Archive for category IEM

Don’t Drown in a Sea of Cyberthreats

Security teams can be overwhelmed by a sea of vulnerabilities–without the contextual data to help them focus their efforts on the weaknesses that are most likely to be exploited. Cyberthreats need to be stopped before they cause significant financial and reputational damages to an organization. You need a security system that can detect an attack, prioritise risks and respond within minutes to shut down an attack or vulnerability that could compromise your endpoints and data.

Businessman in crisis

The integration of IBM BigFix with IBM Qradar provide accelerated risk prioritisation and incident response to mitigate potential attacks giving you an integrated threat protection system to keep your corporate and customer data secure.

My colleague Roshan Royan and I provided an overview of both solutions and how they are seamlessly integrated on the following Webinar (recording).

Thanks to everyone who attended the Webinar!

Darryl

Advertisements

Leave a comment

Setting up BigFix Inventory 9.2

IBM BigFix (Endpoint Manager) has released a new Software Usage Analysis (SUA) module. This release includes a number of new capabilities, specifically SQL support.  BigFix Inventory (or SUA) also provides IBM sub-capacity measurement capability. IBM has provided a number of installation and administration guides here.   In the following article, I’ll step you through the key elements to setup SUA 9.2: Prerequisites

  • I’d created a new Windows 2008 R2 server to run SUA 9.2.  My virtual machine had at least 8GB of memory and 2 vCPU
  • On the SUA server I had installed Microsoft SQL 2012 and updates
  • I had installed an IEM Agent and it was reporting back to the IEM server successfully.

Install and Configure the SUA 9.2 Server

  1. From the IEM console, select BigFix ManagementLicense Overview and find the Software Usage Analysis section.   Next to IBM Endpoint Manager for Software use Analysis v9, select Enable
  2. Click on IBM Endpoint Manager for Software use Analysis v9, under the  Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. Select System Lifecycle – Software Use Analysis – Server Setup and Software Use Analytics.
  4. From the SUA install screen you’ll want to choose a server which will run SUA.  For small environments, SUA could run on the same server as IEM.  However as you grow beyond several thousand endpoints, you’ll want to dedicate a separate server for SUA 9.2.   Select that server and click Deploy Installer.SUA9 install
  5. SUA 9.2 will then show you the following screen as it downloads the SUA 9.2 software and then mirrors it to that server.   In my lab environment this took about 10 minutes.  You can check the progress of the download by looking at the running Actions too:Deployment Status Pending download completed successfully sua installer next steps
  6. On the SUA 9.2 server (my server was called SFTSGSUA9 – as it’s on Softlayer) I ran the installer setup-server-windows-x86_64.bat (as an Administrator).
  7. During the SUA 9.2 installation, select the default including accepting the license agreement. Change the default installation path if required:sua 9 path
  8. I select the default https port 9081 in my environment (you could choose another port if required)
  9. I selected System Account and finally reviewed the settings before clicking Installfinal SUA installer review
  10. When SUA was completed I was shown the following screen: sua 9 installer complete
  11. Click on Done and a web browser is then launched to complete the SUA 9.2 configuration.  You might need to click the certificate warning in your web browser. I entered the following information below to configure SUA.sua config 1 sua config 2 sua config 3sua config 4
  12. After the import was completed (which did take a few hours in my lab), the SUA 9.2 application was then launched:SUA login
  13. Back in the IEM console I could click Finish and configure it with the URL of my IEM9TSUA2 server:SUA Finish launch url
  14. Now SUA 9.2 is up and running,  we’ll now setup the endpoints for SUA scanning.

