Deployment Solution

Hi,

Let me start with a little back history of my problem.  I am the Altiris admin for my company.  We are using DS 7.1  We have around 6500 workstations in our environment.  We have a PC group that manages these workstations.  So in the console I have setup security that allows the tech's to manage only these workstation class machines via Organizational views/AD. One of our tech's accidentally (or so he claims) pushed a very critical piece of software to the entire firm at once, basically causing a very large scale problem in a matter of minutes. 

That being said, I have now been tasked with finding some way to allow the tech's to still manage machines, but not be able to "accidentally" schedule a push of any kind to the entire group at once.  Upper management has basically made it clear that unless we come up with this solution, we will not be using this product any more.  Does anyone have any idea's or best practices, or anything at all that would allow me to accomplish this in some fashion? My only thought was to somehow allow the "quick run" option on jobs/tasks, but not the "schedule" option. Thus allowing all techs to handle "one off' type jobs, and not be able to setup a schedule against a filter or multiple machines, and leave that up to a very small group of people.  However I haven't found a way to accomplish this via the security settings.

This is the first time i've posted on these forums, so forgive me if i forgot sometihng.  Any help would be great. Thanks.

A common system is to let the helpdesk distribute software by using AD groups, if a user wants a piece of software the helpdesk gets their PC number and puts the PC record in AD into the appropriate Security Group in AD for the piece of software. They have no Altiris access.

The system wide rollouts are done by the Altiris admin.

Try to only use Jobs & Tasks for one off maintenance tasks outside of Deployment Solution.

Otherwise could you set up security on Filters so that they can only distribute to filters that you have approved for them to use?

Thanks for the reply. 

I understand where you are going with this. However I'm going to have a hard time explaining why we have to manage software distrobutions through AD, when we own a product that is supposed to handle it natively in the first place.  Even if Altiris is handeling the actual distrobution on the backend. 

I'm guessing this would involve creating security groups for the various pieces of software needing to be distributed, and then applying policies against those groups? How does the tech normally diagnose if the install went successfully or not then? A lot of our work/software installs happen while a user is on the phone with the tech actually waiting for the package to be done. 

I could setup security on filters and/or org views, which is basically what i have now. The problem is any tech needs to be able to distribute software to any pc at any given time, just not to all of them at the same time.  At least thats what im being mandated.  

If I have to set things up this way beacuase there is no other option then I don't have much choice. Just trying to see any available options at this point. 

Thanks

Usually users don't expect software immediately, a reasonable SLA is 24 hours, typically it normally gets delivered within 15 mins AD replication plus 60 mins max AD update interval plus max 30 mins filter update interval plus max 60 mins agent update interval=less than 3 hours.

You shouldn't need to diagnose if the install went OK or not, they should almost always work if well tested. The admin will run Software Execution reports and look for repeated failures, I recommend using a policy that runs once immediately and repeats every 24 hours, so even if the first install fails for a one off reason it will install 24 hours later.

Have you considered the Software Portal for user requests?

I can't think of an easy answer, I'm afraid. You need to present this as a management problem, not an Altiris problem. Your management want to allow tech to install to any PC but not all PCs.