Software Management Framework Quick Start – ITMS 7.1 SP2
This guide is intended as a quick start preface to Joel Smith’s excellent “Symantec Software Management 7.1 Best Practices”, which should be considered essential further reading for anyone using Software Management. In this guide I’ll assume you haven’t set up a Software Library.
First of all we’ll open the Symantec Management Console and set the defaults for Software Delivery. Go to Settings > All Settings > Software > Managed Delivery Settings. I just add two schedules, “00:00 No Repeat” and “12:10 Daily”. The first one ensures that any PC will run the policy as soon as it receives it, the second that the PC runs the policy daily to check the software is still in compliance (i.e. installed usually).
It can be easier to let Altiris discover the Software before you package it. I have created an Inventory task that I can run on my test PC with the software installed, to add it to the Software catalog.
Software Resource Creation
Download the software (preferably an msi) from the vendor’s website to its own folder on a UNC path, or the NS. Normally you’d check for prerequisites and download and package those first.
Browse to Manage > Software > Newly discovered Software and see if that version of the software is already discovered in your organisation, if so note its name.
Right-click on the white space below “Newly discovered Software”, select “Import” and wait for the Import Software: Software Details screen to appear. Unless you know it’s an Update or Service Pack, leave Software Type at the default of Software Release, but don’t forget to change this if it is an Update or Service Pack – it cannot be changed later. Select the source according to where you downloaded the msi, click Add, browse to the location and select the folder (if you are using the Software Library you can just select the msi file). If the installation file is not shown in bold, select it and click “Set as installation file”. Click Next and wait while file hashes are created (and files are uploaded to the Software Library if used).
If you found that version of the software already discovered in your organisation select “Update an existing software resource” and browse to the software you noted earlier; version number is often a good search term to use. Otherwise make sure “Create a new software resource” is selected, check the Company and Version are correct, leave “Open software resource for editing when finished” selected and click OK.
Software Resource Properties tab
Once the Software Resource opens for editing, check the details on the "Properties" tab are correct. You should make sure that there is a correct version for the Software Product to use later. Also try and use the “known as” mappings and merging of Company resources features elsewhere in the console to make sure there is only one version of the “Company” available in the drop down, although you can leave this until later.
Software Resource Package tab
Select the "Package" tab and then double click the package. Click the “Package Server” tab and make sure the package is assigned to the package servers you require.
Check the command lines, for the default install for MSIs I add ‘/l*v “%temp%\msiname.log”’. You might want to add REBOOT=ReallySuppress too. The “Installation file type” is used when you define custom error codes, which you can enter in "Settings > All Settings> Software > Software Catalog and Software Library Settings > Installation Error Code Descriptions". The “Installation file type” does not affect the way the Symantec Management Agent runs the command; for example, a Windows Batch Installation file still needs to have CMD /C “filename.bat” as the command line. Vbscript files will need "cscript" or "wscript" entered similarly.
Beware of copying command lines from word processor documents where the quotes may be ‘66’ ‘99’ type quotes, not ASCII ones the command processor will recognise.
If you set a default Uninstall command line it can be used in future by Policies installing later versions of this software, if you think the previous version’s uninstall should be run first.
If you put explicit success codes, don’t forget to include ‘0’.
Software Resource Rules tab
The easiest way to create a detection rule is when you import an msi and the import creates a rule based on the MSIs Product Code. Otherwise, remember when you create a detection rule that it will be used if you want to create a targeted Software Inventory later; so make it specific. But also remember that updates may change minor version numbers, so Project 2010 should look for WinProj.exe>14 AND WinProj.exe<15 rather than WinProj.exe=14.0.4673.1000
Applicability rules are typically to say “64 bit only”, and/or to make sure that the install won’t run over future versions. Applicability rules don’t run for uninstalls invoked by the “Automatically Upgrade…” feature of Policies but do if the Uninstall is directly added to the Policy.
Both Applicability and Detection Rules are listed together; I use a ‘D’ and ‘A’ prefix when I create them. If you have had a version of Patch Management prior to 7.1 SP2 installed on your NS then you may have Inventory Rules from this you can use as examples, although they do sometimes have blank entries where you will not be allowed blanks.
Software Resource Associations tab
These update both this Software Release and any Software Resource selected. So selecting Software Resource B in “Software Resources that are superseded by this software resource” will show this Software Release under “Software Resources that supersede this software resource” in Software Resource B.
Conflicts with: Produces a red text warning in Policies etc, prompts to use Software Virtualisation in the Managed Software Delivery [Policy] Wizard.
Contains: For example the Lync 2010 client package includes Silverlight. Not sure what the effect of specifying this here is.
Depends on: The Managed Software Delivery [Policy] Wizard will prompt to include these Software Resources in the Policy, where their default Install commands will run before the command line for this Software Release. Make sure they too have a detection rule at least.
Software Channel Targets Software Release: used by Patch Management for Linux patching.
Supersedes: If a Software Delivery Policy has the “Automatically upgrade software that has been superseded by this software” option set then it will invoke the default Uninstall command for all Software Releases listed under “Software Resources that are superseded by this software resource”. Software Policies containing those Software Releases will then have the “Do not install if a newer version of this software is already installed” option available. Again, you need to make sure all the superseded software with a default Uninstall command has Detection rules and this Software Release also has a sufficiently precise Detection rule.
Updates…: Similar to “Depends on” but will give the option to add this Software Release when the Managed Software Delivery [Policy] Wizard is run for the referenced Software Release is run. Updates run after the updated Software Release default Install command runs, Service Packs run after all the installs in the Policy have run.
