Motivations for, and barriers to, using the more powerful tools and capabilities of Cornell's MS Configuration Manager (CM), such as application updating, especially within Research.

See also

Resources

Interesting CM/Casper/Encryption stats CIT website

CM book. Considering ordering "Mastering System Center Configuration Manager 1st Edition" to save CM training costs.

...


Overview

The decision to have CM installed "on all Windows which are in CU AD" is fine within Research as long as the following condition holds true:

  • CM on all Windows within CU AD is OK as long as nothing else is automatically done to those computers via CM simply because they are on CM. No MS patching, no Flexera, etc!
  • See: CM question/expectations/understandings

We can roll out CM within Research ONLY IF we have the option, per computer, to pick and choose CM capabilities to best meet that research computer's business need.

  • KEY requirement: Do not force use of MS updates (OS, Office, etc.) on a computer simply to benefit from other CM services such as CM SCEP or CM Firefox.
  • Many research computers, especially those attached to instruments, must only be updated and restarted by the user, and not forced on them.

CM-related services

Q: What software is forced on a managed computer?

A: Only two enabling applications: CM Client and Flexera CSI (Secunia).

  • KEY: No software is forced-installed (software that would be new to the computer) on Windows except the following, and only under specific circumstances:

| Software forced-installed | Circumstance | Notes |
|---|---|---|
| CM Client | Added when system added to CU AD | Non-issue, right? |
| Flexera CSI (Secunia) | Added when system added to (CIT?) Central Patching | If it only gets installed when a system is added to CIT Central Patching, non-issue, right? |

No other software is forced-installed! Forced-installed should not be confused with patching, which is action taken on pre-installed software.

Q: What software gets patched?

A: None by default.

Q: What software can get patched, if patching enabled?

A: Either a group of software or individual software gets patched, depending on configurations to enable specific needs.

Q: What software can be installed auto-magically?

A: Either software for which either a Group Policy (GP) or Managed Desktop (MD)

 

|  | (1A) CU AD | (1B) CM client | CIT Central Patching | A&S Central Patching | Chemistry Central Patching | A la carte patching (CM) | A la carte patching (GP) | A la carte installs (CM) | A la carte installs (GP) |
|---|---|---|---|---|---|---|---|---|---|
| What service gets you or does: | Gets you CM client automatically (forced install) | Enables all other CM services, and depends on CU AD. | Patching ONLY if application already on system. | Patching ONLY if application already on system. | Patching ONLY if application already on system. | Patching ONLY if application already on system. |  |  |  |
| Pros of service: | Usernames are NetIDs, with NetID passwords. Enables all other Chemistry IT management tools, including CM-related ones. | Enables other things, by default is passive. |  |  |  |  |  |  |  |
| Cons of service: | Enforced password strength. | Reports some hardware (applications?) data to CIT's servers (viewable by?) |  |  |  |  |  |  |  |
| How Chemistry IT uses in supporting Research: | All supported Windows able to get on AD get this. | Thus, supported Windows able to get on AD get this. |  |  |  |  | Java patching |  | Java installs. |

Snap-shot of a la carte patching targets:

| Application | Owner | Notes |
|---|---|---|
|  |  |  |

 

Snap-shot of a la carte installable applications:

| Application | Owner | Notes |
|---|---|---|
| SCEP | Chemistry IT | If SEP or other anti-virus software already installed, uninstalls that software first. Created by Michael Hint, and shared with the AS IT Science cluster. Why not made available to anyone at A&S? Why not made available to anyone at Cornell? |
| Others? |  |  |

...

Table tracking concerns, questions, and progress

| Function | Gap, as understood by Chemistry IT | Notes |
|---|---|---|
| Create and maintain easy-to-access page with current list of apps managed by 3rd party updater. | Unknown products being installed or updated by 3rd party updater. | All or nothing, right? |
| Enable stand-alone CM SCEP install |  |  |
| Enable stand-alone CM MS updates with forced reboots | Do not automatically link this capability with any other enrollments. | Forced reboots moving from ~2pm to ~4pm, once moved to CIT's schedule. |
| Ideal: Enable stand-alone CM MS updates with non-forced reboots (and/or other algorithms) | The more choice, the more likely to find a good fit to ensure patching. |  |
| Enable stand-alone A&S CM Java install | In progress. A&S testing. |  |
| Enable stand-alone A&S CM Firefox install | Easy? | Easy since CIT has package already? |
| Enable stand-alone A&S CM Flexera install | DONE! |  |
| Enable stand-alone A&S CM FileZilla install | DONE! |  |