So I normally do not regurgitate generic technical information that you can find on one of a thousand different blog sites and podcasts unless I feel that there is unique significance to the EDU community. If you attended MMS 2008 or paid attention to the announcements and press releases announced during the Summit, there were three major things and one 'quiet but intriguing thing' that I think will have a HUGE impact in EDU. The three major announcements (and one 'quieter' announcement) were:
- Beta Availability of Operations Manager 2007 Cross Platform Extensions: So an ugly and long title but to put it simply, we are planning to introduce OpsMgr client agents for non-Windows systems including RHEL, Sun Solaris, SLES, HP-UX, and AIX. This is definitely a first and not just for the Management division but for Microsoft as a whole as we will be including actual agents for non-Windows based systems AND these are based on the OpenPegasus initiative which means the agents will be open-sourced. Yes, you read that correctly (read again, if you need to - I know I had to!). Beta 1 of these agents are available now off of the Connect site. For more information on how to obtain these, go here:
http://blogs.technet.com/systemcenter/archive/2008/04/29/operations-manager-2007-goes-cross-platform.aspx
- Beta Availability of Operations Manager 2007 Connectors: This one may not be as shocking as the above as you may have seen this coming when we acquired Engyro a little over a year ago and have since made the Engyro Connectors available 'for free' to licensed OpsMgr customers to connect OpsMgr to their HP OVO, Tivoli management systems and the like. What is significant is that we are basing the connector on the same OpenPegasus stuff and will be open-sourced. Like the extensions above, the beta is publicly available at the same link above.
- Beta Availability of Virtual Machine Manager 2008: Not as big of a surprise as we have been talking about the v.Next version of VMM allowing for management of Hyper-V and VMWare hosts, but very nice to see we are right on track with the public beta availability of this next version. Access to and information on how to get at the bits can be found here: http://www.microsoft.com/systemcenter/scvmm/default.mspx
- Kidaro First Look: Although the acquisition at the time of this writing was not quite complete, there were a few breakout sessions and more detail around the technology that this acquisition will bring. Kidaro will become yet another technology provided to those customers that subscribe to the Desktop Optimization Pack (with no extra price increases planned, BTW) and will allow customers a way to deliver and control virtual OS's to clients via physical media (USB key, DVD, etc.) and/or streaming technologies with complete integration with the end client. Think of it as the best of virtual machines, terminal services, and virtual applications without any of the downsides these technologies have. IMHO, the Kidaro 'stuff' (we still have not picked a formal name for it yet) will solve MANY problems in EDU by allowing you to have a controlled set of OS images complete with your supported applications that can be seamlessly run and delivered to unmanaged machines - such as a student or faculty member's personal machine. Is this VDI? No - it is MUCH, MUCH, better... I am sure more information will be forthcoming once the acquisition is complete but here are some links to check out today:
http://www.kidaro.com
http://blogs.technet.com/james/archive/2008/03/25/mdop-to-get-bigger-more-value-included.aspx
http://blogs.technet.com/virtualization/archive/2008/03/12/Kidaro-to-be-added-to-Microsoft_2700_s-desktop-virtualization-products.aspx
http://blogs.technet.com/technology_trumpet/archive/2008/03/13/i-kidaro-you-not.aspx
So on a topic that is not by any means new, however one in which I have been getting a lot of recurring discussions around lately from my customers...
So there seems to be a lot of different viewpoints on when or whether to re-package software for the purposes of automatic distribution (using ConfigMgr of course!). For years, I have employed the following guidelines - in this order:
1. Does the software natively support MSI? If yes, no need to re-package, use the built-in characteristics of MSI to create a silent install command line (with or without transforms) to get the job done. If not, consider Step 2.
2. Does the software support any documented way to deploy the software silently? If yes, great, use what the vendor gives you to get the job done. If not, or it is not very clear, consider Step 3.
