
How To Configure Symantec Management Platform, Part 1

Created: 08 Mar 2012 • Updated: 08 Mar 2012 | 6 comments

By ziggy

1.     Summary

This document is the next in my series on the Symantec Management Platform (SMP) project.  My previous article details the steps I took to install the SMP in my environment; it may be found here: https://www-secure.symantec.com/connect/articles/how-install-symantec-management-platform-71

This document details the steps I took to configure part of the SMP in my environment. These steps worked flawlessly for me, but should be reviewed with your architect first to ensure they will work for your environment.  Most steps will need to be modified based on your requirements for your environment, so please keep that in mind when reading through this article.

 

2.     Pre-requisites

2.1.    You must have a functioning SMP installed.

2.2.    You need to know the Application Identity (AppId) and password.

2.3.    You should login as that account to do all configurations.

 

3.     Organizational Views

Since we have two distinct departments that will use the SMP to manage their respective groups of computers, we decided to create a Support Organizational View (OV) with multiple Organizational Groups (OGs) inside it that would contain the computers each department manages.  I won’t go through ALL the OGs, but enough that you will see a variety of the options available to you.  Yes, we thought about hierarchy, but with only around 6000 endpoints, hierarchy is not worth the effort.  From what I have heard, you should seriously look into hierarchy if you have over 20,000 endpoints.

3.1.    Click Manage | Organizational Views and Groups.

3.2.    Right click Organizational Views and select New | Organizational View and call it Support Responsibility.

 

3.3.    Right click on the Support Responsibility OV and select New | Organizational Group (OG) and create the following OGs:

1.  ATS Managed Assets: This group will contain computers that the ATS department will see and manage.

2.  CSS Managed Assets: This group will contain computers that the CSS department will see and manage.

3.  Non IS Managed Assets: This group will contain computers that neither department will see and manage.

4.  Shared IS Managed Assets: This group will contain computers that both the ATS and CSS departments will see and manage.

5.  Undefined Managed Assets: This group will contain computers that have not been assigned to one of the above OGs.  Only a few select people will be allowed access to these and will be responsible for manually assigning them to the correct OG above.

Note: I won't go through the creation of ALL of the above OGs, but I will do some of them so that you can see how they can be configured differently.  By providing these options, I hope that you will be better informed about some of the configurations you can apply to suit the needs of your environment.

 

4.     Organizational Groups

4.1.    Click Manage | Automation Policies.

4.2.    On the Schedules tab click New policy.

4.3.    Name the new policy ATS Managed OG and click OK.

4.3.1.  Set the schedule to At date/time, set it for 12:15, and set it to repeat every 15 minutes.

Note:  We only have it set to every 15 minutes during our migration phase, during which a computer moved into 7.1 needs to show up in the correct OG so that the respective department can see and manage it as soon as possible.  This has been running for a few months and we have not seen any impact on our systems.  You would need to decide what is appropriate for your environment and check the logs and performance of your systems periodically to ensure optimal performance.

4.3.2.  In the details section, set Data Source to Raw SQL query.

4.3.3.  Click Save changes.

4.3.4.  Click Edit query. (Click OK when it prompts you to leave this page)

4.3.5.  Enter your respective query in the Parametrized Query tab.  I created this one:

SELECT DISTINCT vc.Guid
FROM vComputer vc
       JOIN vAsset va WITH (NOLOCK)
       ON va._ResourceGuid = vc.Guid
-- AND binds tighter than OR: the domain test only restricts the first branch,
-- and each later OR branch admits a computer on its own.
WHERE (
       vc.Domain IN ('BMN','CBTLOCAL','CBT.local','DENTAL','ITC_CLASSROOMS','ITECH','ITRC','JCCC-CAMPUS','JCCC_CAMPUS','JCCC-STUDENT','JCCC_STUDENT','MSHOME','RC','RCIT','VUE','WESTPARK','WORKGROUP','WPK','WWW')
       -- IN() compares literally and does not expand wildcards, so the SMART* domains need LIKE
       OR vc.Domain LIKE 'SMART%'
       )
       AND vc.Name NOT LIKE '[0-9][0-9][0-9][0-9]-%'
       OR
       (
       vc.Name LIKE 'COG%'
       OR vc.Name LIKE 'KC%'
       OR vc.Name LIKE 'KU%'
       OR vc.Name LIKE 'LVS%'
       OR vc.Name LIKE 'OHEC%'
       OR vc.Name LIKE 'WPK%'
       )
       OR vc.[IP Address] LIKE '10.22%'
       OR
       (
       (vc.[System Type] = 'Macintosh' AND vc.Name LIKE 'atb13%')
       OR (vc.[System Type] = 'Macintosh' AND vc.Name LIKE 'com%26%')
       OR (vc.[System Type] = 'Macintosh' AND vc.Name LIKE 'lib%')
       OR (vc.[System Type] = 'Macintosh' AND vc.Name LIKE 'ocb%')
       OR (vc.[System Type] = 'Macintosh' AND vc.Name LIKE 'rc%245%')
       OR (vc.[System Type] = 'Macintosh' AND vc.Name LIKE 'rc3%')
       )

4.3.6.  Click OK.

4.3.7.  Under Conditions, leave the Evaluation Rule set to Run for non-empty data.

4.3.8.  Under Actions, click Select a Job or Task…

4.3.9.  Click Jobs and Tasks | System Jobs and Tasks | Notification Server | Automation Policy Tasks | Assign to Organizational Group Task.

4.3.10.  Click OK.

4.3.11.  Click Edit input parameter and select ATS Managed Assets for Custom Value of Organizational Group.

4.3.12.  For Action, select Must at least contain.

4.3.13.  Select Results as CSV for Resources and click OK.

4.3.14.  Click Save Changes.

4.3.15.  Click Test Automation Policy.

4.3.16.  Turn on the Policy.
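The WHERE clause in the query above mixes AND and OR without parentheses, which is worth checking before a policy like this decides which department can see a machine.  The following is an added example, not code from the article or from Symantec: it loads constructed sample rows into SQLite (standing in for the SMP's SQL Server CMDB) and runs a trimmed version of the clause three ways, with SQLite's GLOB standing in for the T-SQL '[0-9]' LIKE pattern.  The vComputer columns, guids and rows are all constructed.

```python
"""Added example (not from the article): how SQL groups the AND/OR mix in the
'ATS Managed OG' query. SQLite stands in for the SMP's SQL Server CMDB; the
vComputer table and its rows are constructed sample data, not real inventory."""
import sqlite3

# Constructed rows: (guid, domain, name, ip, system_type). The comment on each
# row says which branch of the WHERE clause it is meant to exercise.
SAMPLE_COMPUTERS = [
    ("g1", "WORKGROUP", "HELPDESK-01", "192.0.2.10", "Win32"),  # domain ok, name ok
    ("g2", "WORKGROUP", "1234-LAB", "192.0.2.11", "Win32"),     # domain ok, 'NNNN-' name
    ("g3", "CORP", "COG-101", "192.0.2.12", "Win32"),           # domain not listed, COG% name
    ("g4", "CORP", "SRV-01", "10.22.4.9", "Win32"),             # only the 10.22% IP rule
    ("g5", "CORP", "lib-mac-3", "192.0.2.14", "Macintosh"),     # Macintosh with lib% name
    ("g6", "CORP", "lib-pc-3", "192.0.2.15", "Win32"),          # lib% name but not a Mac
    ("g7", "SMARTLAB", "SMART-PC-1", "192.0.2.16", "Win32"),    # 'SMART%' inside IN() is literal
]

# Shaped like the article's clause, trimmed to a few rules. SQLite's LIKE has
# no [0-9] character classes, so GLOB stands in for that one T-SQL pattern.
AS_WRITTEN = """
SELECT DISTINCT guid FROM vComputer
WHERE domain IN ('WORKGROUP', 'WPK', 'SMART%')
      AND name NOT GLOB '[0-9][0-9][0-9][0-9]-*'
      OR (name LIKE 'COG%' OR name LIKE 'WPK%')
      OR ip LIKE '10.22%'
      OR ((system_type = 'Macintosh' AND name LIKE 'lib%')
          OR (system_type = 'Macintosh' AND name LIKE 'rc3%'))
"""

# The grouping SQL actually applies: AND binds tighter than OR, so the domain
# test is joined only with the 'NNNN-' exclusion; every other OR branch admits
# a computer regardless of its domain.
EXPLICIT_GROUPING = """
SELECT DISTINCT guid FROM vComputer
WHERE (domain IN ('WORKGROUP', 'WPK', 'SMART%')
       AND name NOT GLOB '[0-9][0-9][0-9][0-9]-*')
      OR (name LIKE 'COG%' OR name LIKE 'WPK%')
      OR ip LIKE '10.22%'
      OR ((system_type = 'Macintosh' AND name LIKE 'lib%')
          OR (system_type = 'Macintosh' AND name LIKE 'rc3%'))
"""

# The reading the indentation suggests, where domain membership gates every
# branch. Included to show how much the result set changes.
DOMAIN_GATED = """
SELECT DISTINCT guid FROM vComputer
WHERE domain IN ('WORKGROUP', 'WPK', 'SMART%')
      AND (name NOT GLOB '[0-9][0-9][0-9][0-9]-*'
           OR (name LIKE 'COG%' OR name LIKE 'WPK%')
           OR ip LIKE '10.22%'
           OR ((system_type = 'Macintosh' AND name LIKE 'lib%')
               OR (system_type = 'Macintosh' AND name LIKE 'rc3%')))
"""


def load_sample_db():
    """Build an in-memory stand-in for the CMDB's vComputer view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vComputer (guid TEXT PRIMARY KEY, domain TEXT, name TEXT, "
        "ip TEXT, system_type TEXT)"
    )
    conn.executemany("INSERT INTO vComputer VALUES (?, ?, ?, ?, ?)", SAMPLE_COMPUTERS)
    return conn


def matching_guids(query):
    """Return the set of guids the query selects from the sample view."""
    conn = load_sample_db()
    try:
        return {row[0] for row in conn.execute(query)}
    finally:
        conn.close()


def precedence_report():
    """Run all three variants so the differences can be compared side by side."""
    return {
        "as_written": matching_guids(AS_WRITTEN),
        "explicit_grouping": matching_guids(EXPLICIT_GROUPING),
        "domain_gated": matching_guids(DOMAIN_GATED),
    }


if __name__ == "__main__":
    for label, guids in precedence_report().items():
        print(f"{label:18s} -> {sorted(guids)}")
```

The as-written and explicitly grouped variants select the same rows (g1, g3, g4, g5): the domain list only constrains the 'NNNN-' exclusion, and a computer in an unlisted domain still lands in the ATS group if it matches any name, IP or Macintosh rule.  The domain-gated variant keeps only g1.  Row g7 shows a second point: 'SMART%' inside IN() is a literal string, not a wildcard, so SMART* domains need a LIKE.  Whichever reading you intend, write the parentheses out so the next administrator does not have to guess, because an OG boundary here is also a visibility boundary between departments.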

 

5.     Shared IS Support Organizational Group

5.1.    No Automation policy is needed for the Shared IS Supported Assets OG since computers can only be manually placed into this OG by those people with access.  This is a small group of people, hence the restrictive access.

 

  

6.     Undefined Support Organizational Group  

6.1.    Click Manage | Automation Policies.

6.2.    On the Schedules tab click New policy.

6.3.    Name the new policy Undefined Managed OG and click OK.

6.3.1.  Set the schedule to At date/time and Time to 12:01, and set it to repeat every 1 hour.

6.3.2.  In the details section, set Data Source to Raw SQL query.

6.3.3.  Click Save changes.

6.3.4.  Click Edit query. (Click OK when it prompts you to leave this page.)

6.3.5.  Enter your respective query in the Parametrized Query tab.  I created this one:

SELECT DISTINCT vc.Guid
FROM vComputer vc
WHERE vc.Guid NOT IN
       (
       SELECT ResourceGuid FROM ScopeMembership
       WHERE ScopeCollectionGuid = 'ACF86CFE-6455-4DEC-9DDC-DFBEBF026790' -- ATS Managed OV
       OR ScopeCollectionGuid = '4D2C8121-A6D9-4354-A067-A6DC644649A8' -- CSS Managed OV
       OR ScopeCollectionGuid = 'E16DA46E-8443-42F2-8B8D-849E050064D7' -- Non IS Managed OV
       OR ScopeCollectionGuid = '6D6F6AED-D46E-4AAF-80CE-AB54BD353E50' -- Shared Managed OV
       )

6.3.6.  Click OK.

6.3.7.  Leave the Evaluation Rule set to Run for non-empty data.

6.3.8.  Click Select a Job or Task…

6.3.9.  Click on Jobs and Tasks | System Jobs and Tasks | Notification Server | Automation Policy Tasks | Assign to Organizational Group Task.

6.3.10.  Click OK.

6.3.11.  Click Edit input parameter and select Undefined Managed Assets for Custom Value of Organizational Group.

6.3.12.  For Action, select Must at least contain.

6.3.13.  Select Results as CSV for Resources and click OK.

6.3.14.  Click Save Changes.

6.3.15.  Click Test Automation Policy.

6.3.16.  Turn on the Policy.
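The Undefined OG query above relies on NOT IN against a subquery.  As an added example (not code from the article or from Symantec), the SQLite script below loads constructed computers and ScopeMembership rows into an in-memory database, runs that NOT IN form and an equivalent NOT EXISTS form, and then injects one membership row with a NULL ResourceGuid to show how differently the two behave.  The table shapes follow the columns the query uses (vComputer.Guid, ScopeMembership.ScopeCollectionGuid and ResourceGuid); the OG guids are placeholders and every row is constructed.

```python
"""Added example (not from the article): the 'Undefined Managed OG' query's
NOT IN subquery compared with an equivalent NOT EXISTS. SQLite stands in for
the SMP's SQL Server CMDB; table shapes follow the columns the article's query
uses; the OG guids are placeholders and every row is constructed sample data."""
import sqlite3

# Placeholder OG guids (the article's real values are specific to its SMP).
OG_GUIDS = {
    "ATS Managed Assets": "OG-ATS-PLACEHOLDER",
    "CSS Managed Assets": "OG-CSS-PLACEHOLDER",
    "Non IS Managed Assets": "OG-NONIS-PLACEHOLDER",
    "Shared IS Managed Assets": "OG-SHARED-PLACEHOLDER",
}

# Constructed computers and scope memberships. c-new1 and c-new2 belong to no
# department OG and should land in the Undefined OG; c-new1 also sits in an
# unrelated scope to show that the ScopeCollectionGuid filter matters.
SAMPLE_COMPUTERS = [("c-ats",), ("c-css",), ("c-shared",), ("c-new1",), ("c-new2",)]
SAMPLE_MEMBERSHIPS = [
    ("OG-ATS-PLACEHOLDER", "c-ats"),
    ("OG-CSS-PLACEHOLDER", "c-css"),
    ("OG-SHARED-PLACEHOLDER", "c-shared"),
    ("SOME-OTHER-SCOPE", "c-new1"),
]

# Same shape as the article's query: NOT IN over the membership subquery.
NOT_IN_QUERY = """
SELECT DISTINCT vc.Guid FROM vComputer vc
WHERE vc.Guid NOT IN (
    SELECT ResourceGuid FROM ScopeMembership
    WHERE ScopeCollectionGuid IN (?, ?, ?, ?))
"""

# Equivalent intent written as a correlated NOT EXISTS.
NOT_EXISTS_QUERY = """
SELECT DISTINCT vc.Guid FROM vComputer vc
WHERE NOT EXISTS (
    SELECT 1 FROM ScopeMembership sm
    WHERE sm.ResourceGuid = vc.Guid
      AND sm.ScopeCollectionGuid IN (?, ?, ?, ?))
"""


def load_sample_db(with_null_row):
    """Build the in-memory stand-in; optionally inject one NULL ResourceGuid."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vComputer (Guid TEXT PRIMARY KEY)")
    conn.execute("CREATE TABLE ScopeMembership (ScopeCollectionGuid TEXT, ResourceGuid TEXT)")
    conn.executemany("INSERT INTO vComputer VALUES (?)", SAMPLE_COMPUTERS)
    conn.executemany("INSERT INTO ScopeMembership VALUES (?, ?)", SAMPLE_MEMBERSHIPS)
    if with_null_row:
        # Fault injection (constructed): a membership row with no ResourceGuid.
        conn.execute(
            "INSERT INTO ScopeMembership VALUES (?, NULL)",
            (OG_GUIDS["ATS Managed Assets"],),
        )
    return conn


def undefined_computers(query, with_null_row=False):
    """Return the guids the query would route to the Undefined OG."""
    conn = load_sample_db(with_null_row)
    try:
        params = tuple(OG_GUIDS.values())  # the four department OG guids
        return {row[0] for row in conn.execute(query, params)}
    finally:
        conn.close()


if __name__ == "__main__":
    for label, query in (("NOT IN", NOT_IN_QUERY), ("NOT EXISTS", NOT_EXISTS_QUERY)):
        clean = sorted(undefined_computers(query, with_null_row=False))
        dirty = sorted(undefined_computers(query, with_null_row=True))
        print(f"{label:10s} clean data -> {clean}   with NULL row -> {dirty}")
```

With clean data both forms return c-new1 and c-new2.  With a single NULL ResourceGuid in the subquery, NOT IN returns no rows at all, because NOT IN over a set containing NULL is never true, while NOT EXISTS still returns the two unassigned computers.  Since the policy only runs for non-empty data, a NOT IN query that goes empty means no new computer is ever routed to the Undefined OG and nobody is prompted to assign it.  NOT EXISTS avoids that failure mode, and periodically checking that the Undefined OG is not permanently empty is a cheap sanity test for the catch-all.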

 

7.     Automation Policies

7.1.    Click Manage | Automation Policies

7.2.    Enable and edit whichever automation policies you desire and set them to email whomever you want.  I chose to enable these:

  1.   Machine changed identity
  2.   Managed computers with zero or more than one Agent Settings Policy applied
  3.   Package Server account creation failure
  4.   Package Server account locked
  5.   Package Server DC account creation failure
  6.   Package Server password expiry
  7.   Product License AUP Expiration Notice
  8.   Product License Count Notice
  9.   Product License Termination Date Notice
  10.  Scalability Check
  11.  Sites without unconstrained Package Servers
  12.  Symantec Management Agent not Installed after 7 days

 

8.     Plug-ins rollout

I don’t need to get into which plug-ins to enable or disable, because that is so specific to each environment and to the solutions you have that it would be cumbersome.  I will, however, provide some general tips and tricks that I have learned.

8.1.    Clone policies and then modify them.  This leaves the default one in place should you ever need to revert to, or reference it.

8.2.    Prepend ALL custom items (filters, policies, tasks, jobs, plug-ins, et cetera) with a custom name, like your company name.  And/or create a folder for ALL your custom (read: not out-of-box) items and put them in there.  This is a great way to ensure that you’re not hunting and pecking around for something (even though the search box in 7.1 is MUCH improved over 6.5, it is still no Google).  Another benefit of this method is that you can easily back up, export and import them at any time.

Examples

All our custom automation policies start with ‘JCCC’. (Omitted in this document for simplicity.)

All custom reports are in a Folder called JCCC that was created right under the ‘Reports’ folder. (omitted in this document for simplicity)

8.3.    Don’t enable any Deployment and Automation policies until you KNOW how they will be used and how they will impact your endpoint.  Simply put, brush up on your DS knowledge and keep up-to-date on it.

8.4.    Don’t enable Out Of Band unless you know what you’re doing.  Configuring the entire OOB solution is a whole separate ball of wax that I plan to address in a separate document all together.

8.5.    Check mark the Disable download via multicast option if you are seeing ANY delay in the plug-ins being installed in a timely manner.  There may be network timeouts or other related issues that are not easy to find or diagnose.  We disabled it and it went fine.  We left the multicast option enabled in the SMA targeted agent settings (see further down) so that we can control the use of multicast on a case-by-case basis.

8.6.    Make sure you have a well-documented plan for how you will use the Patch Management solution (which includes the default Software Update Plug-in policy) before you go off half-patching.

8.7.    And the most important of all: Always test any changes in a non-production environment before rolling them to production.

 

9.     Maintenance Windows

Maintenance Windows can work for or against you.  In addition to maintenance windows, we also use a blockout.  See below for more details on how I created maintenance windows and blockouts for our environment.

9.1.    Click Settings | Agents/Plug-ins | All Agent/Plug-ins.

9.2.    Click Agents/Plug-ins | Symantec Management Agent | Settings | Maintenance Windows.

9.3.    Clone the All Managed Computers policy.

9.4.    Name it ATS Maintenance Window.

9.4.1.  Set Start to 10:00 a.m. and End to 7:45 a.m.

9.4.2.  Set Repeat to Week and choose M, T, W, U, F, and Sat.

9.4.3.  Click Apply To and choose Computers.

9.4.4.  Click Add rule and set it to:

1.  Exclude computers not in Group ATS Managed Assets.

2.  Exclude computers not in Filter Computers with Inventory data older than one day.

Note: By excluding computers whose inventory is not older than one day, we can be assured that new systems get plug-ins and run policies as soon as possible within the first 24 hours, and we don’t have to worry about a maintenance window interfering with that initial roll-out.  I know, I know, you can check mark ‘ignore maintenance windows’ on most items, but then you would need a separate policy/job/task/item just for newly installed systems and another for your day-to-day jobs.

9.4.5.  Click Update results, then click OK.

9.4.6.  Enable the policy.

9.4.7.  Click Save Changes.

 

10.     SMA Agent Settings

10.1.  Click Settings | Agents/Plug-ins | Symantec Management Agent | Settings | Symantec Management Agent Install.

10.1.1.  Click Settings in the right pane.

10.1.2.  On the Install Agent tab, click the Settings button.

10.1.3.  Uncheck Show the Symantec Management Agent in the System tray.

10.1.4.   Click OK.

10.2.  Click Agents/Plug-ins | Symantec Management Agent | Settings | Symantec Management Agent Settings - Targeted.

10.3.  Clone the All Desktop computers (excluding ‘Site Servers’) policy and name it Custom All Desktop computers (excluding ‘Site Servers’) w/o Inv data.

Note: This policy is applied to those items WITHOUT inventory data.  You will see why down below, but for those who can’t wait, it is because we want all new agent installs (that haven’t reported inventory) to check-in sooner.

10.3.1.   On the General tab remove all existing filters in the Apply To section.

10.3.2.   Click Apply To and choose Computers.

10.3.3.   Click Add rule and set it to exclude computers in Filter Computers with Inventory data.

10.3.4.   Click Add rule and set it to exclude computers in Filter Site Servers.

10.3.5.   Click Update results, then click OK.

10.3.6.   Set the following and click Save changes:

Setting                              PreProd   Production
Download new configuration every:    5 min.    5 min.
Upload basic inventory every:        1 hour    1 hour
Compress events over:                200 kb    200 kb

Note:  For every agent install, the agent waits 15 minutes after receiving a GUID before checking back in.  This is hard-coded and not editable.  After that 15 minute window is over, we want the agent to get policies, plug-ins, tasks, jobs, et cetera as soon as possible, so we set the check-in interval to 5 minutes to minimize the wait.  Yes, it is still dependent on the ‘Resource Membership Update’ schedule, but at least we aren’t dependent on the agent checking in.

10.3.7.   On the Downloads tab, uncheck Use bandwidth throttling and check mark Allow SMA to use multicast for downloading packages.

10.3.8.   On the Advanced tab, check mark the Enable tickle on Symantec Management Agents.

10.3.9.   Enable the policy on the General tab.

10.3.10.  Click Save changes.

10.4.  Click on the All Desktop computers (excluding ‘Site Servers’) policy.

10.4.1.  On the General tab, set the following:

Setting                              PreProd   Production
Download new configuration every:    30 min.   2 hours
Upload basic inventory every:        1 day     1 day
Compress events over:                200 kb    200 kb

10.4.2.   On the Downloads tab, uncheck Use bandwidth throttling and check mark Allow SMA to use multicast for downloading packages.

10.4.3.   On the Blockouts tab, click Add blockout period and set the duration for 20 minutes and the Unit to Download.

Note: Download means that the agent won't download any software delivery packages, but it will still send events and receive policy requests from the SMP.  The other option is Total, which means a complete blockout of ALL communication between the SMP and the agent on the endpoint.  You can find more information on pages 348-349 of the SMPlat User Guide.

10.4.4.  On the Advanced tab, check mark the Enable tickle on Symantec Management Agents.

10.4.5.  Click Save changes.

10.5.  Click on the Deployment Pre-Boot Environment policy.

10.5.1. On the General tab, set the following and click Save changes:

Setting                              PreProd   Production
Download new configuration every:    5 min.    5 min.
Upload basic inventory every:        1 hour    1 hour
Compress events over:                Disabled  Disabled

10.5.2.  On the Downloads tab, uncheck Use bandwidth throttling.

10.5.3.  On the User Control tab, uncheck Show client tray icon.

10.5.4.  On the Advanced tab, check mark the Enable tickle on Symantec Management Agents.

10.5.5.  Click Save changes.

Note: I didn’t mention check marking the multicast option.  That is because it is not necessarily applicable to systems in the Pre-Boot environment.

10.6.  Set the remaining ones to however you see fit.

10.7.  Enable these two policies to ensure your non-site systems receive the complete agent.  We have found that our ‘Altiris 6.5 Agent’ removal script/process (which uses aexagentutil.exe /clean and /uninstallagents) leaves some kind of remnant around that doesn’t let the inventory plug-in install, hence an incomplete 7.1 agent.  Enabling these two policies (for x64 and x86 systems respectively) fixed our issue.  YMMV.  Be sure you check the box to Disable download via multicast.  We didn’t have to worry about it on our site servers because they were out-of-the-box fresh installs.

 

11.     Configure App Metering Solution

Configure your Application Metering to suit the needs of your company.  Here is how I configured it for our environment.

11.1.  Navigate to Settings | All Settings.

11.2.  Click Settings | Discovery and Inventory | Inventory Solution | Application Metering Configuration.

 

12.     Configure Resource History

12.1.  Click Settings | All Settings

12.2.  Click Settings | Notification Server | Resource and Data Class Settings | Resource History.

12.3.  Expand  Basic Inventory, place a check mark next to whatever Data Classes you want, and set the Keep History Duration to whatever you want.

12.4.  Click Save Changes.

 

13.     Configure Resource Membership Update

Again, these settings work for our environment and the solutions we use (we don’t use Service Desk or Workflow yet; when we do, it will be on a separate box).  We will only have about 6000 endpoints when all is said and done.

13.1.  Click Settings | All Settings

13.2.  Expand Settings | Notification Server | Resource and Data Class Settings.

13.3.  Click on the Resource Membership Update.

13.4.  Set the Delta update schedule to repeat every 1 hour.

13.5.  Set the Complete update schedule to repeat every 1 day.

13.6.  Set the Policy update schedule to repeat every 30 minutes.

13.7.  Click OK.

Comments (6)

andykn101:

agent is recommended:

http://www.symantec.com/docs/TECH169424

I no longer clone the plug-in policies, but I do create a custom target for them.

I also have them set to run daily as they will only run if the install failed previously.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

andykn101:

It's much easier when OOB is desired if the plug-ins are already deployed instead of having to manage a whole new plug-in deployment.

ziggy:

I did not know that about the PMS policy.  We haven't seen that issue (and we are running SP2 currently), but maybe we just haven't seen it?

For OOB, it depends.  In our OOB implementation, we were restricting the roll-out for testing purposes, not to mention all the overall issues we had with it.  I will be posting a separate OOB document to show more details.  But it is fine to deploy the OOB plug-in whenever you are ready, whether that be up front, or later on.  Your choice.  I appreciate your comments very much.

anthonypascucci:

As described in your 10.4.3. topic - you apply a download blockout starting at midnight (0:00) and it lasts 20 minutes; what is the reason for this?

Anthony

ziggy:

@anthonypascucci: That blockout is for the first 20 minutes following the startup of the SMA service, not starting at midnight.
