What’s New in ITMS 8.1 & GSS 3.2 – Technical Deep Dive
Brian Sheedy, Sr. Principal TEC, Endpoint Management
Tomas Chinchilla, Principal Product Manager, Endpoint Management
Agenda
1 Symantec Management Platform Core
2 ITMS Product Integration
3 ITMS Solution Enhancements
4 Ghost Solution Suite 3.2 Enhancements
ITMS 8.1 Operating Systems Support
• Additional CMDB Database Support:
– Microsoft SQL Server® 2012 SP3
– Microsoft SQL Server® 2014 SP2
– Microsoft SQL Server® 2016
• Additional Site Server Support:
– Windows Server 2016
– Windows 10 Anniversary Update
• Additional Symantec Management Agent Support:
– Windows 10 Anniversary Update 1 (Windows 10, version 1607)
– Windows Server 2016
– CentOS 6.0 - 6.8 and CentOS 7.0 - 7.2
– AIX 7.1 TL4
– OS X 10.12 Sierra
– RHEL 6.7, 6.8, RHEL 7.2
– Solaris 11.3
– SUSE Linux Enterprise 12 SP1
Platform Support Matrix: http://www.symantec.com/docs/HOWTO9965
Data Migration Capabilities
• Replicate data between the servers that have different versions of ITMS installed.
• Migrating data to ITMS 8.1 is supported from the following versions:
– IT Management Suite 7.6 HF7
– IT Management Suite 8.0 HF6
• Export and import data between servers with different versions of ITMS
• Allows Re-use of data objects from previous ITMS implementations.
– Start with a clean database, then move the data that you require to the new database.
– Keep the old Notification Server fully functional while setting up the new server.
• Implementation TIPS:
– Performing an off-box upgrade to introduce new hardware?
• Symantec recommends that you keep using the existing database.
– Migrating large amounts of data?
• Symantec recommends using the standalone replication rules.
• Migrates data that cannot be exported and imported between Notification Servers.
– Moving individual data objects from one server to another
• Use the manual export and import or the ImportExportUtil.exe tool.
• Allows you to modify the data in the exported XML file before importing
[Diagram labels: ITMS 7.x, ITMS 8.1, ITMS 7.6 HF7, ITMS 8.0 HF6]
Data Migration Guide: http://www.symantec.com/docs/DOC9586
Symantec Installation Manager
• Performance increased by 20%
• Database configuration has been moved from Symantec Management Console to SIM.
• Performing Full Repair and Uninstall is implemented.
• Repairing MSI-s and reconfiguring installed solutions is moved to separate pages
• Links have been replaced with Tool Tips
• XML signing for PL increases security
Symantec Installation Manager Licensing
• SLIC licenses are the common format for Symantec, versus the legacy licenses used by Altiris
– SLIC licenses are delivered from Symantec in SLF format with simple XML structure
• SIM supports both formats in the 8.1 release
– The licenses in SLIC format are only supported for ITMS version 8.1.
• Existing legacy licenses already applied will remain fully functional after upgrade
• Applying a new SLIC license overwrites the existing legacy licenses.
• If you need to extend the node count for current legacy license:
– Symantec issues a replacing SLIC license with new extended licenses.
• If multiple license files are applied for a single solution, each SLIC license is displayed in a separate row in the license page
• Adding new SLIC license on top of existing valid SLIC license adds nodes to the sum of allowed nodes.
If you have any questions about SLIC licenses, contact Symantec Customer Care.
Mac OS Profile Management
• Mac OS Profile Management feature lets you import Mac configuration profiles and enforce them by implementing policies.
• Configuration profiles let you configure settings such as email settings, network settings, or distribute certificates to Mac computers.
• Granular targeting ensures you can manage even the most complex organizational structure
• Run reports to see what policies are applied
• Removed profiles will be automatically reapplied using our policy framework
• Note: The Initial version of this feature supports device type profiles only and is only available if you install Client Management Suite 8.1
– For more information about Mac OS Profile Management, see the knowledge base article at the following URL: http://www.symantec.com/docs/HOWTO125782
How to Create and use Mac OS Configuration Profiles
• Step 1: Create a configuration profile
– Generate profile to a .mobileconfig file using:
• macOS Server profile manager (Paid Tool)
• Apple Configurator 2 (Free Tool)
– Transfer or copy to the Notification Server computer.
• Step 2: Create the Mac OS Profile policy
– Go to the Policies view.
– Create a new Mac OS Profile policy.
– Upload the .mobileconfig file
• Configuration is uploaded
• You can export the profile or remove it if it is disabled
– Choose the Target computers
– Enable the Policy and Save changes
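A pre-upload check for Step 2, as an added example that is not part of the original deck or Symantec's tooling: it parses a .mobileconfig, confirms it is a device-scope profile (assuming "device type" corresponds to Apple's `PayloadScope` value `System`), and lists payloads that install certificates. The sample profiles, identifiers and function names are constructed for illustration.

```python
"""Pre-upload review of a .mobileconfig file (added example, constructed data)."""
import plistlib

# Apple payload types that install certificates or identities.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root", "com.apple.security.pkcs1",
    "com.apple.security.pem", "com.apple.security.pkcs12",
}


def extract_plist(raw: bytes):
    """Return (profile, wrapped). wrapped is True when the XML plist had to be
    carved out of an enclosing container, as with a signed (CMS) profile."""
    try:
        return plistlib.loads(raw), False
    except Exception:
        pass  # not a bare plist; look for an embedded XML plist instead
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end < start:
        raise ValueError("no property list found in file")
    return plistlib.loads(raw[start:end + len(b"</plist>")]), True


def review_profile(raw: bytes) -> dict:
    """Summarise a profile: blocking issues stop the upload, notes need a human look."""
    profile, wrapped = extract_plist(raw)
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    blocking, notes = [], []
    # Apple defaults PayloadScope to "User" when the key is absent.
    scope = profile.get("PayloadScope", "User")
    if scope != "System":
        blocking.append(f"PayloadScope is {scope!r}; device (System) scope expected")
    for key in ("PayloadIdentifier", "PayloadUUID"):
        if not profile.get(key):
            blocking.append(f"missing required key {key}")
    payloads = [p for p in profile.get("PayloadContent", []) if isinstance(p, dict)]
    types = sorted({p.get("PayloadType", "<missing>") for p in payloads})
    for ptype in types:
        if ptype in CERT_PAYLOAD_TYPES:
            notes.append(f"installs certificate material: {ptype}")
    if profile.get("PayloadRemovalDisallowed"):
        notes.append("profile sets PayloadRemovalDisallowed")
    if wrapped:
        notes.append("profile is wrapped (likely signed); signature not verified here")
    return {"name": profile.get("PayloadDisplayName"), "scope": scope,
            "wrapped": wrapped, "payload_types": types,
            "blocking": blocking, "notes": notes}


def build_sample(scope=None) -> bytes:
    """Constructed sample profile; every identifier below is made up."""
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.corp.wifi",
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadDisplayName": "Constructed Wi-Fi profile",
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleNet"},
            {"PayloadType": "com.apple.security.root",
             "PayloadContent": b"constructed-not-a-real-certificate"},
        ],
    }
    if scope:
        profile["PayloadScope"] = scope
    return plistlib.dumps(profile)


SAMPLE_DEVICE = build_sample("System")
SAMPLE_USER = build_sample()  # no PayloadScope key, so the default applies
# Constructed stand-in for a signed profile: plist bytes inside other binary data.
SAMPLE_WRAPPED = b"\x30\x82\x0b\x00" + SAMPLE_DEVICE + b"\x00\x00trailer"

if __name__ == "__main__":
    for label, raw in (("device", SAMPLE_DEVICE), ("user", SAMPLE_USER),
                       ("wrapped", SAMPLE_WRAPPED)):
        print(label, review_profile(raw))
```

Carving the plist out of a signed file only recovers its content for inspection; it says nothing about who signed the profile or whether the signature is valid.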
Mac OS Profile Policy Behavior
Profiles are pushed to the device and applied
Policy framework ensures profile stays applied
Reports are available to review compliance
Automation policies and Security Role Manager
• Security Role Manager
– Enhanced View and Search options to simplify finding the required item.
– Extended layout to provide more information for the selected item.
• Automation Policies Page
– The state of each automation policy is indicated more clearly.
– New system messages available.
– New override and filtering options for system messages.
Site Management Page
• In the Add/Remove Services dialog box, you can now right-click the service and view the list of prerequisites for installing this service.
• Advanced detection of missing pre-requisites for installation of specific Site Service
• Right-click menu now works similarly to other Symantec Management Console pages
• Task Servers with an older version will display Warning/Required Upgrade status
Task Server Services
• Microsoft 2016 Server supported
• TaskInstances table – Redesigned
– Split into 2 Tables:
• TaskInstancesCompleted
• TaskInstancesIncomplete
– View Created for Compatibility
• Anonymous access to Task web-sites Disabled
• Merge support for Deployment Tasks
– Prevents DS jobs assigned to merged computers from hanging or missing once merged
• NSConfigurator as TaskManagementMerges
• New SQL table: TaskManagementMerges
• Task Server Advanced Settings Added
– NSConfigurator as TaskServerAdvancedSettingsAllowed
– Hard limit for clients registered on TS
– HTTPS Preferred host name allowed
Tasks with Completed, Failed, Replicated Status
Tasks with NotStarted, Started, StopRequested, ReplicationRequested Status
Cleanup Task Data Task Configuration
• The Cleanup Task Data task may remove the task instances of recently executed tasks.
– As a result, some task instances might be missing and the summary information for that task may be incorrect.
• Enable the Minimum time period to keep the task instances/summaries option.
• The Cleanup Task Data task will not remove the task records that are newer than the defined time period.
Package Server Assignment
• Allows assignment of Specific OR Multiple software packages to specific Package Server(s)
• Reworked Options:
– All Package Servers
– Package Servers individually
– Package Servers by site
– Package Servers automatically with manual prestaging
• By default – all packages assigned to all package servers
• Shows list of available package servers/sites
– Changes display depending on option selected
Client Task Agent (CTA) Enhancements
• New option prevents Sleep Mode at the following locations:
– On the Task Agent Settings page (global settings)
– In the Advanced options dialog box, on the Task options tab, of a client task.
• The Defer dialog box is now redesigned.
– The redesign addresses multiple stability and usability issues.
• Client Task Agent is now consolidated and will only deploy the relevant client for the platform
– BaseTaskHandler plugin integrated to CTA
– No longer applies CTServerAgent_x64.dll for Client Task Server plugin on x64 bit OS
Task Based UI Enhancements
• The Create New Task dialog box and Select Task dialog box are now searchable
• Select multiple tasks at once by holding down the Ctrl key
• New Client Task Status Details report available.
– Double-click any task or job item in the Job/Task Status Detail report
Target Selector for Policies and Tasks
• From the Apply to menu of a Task or Policy, you can now access the recently used targets.
• Easy to define set of targets for specific policy, using search and structured layout
• Saved targets are re-usable and editable by users with the same scope of access.
• Easily define scoping as area of visibility for new target
• Possible to view and edit the target scoping by selecting a scoping link.
User Guide Documentation
• New “Mind Maps” Format is introduced
• Access Mind Maps from a SymWise landing page or an SMP Console.
• Follow sequenced or independent use cases under the main objective.
• Learn more information using:
– Links to help topics, KB articles or YouTube videos with instructions;
– Screenshots or diagram images.
• For more information:
– http://www.symantec.com/docs/DOC9706
New Feature in 8.1: Monitoring SEP Agent Health
An additional layer of protection to ensure SEP is ready to protect your organization
Today’s challenges:
• Difficult to assess the overall health of agent estate
• If SEP agent stops reporting the cause is rarely clear
• If the agent isn’t working your endpoints are not protected
Little Visibility of Agent Status
• Little detail about the current configuration of the agent
• Troubleshooting machines individually is very time consuming
Lacks Reporting and Targeting
• When your protection agent is no longer communicating, how can you fix it?
• Not easy to remediate the diverse range of possible issues
Few Remediation Options
Assess the Health of Security Agent Deployments
Provides in-depth reporting to enable quick remediation:
Detailed inventory points:
› Vendor/Product Name
› Version
› Correctly Installed
› Centrally Managed/Server details
› Last Inventory received
Ensure SEP is Protecting Customers
How EPM helps:
• Quickly assess overall health
• Diagnose the cause of issues quickly
• Get early warning of agent compromise
Full Visibility of Agent Status
• Monitor key agent configuration metrics
• Easily build targets to remediate issues and manage upgrades
Accurate Reporting and Targeting Capabilities
• Full range of remediation options
• Automate actions for key issues and proactively reduce agent downtime
Powerful Management and Remediation Options
Symantec CCS & EPM integration – Closed loop remediation
Delivering the first step towards a complete Compliance and Remediation solution
Today’s challenges:
• Logging tickets for compliance issues is generally manual and time consuming
• Gathering the right information for remediation is challenging and inconsistent
Complex Ticketing Process
• Remediation requires a separate, unintegrated tool
• Time needs to be spent by the infrastructure Admins to work out the correct response to compliance issues
Manual Remediation
• Verifying compliance after a remediation attempt requires additional effort and is prone to human error
• Audit trail is not always complete and ticket management (updating/closing) is a significant effort
Difficult to Verify
Symantec CCS & EPM integration – Closed loop remediation
CCS automatically logs tickets for vulnerable assets
The first version will support:
› Patch Compliance
› Configuration Compliance using scripts
1. Select a check:
2. Run a compliance scan to find vulnerable assets:
3. Trigger CCS to automatically log tickets
Symantec CCS & EPM integration – Closed loop remediation
Ticket goes through approval flow and is set for remediation
4. Ticket is reviewed and approved: Supports any approval flow, for example:
5. Once all approvals are received ticket is placed in ‘Ready for Remediation’ status:
Symantec CCS & EPM integration – Closed loop remediation
EPM works silently in the background monitoring for tickets and executing remediation
6. EPM monitors for tickets and executes remediation:
7. EPM updates ticket status, CCS then automatically verifies compliance
Symantec CCS & EPM integration – Closed loop remediation
EPM & CCS integration delivers reduced costs, improved processes, and drives automation
How CCS & EPM integration helps:
• Ticket logging is automatic when triggered in the console saving valuable time. Exception logging supported.
• All information required for remediation is added to the ticket including target and payload
Automated Ticketing
• EPM works silently in the background to automatically remediate issues. No need to learn additional tools.
• CCS admin is able to add scripts directly from CCS for EPM to execute, lowering infrastructure team effort
Automatic Remediation
• Verifying compliance is completely automatic, saving time and reducing errors
• Audit trail is fully available with virtually no additional effort
Closed Loop
ITMS on AWS: Context
• Enterprises moving workloads to AWS
• New SMBs – quick, easy initial implementation; no upfront capital investment
• MSP partner play
Drivers
• Tremendous AWS growth, globally
• Fast and simple AWS Test Drive (POC in 30 minutes)
• Unified management-mobility-security from the Cloud
• SEP Cloud + ITMS on AWS + Connector
• Other Symantec products (SEP, CCS, DCS, etc.)
Tailwinds
ITMS on AWS: Deployment Overview
Amazon Marketplace 1-click deployment
a) Essential server mgmt. for AWS-hosted workloads
b) VPC Gateway configuration for full ITMS range of capabilities and scalability
c) CEM Gateway configuration for basic capabilities with light or no on-prem infrastructure
[Diagram labels: ITMS, AWS, AWS-Hosted Company Servers, CEM Gateway, VPC Gateway, Customer Gateway, Site Server, Corporate Network, Remote Branch, Mobile Workers]
ITMS on AWS: Deployment Model – Considerations
CEM
Management infrastructure is mostly* in AWS
Endpoints are both on-prem as well as outside of perimeter
Subset of core ITMS capabilities supported by CEM is acceptable
VPC Gateway
Extension of existing infrastructure into AWS
Full spectrum of ITMS capabilities is critical
Breadth and scope of workload outside of perimeter
* except for on-prem Site Server initially
ITMS on AWS: Deployment Model – Summary
• Elasticity to handle variable load
• Benefits from geographical connectivity provided by Amazon global reach
Both models provide
• You need to minimize the cost of on-prem infrastructure maintenance
• Substantial portion of your workforce is mobile
• Imaging and server management capabilities are not critical for you
Consider using CEM model if
• You need to use the full range of ITMS capabilities
• Majority of the workforce is connected to corporate LAN
Consider using VPC Gateway model if
ITMS on AWS: Current Plan
Largest opportunity
HYBRID
Licensing model
BYOL
Capabilities
• Inventory, SW Delivery, Patch (CEM)
• + OS Deployment, SW Portal, Asset, etc. (VPC Gateway)
Metering
PER NODE
Enhanced Support for Office 365 and Windows Updates - Summary
ITMS patch functionality extended to take advantage of the new updating capabilities introduced by Microsoft in the following areas:
1. Office 365 Updates
2. Windows 7/8.1 Monthly Rollups & Security Updates
3. Windows 10 Feature and Cumulative Updates
Office 365 Updates and Symantec Enhancements
• Relies on the ‘Click to Run’ option
• Only downloads the missing content needed to perform the update
• Previously, updates required the entire install package to be downloaded
• Identifies O365 installations that need updating
• Applies update by transferring only the missing content
• Downloads the O365 update to a central location, leverages Package Servers to get content closer to endpoints
Office 365 Updates Symantec Enhancements
Office 365 Updates and Symantec Enhancements
Customer Benefit
– Communicate to endpoint only the information required to perform the update
– Leverage Package Server infrastructure, where present, to reduce network bandwidth use
– Single Patch framework and user experience to update all OS’es and applications in the environment
Technical Details
[Diagram labels: SMP Server, Patch data, Staging, Package Server, Management Agent, O365 Update bits]
Policy
• Standard Patch policy with DON’T_DOWNLOAD flag
Configure
• Redirect Click-to-Run Settings to point to package location
Update
• Launch native O365 Update process
Windows 7/8.1 Updates and Symantec Enhancements
• As of October 2016, Microsoft released monthly rollups and security updates
• Monthly rollups are cumulative in nature, including security and non-security updates
• Monthly security updates will not be cumulative
• All updates in a monthly rollup/update are applied at once, no option to choose individual updates
• Symantec KB Article with more information
• ITMS downloads monthly rollups and security updates from Microsoft’s site
• Detection and applicability rules of Win7/8.1 monthly rollups and security updates for intelligent targeting and compliance reports
• Peer-to-peer distribution for data transfer efficiencies for remote sites without Package Servers*
Windows 7 and 8.1 Updates Symantec Enhancements
Windows 7/8.1 Updates and Symantec Enhancements
Customer Benefit
– Central control and tracking of Win7/8.1 monthly rollup and security updates rollouts
– Single Patch framework and user experience to update all OS’es and applications in the environment
– Optimized network utilization for remote sites without Package Servers
– Alignment with industry trends to reduce the fragmentation of environments based on patch levels
Available Today
Windows 10 Feature Updates and Symantec Enhancements
• Microsoft has been providing Win10 feature updates (3-4GB) every 4-8 months since Windows 10 GA release
• Win10 feature updates require manual step to download .ISO files from Microsoft site
• Detection and applicability rules of Win10 Feature Updates for intelligent targeting and compliance reports
• Peer-to-peer distribution for data transfer efficiencies for remote sites without Package Servers*
Windows 10 Feature Updates
Symantec Enhancements
Windows 10 Cumulative Updates and Symantec Enhancements
• Cumulative security and reliability updates since specific edition’s GA or feature updates
• CU’s are growing in size! (~300MB in April, 700MB in June, ~900MB in September)
• Optimizations of the download size for future updates
• Peer-to-peer content distribution for locations where Package Server deployment is not feasible
• ITMS will support package size optimizations from Microsoft
Windows 10 Cumulative Updates
Symantec Enhancements
Peer to Peer Distribution (P2P) in ITMS 8.1
• Downloads and distributes software delivery and patch packages to Windows computers.
– Minimizes the software delivery time and increases reliability of software deliveries
– Significantly reduces the load on the network and ITMS infrastructure.
– Excellent for Windows cumulative updates and the Office 365 updates
– Can also be used to manage devices at sites with low-bandwidth connections and no dedicated package servers.
• Set in the Targeted Agent Settings
– A new “Peer Downloading” tab will appear in the Agent
• Feature Notes:
– P2P and Multicasting cannot be used concurrently
– Not supported in Deployment Solution
[Diagram labels: SMP Server, Endpoint 1, Endpoint 2, Endpoint 3]
Use Case: P2P Enhanced Support for Windows 10 Cumulative Updates
Customer Benefits
– Significant reduction of file size for optimized bandwidth utilization
– Scalable content distribution model at the endpoint to supplement Package Server framework
– Doesn’t require changes to network and security configuration
– Single Patch framework and user experience to update all OS’es and applications in the environment
– Simplified way to ensure that environment is safe by following the OS vendor update posture
Peer Download Optimization in ITMS – Discovery & Negotiation
[Diagram labels: SMP Server, Endpoint 1, Endpoint 2, Endpoint 3]
1. Discover peers
2. Receive policy to download Software package
3. Check if someone is already downloading or has the package
4. Peers respond back
5. All interested peers know who has the package
Peer Download Optimization in ITMS – Download and Sharing
[Diagram labels: SMP Server, Endpoint 1, Endpoint 2, Endpoint 3]
1. Download from server and notify peers
2. Download from peer
3. Software download policy arrives later
4. Request package information from peers
5. Download from peer
Patch Management for Linux 8.1
• Supports Client-based Dependency Resolving
• Benefits:
– More stable and precise ability to resolve dependencies
– No delays in software update policy creation
• Dependency resolving is not required at this stage.
• Only the updates that are selected for distribution are added to a software update policy.
– Optimization of the network traffic and disk space that is used on Notification Server, package servers, and client computers.
• During the staging of software bulletins, Patch Management Solution downloads all the updates that are included in the bulletins.
• However, after the client-based dependency resolving is completed, the additional download occurs only for the dependent software update packages that are required on a specific client computer.
For more information about Client-based Dependency Resolving, see KB article DOC9722
Software Management Solution Enhancements
• Managed Delivery Progress Status
– In the Managed Delivery Settings and Managed Software Delivery policy page
– Data Class created for Progress Status
• Software Components Import
– Java Applet Removal
– Faster file upload
– Create custom Folders
– Zip and DMG Preview
– Multiple Package Import
• Add or Edit Package dialog box
– Same features as Software Import
Progress Statuses
Indicates the stage of the whole Managed Delivery policy lifecycle
Not Started 0
Running 1
Deferred 2
Rebooting 3
Completed 4
Asset Management \ CMDB Solution
• Software License migration in ITMS 8.1
– Version 7.x License: Creates New License Rule, Set to Per Device License Type, User Changes License Type
– Version 8.0 License: Imports as configured
• Improved Usability of Asset Edit pages
– ActiveX Flex Grid replaced by W2UI JS
– Solved several grid rendering issues.
– Improved usability of cell lookup and select functionality
• Reworked Resource Association Diagram
– Replaced Flash with HTML5
– Improved diagram performance
• larger diagram can be displayed
– Improved diagram controls usability
– Improved diagram display options usability
[Screenshot labels: Lookup, Link, Select]
Inventory Solution 8.1
• SEP Agent Health through Inventory Solution
– Evaluates SEP 12+ Agent health on Windows and Mac platforms.
– Collect SEP Agent Information using Inventory Solution
• New Inv_SW_SEPAgent data class
– SEP Agent data class is selected in default Inventory policies
• Reworked Software Product Filters
– Filters now work only with filter strings expressions
– Additional SQL expression is not required
– Inv_NormalizedSoftwareProductFilters replaces Inv_SoftwareProductFilters
• Converted to new format/data class on Upgrade
• AeXAuditPls.exe changes (File Properties scan)
– 64bit AeXAuditPls.exe implemented
– Old MS Access DB replaced by SQLite DB
• Found in C:\ProgramData\Symantec\Inventory Agent\filescan.db
– Can be viewed using any DB browser for SQLite
Item | Description
SEP agent presence | SEP agent installed on endpoint or not.
SEP agent version | Installed SEP agent version on endpoint
SEP agent is managed or unmanaged | Installed SEP agent on endpoint is unmanaged or managed via SEPM
SEPM Server name/IP | Server name where the SEP agent is connected
• Performance improvement
• Improved expression parsing
• No inconsistencies between SQL and Plain text expressions
• Simplified catalog.xml definition
Deployment Solution 8.1
• XFS file system support for RHEL 7.x
– Create, Deploy, Partition Disk and Scripted OS
• WinPE 10 (v 1511) support
– All Pre-OS tasks like imaging, disk management, SOI
– See INFO3561 Documentation for ADK Installation
• Thin Client Support
– Tested on HP T520 & Dell 7020
– Supports capture and restore image
• Windows 7 Embedded
• Windows 10 IoT Enterprise
• PC Transplant supports Microsoft Office 365
• Rapid Deploy decommissioned in this release
– You have served us well for many years…
Real-Time System Manager 8.1: KVM Viewer
• Based on HTML5 - supports many internet browsers
• In the KVM Viewer window you can now see:
– Connection status
– Last run operation
– Current client computer power state
– Host name & IP address
• Perform actions directly from the KVM Viewer
– Activate/deactivate KVM Viewer session
– Run power options
– Run CTRL+ALT+DEL action
– Set image compression and color mode
– Set the screen presentation mode
• Automatically fit the screen size
• Show the actual image size
Workflow Solution 8.1
• Enhanced ability to design Workflow forms.
– Design more modern looking forms using the latest Kendo user interface capabilities that AngularJS provides.
– Added Show AngularJS Components check box at the global project to turn on or turn off the AngularJS Components support.
• Enhanced Security
– Enhanced security to support TLS encryption.
– New components from Microsoft namespace are used which allow the workflow processes to exchange emails while using TLS encryption
• Removed Pervasive.Data.SqlClient.dll
– You must now provide a copy of the licensed version of the Pervasive.Data.SqlClient.dll to generate any integration components that need to connect to the Pervasive SQL.
– For details, refer to the following article: TECH240123
Angular JS Capabilities
Text Boxes and Date/Time
Sub-Dialog Component Changes
Gauge and Chart Controls
Schedule Controls
Grid Components
Installation
• Added Software Support
– Windows 2016 server (Client)
– macOS 10.12 (Client)
– MS SQL Enterprise 2016 (Database)
– MS SQL Enterprise 2014 SP2 (Database)
– MS Office 2016 (PCTransplant)
• Installation Readiness Check Added
– Reduces chance of Installation failures by:
• Checking Installation Readiness
• Summarizing the Current Installation
– Before installation/upgrade IRC checks:
• Required configuration settings
• Required ports present on machine
• User rights
• Installer is now also available in Korean language
Installation
• Repair PXE manager option added
– Repairs and reinstalls the PXE Manager component.
– You must run repair PXE Manager option only on PXE manager installed Computers
– For more information see: DOC9721
GSS 3.2 Console
• Unified Boot Disk Creator (BDC)
– Now aligned with same version and code base in GSS and GST
• Enable speed and Size optimization option restored
– Select the Compression options while creating an image.
– For more see article: TECH233746
• Support for 4K USB drives
– Supports storing Ghost images on external 4K USB hard drives.
– Scripted OS install is not supported for a 4K drive.
• New .frm file format with enhanced security
• The “Boot into Ramdisk” option is now removed
– From the Boot Disk Media Type dialog box.
• Ghost Standard Tools available in multiple languages.
– Korean, Japanese and Chinese Simplified languages
Thank you!
Copyright © 2017 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Tomas Chinchilla, [email protected]
Brian Sheedy, [email protected]