3. Conduct research on sites such as www.appdeploy.com (one of my favorites, btw) to see if someone in the community has posted steps/tips on your software that allows for silent and automated deployment. If so, employ these in the lab to confirm they work and then deploy. If not, consider Step 4.
4. Utilize your favorite MSI re-packager. ConfigMgr users can use Macrovision's AdminStudio: Configuration Manager Edition to get the job done. But if you have purchased the Wise Installer and like their interface better, go nuts!
As a rule, I always attempt to go down the past of least resistance yet maximizing supportability. I see Step 4 as the worse case and most expensive as it is the most time consuming and you run the risk of the vendor no supporting your deployment if they do not support the re-packaging of their application. IMHO, if the app is not native MSI but has a documented way of silently deploying, I say use it - supportability to speed far outweigh some of the ability built into an MSI wrapper...
Anyway, that's my $.02 - I will stop rambling now...
Finally - the extensions to manage non-windows clients with SMS has now released for ConfigMgr! For more information go here: http://www.quest.com/quest-management-xtensions-configuration-manager/.
I know more than a few of my customers in EDU will be interested in this...
So starting this month, my associates and I on the EDU technology team (Michael Greene - http://blogs.technet.com/offcampus and Steve Straub) are starting to hit the road and meet with various EDU customers to spread the good word about System Center, W08, and Hyper-V. We have completed one such event in the CT/NY area and plan to travel to other parts of the Northeast as well as the St. Louis area and other parts within the Midwest in the next month or so.
We will be posting slide and link information from these events. So far, you can take a look at these:
Slides – http://tinyurl.com/2rvmx5
Links – http://tinyurl.com/3azpxv
We MAY publish video from some of these but have not figured all that out yet...
Finally, if you happen to be in the New Jersey/Washington area, we have our next three events scheduled for early April and you can go here to register for these:
Iselin
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372199&culture=en-US
Malvern
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372200&culture=en-US
Washington
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372201&culture=en-US
Stay tuned on information about Midwest events...
So I don't know if this is documented anywhere, but a customer of mine was looking for a way to implement tighter security within their SoftGrid environment. Specifically, they were looking for a way to thwart a user who has access to SoftGrid applications from copying down their SFT files (which contain the bits of a sequenced app) and using them for their own purposes. In theory, one could essentially 'steal' an SFT file that they have Read access to from the content share (which is essentially what they have by default) and use it in their own SoftGrid Infrastructure without authorization. Or worse, use the MSI Utility to create a portable virtual application ready for use. The following is a way you can protect your SFT assets:
- Leave the content share permissions to at least Read for Everyone.
- Leave the NTFS permissions for all files in the content share to Users, Admins, and System to at least Read (i.e. default or whatever)
- Directly on the SFT file or files you wish to lock down, un-check the ‘Inherit NTFS permissions’ check box and remove all NTFS permissions from this SFT file except for SYSTEM and Administrators.
Now, typical users will be able to stream applications from the content folder, they will be able to ‘see’ the SFT files but they will not be able to copy off the SFT files (should get an Access Denied)… This is how it worked in my lab, anyway…
ENJOY!
Go here for more info and a link to download the MSI utility: http://blogs.technet.com/softgrid/archive/2008/01/03/the-msi-utility-for-microsoft-application-virtualization-and-hfru1-are-now-available.aspx.
This will now give you the ability to un-tether SoftGrid applications from the need for SG Server infrastructure... They can be installed as normal MSI packages (assuming that the SG client is installed on the target and is configured NOT to talk to any SG server).
I have posted a new article that is more 'RTM-friendly' which may help in quickly building up the base components of SCCM in a lab situation for evaluations purposes. Go here for the article.
If you are a College/University and are interested to find out how one of your peers uses the MDOP (specifically SoftGrid), you may want to tune in to this webcast being held November 28: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032356258&EventCategory=2&culture=en-US&CountryCode=US
Here is the abstract:
IT spends tremendous time and money dealing with application compatibility issues during time-sensitive deployments and updates, maintaining end-user productivity, keeping track of software assets, and securing desktops.
