United Kingdom Endpoint Management User Group

 View Only
Back to Library

Creating a Pilot Computers Filter: dynamic, automatic & maintenance free 

Dec 15, 2015 11:26 AM

Rolling out software is a tricky business. Any change, whether a major software release or a security patch, runs the risk of impacting user productivity. In order to manage this risk, IT administrators often choose to expose software changes to their estate in incremental stages.

The number of release stages IT administrators mandate for software rollouts however will often vary, even within one organisation. For example, a critical windows update might move straight to full rollout without even one simple test, whereas a Java update that's required for critical business systems access might be advanced through multiple stages.

To give you an idea of what this can look like, below I've detailed the 4 release stages we often apply to our software rollouts.  

  1. Test
    This stage releases the software solely to a few test machines. These machines are usually virtual, and are representative of the most common baseline software configuration. This stage represents the most basic quality control gateway for deploying the package. 
     
  2. Initial Pilot
    This stage exposes the software package to small pool of local IT staff. In our environment, this sample represents a fraction of 1% of our computer estate.  The aim here is to catch those initial 'gotchas' using a pool of technically savvy users with 'standard' configurations. The confidence level in a successful rollout is medium. The combination of small sample size and user base however means that the impact of a failed pilot is relatively low and rollback is relatively painless.
     
  3. Extended Pilot
    This stage extends the pilot to include machines which are more representative of the target estate. Here the confidence level in a successful rollout is high, and rollback becomes user impacting. In our environment, this sample represents perhaps 5% of our computer estate
     
  4. Full Rollout
    All machines are now targeted with the software rollout. The confidence level in a successful rollout is very high, and the impact of rollback in the event of an issue emerging is high.

Over the years this system worked pretty smoothly for us with the exception of one niggle; the management overhead of the Extended Pilot group. Initially this pilot group consisted mostly of volunteers who were selected to be representative of our estate. When our customer base was small, the manual processes in keeping abreast of staff and PC changes was manageable. However as our customer base grew and became increasingly distributed, the process of reinvigorating the group to keep it from going stale became a major painpoint.

Eventually, I realised this pilot group in it's current form was no longer fit for purpose, and a rethink was required.

 

Extended Pilot Group Criteria

For the re-think, I went back to basics. What was it I ultimately wanted? Well, ideally I'd want a pilot filter which was maintenance-free and full of active computers. This would enable me to reliably pilot managed software deliveries for Java Run-time Environment rollouts, or IE upgrades etc.

This meant my group membership had to follow three basic criteria,

  • Psuedo-random - so that it was representative of the computer population
     
  • Dynamic - to automatically exclude retired or inactive machines
     
  • Scope - to restrict the member total to a percentage of our computer estate

 

Construction

To figure this out I used the tools available to me; Google and critically the Symantec Connect community.

I decided a straightforward way of picking computers consistently in a pseudo-random manner was to use the computer's GUID. The GUID is randomly assigned to each computer when it first checks in to the SMP. So if I were to create a filter of my computers ordered by GUID, the top 10 would represent a consistent and pseudo-random subset.

Next, to eliminate inactive machines I should restrict membership to computers which were regularly checking in. To obtain recently-checked-in computers within ‘n’ days, I resorted to copying and pasting a chunk from SQL previously written by my colleague Ian Atkin;

 

SELECT guid FROM  vComputer vc
join resourceupdatesummary rus               
on vc.guid = rus.resourceguid               
AND rus.inventoryclassguid = 'C74002B6-C7B9-47BB-A5D6-3031AF73BB8D'  
WHERE and Datediff(dd,rus.[modifieddate],Getdate()) <= 7

This T-SQL provides the a nice list of computers which have checked-in within the last 7 days.

The question now is how to build in my last criteria -making the membership scale. That initially seemed simple -use the T-SQL 'SELECT TOP' to limit the returned rows to the top 5%.