Setup your Endpoints for SUA scanning

  1. From the IEM console,  select System Lifecycle.  Then select Software Use Analysis, select Setup – Activate Analysis.  You should see seven Analysis as shown in the example below.  Activate each of these.activate analysis
  2. Next select Setup – Deploy Scanner to Endpoints and select Install Scanner,  select Take Action.   Select Target and select Dynamic target by property and select All Computers, if you want the scanner applied to every computer with an IEM Agent installed.  Otherwise you might create a manual group (called SUA 9 clients) and select it instead.  Click OK to run the Action.  The scanner will then be deployed to the endpoint.
  3. Select Setup – Schedule Scans on Endpoints.  Select Initiate Software Scan.  Select Target and select Dynamic target by property and select All Computers.  Select the Execution tab.  By default the scanning process will run every 7 days as shown below.  You can change this value if you like.  Select OK when complete.software scan - default
  4. Finally, select Setup – Schedule Uploads on Endpoints.  Select the Upload Software Scan Results fixlet.  Click OK to run the Action.   Select Target and select Dynamic target by property and select All Computers.  Select the Execution tab.  You’ll see below the Fixlet will run anytime new scan results are available and retry this 3 times if there is an error.  Select OK when complete.upload scan results

Note:  As mentioned above, it’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing. Software Catalog Update You’ll want to use the latest software catalog from IBM, which we see has been automatically detected within the console.  You’ll need to perform a similar task roughly every month as IBM releases new SUA catalogs.  The update process is documented within the Fixlet, so check there on what you need to do, especially if you customise the catalog.

  1. From the IEM console,  select Systems Lifecycle – Software Use Analysis – Software Catalog Update – Software Catalog Update.  Select Take Action and select your SUA 9.2 server.  The action will download the latest catalog and install this on your SUA 9.2 server.sua 9 catalog update
  2. Login to the SUA 9.2 server console.
  3. Go to Management – Catalog Update
  4. Click Browse and locate the downloaded catalog file  (I expanded the ZIP file first)
  5. Click Upload.   Then select Import Now within the SUA console and browse to the file (D:\Program Files\ibm\SUA\sua_catalog)   and select the ZIP file.
  6. Click Upload 

    Note:  There is a Fixlet 1002 – Upgrade to the newest Software Usage Analysis 9.x catalog that can be run.  This will automatically download the latest catalog to the SUA 9.2 server.  The above task of applying this catalog via the SUA console is still required (thank’s David Kosenko for this information).

That’s it!   SUA is now up and running and you can easily see what software is installed and being utilised in your company.   If you have any problems,  please post your query to the new Bigfix forum. Are you benefiting from IBM Endpoint Manager SUA?    If so we’d love to hear from you. Darryl

Leave a comment

IBM BigFix (Endpoint Manager) Windows 7 Migration Cookbook

IBM BigFix can not only provide software distribution but also Operating System Deployment (or OSD).  OSD includes the ability to upgrade operating systems (such as Windows XP to Windows 10) but also perform bare metal installations.  I’ve recorded two edited video’s of OSD in action for an upgrade and bare-metal installation.

windows-7

OSD is a feature of IEM’s Lifecycle Management service and a lot of detailed documentation is available here.   My colleagues have now produced an excellent step-by-step guide of the setup and use of OSD.

Topics include:

  • Setup of OSD
  • Deploying the Windows 7 Image to a Windows XP system
  • Bare Metal Imaging
  • Quick Reference Guides

This guide can be downloaded from IBM developerWorks from here.   If you have any questions on OSD, you can post them to the IEM forum.

Darryl

 

2 Comments

IBM Closes Acquisition of Fiberlink Communications

Today IBM announced the aquisition closure of Fiberlink Communications.  Fiberlink have developed an amazingly simple to use Enterprise Mobility Management (EMM) service.  MaaS360 is one of the few MDM products, where you can literally use their MDM product in minutes.  A customer can register their details at www.maas360.com for a 30 day trial, and take it for a test drive within minutes.  No waiting for sales contacts to contact you first,  no migration to other services if you like to use the product after the trial.

maas360globalheader

I’ve found MaaS360 extremely easy to use.  Which is feedback I’ve also heard from clients evaluating other MDM solutions.  The MDM in minutes video provides a great overview:

The team at Fiberlink also provide PC and Mac management, which is based on IBM Endpoint Manager (BigFix) technology.  So I look forward sharing with you how IBM Endpoint Manager technology will integrate with MaaS360 in the future.  I’ll also post my experiences and insights into MaaS360 on this blog too.