Microsoft’s recently introduced Desktop Optimization Pack. MDOP is a suite of five advanced technologies—including application virtualization, asset and group policy management, error monitoring, and diagnostic/recovery tools— that helps slash deployment and support costs, enable delivery of applications as centrally managed services, and allow for much easier management and better control of enterprise-wide desktops.
Join Microsoft and Northeastern University to learn how:
• Northeastern University uses Microsoft SoftGrid Application Virtualization—part of the MDOP solution set—as a foundation of its “Northeastern On-Demand” initiative. Northeastern’s Navid Atoofi, Director of Systems and Production Services, will show you how SoftGrid is helping it vastly reduce annual application management costs and application deployment time.
• MDOP technologies accelerate and simplify application deployment, speed desktop repair, reduce end-user downtime, enhance group policy management, and improve software asset tracking and compliance. At less than $10/seat for all the products combined, and a typical 3-year ROI exceeding 210%, you’ll see why it’s a fantastic value.
• Microsoft Windows Vista works with MDOP to deliver the most cost-effective and flexible means for managing your Windows desktops.
Keep watching this link: https://www.microsoft.com/technet/prodtechnol/scp/configmgr07.aspx...
DCM Config Packs for SCCM 2007 have already been posted and rumor has it there will be DOZENS more in the next few weeks!!!
SP1 for OpsMgr 2007 has been released in RC-1 form as of this weekend. Go to http://connect.microsoft.com to register and download! Click the 'My Participation' link and search for the 'System Center Operations and Service Management' link in the list...
...NOW AVAILABLE: http://www.microsoft.com/downloads/details.aspx?FamilyId=1A83E112-8677-4E03-83C3-F1B7EBFC3A4B&displaylang=en
Oh and the first official OpsMgr Resource Kit utility to now available for download. Maybe now I can stop handing out these handy utilities on a reactive basis now!!
And for those who cannot wait for SoftGrid 4.5 to 'Machine Target' and/or the upcoming MSI Utility described in my blog entry below simply does not meet their requirements (maybe because you don't like the fact you lose on-demand streaming and such), here is one way to get this to target systems.
Coming off of a conversation on the WinHED mailing list, Steven Bornn-Gilman of Occidental College contributed the following workaround. Basically, you would still need to enable your sequenced applications and ensure that a general group of users in AD have access permissions to the app, but the below procedure can help you 'hide' the application from those machines you do not wish users to see and subsequently stream and run the application.
- Create a dependency in the OSD file for the application. You can create a dependency in the OSD file which will launch a script that will check whether or not the application should run on the system. The dependency inside the OSD would look something like this:
<DEPENDENCY>
<SCRIPT TIMING="PRE" EVENT="STREAM" WAIT="TRUE" PROTECT="TRUE"
SUCCESSRESULT="1" ABORTRESULT="0">
<HREF>c:\windows\system32\wscript.exe SGOUCheck.vbs NameOfApp</HREF>
</SCRIPT>
</DEPENDENCY>
- Create a script that determines the 'SUCCESSRESULT' (1) or ABORTRESULT (0) from above. The sample script below makes a determination based on the computer's current OU membership in AD:
Set args = wscript.arguments
SGApp = args(0)
Set objSysInfo = CreateObject("ADSystemInfo")
set pc = getObject("LDAP://" & objSysInfo.ComputerName) Set container = getObject(pc.parent) OUpath =container.adspath OU = Mid(container.name,4)
Select Case (SGApp)
Case "NameOfApp"
If OU <> "NameOfOU" Then NotAuth ()
Case "SomeBioApp"
If OU <> "BioLab" Then NotAuth ()
Case "SomeMathApp"
If OU <> "MathLab" Then NotAuth ()
Case "SomeLibraryApp"
If instr(OUpath,"Library Labs") = 0 Then NotAuth ()
'OUpath lets you include a whole tree of OUs End Select
Public Sub NotAuth()
msgbox "The computer you are using in " & ucase(OU) & " is not authorized to run " & ucase(SGApp) & "." & vbCrlf & vbCrlf & "Please contact the ITS HelpDesk for assistance."
