Motivations for, and barriers to, using the more powerful tools and capabilities of Cornell's MS Configuration Manager (CM), such as application updating, especially within Research.
See also
Resources
Interesting CM/Casper/Encryption stats CIT website
CM book. Considering ordering "Mastering System Center Configuration Manager 1st Edition" to save CM training costs.
- https://www.amazon.com/dp/1119258456/
- Publisher: Sybex; 1 edition (January 24, 2017)
Overview
The decision to have CM installed "on all Windows which are in CU AD" is fine within Research as long as the following condition holds true:
- CM on all Windows within CU AD is OK as long as nothing else is automatically done to those computers via CM simply because they are on CM. No MS patching, no Flexera, etc!
We can roll out CM within Research ONLY IF we have the option, per computer, to pick and choose CM capabilities to best meet that research computer's business need.
- KEY requirement: Do not force use of MS updates (OS, Office, etc.) on a computer simply to benefit from other CM services such as CM SCEP or CM Firefox.
- Many research computers, especially those attached to instruments, must be updated and restarted only by the user; updates and restarts must not be forced on them.
CM-related services
Q: What software is forced on a managed computer?
A: Only two enabling applications: CM Client and Flexera CSI (Secunia).
- KEY: No software is forced-installed (software that would be new to the computer) on Windows except the following, and only under specific circumstances:
Software forced-installed | Circumstance | Notes |
---|---|---|
CM Client | Added when system added to CU AD | Non-issue, right? |
Flexera CSI (Secunia) | Added when system added to (CIT?) Central Patching | If it only gets installed when a system is added to CIT Central Patching, non-issue, right? |
No other software is forced-installed! | Forced-installed should not be confused with patching, which is action taken on pre-installed software. |
Q: What software gets patched?
A: None by default.
Q: What software can get patched, if patching enabled?
A: Either a group of software or individual software gets patched, depending on configurations to enable specific needs.
Q: What software can be installed auto-magically?
A: Either software for which either a Group Policy (GP) or Managed Desktop (MD)
 | (1A) CU AD | (1B) CM client | CIT Central Patching | A&S Central Patching | Chemistry Central Patching | A la carte patching (CM) | A la carte patching (GP) | A la carte installs (CM) | A la carte installs (GP) |
---|---|---|---|---|---|---|---|---|---|
What service gets you or does: | Gets you CM client automatically (forced install) | Enables all other CM services, and depends on CU AD. | Patching ONLY if application already on system. | Patching ONLY if application already on system. | Patching ONLY if application already on system. | Patching ONLY if application already on system. | | | |
Pros of service: | Usernames are NetID and NetID passwords. Enables all other Chemistry IT management tools, including CM-related ones. | Enables other things, by default is passive. | | | | | | | |
Cons of service: | Enforced password strength. | Reports some hardware (applications?) data to CIT's servers (viewable by?) | | | | | | | |
How Chemistry IT uses it in supporting Research: | All supported Windows able to get on AD get this. | Thus, supported Windows able to get on AD get this. | Java patching | Java installs. |
Snap-shot of a la carte patching targets:
Application | Owner | Notes |
---|---|---|
Snap-shot of a la carte installable applications:
Application | Owner | Notes |
---|---|---|
SCEP | Chemistry IT | If SEP or other anti-virus software is already installed, uninstalls that software first. Created by Michael Hint, and shared with the AS IT Science cluster. |
Others? | | |
Table tracking concerns, questions, and progress
Function | Gap, as understood by Chemistry IT | Notes |
---|---|---|
Create and maintain an easy-to-access page with the current list of apps managed by 3rd party updater. | Unknown products being installed or updated by 3rd party updater. | All or nothing, right? |
Enable stand-alone CM SCEP install | | |
Enable stand-alone CM MS updates with forced reboots | Do not automatically link this capability with any other enrollments. | Forced reboots moving from ~2pm to ~4pm, once moved to CIT's schedule. |
Ideal: Enable stand-alone CM MS updates with non-forced reboots (and/or other algorithms) | The more choice, the more likely to find a good fit to ensure patching. | |
Enable stand-alone A&S CM Java install | In progress. A&S testing. | |
Enable stand-alone A&S CM Firefox install | Easy? | Easy since CIT has package already? |
Enable stand-alone A&S CM Flexera install | DONE! | |
Enable stand-alone A&S CM FileZilla install | DONE! | |