Darryl

Leave a comment

IBM BigFix for Managed Service Providers (MSPs)

IBM BigFix is popular with Managed Service Providers (MSPs) for it’s ability to manage hundreds of thousands of endpoints via a single multi-tennant architecture.  BigFix provides MSP’s the flexibility for either centralised or delegated administration models.

Overall Architecture
Bigfix is typically installed in a centralised architecture as show below.  A single Bigfix server is installed at the MSP to manage several clients from one platform.   The BigFix server may be installed with Distributed Server Architecture (DSA) for larger environments.  Some MSP’s prefer to leverage virtualisation technologies for disaster recovery such as VMware Site Recovery Manager (SRM).

BigFix can manage thousands of separate customer networks (each with thousands of endpoints), without requiring a VPN connection to each client. This is achieved via BigFix relays.  A relay is essentially any endpoint but performing some additional responsibilities.  BigFix can also manage roaming endpoints which may have left those clients and are working at other remote locations (home, hotels etc).

MSP IEM Architecture

Top Level Relays (MSP Relays)
To manage these endpoints, the MSP will need to separate the BigFix server from the public internet via one or more relays.  These relays can be designated relay1, relay2, relay3 etc. as extra capacity is required.  The suggested guideline is approximately one of these MSP’s will support  1000 child relays, which you can think of is approximately 1000 MSP managed customers.

Including another relay for redundancy is good practice.  So for most MSP’s with two top level relays, this could support around 2000 child relays (or managed customers).  For the purposes of this.. example, I have called this top level relay relay1.msp.com.

IEM MSP Relay1

Client Relays
At each customer office that will be managed by the MSP, it’s recommended to install a relay.  If you don’t, each endpoint will communicate back directly to the top level relays.  So there is additional bandwidth requirements.  Each endpoint will most likely need to have command polling enabled.  So each endpoint ‘phones home’ on a regular basis.

If you deploy a relay, this can be an existing server already in the DMZ (running a range of Windows, Linux or Unix operating systems).  The BigFix agent is installed which communicates back to the top level relay called relay1.msp.com.  The server relay1.internal.org is promoted as a relay using Fixlet ID 1642 Install IBM Endpoint Manager Relay (Version 9.0.787.0).  Check of course for later versions.

Network and DNS Requirements
Ensure you have TCP ports 52311 open at both the MSP and client firewalls.  You can check this by performing the following telnet commands:

telnet relay1.msp.com 52311
telnet relaycust1.msp.com 52311

You can also also use a web browser and browsing to the relay’s address and append  :52311/relaydiagnostics  as shown below:

relay-diagnostics

The MSP should designate the DNS name of the top level relays for client registration purposes (see below).  The MSP doesn’t need to define DNS entries for the client relays (such as the name relaycust1.msp.com), although you might simple do this to assist with future network diagnosis.

Client Registration
Endpoints at each of the remote offices need to register back to the MSP’s BigFix server.  This is not possible via direct communication.  It’s achieved by configuring the remote client to register via a nearby relay.  In our example above, this is to relay1.internal.org as detailed in this article. The client then registers all the way back to the MSP’s BigFix server via the relay servers.

Client Identification
Most MSP’s allocate each client a unique Client Identification (CID) as outlined in this wiki article.   They do this so all the endpoints can be easily classified and grouped together.  Select Computers, ToolsManage Properties and create the following cid property:

Client ID

The cid value can be defined at endpoint registration time via a clientsettings.cfg setting.  This number can be allocated from the BigFix console, by selecting the server, clicking the right mouse button,  then selecting Edit Computer Settings…   Then select Add, and enter a setting name of cid and the appropriate number you’ve designated.  ie. 0001.  Once you’ve clicked ok, it can take a few minutes for this new value to be applied to the endpoint and the results sent back to the BigFix console.

You can define separate administrator accounts to only manage those clients endpoints.  To do this, create a local account or LDAP role.  Then as shown below, only assign computers that match the appropriate cid value.  When the user logs back into the BigFix console, they will only be able to administer computers with the cid of 0001.