Software Resource File Inventory tab
If you already have an install of this software you can browse to it and add the executable (exe & dll) files. If you used “Update an existing Software resource” earlier, this tab may already be partially or fully populated.
Software Resource File Software Publishing tab
This is one of two places you can publish to the Software Portal. Using the Managed Software Delivery Policy you will create next is preferred as that will use the Detection and Applicability rules, this option will not.
Once you’ve finished editing the Software Resource, you can click on the drop down box and select Actions > Managed Software Policy to start the wizard; I recommend you click OK to save the Software Resource first. Then find it in the Software Releases section, right click and do the same.
I suggest you have a filter containing your test PC before running the Managed Software Delivery wizard.
Managed Software Delivery [Policy] Wizard
You will see a red warming if the selected Software Release has been superseded or has conflicts, both from the Resource Associations section above. A Conflict warning will prompt you to use a Software Virtualisation virtual layer.
The default Install command line will be selected, although you may select another at this point.
If this Software Resource has a “Supersedes” association you will have the option to “Automatically upgrade software that has been superseded by this software”. This will add the default Uninstall commands for all software with a Superseded association; but you will only be able to see these on a Symantec Management Agent that has this Policy applied – they do not show in the Policy in the console. Applicability rules for these “hidden” uninstalls do not run, those for Uninstalls explicitly added to the policy do run.
Unfortunately the “Do not install if a newer version of this software is already installed” option is only available if there is a “Superseded by” association. When using the wizard for new software this will not usually be the case; you’ll have to remember to go back and select it once a newer Software Release is created with a “Supersedes” association.
I usually use Quick Apply and select the filter that I have set up to contain my test PC. You have to select something.
Hopefully you’ll have set up defaults in Settings > All Settings > Software > Managed Delivery Settings that suit.
I try and always click “Next” here rather than “Deliver Software” to check on Dependencies, Updates and Service packs.
Specify dependencies and updates
Check and set those you want. Don’t forget that, if you’ve set your detection rules correctly, install of these Software Releases will only run if required.
I always start with Exclude Computers not in “Windows Workstations” to make sure I don’t install to servers by accident.
You can right-click on the Software Release > Actions > Create Installed Software Filter and then exclude that filter from the Target of your Policy. This means the Policy is applied to a Target containing fewer machines, with a consequent small reduction in processing on the NS and clients but if the software is removed from a client you have to wait for inventory to update before the Policy applies again and is reinstalled.
To see what Symantec consider a Software Product, go to Manage > Software Catalog and, under “Managed software products” select “included pre-defined software products”. Primarily it is the licensable entity, so Adobe Acrobat 8.0 and 8.1 use the same licence, Adobe Acrobat 9.0 would need a different licence. However, depending on how you want to track quantities and usage of Software, you may want to create more or less restrictive definitions. Although you need Asset Management Solution (AMS) to track licenses automatically in the console, even if you don’t have AMS it is a good idea to use this principle when creating Software Products.
Where the Symantec supplied definitions are inaccurate, Support have advised creating a new one rather than correcting the Symantec supplied one. For example the v6 Enterprise Vault client is reported by Inventory as ‘Veritas’ whereas the Symantec supplied definition specifies ‘Symantec’ so create a new Software Product for Veritas Enterprise Vault 6
A Software Release will not show under a Software Product until it has been discovered by inventory, even if you create the Software Product from your new Software Release. However this is still a good way to create a new Software Product if one is not pre-defined, although you will need to edit most of the default entries it will populate.
Create Software Product
Open Manage > Software Products. You can create a new Software Product either by finding the newly created Software Release in Newly discovered/Undefined Software (if it’s already been discovered by Inventory) and selecting the top ‘>’ symbol or selecting “Add Product”
Name: Select a name to reflect the scope, remove version numbering but leave things like ‘2010’.
Company: Select one from the list.
Version: To reflect the scope, usually, unlike the “Identify Inventory” tab version, not dotted.
Category: As required.
[Icon] Change: You can do a Google image search and save as JPG or PNG. Or you can use a program like NirSoft’s IconExtract.
Identify Inventory tab
If you have used an existing resource to create the Software Product you may wish to clear these three fields before you start. You can use Operators such as ‘+’ and ‘|’. You can see the effect of changing the filters as you go.
Software name: See what is listed below when you enter different terms, but remember that only Software Resources that are currently discovered in your organisation will be listed. Filter uses spaces:
“Lync + 2010” returns Lync 2010 but not Lync2010
“Lync+2010” returns Lync 2010 and Lync2010
Company: Unlike the “Company” field above, you don’t have to use the list. You can put Sun|Oracle.
Version: Usually the Major version followed by a period, ‘1.’ ‘1’ without the period would return ‘10’ as well.
The other tabs can be left for later.
To check how well Policies operate in practice you can look on the Symantec Management Agent itself or use the Remote Altiris Agent Diagnostics (RAAD) tool:
You should regularly right click on a policy and run the “Software Execution Report”, you’ll have to manually populate the name. You can sort by Return Code to see failures, but remember the negative return codes appear at the other end of the report to the positive ones with the ‘0’ success ones filling up the middle.
Read Joel Smith’s more detailed “Symantec Software Management 7.1 Best Practices” guide:
Unfortunately Symantec recently cut off the headline of all comments, which contained the first line of most of my posts.
You can also read Joel Smith’s “Technical White Paper - Inventory Rules, Detection and Applicability Checks”:
All comments and corrections welcome here. If you’ve got a specific problem or technical query about your environment, please post in the main Q&A forum.