Friday 30 March 2012

User Centricity and Licensing

The world of IT is changing.  There is a strong push to move to a much more User Centric approach for software delivery and that means using technology such as delivering an application through RDS or a Citrix Presentation session.  This brings so much simplification in terms of centralised management of the application and updates as well easily controlling user access by groups for example and as long as the number of users the application is available to matches the number of licenses owned for the application then everything is fine... isn't it?


This has to be the top licensing misconception and often comes up in discussions I have with customers.

When an application such as Office, Visio or Project is delivered in this manner then controlling access either via Active Directory groups, or Group Policies etc is not sufficient. This is due to these applications being licensed “per device”. With this license model it means that every device that the user can potentially access (or does access) the remote session with the application in requires a license.

For example;
  1. Fred usually uses the Thin Client on his desktop. That’s license number 1 required.
  2. He pops into a branch office in the afternoon and logs into a PC and connects to his remote session through a portal. That’s license number 2 needed.
  3. He then disappears home early and logs in from home using his iPad. That’s license number 3.

Parking the whole logging in remotely scenario for now as that’s an even bigger amount of possible devices, Fred has the ability to use any device within the organisation to access his remote desktop. Each one of these devices would require licensing for the per device licensed application.

This isn’t just limited to Terminal Services, Remote Desktop Services and Citrix (I know the underlying tech is the same!) scenarios.

This same license model also applies to VDI, you could potentially access a VDI desktop from any device as that’s the benefit. It also applies to app streaming solutions like XenApp and application virtualisation such as App-V and AppWave.

Basically, all the technologies that really push User Centricity and targeting applications at users rather than devices (System Center 2012 Configuration Manager heavily focuses on this).
So really since applications can be delivered to any client device, a per device application license must be obtained for every device the delivery mechanism server has the ability to deliver an application to, not just the person using the desktop application.

One solution to this is AppSense Application Control. While this solution allows you to claw back some control and compliance and is recognised by Microsoft as an official way to control licensing it does have some draw backs.
AppSense Application Control allows you to define the devices that are allowed to run the per device licensed software and block it from running on non-licensed devices, giving you the flexibility of centrally managing and delivering software like MS Project from RDS/XenApp/VDI/App-V methods, but at the same time removes the flexibility that targeting the user and flexible working should bring.

One area that this is vitally important in, in my opinion, though is blocking access to applications licensed in this model when logging in from outside of the corporate network when any device could be used and “in theory” thousands/millions of licenses should be required and you only have your corporate devices covered fully by an Enterprise Agreement for example.

So what can you do?  Well it all depends on the application, the vendor and the licensing model.  There are some agreements and special licensing models that can be potentially useful but they all take some analysis of numbers required, benefits and costs etc.
All I can really advise is:
  1. Make sure every application you aim to deliver remotely has it's licensing properly checked before you take the plunge and do it to ensure you avoid any costly compliance challenges.
  2. If in doubt, speak to someone who knows.  All application vendors/suppliers will have specialists, check with your account manager to see what they can do to help.


Monday 26 March 2012

System Center 2012 - Self Service Software Solution Accelerator

Well I blogged about it coming, and now it's here!

Key features:
  • Sync Configuration Manager 2012 Applications data into Service Manager 2012 CMDB
  • Monitor and transport Configuration Manager 2012 Software Catalog requests requiring approval to Service Manager 2012 and open a Service Request
  • Return the completed approval workflow status to Configuration Manager 2012 for handling
  • Administrators can define and maintain application selection criteria for specific applications or application groups and specific users or user groups
  • Track service application requests and view application catalog contents in Service Manager
Extend your application approval process. End users can easily request applications on-demand using the Configuration Manager 2012 Software Catalog directly or via redirection from the Service Manager 2012 Self-Service Portal. Application requests requiring approval will be routed to Service Manager where custom approver lists and activities can be configured based on user and application properties.

From the description on the connect site it looks like they've leveraged Orchestrator to pull information from ConfigMgr and utilise the service requests and workflows to automate Orchestrate the approval requirements.

Unfortunately I'm stuck on a train at present, but will give this a whirl in the lab tomorrow.

To download and try this you'll need to sign into the Microsoft Connect site with a Live ID and join the beta program here:

Private Cloud & System Center Exams

I blogged ages ago (here) that Microsoft were looking for input into how to structure some of the new System Center 2012 exams.

Starting with MMS 2012 (Where I hope to be taking and passing them!!) Microsoft will be looking to offer 3 new exams.

  • Exam 70-243: Administering and Deploying System Center 2012 Configuration Manager.
  • Exam 70-246: Private Cloud Monitoring and Operations with System Center 2012.
  • Exam 70-247: Private Cloud Configuration and Deployment with System Center 2012.
There was a call to split 70-243 into two exams, and while this doesn't initally appear to have happened, what is encouraging is the fact that with the System Center 2012 release being a bundle of all the individual components, they have split this into the two areas:

Monitoring and Operating
Can be seen as day to day operations

Configure Data Center Process Automation (18%)
  • Implement workflows.
  • Implement service offerings.
Deploy Resource Monitoring (20%)
  • Deploy end-to-end monitoring.
  • Configure end-to-end monitoring.
  • Create monitoring reports and dashboards.
Monitor Resources (23%)
  • Monitor network devices.
  • Monitor servers.
  • Monitor the virtualization layer.
  • Monitor application health.
Configure and Maintain Service Management (18%)
  • Implement service level management.
  • Manage problems and incidents.
  • Manage cloud resources.
Manage Configuration and Protection (22%)
  • Manage compliance and configuration.
  • Manage updates.
  • Implement backup and recovery.