Operator to cid0001 computers

Custom Sites
As outlined in this article,  circumstances may arise whereby the MSP is required to manage and/or deploy custom content for a specific customer. To avoid all customers BigFix Clients downloading and evaluating this custom content, the MSP must create “Custom Sites” and subscribe only the specific customers BigFix Clients to that site.  Create custom sites for each client and assign computers to them using the following example:

Custom Site

Also note that by default, the BigFix Operator accounts you create for each customer cid will have no access to the IBM External sites, such as Patches for Windows, Asset Discovery, Inventory & License, etc, so you will need to give “Reader” access for any of these sites that are required by these customer specific BigFix Console Operator accounts.

Running Actions to remote endpoints
With the above BigFix architecture in place, the administrator can deploy a patch to a remote endpoint and see it’s progress in realtime.  Here is a short five minute video showing a small Microsoft hotfix being applied to a remote server.  Remember that this server is isolated at the remote clients network, and has no direct communication to the Internet or central MSP BigFix server.  All communication is performed via the BigFix relays.

You can see how BigFix provides a flexible multi-tenant service for Managed Service Providers (MSPs) without complex networking or server requirements.

Darryl

2 Comments

Keep calm with IBM BigFix

It was recently reported that a Microsoft Windows and Office vulnerability was already being targeted by criminals.  If you search on Google for keywords such a Windows and zero day exploit, it’s interesting to summarise the respective web pages mentions:

  • Windows – Approximately 7 Million web pages
  • Mac – Approximately 500K web pages
  • Linux – Approximately 500K web pages

IBM’s X-Force team publish all new threats via their X-Force Alerts  and you’ll see the usual suspects. As outlined in this CRN Article, IBM’s X-Force Team advised that attackers “use a path of least resistance to gain a maximum return on exploits”.

It’s one thing to be notified of these threats, but how do you confidently address them easily within your organisation?  This is a particular challenge with thousands of PCs and Macs and a mobile workforce.  Some of whom may be travelling for days and not regularly connecting to a corporate network.

keep-calm-with-ibm-bigfix

The good news is, there are tools that can help.  Within hours of vulnerability being identified, IBM’s BigFix team will package and re-test a published hotfix (or suggested alternative).  For example for the Windows and Office vulnerability outlined above, this in in the form of a temporary hot fix.   This is then published by IBM in the form of a Fixlet,  making this critical fix immediately available for all IBM Endpoint Manager servers and their clients.  Each IEM agent then reports to it’s vulnerability status back to the customers BigFix console, so you have a realtime view of the number of endpoints effected.

The BigFix administrator can “Action this Fixlet” (ie. go ahead and fix those PCs and Servers thanks!), which will dynamically download the hotfix and apply it to tens or hundreds of thousands of endpoints.  The administrator can once again view in realtime the remediation status.   So at anytime, the BigFix administrator report this information to their organisation or security auditors.

In addition to the range of operating system vulnerabilities/patches addressed by BigFix, the following is a list of applications managed by the IBM Content Delivery Team include the following  (thanks to Peter Tuton for putting together this list):

Adobe 

  • Acrobat
  • Flash Player (including browser plug-ins) 
  • Reader
  • Shockwave Player

Apple 

  • iPhoto
  • iTunes 
  • Keynote
  • QuickTime
  • Remote Desktop
  • Safari
  • Xcode

Microsoft 

  • Internet Explorer
  • Lync
  • Office
  • Project
  • SQL Server
  • Visio

Google

  • Chrome

Others

  • Mozilla Firefox
  • Nullsoft WinAmp
  • Oracle Java Runtime Environment
  • RealPlayer
  • Skype
  • WinZip

How is your organisation addressing the Zero Day threat?

Darryl

Leave a comment

Manage Amazon (AWS), Softlayer or Azure instances with IBM BigFix

IBM BigFix provides clients with the ability to manage hundreds of thousands of endpoints from a single console.  These can be a range of operating system types such as Windows, Linux, Apple Mac OSX and Unix.  Oh, don’t forget mobile devices too!

You can install your BigFix environment with an relay running in your DMZ,  you can also manage your mobile workforce and public cloud resources too.  A BigFix relay is simply any existing IEM agent thats been given a few more additional tasks.  They provide bandwidth and server scaling benefits and a proxy between externally managed devices and your internal network.

