United Kingdom Endpoint Management User Group


A plug for ITMS / CMS 

Dec 10, 2015 06:23 AM

Are you waiting for a compelling reason to switch to Symantec Altiris IT Management Suite or Client Management Suite?

One of the best wins for us was ‘Compliance’: the way to set rules within the CMS tool that let it know whether policies applied to computers are required or not, depending on whether the computer is in a state of compliance.

For example: the other day we started rolling out Internet Explorer 11 to a subset of our estate.  The detection rule for compliance checking we used was:
Is this reg value data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\svcVersion

… set to:

Version >= 11.0.0.0  (greater than or equal to).

This compliance rule means that even if any future version of IE is installed, then providing it updates that registry value, the computer will remain compliant.

Once we are sure the policy to deliver IE 11 is never required, we will be disabling it though.  Good compliancy detection rules can’t completely make up for poor housekeeping!

Here is a screenshot from the Symantec Management Console for ITMS.  This partial view shows our policy compliance position for a bunch of our policies.

compliance_part.png

The policy in this list means it’s on, green means computer received policy and is compliant.  Red means policy received and not yet compliant, and the grey line part means the computer is yet to check in and receive the policy.  And as a bonus when you click on the green, red or grey part of the compliance indicator, then an ad-hoc filter is created with the list of computer names & IPs in a right-hand window pane.

Compliance:  an excellent reason to look at Managed Software Delivery using ITMS / CMS.

Comments

Mar 16, 2016 01:18 PM

in the agent window... 

so example... if you have a piece of software and check off User must turn on from Symantec Management Agent (under schedule> user interaction)

then install the software. Once it is installed and says compliant - go and make a change to the policy and save. Check the machine back in and it should go back to non compliant

Feb 27, 2016 07:13 AM

In the earlier 7.n ITMS versions Patch Management used to use the regular detection rules. I noticed that for something like IE11 the rule would be both >11.0.0.0 AND less than 12.0.0.0
Otherwise, when 12.0 comes out you'll find that where the detection rule runs it will show as having IE11 in some reports even though it's got 12.
I then use an applicability rule to say don't run if >= 12.0.0.0. I then have to remember in the Policy to set Advanced Options > Result-based actions > Upon failure to "Continue".
You can also then create a dummy uninstall command for the IE11 Software Release, run it on all PCs and it will tell you what's still got IE11 when you want to upgrade to 12, solving the problem of trying to Inventory for Internet Explorer versions.

Jan 11, 2016 10:17 AM

I used to clone in 6 and when we went to 7.1 I was making everything in DEV environment. Then export/import into TEST and PROD environments... this had many issues so now I do it all...

Jan 08, 2016 06:28 AM

I shy away from Cloning policies since the 7.1 days when they didn't clone at all well.

Jan 07, 2016 05:59 AM

Hi TeleFragger, in a similar scenario we would not alter a live policy like that, we would clone it and use the clone, then disable the old one if appropriate.

However the point about the word 'compliance' is valid: it could easily lead management to believe actual compliance (which it can if a managed software delivery is fully set up with good detection rules and proper exit codes configured) but can sometimes just mean "the script returned zero" depending on what you are getting the policy to do.  And as we all know, without proper error management a VBScript will always return zero!
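
The detection rule from the original post, with the optional upper bound from the Feb 27 comment and the exit-code concern raised in the comment above, written out as an added PowerShell example (not part of the thread and not ITMS's own rule engine). The function name, its parameters and the exit-code convention (0 = rule passed, 1 = rule failed) are assumptions; only the registry key and the svcVersion value name come from the post.

```powershell
# Added example, not from the thread. Test-VersionRule and its parameters are
# hypothetical names; the registry key and svcVersion value are from the post.
function Test-VersionRule {
    param(
        [string]$Value,               # raw string read from the registry
        [version]$Minimum,            # inclusive lower bound, e.g. 11.0.0.0
        [version]$MaximumExclusive    # optional exclusive upper bound, e.g. 12.0.0.0
    )
    if ([string]::IsNullOrEmpty($Value)) { return $false }   # value missing
    try   { $found = [version]$Value }                       # field-by-field numeric parse
    catch { return $false }                                  # malformed data is not compliant
    if ($found -lt $Minimum) { return $false }
    if ($null -ne $MaximumExclusive -and $found -ge $MaximumExclusive) { return $false }
    return $true
}

$key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$raw = $null
try {
    # -ErrorAction Stop turns a missing key or value into a catchable error
    $raw = (Get-ItemProperty -Path $key -Name svcVersion -ErrorAction Stop).svcVersion
} catch {
    Write-Output "svcVersion not readable: $($_.Exception.Message)"
}

# Rule from the post: >= 11.0.0.0. Add -MaximumExclusive '12.0.0.0' for the
# bounded variant described in the comments.
$compliant = Test-VersionRule -Value $raw -Minimum '11.0.0.0'
Write-Output "svcVersion='$raw' compliant=$compliant"

# Set the exit code deliberately, so a zero only ever means the rule passed
# (assumed convention: 0 = passed, 1 = failed).
if ($compliant) { exit 0 } else { exit 1 }
```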

Jan 06, 2016 05:26 AM

Where does it show as "Non Compliant"?

Jan 05, 2016 02:45 PM

There is a CON about the word "Compliance"

In my area that word sends chills down the techs' spines. If I deploy an app to all computers they will show up as "Compliant", however if I edit the policy and change nothing and just click Save, when all machines check back in they show "Non Compliant"... took some time explaining to our QA people that "Compliant" isn't something that they need to use as it will change... they didn't like that.

Jan 05, 2016 10:19 AM

Check out this article I did a bit ago. We had to figure out IE versions due to XP EOL and I created a custom inventory which allows very detailed IE version reporting...

 

Hope this helps you out.

 

https://www-secure.symantec.com/connect/downloads/custom-inventory-ie-version

Dec 21, 2015 05:17 AM

Some reports allow you to select a filter to run the report against. If you can't find one, there's a template one attached to TECH 213008 "How to Export/Save a List of Computers from a Filter or Group"
http://www.symantec.com/docs/TECH213008

Dec 18, 2015 10:04 AM

Hi, below is the SQL we use to report on IE versions.

select distinct vc.Guid, vc.name, vc.domain, vc.[OS Name], vw.ProductVersion as [Full File Version]
 from vWindowsFile vw
 join Inv_Installed_File_Details ifd
   on vw.Guid = ifd.FileResourceGuid
 join vComputer vc
   on ifd._ResourceGuid = vc.Guid
 where vw.Name like 'iexplore.exe'
   and vw.ProductName like '%Explorer%'
   and Path not like '%windows.old%' -- to exclude entries from upgraded machines with legacy windows.old folders
 order by vc.Domain, [Full File Version]

You'd need to have enabled software inventory scans to collect the .exe information into your database.  It uses the file version of iexplore.exe that was collected by the executable file inventory.  Don't forget that sorting by version is an alphanumeric sort.
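
The sort caveat above matters when the report is used to count IE 11 machines, because the version column is text. An added PowerShell example (not from the thread) that post-processes rows shaped like the query's output; the column names in the CSV, the helper function and every computer name and version string are constructed for illustration.

```powershell
# Added example, not from the thread. The rows mimic two of the query's
# columns (name, Full File Version); every value is constructed sample data.
$rows = @'
Name,FullFileVersion
PC-001,11.0.9600.17843
PC-002,9.0.8112.16421
PC-003,10.0.9200.17457
PC-004,8.0.7601.17514
PC-005,11.00.9600.18124
PC-006,unknown
'@ | ConvertFrom-Csv

# Hypothetical helper: parse to [version], or $null when the text is malformed.
function ConvertTo-VersionOrNull([string]$Text) {
    try { [version]$Text } catch { $null }
}

$parsed = $rows | Select-Object Name, FullFileVersion,
    @{ Name = 'Version'; Expression = { ConvertTo-VersionOrNull $_.FullFileVersion } }
$valid   = @($parsed | Where-Object { $null -ne $_.Version })
$invalid = @($parsed | Where-Object { $null -eq $_.Version })

# Text sort compares character by character, so 10.x and 11.x come before 8.x.
$textOrder = $rows | Sort-Object FullFileVersion | ForEach-Object { $_.Name }
# Sorting on the parsed value compares each field as a number.
$numericOrder = $valid | Sort-Object Version | ForEach-Object { $_.Name }

# IE 11 range: lower bound from the post (>= 11.0.0.0), upper bound from the
# comments (< 12.0.0.0).
$min  = [version]'11.0.0.0'
$max  = [version]'12.0.0.0'
$ie11 = @($valid | Where-Object { $_.Version -ge $min -and $_.Version -lt $max })

"Text order:    $($textOrder -join ', ')"
"Numeric order: $($numericOrder -join ', ')"
"IE 11 on $($ie11.Count) of $($rows.Count) rows; $($invalid.Count) row(s) had an unparseable version"
```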

Dec 18, 2015 09:00 AM

Andy - Can you please explain "run any report that is filter based on that filter"? I have not run reports based on filters. How do you do that? Please advise. Thanks!

Dec 17, 2015 06:38 PM

You need to create a Software Release for IE11 separate from the one you use for delivery.
Add a dummy uninstall command CMD /C "dir".
Create a detection rule for it that looks for iexplore.exe >11.0.0.0 and iexplore.exe <12.0.0.0.
Create a Managed Software delivery to run that on all your computers every day at 12.30.
Then right-click on the Software Release and create an Installed Software filter.
Then you can run any report that is filter based on that Filter.

Dec 17, 2015 02:22 PM

Andy - We recently rolled out IE11 through Software delivery policy. We need to report on a weekly basis on how many PCs got IE 11 installed company wide. Is there a quick report for it? We used to look at the Add / Remove programs application description for IE10 & IE8. But that won't work with IE 11. Please advise.

Dec 10, 2015 10:08 AM

Excellent.  I will have to remind our compliance trackers of this feature.  Thank you.

Dec 10, 2015 07:44 AM

Thanks.

Dec 10, 2015 07:09 AM

Hi Stefan,

In the Symantec Management Console from v7.5, when in 'Manage Computers' you should see a double chevron as ringed here:

blog1.png

If you don't see the chevrons (and you have ITMS / CMS 7.5), then click on Computer View 'All Computers' first.

Then after you click that the flip book should open up to something like this:

blog2.png

Hope this helps!

Regards, Darren.

Dec 10, 2015 06:56 AM

I cannot seem to find this view? How do I navigate to this view? Or have you built this view yourself?
 