So testing began, and initially it worked beautifully.  But it seemed there was a bug in the SMP membership update processing which meant that the total returned just grew and grew each time the filter was automatically refreshed as a result of being in a live policy target.  I looked to the Symantec Connect community[1] and being amazing as they are, I got a result: use NTILE

I had never heard of NTILE before, and although ‘ericg2’ had given me sample usage, I needed to read up on what it did to figure out how to crowbar it into my SQL.  If you haven’t seen this before it’s very well explained all over Googleland, but suffice to say it splits the results into ‘n’ percentiles and you can select just one of them.  I wanted about 5% so I selected the first of 20 ‘NTILE’s.

 

The SQL

Anyway, enough rambling, here is the finished crafted SQL.

select vc.guid from vcomputer vc
join (
select ntile(20) over (order by guid) AS "ntile", guid  from   ----- ntile 20 is about 5%

(SELECT guid FROM  vComputer vc
join resourceupdatesummary rus               
on vc.guid = rus.resourceguid               
AND rus.inventoryclassguid = 'C74002B6-C7B9-47BB-A5D6-3031AF73BB8D'  
WHERE Datediff(dd,rus.[modifieddate],Getdate()) <= 7  ) xxx

) "grp" on vc.Guid=grp.Guid
where

grp.ntile=1

 

Console View

         5percent.png

 

Variants

It is simple to change the quantity of computers: just change the NTILE number.  We also have another pilot filter that contains 50% of computers that checked in the last 7 days.  The NTILE difference is:

select ntile(2) over (order by guid) AS "ntile", guid  from   ----- ntile 2 is about 50%

It's probably easiest to think in terms of fractions: ntile 2 = 1/2 = a half.  Our 5% is ntile 20 = 1/20 = one twentieth.

 

Advantages and Disadvantages

Before I leave this, I should point out that whilst this approach resolves most of our previous issues, it isn't perfect. 

Pros

  • Maintenance free - as your estate grows so will the number of computers returned by a 5%-active query. You might want to play with this figure in your environment to find a percentage that you are comfortable with.
     
  • Fire and forget: any policy with this filter in its target will get a good set of results back.  I have confidence that around 100 computers will definitely check in and get my policy.
     
  • Self-renewing: if someone is holiday their computer will drop out of the filter after 7 days. So the filter is always (nearly) full of current computers.
     
  • Consistent membership - mostly: because the query sorts by GUID then the top 5% of computers will mostly be predictable providing they keep checking in.

Cons

  • Inconsistent membership: clearly this contradicts the last 'pro' above, but it is important to note that this is dynamic and the exact computers will change pretty-much every day.  A few stragglers will drop out and be replaced regularly.  You may get a computer that is targeted by the filter, but it then drops out.  This means that you can be left with a computer but not know it got the update or software etc. because it won't show up in the compliance view for the policy.  As long as this is kept in mind though, there should not be any real surprises about this.  We use central logging for all our deliveries so we can see from there which computers actually got targeted.
     
  • Extra work for rollbacks: in the event of requiring a rollback of your pilot, you can't just apply the rollback script to the same target containing the pilot filter because the computers change.  So the target for the rollback policy will have to specifically target the computers based on something that the pilot did, like an inventory item added - for example an add / remove programs entry.

 
Hope this provides some food for thought for you all out there. Happy Piloting!

[1] http://www.symantec.com/connect/forums/altiris-75-filter-sql-very-strange-behaviour

 

Darren Collins
Applications Packaging and Deployment for IT Services,
Oxford University, UK.

Statistics
0 Favorited
1 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

AndreasMuller
Mar 07, 2016 05:28 AM

Thanks Darren,

I'll have a look on your suggestions. Much appreciated!

/Andreas

Darren Collins
Mar 04, 2016 06:00 AM

Sorry even with some inspired Googling I can't think of any way that wouldn't involve separate SELECT for each site to form your pilot group, e.g.