Your public instances will typically be Windows or Linux operating systems running on your public cloud of choice such as Amazon Web Services (AWS), IBM Softlayer or Microsoft Azure.

clouds

Configuring the IEM Client for Public Internet Instances
Each operating system you wish to manage needs to have the BigFix agent installed.  IBM offers a range of agents for Windows, Mac OSX, IBM AIX, HP-UX and  Solaris.  The BigFix agent when it’s started, will attempt to register itself back to your BigFix server.  This will be via details stored within the actionsite.afxm  (renamed from the masthead.afxm file).  This file is unique to your IEM server and is stored on your IEM server in the Program Files (x86)\BigFix Enterprise\BES Installers\Client  directory.

Of course, if you have a public cloud instance the BigFx client won’t be able to reach your privately hosted BigFix server.  You need to provide the client a few additional details so it can ‘phone home’.   This will be your relay in the DMZ and it’s DNS name or IP address.  These details are stored in the clientsettings.cfg file.  The following article provides details on how to configure this, but all it requires is just one or two lines as shown in this example:

   __RelayServer1=http://yourrelay.domain.com:52311/bfmirror/downloads/
   __RelayServer2=http://yourrelay2.domain.com:52311/bfmirror/downloads/

Of course, use your DNS server names. The clientsettings.cfg file is used when the BigFix client is installed.

Deploying your IEM Clients
You may wish to deploy your BigFix clients using the client deployment tool, Active Directory or login script as I detailed here. However for a public cloud environment, some platforms provide image deployment capabilities. Much like VMware’s powerful image template feature, with your cloud provider you will create a ‘gold image’ with your desired operating system, fixes, software and IEM agent installed. You need to follow the instructions in this article so the IEM agent ready to work correctly as new instances are deployed from this image.

Amazon Web Services (AWS)
With AWS, you can create your gold image by creating an instance, shutting it down and selecting Actions – Create Image. You then have an AMI from which you can deploy new Instances as shown below. AWS provide the EC2Config service to also provide Sysprep and other image configuration features. 

aws-ami

Softlayer
With Softlayer, you can use the same approach with their Flex Image. Softlayer also provide the ability to execute a script which will be executed on a newly provisioned SoftLayer device, which is another approach to configure client settings if required.

Console Management
When your instances start for the first time, they will automatically register to the BigFix server and be visible in the console. You’ll then be able to provide the following services from your console. This is possible for your private AND public instances !

  • Patch Management – Operating System Patches, plus a number of 3rd party applications such as Java, Adobe etc.
  • Core Protection – Anti-virus/Anti-malware
  • Security and Compliance – security checklists such as CISDISA STIGFDCC and USGCB.
  • Software Usage
  • Remote Control

If you have BigFix baselines enabled, you can then be assured that those endpoints are automatically patched to a minimum level and an appropriate security posture is applied. IBM BigFix provides per server licensing, so you pay as those instances need to be managed. It would be great to hear from you if you’re managing Windows or Linux instances on AWS or Softlayer.

Darryl

1 Comment

IBM Earns Leader Placement in Gartner’s 2013 Magic Quadrant for Client Management Tools

IBM Endpoint Manager was recently recognised in the Leaders quadrant in Gartner’s 2013 Client Management Tools.  This is a great endorsement of IEM which excels in patch management, multiplatform support and scalability.

IEM Logo

Gartner defines Client Management Tools as:

“End-user computing and support organizations use client management tools to automate system administration and support functions that would otherwise be handled manually. They are configuration management tools that image client systems, track inventory, deploy configuration changes (such as software or patches), enforce configuration standards and assist with troubleshooting. Windows PCs are the primary target of management, but organizations are looking to extend these products to manage Macs, mobile devices and servers as well. Mobile device management (MDM) is still a separate market, but organizations are increasingly looking to use a single vendor and management platform to support their PCs, Macs and mobile devices.”

Hey, what a great endorsement of IEM’s capabilities…  to manage your PCs, Macs AND mobile devices, from a single management platform.

