Software Applicability rule

Created: 16 Mar 2011 • Updated: 17 Mar 2011 | 9 comments
This issue has been solved. See solution.

How would I go about creating a rule that would only allow the software to install on Laptops?  I could create a filter to get this information but from what I can tell the expression creation does not allow you to use a filter or a group.

Please help.

Also, is there any way to see the results of the rule you create?  So you can determine if you are doing what you believe you are trying to accomplish.

mclemson's picture

This is really something where you would use a Filter to target laptops, perhaps by creating a filter based on Chassis Package Type = 9 (laptop) or 10 (notebook), or by creating a filter that only returns computers whose model contains 'Latitude' in the model name, for example.  Applicability rules have to do with operating systems and applications, not hardware.  If you want to restrict based on hardware, you'll need to use a filter.

Applicability rules and detection rules are tested in very similar manners.  Apply them to test systems (I typically use a Managed Software Delivery that checks for compliance every 15 minutes), and then tweak settings to try to break the logic of the software resource within the MSD.  For example, uninstall pre-requisites, corrupt the primary program, target a 64-bit system even though your MSD contains a software resource that is applicable to 32-bit OSes only, and so forth.

For example, I once created a detection rule that .NET 2.0 needed to have a version containing the substring 2. in the registry, but determined in testing that a registry value of, say, 3.042.67 would have validated as having .NET 2.0.  I changed the detection rule to include a version greater than or equal to 2.0 and less than or equal to 3.0.

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com
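
The detection-rule pitfall described in the post above, as an added example that is not part of the original thread: it compares the "contains the substring 2." rule with the numeric 2.0 to 3.0 range rule over constructed version strings. The function names and sample values are assumptions made for illustration.

```python
import re

# Constructed sample registry version strings (not taken from a real system).
SAMPLES = ["2.0.50727", "3.042.67", "12.0", "1.1.4322", "3.0", "2.x"]


def parse_version(text):
    """Return '2.0.50727' as (2, 0, 50727), or None if it is not dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def substring_rule(value):
    """First rule from the post: the value contains the substring '2.'."""
    return "2." in value


def range_rule(value, low=(2, 0), high=(3, 0)):
    """Revised rule from the post: 2.0 <= version <= 3.0, compared numerically."""
    version = parse_version(value)
    if version is None:
        return False  # unparseable data never counts as "detected"
    width = max(len(version), len(low), len(high))
    pad = lambda v: v + (0,) * (width - len(v))  # so 3.0 and 3.0.0 compare equal
    return pad(low) <= pad(version) <= pad(high)


def disagreements(samples):
    """Values where the two rules differ, as (value, substring, range) tuples."""
    return [(s, substring_rule(s), range_rule(s))
            for s in samples if substring_rule(s) != range_rule(s)]


if __name__ == "__main__":
    for value, by_substring, by_range in disagreements(SAMPLES):
        print(f"{value!r}: substring={by_substring} range={by_range}")
```

Running the same disagreement check over the values you expect on test systems shows which inputs a rule accepts or rejects before it is applied to a Managed Software Delivery.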

andykn101's picture

because Dynamic Disks are not allowed on laptops:

http://support.microsoft.com/kb/234308

"The following registry value is checked to determine whether or not Dynamic disk support is enabled:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IDConfigDB\CurrentDockInfo\

DockingState:REG_DWORD:0

A value of 0x1 indicates that Dynamic disks are not supported."

So create a rule that checks if that key is 1.

But ask yourself if it's really laptops that you are checking for. For example, although it's rarer now, in many larger organisations there used to be one or two desktop machines with modems for certain banking or financial transactions.

Seeing the results of a rule is tricky for the same reason you can't use filters: they're executed on the target. The agent log does show if it evaluates true or false.

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.

SOLUTION
jlawson's picture

First, thank you, as this looks like it could be my solution.

Second, in response to your question on whether it is laptops I'm looking for, the answer is 100% yes.  The application this rule is being built for was purchased only for laptops and laptops only.  We do not have the licensing for this to get accidentally installed on a desktop.

Zac H's picture

Now, I have no idea how efficient this query is, because I'm TERRIBLE at SQL, but this is the query I use in a laptop filter.

-- SMBIOS chassis types: 8 = portable, 9 = laptop, 10 = notebook, 12 = docking station
SELECT DISTINCT
    ch._ResourceGuid
FROM
    Inv_HW_Chassis ch
WHERE
    ch.[Chassis Package Type] = '8'
    OR ch.[Chassis Package Type] = '9'
    OR ch.[Chassis Package Type] = '10'
    OR ch.[Chassis Package Type] = '12'

jlawson's picture

Zac H,

Thanks for the query. I have added a bit to it to verify the results, and I will make a filter with this, but...

SELECT DISTINCT
    i.name,
    ch._ResourceGuid,
    ch.[Chassis Package Type],
    cs.[Identifying Number] [Serial Number],
    cs.Manufacturer [System Manufacturer],
    cs.Model [Computer Model]
FROM
    Inv_HW_Chassis ch
    JOIN dbo.vComputer i
        ON ch.[_ResourceGuid] = i.Guid
    JOIN dbo.vHWComputerSystem cs
        ON i.Guid = cs._ResourceGuid
WHERE
    ch.[Chassis Package Type] = '8'
    OR ch.[Chassis Package Type] = '9'
    OR ch.[Chassis Package Type] = '10'
    OR ch.[Chassis Package Type] = '12'
ORDER BY i.name

To you and mclemson: as I stated in the original post, how can I use a filter in a software applicability rule?  I don't believe I can.

Now, I can use the filter to create a deployment based on it, but I want to make sure this never gets installed on a desktop, and with other users in Altiris I can't do that without using a Software Applicability rule.  A filter does not stop other users or myself from making a mistake and accidentally deploying this software where it should not be.

mclemson's picture

First, you can create a Managed Software Delivery which uninstalls the software if it's somehow placed onto a desktop.  Where Chassis Package Type is NOT 8 or 9 or 10 or 12, for example, and the software is present (detection rule), uninstall.

Other ideas include adding security so that only certain users can deploy it, creating a report to prove compliance, or using the registry key recommended above.

If it's supposed to be installed on all laptops, the filter above would let you install it on all laptops using the MSD, and there shouldn't be any need to create a task or policy that could accidentally be applied to a desktop because you've already applied it to all laptops.

Or am I missing something?

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

jlawson's picture

We really don't use MSD yet because you can't attach multiple tasks to an MSD.  All you can do is deploy the software.  What if you need to do some configuration afterwards or something?  A Job allows me to take a quick delivery and build what I need.

I'm sure MSD is great, and if you have a full packaged MSI installer and an editor package like WISE it may do the job, but I need to be able to do multiple things with many of the software packages I deliver.  This makes Jobs much easier.  Also, as nice as WISE is, I would hate to have to edit the package every time a new release came out.  With a Job I can just pull out the current quick delivery and insert the new quick delivery based off of the manufacturer's MSI.

As far as uninstalling, yes, that is great and would work, but wouldn't everyone rather just avoid that altogether?  I sure do, and that is the reason for this question.  They built the Applicability rule for this exact reason, to limit who gets the package.

mclemson's picture

You can attach multiple tasks to a Managed Software Delivery.  When viewing the policy, under the Software tab, click the Add button to add a software resource or a task.

What most people do with Software Resources if they need to do something outside of the command line is use a .bat or .vbs wrapper, which runs the command line (e.g. msiexec.exe /i program42.msi /qn) and then runs follow-up tasks (e.g. DEL "C:\Documents and Settings\All Users\Desktop\program42.lnk").  This way you can add, remove and modify files; add, modify, or delete registry entries, etc.

Applicability rules were not built strictly to limit who can receive a package.  Applicability rules were designed so that a software program is only installed if it applies to that operating system or application base.  For example, javax86.exe "applies to" 32-bit workstations, or Office2007SP2.exe "applies to" Office 2007.  Filters are what you use if you want to target hardware, such as "Computers with nVidia GeForce 9300 installed" or "Servers located in Site XYZ."

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

jlawson's picture

You can attach multiple tasks to a Managed Software Delivery

I come from a deployment solution background and sometimes you need reminders on what else can be done :)

Either way this is not my solution as I want to prevent the install no matter what.  Which is what applicability rules provide me.