Coming off the LABMAN conference from a few weeks ago, I know many in the EDU community rely on disk protection and lock-down tools such as Faronics' DeepFreeze and SteadyState. At the end of last week, we made SteadyState 2.5 available for free download - the big deal here is that we can now lock down and disk-protect Vista workstations. You can get this here. Here is a bullet list of the new features:
New features in SteadyState version 2.5 include the following:
• Full support for Windows Vista
• Full support for Internet Explorer 7 and tabbed browsing
• Overall improved performance
• Faster booting
• Faster system caching
• Remote management of Windows Disk Protection through scripting
• Improved importing & exporting of user information
Also, I thought I blogged about this in the past but apparently I have not (or at least I cannot find the post), but yes, with SteadyState, you do have the ability to control the state of 'Disk Protection' via command line by making calls to the machine's WMI interface - KB938355 explains this. Also, this old forum post gives some sample scripts to turn WDP on and off as well. For you folks familiar with DeepFreeze, this would be going from 'frozen' to 'thaw'. Granted, not as fancy as DeepFreeze as we do not offer a GUI console for SteadyState, but our price is a bit better (free download) if you are comfortable with making changes via script (or better yet, using something like ConfigMgr to modify the protection states when changes are needed).
The ConfigMgr homepage may not be up to date yet but here is the direct download link to download SP1: http://www.microsoft.com/downloads/details.aspx?FamilyId=5AAE62E8-4B7F-4AF7-BE01-AEFAA4BF059A&displaylang=en
This release (among the usual bug fixes) brings forward these new features:
1. More complete support for management of Windows Vista SP1 (Vista SP1) and Windows Server 2008 (Server 2008).
2. Support for SCCM 2007 Server Site roles on Server 2008.
3. Out of band and in band management of Intel AMT devices.
4. Asset Intelligence 1.5, which is our first release with a connection back to System Center Online for regular updates to the Asset catalog.
Enjoy!
So I normally do not regurgitate generic technical information that you can find on one of a thousand different blog sites and podcasts unless I feel that there is unique significance to the EDU community. If you attended MMS 2008 or paid attention to the announcements and press releases announced during the Summit, there were three major things and one 'quiet but intriguing thing' that I think will have a HUGE impact in EDU. The three major announcements (and one 'quieter' announcement) were:
- Beta Availability of Operations Manager 2007 Cross Platform Extensions: So an ugly and long title but to put it simply, we are planning to introduce OpsMgr client agents for non-Windows systems including RHEL, Sun Solaris, SLES, HP-UX, and AIX. This is definitely a first and not just for the Management division but for Microsoft as a whole as we will be including actual agents for non-Windows based systems AND these are based on the OpenPegasus initiative which means the agents will be open-sourced. Yes, you read that correctly (read again, if you need to - I know I had to!). Beta 1 of these agents are available now off of the Connect site. For more information on how to obtain these, go here:
http://blogs.technet.com/systemcenter/archive/2008/04/29/operations-manager-2007-goes-cross-platform.aspx
- Beta Availability of Operations Manager 2007 Connectors: This one may not be as shocking as the above as you may have seen this coming when we acquired Engyro a little over a year ago and have since made the Engyro Connectors available 'for free' to licensed OpsMgr customers to connect OpsMgr to their HP OVO, Tivoli management systems and the like. What is significant is that we are basing the connector on the same OpenPegasus stuff and will be open-sourced. Like the extensions above, the beta is publicly available at the same link above.
- Beta Availability of Virtual Machine Manager 2008: Not as big of a surprise as we have been talking about the v.Next version of VMM allowing for management of Hyper-V and VMWare hosts, but very nice to see we are right on track with the public beta availability of this next version. Access to and information on how to get at the bits can be found here: http://www.microsoft.com/systemcenter/scvmm/default.mspx
- Kidaro First Look: Although the acquisition at the time of this writing was not quite complete, there were a few breakout sessions and more detail around the technology that this acquisition will bring. Kidaro will become yet another technology provided to those customers that subscribe to the Desktop Optimization Pack (with no extra price increases planned, BTW) and will allow customers a way to deliver and control virtual OS's to clients via physical media (USB key, DVD, etc.) and/or streaming technologies with complete integration with the end client. Think of it as the best of virtual machines, terminal services, and virtual applications without any of the downsides these technologies have. IMHO, the Kidaro 'stuff' (we still have not picked a formal name for it yet) will solve MANY problems in EDU by allowing you to have a controlled set of OS images complete with your supported applications that can be seamlessly run and delivered to unmanaged machines - such as a student or faculty member's personal machine. Is this VDI? No - it is MUCH, MUCH, better... I am sure more information will be forthcoming once the acquisition is complete but here are some links to check out today:
http://www.kidaro.com
http://blogs.technet.com/james/archive/2008/03/25/mdop-to-get-bigger-more-value-included.aspx
http://blogs.technet.com/virtualization/archive/2008/03/12/Kidaro-to-be-added-to-Microsoft_2700_s-desktop-virtualization-products.aspx
http://blogs.technet.com/technology_trumpet/archive/2008/03/13/i-kidaro-you-not.aspx
So on a topic that is not by any means new, however one in which I have been getting a lot of recurring discussions around lately from my customers...
So there seems to be a lot of different viewpoints on when or whether to re-package software for the purposes of automatic distribution (using ConfigMgr of course!). For years, I have employed the following guidelines - in this order:
1. Does the software natively support MSI? If yes, no need to re-package, use the built-in characteristics of MSI to create a silent install command line (with or without transforms) to get the job done. If not, consider Step 2.
2. Does the software support any documented way to deploy the software silently? If yes, great, use what the vendor gives you to get the job done. If not, or it is not very clear, consider Step 3.
3. Conduct research on sites such as www.appdeploy.com (one of my favorites, btw) to see if someone in the community has posted steps/tips on your software that allows for silent and automated deployment. If so, employ these in the lab to confirm they work and then deploy. If not, consider Step 4.
4. Utilize your favorite MSI re-packager. ConfigMgr users can use Macrovision's AdminStudio: Configuration Manager Edition to get the job done. But if you have purchased the Wise Installer and like their interface better, go nuts!
As a rule, I always attempt to go down the path of least resistance while maximizing supportability. I see Step 4 as the worst case and most expensive, as it is the most time consuming and you run the risk of the vendor not supporting your deployment if they do not support the re-packaging of their application. IMHO, if the app is not native MSI but has a documented way of silently deploying, I say use it - supportability and speed far outweigh some of the ability built into an MSI wrapper...
Anyway, that's my $.02 - I will stop rambling now...
Finally - the extensions to manage non-Windows clients with SMS have now been released for ConfigMgr! For more information go here: http://www.quest.com/quest-management-xtensions-configuration-manager/.
I know more than a few of my customers in EDU will be interested in this...
So starting this month, my associates and I on the EDU technology team (Michael Greene - http://blogs.technet.com/offcampus and Steve Straub) are starting to hit the road and meet with various EDU customers to spread the good word about System Center, W08, and Hyper-V. We have completed one such event in the CT/NY area and plan to travel to other parts of the Northeast as well as the St. Louis area and other parts within the Midwest in the next month or so.
We will be posting slide and link information from these events. So far, you can take a look at these:
Slides – http://tinyurl.com/2rvmx5
Links – http://tinyurl.com/3azpxv
We MAY publish video from some of these but have not figured all that out yet...
Finally, if you happen to be in the New Jersey/Washington area, we have our next three events scheduled for early April and you can go here to register for these:
Iselin
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372199&culture=en-US
Malvern
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372200&culture=en-US
Washington
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032372201&culture=en-US
Stay tuned on information about Midwest events...
So I don't know if this is documented anywhere, but a customer of mine was looking for a way to implement tighter security within their SoftGrid environment. Specifically, they were looking for a way to thwart a user who has access to SoftGrid applications from copying down their SFT files (which contain the bits of a sequenced app) and using them for their own purposes. In theory, one could essentially 'steal' an SFT file that they have Read access to from the content share (which is essentially what they have by default) and use it in their own SoftGrid Infrastructure without authorization. Or worse, use the MSI Utility to create a portable virtual application ready for use. The following is a way you can protect your SFT assets:
- Leave the content share permissions to at least Read for Everyone.
- Leave the NTFS permissions for all files in the content share to Users, Admins, and System to at least Read (i.e. default or whatever)
- Directly on the SFT file or files you wish to lock down, un-check the ‘Inherit NTFS permissions’ check box and remove all NTFS permissions from this SFT file except for SYSTEM and Administrators.
Now, typical users will be able to stream applications from the content folder, they will be able to ‘see’ the SFT files but they will not be able to copy off the SFT files (should get an Access Denied)… This is how it worked in my lab, anyway…
ENJOY!
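The SFT lock-down steps above, scripted in PowerShell as an added example (not part of the original post). The function names and the content path are hypothetical, and granting Full Control to SYSTEM and Administrators is an assumption; the post only says those two principals keep their permissions.

```powershell
# Added example: restrict selected SFT files to SYSTEM and Administrators.
function Protect-SftFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string]$Path
    )
    begin {
        $sidType = [System.Security.Principal.SecurityIdentifier]
        # Well-known SIDs, so the script does not depend on localized names.
        $keep = @(
            (New-Object $sidType 'S-1-5-18'),      # NT AUTHORITY\SYSTEM
            (New-Object $sidType 'S-1-5-32-544')   # BUILTIN\Administrators
        )
    }
    process {
        $acl = Get-Acl -LiteralPath $Path

        # Same effect as un-checking inheritance on the file: protect the
        # DACL and discard the inherited entries instead of copying them.
        $acl.SetAccessRuleProtection($true, $false)

        # Drop every explicit entry that is already on the file.
        foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
            $acl.PurgeAccessRules($rule.IdentityReference)
        }

        # Re-grant only the two principals named in the post (assumed: Full Control).
        foreach ($sid in $keep) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $sid, 'FullControl', 'Allow'
            $acl.AddAccessRule($rule)
        }

        if ($PSCmdlet.ShouldProcess($Path, 'Restrict ACL to SYSTEM and Administrators')) {
            Set-Acl -LiteralPath $Path -AclObject $acl
        }
    }
}

# Returns any entry on the file that is not SYSTEM or Administrators;
# an empty result means the lock-down is in place.
function Get-SftUnexpectedAccess {
    param([Parameter(Mandatory = $true)][string]$Path)
    $allowed = 'S-1-5-18', 'S-1-5-32-544'
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value }
}

# Placeholder content path. Preview with -WhatIf first, then run without it.
# Get-ChildItem 'D:\Content\SomeApp' -Filter *.sft | Protect-SftFile -WhatIf
# Get-ChildItem 'D:\Content\SomeApp' -Filter *.sft |
#     ForEach-Object { Get-SftUnexpectedAccess -Path $_.FullName }
```

If the streaming service in your environment runs under an account other than SYSTEM, that account would need Read on the file as well; confirm in a lab that applications still stream after the change.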
Go here for more info and a link to download the MSI utility: http://blogs.technet.com/softgrid/archive/2008/01/03/the-msi-utility-for-microsoft-application-virtualization-and-hfru1-are-now-available.aspx.
This will now give you the ability to un-tether SoftGrid applications from the need for SG Server infrastructure... They can be installed as normal MSI packages (assuming that the SG client is installed on the target and is configured NOT to talk to any SG server).
I have posted a new article that is more 'RTM-friendly' which may help in quickly building up the base components of SCCM in a lab situation for evaluation purposes. Go here for the article.
If you are a College/University and are interested to find out how one of your peers uses the MDOP (specifically SoftGrid), you may want to tune in to this webcast being held November 28: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032356258&EventCategory=2&culture=en-US&CountryCode=US
Here is the abstract:
IT spends tremendous time and money dealing with application compatibility issues during time-sensitive deployments and updates, maintaining end-user productivity, keeping track of software assets, and securing desktops.
Microsoft’s recently introduced Desktop Optimization Pack. MDOP is a suite of five advanced technologies—including application virtualization, asset and group policy management, error monitoring, and diagnostic/recovery tools— that helps slash deployment and support costs, enable delivery of applications as centrally managed services, and allow for much easier management and better control of enterprise-wide desktops.
Join Microsoft and Northeastern University to learn how:
• Northeastern University uses Microsoft SoftGrid Application Virtualization—part of the MDOP solution set—as a foundation of its “Northeastern On-Demand” initiative. Northeastern’s Navid Atoofi, Director of Systems and Production Services, will show you how SoftGrid is helping it vastly reduce annual application management costs and application deployment time.
• MDOP technologies accelerate and simplify application deployment, speed desktop repair, reduce end-user downtime, enhance group policy management, and improve software asset tracking and compliance. At less than $10/seat for all the products combined, and a typical 3-year ROI exceeding 210%, you’ll see why it’s a fantastic value.
• Microsoft Windows Vista works with MDOP to deliver the most cost-effective and flexible means for managing your Windows desktops.
Keep watching this link: https://www.microsoft.com/technet/prodtechnol/scp/configmgr07.aspx...
DCM Config Packs for SCCM 2007 have already been posted and rumor has it there will be DOZENS more in the next few weeks!!!
SP1 for OpsMgr 2007 has been released in RC-1 form as of this weekend. Go to http://connect.microsoft.com to register and download! Click the 'My Participation' link and search for the 'System Center Operations and Service Management' link in the list...
...NOW AVAILABLE: http://www.microsoft.com/downloads/details.aspx?FamilyId=1A83E112-8677-4E03-83C3-F1B7EBFC3A4B&displaylang=en
Oh, and the first official OpsMgr Resource Kit utility is now available for download. Maybe now I can stop handing out these handy utilities on a reactive basis!!
And for those who cannot wait for SoftGrid 4.5 to 'Machine Target', and/or for whom the upcoming MSI Utility described in my blog entry below simply does not meet their requirements (maybe because you don't like the fact you lose on-demand streaming and such), here is one way to get this to target systems.
Coming off of a conversation on the WinHED mailing list, Steven Bornn-Gilman of Occidental College contributed the following workaround. Basically, you would still need to enable your sequenced applications and ensure that a general group of users in AD have access permissions to the app, but the below procedure can help you 'hide' the application from those machines you do not wish users to see and subsequently stream and run the application.
- Create a dependency in the OSD file for the application. You can create a dependency in the OSD file which will launch a script that will check whether or not the application should run on the system. The dependency inside the OSD would look something like this:
<DEPENDENCY>
<SCRIPT TIMING="PRE" EVENT="STREAM" WAIT="TRUE" PROTECT="TRUE"
SUCCESSRESULT="1" ABORTRESULT="0">
<HREF>c:\windows\system32\wscript.exe SGOUCheck.vbs NameOfApp</HREF>
</SCRIPT>
</DEPENDENCY>
- Create a script that determines the 'SUCCESSRESULT' (1) or ABORTRESULT (0) from above. The sample script below makes a determination based on the computer's current OU membership in AD:
Set args = wscript.arguments
SGApp = args(0)
Set objSysInfo = CreateObject("ADSystemInfo")
'Bind to this computer's AD object, then to its parent container (the OU)
Set pc = getObject("LDAP://" & objSysInfo.ComputerName)
Set container = getObject(pc.parent)
OUpath = container.adspath
OU = Mid(container.name,4) 'drop the "OU=" / "CN=" prefix from the container name
Select Case (SGApp)
    Case "NameOfApp"
        If OU <> "NameOfOU" Then NotAuth ()
    Case "SomeBioApp"
        If OU <> "BioLab" Then NotAuth ()
    Case "SomeMathApp"
        If OU <> "MathLab" Then NotAuth ()
    Case "SomeLibraryApp"
        If instr(OUpath,"Library Labs") = 0 Then NotAuth ()
        'OUpath lets you include a whole tree of OUs
End Select
Public Sub NotAuth()
    msgbox "The computer you are using in " & ucase(OU) & " is not authorized to run " & ucase(SGApp) & "." & vbCrlf & vbCrlf & "Please contact the ITS HelpDesk for assistance."
    wscript.quit 0 'return exit code of 0, softgrid app doesn't launch
End Sub
wscript.quit 1 'return exit code of 1, softgrid app launches
- Finally, use another method to publish the SoftGrid icons in order to not confuse end-users. So the above should do the trick but if you go ahead and use SoftGrid to publish the shortcuts, you will have users on 'non-authorized' machines with shortcuts that will error out when they try to launch. To fix this, you can simply configure SoftGrid to NOT publish the shortcuts and use some other means to copy them to the desired systems like via SMS, file copy, assemble an MSI package and roll that out, etc., etc.
I am traveling and am not able to confirm the above in my lab but the above seems straight forward enough. Again, credit Steven Bornn-Gilman of Occidental College for the above example as this is how he 'system targets' SoftGrid applications in his environment! Thanks for sharing, Steven!!!
Today we made a fairly subtle announcement around a little utility due to release later this calendar year which I think many customers looking at application virtualization options (i.e. SoftGrid) are really going to find awesome. We have gone public with our plans to offer a utility which will allow you to convert existing or new sequenced applications into MSI packages which require no SoftGrid server infrastructure to deploy or run. In short, you will be able to create and deploy SoftGrid virtualized applications without having to be tethered to ANY SoftGrid infrastructure whatsoever. This announcement is somewhat buried in the PressPass found here.
Particularly, this section:
The Windows Installer Utility for Microsoft Application Virtualization, which will be available later this year, will extend the benefits of SoftGrid technology by transforming existing and future SoftGrid virtual application assets into a standardized format for Microsoft Windows Installer (MSI). We expect this MSI Utility to be available for download before the end of the year. Customers will be able to use our MSI utility with any electronic software distribution application — including Microsoft Systems Management Server, System Center Configuration Manager and third-party systems — to deliver their virtual applications just like they deliver installed applications. This means organizations can begin accruing the benefits of virtualized applications right away on their current infrastructure while future-proofing their investment in SoftGrid technology. This continues our approach of managing physical and virtual — in this case, applications — from the same management platform.
So if you ever wanted to be able to deploy virtualized application without having to go through the fuss of building out SoftGrid servers, your day will arrive very soon!