Source:  Gartner

1 Comment

Setting up IBM Endpoint Manager, Software Usage Analysis (SUA) 2.0

I’d previously detailed how you can get up and running with IBM Endpoint Manager, Software Usage Analysis 1.3.   SUA 2.0 is a new release that extends IEM’s software analysis capabilities to Linux/Unix systems and more IBM software products.   The following article details the differences between 1.3 and 2.0 in more detail.

In the following article, I’ll step you through setting up SUA 2.0:

Install and Configure the SUA 2.0 Server

  1. From the IEM console, select BigFix ManagementLicense Overview and find the Software Usage Analysis section.   Next to IBM Software Inventory, select Enable
  2. Select Manage SitesIBM Software Inventory.   Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. Select System Lifecycle – Server Setup and Software Use Analytics.  I don’t see any issue with installing the Software Knowledge Base Toolkit (SwKBT) first, however I chose to install SUA 2.0 first.  I’ll talk more about the SwKBT below.
  4. From the SUA install screen you’ll want to choose a server which will run SUA.  For small environments, SUA could run on the same server as IEM.  However as you grow beyond several thousand endpoints, you’ll want to dedicate a separate server for SUA 2.0.  In my lab environment, I chose a separate Windows Server 2008 R2 VM for SUA 2.0 as shown below.  Select that server and click Deploy

    2 - SUA Install

  5. SUA 2.0 will then show you the following screen as it downloads the SUA 2.0 software and then mirrors it to that server.   In my lab environment this took about 10 minutes.  You can check the progress of the download by looking at the running Actions too:

    3 - SUA Download

    4 - SUA Download Progress

    5 - SUA2 deployed

    6 - SUA Install to Start

  6. On the SUA 2.0 server (my server was called IEM9TSUA2) I ran the installer and completed the install.  I left SUA 2.0 running on port 80 in my environment (you could choose another port if required)

    7 - SUA 2 directory

    8 - SUA port

    9 - System Account

    10 - Start Config

  7. A web browser is then launched to complete the SUA 2.0 configuration.  It asks you the location of your database (in my case I had setup a separate SUA 2.0 database on a remote Windows SQL 2008 server).  I also didn’t worry about migrating my SUA 1.3 information over to SUA 2.0:

    11- SUA 2 config
    12 - Skip Migration
    13 - SUA2 account
    14- SUA2 databases

  8. The SUA 2.0 application was then launched:

    15 - SUA 2 running

  9. Back in the IEM console I could click Finish and configure it with the URL of my IEM9TSUA2 server as shown)

    16 - SUA install finished

    17 - Launch Analytics

    18 - Enter SUA URL

  10. Now SUA 2.0 is up and running,  we’ll now need to install the SwKBT and setup the endpoints for SUA scanning too.

 

Install and Configure the Software Knowledge Base Toolkit (SwKBT)

The Software Knowledge Base Toolkit (or SwKBT) is a new component of IEM SUA.  Think of it as the catalog management service.  It requires you to install a separate component,  but I’d expect over time this probably won’t be required.  In most environments, the SwKBT could easily run alongside SUA 2.0 on the same server.  It’s used infrequently – for example as you load in new catalogs or update entries in the catalogs.  In my lab environment, I installed the SwKBT on the same VM as SUA.

  1. From the IEM console, select System Lifecycle – Server Setup and Software Knowledge Base Toolkit (SwKBT)
  2. From the SUA install screen you’ll want to choose a server which will run SwKBT.   Select that server and click Deploy Installer.  As you see below, the size of the SwKBT is around 650MB so it took well over an hour to download and get mirrored to my SUA2.0 server.

    21 - SKBT progress

    22 - SwKBT download progress

    23 - SkKBT ready to install

    24 - SwKBT install instructions

  3. On the SwKBT server, I followed the default installation options

    25 - SwKBT English

    26 - SwKBT Click Next

     28 - Identifier

    29 - SwKBT userid

    30 - SwKBT start

    31 - SwKBT complete

  4. Once I had clicked Finish.   You can login to the SwKBT server by using the following URL – https://localhost:12344/ibm/console/logon.jsp  (change to your server’s host name)

Setup your Endpoints for SUA scanning

  1. From the IEM console,  select System Lifecycle.  Then select IBM Software Inventory, select Setup – Activate Analysis.  You should see four Analysis as shown in the example below.  Activate each of these.