SELECT (clever SQL here resulting in 1 or 2 returns from Site 1)

UNION

SELECT (clever SQL here resulting in 1 or 2 returns from Site 2)

UNION

... etc.

I did stumble across another method (that I haven't tested) that doesn't use TOP to get a specific number of returns though using ROW_NUMBER as follows - this returns exactly 5 results:

SELECT * FROM ( 
  SELECT *, ROW_NUMBER() OVER (ORDER BY name) as row FROM tableApoint 
) a WHERE row >= 5 and row <= 10

( from http://stackoverflow.com/a/10440718/1013119 )

Good luck. 
Regards, Darren.

AndreasMuller
Mar 01, 2016 04:02 AM

This is great!

I'm testing this with my own rookie modifications. We manage about 300+ sites and I pick 100 to be included in the target from which 5% are selected. But how can I make sure that a minimum of 1-2 computers from each site is included?

My awkward code so far;

select sil._ResourceGuid from 

(select _ResourceGuid from Inv_AeX_AC_Location
where [Distinguished Name] like '%Workstations%'
and ([Distinguished Name] like '%SITE1%'
	OR [Distinguished Name] like '%SITE2%'
	OR [Distinguished Name] like '%SITE3%'
-- and so on
)) sil

join (
select ntile(20) over (order by _ResourceGuid) AS "ntile", _ResourceGuid  from   ----- ntile 20 is about 5%

(SELECT _ResourceGuid FROM  Inv_AeX_AC_Location il
join resourceupdatesummary rus
on il._ResourceGuid = rus.resourceguid
AND rus.inventoryclassguid = 'C74002B6-C7B9-47BB-A5D6-3031AF73BB8D'
WHERE Datediff(dd,rus.[modifieddate],Getdate()) <= 7  ) xxx
) "grp" on sil._ResourceGuid=grp._ResourceGuid

where
grp.ntile=1

 

Darren Collins
Jan 07, 2016 09:16 AM

Hi Ari, That would have been my colleague Ian Atkin at the web cast.

I don't know if this info will help you, but I have a couple of passive reports that use the vComputer.[User] field to return the user of the computer - I've no idea how accurate it is though or how that relates to the 'Primary' user that is calculated though.

E.g. below is some quick & dirty SQL that you can put into a computer report to select only hard-coded usernames from the 'User' field of the vComputer table:

SELECT vc.Guid, vc.[Name], vc.[User]

FROM vComputer vc

WHERE vc.[User] IN

(SELECT    'JSmith' AS [User]
               UNION ALL SELECT 'FBloggs'
               UNION ALL SELECT 'ANother'

)
-- You would replace this second SELECT with SQL to pull in your VIP usernames from ServiceDESK

The names in quotes in the hard-coded second select statement would then match the usernames of the selected VIPs as listed in the 'User' field.  In our environment they seem fairly accurate, but of course it also pulls in other computers that the users have logged onto - as I said I don't know if this is last logged on user or primary user or what.  Hopefully someone else on here will know more about that.

We don't use Symantec ServiceDesk but you should be able to put in the second SELECT statement SQL to pull the VIPs usernames from the ServiceDesk database in the way you've done already in your existing report you mentioned (you wouldn't want to hard code 111 usernames!).

This method may not be 100% accurate, but creating a Filter in a similar way and excluding it from your policy target should enable you to miss the large majority of your VIP's computers.

 

TeleFragger
Jan 05, 2016 02:42 PM

Not bad... I too use the 4 distribution method as follows:

  1. My target test machines (I have XP/W7x32/W7x64/W8.1x64/W10x64/2k3/2k8/2k12) in 4 environments
    1. Dev/Dev - CMS 7.6 HF7 - where we are going Q1 2016
    2. Dev - CMS 7.5 SP1 HF5 - Current version Dev
    3. Test  - CMS 7.5 SP1 HF5 - Current version mimics Prod
    4. Prod - Well Production
  2. Support techs at each site
  3. Pilot Production Group
  4. Enterprise

Works great but I use static lists as I deal with an FDA regulated environment and well we cannot just use a TOP or random machines.

