file.
  6. Click Upload 

    Note:  There is a Fixlet 1002 – Upgrade to the newest Software Usage Analysis 9.x catalog that can be run.  This will automatically download the latest catalog to the SUA 9.2 server.  The above task of applying this catalog via the SUA console is still required (thank’s David Kosenko for this information).

That’s it!   SUA is now up and running and you can easily see what software is installed and being utilised in your company.   If you have any problems,  please post your query to the new Bigfix forum. Are you benefiting from IBM Endpoint Manager SUA?    If so we’d love to hear from you. Darryl