    1 - Activate Analysis

  2. Next select Manage Deployments – Manage Endpoints – Deploy and select Install Scanner,  select Take Action.   The scanner will then be deployed to the endpoint.  Repeat the process for the Install Common Inventory Technology Scanner.    Why are there two scanners?  See here for further information.
  3. Once the scanner and CIT scanner are deployed to each endpoint, you can then configure the two scanners to run periodically (by default it runs once per week).   Select Manage Endpoints – Scan/Upload  (note it can take a few minutes before the scanner you’ve deployed is relevant to this Fixlet.  I found this was slower for the CIT scanner in my test lab).
  4. Finally, select Manage Endpoints – Scan/Upload again and select your endpoint to send their scanned data to the SUA server via the Upload Scan Results and Upload Common Inventory Technology Scan Results fixlets.

Note:  It’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing.

 

Software Catalog Update

You’ll want to use the latest software catalog from IBM, which we see has been automatically detected within the console.  You’ll need to perform a similar task roughly every month as IBM releases new SUA catalogs.  The update process is documented within the Fixlet, so check there on what you need to do, especially if you customise the catalog.

  1. From the IEM console,  select Systems Lifecycle – IBM Software Inventory – Software Catalog Update – Download Software Catalog Update for SUA.  Select Take Action and select your SUA 2.0 server.  The action will download the latest catalog and install this on your SUA 2.0 server.

    33 - SwKBT catalog update

  2. If your organization does not customise the software catalog (in most cases you wont),  log in to TEM SUA console
  3. Go to Management – Catalog Update
  4. Click Browse and locate the downloaded catalog file  (I expanded the ZIP file first)
  5. Click Upload.   Then select Import Now within the SUA console  (otherwise it will happen automatically at midnight)

    34 - SUA 2 catalog update XML 35 - SUA 2 catalog import 36 - Import Now button

  6. Within SUA console, you’ll also need to click on this option to import a Fixlet into the IEM console.  This Fixlet is linked to the catalog and will send a small catalog to each endpoint for processing.  I found this a little cumbersome, but expect this process will also be simplified in the future.   I edited the Fixlet and added – April 2013 at the end (see below) so I knew in the future this Fixlet was for the April catalog.

    37 - CIT Download Fixlet

    37 - CIT Download Fixlet Edited

  7. Click OK then select Take Action to target this CIT catalog download task to your applicable workstations (or group as suggested above)

    38 - CIT Download Fixlet Run

 

SUA 2.0 is now available

When you log back into the SUA server you won’t immediately see any software usage information until the clients have sent their data to the server AND the data import task has run  (which you’ll remember was once a day).   You can run the data import process immediately if you want to see information like the following:

SUA 2 console

That’s it.  SUA is now up and running and you can easily see what software is installed and being utilised in your company.   If you’re familiar with SUA 1.3, I found the following Getting Started with Software Use Analysis 2.0 guide useful in adjusting to the console changes in 2.0.  If you have any problems,  please post your query to the IEM SUA forum.

Are you benefiting from IBM Endpoint Manager SUA?    If so we’d love to hear from you.

Darryl

9 Comments

Setting up IBM Endpoint Manager, Software Usage Analysis (SUA) 1.3

IBM Endpoint Manager Software Usage Analysis (otherwise known as IEM SUA) allows you to easily determine what software is deployed across your organisation and how actively it is being used on each computer.  With SUA you can easily determine whether you’re effectively using more expensive software such as Microsoft Project or Visio on all of your computers.  IEM SUA is not only useful to improve the efficiency of your software but also substantially reduce the amount of work required for software compliance audits.

In the following article, I’ll step you through the installation of SUA 1.3.

Install and Configure the SUA 1.3 Server

To get started,  download the SUA 1.3 server software from this web site.  http://support.bigfix.com/dss/install/downloaddsssam.html   For small environments you could easily run this on the IEM server itself.