Configuration and Deployment
For those responsible for design and implementation of the solutions.

Design and Deploy System Center (19%)
  • Design a scalable System Center architecture.
  • Install the System Center Infrastructure.
  • Upgrade System Center components.
Configure System Center Infrastructure (21%)
  • Configure System Center components.
  • Configure portals and dashboards.
Configure the Fabric (27%)
  • Configure the storage fabric.
  • Configure the network fabric.
  • Configure the deployment and update servers.
  • Configure clouds and virtualization hosts.
Configure System Center Integration (16%)
  • Configure private cloud integration.
  • Configure integration of private and public clouds.
Configure and Deploy Virtual Machines and Services (18%)
  • Configure profiles.
  • Create and configure server App-V packages.
  • Configure and deploy a service.
  • Update a service.

Monday 5 March 2012

System Center 2012 Software Self Service - Solution Accelerator More Info

I posted a quick entry the other day about a Solution Accelerator for integrating Configuration Manager 2012 software deployment more with Service Manager and the Self Service portal via service requests.

In a mail shot from Microsoft today they mentioned it a bit more:

Fingers crossed we'll see this soon, and I'll certainly post as soon as it does become available to try!

Service Manager - Bulk change the priority (Impact & Urgency)

A customer had the requirement the other day to bulk change the priority on a certain classification of Incidents (They were using incidents of a certain classification in place of Service Requests)

I ran into a problem getting Orchestrator connected to SCSM, so it was time for a quick PowerShell script.

Import-Module SMLETS
$IRClass = Get-SCSMClass -Name System.WorkItem.Incident$
$EnumClass = Get-SCSMEnumeration | Where-Object{$_.displayname -eq 'Other Problems'}
$IRs = Get-SCSMObject -Class $IRClass |Where-Object{$_.Classification -eq $EnumClass}
$PropertyHashTable = @{"Impact" = "Low"}
$IRs | Set-SCSMObject -PropertyHashtable $PropertyHashTable
$PropertyHashTable = @{"Urgency" = "Low"}
$IRs | Set-SCSMObject -PropertyHashtable $PropertyHashTable

This basically finds all incidents of classification 'Other Problems' (just as an example!) and then changes the impact and urgency to low, therefore putting the priority to the lowest possible value.

Disclaimer: This script is provided as is, with no warranties, expressed or implied and has only been tested within my test environment.

Thursday 1 March 2012

SCOM DMZ/Workgroup Agent Deployment Script(s)

I've been working for a customer tidying up their System Center installation this week and as part of that I was showing them how to deploy OpsMgr agents to their DMZ.

Their DMZ consists of workgroup based servers, which means each one needed certificates generating, installing and associating in order to work.

I was bored after doing the first one as it was so tedious so I took the time to write a couple of scripts to automate the process as much as possible.

So, script #1:
Running this script on the DMZ server will...
  1. Prompt for the name to be used for the certificate (preferably FQDN, but make sure it matches the full computer name)
  2. Create the certificate request file
  3. Upload the certificate request file to a folder on the RMS
  4. Pause for the "2.GenerateCertificate.cmd" script to be run on a server/workstation on the same domain as the certificate server
  5. Imports the Root CA certificate chain
  6. Imports the SCOM Agent Certificate
  7. Copies the agent install files locally (Doesn't have to be done but did in this environment due to IE7 stopping files being executed from a remote share)
  8. Installs the agent
  9. Installs the CU5 updates
  10. Runs MOMCertImport to associate the certificate to the Health Service
  11. Restarts the Health Service

So, script #2:
This script must be run on a domain computer than has access to the issuing certificate server and run using an account that has the auto enrolment rights on the certificate.
  1. Prompts for the full server name used during the 1.DMZAgentInstall.cmd script
  2. Submits the certificate request file to the certificate server
  3. Retrieves the certificate and stores it ready for import
And there you have it, a quick two step process to setup a DMZ/Workgroup client easily.

Now a couple of things:
  1. I know this would have been better in PowerShell before someone says it, but the customer had mainly Windows 2003 Servers, without PowerShell installed.
  2. If you have access to the certificate server from the DMZ, you could probably streamline this to one script, but this customer didn't.
  3. This was a quick and dirty throw together, feel free to improve and post back the results ;)
Things that need changing before running the scripts:
Rename the downloaded files from .txt to .cmd
Share the agent management folder on the RMS
Create a Certs folder in the agent management folder on the RMS
Change the following highlighted variables to reflect your environment
The script assumes you're using a PKI environment with the SCOM Certificate Template setup ready

** Certificate Server Variables **
SET CATEMPLATE=<<SCOMGatewayAuthenticationTemplateName>>

** OpsMgr Agent Variables **

Scripts to Download:

App-V improvements in Configuration Manager 2012

I started this post ages ago, but never finished it or posted it.
Rather than it staying in my drafts I'll post it as is, so this may have changed from beta to RC and again may still do upon RTM.

App-V improvements in Configuration Manager 2012
Just a quick post to show some of the App-V & ConfigMgr 2012 integration improvements coming.

Essentially you still need to sequence the application outside of ConfigMgr using the App-V sequencer, then create an application or deployment type from the sequenced information.
The client requires App-V 4.6 SP1.
  • You can unpin the content from the ConfigMgr cache (cache improvements)
  • You can specify individual components in the app to publish to clients (publishing improvements)
  • No requirement to create virtual packages vs physical packages - just now deployment types in the same application
  • All DPs are enabled for streaming by default (was separate config process in ConfigMgr 2007)
  • Streaming over the Internet supported
There may be some others that I've missed, but this is all I've tracked down so far.