 

 

Migration User
Jan 04, 2016 09:07 AM

Hi SK,


We don't have the VIP security group here; I'm going to have to use the data imported into a static filter, but of course there's no computer information in that import. I'll probably then exclude by the GUID, such as (sample fragment):

WHERE (cm.collectionguid NOT IN ('eb16ae0d-c1a0-45a3-8b53-6024b1db181c'))

I've got a few ideas and am working through them, but it's a little frustrating for me because of the way the data is or isn't associated in the tables. I may be wrong but it looks like I'll have to join tables in a chain to get everything I need. I'm looking for some help with the SQL in case somebody has already done something similar or is just very good with the queries in SMP (I'm more of a trial-and-error query writer).


Thanks for your reply!


Ari

SK
Jan 01, 2016 09:30 AM

Hello Ari,

You could create a filter based off of Inv_AeX_AC_Primary_User data, and then add that as a not in filter to your rollout filters. 

Another method would be to use the AD Import process to import computers from a security group (if you have one for the VIP's), as you can configure the import process to perform user to machine mappings, which means that you would then already have the filter that can then be exlcuded. 

SK

Migration User
Dec 31, 2015 11:18 AM

Hi Darren,

I heard you speak about this in the recent Best Kept Secrets web cast, but didn't know about this post, so I did it my way - one example below (not targeting any collection or showing any joins).


 

SELECT * FROM vComputer

WHERE 0.05 >= CAST(CHECKSUM(NEWID(), name) & 0x7fffffff AS float)

/ CAST (0x7fffffff AS int)

 

When I proposed the extended pilot approach to management, all they wanted to know was how we were going to exclude VIPs from this. We have 111 VIPs at last count - I can pull their details in a report from Symantec ServiceDesk where they are flagged, but it's kludgey because there's no computer assignment in that report. Have you run into the need to exclude by user? I'm experimenting with joining various tables (Inv_Global_User_General_Details, etc.), but why reinvent the wheel if it's been done?

Thanks,

Ari

 

Darren Collins
Dec 16, 2015 05:45 AM

Hi Brandon, I've not had a need to collect a percentage of computers that are already in a filter like that, and although I'm no SQL expert so I can't speak for its efficiency, your example works perfectly (I just tried it on one of our filters).

I also can’t think of another way to achieve the same results without using a single SQL query either (as you have).

Thanks for posting your SQL sample. 

Darren.

 

Darren Collins
Dec 16, 2015 05:05 AM

You're welcome and thanks for the comment!

Brandon
Dec 15, 2015 01:14 PM

Thank you. I was attempting this, but not using ntile. I wanted to apply some collection filtering to mine so I am going to test out your method with a little twist like I pasted below. Did you do anything ever with filtering the sample group?

 

select vc.guid from vcomputer vc
join (
select ntile(50) over (order by guid) AS "ntile", guid  from   ----- ntile 50 is about 2%

(SELECT guid FROM  vComputer vc
WHERE VC.[Guid] IN
        (
        SELECT distinct cm.[ResourceGuid] FROM vCollection vColl
            JOIN CollectionMembership cm ON vColl.[Guid] = cm.[CollectionGuid]
            JOIN resourceupdatesummary rus on vc.guid = rus.resourceguid
            AND rus.inventoryclassguid = 'C74002B6-C7B9-47BB-A5D6-3031AF73BB8D' 
                WHERE vColl.Name = 'Windows Desktops' -- change to desired filter name
                AND Datediff(dd,rus.[modifieddate],Getdate()) <= 7
        )
) xxx

) "grp" on vc.Guid=grp.Guid
where

grp.ntile=1

 

AndyN
Dec 15, 2015 01:06 PM

this is fantastic! Thank you for sharing!

Related Entries and Links

No Related Resource entered.