  1. Run the SUA installer exe.   Select Next, Accept the licensing terms and click Next
  2. Select the SUA folder installation and click Next, click Install
  3. Once the install is completed click Finish
  4. Once SUA has been installed,  the configuration wizard will automatically after after a few seconds.  Click Next
  5. I’ve included a number of screen captures for configuring SUA during the install below.  I used NT authentication, however you may wish to use SQL authentication.

    Note:  Notice how I changed the default port for SUA from port 80 to 81 below  (so I didn’t have a clash with Web Reports).  I also used a local account for my test server (which already exists).  You’ll most likely have your SUA server a member of a Windows domain, in which you may want to use an authorised service account.

    2 - SUA Configure 1 

    3 - SUA Configure 2 

    4 - SUA Configure 3 

    5 - SUA Configure 4

    6 - SUA Configure 5

  6. Progress for the SUA installation is shown below:7 - SUA Install8 - SUA installed
  7. Once the install is completed click OK and then click Finish 

    When I’ve installed SUA,  I’ve sometimes been prompted with the following error installing SUA   “Execution of user code in the .NET Framework is disabled. Enable “clr enabled” configuration option”.  This requires running this command on the SQL Management Studio before I configure SUA and then restarting the server.1 - SQL CommandYou can download the SQL Management Studio from here if applicable – http://www.microsoft.com/en-us/download/details.aspx?id=8961.

  8. Run your web browser and browse to http://localhost:81  (port 81 if applicable).  Enter the SUA administrator and password as shown:9 - First SUA user
  9. Configure the datasource as shown below:10 - Configure Datasource

     

  10. Next select create a new Datasource.  Enter details as shown below, along with an EXE scan location of  C:\Program Files (x86)\BigFix Enterprise\BES Server\UploadManagerData\BufferDir\sha1   (change to another drive letter if appropriate)Select Test and one confirmed ok, select Save11 - Create Datasource
  11. We’ll also schedule how often we want SUA 1.3 to import the data uploaded to the server from the clients.  To do this, select Import options and enter the following details to run the import once per day.   Select Save.12 - Schedule Import
  12. You will now have SUA installed, so we’ll now go to the IEM console and configure the clients which will send software usage information to the SUA server.

Setup your Endpoints for SUA scanning

  1. From the IEM console, select BigFix Management, License Overview and find the Software Usage Analysis section.   Next to DSS SAM, select Enable
  2. Select Manage Sites, Tivoli Endpoint Manager for Software Usage Analysis.   Under the Computer Subscriptions tab, change the value from No computers to All computers and select Save Changes
  3. Select System Lifecycle.  Then select SetupActivate Analysis.  You should see three Analysis as shown in the example below.  Activate each of these.2 - Activate Analysis
  4. Next select SetupDeploy Scanner to Endpoints and select Install Scanner,  select Take Action.   The scanner will then be deployed to the endpoint.13 - Install Scanner
  5. Once the scanner is deployed to each endpoint, you can then configure the scanner to run periodically (by default it runs once per week).   Select Setup – Schedule Scan on Endpoints  (note it can take a few minutes before the scanner you’ve deployed is relevant to this Fixlet).  If you review the Execution tab, you can see the scanner will run by default every 7 days.14 - Schedule Scan
  6. Finally, select Setup – Schedule Uploads on Endpoints and select your endpoint to send their scanned data to the SUA server.14 - Schedule Scan Info

Note:  It’s probably a good idea to do each of the three items above on a group basis, so that as you deploy additional endpoints they’ll automatically be setup for SUA processing.

There is a nice SUA health dashboard as shown below:

15 - Dashboard

If relevant, new software catalog updates will be shown here along with instructions to download and install these on your SUA server.

16 - Catalog Updates

Note:  When you log back into the SUA server you won’t immediately see any software usage information until the clients have sent their data to the server AND the data import task has run  (which you’ll remember we set on a once a day basis).   You can run the data import process immediately if you want to see information like the following:

17 - SUA running screen

That’s it.  SUA is now up and running and you can easily see what software is installed and being utilised in your company.   It’s worthwhile watching the following video which gives an overview of the SUA 1.3 console.   If you have any problems,  please post your query to the IEM SUA forum.

Are you benefiting from IBM Endpoint Manager SUA?    If so we’d love to hear from you.

Darryl

Leave a comment