
Managing your desktop fleet

CIOL Bureau

Be it a small company or a multi-billion-dollar enterprise, the basic element of any IT infrastructure is the desktop, or now, even the laptop. This is perhaps the only element that brings users close to IT. Everything else sits in the datacenter or in switching closets. As desktops are used by novices and experts alike, managing them is perhaps the most difficult of all tasks. Due to this, the range of queries can be immense, and the problem increases with more desktops, and multiplies when they're spread across multiple geographies. There are so many things to manage in a desktop: configuration, rollout of OS, applications, patches and updates, inventory, license metering, and the list continues.


So how should you manage your desktop fleet? There are ample tools available for the job, so it's a matter of choosing the right ones for your needs. They can easily be broken up into management tools and monitoring tools. As the names suggest, the former allows a two-way communication between the tool and the desktops, whereas the latter only gathers information. The management tools by and large require an agent to be installed on each desktop, whereas the latter can manage without it.

We'll not get into the theory of how to choose the right desktop management and monitoring tool at this point. Instead, we'll give you a taste of some of the variety that's out there. We'll walk you through the nitty-gritty of deploying them, and finding out the requirements for setting them up, so that you understand the painpoints involved. This would help you plan your own rollouts better. While there are lots of different tools available, we've tried to select a good variety to give you an idea of the number of things you can do with desktop management tools. We've also covered the hot new concept of desktop virtualization.


After all, the proof of the pudding lies in eating it. Happy Reading!

What if one day your management decides that all users must use the Thunderbird mail client instead of the variety currently running on their desktops? This might be a good move from a standardization point of view, but bad news for you, because you have to roll it out across all desktops. The more desktops there are, the bigger your troubles. So it's better to use a solution that can do the rollout from a central server. The concept is not new. Lots of tools can do it, but one additional thing that tools let you do nowadays is push the configuration changes as well. This helps from a compliance perspective. We'll show you how to do this in this section.

Application Deployment with Altiris


Altiris has a full-featured desktop management solution using which you can get agent-based Inventory Management for heterogeneous systems based on Windows, Linux and Mac; SNMP-based inventory management for network devices; Patch Management; package rule management; Software Virtualization; Software delivery; Real Time System Management; Auto Discovery for RIM; Helpdesk and Carbon Copy (web-based remote control for problem diagnostic and resolution etc).

 

Pre-requisites

In this article, we'll be using Altiris Client Management (ACM). This has a long list of pre-requisites for smooth desktop management. First, you need a Windows Server with ADS installed and running. Though this is not a part of the pre-requisites, while working on it we felt that it becomes very difficult to run it on a network without ADS. Second, the machine on which you are installing ACM must be added to the domain.


The next thing you require is a Windows 2003 Server, with .NET Framework, ASP.NET, and IIS installed on it. You also need MS SQL Server 2005, but that can be installed on another machine in the same network and domain. Make sure you have administrative rights on it. It's always advisable that your SQL server also authenticates through the domain. This will make sure you get a single sign-on across the ACM platform.

Installation

Once all pre-requisites are in place you have to start the installation process. To do so copy the setup files to the machine on which you plan to install and then run the setup file. The setup is essentially a nine-screen wizard which will take all the information from you and roll out the applications completely. Now by 'completely' we mean it will not only install the server application but also roll out the agents on all the machines which you choose during the installation process.

Follow the setup wizard of Altiris as shown in the screenshots to configure and deploy it on the server and all the clients at the same time

The first page of the installation wizard will check for all the required components. If you have all the pre-requisites installed then most likely you will not get any error here. But if you still get any, then the wizard will inform you what exactly you don't have in your machine and you can go ahead and install that component.

If you are using SQL Server which is not installed in the local machine then the installer will not detect it, but will give you a warning. In this case you can easily ignore the warning and continue with the installation process. Now when the installation wizard asks you to configure the SQL server, you can specify the remote server which is running SQL and its account credentials.

 

Next the installation wizard will ask you to choose which machines you want to deploy the Altiris agents on. Once started, the installation takes time as it is going to install agents on machines at the time of the software installation itself.

Altiris deployment solution lets you easily migrate settings and data from an old machine to a new one. To start in Altiris main console click on deployment tab. A new window will appear. Here from the right pane under computers, click on the dropdown menu and choose Add new deployment server. Now provide the IP address and port used by the deployment server with the credentials required to login to the server. For deployment tasks such as copying images, installing software packages, running scripts etc. you need to set up package server which is a component of Altiris Notification Server.

Before setting up Altiris package server, we need to set up central deployment server library which contains the images and other package files needed for deployment.


Creating this library is simple. Just go to where you have installed the central deployment server; the default Altiris path for this is c:\Program Files\Altiris\eXpress\Deployment Server. Here create a new folder named 'library', create subdirectories for your images and software packages and also create a temp folder.

To set up the package server open the Altiris console and click on configuration tab. In the new window go to server settings and open Notification Server Infrastructure and go to Package Servers.

Now select Add Package Server. This will open the Find Resource window; here choose the domain name and click on find. This will list all the machines in the domain running the Altiris client. Choose the machine running the deployment server and click OK. Once added, you can also edit the default settings of the package server by going to the settings tab. Now we need to edit the DS Library package configuration settings; for this go to Tasks and under Deploy and Migrate go to DS Library. Now in the new window, in the package source option, choose Access Package from a local directory on the Notification Server Computer and provide the path to the package you copied earlier, then select apply to save changes.

With this we are ready to schedule the jobs (i.e. single or multiple tasks like configuration change in a workstation) for image deployment. To schedule a job go to deployment tab in the Altiris web console, under the jobs pane, click on schedule job.

Now from the computer's pane, select the deployment server, the computers on which you want to execute the job and the application files you want to deploy, then click schedule. Similarly you can also schedule configuration changes, image deployment etc. on the workstations.

Deploying a simple software like Thunderbird remotely is still easy. What if you have to remotely install an OS across 500 desktops simultaneously? And that too with a five or ten-member IT team? If you were to do it manually, you'd retire by the time it gets over. So, in this article, we'll tell you how to use a remote OS deployment solution. It's one of the oldest concepts in desktop management, and yet still holds value. We've covered remote OS deployment using Windows based software, so this time, we'll tell you how to deploy Linux remotely using a Linux distro. We'll do it using the Fedora 7 Linux distro, which incidentally, we've also carried on this month's DVD.

 

Unattended Linux deployment using Fedora 7

Suppose you have machines running Fedora Core 6 on your network, and you want to upgrade them to Fedora 7. If you have around 500 of them to work on, then going the traditional way would take some 5 days and require at least 10 people.

But remote installation, when coupled with unattended installation, solves the problem and makes it a breeze to roll out hundreds and thousands of machines with very little time and manpower.

If you have a homogenous Windows network then it becomes very easy with RIS (Remote Installation Server), which we have covered in our earlier issues. But with Linux it becomes slightly tricky.

If you have a heterogeneous network with Windows and Linux both, and the domain controller and a DHCP server running on the Windows, then things become more complicated.

So, this time we decided to guide you how one can build a mass deployment server for Linux in a Windows environment.

Installation

Get a machine and install Fedora 7 on it. F7 is carried with this month's PCQXtreme DVD, so all you have to do is pop the DVD into your machine and start the installation process. Once the installation is done, log into the machine and install Revisor using yum. To do so execute the following command:

#yum install revisor

Around five or six components are installed along with revisor. Then go to the Applications menu and click on the system menu. Here run the application called 'kickstart'. It will open a window which looks similar to the screens of Anaconda. This is essentially a GUI from where you can select all your installation options and save them to a kickstart file. The window allows you to set all anaconda options and make the installation completely unattended. Just make sure that you check off the option 'Enable interactive installation'. Once you are done with all the settings you require for the system, click on the file menu and save the file as ks.cfg on your hard disk.

Start the kickstart configuration and fill in all the information shown in the screenshots to create the kickstart file used for the unattended install
 

Next you need to install a tftp-server. Again, installing it through yum is child's play. Just run the following command and it will be done:

#yum install tftp-server

Now check whether syslinux is installed on your system or not by running the following command:

#rpm -qa syslinux

If the command gives an output then it is installed; otherwise you have to install it by running the following command:

#yum install syslinux

Let's now see how to do the configuration.

Configure TFTP

Once you have installed tftp server, a folder called tftpboot will be created at your system root. Copy the pxelinux.0 file to the folder with:

#cp /usr/lib/syslinux/pxelinux.0 /tftpboot/

Now copy all the contents from the F7 DVD's isolinux folder to the tftpboot folder by:

#mkdir /tftpboot/linux-install/pxelinux.cfg -p

#cp /media/cdrom/isolinux/* /tftpboot/linux-install

#cp /tftpboot/linux-install/isolinux.cfg /tftpboot/linux-install/pxelinux.cfg/default

Next open /tftpboot/linux-install/pxelinux.cfg/default file in a text editor and make it look like the following:

label linux

kernel vmlinuz

append initrd=initrd.img ramdisk_size=8192 ks=http://192.168.3.88/Fedora/ks.cfg

label text

kernel vmlinuz

append initrd=initrd.img text ramdisk_size=8192 ks=http://192.168.3.88/Fedora/ks.cfg

Here 192.168.3.88 is the IP address of the hosting server where tftp-server is also installed. You need to change the settings according to your requirements. With this you are more or less through with the tftp-server configuration.

Configure Apache

To host the F7 installer on some shared location, we decided to use an http share. To do so, create a folder called Fedora in /var/www/html and copy all the contents of the Fedora CD into it. You can do so by running the following command:

#mkdir /var/www/html/Fedora

#cp -rf /media/cdrom/* /var/www/html/Fedora

Once this is done, copy the ks.cfg file to the location so that the installer can get all the options from the file; execute the following command for this:

#cp /ks.cfg /var/www/html/Fedora

Configure DHCP

There are two options for configuring DHCP. Either configure and run a DHCP on the same Linux machine on which you have installed the tftp-server and apache or configure your pre-existing Windows DHCP server to target this boot server. We'll use both options.

DHCP on Linux

To configure DHCP on your installation server, make sure the diskless clients get IP addresses from the RIS server and remotely boot and start the Fedora installer. To do this, open the /etc/dhcpd.conf file, add the lines shown below and restart the DHCP server.

option domain-name-servers 192.168.3.88; #<-- RIS Server IP

option domain-name "ris.pcquest.local"; # <--domain name

option option-128 code 128 = string;

option option-129 code 129 = text;

filename "/linux-install/pxelinux.0"; #<- Boot image File

 

DHCP on Windows

This is even simpler. Go to Administrative Tools and fire up the DHCP option. Here right click on 'Server Options', click on 'configure options' and a new window opens up. Check two options, namely '066 Boot Server Host Name' and '067 Bootfile Name'.

For both of these give the values 192.168.3.88 and pxelinux.0 respectively. Now just restart the DHCP server and you are done.

The Finishing Touches

Come back to the tftp-server and restart both the apache and tftp servers. Go to any machine with a pxe bootrom and reboot it with the first boot option as network card, and you are done.
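A pre-flight check for the server built in the steps above, added here as an example and not part of the original article. It verifies that the boot file named in the DHCP option exists, that the kernel, initrd and pxelinux.cfg/default sit in that boot file's directory (PXELINUX resolves them relative to where it was loaded from), that every append line carries a ks= argument, and that the ks.cfg published over HTTP holds no clear-text rootpw. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for a PXE/kickstart install server (added example).
# All function names and the sample tree below are constructed for illustration.

# check_pxe_tree TFTP_ROOT BOOTFILE
# BOOTFILE is the DHCP "filename" / option 067 value. PXELINUX resolves
# pxelinux.cfg/default, the kernel and the initrd relative to its own directory.
check_pxe_tree() {
    base=$1/$(dirname "$2")
    tree_rc=0
    [ -s "$1/$2" ] || { echo "missing boot file: $1/$2"; tree_rc=1; }
    for f in vmlinuz initrd.img pxelinux.cfg/default; do
        [ -s "$base/$f" ] || { echo "missing or empty: $base/$f"; tree_rc=1; }
    done
    return $tree_rc
}

# check_append_ks CONFIG
# Every "append" line needs ks=<location>, otherwise that label boots the
# installer without the kickstart file and the install is not unattended.
check_append_ks() {
    awk '
        $1 == "append" {
            seen++; ok = 0
            for (i = 2; i <= NF; i++) if ($i ~ /^ks=./) ok = 1
            if (!ok) { print "line " NR ": append has no ks= argument"; bad++ }
        }
        END { if (seen == 0 || bad > 0) exit 1 }
    ' "$1"
}

# check_ks_rootpw KS_FILE
# ks.cfg is readable by anyone who can reach the web server, so a rootpw
# line must carry a hash (--iscrypted), never the clear-text password.
check_ks_rootpw() {
    if grep -E '^[[:space:]]*rootpw[[:space:]]' "$1" | grep -v -- '--iscrypted' >/dev/null; then
        echo "$1: rootpw is stored in clear text"
        return 1
    fi
    return 0
}

# preflight TFTP_ROOT BOOTFILE KS_FILE: run all three checks, report every finding.
preflight() {
    failed=0
    check_pxe_tree "$1" "$2" || failed=1
    check_append_ks "$1/$(dirname "$2")/pxelinux.cfg/default" || failed=1
    check_ks_rootpw "$3" || failed=1
    return $failed
}

# Constructed sample: the first label mistypes ks= as s=, and ks.cfg
# carries a clear-text root password.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/tftpboot/linux-install/pxelinux.cfg"
    for f in pxelinux.0 vmlinuz initrd.img; do
        echo stub > "$d/tftpboot/linux-install/$f"
    done
    cat > "$d/tftpboot/linux-install/pxelinux.cfg/default" <<'EOF'
label linux
kernel vmlinuz
append initrd=initrd.img ramdisk_size=8192 s=http://192.168.3.88/Fedora/ks.cfg
label text
kernel vmlinuz
append initrd=initrd.img text ramdisk_size=8192 ks=http://192.168.3.88/Fedora/ks.cfg
EOF
    printf 'install\nrootpw changeme\n' > "$d/ks.cfg"
    echo "$d"
}

# Demo on the constructed sample; on a real server the call would be e.g.
#   preflight /tftpboot /linux-install/pxelinux.0 /var/www/html/Fedora/ks.cfg
sample=$(make_sample)
preflight "$sample/tftpboot" linux-install/pxelinux.0 "$sample/ks.cfg" \
    || echo "sample rejected: fix the findings above before booting clients"
rm -rf "$sample"
```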

As the name suggests, inventory management is the recording and the managing of the desktop hardware to its component level. It is also understood as hardware monitoring. There are two approaches to inventory management. One, of course, is the manual way in which you open up all the machines, check for the available hardware and keep a note of it. But this traditional method is not that efficient for recognising hardware changes. Let's assume you have 1 GB of RAM in your machine and lose 512 MB due to hardware failure or some other reason. Now unless you inspect the machine you will not be able to detect the change. So, going with the other approach, i.e. doing the inventory with the help of software, would serve the purpose. Here an agent is pushed to all the desktops and the software takes care of the rest. It connects back to a central server and reports all the hardware components inside each and every machine. In case there is a change of hardware component, it immediately detects it and reports back, hence solving the problem of changing inventory.

Inventory mgmt with PC-Duo Enterprise

PC-Duo is a centralized desktop management suite for Windows and Mac OS. It comes with separate modules, namely Inventory Management, Software Distribution, Software Metering, Diagnostics, Helpdesk Issue Tracking and Remote Control. The Inventory Management module provides detailed software and hardware inventories. It lets you manage software policies throughout the network and also lets you control as well as monitor software usage across the organization. You can create Policy compliance and License compliance reports too. The Policy compliance report will tell you which machines are running wrong and also about the missing and unauthorized software packages installed. In inventory reports it also lets you compare the inventory of two machines. PC-Duo can also work in audit mode, in which it can capture inventory and user details from the workstations without installing agents on them. The Software Metering module provides analysis of software usage on the workstations. It also lets you monitor which users are using the software and for how much time. This helps to ensure that software is installed at its desired place, which helps to reduce software licensing costs. PC-Duo has a web-based reporting portal which can be accessed from anywhere. It comes with 50 predefined reports; adding to this, you can also have customized reports. It also lets you schedule all of its functions, such as inventory scans and software distributions, so that they can be performed while network usage is low.

 
PC-Duo extracts software inventory directly from the registry and provides the report to you in a comprehensive manner

Site is another important component of PC-Duo which lets you organize your workstations into business and logical groups. Each site collects data from the assigned offline areas. Sites require an ODBC compliant database to store and manage the data collected.

Install and config

PC-Duo can be installed on Windows 2003, 2000 and XP. Before installing PC-Duo you need to have MDAC 2.80 or a later version of it, and for the database you need to have at least one of these: MS SQL, Oracle, MSDE or MS Access. Once installed, the first thing you need to do is to create a Site database. This database stores all the data collected from the clients. The site creation wizard starts automatically when you run PC-Duo for the first time. The wizard will ask you to specify Offline Area and Client kit locations and choose the machines on which you want to install agents. Offline Area is basically a shared directory used by clients to store the raw data extracted from the machines. The wizard next asks you to choose the machines where you deploy PC-Duo clients, i.e. its agents. Once you have selected the machines, click on finish. It will now create a Site Database and install the clients on the selected workstations. Once the wizard finishes, you can see the Site in its main console, with all the available modules. To start managing your network, go to the operations option on the Site. From here you can perform all desktop management operations like Inventory, Remote Control, Software metering etc. Let's do a hands-on of some of the operations you can perform.

In PC-Duo's Hardware Inventory module you can see all hardware details such as the processor, memory, printer, FSB etc

Inventory

Performing Inventory scans and creating reports is simple in PC-Duo. To perform an inventory of hardware for the workstations running in your network, select the Hardware Scan option under the operations. Choose upgrade hardware inventory; this will open a new window. Here select the workstation on which you want to perform the scan, or else select the 'All Clients' option to scan all the machines in the network, and click OK. This will open the Submit job window. Here first provide a name for the job and choose the time when you want the scan to run. You can also choose to repeat the scan every day or week. Now click on the logging tab, enable the log extra detail option and click on the submit button. It now starts scanning your workstations for their hardware inventory. Once the scan finishes, you can see the reports from the hardware scan window. Other than the hardware summary for the whole network, you can also see component specific reports such as CPU, Memory and Disk. Similarly you can also perform a software inventory from the Software Scan option. The software inventory reports let you find out software installations and patches identified from the registry with a complete software package installation report.

 

This is a new concept in the world of desktop management, and there are many different ways of doing it. Being new, there's no standard definition for it, so different vendors are promoting their own methods for doing it. Simply put, desktop virtualization means running more than one OS on a single desktop PC. It may seem like ordinary virtualization, but there are different ways of doing it to ensure smooth desktop management. For instance, suppose you were to create a virtual machine in which you packaged the Operating System with your own security policies and software? This would allow you to standardize what you're giving to your users. Another form of virtualization is called Virtual Desktop Infrastructure, or VDI. Here, there's no OS at the desktop. Instead, you run it inside your data center, and deliver it virtually to the users. This could be done using thin clients or from a simple desktop PC. The most well-known vendor for VDI is VMware, but other vendors like Virtual Iron also exist.

Another concept similar to VDI is Application Delivery in which only the application is delivered to the users instead of the whole OS. In this the application is streamed over the network, and it is executed in an isolated environment over the user's PC. Citrix's latest version of Presentation Server, 4.5, has this feature, and we'll tell you how to deploy it.

Application Streaming with Citrix Presentation Server 4.5

Application Streaming lets you deliver Windows-based applications to any desktop and yet centrally manage them.

Citrix calls its Application Streaming a record, download and play architecture. Applications to be streamed are prepared using Citrix profiler, which includes configuration and files required by the application to run in isolation. The Citrix profiler creates a .CAB file which is published on a file server. When an application is streamed, it is cached locally and users can use it just like a normal desktop application. Application streaming lets you install and configure an application on a profiler and then transfer it to a file server; these applications can be streamed to a workstation from the file server. This lets you access the application from anywhere without connecting to the server. Now all application updates and patching can be done at one place, instead of on every workstation. Users can access the application using the Citrix program neighborhood client or a web client.

If a desktop is not in the network, applications can still be used by caching them locally in an isolated environment. Application caching also ensures faster access to the application whenever it is launched. When an application runs, cached files are updated automatically in case a new version of file is available on the server. While streaming applications run in an isolated environment, the files, such as registry settings, INI, DLL files, required to run an application are also isolated. This ensures that the files do not clash with the ones running on the workstation client.

Once you have created the profile, you can see the available applications and files used by the applications

How to implement?

Citrix Streaming Profiler lets you prepare profiles that contain applications and settings, which will be streamed to desktops. Profiles can be created by installing applications on an independent machine running Citrix Streaming Profiler. You can have multiple applications in a profile with their pre-requisites. The Profiler can be installed on Windows 2000, XP and R2 and must have Microsoft XML 2.0. Once installed, open Citrix Profiler and from the File Menu start New Profile wizard to create a new profile. For this first provide a name to the file and then choose the profile security level.

Next you need to set at least one target Operating System. By default, the wizard will choose the Operating System and language installed on the machine on which you are running the profiler.

Next the wizard will ask you to choose whether you want to use 'quick' or 'advanced' install. Use advanced install if you are installing multiple apps, editing registry settings etc., and quick install if you are installing an app through a single executable file. So let's deploy MS Office using quick install.

Browse to the location of the installation program, and provide command line parameters if there are any. Then the wizard will ask you to launch the installer and will install it in the system in which you are running profiler. You can also choose to perform a virtual restart. The wizard also lets you run every application, this is handy when in some applications you have to provide serial numbers for the first time you run, or perform some one-time configuration when they start for first time.

Lastly the wizard will ask you if you want to digitally sign the profile using a certificate from a trusted authority, however this is optional. Once you click on finish the profile will be created and you will be shown profiler main console. From here you can check all the settings and save the profile to a UNC path.

 

Publishing an App

In the Access Management console select the farm to publish the application. Go to the application node, select it, and from the common task pane click on new folder.

Now select this folder and choose publish application from the common task pane, this will launch publish application wizard. The wizard will ask you to choose application delivery method. Here you can choose between 'streamed to the client' or 'accessed from the server'. In streamed to the client delivery method users stream the profiled app from the file server to their workstation. For this users need to have streaming client installed. In accessed from server option, users launch application from the server using ICA.

In the next step the wizard asks you to provide the UNC path where the profile of the application which we created earlier resides. The next step lets you choose whether you want users to have offline access to the applications or not. You can also choose to pre-cache the application when a user logs in; however, concurrent logins may result in huge traffic if the application being streamed is heavy. Going further, the wizard will ask you to add users who can access this application and lastly to choose an icon for the application and publish it. Once you have published the application, you are done with the server part of the configuration. Now for users to access the published application you need to install the Citrix streaming client for them. Here you have two options: first, to use the Streaming client with the program Neighborhood agent, and second, to use the Streaming client with a Web browser. In the streaming client with a web browser option, as the name says, a user accesses the published app through a web browser. However, in this option offline access to applications is not supported. The program Neighborhood agent supports all application streaming features and it requires at least 5% or 1 GB of disk space, whichever is minimum, to run. The Citrix streaming client also comes with a utility called RadeDeploy.exe which lets you pre-deploy the frequently used applications to clients. This prevents clogging of the network and the file server. In the program Neighborhood client, you can easily access the published application using application sets. Once a user is authorized, the application sets are visible in the neighborhood client. The user can simply launch the application and start using it.