wscript.quit 0 'return exit code of 0, softgrid app doesn't launch End Sub
wscript.quit 1 'return exit code of 1, softgrid app launches
- Finally, use another method to publish the SoftGrid icons in order to not confuse end-users. So the above should do the trick but if you go ahead and use SoftGrid to publish the shortcuts, you will have users on 'non-authorized' machines with shortcuts that will error out when they try to launch. To fix this, you can simply configure SoftGrid to NOT publish the shortcuts and use some other means to copy them to the desired systems like via SMS, file copy, assemble an MSI package and roll that out, etc., etc.
I am traveling and am not able to confirm the above in my lab but the above seems straight forward enough. Again, credit Steven Bornn-Gilman of Occidental College for the above example as this is how he 'system targets' SoftGrid applications in his environment! Thanks for sharing, Steven!!!
Today we made a fairly subtle announcement around a little utility due to release later this calendar year which I think many customers looking at application virtualization options (i.e. SoftGrid) are really going to find awesome. We have gone public with our plans to offer a utility which will allow you to convert existing or new sequenced applications into MSI packages which require no SoftGrid server infrastructure to deploy or run. In short, you will be able to create and deploy SoftGrid virtualized applications without having to be tehered to ANY SoftGrid infrastructure whatsoever. This announcement is somewhat buried in the PressPass found here.
Particularly, this section:
The Windows Installer Utility for Microsoft Application Virtualization, which will be available later this year, will extend the benefits of SoftGrid technology by transforming existing and future SoftGrid virtual application assets into a standardized format for Microsoft Windows Installer (MSI). We expect this MSI Utility to be available for download before the end of the year. Customers will be able to use our MSI utility with any electronic software distribution application — including Microsoft Systems Management Server, System Center Configuration Manager and third-party systems — to deliver their virtual applications just like they deliver installed applications. This means organizations can begin accruing the benefits of virtualized applications right away on their current infrastructure while future-proofing their investment in SoftGrid technology. This continues our approach of managing physical and virtual — in this case, applications — from the same management platform.
So if you ever wanted to be able to deploy virtualized application without having to go through the fuss of building out SoftGrid servers, your day will arrive very soon!
One of the gazillion new and improved features of the soon to be released Windows Server 2008 is that we now have the ability to perform enhanced multicasting when deploying OS images right out of the box. The new Windows Deployment Services (WDS) will now support an enhanced multicast feature which will allow you to multicast out your Windows OS's from Windows Server 2008. This is not 'new' news as I believe we have documented that this will be a feature for quite some time, but one that I feel is overlooked given all of the other many features of the new product.
There will be two types of multicast supported:
- Scheduled-Cast: This is your traditional multicast scenario where you can specify a time or certain number of clients requesting an image before a session begins for all at the same time. You can also start the session manually once all clients are in the 'waiting' state and ready to go.
- Auto-Cast: As soon as an allowed client requests an image, a multicast transmission begins. Other clients can then join this same session in progress and can 'make up' what they missed earlier by dropping back to a unicast session at the end. To me, this is a pretty cool feature as it allows one to set up an 'always on' multicast session to your environment that can be invoked at any time and by multiple different folks pulling down the same image. This gives you maximum flexibility and efficient use of bandwidth. Below is a screen shot from my lab that show two machines on the same multicast session - note the different session times and % complete:
I know that this has been a huge ask from my HED and K12 customers responsible for installing entire labs of machines on a regular basis. Now we have a solution 'in-the-box' with W08 to address this. Now all that is left to do is to integrate this multicast functionality with SCCM's OS deployment features - don't worry, this is already being worked on!!!