
Getting Started

Date post: 21-Nov-2014
Upload: richard-workman
Getting Started with Numara® Asset Management Platform

Note

Numara® Software, Inc. reserves the right to make changes in specifications and other information contained in this document without prior notice. The reader is advised to consult Numara® Software, Inc. to determine whether any such changes have taken place.

Under no circumstance and to the minimum extent permitted by law, including none, shall Numara® Software, Inc. be liable for any damages whatsoever, including but not limited to consequential or incidental damages due to loss of business, loss of time, loss of information, loss of profit or loss of opportunities, arising in whole or part out of or related to this manual or the information contained in it, even if Numara® Software, Inc. has been informed of such danger or should have been informed or is in possession of knowledge of such danger or implications.

This product and documentation are provided on a RESTRICTED basis. Use, duplication, or disclosure by the US Government is subject to restrictions set forth in Subparagraphs (c) (1) and (2) of the Commercial Computer Software Restricted Rights at 48 CFR 52.227-19, as applicable.

1994 - 2010© Copyright Numara® Software, Inc.
Portions Copyright© 1989-95 GROUPE BULL
Portions Copyright© 1999-2000 Dave Smith
Portions Copyright© 1998, 1999, 2000 Thai Open Source Software Center Ltd
Portions Copyright© 2001 by First Peer, Inc.
Portions Copyright© 1995 Eric Young
Portions Copyright© 1994, Tom Boutell, Cold Spring Harbor Labs
Portions Copyright© 1991 by Ozan S. Yigit
Portions Copyright© 1995-1998 Jean-loup Gailly and Mark Adler
Portions Copyright© 1999 - 2005 NetGroup, Politecnico di Torino (Italy)
Portions Copyright© 2005 - 2008 CACE Technologies, Davis (California)

All rights reserved.

This document may not be reproduced in part or whole by any means, for any purpose or transmitted in any way, except small quotations not exceeding one thousand characters and in such case only with clear reference to the source and mentioning the Numara® Software, Inc. copyrights, without the express written permission of Numara® Software, Inc.

Numara® Software, Inc.

2202 North West Shore Blvd. Suite 650

Tampa, FL 33607

USA

http://www.numarasoftware.com/

Numara, the Numara Software logo, Track-It! and FootPrints are registered trademarks of Numara Software, Inc. Microsoft is a registered trademark and Windows is a trademark of the Microsoft Corporation. Pentium is a trademark of the Intel Corporation. All other marks are property of their respective companies.

Introduction

The Numara® Asset Management Platform (NAMP) is a solution for managing and securing systems that provides a global overview of the complete infrastructure through its automated administration tools and its security functionalities. Once installed on all systems, the NAMP agents allow the administrator to monitor all devices from the NAMP administration console.

The Numara Asset Management Platform is composed of a master server, a unique agent installed on all devices, relay agents for an optimised architecture, a database and a unique administration console.

Organisation

This manual is designed for new users of the Numara Asset Management Platform as well as for users who have acquired new functionalities and are trying to familiarise themselves with them. It provides detailed examples on specific topics, such as step-by-step instructions on how to create your first objects and execute operations, as well as on setting up security in the software.

The examples in the chapters of this manual assume that the Numara Asset Management Platform and its components were installed as explained in the Installation manual with all their default values.

The manual is divided into the following sections and topics:

Section I - Basic Objects and Functionalities

This first section of the Getting Started manual introduces you to the basic objects and functionalities of the Numara Asset Management Platform. These objects are common to all modules and specific functionalities of the suite. It is therefore recommended to follow the order of the chapters in this manual to arrive at the required proficiency regarding these objects, their functioning and possibilities and the impact they have on other objects and modules of the suite. The section has the following chapters:

• First Steps in the Console - Topology, Direct Access, Remote Control
• Inventory Step-by-Step - Hardware and Software Inventory
• Queries and Device Groups Step-by-Step
• Configuration Management Step-by-Step - Operational Rules
• Directory Server Synchronisation Step-by-Step - Device Groups, Administrator Groups and User Groups
• Reports Step-by-Step

Section II - Advanced Management Suite

This second section of the Getting Started manual introduces you to the advanced functionalities of the Numara Asset Management Platform and their specific objects. The examples and exercises in these chapters are based on those of the first section; we therefore recommend that you do those first.

• Operating System Deployment Step-by-Step
• Software Distribution Step-by-Step
• Resource Monitoring Step-by-Step
• Application Management Step-by-Step
• Power Management Step-by-Step
• Peripheral Device and Data Control - Step by Step
• Patch Management Step-by-Step
• Vulnerability Management Step-by-Step
• Device Compliance Step-by-Step
• Setting Up Security

What’s New in this Version

The main new features and changes since the last version are the following:

• A new parameter was added to the safe reboot functionality of the patch management that allows locked sessions to be bypassed.

• A new system variable was added to the Console and new parameters were added to the kiosk.ini file to manage the accessibility of the Application Kiosk page of the browser agent interface.

• A new parameter was added to the timer module to manage timers related to specific users and a new operational rule was added to be able to configure the module.

Further Documentation

In addition to this little manual you will find detailed information on all possible aspects and topics regarding the Numara Asset Management Platform in subject-oriented manuals, which are located on the Numara Asset Management Platform Installation DVD under the /docs directory in their respective language directories. There you will find a reference manual containing detailed information on general topics such as all parameters, modules and security, as well as more technical information on topics such as the autodiscovery.

Contents

Introduction

Section I - Basic Objects and Functionalities

Chapter 1 - First Steps in the Console
1.1 Populating in the Device Topology
1.2 Remote Control
1.3 Direct Access
1.4 User Preferences

Chapter 2 - Inventory Step-by-Step
2.1 Device Inventory
2.2 Device Group Inventory
2.3 Inventory Options

Chapter 3 - Queries and Device Groups Step-by-Step
3.1 Queries
3.2 Device Groups
3.3 Options

Chapter 4 - Configuration Management Step-by-Step
4.1 Operational Rule Examples
4.1 Rule Options

Chapter 5 - Directory Server Synchronisation Step-by-Step
5.1 Synchronising with Active Directory
5.2 Options

Chapter 6 - Reports Step-by-Step
6.1 Report Examples
6.2 Report Options

Section II - Advanced Management Suite

Chapter 7 - Operating System Deployment Step-by-Step
7.1 Operating System Deployment
7.2 Options

Chapter 8 - Software Distribution Step-by-Step
8.1 Software Distribution Examples
8.2 Software Distribution Reporting
8.3 Software Distribution Options

Chapter 9 - Resource Monitoring Step-by-Step
9.1 Resource Monitoring Examples
9.2 Monitoring Options

Chapter 10 - Application Management Step-by-Step
10.1 Managed Application Examples
10.2 Application Management Reporting
10.3 Application Management Options

Chapter 11 - Power Management Step-by-Step
11.1 Power Management Procedures
11.2 Power Management Reporting
11.3 Options

Chapter 12 - Peripheral Device and Data Control - Step by Step
12.1 Device Management Procedures
12.2 Options

Chapter 13 - Patch Management Step-by-Step
13.1 Patching Your System
13.2 Patch Reporting
13.3 Patch Management Options

Chapter 14 - Vulnerability Management Step-by-Step
14.1 Making Your System Secure
14.2 Vulnerability Management Options

Chapter 15 - Device Compliance Step-by-Step
15.1 Compliance Rule Examples
15.1 Compliance Reporting
15.2 Rule Options

Chapter 16 - Setting Up Security
16.1 Capabilities and Access Rights
16.2 Security Considerations
16.3 Basic Operation Principles
16.4 Specific Cases
16.5 Scenarios

Section I

Basic Objects and Functionalities

This first section of the Getting Started manual introduces you to the basic objects and functionalities of the Numara Asset Management Platform. These objects are common to all modules and specific functionalities of the suite. It is therefore recommended to follow the order of the chapters in this manual to arrive at the required proficiency regarding these objects, their functioning and possibilities and the impact they have on other objects and modules of the suite. The section has the following chapters:

• First Steps in the Console - Device Topology, Direct Access, Remote Control and User Preferences
• Inventory Step-by-Step - Hardware and Software Inventory
• Queries and Device Groups Step-by-Step
• Configuration Management Step-by-Step - Operational Rules
• Directory Server Synchronisation Step-by-Step - Device Groups, Administrator Groups and User Groups
• Reports Step-by-Step

All examples and exercises assume that you have installed the Numara Asset Management Platform and any additional components as explained in the Installation manual with the default values.

1 First Steps in the Console

Once you have rolled out agents in your network you can watch your database fill up with information about your managed devices, sent by the agents running on these machines as they finish installing and come online.

1.1 Populating in the Device Topology

A good starting point to watch this is the Device Topology node, where you will see all managed devices appearing one after the other in their NAMP hierarchy as the type of machine they represent.

Select the Device Topology node in the left window pane, then your master. Then select the Graph tab in the right window pane. The tab pane will now display the network hierarchy of the devices which you just installed and rolled out, with the master server as its central point. For more information on the graph and its possibilities please refer to the respective chapter in the Numara Asset Management Platform Console Guide. This type of graph is also available for the user groups, inventories and vulnerabilities.

If you do not have the graph, you may see your clients coming online by first selecting the master in the left window pane; the right window pane should then display the relay under the Members tab. When you click on the relay in the left window pane, its Members tab will display all managed devices as they come online. The icon representing each device as a node shows which functionality the device has in the network, i.e. whether it is a simple client, a relay or the master. The status of the device is expressed in the colour of the screen of the device icon; in this situation they should all be green, for a status of online with no problems. If the agent has been able to find the operating system, this will also be displayed in the icon: client with Windows OS, with Linux or with Solaris.

Subnodes

When you select one of the managed devices in the left window pane, for example the master, you can see all the information it provides in its tables or through its list of subnodes:

• Agent Configuration - this node provides access to all configuration settings of the agent running on the local client.
• Direct Access - if you need to see or modify specific settings on a client you may do so via this node.
• Remote Control - in this node you may establish a remote control connection with the currently selected devices.
• Inventory - here you will find all possible information on hardware, software, custom, security, patch, power management and vulnerability inventory of the client.
• Assigned Objects - this node groups all objects which are assigned to the currently selected device.
• Events - this node provides access to all events concerning the selected device.

Tabs

The tabs in the right window pane of the master also provide some information:

• Members tab - This table lists the devices which are located under the master. For our case this should be the manually installed relay. When you click the relay and then its Members tab you should see the list of all devices to which the agent was rolled out.

• Parent Device Groups tab - this tab lists all groups of which the currently selected device is a member. If you reselect the master in the left window pane, this tab will already display one group, called All Devices, even though we have not created any. This is because we imported the Out-of-the-Box objects, which include this one group.

• Graph tab - as you have already seen above this tab displays your newly installed device topology in graphical format.

• General tab - this tab displays all available information on the selected device, such as name, IP address, topology type, OS, agent version, if it is a patch manager, a package factory or a scanner, etc.

1.2 Remote Control

From this location you may take over the control of the remote devices that you have just installed.

Note: If you are using NAT configurations the devices cannot be accessed via Remote Control and Direct Access.

To take control of a device proceed as follows:

1 Select one of the devices to which you rolled out the agent in the left window pane under the Device Topology node, or the relay.
2 Select the Remote Control node of the device.
3 An identification window appears on the screen, in which you must provide a valid login and password for the remote device.
4 Click the Edit->Connect menu item or the respective icon in the icon bar.
5 The Connection Status appears on the screen.
6 Once the connection is correctly established, the screen of the target client appears in the right window pane.
7 You may now execute any required functions or manipulation on the target machine.
8 If you have the remote device in your view, you will see that the NAMP icon in the systray, which normally is blue and oscillates green when the agent is busy, has turned yellow to indicate that the client has been taken over via remote control.
9 Now we will try some operations on the remotely controlled device:
   a Start the file Explorer on the remote device and close it.
   b Open a text editor and create a new file. Save it under c:\temp as test.txt.
   c You may also reboot the remote device by clicking the Reboot Remote Device icon in the tool bar. Click Yes in the confirmation window to confirm the reboot.
   d After the device is up and running again you can copy some text from your local device to the text file you just created under step b on the remote device.
      1 To do so open Notepad, for example, type some text, select it and then copy it to your local clipboard using the CTRL + C keyboard shortcut.
      2 In the Remote Control Console window open the test.txt file on the remote device.
      3 Click the Send Clipboard icon in the tool bar. The contents of the local clipboard are copied to the clipboard of the remotely controlled client.
      4 Now place the cursor at the end of the test.txt file and use the CTRL + V keyboard shortcut to paste the content into the file. Save it.
   e You may do the same operation in the other direction using the Retrieve Clipboard icon.
   f You can also retrieve the test.txt file from the remote device and save it on your local device.
      1 Select the File Transfer icon in the tool bar.
      2 The File Transfer window opens on the screen. This window allows you to copy files from the local to the remote device and vice versa.
      3 Find the source file, i.e. the test.txt file to be copied, in the tree hierarchy of the remote device and select it.
      4 Select the target directory, i.e. c:\temp on your local device.
      5 Click the arrow between the two fields to start the transfer. The transfer may be stopped, and the file copy thus cancelled, by clicking the stop transfer button.
      6 Select the Close button at the bottom of the window when all required files have been transferred.
   g Delete the test.txt file on the remote device in the same way as you would on your local device.
10 To disconnect, select the Disconnect icon in the tool bar.
11 A confirmation window appears. Click the Yes button to continue.
12 The connection will be interrupted and the image of the remote screen disappears from your right window pane.

1.3 Direct Access

Some parts of the remote devices, such as the file system, the Windows Registry and the services, may also be accessed via the Direct Access node in the console.

Note: If you are using NAT configurations the devices cannot be accessed via Remote Control and Direct Access.

To access a device directly proceed as follows:

1 Select one of the devices to which you rolled out the agent in the left window pane under the Device Topology node.
2 Select the Direct Access node of the device.
3 If you are using the same device as for the Remote Control example, the connection will be established directly, as you have already provided an identification. If you are using another device the Identification window will appear and you must provide a valid login and password for the selected device.
4 Once the connection is established, you can see the available parts of the remote system which you can access:
   • File System
   • Registry
   • Services
   • Process Management
   • Windows Events

File System

1 First select the File System node.
2 The file system of the remote device will be displayed in a way very similar to Windows Explorer. It allows you not only to view a device’s complete directory structure with its files and folders but also to manipulate them:
   a Go down in the hierarchy to C:\temp. Here we will create a new directory:
      1 Choose the Edit->Create Directory menu item or click the respective icon in the icon bar.
      2 The Create a new Directory popup dialog box opens.
      3 Enter Test as the name for the new directory then click OK to confirm.
   b To edit an existing file on the remote device, such as a configuration file, proceed as follows. Be aware that, for performance reasons, the file must be smaller than 200 KB to be editable.
      1 In the table in the right window pane select the text file to be edited, e.g. go down the directory structure to the config directory of the NAMP client and select the relay.ini file. We will turn the currently selected device from a simple client to a relay.
      2 Select the Edit->Edit File menu item or the respective icon in the icon bar.
      3 An Edit Text File Window opens on the screen with the contents of the file.
      4 For the first entry, called IsEnabled, modify the value from 0 to 1 and then select the OK button at the bottom of the window to confirm the modification.
   c You may also transfer files between the remote and local device in the file system; it works in exactly the same way as described above under the Remote Control chapter.

Registry

1 Now select the Registry node in the left window pane.
2 Browse down into the structure of the remote registry to key HKEY_LOCAL_MACHINE/SOFTWARE/Numara Software/Numara AMP.
3 Now create a new key by choosing the Edit->Create Key menu item or the respective icon in the icon bar.
4 The Create New Key popup dialog box opens.
5 Enter Test Key as the name for the new key then click OK to confirm.
6 The new key will be created directly and selected.
7 Now we will create a string value for the new key.
8 For this select the Edit->Create String Value menu item or click the respective icon in the icon bar.
9 The new value will automatically be created under the key and displayed in the table of the right window pane.
10 To name the newly created value, either choose the Edit->Properties... menu item, or click the respective icon in the icon bar, or right click the relevant value in the right pane and then choose Properties... in the displayed contextual menu.
11 The Properties dialog box appears on the screen. Enter the following values:
   • Value: Enter the name for the newly created value, e.g. Test Key Value.
   • Data: Enter here “This is a test for the registry”.
12 Click OK to confirm the new value.
13 Now, to delete the new value select the Edit->Remove Value menu item or click the respective icon in the icon bar.
14 Click Yes in the confirmation message box.
15 The value will be deleted immediately.
16 To delete the Test Key select it and then click the Edit->Remove Key menu item or click the respective icon in the icon bar.
17 Again click Yes in the confirmation message box.
18 The key will be deleted immediately.

Services

Be aware that the NAMP agent may NOT be stopped or restarted from this location.

1 Now select the Services node in the left window pane.
2 The table in the right window pane displays the list of all services on the remote device.
3 Here you can start or stop services and configure startup options.
4 Select a service which is currently stopped.
5 Then select the Edit->Start menu item or the respective icon in the icon bar.
6 The service will be started directly.
7 Select the now running service to stop it again by selecting the Edit->Stop menu item or the respective icon in the icon bar.
8 The service will be stopped immediately.
9 Now select another service and restart it by selecting the Edit->Restart menu item or the respective icon in the icon bar.
10 You may also modify some values of a service, such as the display name or the startup type.
11 To do so select the Numara Asset Management Platform Agent service and then the Edit->Properties... menu item or the respective icon in the icon bar.
12 The Properties dialog box appears on the screen.
13 Change the startup type here from Automatic to Manual.
14 Click OK to confirm the modification.
15 Repeat steps 11 to 14 and undo the modification.

1.4 User Preferences

The NAMP console provides the administrator with a number of options to configure the console's general look and feel and its way of working. This is done via the User Preferences, which are accessible everywhere via the Options menu.

To access the User Preferences window proceed as follows:

1 Select the Options->User Preferences menu option.
2 The User Preferences window opens on the screen.
3 Select the icons in the left window pane to move from one page to the next.
4 After you have set your preferences in all the tabs of the dialog box click the OK button at the bottom of one of the pages to confirm all choices and entries, apply these to your configuration and close the window. To cancel any changes and entries made click the Cancel button.

We will make the following changes to these options for illustration:

1 In the General tab you may define the general settings of your console window. In the Console Appearance box:

From the dropdown field Look’n Feel select another skin for the general appearance of the console. This will change the colour scheme, of the console window itself.In the Language dropdown field select Japanese.In the Time Zone box check the unselected radio button and in the now accessible field select the time zone in which you are located.From the Date Format dropdown field select the date format you want to use.In the System Settings box modify the Auto LockDown Delay value to 0. This entry defines the maximum time that may elapse without any input to the computer by the keyboard or mouse before the console is locked down for security reasons. If that time has elapsed the user/administrator must enter his logon again to unlock the console. The default value for this number is 600 seconds. For our tests set this value to 0, which deactivates the lockdown function.

2 Click the OK button to close the window and see the effect of the changes.

Page 18: Getting Started

18 - Numara Asset Management Platform

3 To open the User Preferences window again reselect the menu before the last and select the option at the bottom.

4 In the window click the arrow on the first field to the right to select UK English as the Language again.
5 Click OK to confirm and close the window.
6 The console is back to English as language.
7 Select the User Preferences window again.
8 Then select the Tables tab in the left window bar.
9 The Tables tab is for setting the properties of the tables in the right window pane of the console. Make the following changes:

• In the Table-Row Settings box modify the colours for the table lines by clicking the Modify button. The field to the left of the button displays the current colour. In the appearing window select a colour of your choice. Then repeat the process for the even lines and also for the grid between the lines.
• In the Row Height field enter 15 to increase the height of the table rows.
• In the Automatic Refresh box move the cursor of the time scale to the left until the value to the right of the Enable Regular Automatic Refresh field indicates 15 seconds. Now all right window panes that have automatic refresh will be refreshed every 15 seconds instead of the default 30 seconds.
• In the Paging Settings box change the value for the table rows per page to 15.


10 Now select the Fonts icon. In this page you may select the size and type of font to use.

• Select a font type from the dropdown field.
• The Font Preview box displays a Sample for the selected font and size.
• You may also increase the size of the font as we have increased the row height.

11 The Object Assignments page defines the standard behaviour of the assignments between the NAMP objects. We will make no modifications here, as we will be using the predefined default schedule in our examples later.

12 Select the E-mail page. The parameters in this tab define the basic settings of the mail server in your organisation. This information is required to be able to execute a number of the examples we will define in later chapters, amongst others to send reports as e-mails and the notification option of the Task Management. The following parameters must be defined:

• Server Name: Enter the name of your mail server to which all mail is set for routing.
• Port: Defines the port number of the mail server; the default value is 25.
• Authentication: This field defines if the mail server requires authentication for its communication; possible values are Force Authentification, Authenticate if possible or Never Authenticate. Select the value your mail server requires.
• User Name: Enter into this field a valid login to the mail server. This may be any login, not necessarily that of the user defining his preferences via these options.
• Passwords: The corresponding password.

13 Then click the OK button to confirm all modifications and to close the window.
14 You can now see the main modifications you made to the console appearance.
15 To make the e-mail system work for the later examples two more steps need to be made in the console:
16 Go to the Global Settings->System Variables node and select the Mail tab.
17 Select one of the table rows in the right window pane and then the Edit->Properties... menu item or click the respective icon in the icon bar.
18 The Properties dialog box appears on the screen.
19 Enter the required values as above in the E-mail page.
20 Click the OK button to confirm and close the window.


21 Now go to the Global Settings->Administrators node and select the admin entry in the left window pane. We will configure this administrator here for e-mailing, as we will execute all our examples as this administrator.

22 Select one of the table rows in the right window pane and then the Edit->Properties... menu item or click the respective icon in the icon bar.
23 The Properties dialog box appears on the screen.
24 Find the E-Mail field and enter your e-mail address.
25 Then click the OK button to confirm and close the window.
26 The e-mail function is now set up.
27 Now open the User Preferences window again and modify any of the settings you don't like or return to the default values.


Chapter 2 - Inventory Step-by-Step

The agent of the Numara Inventory Manager allows you to collect any type of inventory data for the individual machines of your network. The collected information is related to the individual properties of the object and contains extensive information, such as the installed processor and its type, speed, RAM, BIOS name and date, the software installed on the managed devices as well as any other custom defined attributes, such as the geographical location, the values of registry or of a configuration file entry. Not all of the above, however, will be available for all platforms.

The different types of inventory are available:

• for devices
• for device groups
• on the agent interface for the local device.

The types of inventory may be accessed via the Inventory node:

• for a device: via the Device Topology top node or via a device group node of which the respective device is a member.
• for a device group: via the group’s node.

2.1 Device Inventory

The inventory for a device is accessed through the device’s node and its Inventory subnode via the Device Topology. For our examples here we will select the Device Topology node and then the Inventory subnode of our master. As you can see in the graphic below, the Inventory node displays a separate node for all different types of inventory available. The table in the right window pane also indicates the date and time at which the respective inventory was last updated.

The NAMP agent also creates an inventory of patches missing on the devices, of vulnerabilities present on them, and collects a number of parameters regarding the device’s security situation. The Custom inventory allows you to collect a number of specific device parameters you may need in your day to day network tasks. These types of inventory are filled in either via operational rules or device scanning and are therefore still empty when being selected here for the first time. You will find more information on how to fill these in under chapters Configuration Management Step-by-Step, Patch Management Step-by-Step and Vulnerability Management Step-by-Step.

All types of inventory are by default generated and uploaded when the agent is started. However, as the collection may be extensive, this may take a while before all information is gathered and uploaded to the database. When you access the Hardware Inventory and Software Inventory for the first time, they may still be empty.


2.1.1 Hardware Inventory

The hardware inventory for devices shows a number of objects which may or may not be applicable to all supported operating systems, i.e. Windows, Solaris and Linux. Each of these objects will be displayed split up into object specific properties.

To get a first view of the Hardware Inventory for the master do as follows:

1 Select your master device under the Device Topology node.
2 Then from its subnodes select the Inventory node.
3 The right window pane presents you now with the complete selection of available inventory types. Select Hardware Inventory.
4 The right window pane now displays the most general level of hardware inventory for the master. The number of objects shown depends on the operating system installed on the master, but the objects shown in the picture below are a common minimum for all different operating systems.

5 If you double-click one of these entries, the Network Adapter entry for example, the right pane will show the processor details as shown below. The amount of details displayed depends on the hardware object selected.

To display the history for an inventory refer to Option (a).

To display the hidden elements for an inventory refer to Option (b).

To add or remove an inventory object refer to Option (c).


2.1.2 Software Inventory

The Software Inventory node of the console displays a single list of all software packages found on the selected device. The list is generated by the agent and uploaded into the database at regular intervals. As with the other inventory information, all entries are stored in the database to be available even if the actual device is off-line.

1 Click the Software Inventory node of the device in the left window pane.
2 Below this node you will find the Applications node. Select it.

3 The right window pane will now display all software products which the agent has found on the managed device with some additional information as shown in the image above.

4 As this list may be very long it is probably paged. You may see this at the bottom of the console window where the number of pages is indicated and the buttons for moving from one page to another are provided.

The number of lines to be displayed by page as well as a number of additional displaying parameters are customisable via the User Preferences. For more information on this subject refer to chapter User Preferences on page 49 in Section I of the console manual.


2.2 Device Group Inventory

The different types of inventory are also available for the device groups, offering an overview over a specific part of your network, such as the Anti-virus situation of your laptops or the current situation regarding the RAM of the machines in your development department. The inventory is accessible via the Inventory node below the respective device group.

2.2.1 Hardware Inventory

The hardware inventory for groups shows a number of objects which may or may not be applicable to all supported operating systems, i.e. Windows, Solaris and Linux. Each of these objects will be displayed split up into object specific properties.

To get a first view of the Hardware Inventory do as follows:

1 Select the device group All Devices under the Device Groups node.
2 Then from its subnodes select the Inventory node.
3 The right window pane presents you now with the complete selection of available inventory types. Select Hardware Inventory.
4 The Inventory node on the left expands to display the types of inventory and the right window pane now displays the most general level of hardware inventory for the selected device group.
5 Select the Desktop Monitor option.
6 It has a number of properties, Instance Name, Monitor Manufacturer, Width, Height, etc.
7 Select the Name option.
8 The table in the right window pane will now display the list of monitor names found for all devices and the respective count.

9 Now select the Bar Chart tab. It displays the same information as the Inventory tab in form of a bar chart.


10 The labels to the right of the chart provide the names of the different monitors found.

11 Now select the Pie Chart tab. This graphic displays again the same information in form of a pie chart.

2.3 Inventory Options

The following paragraphs will provide you with a number of options for the different inventory types.


(a) Inventory History

Numara Inventory Manager keeps track of the changes that occur with each inventory upload for all types of inventory. These changes may be seen in the History tab for each inventory type. This tab displays the inventory delta, i.e. the differences between the last state of the inventory and the newly uploaded inventory. The following exercise is valid for all types of inventory; we will do it here as an example for the hardware inventory.

1 After an initial upload of the inventory the History tab will be empty, as no modifications have yet taken place. At the earliest you might see elements appear in this tab once a second inventory has been generated and uploaded.

2 In the master's File Explorer select any file, preferably a large one, and duplicate it.
3 Now restart the agent service via the Services and Applications node of the Computer Management in Windows. By default the agent is configured in such a way as to generate and upload all inventories when being started.
4 Now go to your master device under the Device Topology node and open the Inventory->Hardware Inventory node again.
5 Select its History tab.
6 You might have to wait a bit, as inventory generation tends to take some time.
7 Once the inventory is generated and uploaded the History tab should display an entry with a name of Logical Disk, Free Space as its property name and a different old and new value, since the available free disk space on your device has changed.

(b) Hide Inventory Elements

All types of inventory have a third tab, the Hidden Elements tab. In this tab you may define inventory objects which are not to appear in the History tab of the devices, which are currently of no use to you. The selection you make in this tab is applicable to all devices, i.e. to the inventory of the master as well as that of the relay and all rolled out clients. As with the History tab, this system is applicable to all types of inventory; for our example we will choose the hardware inventory again.

1 Select the Hidden Elements tab of your master hardware inventory.
2 The table is still empty as all history elements are still displayed in the History tab. Only once a history exists can elements be moved to this tab, and only those which already exist in the history.

Be aware that restarting the NAMP agent via Windows is only done in this case as we are still very early in the usage of the software. Once you have mastered a few more chapters of this manual restarting the agent will be done as explained in chapter Configuration Management Step-by-Step and the operational rule called Reboot Device.


3 To move an element to the Hidden Elements tab now select the Edit->Hide Element menu item or select the respective icon in the toolbar.
4 The Add Elements to Hide popup window appears on the screen.
5 It displays all elements which exist in the History tab.
6 Select the Logical Disk element to be removed from the general History tab.
7 Click OK to confirm and close the window.
8 The Logical Disk element will now be displayed in the table.
9 If you go back now to the History tab you will see that the table is empty.

(c) Modify Hardware Inventory Filter for a Device

The list of inventory objects is a default list that may be modified to your requirements: you may add or remove objects or modify them. This is done via the concept of Inventory Filters which exist for the hardware and software inventory. In the exercise below we will add a WMI element to the standard hardware inventory of our relay.

1 Open the Global Settings->Inventory Filters->Hardware Inventory node.
2 Then select the Edit->Create Filter menu item or click the respective icon in the icon bar to create a new hardware inventory filter.
3 The Properties popup window will appear on the screen.
4 Enter Relay Hardware Filter as the name for the new filter into the provided field.
5 Click OK to confirm and close the window.
6 The new filter will appear in the list, select it.
7 The filter has several subnodes, as you can see; select the WMI Filters node. This node displays the list of WMI classes which are in the hwinvcfg.xml file. This file is part of the hardware inventory collection; it is made to suit the user's needs.

8 As you can see in the table it lists a default set of WMI elements which are either included (ACCEPT) or not included (REJECT) in the default hardware inventory.

If other elements were already present in the table in addition to the Logical Disk element, these will remain in the list; only the Logical Disk element will disappear.


9 One element which is currently not in the default inventory but is still useful to monitor is the USB ports. Therefore browse down in your list and double-click the USB Controller value.

10 The USB Controller values are now displayed, and you can see it is currently not included in the inventory.

11 Select a table row and then the Edit->Properties menu item or click the respective icon in the icon bar.
12 The Properties popup window will appear on the screen.
13 Select the ACCEPT value from the Action drop-down list.
14 Click OK to confirm the added inventory object and close the window.
15 Now our new hardware inventory filter is set up and must be saved. To do so select the Edit->Save menu item or click the respective icon in the icon bar.
16 The filter may now be assigned to the relay. For this select the Assigned Objects->Devices node under the Relay Hardware Filter node.
17 To assign the filter to the relay select here Edit->Assign Device menu item or click the respective icon in the icon bar.
18 A confirmation window appears on the screen. Click Yes to confirm the immediate activation of the assignment.


19 The Assign to Device popup window will appear on the screen.
20 Select the All button in the left window bar.
21 Select the relay from the list.
22 Click OK to confirm the assignment and close the window.
23 The assignment process for the new filter is now directly started and will be used to generate the next hardware inventory for the relay.
24 Once the filter is assigned, i.e. the Status field displays the value Assigned, you can generate a new inventory. To do so restart the relay agent via a Remote Control connection or, if your relay is located close by, start it directly via the Services and Applications node of the Computer Management in Windows. By default the agent is configured in such a way as to generate and upload all inventories when being started.

25 Now go to your relay device under the Device Topology node and open the Inventory->Hardware Inventory node again.

26 You might have to wait a bit, as inventory generation tends to take some time.
27 Once the inventory is generated and uploaded the list should include a value called USB Controller.

Be aware that restarting the NAMP agent via Windows is only done in this case as we are still very early in the usage of the software. Once you have mastered a few more chapters of this manual restarting the agent will be done as explained in chapter Configuration Management Step-by-Step and the operational rule called Reboot Device.


28 When you double-click the entry the detailed view opens in the console displaying information for all USB slots of the device.


Chapter 3 - Queries and Device Groups Step-by-Step

The base for many operations executed in your network via the console are queries and device groups. Device groups are a way of organising all managed devices within your network. The structure defined through the groups is individual and freely configurable by the administrator. These groups may contain any type of device, i.e. clients, relays or even the master server. Devices may also be present in more than one group, for example, a Windows NT client may be in a group called NT Servers and at the same time in another group called Accounting Clients.

Groups may be created, for example, according to the following criteria:

• Geographical location of the devices: in this case the groups would be divided in the continents, countries, cities, buildings, etc.

• Corporate structure of the managed devices: The organisation through groups could contain in this case the administration and functional divisions of the company, such as Engineering, Support, Sales, Accounting, Directors, etc.

• Characteristics of the devices: this could mean a grouping according to the physical components of the clients such as the size of the RAM or hard disk, the type of the processor, etc.; the clients could be organised according to their operating systems, etc.; or they may be organised according to the function they have within the network, such as relay, first level relay, second level relay, client, etc.

Queries in Numara AMP allow for the dynamic grouping of the clients into exactly these groups as you have defined above according to the criteria that you have specified.

The out-of-the-box objects contain quite a number of queries and one device group populated by one of these queries: All Devices, which contains - as the name already implies - all devices which have a NAMP agent installed, such as the master, the relay and all clients to which the agent was rolled out.

Prerequisites

To execute the examples provided in this chapter we assume that:

• master, console and database are installed in their default directories.
• you have rolled out the NAMP agent to a number of devices as described in the Installation manual.
• a console is open and connected to the master.
• you have installed the out-of-the-box objects during the master installation.

3.1 Queries

Queries can be carried out on all Numara Asset Management Platform object types and objects (e.g. operational rules, administrators, devices, etc.) and are either based on a single or multiple criteria and their values defined by the administrator. These are used to group the target type according to certain criteria, such as for example to find all managed devices in the network that have 1024 MB of RAM and put them into a specific device group. Also they may be used in reports to define the contents of the report and find the data.


There are two types of queries in Numara Asset Management Platform: predefined criteria-based queries and free SQL queries. The examples in this chapter will include both types of queries, which serve as a base for other step-by-step examples further on, such as the operational rules, software distribution and patch management. Therefore we recommend that you stay as close as possible to the object names and their chosen options.

3.1.1 Criteria Queries

Queries may be composed of criteria which tell the agent on the targets what to check for. The criteria available to the query depend on the Type of the query, thus not all existing criteria are available all the time.

Query 1: Query Collecting All XP SP2 Devices

The first query to be created is a criteria based query which will be used for a number of objects in other examples of this section.

1 To create a query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the following data into the field and leave all others untouched.
   • Enter the name of the new query into the Name field, use All XP SP2 Devices for this case.
5 Click OK to create the query and to close the window.
6 The newly created query will directly appear in the table in the right window pane.
7 Now double-click the query in the table to access it. It will appear as a node in the left window and display its tabs and contents to the right.
8 Select the Criteria tab in the right window pane.
9 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion menu item or click the respective icon in the icon bar.
10 The Select Criterion popup window will appear on the screen. It displays the list of available criteria in its left list field.
11 Select the criterion Operating System Name.
12 The Criterion Description box below shows two fields through which you may specify the contents of the criterion. Do the following:
   a In the Operator drop-down box select the value Contains.
   b Enter XP into the Value field.
13 Click the Find button.
14 The Search Criteria popup appears on the screen. It provides the list of all operating systems found which contain XP in their name.


15 Select the provided XP operating systems and click OK.
16 The selected option will now be displayed in the Value field of the Search Criteria window.
17 Modify the Operator to Equal to.
18 Click the Add button to add the criterion to the list.
19 Now select the criterion Operating System Revision.
20 The Criterion Description box below shows two fields through which you may specify the contents of the criterion. Do the following:
   a In the Operator drop-down box select the value Contains.
   b Enter Service Pack into the Value field.
21 Click the Find button.
22 The Search Criteria popup appears on the screen. It provides the list of all operating system revisions found which contain Service Pack in their name.
23 Select the provided Service Pack 2 and click OK.
24 The selected option will now be displayed in the Value field of the Criterion Description window.
25 Modify the Operator to Equal to.
26 Click the Add button to add the criterion to the query.
27 Then click OK to confirm the new query content and to close the window.
28 All newly created queries are inactive, thus they must be activated before they can manage a group. To activate, select the green coloured option active instead of the currently displayed red option inactive in the Query Status drop-down field.

29 In the Preview tab you can see a preview of the query’s results.


Query 2: Query Finding all Operational Rules of Type Software Distribution

The second example is a query of a type other than device, namely of type operational rule. With this query we want to find all operational rules which are of type Software Distribution (to be created in the Software Distribution and Operational Rules Step-by-Step chapters later on) to use as a base for a report, also later on in chapter Reporting Step-by-Step.

1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the following data into the respective fields and leave all others untouched.
   a Enter the name of the new query into the Name field, use ORs of type SWD for this case.
   b Select from the drop-down box of the Type field the Operational Rule value.
5 Click OK to create the query and to close the window.
6 Now double-click the query in the table to access it.
7 Select the Criteria tab in the right window pane.
8 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion icon in the icon bar.
9 The Select Criterion popup window will appear on the screen.
10 Select the criterion Type.
11 The Criterion Description box below shows two fields through which you may specify the contents of the criterion.
12 In the Operator drop-down box select the value Equal to.
13 Click the Find button.
14 The Search Criteria popup appears on the screen. It provides the list of all operational rule types available.
15 Select the Software Distribution option and click OK.
16 The selected option will now be displayed in the Value field of the Criterion Description window.
17 Click the Add button to add the criterion to the query.


18 Then click OK to confirm the new query content and to close the window.
19 All newly created queries are inactive, thus they must be activated before they can manage a group. To activate, select the green coloured option active instead of the currently displayed red option inactive in the Query Status drop-down field.

20 In the Preview tab you can see a preview of the query’s results.

Query 3: Reverse Query Finding all Devices without Firefox

This example query finds all devices on which the Firefox browser is NOT installed.

1 Go to the Queries top node.
2 Create a new query of type Device called Devices without Firefox.
3 To define the new criteria for the query choose the Edit->Add Criterion menu item or click the respective icon in the icon bar.
4 The Select Criterion popup window will appear on the screen.
5 Open the Software Inventory - Installed Software folder and select the Name option from the list.
6 Select the Contains option for the Operator, type Firefox in the Value field and click the Find button in the Criterion Description box.
7 The Search Criteria popup appears on the screen with all applications that contain Firefox in their name.


8 Select the Firefox option and click OK.
9 The selected option will now be displayed in the Value field of the Criterion Description window.
10 Click the Add button to add the criterion to the query.
11 Now select the Version option from the Installed Software folder.
12 Select the Starts with option for the Operator, type 2 in the Value field and click the Add button.
13 Then click OK to confirm the new query content and to close the window.
14 Check the Reverse Query Result box.

15 To activate select the green coloured option active instead of the currently displayed red option inactive in the Query Status drop-down field.

16 Go to the Preview tab to see a preview of the query’s results.

Query 4: Query Finding All Updated Devices

This query will find all devices that were updated within a certain time frame; for our example we will select one month.

1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the name of the new query into the Name field, use Updated Devices for this case.
5 Click OK to create the query and to close the window.
6 Now double-click the query in the table to access it.
7 Select the Criteria tab in the right window pane.
8 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion icon in the icon bar.
9 The Select Criterion popup window will appear on the screen.
10 Select the criterion Last Update.

If the query results are not reversed, the query will find all devices on which Firefox version 2 is installed; our task here, however, is to find all those on which it is not yet installed.


11 The Criterion Description box below now shows additional fields through which you may specify the contents of the criterion.

12 In the Operator drop-down box select the value Greater than or equal.
13 Select the newly appeared Timeframe radio button.
14 Leave the preentered time value in the field next to it, -1 for one month ago.
15 Then select the corresponding unit from the drop down list to the right, Month.
16 Click the Add button to add the criterion to the query.
17 Then click OK to confirm the new query content and to close the window.
18 All newly created queries are inactive, thus they must be activated before they can manage a group. To activate, select the green coloured option active instead of the currently displayed red option inactive in the Query Status drop-down field.

19 In the Preview tab you can see a preview of the query’s results.

3.1.2 Free SQL Queries

This type of query can be freely composed in SQL syntax according to your requirements. It may be assigned to populate device groups and be used as the base for subreports; such queries may also be selected as static and dynamic objects within administrator or group security profiles.


Query 5: Devices On Which Word And Excel Are Installed

In this example we need to use a free query as we try to find devices which have both Word and Excel installed. For this a software inventory table needs to be called twice, and this is not possible via the criteria.

1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the required data into the following two fields and leave all others untouched.
   a Enter the name of the new query into this field, use Devices with Word and Excel for this case.
   b Check the field Free Query.
5 Click OK to create the query and to close the window.
6 The newly created query will directly appear in the table in the right window pane.
7 Now double-click the query in the table to access it. It will appear as a node in the left window and display its tabs and contents to the right.
8 Select the SQL tab in the right window pane.
9 Enter the following query into the Sql Query text field:

SELECT DeviceName FROM Devices, SoftwareInventory s1, SoftwareInventory s2 WHERE Devices.DeviceId=s1.DeviceId and s1.name like '%Word%' and s2.name like '%Excel%' and Devices.DeviceId=s2.DeviceId

10 Once the query is entered verify that the syntax and spelling are all correct.
11 For this select the Edit->Verify SQL menu item or click the respective icon in the icon bar.
12 The database will verify your syntax and display the result in the Sql Result field below. It will provide information regarding any errors it found, the detail level of which is based on your database system.

SQL-based queries may be used to define very specific cases which cannot be expressed via the provided criteria, such as finding more than one value of the same type.

The query must start with SELECT.

The content of the query is case sensitive.

The FROM must include the base table linked to the query type: if the type is Device, the query needs to include the Device table.

The query cannot include the following operators: COUNT, SUM, AVERAGE, MAX, MIN, as well as SQL commands such as UNION, INTERSECT, EXCEPT, MINUS, etc.


13 Now that the query is finished and correct save it by selecting the Edit->Save Query menu item or click the respective icon in the icon bar.
14 The SQL query will be saved to the database.
15 All newly created queries are inactive, thus they must be activated before they can manage a group. To activate select the green coloured option active instead of the currently displayed red option inactive in the Query Status drop-down field.
16 Go to the Preview tab of the query.
17 Here you can see the list of all devices which fulfil the criteria of the free query you just created.
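
The self-join from Query 5 and the free-query restrictions listed above, as an added Python example (not part of the manual or the product): it pre-checks query text against those rules and runs the manual's query on a constructed SQLite database, showing that a device with two Word-matching inventory rows is returned twice unless DISTINCT is added. The table layout, the sample rows and the helper names are assumptions.

```python
import re
import sqlite3

# Operators and commands the manual lists as not allowed in a free query.
FORBIDDEN = ("COUNT", "SUM", "AVERAGE", "MAX", "MIN",
             "UNION", "INTERSECT", "EXCEPT", "MINUS")

# The Word-and-Excel query exactly as given in the manual.
PAGE_QUERY = (
    "SELECT DeviceName FROM Devices, SoftwareInventory s1, SoftwareInventory s2 "
    "WHERE Devices.DeviceId=s1.DeviceId and s1.name like '%Word%' "
    "and s2.name like '%Excel%' and Devices.DeviceId=s2.DeviceId"
)
# Variant with DISTINCT, which the manual uses in its Clients and Relays query.
DISTINCT_QUERY = PAGE_QUERY.replace("SELECT ", "SELECT DISTINCT ", 1)


def precheck_free_query(sql, base_table="Devices"):
    """Check query text against the documented free-query rules.

    Returns a list of violations (empty when the text passes). This is a local
    pre-check only; the console's Verify SQL remains the authoritative test.
    """
    problems = []
    # Blank out string literals so that a search pattern such as '%Max%'
    # is not mistaken for the MAX operator.
    text = re.sub(r"'(?:[^']|'')*'", "''", sql)

    # Assumption: keywords are matched regardless of case (the stricter reading).
    if not re.match(r"\s*SELECT\b", text, re.IGNORECASE):
        problems.append("query must start with SELECT")

    for word in FORBIDDEN:
        if re.search(r"\b%s\b" % word, text, re.IGNORECASE):
            problems.append("forbidden operator or command: " + word)

    # The FROM clause must name the base table of the query type.
    match = re.search(r"\bFROM\b(.*?)(?:\bWHERE\b|\bORDER\s+BY\b|$)",
                      text, re.IGNORECASE | re.DOTALL)
    tables = re.findall(r"\w+", match.group(1)) if match else []
    if base_table not in tables:
        problems.append("FROM clause does not include base table " + base_table)
    return problems


def build_sample_db():
    """In-memory database with constructed rows; the schema is assumed from
    the table and column names used in the manual's query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Devices (DeviceId INTEGER PRIMARY KEY, DeviceName TEXT);
        CREATE TABLE SoftwareInventory (DeviceId INTEGER, name TEXT);
        INSERT INTO Devices VALUES
            (1, 'PC-ALPHA'), (2, 'PC-BRAVO'), (3, 'PC-CHARLIE'), (4, 'PC-DELTA');
        INSERT INTO SoftwareInventory VALUES
            (1, 'Microsoft Office Word 2007'), (1, 'Microsoft Office Excel 2007'),
            (2, 'Microsoft Office Word 2007'),
            (3, 'Microsoft Office Excel 2007'),
            (4, 'Microsoft Office Word 2007'), (4, 'Microsoft Word Viewer'),
            (4, 'Microsoft Office Excel 2007');
    """)
    return conn


def device_names(conn, sql):
    """Run a query that passes the pre-check and return sorted device names."""
    problems = precheck_free_query(sql)
    if problems:
        raise ValueError("; ".join(problems))
    return sorted(row[0] for row in conn.execute(sql))


if __name__ == "__main__":
    db = build_sample_db()
    print(device_names(db, PAGE_QUERY))      # PC-DELTA appears twice
    print(device_names(db, DISTINCT_QUERY))  # one row per device
```
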

3.2 Device Groups

Device groups may be static or dynamic:

• Static groups are populated ’by hand’, i.e. the administrator individually selects the group’s members and adds them.

• Dynamic groups are populated by queries or a directory server and their members are reevaluated at regular intervals.

Both types of device groups, static and dynamic, are created directly under the Device Groups node or, if they are based on a query, they may be created directly from the query.

The examples in this chapter will include both types of groups, which serve as a base for other step-by-step examples further on, such as the operational rules, software distribution and patch management. Therefore we recommend that you stay as close as possible to the object names and their chosen options.


Device Group 1: Static Device Group

A static device group is created directly under the Device Groups node, and as long as it does not contain any members it may still become a dynamic group by assigning a query or a directory server to it. To create a new device group proceed as follows:

1 Select the Device Groups top node.
2 Then either select the Edit->Create Device Group menu item or select the respective icon in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter a name for the new group, for example, All My Devices.
5 The drop-down list below this field defines what is displayed under the group's node in the hierarchy tree in the left window pane: only the members of the group, only the subnodes providing additional information on the group, or both. Leave this value at All to display everything.
6 Click the OK button at the bottom of the window to confirm the new group.
7 It will now appear in the right window pane in the Members tab.
8 Select the new group and go to its Member tab, which is still empty.
9 You may now manually add the group’s members by selecting the Edit->Add Device menu item or the respective icon in the icon bar.
10 The Select a Device dialog box will appear on the screen.
11 Select some devices which are to be added to the device group from the Available Objects box, e.g., the master and the relay.
12 Click OK to add the devices to the device group and close the window.
13 The table in the right hand side will now display all the newly defined member devices.


Device Group 2: Create a Device Group from a Query

If the device group to be created is based on a query it may be created directly from the query:

1 For this go to the Queries top node and select the directories Operating Systems and Windows.
2 Go to the folder's Members tab and there select the query Windows XP Devices in the table to the right.
3 Then either select the Edit->Create Device Group or select the respective icon in the toolbar.
4 The new group will be automatically created directly under the Device Groups top node with the same name as that of the query, i.e. Windows XP Devices, with the query assigned to it being of Status active.
5 You will find the group under the group assignments of the query. To display it click the cross next to the Windows XP Devices node to display its subnodes.
6 Select the Dynamic Groups->Device Groups node and in the right pane you will see the newly created Windows XP Devices group.
7 You may also see the group if you go to the Device Groups node. There you will see that the group type is indicated by its icon, i.e. a query based group.
8 If the new group is not yet displayed click the Refresh icon.


9 Then select the group in the left window pane and go to the group’s Members tab.
10 It will display all those managed devices of your network corresponding to the criteria set up in the query.

Device Group 3: Device Group Managed by Several Queries

Sometimes it is not possible to put all criteria for a device group in one query. Therefore the target group must be managed by more than one query. For an example later on we need a group finding all client devices on which the Firefox browser is not installed.

1 Select the Device Groups top node.
2 Then either select the Edit->Create Device Group menu item or select the respective icon in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter a name for the new group, for example, All Client Devices without Firefox.
5 Click the OK button at the bottom of the window to confirm the new group.
6 Open the group’s Dynamic Population->Queries node.


7 Select the Edit->Assign Query menu item or the respective icon in the icon bar.
8 The Assign a Query dialog box will appear on the screen.
9 Click the All button on the left.
10 Select both the Client Devices and Devices without Firefox queries, then click OK.
11 Contrary to queries, groups are active immediately.
12 Go to the group’s Members tab to see which devices the query found.
13 Refresh if no members are displayed yet.

Be careful not to modify the query operator in this case; it must remain AND. If you modify it to OR, the device group will contain all devices with XP SP2 as their operating system as well as all those on which Firefox is installed.


3.3 Options

The following paragraphs provide a number of options for the query as well as the device group application in the Numara Asset Management Platform and its functionalities.

3.3.1 Query Options

Below you will find a number of options regarding the queries.

(a) Duplicate Query and Modify its Criteria

Once a query is created and assigned it may still be modified if needed. Also, it may be used as a base for other more specific queries as in our following example. We will duplicate the query All XP SP2 Devices and make it more specific so it will find all XP client devices:

1 Go to the Queries top node.
2 Select the All XP SP2 Devices query in the table to the right.
3 Then select the Edit->Copy icon in the toolbar.
4 The query and all its properties have been copied to the clipboard.
5 Now select the Edit->Paste icon in the toolbar.
6 The query and all its properties will be added to the current console location with the same name increased by 1, i.e. All XP SP2 Devices (1).
7 Now you can rename the query and edit and adapt it.
8 Select the All XP SP2 Devices (1) in the table.
9 Then select the Edit->Properties... icon in the toolbar.
10 The Properties dialog box appears on the screen.
11 Change its name to All XP SP2 Clients.
12 Double-click the All XP SP2 Clients query.
13 Select the Criteria tab in the right window pane.
14 The table already contains the criteria defined for query All XP SP2 Devices, i.e. that the operating system must be Windows XP. For this new query we still want Windows XP SP2 Devices but under the condition that they are of topology type Client, i.e. the query is not to collect the master and the relay.
15 To define the new criteria for the query choose the Edit->Add Criterion menu item or click the respective icon in the icon bar.
16 The Select Criterion popup window will appear on the screen.
17 Select the Topology Type item from the list and click the Find button in the Criterion Description box.
18 The Search Criteria popup appears on the screen. It provides the list of all topology types available.


19 Select Client option and click OK.
20 The selected option will now be displayed in the Value field of the Criterion Description window.
21 Click the Add button to add the criterion to the query.
22 Then click OK to confirm the new query content and to close the window.
23 In the table you can now see all criteria.
24 Reactivate the query again. Every time a query is modified it becomes inactive automatically and must be reactivated.
25 Go to the Preview tab of the query.
26 Here you should see now the list of all clients with Windows XP SP2 apart from the master and the relay device.
27 Select the new query in the left window pane and click the Create Device Group icon to create the corresponding group.

(b) Convert Criteria Query to Free Query

Criteria-based queries may be converted to free queries, but not the other way round. This may come in handy if, for example, you find that the options provided by the list of existing criteria are not specific enough for the query you would like to create. For our example we will convert the Client Devices query to a free query because we want to not only find all clients but also the relays.

To convert a criteria query to an SQL query proceed as follows:

1 Open the Queries->Numara Asset Management Platform Architecture node and select the Members tab.
2 Duplicate the Client Devices query (see Option (a) above).
3 Then select the new query and the Edit->Properties... icon in the toolbar.
4 The Properties dialog box appears on the screen.
5 Change its name to Clients and Relays and check the Free Query box.
6 Click OK.
7 In the appearing confirmation window click Yes.
8 Double-click the Clients and Relays query.
9 Select the SQL tab in the right window pane.
10 In the Sql Query box you can see the translation of the selected criterion to general SQL syntax.
11 Modify the displayed syntax to the following:

SELECT DISTINCT Devices.DeviceName FROM Devices WHERE ((Devices.TopologyType =N'_DB_DEVTYPE_CLIENT_') OR (Devices.TopologyType =N'_DB_DEVTYPE_RELAY_')) ORDER BY Devices.DeviceName ASC

12 Once the query is entered verify that the syntax and spelling are all correct by selecting the Edit->Verify SQL menu item or click the respective icon in the icon bar.

13 The database will verify your syntax and display the result in the Sql Result field below. It will provide information regarding any errors it found, the detail level of which is based on your database system.


14 Now that the query is finished and correct save it by selecting the Edit->Save Query menu item or click the respective icon in the icon bar.
15 The SQL query will be saved to the database.
16 All modified queries are inactive as well and therefore must be reactivated before they can be used. To activate select the green coloured option active instead of the currently displayed red option inactive in the Query Status drop-down field.
17 Go to the Preview tab of the query.
18 Here you can see the list of all devices which fulfil both criteria of the free query, i.e. all your devices with the exception of the master.
19 Select the new query in the left window pane and click the Create Device Group icon to create the corresponding group.

3.3.2 Device Group Options

In the following paragraphs you will find options regarding the device group usage.

(c) Convert a Static Group to a Dynamic Group

You may convert a group from static to dynamic to always maintain it at its most accurate membership level like in the following example for the group All My Clients, which was created before.

1 For this you first need to remove all devices you just added manually.
2 To do so open the node Device Groups->All My Clients and go to the Members tab.
3 Select all members in the right window pane.
4 Then select the Edit->Delete Member menu item or the respective icon in the icon bar.
5 A confirmation window appears on the screen.
6 Select OK to confirm the removal.
7 Then select the Dynamic Population subnode in the left window pane.
8 Choose the Queries node among its children.
9 Select the Edit->Assign Query menu item or the respective icon in the icon bar.
10 The Assign a Query dialog box will appear on the screen.
11 Click the All button on the left side bar to display the list of all available queries.
12 Select the query called Client Devices from the list. This query will find all devices in your network which have the Topology Type Client.
13 Click OK to add the query to the selected device group and close the window.
14 If you now return to the Members tab of the group and refresh it, you will find it populated with all the devices on which the rollout was successfully installed, but neither the master nor the relay device.

You may also convert dynamic groups to static groups. In this case the query membership remains at the situation of the last dynamic update of the query, i.e. it retains all its members it comprised at the moment the query was converted.


15 Also you can see that the icon has changed from the static group icon to the dynamic query group icon.


4 Configuration Management Step-by-Step

Configuration Management in the Numara Asset Management Platform is executed via the concept of operational rules. Operational rules define how and in which way the NAMP functions are to be performed. These rules are made up of a series of commands executed by the agent. A single operational rule can perform more than one operation, called “step”. The steps are divided into several categories according to target and function.

As shown in the graphic below, the operational rule process consists of the following individual steps:

1 Create the operational rule (1)
2 Assign the rule to the target and send the assignment (2, 3)
3 The rule arrives on the target and is executed (4, 5)
4 The target sends the execution status to the master (6).

[Figure: operational rule process between the Master and the Target Client: (1) Create Operational Rule, (2) Assign Target Device, (3) Send Assignment, (4) Pull Operational Rule to Target Device, (5) Execute Operational Rule, (6) Send Status]

The examples in this chapter will serve as a base for other step-by-step examples further on, such as the software distribution and patch management. We therefore recommend that you stay as close as possible to the object names and their chosen options.

Prerequisites

We assume that:

• the master, console and database have been installed.
• the master and console have been installed in their default installation directory.
• a console is open and connected to the master.
• you have rolled out the NAMP agent to a number of devices as described in the Installation manual.
• you have already done the exercises in the preceding Queries/Device Groups Step-by-Step chapter to execute some of the options in the second part of the chapter.

4.1 Operational Rule Examples

The following paragraphs provide you with a number of sample operational rules to execute in your network. Specifically we will create the following rules:

1 Inventory Management Rule: This operational rule will contain a number of steps which create and update the Patch, Security and Custom Inventory.

2 Start Program Rule: This rule will launch the calculator on a device after the device’s user has given his ok to the operation.

3 OR Synchronisation Rule: This rule will synchronise the operational rules at the agent startup.


4 Customised Form Rule: This rule will request the local user to provide some information to be entered into the custom inventory.

5 Reboot Device Rule: This rule reboots a device, also with user confirmation, for example after a patch application or software distribution.

Rule 1: Inventory Management

Most inventory types in the Numara Asset Management Platform are or can be maintained and updated via operational rules. We will be creating the rule in this example and it will:

• Update the Patch Inventory, i.e. the Patch Inventory will display all patches which are applicable to the OS of the individual device but are not installed.

• Create a Security Inventory, i.e. it will collect specific information relevant to the security of the device, such as installed Firewall and installed Antivirus.

• Upload a number of parameters of the device which are collected in the Custom Inventory, such as the Monitor Manufacturer Information, a number of ini and registry values.

This operation is composed of the following actions:

1 Create Operational Rule via the Operational Rule Creation Wizard
2 Execute the Operational Rule on the Relay
3 Monitor Execution
4 Verify Inventories

Step 1: Create Operational Rule via the Operational Rule Creation Wizard

The first action to take is to create the operational rule. This rule will contain the following steps:

a Patch Inventory:
   Analyse Patch Situation

b Security Inventory:
   Installed Antivirus
   Installed Firewalls
   Shared Resources
   Windows Start-up Programs
   Windows Update Status
   Update Security Inventory

c Custom Inventory:
   Collect Environment Variable Value
   Collect Ini File Value
   Collect Registry Key Value
   Monitor Manufacturer Information
   Upload Custom Inventory

To create this operational rule proceed as follows:

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1a: Definition

In this first step the operational rule to be created must be defined via its parameters.

1 Enter Inventories into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required for this rule.

All operational rules are also available on the Maintenance pages of the agent for direct local application, see Option (d).


3 Click the Next button to continue.

Step 1b: Steps

Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this window you will select the steps to execute.

1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 It displays the list of available steps in its Available Steps box. When you click a step a description will appear in the text field at the bottom of the window.
4 To add the steps for the rule proceed as follows:

a Patch Management Steps:

   1 Double-click the Patch Management folder.
   2 Select the step Analyse Patch Situation and click the Add button.
   3 The Properties dialog box appears on the screen. In addition to the preselected options also check the Force Upload option:

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option (c) now.


   4 Click OK.
   5 The step is now added to the list of Selected Objects.
   6 This step will update the patch inventory for all targets.

b Security Inventory Steps:

   1 Now, to add the steps for the Security Inventory double-click the Security Inventory folder.
   2 As the first step select Installed Antivirus and click the Add button.
   3 Click OK to add it to the list.
   4 Next select step Installed Firewalls.
   5 Click OK to add it.
   6 Next select step Shared Resources.
   7 Again this step has no parameters to define so only click OK in the Properties dialog box to add it.
   8 Next select step Windows Start-up Programs.
   9 Again this step has no parameters to define so only click OK in the Properties dialog box to add it.
   10 Next select step Windows Update Status.
   11 Again this step has no parameters to define so only click OK in the Properties dialog box to add it.
   12 All steps collecting inventory data have now been added to the rule, however another step is required to upload all this collected data to the master database. For this select the Inventory Management group.
   13 Select step Update Security Inventory and click the Add button.
   14 In the appearing Properties dialog box check the following additional options:

Upload after update


Force Upload

15 Click OK to confirm it.

   16 All steps for creating an initial Security Inventory have been added now.

c Custom Inventory Steps:

   1 To add the steps for the Custom Inventory double-click the Custom Inventory folder.
   2 As the first step select Collect Environment Variable Value and click the Add button.
   3 The Properties dialog box appears on the screen. Enter the following data in the respective fields:

Environment Variable: PATH
Custom Inventory Instance Name: Variable

   4 Click OK.
   5 For the second step select the Collect Ini File Value. Click the Add button.
   6 In the appearing Properties dialog box enter the following values for the requested parameters:

File Path: C:\Program Files\Numara Software\Numara Asset Management Platform\Client\config\mtxagent.ini

Section Name: Security
Entry Name: SSL
Custom Inventory Instance Name: Type of Agent Communication (SSL Mode)
Entry Type (String or Integer): Integer

Make sure the Update Inventory step is always the last step in any type of inventory collection, as the steps are executed in the specified order; if you put it somewhere in the middle, the data collected after the upload step will not be uploaded to the master and the database.

These two values, Section Name and Entry Name, must always be entered exactly as they appear in the configuration file, otherwise the agent will not be able to find them in the ini file and thus cannot upload them.


   7 Click OK to add the step.
   8 As the next step select Collect Registry Key Value. Click the Add button.
   9 In the appearing Properties dialog box enter the following values for the requested parameters:

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: ProductName
Custom Inventory Object Name: Windows Version
Custom Inventory Instance Name: Product Name

   10 Click OK to add the step.
   11 As the next step select Monitor Manufacturer Information. Click the Add button.
   12 In the appearing Properties dialog box leave all preselected values.

If you would like more information on this registry key, repeat steps 8-10 for the same key and values: CurrentVersion and CSDVersion, see Option (f).


   13 Click OK to add this last step.
   14 All steps collecting inventory data have now been added to the rule, however another step is required to upload all this collected data to the master database. For this select the Inventory Management group.
   15 Select step Update Custom Inventory and click the Add button.
   16 In the appearing Properties dialog box check the options Upload after update and Force Upload.
   17 Click OK to confirm it.
   18 Now click OK to confirm the list of steps and their order of execution of the operational rule.


5 Now click the Finish button to confirm the settings of the new operational rule.
6 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 2: Execute the Operational Rule on the Relay

The operational rule is now created and must be assigned to the devices, in our example the relay, on which to execute via the Operational Rule Distribution Wizard.

Step 2a: Operational Rule

In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options:

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.

2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the relay.

3 Leave all other options as they are.

4 Click Next to continue.

Step 2b: Assigned Devices

To assign the rule to the relay proceed as follows:

1 To do so select the Assign Device icon above the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the relay from the list.

If you want to schedule the rule to execute at a specific date and time and/or at regular intervals, uncheck the Default Schedule option, and then see Option (a).

To manually modify the execution schedule after an initial execution follow the wizard explanations without any optional modifications and then see Option (b).


4 Click OK to confirm and close the window.
5 The relay will be added to the list of assigned devices.
6 Click Finish to confirm the assignment and launch the rule execution with the default schedule, i.e. once immediately.
7 The last option provided by the wizard is to go directly to the object. For our example we will directly activate the rule and change the focus to it, therefore check the Go to Operational Rule box and click Yes, to directly activate the rule.

Step 3: Monitor Execution

The execution can be monitored from several locations. For our example here we remain under the Devices node.

1 In the right window you can see the relay and the Status column. Currently this status should be Assignment Waiting.

2 Once the assignment is done the status will change to Ready to run, to indicate that now the scheduling of the actual operational rule step is being executed.

3 Once the operational rule has executed on the relay, i.e. it has collected all the requested information and updated the database with it, your Status field should have changed to Executed.


Step 4: Verify Inventories

Once the rule is executed the results, i.e. the generated inventories, may be inspected. To do so proceed as follows:

1 Open the node Device Topology->Master->Relay->Inventory.
2 The table in the right window pane lists all possible types of inventory and you can see the date at which the inventories were updated last, i.e. if your operational rule was already executed.
3 Select the Custom Inventory node.
4 Now the table should display the following objects in addition: Configuration Values, Screen Information, System and Windows Version.
5 Double-click each of the entries to find out what information they contain.
6 Then select the Security Inventory node.
7 Below you should find one entry for each of the steps of the executed operational rule. Refresh if the entries are not displayed yet.
8 Double-click each of the entries to find out what information they contain.

If the status reads Execution failed, you may have entered a wrong path for one of the step parameters.


9 Now select the Patch Inventory node and the Missing Patches node below.
10 The table in the right window pane will display the list of all patches which are applicable to the operating system of your relay, i.e. Windows XP, but have not yet been installed. For information on how to rectify this situation see chapter Patch Management Step-by-Step.

11 The node Missing Service Packs displays the list of service packs which are missing for the relay.

Rule 2: Start Program

In this example we will create a rule that might launch the calculator on the master device if the user, i.e. you, decides to do so. This operation is composed of the following actions:


1 Create Operational Rule
2 Assign the Operational Rule to the Master
3 Monitor Execution

Step 1: Create Operational Rule

The first action to take is to create the operational rule. This rule must contain two steps:

• A message box which will appear on the window and in which the user has the choice if they want to launch the execution
• The step launching the execution itself.

To create this operational rule proceed as follows:

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1a: Definition

In this first step the operational rule to be created must be defined via its parameters.

1 Enter Execute Calculator into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required for this rule.
3 Click the Next button to continue.

Step 1b: Steps

Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this window you will select the steps to execute.

4 Click the Add Step icon on top of the list field.
5 The Select a Step popup window will appear on the screen.
6 It displays the list of available steps in its display window.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option (c) now.


7 Double-click the User Message Box folder.
8 Select the step User Acknowledgement via Message Box and click the Add button.
9 The Properties dialog box appears on the screen. Enter the following data in the respective fields:

Stop Condition: Select the Stop on failed step value from the drop-down list.
Message Title: Execute Calculator
Message Text: Do you want to launch the calculator now on your device?
Validation Button Label: OK
Cancel Button Label: Cancel
Tentatives: 2
Retry Interval: 2

10 Click OK. This message box allows the user to execute or cancel the execution.
11 Now, to add the second step double-click the Process Management folder and select the Execute Program step. Click the Add button.
12 The Properties dialog box appears on the screen. Enter the following data in the respective fields:

Executable Path: C:\WINDOWS\system32\calc.exe (for Windows XP devices)
Leave all other fields untouched.

Page 62: Getting Started

62 - Numara Asset Management Plattform - Operational Rules

13 Then click OK to add the step and then OK again to confirm the list of steps and to close the window.14 In the list field you can now see both steps.

15 Now click the Finish button to confirm the settings of the new operational rule.16 A confirmation window appears on the screen which allows you to directly

continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 2: Assign the Operational Rule to the Master
The operational rule is now created and must be assigned to the devices on which to execute, in our example the master.

Step 2a: Operational Rule
In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options:

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.

2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the relay.

3 Leave all other options as they are.

If you want to schedule the rule to execute at a specific date and time and/or at regular intervals, uncheck the Default Schedule option, and then see Option (a).

4 Click Next to continue.

Step 2b: Assigned Devices
To assign the rule to the master proceed as follows in this window:

5 Select the Assign Device icon above the list window.
6 The Select a Device popup window will appear on the screen.
7 Go to the All tab and select the master.
8 Click OK to confirm and close the window.
9 The device will be added to the list field in the wizard window.
10 Click the Finish button to confirm the assignment and execute.
11 The last option provided by the wizard is to go directly to the object. For our example we will directly activate the rule and change the focus to it, therefore check the Go to Operational Rule box and click Yes, to directly activate the rule.

Step 3: Monitor Execution
To monitor the execution you need to have the target device in your visual range as well as the console window, if you assigned the rule to another device than the master.

1 To check the status of execution select again the Devices node in the left window pane.
2 In the right window you can see the target device and a column called Status. Currently this status is Assignment Waiting.
3 Once the assignment is done the status will change to Ready to run, to indicate that now the scheduling of the actual operational rule step is being executed.
4 Check the screen of your target device for the appearance of the message box.
5 Once it appears click the Cancel button. The message box disappears and reappears two minutes later.
6 This time click OK and wait for the appearance of the Calculator.
7 Once it is on the screen check your Status field again and you will see that it has changed to Executed.
8 If you refused to launch the calculator twice, the status will change to Execution failed, as the rule could not be completely executed.

If the status reads Execution failed, you may have entered a wrong path to the calculator.

Rule 3: OR Synchronisation
This rule will synchronise the operational rules at the agent startup between those available on the master for the agent and those actually present on the agent, to make sure none of them get lost and the agent always has the most up-to-date set of rules available.

When the client receives a synchronisation request it sends back the list of its own operational rules linked to a checksum. The master then creates an up-to-date list of the device’s operational rules and checks these with the list it received. If an operational rule on the list from the device does not exist any more, the master sends an order to the device to delete it; if a more recent version of an operational rule exists on the master, i.e. the checksums on the master and the client are not identical, an update order will be sent to the device; and if a rule is absent on the client but present on the master, then an assign order will be sent to the client device. Any rule which is ‘paused’ will not be taken into account.

This rule is created and assigned via the Operational Rule Creation and Operational Rule Distribution wizards and consists of the following steps:

1 Create Operational Rule
2 Assign the Operational Rule to the Master
3 Verify Result

This step-by-step instruction may be adapted and applied for all types of synchronisation available in Numara Asset Management Platform.
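The comparison described for Rule 3 above, as an added Python example (not Numara's code). It assumes one checksum per rule, SHA-256 as the checksum algorithm, and that a paused rule produces no order at all; the class and function names are hypothetical and the rule lists are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


def rule_checksum(definition: str) -> str:
    """Checksum of a rule definition. SHA-256 is an assumption; the manual
    does not name the algorithm the product uses."""
    return hashlib.sha256(definition.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class MasterRule:
    checksum: str
    paused: bool = False


def plan_sync_orders(master_rules, client_rules):
    """Compare the agent's reported rules with the master's list for it.

    master_rules: dict name -> MasterRule (what the device should have)
    client_rules: dict name -> checksum   (what the agent reported)
    Returns a sorted list of (order, rule_name) tuples.
    """
    orders = []
    for name, reported in client_rules.items():
        rule = master_rules.get(name)
        if rule is None:
            # Rule no longer exists for this device on the master.
            orders.append(("delete", name))
        elif rule.paused:
            # Assumption: paused rules are skipped entirely.
            continue
        elif rule.checksum != reported:
            # Any difference, including a locally altered rule, is overwritten.
            orders.append(("update", name))
    for name, rule in master_rules.items():
        if name not in client_rules and not rule.paused:
            orders.append(("assign", name))
    return sorted(orders)


def demo_orders():
    """Constructed sample: Execute Calculator was unassigned while the agent
    was stopped, Inventory Management changed on the master, Employee
    Information is new, and Reboot is paused with a stale copy on the agent."""
    master = {
        "OR Synchronisation": MasterRule(rule_checksum("sync v1")),
        "Inventory Management": MasterRule(rule_checksum("inventory v2")),
        "Employee Information": MasterRule(rule_checksum("form v1")),
        "Reboot": MasterRule(rule_checksum("reboot v2"), paused=True),
    }
    client = {
        "OR Synchronisation": rule_checksum("sync v1"),
        "Inventory Management": rule_checksum("inventory v1"),
        "Execute Calculator": rule_checksum("calc v1"),
        "Reboot": rule_checksum("reboot v1"),
    }
    return plan_sync_orders(master, client)


if __name__ == "__main__":
    for order, name in demo_orders():
        print(f"{order:6} {name}")
```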

Step 1: Create Operational Rule
1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1a: Definition
In this first step the operational rule to be created must be defined via its parameters.

1 Enter OR Synchronisation (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required for this rule.

3 Click the Next button to continue.

Step 1b: Steps
Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this window you will select the steps to execute.

1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Agent Configuration and select the step Rule Synchronisation.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option (c) now.

4 Click the Add button to confirm.
5 The Properties dialog box appears on the screen.
6 Leave all preselected options checked and check in addition the last option Bypass Transfer Window.
7 Then click OK to add the step to the list and close the window.
8 Click OK again to confirm the list of steps for the operational rule and close the window.
9 Now click the Finish button to confirm the settings of the new operational rule.
10 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 2: Assign the Operational Rule to the Master
The operational rule is now created and must be assigned to the devices on which to execute, in our example the master.

Step 2a: Operational Rule
In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options:

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.

2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the relay.

3

4 Leave all other options as they are.

If you want to schedule the rule to execute at a specific date and time and/or at regular intervals, uncheck the Default Schedule option, and then see Option (a).

5 Click Next to continue.

Step 2b: Assigned Devices
The operational rule is now created and must be assigned to the devices on which to execute, in our example the master.

1 To do so select the Assign Device icon on top of the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the master.
4 Click OK to confirm and close the window.
5 The device will be added to the list field in the wizard window.
6 Click the Finish button to confirm and close the wizard.
7 The last option provided by the wizard is to go directly to the object. For our example we will directly activate the rule and change the focus to it, therefore check the Go to Operational Rule box and click Yes, to directly activate the rule.

Step 3: Verify Result
The rule execution may be monitored as usual under the Devices node of the assigned device. To see what this rule actually does, we will interrupt the assignment of an operational rule and simulate an unscheduled restart of the device, by stopping the agent service.

1 For this go to the Computer Management->Services and Applications window of Windows.
2 Select the Numara Asset Management Platform Agent in the list of services.
3 Then open the node Device Topology->Relay->Assigned Objects->Operational Rules.
4 Select the Execute Calculator rule in the right window pane and then select the icon Unassign Operational Rule.
5 In the appearing confirmation window click Yes, to confirm the unassignment.
6 Now the unassignment is waiting to be executed.
7 Now quickly go to the Computer Management->Services and Applications window and stop the Numara Asset Management Platform Agent service.
8 Now the unassignment has been sent, but it should not yet have arrived on the agent, therefore the rule will still be available on the system.
9 Now, when you restart the NAMP agent service, the agent will execute a synchronisation of all its rules with the master’s list of rules for it. It will find that the Execute Calculator rule is no longer on the list and will unassign it.

Rule 4: Customised Form
This step creates a form to update the custom inventory of the local target client. Once the rule is executed a browser window opens on the target, in which a form with several fields is to be filled in by the local user. The form has two buttons, OK to confirm the filled-in form and Later to postpone filling in the values. Once the form is completed and confirmed the custom inventory .xml file is updated with the new information. This newly added information will be added to the custom inventory in the console and the agent interface pages at the next update. The fields are prefilled for a personal information form.

For our following example we will create a form in which we ask the user to fill in his personal office data. For this the following operations need to be executed:

1 Create Employee Information Rule
2 Assign Operational Rule to Master
3 Fill in the Customised Form
4 Custom Inventory - Verify Result

Step 1: Create Employee Information Rule
The rule we will create for this example will contain the following steps:

• Send Customised Form - this step defines all the fields the user is requested to fill in.
• Update Custom Inventory - this step generates the new custom inventory and uploads it from the agent to the master, so it can be displayed in the console.

This rule is created and assigned via the Operational Rule Creation and Operational Rule Distribution wizards.

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1a: Definition
In this first step the operational rule to be created must be defined via its parameters.

1 Enter Employee Information into the Name field. This value will be used as the entry name for the custom inventory entry.

2 Click the Next button to continue.

Step 1b: Steps
In this window you need to select the steps to execute.

1 Select the Add Step icon on top of the list field.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option (c) now.

2 The Select a Step popup window will appear on the screen.
3 Expand the item User Message Box and select the step Send Customised Form.
4 Click the Add button to confirm.
5 The Properties dialog box appears on the screen.
6 Enter the following values into the respective fields:

Title
Enter the title of the form into this field, e.g. Employee Information.

Header Text
The field should contain a short explanatory text for the local user regarding the fields of the form below, e.g. Please fill in the fields of the following form:.

Form Fields
This field contains the semi-colon separated list of fields of the form to be filled in, as they are displayed in the HTML page to the user. For our example we will leave the first two values and then add some more: Name;First Name;Badge ID;Department;Office;Country;Phone Extension.

Form Field Data Type
This field contains the semi-colon separated list of the data types of the fields defined above to be filled into the form; for the list fields (combo) the type of the list field must also be defined. Possible values are string, integer, combo:string, combo:integer and boolean. For our example we need the following: string;string;integer;string;string;combo:string;integer.

Default Field Values
This field allows you to define default values for the form fields that will be displayed to be selected via a drop-down list. The individual default values are separated by commas (,), the default values for each field are separated by a semi-colon (;). The field is prefilled with default values for the country, ;;;;;UK,France,Germany,Australia.

Labels of Custom Inventory Fields
This field contains the semi-colon separated list of field names under which they will appear in the custom inventory. Make sure that the order and the number of the fields is the same as in the Form Fields above. For our example this will be: Name;First Name;Employee ID;Department;Building;Country;Phone Extension.

Footer Text
This free text field is below the list of fields to be filled in and may contain additional information. We will enter here Thank you for your cooperation.

Validation Button Label
This parameter defines the text to be displayed on the confirmation button in the dialog box, enter OK.

Cancel Button Label
This parameter defines the text to be displayed on the cancel button in the dialog box, such as for example Later.

Retry Interval
The retry interval defines the interval, in minutes, at which the step is to effect its retries. The default value is set to 2 minutes. Leave it.
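The four semi-colon separated lists above only work if they line up position by position. The following added Python example (not part of the product or the manual) checks a form definition for that and then type-checks a submitted form before it would be written to the custom inventory. The function names, the rule that every field must be filled in, and the accepted boolean spellings are assumptions; the manual does not describe how the agent itself validates input.

```python
import re
from dataclasses import dataclass, field

ALLOWED_TYPES = {"string", "integer", "boolean", "combo:string", "combo:integer"}

# Values from the Send Customised Form example in this manual.
FIELDS = "Name;First Name;Badge ID;Department;Office;Country;Phone Extension"
TYPES = "string;string;integer;string;string;combo:string;integer"
DEFAULTS = ";;;;;UK,France,Germany,Australia"
LABELS = "Name;First Name;Employee ID;Department;Building;Country;Phone Extension"


@dataclass
class FormField:
    name: str      # label shown to the user in the HTML form
    kind: str      # one of ALLOWED_TYPES
    label: str     # name under which the value lands in the custom inventory
    choices: list = field(default_factory=list)


def parse_form_spec(fields, types, defaults, labels):
    """Split the four property strings and check they describe the same fields."""
    names, kinds, inv = fields.split(";"), types.split(";"), labels.split(";")
    if not len(names) == len(kinds) == len(inv):
        raise ValueError(
            f"field/type/label counts differ: {len(names)}/{len(kinds)}/{len(inv)}")
    groups = defaults.split(";") if defaults else []
    if len(groups) > len(names):
        raise ValueError("more default groups than form fields")
    # Trailing fields without defaults may be omitted, as in the manual's value.
    groups += [""] * (len(names) - len(groups))
    spec = []
    for name, kind, label, group in zip(names, kinds, inv, groups):
        if kind not in ALLOWED_TYPES:
            raise ValueError(f"{name}: unknown data type {kind!r}")
        choices = [c.strip() for c in group.split(",") if c.strip()]
        if kind.startswith("combo:") and not choices:
            raise ValueError(f"{name}: combo field without list values")
        spec.append(FormField(name, kind, label, choices))
    return spec


def _coerce(kind, raw):
    """Convert one submitted string to the declared base type."""
    base = kind.split(":")[-1]
    if base == "integer":
        if not re.fullmatch(r"-?\d+", raw):
            raise ValueError(f"not an integer: {raw!r}")
        return int(raw)
    if base == "boolean":
        if raw.lower() not in ("true", "false"):
            raise ValueError(f"not a boolean: {raw!r}")
        return raw.lower() == "true"
    return raw


def validate_submission(spec, submitted):
    """Return {inventory label: typed value}; raise ValueError on bad input."""
    unknown = set(submitted) - {f.name for f in spec}
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    record = {}
    for f in spec:
        raw = str(submitted.get(f.name, "")).strip()
        if not raw:
            raise ValueError(f"{f.name}: missing value")
        if f.kind.startswith("combo:") and raw not in f.choices:
            raise ValueError(f"{f.name}: {raw!r} is not one of {f.choices}")
        record[f.label] = _coerce(f.kind, raw)
    return record


if __name__ == "__main__":
    spec = parse_form_spec(FIELDS, TYPES, DEFAULTS, LABELS)
    # Constructed sample submission.
    print(validate_submission(spec, {
        "Name": "Doe", "First Name": "Jane", "Badge ID": "4711",
        "Department": "IT", "Office": "B2", "Country": "France",
        "Phone Extension": "204"}))
```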

7 Then click OK to add the step to the list and close the window.
8 Now select the Inventory Management group.
9 Select step Update Custom Inventory and click the Add button.
10 In the appearing Properties dialog box also check the options Upload after update and Force Upload.
11 In this case we will leave the Differential Upload option activated, as a custom inventory already exists. Thus only the changes, i.e. the new entry will be uploaded, which makes the process faster.
12 Click OK to confirm it.
13 Now click OK to confirm the list of steps and their order of execution of the operational rule.
14 All steps are added to the rule and it is ready to be assigned.
15 Now click the Finish button to confirm the settings of the new operational rule.
16 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 2: Assign Operational Rule to Master
The Operational Rule Distribution Wizard allows you to proceed with the target assignment and scheduling process of the operational rule as follows:

Step 2a: Operational Rule
In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options:

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.

2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the master.

3 Leave all other options as they are.

4 Click Next to continue.

Step 2b: Assigned Devices
The operational rule is now created and must be assigned to the devices on which to execute, in our example the master.

1 To do so select the Assign Device icon on top of the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the relay.
4 Click OK to confirm and close the window.
5 The device will be added to the list window.
6 Click Finish to confirm the assignment.
7 The last option provided by the wizard is to go directly to one of the objects, i.e. the operational rule or the task, if one was created. For our example we will directly activate the rule and change the focus to it, therefore check the Go to Operational Rule box and click Yes, to directly activate the rule.

Step 3: Fill in the Customised Form
Once the rule is assigned to the master an HTML page will appear on the screen, which displays the form we just defined.

1 Fill in your personal information.
2 Click the OK button to confirm.
3 The information will now be stored by the agent in the local database and uploaded to the master for display in the console. This may take a moment, please be patient.

Step 4: Custom Inventory - Verify Result
The rule execution may be monitored as usual under the Devices node of the assigned device. Once the status is displayed the rule is executed and all data should be available in the Console.

1 Open the node Master->Inventory.
2 In this window you can see in the right pane the list of all available inventory types and the date and time of their last update.
3 Check the value for the Custom Inventory.
4 Once it is updated to the current time select the node to display its contents.
5 Now select the History tab in the right window pane.
6 The contents of this tab display all elements that were added, removed or modified in the Custom Inventory.
7 Here you will find a new element as well, called Employee Information. This is the same element which was just added to the Custom Inventory.

Rule 5: Reboot Device
The operational rule created in this example will reboot a device. This may be useful or necessary after a software distribution and installation, a patch application or a vulnerability solution.

Contrary to the operational rules created before we will not assign and execute this rule on its own, it will be used together with the Software Distribution and Patch Management Step-by-Step examples further on.

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1: Definition
In this first step the operational rule to be created must be defined via its parameters.

1 Enter Reboot (or any other desired name) into the Name field.

2 Click the button at the bottom of the window to continue.

Step 2: Steps
Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this window you will select the steps to execute.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option (c) now.

1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Windows and select step Reboot.
4 Click the Add button.
5 The Properties dialog box appears on the screen.
6 Click the OK button to confirm and add this step.
7 Now click the OK button to confirm the list of defined steps for the operational rule and to close the window.
8 In the list field you can now see the step with its parameters.
9 Click the Finish button to confirm all parameters for the new rule and terminate it.
10 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click No, as this rule will not yet be assigned and executed.
11 The new rule is added to the list of available operational rules under the top node.

4.1 Rule Options
The following paragraphs will provide you with a number of options that may be used to modify the operational rule application.

(a) Assign the Rule with a Specific Schedule
When using the automatic activation a default schedule is assigned to the operational rule: immediate execution, once. In our case we will define a schedule first and then the assignment must be activated.

For our example of the Inventory Management rule it may be useful to run this rule at regular intervals, such as every day at start up, to have a most accurate view of the device’s situation. To do so proceed as follows:

1 In the first window of the Operational Rule Distribution Wizard make sure to uncheck the Default Schedule option.

2 At Step 2b: Point 6 (page 57) click Next again instead of finishing the wizard.
3 Another wizard window will appear after the Assigned Devices window, the Schedule window.
4 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.
5 In the Execution Date box define when to run the inventory collection. In our example we will select the Next Startup radio button to launch the inventory when the agent is started next.
6 Then go to the Termination box below, click the Run Forever radio button.
7 Now select the Frequency tab.
8 Leave the By Schedule and the Run Every Day radio buttons checked.
9 In the Period drop-down field select the value Once Only.

10 In the field below select the time at which to execute the inventory collection, e.g., 03:00. To modify the minute value just click in the field with the selected value and change the value, e.g. to 03:30.

Inventory collection might be quite resource consuming, thus it is recommendable to run these rules when the network load is low, i.e. during the night, if the devices are not shut down.

11 Click Finish to confirm the assignment and schedule and finish the wizard.
12 The last option provided by the wizard is to go directly to the object. For our example we will directly activate the rule and change the focus to it, therefore check the Go to Operational Rule box and click Yes, to directly activate the rule.

(b) Manually Modify the Execution Schedule
Once an operational rule is executed its schedule may still be modified to have the rule execute according to a specific schedule. For our example we will use the OR Synchronisation rule and have it execute every Monday morning, to make sure the agents and their operational rules are up to date for the start in the new week.

Manually modifying a schedule consists of two different actions:

1 Modify the schedule
2 Reassign the rule

Proceed as follows:

1 After the execution of the rule select the OR Synchronisation rule in the left window pane.
2 Go to its Assigned Objects->Devices node.
3 Then select the master entry in the table in the right window pane.
4 The entry should currently display the status Executed.
5 To define the schedule either double-click the table entry or select the Properties icon in the icon bar.
6 The Scheduler window will open on the screen.
7 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.
8 In the Execution Date box define when to run the inventory collection. In our example we will select the Next Startup radio button to launch the synchronisation when the agent is started next.
9 Then go to the Termination box below, click the Run Forever radio button.
10 Now select the Frequency tab.
11 Leave the By Schedule radio button checked.
12 In the By Schedule panes select the Day of the Week radio button.
13 The box below will become editable, uncheck all boxes apart from Monday.
14 In the Period drop-down field select the value Once Only.
15 In the field below select the time at which to execute the synchronisation, e.g., 07:00.

If the rule is not reassigned to the targets, the local agent will not be aware of the modifications and thus not be able to apply them.

16 Click OK to confirm the new schedule and close the window.
17 Now select the master entry again in the table to reassign the rule.
18 To do so select the Reassign Operational Rule icon in the icon bar.
19 The status will change to Reassignment Waiting and then all other status values until it arrives at Updated, to indicate that the rule was updated on the device and is ready for execution again.

(c) Creating a Rule in a Specific Folder
When creating a new operational rule it may be directly created in a folder instead of under the Operational Rules top node, which is the default location. To do so proceed as follows:

1 To add it to another folder click the icon to the right of the Folder field (...).
2 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new folder.
3 Select the target folder and click the OK button to confirm and to close the window and return to the original window.

(d) Operational Rules in the Maintenance Pages
The Maintenance pages of the Agent Interface were specifically created for maintenance crews and support people to facilitate their tasks on site. In case of a problem they may execute specific operational rules directly from the local interface to solve the issue. By default all operational rules an administrator can see and manage in the console are available on the Maintenance pages in the Agent Interface. To log on to the Maintenance pages proceed as follows:

1 Go to the target device (physically go there, you cannot do it from your desk via the console or the Agent Interface if the target device is not the device you are currently working from). In our case we will do this on the master’s interface, so no need for travelling.

2 Right-click the blue NAMP agent icon at the bottom-right of the Windows device.
3 Left-click on the Agent Interface menu item.
4 A browser window opens displaying the HCHL interface of the local agent.
5 Select the Identification item on the top right corner of the window.

6 Identify yourself with a local login in the appearing popup window.
7 The browser window now reloads and displays a number of additional tabs. Select the Maintenance tab.
8 A new login page appears. Enter the following login data:

Name: Enter the name of the master
Port: 1610
Login: admin

9 Click OK.

10 The Maintenance page appears in the window. There are two types of rules available on the Maintenance pages:

a Active Operational Rules
Active rules are all those rules that have been assigned to a device or a device group. Here you should find the first three rules that were created in this chapter with their respective execution status and schedule.

1 You can execute rules directly from the active rules page of the interface, e.g. the Execute Calculator rule.
2 To do so select it by checking the respective box under the Select column at the right border.
3 Then click the Activate button at the bottom left of the page.
4 A confirmation window appears on the screen. Click OK to proceed.
5 The status of the rule will change to Updated once the rule has been reassigned and then it will be executed. You will see this once the confirmation message box to launch the calculator is displayed again on the screen. If you click Yes, and the calculator is displayed the status will become Executed again, if you click No, the status will be Execution failed, since the rule could not be successfully completed.

To refresh these pages always use the Refresh button at the bottom of the page, NEVER the browser’s button.

b Additional Operational Rules
Additional rules are all those rules that have been created but are not assigned to any device or group. On this page you should now see two rules, a distribution rule which is always automatically created concerning patch management, ConfigFiles.cst, as well as the Reboot rule which we created but didn’t assign to any device.

1 To assign a rule, e.g. the ConfigFiles.cst distribution rule, from the Additional Operational Rules page to the local device select it, i.e., check the respective box under the Select column at the right border.
2 Then click the Activate button at the bottom left of the page.
3 Active Operational Rules.

(e) Assign Operational Rule to a Device GroupInstead of distributing an operational rule to an individual or a number of individual devices you may assign it to a group, preferably dynamic.

Proceed as follows to assign the Inventory Management rule (Rule 1) to a group containing All XP SP2 Devices of your network:

1 At Step 2: open the node Operational Rules->Inventory Management->Assigned Objects->Device Groups.2 Select the Edit->Assign Device Group menu item or click the respective icon ( ) in the icon bar.3 In the appearing confirmation window (Would you like to automatically activate...?) click Yes.4 The Assign to Device Group popup window will appear on the screen.5 Select the All XP SP2 Devices group from the list in the Available Objects box.

Dynamic groups are maintained either via a directory server or a query and their members are updated regular. For more information refer to chapter Queries and Device Groups Step-by-Step earlier in this manual. You will also find the guidelines there on how to create the group we will be using for the rule assignment in this example. Assigning an operational rule such as the inventory collection will ensure that all devices fulfilling specified requirements will apply this rule, without you having to specifically telling them so.

6 Click OK to confirm and close the window.
7 In the right window pane you can now see the device group to which the rule was assigned.
8 If you answered Yes to Would you like to automatically activate...?, the distribution process is started directly!

9 If you now select the Assigned Objects->Devices node you will find the list of all devices that are a member of the group in the table.

(f) Add More Steps to an Operational Rule

Once an operational rule is created and executed you might find that it is missing some steps or might be made more efficient using some more or other steps. When modifying a rule, the following steps need to be executed:

1 Modify the contents of the Inventory Management rule
2 Reassign the rule to the target

Step 1: Modify the Contents of the Inventory Management Rule

For our example we will modify the Inventory Management rule in the following way:

a Remove the Patch Inventory step
b Add more Security Inventory steps:

Number of Administrator Accounts
Open Ports
Process List

To do so proceed as follows:

1 Open the node Operational Rules->Inventory Management and go to the Steps tab.
2 In the right window pane you can see all the steps which are currently executed for this rule.

3 To remove the patch step select the respective step in the first line, Analyse Patch Situation.
4 Now select the Remove Step icon in the icon bar.
5 A confirmation window appears on the screen. Click Yes.
6 The step will directly disappear from the rule and the list.
7 Now, to add more steps for the Security Inventory click the Add Step icon in the icon bar.
8 The Select a Step popup window appears on the screen.
9 Double-click the Security Inventory folder.
10 As the first step select Number of Administrator Accounts and click the Add button.
11 The Properties dialog box appears on the screen. Enter the value Administrator Account into the field Security Inventory Instance Name and click OK to add it to the list of Selected Objects.
12 Next select the Open Ports step and click the Add button.
13 The Properties dialog box appears on the screen. Select the TCP value from the drop-down box, enter TCP Ports as value into the Security Inventory Instance Name field and click OK to add the step.
14 As the third new step select the Process List step and click the Add button.
15 The Properties dialog box appears on the screen. Leave both options enabled and click OK to add the step.
16 Click OK now to confirm the new list of steps to add to the existing steps and to close the window.
17 You can see now that all new steps have been added at the bottom of the list. However, to be updated at the next inventory update they must be located before the Update Security Inventory step.
18 Select all three new lines in the table.
19 Then select the Move To icon in the icon bar.
20 A new Steps window appears on the screen.
21 Enter line 6 into the field and click the OK button.
22 All three selected steps will now be moved up to lines 6-8, i.e. before the Update Security Inventory step, and push all following steps down.

Step 2: Reassign Rule to Target

Whenever an operational rule has been modified in any way (its contents have changed, the schedule was modified, etc.), the rule must be reassigned to the target to update it. To do so proceed as follows:

1 Click the Assigned Objects, then Devices node in the left window pane under the Inventory Management rule.

2 Select the already assigned master in the table.
3 Then click the Reassign Operational Rule icon in the icon bar.
4 The reassignment order will be sent to the master and the status will change to Update Waiting.
5 After this you should see the following successive statuses:

Updated
Ready to run
Executed

6 Once the status is displayed as Executed go to the Security Inventory of the master and check that the new parameters have been added.

5 Directory Server Synchronisation Step-by-Step

The LDAP Client (notably Microsoft Windows Active Directory) functionality presents organisations with a directory service designed for distributed computing environments. It allows organisations to centrally manage and share information on network resources and users while acting as the central authority for network security. In addition to providing comprehensive directory services to a Windows environment, the directory server is designed to be a consolidation point for isolating, migrating, centrally managing, and reducing the number of directories that companies require.

The Numara Asset Management Platform allows you to synchronise its device database with directory services already existing in your network. You may thus ‘copy’ existing directory services items such as organisational units (OU), computers, etc., into the Numara Asset Management Platform groups and members to then administer these via the NAMP console. All three types of groups existing in the Numara Asset Management Platform, i.e. device groups, administrator groups and user groups, can be synchronised.

Prerequisites

To execute the examples provided in this chapter we assume that:

• the master, console, database, and some client agents have been installed.
• a console is open and connected to the master.
• Active Directory is installed in your network and has its organisation in place.
• you have done the basic exercises in the Queries and Device Groups Step-by-Step chapter or you are at least familiar with the general concepts of the different groups in the Numara Asset Management Platform.

5.1 Synchronising with Active Directory

This first part of the chapter provides some examples for active directory synchronisations:

• Synchronise a device group
• Synchronise an administrator group
• Synchronise a user group

The first step to execute before any synchronisation can be done is to define at least one directory server in the NAMP console. To do so proceed as follows:

Step 1: Define the Active Directory Server

The first step in the synchronisation procedure is to define the directory server with which to synchronise in the NAMP console. To do so proceed as follows:

1 Open the Global Settings->Directory Servers node in the left window pane.
2 Either select the Edit->Create Directory Server menu item or select the respective icon in the toolbar.
3 The new directory server will be created and the Properties window opens on the screen.
4 Enter the following information into the respective fields of the General tab:

a Enter the user-friendly name under which the directory server is known into the Name field. This name may be any combination of characters.

b Enter the known network name of the directory server in the Host Name field. This value may be either the complete or short network name, such as scotty.bridge.enterprise.com or scotty, or it may be the IP address of the server in its dotted notation, e.g. 175.175.2.1.

c Enter the number of the port at which the directory server may access the database in the Port Number field. The usual value for this port is 389.

d Enter the base distinguished name into the Base DN field to uniquely identify the directory server. The base DN is the start entry in the directory tree. You may enter this value either in the LDAP notation or as UNC. For example, for an Active Directory domain with the name kirk.bridge.enterprise.com this entry would look like this:

LDAP: dc=kirk, dc=bridge, dc=enterprise, dc=com
UNC: kirk.bridge.enterprise.dc=com

e In the User DN field you must enter the distinguished name of the user. This is the name uniquely identifying the user. You may enter this value either in the LDAP notation or as UNC. This would be for example cn=username, cn=usergroup where username is the user you wish to connect as, and usergroup is the folder that contains username in Active Directory Users and Computers, or \\username\usergroup as UNC.

5 Enter the following data into the respective fields in the Password tab:
a Enter the password of the directory server through which the above defined user may access it into the New Password field. Be sure to enter the correct password, otherwise the directory server cannot be accessed from the console. For security reasons the password will be displayed in the form of asterisks (*).
b Confirm the password entered above by re-entering it into the Confirm New Password field.
6 Click the OK button at the bottom of the window to confirm the new directory server and to close the window.
7 Now, to make sure you have entered all the data above correctly you may want to try the connection.
8 To do so double-click the newly entered directory server.
9 Select the Edit->Check Connection menu item or the respective icon in the icon bar.
10 The console will verify its connection with the directory server and make the results known in a message box displayed on the screen. The results are either Connection successful! if the connection could be successfully established, or if it failed the message box displays the server’s answer, such as Login Failed or Server Down.

If the connection failed this may be due either to a physical problem with the network or some directory server data incorrectly entered.

Synchronisation 1: Device Group

In our first example we will synchronise a device group with an Active Directory group. This process is divided into the following steps:

1 Define the Active Directory Server in the console if it doesn’t exist yet (see Step 1 above)
2 Create the device group
3 Assign the directory server to the new device group and synchronise

Step 2: Create Device Group

The first actual step for synchronisation is to create the device group which is to be a mirror of one of the active directory groups.

1 Select the Device Groups top node.
2 Then either select the Edit->Create Device Group menu item or select the respective icon in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter a name for the new group, e.g. AD Group. The name of this group is completely irrelevant; you may leave the default name, as it will be changed to the name of the directory server group once it is synchronised.

5 Click the OK button at the bottom of the window to confirm the new group.

Step 3: Assign the Directory Server to the New Group

Before the groups can be synchronised a relation must be established between the NAMP device group and the Active Directory group. To do so the directory server is assigned to the device group.

1 Open the Dynamic Population->Directory Server node of the group.
2 Select the Edit->Assign Server menu item or click the respective icon in the icon bar.
3 The Select a Directory Server window appears on the screen.
4 Select the directory server entry you just added in the console from the list box. You may either select the directory server itself or one of its children.

If you select Members Only for this value, you will not be able to assign the Directory Server, as the required subnodes to do so are not displayed.

5 Now that the directory server is assigned to the group its name will change to the name of the selected unit, i.e. Computers in the example above.

6 The Properties window opens on the screen. Here you may specify if all devices are to be synchronised or only those with a NAMP agent installed. Leave the preselected value and then click the OK button to confirm.

7 A confirmation window appears on the screen. Click Yes to immediately synchronise with the selected directory server.

8 The synchronisation is executed immediately.
9 The Directory Server Synchronisation window appears displaying the results of the operation. It lists all objects that have been added with their status which in this case will always be New Object. Click Close to close this window.

10 If you go back now to the Device Groups top node you will see that the name of your group has changed, in the example here from AD Group to Computers.support.sophia.

The name of a device group synchronised with an active directory server will always be modified to the name of the synchronised group and the name of the server with the format: <entry>.<directory server name>.

If you want to schedule the synchronisation at a specific later time or to execute it at regular intervals click No and see Option (a).

Synchronisation 2: Administrator Group

In our next example we will synchronise an administrator group with an Active Directory group. This process is divided into the following steps:

1 Define the Active Directory Server in the console if it does not exist yet (see Step 1 at the beginning of the chapter)
2 Create the administrator group
3 Assign the directory server to the new administrator group and synchronise

Step 2: Create Administrator Group

To synchronise an administrator group it must first be created. To do so proceed as follows:

1 Open the Global Settings->Administrator Groups node in the left window pane.
2 Select the Edit->Create Administrator Group menu item or the respective icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter a name into the respective field. This name is of no importance; it will be replaced with the name of the active directory group after the synchronisation.

5 Click the OK button at the bottom of the window to confirm the new administrator group.

Step 3: Assign the Directory Server to the New Group

Before the groups can be synchronised a relation must be established between the NAMP administrator group and the Active Directory group. To do so the directory server is assigned to the administrator group.

1 Open the Dynamic Population->Directory Server node of the group.
2 Select the Edit->Assign Server menu item or click the respective icon in the icon bar.
3 The Select a Directory Server window appears on the screen.
4 Select the directory server entry from the list box. You may either select the directory server itself or one of its children. In our example we have chosen a subgroup called France. Click OK to confirm.

5 The Administrator Authentication window appears on the screen.

a Normally, when synchronising an administrator group with a directory server the system authentication will be used at the connection with the console. The Authentication drop-down list allows you to choose between the system authentication and a PAM authentication for Linux masters.

b The Login Type drop-down list allows you to choose between the following three types of login for the synchronisation:

Login: james.c kirk
Domain\Login: Enterprise\james.c kirk
Internet Style Login: [email protected]

The Internet Login type corresponds to the userPrincipalName attribute on the directory server. If this attribute is not filled in, the administrator will not be synchronised if the login type Internet is selected.

6 Click OK.
7 Now the connection with the directory server is established.
8 A confirmation window appears on the screen. Click Yes to immediately synchronise with the selected directory server.
9 The synchronisation is executed immediately.
10 The Directory Server Synchronisation window appears displaying the results of the operation. It lists all objects that have been added with their status which in this case will always be New Object. Click Close to close this window.

The name of an administrator group synchronised with an active directory server will always be modified to the name of the synchronised group and the name of the server with the format: <entry>.<directory server name>.

If you want to schedule the synchronisation at a specific later time or to execute it at regular intervals click No and see Option (a).

Contrary to device and user groups, administrator groups do NOT contain subgroups. Therefore, even if the active directory server unit the admin group was synchronised with did have subgroups these will be completely ignored. Only administrators located directly under the selected unit will be synchronised.

11 If you go back now to the Administrator Groups top node you will see that the name of your group has changed, in the example here from AD Group to France.Business..... The format of the new name is <entry>.<directory server name>.
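The two administrator-group rules stated above (only entries located directly under the selected unit are synchronised, and an entry without userPrincipalName is skipped when the Internet login type is selected) can be previewed against a directory export before synchronising, to review who would receive a console administrator login. The sketch below is an added example, not NAMP code; the entry layout, the use of sAMAccountName for the plain login, the domain prefix ENTERPRISE and all sample entries are assumptions constructed for illustration.

```python
"""Preview which directory entries an administrator-group sync would create.

Added example, not NAMP code. It models two rules from this chapter:
  * administrator groups contain no subgroups, so only entries located
    directly under the selected unit are synchronised;
  * the Internet login type maps to userPrincipalName, and an entry without
    that attribute is not synchronised when this type is selected.
"""

LOGIN = "Login"
DOMAIN_LOGIN = "Domain\\Login"
INTERNET = "Internet Style Login"


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def normalise(dn):
    """Comparison form: no spaces after commas, lower case throughout."""
    return ",".join(part.lower() for part in split_dn(dn))


def parent_dn(dn):
    """DN of the container that directly holds the entry."""
    return ",".join(split_dn(dn)[1:])


def base_dn_from_domain(domain):
    """kirk.bridge.enterprise.com -> dc=kirk,dc=bridge,dc=enterprise,dc=com"""
    return ",".join("dc=" + label for label in domain.split("."))


def login_for(entry, login_type, domain_prefix):
    """Return the console login for one entry, or None if it cannot be built."""
    if login_type == INTERNET:
        return entry.get("userPrincipalName") or None
    # Assumption: the plain login is taken from sAMAccountName.
    account = entry.get("sAMAccountName")
    if not account:
        return None
    if login_type == DOMAIN_LOGIN:
        return domain_prefix + "\\" + account
    return account


def preview_admin_sync(entries, unit_dn, login_type, domain_prefix):
    """Return (logins that would be created, [(dn, reason skipped), ...])."""
    unit = normalise(unit_dn)
    synced, skipped = [], []
    for entry in entries:
        if normalise(parent_dn(entry["dn"])) != unit:
            skipped.append((entry["dn"], "not directly under selected unit"))
            continue
        login = login_for(entry, login_type, domain_prefix)
        if login is None:
            skipped.append((entry["dn"], "no attribute for login type " + login_type))
        else:
            synced.append(login)
    return synced, skipped


# Constructed sample data (not taken from a real directory).
SAMPLE_BASE = base_dn_from_domain("kirk.bridge.enterprise.com")
SAMPLE_UNIT = "OU=France, DC=kirk, DC=bridge, DC=enterprise, DC=com"
SAMPLE_ENTRIES = [
    {"dn": "cn=Admin One,ou=France," + SAMPLE_BASE, "sAMAccountName": "admin.one",
     "userPrincipalName": "admin.one@kirk.bridge.enterprise.com"},
    {"dn": "cn=Admin Two,ou=France," + SAMPLE_BASE, "sAMAccountName": "admin.two"},
    {"dn": "cn=Admin Three,ou=Paris,ou=France," + SAMPLE_BASE,
     "sAMAccountName": "admin.three",
     "userPrincipalName": "admin.three@kirk.bridge.enterprise.com"},
    {"dn": "cn=Dupont\\, Marie,ou=France," + SAMPLE_BASE, "sAMAccountName": "m.dupont",
     "userPrincipalName": "m.dupont@kirk.bridge.enterprise.com"},
]

if __name__ == "__main__":
    for kind in (LOGIN, DOMAIN_LOGIN, INTERNET):
        created, ignored = preview_admin_sync(SAMPLE_ENTRIES, SAMPLE_UNIT, kind, "ENTERPRISE")
        print(kind, "->", created)
        for dn, reason in ignored:
            print("   skipped:", dn, "(" + reason + ")")
```

Comparing the skipped list across login types shows which accounts would silently drop out of the administrator group if the login type were switched to Internet.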

Synchronisation 3: User Group

In this example we will synchronise a user group with an Active Directory group. This process is divided into the following steps:

1 Define the Active Directory Server in the console if it doesn’t exist yet (see Step 1 at the beginning of the chapter)
2 Create the user group
3 Assign the directory server to the new user group and synchronise

Step 2: Create User Group

The first actual step for synchronisation is to create the user group which is to be a mirror of one of the active directory groups.

1 Select the User Groups top node.
2 Either select the Edit->Create User Group menu item or select the respective icon in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter a name for the new group, e.g. AD Group. The name of this group is completely irrelevant; you may leave the default name, as it will be changed to the name of the directory server group once it is synchronised.

5 Click the OK button at the bottom of the window to confirm the new group.

Step 3: Assign the Directory Server to the New Group

Before the groups can be synchronised a relation must be established between the NAMP user group and the Active Directory group. To do so the directory server is assigned to the user group.

1 Open the Dynamic Population->Directory Server node of the group.
2 Select the Edit->Assign Server menu item or click the respective icon in the icon bar.
3 The Select a Directory Server window appears on the screen.
4 Select the directory server entry you just added in the console from the list box. You may either select the directory server itself or one of its children. In our example we have chosen the Users unit containing all user subgroups and users.

5 Now that the directory server is assigned to the group its name will change to the name of the selected unit, i.e. Technical Support in the example above.

6 A confirmation window appears on the screen. Click Yes to immediately synchronise with the selected directory server.

7 The synchronisation is executed immediately.
8 The Directory Server Synchronisation window appears displaying the results of the operation. It lists all objects that have been added with their status which in this case will always be New Object. Click Close to close this window.

9 If you go back now to the User Groups top node you will see that the name of your group has changed, in the example here from AD Group to FabienC. The format of the new name is <entry>.<directory server name>. Also the icon of the group has been changed from the static icon to the directory server managed group icon.

The name of a user group synchronised with an active directory server will always be modified to the name of the synchronised group and the name of the server with the format: <entry>.<directory server name>.

If you want to schedule the synchronisation at a specific later time or to execute it at regular intervals click No and see Option (a).

5.2 Options

The following paragraphs will provide you with a number of options that may be used with active directory synchronisations. The following options will all be executed for device groups, but they work in the same way for user and administrator groups as well.

(a) Synchronise a Device Group at a Specific Date and Time and/or Regular Intervals

You may want to schedule the synchronisation for a later moment or periodically re-synchronise your device group with the directory server to keep your group up to date. The following example is for device groups, but the same principle also applies to user and administrator groups.

To schedule a synchronisation and thus synchronise a group proceed as follows:

1 Open the Device Groups-><GroupToSynchronise>->Dynamic Population->Directory Server-><AssignedDirectoryServer> node.

2 Mark the directory server in the right window pane and select the Edit->Properties... menu item or click the respective icon in the icon bar.

3 The Properties window appears on the screen.
4 This window provides you with the synchronisation scheduling options:

a For execution at a later date and time select the following:
   1 Check the Deferred to radio button to schedule a directory server synchronisation for a later date.
   2 Enter a date into the field or click the arrow to call the calendar on the screen and select a date.
   3 From the At drop-down box select the time of the day at which the synchronisation is to be launched.

b For a periodic synchronisation once a week on Sundays at midnight:
   1 Select the radio buttons Immediately and Run Forever in the Validity tab.
   2 Then go to the Frequency tab and make the following additional selections:
   3 Check the Day of the Week radio button to schedule a directory server synchronisation for a specific day of the week.
   4 The fields below become available. Uncheck all boxes apart from Sunday.
   5 In the Period box select the value Once Only, to run it once on the selected day.
   6 In the At drop-down box leave the preselected value 0:00, to launch the synchronisation at midnight.

5 Click OK to confirm the new schedule.
6 The synchronisation between the group and the assigned directory server will be launched once the specified time arrives.

6 Reports Step-by-Step

Reports in the Numara Asset Management Platform can be created and generated in different ways for almost any of the object types which exist in the NAMP database. In this exercise we are going to create a number of reports regarding the outcome of the exercises we did in the preceding chapters.

Reports tend to be carried out on a number of clients which can be grouped through a query or they may be directly assigned to a device group. Most of the reports we will use are predefined reports (Out-of-the-box objects) but we will also create a report from scratch and execute it.

Report data may be displayed either in tabular format or as a graphical representation. These should provide you with a very clear picture of the activity on your system and what has happened on the specific objects that you are interested in. You can explore and analyse your data by using a variety of graphs available in the console.

Two report types are available: style-based and template-based.

Style-based
These reports are based on a layout type that defines the number of subreports the report contains and how these subreports are ordered on the displayed or printed page. 12 different layout styles are available. Style-based reports may either base their generated data on the results of a query, on the members of a device group or both.

Template-based
Template-based reports are provided in XML, HTML and PDF format. This report type is available for vulnerability management, patch management, power management, application management and compliance rules.

Prerequisites

We assume that:

• the master, console and database have been installed
• you have rolled out the NAMP agent to a number of devices as described in the Installation manual
• a console is open and connected to the master
• you have installed the out-of-the-box objects during the master installation
• you have done the exercises in the preceding chapters Rollout, Queries and Device Groups, Configuration Management and Directory Server Synchronisation or at least the one for the object you now want to create the report for.

6.1 Report Examples

This chapter is divided into the following sections:

1 Out-of-the-box reports based on queries
2 Out-of-the-box reports assigned to device groups
3 Template-based reports
4 Create new style-based reports, assign and generate them.

6.1.1 Out-of-the-box Reports Based on Queries

The out-of-the-box reports that are based on queries are ready to be employed immediately; they only need to be generated.

Report 1: Hardware Summary List

For our example we will use a report called Hardware Summary List, which is located directly below the main Reports node. To generate it immediately proceed as follows:

1 Go to the Reports node.
2 Select the Hardware Summary List report in the table in the left window pane.
3 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
4 A confirmation window appears on the screen, click the OK button to confirm.
5 The report will be created immediately using the current data of the database.
6 To view the Hardware Summary List report select the Edit->View Last Result menu item or the respective icon in the icon bar.
7 A login window appears on the screen. Enter the login credentials with which you are currently logged on to the console, in our case here this should be admin and no password.
8 A new browser window or tab opens and displays the report.

Report 2: Active Directory Results

To view the results of your directory server device group synchronisation generate the report called Active Directory Devices as described above.

These reports may be generated at regular intervals and thus provide an overview of the general development of your network. See Option (d).

To view the generated report via the Report Results node see Option (a).

Report 3: Global Software List

To get an overview of all software programs which are installed on the devices in your network generate the report called Global Software List as described above.

6.1.2 Out-of-the-box Reports Assigned to Device Groups

All out-of-the-box reports, based on queries, may be assigned to device groups. This report will then display the same information but limited to the data of the assigned device group. To assign and then generate the Hardware Summary List report immediately proceed as follows:

1 Go to the Reports node.
2 Select the Hardware Summary List report in the table in the left window pane.
3 Go to its Assigned Objects->Device Groups node.
4 Then select the Edit->Assign Device Group menu item or click the respective icon in the icon bar.
5 The Assign to Device Group popup window will appear on the screen.
6 Select the All Devices group from the window.
7 Click OK to confirm the assignment and close the window.
8 The device group will be added to the table of assigned device groups.
9 Then go back to the Hardware Summary List report in the left window pane.
10 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
11 A confirmation window appears on the screen, click the OK button to confirm.
12 The report will be created immediately using the current data in the database concerning the assigned device group.
13 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
14 Enter your login again in the appearing window.
15 A new browser window or tab opens and displays the report. This report now displays the same type of data as in the example above, but only for all client devices in your network, i.e. the master and relay are missing from the list and graphs.

The report result which is generated will be put in all the required places according to the reports settings. This means it will be available under the Report Results node of the report, as well as under that of the device group it is assigned to.

6.1.3 Template-based Reports

Template-based reports, as their name indicates, are templates which may be used to create your own reports according to a specific model or template, and they are provided in XML, HTML and PDF format. This report type is only available for Patch Management, Vulnerability Management, Power Management, Application Management and Compliance Rules. Examples and how to use these are explained in detail in the respective chapters.

If you have imported the out-of-the-box objects one report was created for each of the existing templates in their respective folders. In this chapter we will create such a report for the vulnerability situation, but it cannot be generated yet, as no vulnerabilities have been found yet. It will be generated in chapter Vulnerability Management Step-by-Step.

Report 4: Situation by Vulnerability

To create a new report based on a template proceed as follows:

1 Select the main Reports node in the left pane.
2 Either select the Edit->Create Report menu item or select the respective icon in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter the following data into the respective fields and leave all other values as they are:

Name
Enter the name of the new report into this field, e.g. Situation by Vulnerability.
Report Title
Enter the title of the report, you can just copy the name here, e.g. Situation by Vulnerability. This text will appear on top of your report as the heading.
Report Type
Select from the drop-down list the Template-based option.
Report Template
Select from the drop-down box the report template to use. For this example we will use the template called By Vulnerability.

These reports may be generated at regular intervals and thus provide an overview of the general development of your network. See Option (d).

To view the generated report via the Report Results node see Option (a).

5 Click the OK button at the bottom of the window to confirm the data for the new report and to close the window.
6 The report is now created and configured, it remains to generate it once the required data are available.

6.1.4 Creating and Generating New Reports

The following paragraphs explain how to create a new report from scratch for the following requirements:

• Operational Rule Status report: This report returns the status on all operational rules that were executed for the different examples in your test environment.
• Agent Rollout Results report: This report returns the results of the agent rollout in your test environment.
• Monthly Device Update report: This report returns the list of all devices that were updated within the last month.

Report 5: Operational Rule Status

This report returns the status on all operational rules that were executed for the different examples in your test environment.

Generally when creating a report a query must be created first if the report is not to be executed on a device group, which is the case for this example. Therefore we will execute the following steps for this report:

1 Create Query
2 Create and Generate Report
3 View Report

Step 1: Create QueryThe query for our report will collect all operational rule status that can be found:

1 To create the query, select the main Queries node in the left window pane.2 Select the Edit->Create Query menu item or the respective icon ( ) in the icon bar.3 The Properties dialog box will appear on the screen.4 Enter the following data into the respective fields and leave all others untouched.

a Enter the name of the new query into the Name field; use Operational Rule Status for this case.
b In the Type field select the value Device - Operational Rule Assignment.

5 Click OK to create the query and to close the window.
6 The newly created query will directly appear in the table in the right window pane.

If the report is to be made publicly available, see Option (g) now.

If the report is always to be generated in formats other than HTML only, see Option (f) now.

Page 100: Getting Started


7 Since we want the query to collect all possible values, no criteria need to be defined and the query is set up.
8

9 Select the Preview tab where you can see a preview of the query’s results.

Step 2: Create and Generate Report

In the second step the actual report will be created. Our report will be in the form of a table with four columns, which list the name of the operational rule that was executed, the final execution status, the device on which it was executed and, if applicable, the device group via which the rule was assigned. To create the report via the wizard proceed as follows:

1 Select the Wizards->Report Creation menu item or the respective icon in the icon bar.
2 The Report Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 2a: Report

The first step defines the report base information as follows:

1 Enter the following data into the respective fields and leave all other values unchanged:
Name: As the name enter Operational Rule Status.
Report Title: Enter the title of the report, for example, Execution Status of all Operational Rules. This text will appear on top of your report as the heading.

2 Click Next to go to the following wizard page.

To generate a report on a specific status value, for example for the status failed, this query must be defined to collect only the requested status value. Refer to Option (h) for how to define the query for this case.

Option (b) explains how to create this report with two subreports, the first in the form of a table, the second displaying the same information in the form of a pie chart.

To modify the number of subreports later (add more subreports), see Option (c).

To make the report available on the Report Portal see Option (g) now.

Page 101: Getting Started


Step 2b: Subreports

This step is concerned with the configuration of the subreports. It provides one tab for each subreport of the report, i.e. in our case one tab.

1 When creating a report based on a query, the first thing when defining the contents is to select the query which defines the attributes which may be chosen for the report.

2 To do so first select the Device - Operational Rule Assignment value from the Query Type.
3 The Operational Rule Status query should now be preselected in the Query Name field.
4 As the table is the preselected format for the report we do not need to modify it just now.

5 Now select the Add Column icon to add your first column to the report.
6 The Select Report Columns dialog box will appear on the screen.
7 The left list window of the dialog box (Available Columns) will display all available attributes for this query.
8 Select the Status value from directly under the Available Columns, and leave all other values as they are.
9 Click the Add button to move the attribute to the list of Selected Columns.
10 Then click the Operational Rules folder and select the Name attribute, with the None operator and the Sort Order Ascending, as we want the table sorted by the operational rule names.
11 Click the Add button to move the attribute to the list of Selected Columns.
12 Now click the Devices folder and select the Name attribute. This will then display the name of the device on which the rule was executed with the respective status.
13 Click the Add button again.
14 Now click the Device Groups folder and select again the Name attribute. This column will display the name of the device group if the rule was assigned via a device group; if not, this column will remain empty.
15 Click the Add button again.

16 Click OK to close the window.
17 To have a preview of the newly created report click the Subreport Preview button below.
18 A new browser tab opens in which you may see how this subreport will appear in the final report.
19 Click Next to go to the following wizard page.

Step 2c: Publication and Mail

We will not publish this report or send it via e-mail, therefore just click Next to go to the following wizard page.

If another report format is desired, such as a chart, refer to Option (b) or Option (c) now.

Page 102: Getting Started


Step 2d: Assigned Objects

We have assigned a query to our subreport and want to see the results of the whole population, therefore no device group needs to be assigned.

20 Click Next to go to the following wizard page.

Step 2e: Schedule

Now that the report is set up it remains only to define its generation schedule. To do so proceed as follows:

1 Check the Immediately radio button in the Execution Date panel.
2 Check the Immediately generate the report box at the bottom of the window.

3 Click the Finish button at the bottom of the window to confirm the new report and immediately generate it.

Step 3: View Report

The report will be directly generated. To display it proceed as follows:

1 Reselect the report again in the left window pane.
2 Then go to the Report Results subnode.
3 The table in the right window pane will show one entry for the generated report.
4 To view the report select the Edit->View menu item or the respective icon in the icon bar.
5 A new browser window or tab opens and displays the report. This report displays now the data as previewed: a table with the list of operational rules and their final execution status, as well as the devices/assigned device groups.

Page 103: Getting Started


6

Report 6: Agent Rollout Results

To see how the agent rollout worked we will create a report, again in the form of a table, that will list all devices with their installation status. To create the report we will again need to execute the following steps:

1 Create Query
2 Create and Generate Report
3 View Report

Step 1: Create Query

The query for our report will collect all push configurations that can be found:

1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the following data into the respective fields and leave all others untouched.

a Enter the name of the new query into the Name field; use Rollout Status for this case.
b In the Type field select the value Push Configuration.

5 Click OK to create the query and to close the window.
6 The newly created query will directly appear in the table in the right window pane.
7 Since we want the query to collect all possible values, no criteria need to be defined and the query is set up.
8

9 Select the Preview tab where you can see a preview of the query’s results.

Step 2: Create and Generate Report

Our report will be in the form of a table with two columns, which list the name of the device and its installation status. To create the report via the wizard proceed as follows:

1 Select the Wizards->Report Creation menu item or the respective icon in the icon bar.
2 The Report Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 2a: Report

The first step defines the report base information as follows:

1 Enter the following data into the respective fields and leave all other values unchanged:
Name: As the name enter Rollout Status.
Report Title: Enter the title of the report, for example, NAMP Agent Rollout Results. This text will appear on top of your report as the heading.

These reports may be generated at regular intervals and thus provide an overview of the general development of your network. See Option (d).

To generate a report on a specific status value, for example for the status failed, this query must be defined to collect only the requested status value. Refer to Option (h) for how to define the query for this case.

Page 104: Getting Started


2 Click Next to go to the following wizard page.

Step 2b: Subreports

This step is concerned with the configuration of the subreports. It provides one tab for each subreport of the report, i.e. in our case one tab.

1 When creating a report based on a query, the first thing when defining the contents is to select the query which defines the attributes which may be chosen for the report.

2 To do so first select the Push Configuration value from the Query Type.
3 The Rollout Status query should now be preselected in the Query Name field.
4 Select the Edit->Add Column icon.
5 The Select Report Columns dialog box will appear on the screen.
6 The left list window of the dialog box (Available Columns) will display all available attributes for this report.
7 First open the Assigned Devices folder and then select the Device Name value, with the None operator and the Sort Order Ascending.
8 Click the Add button to move the attribute to the list of Selected Columns.
9 Then select the Rollout Status value from directly under the Available Columns, with the None operator and the Sort Order None.
10 Click the Add button to move the attribute to the list of Selected Columns.
11 Click OK to close the window.

Page 105: Getting Started


12 Click Next to go to the following wizard page.

Step 2c: Publication and Mail

We will not publish this report or send it via e-mail, therefore just click Next to go to the following wizard page.

Step 2d: Assigned Objects

We have assigned a query to our subreport and want to see the results of the whole population, therefore no device group needs to be assigned. Click Next to go to the following wizard page.

Step 2e: Schedule

Now that the report is set up it remains only to define its generation schedule. To do so proceed as follows:

1 Check the Immediately radio button in the Execution Date panel.
2 Check the Immediately generate the report box at the bottom of the window.
3 Click the Finish button at the bottom of the window to confirm the new report and immediately generate it.

Page 106: Getting Started


4 A confirmation window appears now on the screen. To directly move the focus of the console to the newly created report click Yes.

5 The console will now display the main view of the newly created report.

Step 3: View Report

The report will be directly generated. To display it proceed as follows:

1 Reselect the report again in the left window pane.
2 Then go to the Report Results subnode.
3 The table in the right window pane will show one entry for the generated report.
4 To view the report select the Edit->View menu item or the respective icon in the icon bar.
5 A new browser window or tab opens and displays the report. This report displays now the list of all devices on which a NAMP agent is installed together with the agent installation status.

Report 7: Monthly Device Update

This report shows, in tabular and chart format, all devices which were updated during the last month. We will also schedule this report to be executed automatically on the first of each month.

In this example we will create the report via the wizard. Proceed as follows:

1 Select the Wizards->Report Creation menu item or the respective icon in the icon bar.
2 The Report Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1: Report

The first step defines the report base information as follows:

1 Enter the following data into the respective fields and leave all other values unchanged:
Name: As the name enter Updated Devices.
Report Title: Enter the title of the report, for example, Monthly Device Update. This text will appear on top of your report as the heading.
Report Style: From this drop-down list select Style 5. This will give the report two subreports, one below the other, as the little icon indicates.

Page 107: Getting Started


2 Click Next to go to the following wizard page.

Step 2: Subreports

This step is concerned with the configuration of the subreports. It provides one tab for each subreport of the report, i.e. in our case two tabs.

1 Our first subreport will contain the graphic, a pie chart detailing the different operating systems found on the updated devices.

2 As the title enter Devices by Operating System Name into the field Subreport Title.
3 When creating a report based on a query, the first thing when defining the contents is to select the query which defines the attributes which may be chosen for the report.
4 Leave the Device value in the Query Type field.
5 Then select the Updated Devices query in the Query Name field.
6 In the Subreport Format field below select the Pie Chart value.
7 Click the Display the options icon next to the field.
8 The Report Format Options window appears on the screen. This window allows you to configure the pie chart parameters.
9 Make the following modifications to enlarge and enhance the chart:

Check the Value Labels box.
Increase the Chart Width to 800.
Increase the Chart Height to 400.
Check the Percent Labels box.

Page 108: Getting Started


Then click the OK button to confirm and close the window.
10 Now select the Add Column icon of the Data panel.
11 The Select Report Columns dialog box will appear on the screen.
12 The left list window of the dialog box (Available Columns) will display all available attributes for this report.
13 Select the value Operating System Name, leave all other fields.
14 Click the Add button to move the attribute to the list of Selected Columns.
15 Click OK to close the window.
16 Now go to the Series panel.
17 Select again the Add Column icon of the Series panel.
18 The Select Report Columns dialog box will appear on the screen.
19 Select again the value Operating System Name, leave all other fields.
20 Click the Add button to move the attribute to the list of Selected Columns.
21 Click OK to close the window.

22 Now select the Subreport 2 tab.
23 As the title enter Device Details into the field Subreport Title.
24 When creating a report based on a query, the first thing when defining the contents is to select the query which defines the attributes which may be chosen for the report.
25 Leave the Device value in the Query Type field.
26 Then select the Updated Devices query in the Query Name field.
27 Now select the Edit->Add Column icon.
28 The Select Report Columns dialog box will appear on the screen.
29 The left list window of the dialog box (Available Columns) will display all available attributes for this report.
30 Select the value Name, leave all other fields.
31 Click the Add button to move the attribute to the list of Selected Columns.
32 Now select the value IP Address, leave all other fields.
33 Click the Add button.
34 Then select the value Last Update, leave all other fields.
35 Click the Add button.
36 Finally select the value Operating System Name, leave all other fields.
37 Click the Add button to also move this attribute to the list of Selected Columns.
38 Click OK to close the window.
39 All subreports are now set up.
40 Click Next to go to the following wizard page.

Page 109: Getting Started


Step 3: Publication and Mail

We will make this report a public report. This means that it will be available on the report portal, and all persons with valid access to this HTML page may view this report. We will also send this report to our own account by e-mail once it is generated.

1 Enter Monthly Device Update into the Report File Name field.
2 Then check the box Public Report.
3 Above the lower panel select the Add e-mail icon.
4 The Define Mail dialog box appears on the screen. To specify recipients as direct recipients, copy recipients or blind copy recipients, proceed in the same way for each.

To enter recipients click the To.../CC.../BCC... button and the Select an Address dialog box appears on the screen.

To select an administrator or administrator group from the list click the Select from List radio button and then select the recipient(s) below. You may specify an administrator group as the recipient; in this case the mail will be sent to all members of this group that have a valid e-mail address entered into their general data tab.

Or you may click the Select Manually radio button and enter any valid e-mail address into the field below. You may also enter more than one address by separating these with a semi-colon, for example, [email protected];[email protected].

5 Then enter Monthly Device Update Report as the Subject of the mail.
6 Click OK to confirm the mail and add it to the list.

7 Click Next to go to the following wizard page.

Step 4: Assigned Objects

It is not necessary to assign this report to a group: we have assigned both subreports to a query and we want to see the information for our whole network. Therefore just click Next to go to the following wizard page.

Step 5: Schedule

Now that the report is set up it remains only to define its generation schedule, on the first of every month. To do so proceed as follows:

1 Check the Immediately radio button in the Execution Date panel.
2 Check the Run Forever radio button in the Termination panel.

Page 110: Getting Started


3 Check the Immediately generate the report box at the bottom of the window. This will generate a report right now for immediate results in addition to the monthly schedule.

4 Now go to the Frequency tab.
5 In the By Schedule panel select the Day of the Month radio button.
6 And select from the list below the value 1st day of the month.
7 Now go to the panel to the right and select the value Once Only in the Period field.
8 In the field below, at, enter the time at which it is to be generated, i.e., at 5 in the morning.
9 Then click the Finish button at the bottom of the window to confirm the new report and immediately generate it.

10 A confirmation window appears now on the screen. To directly move the focus of the console to the newly created report click Yes.

11 The console will now display the main view of the newly created report.
12 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
13 A new browser window or browser tab opens to display the report.
14 Enter admin as your login in the appearing window.

Page 111: Getting Started


15

6.2 Report Options

The following paragraphs provide a number of options for the reporting functionality of the Numara Asset Management Platform.

(a) Report Results

Each time a report is generated, a new node is created in the Report Results node. If no specific name is provided, the node is named after the local generation date and time of the computer on which the report is generated. These report results are also automatically sorted in folders if they are generated for device groups. This is valid for the Report Results subnode of the respective report as well as for the Report Results subnode of any device or vulnerability group the report is assigned to.

Each node for an individual report, as well as every object which may be assigned to a report, has a subnode called Report Results. All reports that were generated are stored under this node. From here you may display all generated versions of the report.

(b) Report with Two Subreports

This report displays the same data once in the form of a table and then in the form of a pie chart for the Operational Rule Status report (Report 5:).

To view the generated report via the Report Results node see Option (a).

Page 112: Getting Started


1 At Step 2a: Point 1 (page 100), select Style 5 from the Report Style field.
2 The field below Subreport Count will change from 1 to 2.

3 Continue with Step 2b: (page 101) for Subreport 1.
4 Then select the tab for the second subreport, Subreport 2 and again repeat the steps of Step 2b: (page 101).
5 At the end add two more columns:

Select the Status value from directly under the Available Columns, with the Count operator and the Sort Order None.
Select the Status value again from directly under the Available Columns, with the None operator and the Sort Order None and the Group By box checked.

6

7 Now select the Pie Chart option from the Subreport Format box.

These two columns are absolutely obligatory for any type of graphical display. If these are not provided the data may only be displayed in form of a table.

Page 113: Getting Started


8 You can see that the original Data list field was now split in two, and the selected attributes were divided as required.

9 To have a preview of the newly created subreport select the Subreport Preview button at the bottom.
10 Enter again your login in the appearing window.
11 A new browser window or tab opens and displays the report. This view displays now a preview of the subreport.
12 Continue with Step 2c: to finish defining and then generate the report.

(c) Modify the Number of Subreports

If, after setting up a report, you find that you need more information in this report provided by other subreports, you may change the report style and add more subreports. In this example we will extend the Operational Rule Status report with two more subreports: one which shows the same data as the initial report in pie chart format, and a second which displays data regarding the operational rules themselves.

1 Select the Operational Rule Status report (Report 5:) in the right window pane and then select the Properties icon in the icon bar.

2 In the appearing Properties window go to the field Report Style and select from its drop-down list the item Style 3. Then click OK to close the window.

3 The field below Subreport Count will change from 1 to 3.

Page 114: Getting Started


4 The node in the left window pane will now display three subnodes.

5 The data defined for Subreport 1 will remain as they were defined in the main example.
6 Now the same data must be defined for the graphical representation of this data.
7 If you have done Option (b) you may continue directly with Point 13 below.
8 For this select the second subreport, Subreport 2, in the left window pane and again repeat the steps of Step 2b: (page 101) of the main report procedure.
9 Then add two more columns:

Select the Status value from directly under the Available Columns, with the Count operator and the Sort Order None.
Select the Status value again from directly under the Available Columns, with the None operator and the Sort Order None and the Group By box checked.

10

11 Then select the Format tab.
12 Select from the Subreport Format box the Pie Chart option.

These two columns are absolutely obligatory for any type of graphical display. If these are not provided the data may only be displayed in form of a table.

Page 115: Getting Started


13 The third subreport will show a list in table format displaying more information about the operational rules themselves, i.e. their type, who created them and when, etc.

14 For this select the third subreport, Subreport 3, in the left window pane and go to its Columns tab.
15 In the Query drop-down box at the top of the table, select again the Operational Rule Status query.
16 Then either choose the Edit->Add Column menu item or click the respective icon in the icon bar to add your first column to the report.
17 The Select Report Columns dialog box will appear on the screen.
18 The left list window of the dialog box (Available Columns) will display all available attributes for this query.
19 First click the Operational Rules folder and select the Name attribute, with the None operator and the Sort Order Ascending, as we want the table sorted by the operational rule names.
20 Click the Add button to move the attribute to the list of Selected Columns.
21 Then select the Type attribute, with the None operator and the Sort Order None as well. This attribute will display if the rule is a general operational rule, a software distribution or a patch rule.
22 Click the Add button again.
23 Then select the Notes attribute. This will display any comments that were added to the rule by its creator.
24 Click the Add button again.
25 The next column will be the Created By attribute.
26 Click the Add button again.
27 And the final column will be the Create Time attribute. These two will display who initially created the rule and when it was created.
28 Click the Add button again.
29 Click OK to close the window.

Page 116: Getting Started


30 As the table is the preselected format for the report we do not need to modify it.
31 To have a preview of the newly created report select it again in the left window pane and then the Edit->View menu item or select the respective icon in the toolbar.

(d) Regularly Execute a Report

To generate the report regularly and/or at a specific time proceed as explained below. For our example here we will generate the report every week on Sunday night. This way we can start examining the data right away on Monday morning:

1 In window Step 2e: Schedule of the wizard make the following modifications:
2 Check the Immediately radio button in the Execution Date panel.
3 Check the Run Forever radio button in the Termination panel.
4 Check the Immediately generate the report box at the bottom of the window. This will generate a report right now for immediate results in addition to the monthly schedule.

5 Now go to the Frequency tab.
6 In the By Schedule panel select the Day of the Week radio button.

Page 117: Getting Started


7 Now uncheck all boxes in the field below apart from the Sunday box.
8 Now go to the panel to the right and select the value Once Only in the Period field.
9 In the field below, at, enter the time at which it is to be generated, i.e., at 5 in the morning.

10 Then click the Finish button at the bottom of the window to confirm the new report and immediately generate it.

11 Continue as described by Step 3: View Report of the general procedure.

(e) Modify the Generation Schedule Later

To schedule a report to be generated at a specific time and/or date or be generated at regular intervals do the following:

1 Select the Hardware Summary List report in the left window pane.
2 Select the Assigned Schedule tab in the right window pane. The table displays the schedule for the report, which is currently disabled.

3 To modify the schedule either double-click the table entry or select the Properties icon in the icon bar.
4 The Scheduler window will open on the screen on the Validity tab.
5 In the Execution Date box define when to run the report. In our example we will select the Immediately radio button to see the outcome right away.

Page 118: Getting Started


6 Then go to the Termination box below, click the Run Forever radio button.
7 Now select the Frequency tab and make the following changes.
8 Check the Day of the Week radio button.
9 The checkboxes for the weekdays become accessible. Uncheck all boxes apart from Friday.
10 In the Period drop-down field select the value Once Only.

11 In the field below select the time at which to execute the inventory collection, e.g., 21:00. To modify the minute value just click in the field with the selected value and change the value, e.g. to 21:30.

12 Click OK to confirm the new schedule and close the window.
13 The new schedule is effective as of now. The report will execute from now on every Friday at 21:00 until the schedule is modified again.

(f) Reports in HTML, XML and PDF

Template-based reports may be generated directly in different formats at the same time. The available formats are HTML, the standard selection, as well as XML and PDF. If more than one format is chosen, one file per format and report is generated and made available. For example, to generate the Situation by Vulnerability report not only in HTML but also in XML and PDF proceed as follows:

1 At Point 4 (page 98) also check the boxes Generate in XML and Generate PDF in the Properties window.

Page 119: Getting Started


2 Then continue the procedure as described.
3 Once the report is generated it will be available in all three formats.

(g) Reports in the Report Portal

The Report Portal is a service provided by the master server which makes reports publicly available to everybody with the right credentials. To access the report portal type the following address into the browser window: http://<master name>:<master port>/report. This page provides the list of all reports which have been generated and been defined as public reports. By default these reports are stored indefinitely. (This value may be modified in the database configuration file; for more information on this subject please refer to section [DeleteThread] on page 29 in chapter Vision64Database.ini in the Reference Manual.)

The Report Portal displays the following information about the available reports:

Name: This field displays the automatically generated name of the available report or the name as defined in the Report File Name field in the general report definition.
Report Title: This field displays the title of the report.
Create Time: The date and time at which the report was actually generated.
Group Name: The name of the device group if the report is assigned to one. If a report is assigned to more than one group, a separate table entry can be found for each assigned device group.

Page 120: Getting Started


To make a report available on the report portal proceed as follows, for example for the Operational Rule Status report (Report 5:):

1 At Step 2c: Publication and Mail (page 101) also check the box for option Public Report in the Properties window.

2 Then continue the procedure as described.
3 Once the report is generated it will become available on the Report Portal.

(h) Report on All Failed Operational Rule Executions

To make the report show all operational rules for all devices on which their execution failed, it is not the report but the query, i.e. the data on which the report is based, that must be modified. To modify the query proceed as follows:

1 Select the Operational Rule Status query in the left window pane and go to the Criteria tab.
2 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion menu item or click the respective icon in the icon bar.
3 The Select Criterion popup window will appear on the screen. It displays the list of available criteria in its left list field.

Page 121: Getting Started


4 Select the criterion Status.
5 Click the Find button.
6 The Search Criteria popup appears on the screen. It provides the list of all existing operational rule statuses.

7 Select the status Execution Failed and click OK.
8 The selected option will now be displayed in the Value field of the Criterion Description window.
9 Click the Add button to add the criterion to the query.
10 Click OK to confirm the new criterion and close the window.
11 To activate the query now select the green coloured option active on top of the table.


12 Select the Preview tab where you can see a preview of the query’s results.
13 Now that the query is modified you only need to regenerate the report by selecting the Edit->Generate Report menu item or the respective icon in the icon bar.
14 A confirmation window appears on the screen; click the OK button to confirm.
15 The report will be created immediately using the current data in the database.
16 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.


Section II

Advanced Management Suite

This second section of the Getting Started manual introduces you to the advanced functionalities of the Numara Asset Management Platform and their specific objects. The examples and exercises in these chapters are based on those of the first section; we therefore recommend that you do these first.

This section is divided into the following chapters:

• Operating System Deployment Step-by-Step
• Software Distribution Step-by-Step
• Resource Monitoring Step-by-Step
• Application Management Step-by-Step
• Power Management Step-by-Step
• Peripheral Device and Data Control - Step by Step
• Patch Management Step-by-Step
• Vulnerability Management Step-by-Step
• Device Compliance Step-by-Step
• Setting Up Security

Be aware that most of these functionalities require a specific license; they are not included in the basic Numara Asset Management Platform license. You may however try all these functionalities with the trial license provided with the product. This license is valid for 15 days and allows you a total of 20 devices for testing the different topics.


7 Operating System Deployment Step-by-Step

To be able to execute the examples described in this chapter, a number of general Numara Asset Management Platform as well as OS deployment prerequisites must be fulfilled; these are listed in the following two paragraphs. The examples will then guide you step by step through the different possible procedures for installing a new operating system on a remote device or creating a new image to be deployed. The procedures, however, only refer to parameters that need to be filled in or modified; parameters for which the pre-entered default values are used are not mentioned here. You will find detailed information on these parameters in the general OS Deployment manual.

Numara Asset Management Platform Prerequisites

To execute the examples provided in this chapter we assume that:

• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the NAMP console and its workings.

Deployment Lab Prerequisites

Before deployments are launched in your infrastructure they should be tested in a lab environment. The following paragraphs list the components and prerequisites for this lab.

OSD Manager

The OSD Manager is a device of the NAMP infrastructure located within a subnet. For our example here we will select the master as the OSD Manager. The following prerequisites apply to this device:

• The device acting as the OSD Manager must have one of the following operating systems: Windows 2000 (minimum Service Pack 4), Windows 2003, Windows XP, Windows Vista or Windows 2008.

• The WAIK (Windows Automated Installation Kit) for Windows 7 must be installed on the OSD Manager/TFTP server device.

• The TFTP server will execute the function of OSD Manager, i.e., it will be responsible for the OS deployments. Each subnet can only have one OSD Manager/TFTP server. The TFTP server must be configured as follows:
1 An InstallTFTP.bat file is available on the Numara Asset Management Platform Installation DVD in directory support\OSD that contains all configuration settings for the TFTP server.
  a Copy the InstallTFTP.bat file to directory c:\InstallTFTPServer. If you copy the files to another directory make sure to modify the corresponding path in the InstallTFTP.bat file.
  b Also copy from a Windows 2003 installation disk the files TFTP.EX_ and TFTPD.EX_ to the same directory.
  c Launch the InstallTFTP.bat file.
  d The TFTP server is now configured as required.
2 The TFTP server directory must be shared with read and write permission to everyone.

• The TFTP port must be opened on the firewall (by default this is UDP port 69).

• The directory C:\PXETFTP must be defined as the TFTP root directory and it must be shared with write access. To add the access proceed as follows:
1 Select the C:\PXETFTP directory in the tree in the left part of the Explorer window.
2 Then right click the mouse and select the Properties option in the pop-up menu.
3 The Properties window appears for the selected directory.


4 First go to the Share tab.
5 Make sure the Share Directory option is selected; if this is not so select it now.
6 Then go to the Security tab (NTFS only).
7 Select the user group which will be defined for the access to this directory; it is recommended to NOT use everyone.
8 The Permissions box below will now display the access rights accorded to this group. Make sure it has the box Full Control for Allow checked. If this is not the case mark it now.
9 Then click Add above the box to validate the modification.
10 Click Apply to confirm all modifications and activate them.
11 Then click OK to confirm and close the window.

• It is recommended to create a dump of all drivers required for the target devices on the OSD Manager, as this facilitates the selection of the required drivers during the project setup. For this create a specific directory for these drivers with an intuitive subdirectory structure, e.g., split up by operating system, each of these split by driver type, etc.

DHCP Server

The DHCP server may be located on the same device as the OSD Manager; however, it is recommended to use a different device. It may be either a Windows or a Linux server and must be configured as follows:

• Windows DHCP Server

The DHCP server expected is a Windows 2000 or 2003 server edition component. The DHCP configuration required to use PXE may be done through the user interface or the command line. The details of the required parameters and an example of the command lines to type in are as follows:

Option 060: PXE Client
Some computers have compatibility issues, depending on their PXE version. This parameter is not mandatory.
Value: PXEClient

Option 066: TFTP boot server host name
Host name or IP address of the TFTP server. This is the IP address of the future TFTP server.
Value: 192.168.0.52

Option 067: Bootfile Name
NBP file name that the computer has to load from the TFTP server.
Value: pxelinux.0

Option 043: Vendor Specific Info
Indicates to the PXE client that the DHCP server is also the TFTP server.
Value: 01 04 00 00 00 00 ff

The tool to edit these options through the command line is named “netsh.exe”; it is present in the regular installation of Windows XP and 2003, but optional on Windows 2000 Server Edition. The command lines to set those options are executed locally, on the DHCP server:

netsh dhcp server add optiondef 60 PXEClient String 0 comment=<comment>

netsh dhcp server scope 192.168.0.0 set optionvalue 060 STRING PXEClient

netsh dhcp server scope 192.168.0.0 set optionvalue 066 STRING <TFTP server address>

netsh dhcp server scope 192.168.0.0 set optionvalue 067 STRING pxelinux.0

netsh dhcp server scope 192.168.0.0 set optionvalue 043 BINARY 010400000000ff

It is possible to reserve an IP address, name and description for a particular incoming MAC address:

netsh dhcp server scope 192.168.0.0 add reservedip <IP Address> <MAC Address> <Machine name> "<Machine description>" {DHCP|BOOTP|BOTH}

Later on, to remove this entry, the command is:

netsh dhcp server scope 192.168.0.0 delete reservedip <IP Address> <MAC Address>

Example:

netsh dhcp server add optiondef 60 PXEClient String 0 comment="PXE support"

netsh dhcp server scope 192.168.0.0 set optionvalue 060 STRING PXEClient

netsh dhcp server scope 192.168.0.0 set optionvalue 066 STRING 192.168.0.52


netsh dhcp server scope 192.168.0.0 set optionvalue 067 STRING pxelinux.0

netsh dhcp server scope 192.168.0.0 set optionvalue 043 BINARY 010400000000ff

To reserve a particular IP address for a MAC address (this will have to be done for each machine):

netsh dhcp server scope 192.168.0.0 add reservedip 192.168.0.112 00504A81F1F1 targetname "Target description" BOOTP

Delete reservation:

netsh dhcp server scope 192.168.0.0 delete reservedip 192.168.0.112 00504A81F1F1

Important: On Windows 2000 Server and Advanced Server, setting option 43 via netsh will fail with the following error: “DHCP Server Scope Set OptionValue failed”, if the hotfix KB884119 is not installed or superseded. (See http://support.microsoft.com/kb/884119/ for reference.)
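Because the reservation has to be repeated for each machine, the netsh lines are usually generated from an inventory rather than typed. The following added example (not part of the Numara manual) checks the values before it emits the commands shown above, so that a malformed option 43 value or a description containing shell metacharacters never reaches the DHCP server. Assumptions: the function names are hypothetical, the scope 192.168.0.0 is taken to be a /24 network, and the wizard's 15-character target-name rule is applied to the reservation name.

```python
import ipaddress
import re

# Characters cmd.exe treats specially; refused in free text so a description
# cannot change the command line it is pasted into.
CMD_META = set('"&|<>^%\r\n')
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")  # assumption: wizard target-name rule
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")


def decode_option43(hex_text):
    """Split an option 43 value into (tag, data) sub-options.

    The value is a run of tag/length/data triplets closed by the end
    marker 0xff. Raises ValueError when the structure is malformed.
    """
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    subopts, i = [], 0
    while i < len(raw):
        tag = raw[i]
        if tag == 0xFF:
            if i != len(raw) - 1:
                raise ValueError("data after the 0xff end marker")
            return subopts
        if i + 1 >= len(raw):
            raise ValueError("sub-option %d has no length byte" % tag)
        length = raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d is truncated" % tag)
        subopts.append((tag, data))
        i += 2 + length
    raise ValueError("missing 0xff end marker")


def check_server(value):
    """Accept a dotted IPv4 address or a host name, nothing else."""
    try:
        ipaddress.IPv4Address(value)
        return
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", value) or not HOST_RE.fullmatch(value):
        raise ValueError("bad TFTP server name: %r" % value)


def option_commands(scope, tftp_server, option43_hex="010400000000ff"):
    """Return the four 'set optionvalue' lines for one scope."""
    ipaddress.IPv4Address(scope)
    check_server(tftp_server)
    decode_option43(option43_hex)
    prefix = "netsh dhcp server scope %s set optionvalue " % scope
    return [
        prefix + "060 STRING PXEClient",
        prefix + "066 STRING %s" % tftp_server,
        prefix + "067 STRING pxelinux.0",
        prefix + "043 BINARY %s" % option43_hex.replace(" ", "").lower(),
    ]


def reservation_command(scope_cidr, ip, mac, name, description, kind="BOOTP"):
    """Return one 'add reservedip' line after validating every field."""
    net = ipaddress.IPv4Network(scope_cidr)  # assumption: mask supplied by caller
    addr = ipaddress.IPv4Address(ip)
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        raise ValueError("%s is not a host address in %s" % (ip, net))
    mac_hex = re.sub(r"[:.-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", mac_hex):
        raise ValueError("bad MAC address: %r" % mac)
    if not NAME_RE.fullmatch(name):
        raise ValueError("bad machine name: %r" % name)
    if not description or CMD_META & set(description):
        raise ValueError("description is empty or contains cmd metacharacters")
    if kind not in ("DHCP", "BOOTP", "BOTH"):
        raise ValueError("kind must be DHCP, BOOTP or BOTH")
    return 'netsh dhcp server scope %s add reservedip %s %s %s "%s" %s' % (
        net.network_address, addr, mac_hex, name, description, kind)


if __name__ == "__main__":
    for line in option_commands("192.168.0.0", "192.168.0.52"):
        print(line)
    print(reservation_command("192.168.0.0/24", "192.168.0.112",
                              "00:50:4a:81:f1:f1", "targetname",
                              "Target description"))
```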

• Linux DHCP Server

For a Linux DHCP server (dhcpd) the following lines must be added to the dhcpd.conf file:

allow booting;
allow bootp;
class "pxeclients" {
  match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
  next-server <OSD Manager IP address>;
  filename "pxelinux.0";
}

Then the DHCP server must be rebooted.
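The next-server and filename statements decide which server and which boot file every PXE client in the subnet loads, so they are worth checking whenever dhcpd.conf changes. The following added example (not part of the Numara manual) parses a dhcpd.conf and reports any deviation from the lines listed above. Assumptions: the function names and both sample files are constructed for illustration, the OSD Manager is the only boot server the file should name, and the simple tokenizer does not handle `;`, `{`, `}` or `#` inside quoted strings.

```python
import re

PXE_CLASS = 'class "pxeclients"'

# Constructed sample: the lines from the manual with the example TFTP address.
SAMPLE_GOOD = '''
allow booting;
allow bootp;
class "pxeclients" {
  match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
  next-server 192.168.0.52;
  filename "pxelinux.0";
}
'''

# Constructed sample: 'allow bootp' is missing and one host entry points
# to a different boot server.
SAMPLE_CHANGED = '''
allow booting;
class "pxeclients" {
  match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
  next-server 192.168.0.52;
  filename "pxelinux.0";
}
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;
  host lab7 {
    hardware ethernet 00:50:4a:81:f1:f1;
    next-server 192.168.0.77;   # differs from the OSD Manager
  }
}
'''


def boot_directives(conf_text):
    """Return (scope, keyword, value) for every block opening and every
    allow / next-server / filename statement, with the enclosing scope."""
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    found, scopes = [], []
    for stmt, term in re.findall(r"([^;{}]*)([;{}])", text):
        stmt = " ".join(stmt.split())
        scope = scopes[-1] if scopes else "global"
        if term == "{":
            found.append((scope, "block", stmt))
            scopes.append(stmt)
        elif term == "}":
            if scopes:
                scopes.pop()
        else:
            words = stmt.split(None, 1)
            if len(words) == 2 and words[0] in ("allow", "next-server", "filename"):
                found.append((scope, words[0], words[1].strip('"')))
    return found


def audit(conf_text, expected_server, expected_file="pxelinux.0"):
    """Return a list of findings; an empty list means the file matches."""
    found = boot_directives(conf_text)
    issues = []
    for flag in ("booting", "bootp"):
        if ("global", "allow", flag) not in found:
            issues.append("missing global 'allow %s;'" % flag)
    expected = {"next-server": expected_server, "filename": expected_file}
    if ("global", "block", PXE_CLASS) not in found:
        issues.append("no %s block" % PXE_CLASS)
    else:
        for keyword in expected:
            if not any(f[:2] == (PXE_CLASS, keyword) for f in found):
                issues.append("%s has no %s statement" % (PXE_CLASS, keyword))
    # Any boot server or boot file other than the expected one is reported,
    # wherever in the file it is set.
    for scope, keyword, value in found:
        if keyword in expected and value != expected[keyword]:
            issues.append("%s: %s is %s, expected %s"
                          % (scope, keyword, value, expected[keyword]))
    return issues


if __name__ == "__main__":
    for name, conf in (("good", SAMPLE_GOOD), ("changed", SAMPLE_CHANGED)):
        print(name, audit(conf, "192.168.0.52") or "OK")
```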

Sysprep Deployment

The Sysprep deployment has a number of limitations as follows:

• A uniprocessor/core image can only be deployed on other uniprocessor/core devices.
• A multiprocessor/core image can only be deployed on other multiprocessor/core devices.
• The operating system language is fixed by the initial capture.
• No static IP address may be used.
• The administrator login/password of the captured system must be the same as the one specified in the deployment parameters in the unattended information tab. If this is not the case an invalid login and/or password Windows error is generated.

Storage Device

At least one device with network shares on which the OS setup, image and ghost to be deployed may be stored is necessary. For this you may use the OSD Manager or the DHCP server; however, it is recommended to use a dedicated device. In our examples we will deploy the 64 bit version of Windows Vista, therefore these setup and image files must be copied to a share called \Vista64; a ghost image is to be copied to a directory called \Ghosts64. This directory must contain the ghost executable file as well as the ghost image. Be aware that Windows NT, 2000 and XP have a limit for concurrent SMB connections per share, so a Linux server with a Samba share or a Windows Server Edition is advised.

If it is located on the OSD Manager, the same user as for the PXETFTP share must be used, otherwise Windows will not be able to locate the storage share at deployment time.

Target Devices

Three devices (with or without an operating system installed) must be available in the vicinity of your test environment to which the operating system may be deployed via the different deployment types. These devices must have PXE boot set as the first boot device in the BIOS.

7.1 Operating System Deployment

The following paragraphs will guide you through the different possibilities of the operating system deployment in NAMP. Specifically we will execute one example for each of the four possible operating system deployments:

1 OS Deployment - Setup Mode
2 WIM Image Capture
3 OS Deployment - WIM Image Mode
4 OS Deployment - Custom Mode

7.1.1 OSD Manager Configuration

All these different types of deployment, however, require the selection and configuration of the OSD Manager before any operation may be executed. This is the same for all types and is done in the first two windows of the OS Deployment Wizard. Once configured you may just click your way through these two windows for any further deployments.

1 To launch the OS Deployment Wizard either select the Wizards->OS Deployment menu item or click the respective icon in the icon bar.

2 The wizard appears on the screen with its first window.

Step 1: OSD Manager

Here you may either select an existing OSD Manager or specify a new one.

1 For our first example we will select the device displayed in the window, the master, which is always defined as OSD Manager by default if it is installed on a Windows operating system.

If your master is installed on a non-Windows operating system you need to first define a device as OSD Manager. Go to Option (i) to do so.

2 Click Next to go to the following wizard page.

Step 2: OSD Manager Configuration

The second wizard window allows you to specifically configure the OSD Manager. You must provide the following information for this:

1 Enter the following values into the respective fields:


Name: This field displays the name of the currently selected OSD Manager.

Windows AIK Installation Path: Enter into this field the path to the WAIK. If you do not enter any value the default installation path (C:\Program Files\Windows AIK) will be used. To directly select the path click the Select button next to the field. A popup window will appear with the directory structure of the device where you can directly select the installation directory. Click OK to confirm and close the window.

TFTP Port (UDP): Modify the port number if you need to use another than the default number 69.

TFTP Local Path: Enter into this field the local path to the shared TFTP server directory. To directly select the path click the Select button next to the field. A popup window will appear with the directory structure of the device where you can directly select the path. Click OK to confirm and close the window.

TFTP UNC Path: This field displays the network path to the shared TFTP server directory. Once you select and confirm the TFTP Local Path this field will be automatically filled in.

TFTP UNC Credentials: Into these fields you must enter the access credentials to the shared TFTP server. Read and Write permissions are required for this.
1 To add or edit the credentials click the Edit button to the right.
2 The Properties window will appear on the screen.
3 Enter a login name that provides you with read and write access into the Login field and the corresponding password in the respective fields. The login name must have one of the following formats:
<domain name>\<user login>
<local host name>\<user login>
When the popup is opened for the first time, the wizard will preenter the device name into the field according to the <local host name>\<user login> scheme.
4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now be displayed in clear text format.
5 To confirm the credentials click the OK button at the bottom of the window.
6 The account will be added in the wizard window fields.


Driver Root Folder: This field contains the complete path of the directory where the drivers will be copied to for later use. The default directory for this is <InstallDir>\Master\data\OSDeployment\drivers\. Do not modify this value if you are following a standard deployment. To directly select the path click the Select button next to the field. A popup window will appear with the directory structure of the device where you can directly select a different directory. Click OK to confirm and close the window.

DHCP Server Address: The IP address or DNS name of the DHCP server which will redirect the PXE requests to the local TFTP server. The DHCP server must have the protocol BOOTP activated.

Skip DHCP Check: If the DHCP server is installed on the same device as the OSD Manager device you must check this box, as the DHCP server cannot be verified in this case. This test verifies if the BOOTP protocol is activated on the DHCP server.

2 Once all parameters are defined, they must be verified. Until the verification is executed and returns the Status OK - Initialisation Complete, the wizard cannot continue. When checking the parameters the wizard will highlight the problem field(s) in red if the entry in one of the fields is incorrect.
3 To verify click the Check Environment button to the right of the Status field.
4 AMP will now verify all entries of this page, i.e. the directories as well as the access rights to them and the DHCP server address if it is installed on another device.
5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field indicating where the parameter value is not correct.
6 Once the Status OK is returned click Next to go to the following wizard page.

Be aware that the first initialisation will take several minutes.

7.1.2 OS Deployment - Setup Mode

Our first example will deploy a 32 bit Vista operating system to a device via the Setup Mode. This mode is executed via an unattended file which, so to speak, takes the role of the user entering the required information during the installation process.

Step 3: Deployment Type

In the third wizard window you need to select which type of deployment is to be executed. For our first example we will use the Setup Mode which is also the preselected option. Do not modify anything in this window and click Next to go to the following wizard page.


Step 4: Project Parameters

The deployment of a new operating system to a number of targets is managed in its entirety by a NAMP object called project.

1 This next window defines the parameters for the deployment project, which are the following:

Name: Enter a self-explanatory name for the project into this field, for example Vista (64 bit) Setup Deployment.

Architecture: This field indicates the type of architecture for the OS deployment, i.e., the architecture of the WinPE image launching the setup program. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows installations. Select the 64 Bit option for the 64 bit Vista setup deployment.

Target Drive: Select from this field the drive letter on which the operating system is to be installed. In our example we will use the C drive, therefore select C from this field.

2 Click Next to go to the following wizard page.

Step 5: Image

This wizard window allows you to either select an existing or create a new operating system image which is to be deployed by the setup. Images exist for all types of deployment, but the list displayed in this window is already filtered and will only show the images created for the respective selected deployment type.

The wizard window is still empty as no images have yet been created. The option to create a new image (Create a new OS image or setup) is selected by default, therefore click Next to go directly to the following wizard page to define the parameters of the new image.

Step 6: Image Parameters

This next window allows you to define the parameters for the setup image.

1 The following parameters must be defined:


Name: Enter a descriptive name for the image in the Name field, for example Vista (64 bit) Setup Image.

Architecture: This field indicates the type of architecture the image is to be applicable to. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows installations.

Type: This parameter defines the image type being used for the deployment. This list is already prefiltered and only provides image types applicable to the selected deployment mode. Possible values here are Windows Vista/Server 2008/7 Setup and Windows XP/Server 2003 Setup. For our example select the Windows Vista/Server 2008/7 Setup option.

Location: Enter into this field the network path to the image or setup folder, where you copied the image files required for the installation, e.g. \\192.168.196.13\Vista64. This is the folder which contains the setup.exe file for the deployment. This directory may be located on any device in your network, as long as it can be accessed by the OSD Manager.

Connection Parameters: The login and password to be used by the deploying device to access the network location in read and write mode.
1 To enter the login information click the Edit button next to the non-editable fields.
2 A Properties window appears on the screen in which you must enter the login name and corresponding password in the respective fields and re-enter the password for confirmation. The login name must have one of the following formats:
<domain name>\<user login>
<local host name>\<user login>
Be aware that . is not a valid domain in this case.
3 For security reasons the passwords will only be displayed in the form of asterisks.
4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now be displayed in clear text format.
5 To confirm the credentials click the OK button at the bottom of the window.
6 The account will be added in the wizard window fields.

2 Once all parameters are defined, they must be verified. Until the verification is executed and returns the Status OK, the wizard cannot continue.
3 To verify click the Check Image button to the right of the Status field.
4 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it.
5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field indicating where the parameter value is not correct.
6 Once the Status OK is returned click Next to go to the following wizard page.

Step 7: Image Drivers

In this step of the OSD wizard the drivers must be defined which will be used by the Windows Setup after installation. This is the equivalent of manually inserting the driver floppy during the installation process. Here you can define all drivers that may be needed by the deployed operating system to run properly. The drivers must be defined here as well in their usual .inf format. If you are creating an XP setup and your targets use a SATA disk, do not forget to add the required SATA driver here as well.

1 By default no drivers are predefined, therefore this list field is empty.
2 For this example we will first add an Ethernet network driver.
3 To do so click the Create Driver icon above the list field.
4 The Create a New Driver window appears on the screen.
5 Enter the following data into the respective fields:

Name: Enter a name for the new driver, for example Ethernet Network Driver.

Driver Type: This drop down list defines the type of the driver, i.e. if it is a network driver, a SATA disk driver, a keyboard driver, etc. Select the Modem/Network Driver value from the list.

Driver .inf File: Enter into this field the name and path of the .inf file of the driver. This is the path on the local device, i.e. the OSD Manager, and is to be entered as such with the drive letter as well as the name of the file, e.g. D:/Drivers/TEXTORM/chipset/Vista32/Ethernet/nvfd6032.inf. You may also indicate a path to a removable device, such as a DVD drive, as the driver files will be copied to a specific directory in the Numara Deployment Manager.
1 To find the file in its directory structure click the Select button next to the field.
2 The Driver File from <Device> window appears on the screen.
3 It provides the directory structure of the currently selected OSD Manager.
4 Browse the directories to find the correct file, select it and then click the OK button to add it.

6 Once all parameters are defined, they must be verified. Until the verification is executed and returns the Status OK, the wizard cannot continue.
7 To verify click the Check Driver button to the right of the Status field.
8 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it, and fill in the remaining fields with the recovered information, such as the list of driver files.
9 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field indicating where the parameter value is not correct.
10 Once the Status OK is returned click the OK button to add the new driver to the list and return to the Image Drivers window.
11 Now the driver appears in the list of available drivers.
12 Repeat steps 2 to 9 to add other drivers. The drivers defined here must be compliant with the image to be deployed.
13 Then click Next to go to the following wizard page.

Step 8: Target List

The next step in the OS deployment procedure is to select the deployment targets. Targets are not defined via groups, as these may only contain devices with a NAMP agent installed; they are managed via target lists, which may also contain devices without a NAMP agent. The individual targets are then added to these lists. This may be done in a number of different ways. In our example here we will only have one target device which will be added as a single device.

The option to create a new target list (Create a new target list) is selected by default, therefore click Next to go directly to the following wizard page to define the members of the new target list.

A target list can only be assigned to one project at a time. To use it with another project and have it be available in this list it must first be unassigned from its current project.


Step 9: Target List Configuration

In this step of the wizard you must select the deployment targets which are collected in the target list.

1 The first step is to enter the name Vista Setup Target List into the Name field.
2 Then select the template of the unattended file that is to be used for the deployment. You may either use the template which is provided by Numara, leave the field empty, or you may use your own custom defined file. For this example we will use the Numara default file, therefore do not modify the entry.

3 This deployment will only have one target device and we will add it as a new target.

4 For this select the Create Target icon on top of the empty list field.

If the unattended file template field is empty, the OSD Manager will use the default unattended file template corresponding to the image type.

To add target devices via lists see Option (a) now.

To add existing devices as targets see Option (b) now.

To add target devices via a PXE subnet see Option (c) now.


5 The Create a New Target window appears on the screen with its three tabs, General Information, Parameters and Unattended Information.

6 Enter the following information into the respective fields of the General Information tab for the new device:

Name: Enter into this field the short name that the new device is to have, e.g., scotty. Be aware that the name of the new target may only have a maximum of 15 characters and may only contain the following characters: A-Z, a-z, 0-9, the underscore (_) and a dash (-).

Target: Leave the radio button selected as we are defining a single target and enter the information for at least one of the three following fields. If the device is already up and running the wizard will recover information regarding the MAC address, based on the provided IP address or DNS name.

MAC Address: Enter into this field the current MAC address of the target device. This is the most precise information to identify the device and should be preferred to the other two following identification options.

IP Address: Enter into this field the current IP address of the target device. This option may be used if the MAC address is unknown and the device is already running. In this case the respective target device will try to find its MAC address and provide this information.

DNS: Enter into this field the current DNS information of the target device. This option may be used if the MAC and IP addresses are unknown and the device is already running. In this case the respective target device will try to find its IP address which in turn will then search for the MAC address and provide this information.

7 Then select the Parameters tab and fill in the fields for the target operating system information.

Edition: Select from the drop-down box the Windows edition that is being installed, e.g. Windows Vista Enterprise. The listed editions have been automatically detected from the installation CD/DVD.

Language: Select from the drop-down box the language. This language setting will be applicable to the setup, the operating system to be installed, the keyboard layout and the user locale. The listed languages have been automatically detected from the installation CD/DVD.

Product Key: This field defines the preformatted input for the OS product key (e.g.: ABCDE-FGHIJ-KLMNO-PQRST-UVWXY). Replace the standard key already entered in this field with the key provided by Microsoft on your installation DVD.

TCP/IP Parameters: Leave the preselected option Dynamic IP in this box; this will automatically assign the target device its new IP address via DHCP.

8 Then select the Unattended Information tab and fill in the fields for your organisation.

To add target devices with static IP addressing see Option (e) now.


Screen Resolution: Select from the drop down list the appropriate screen resolution for the monitor of the target device.

Colour Depth: Select from the drop down list the appropriate colour depth for the monitor of the target device.

Refresh Rate: Select from the drop down list the appropriate refresh rate for the monitor of the target device.

Resolution (DPI): Select from the drop down list the appropriate DPI value for the target device.

Organisation: Enter into this field the name of your company, e.g. Numara Software. This is the value that will appear in the license window of the operating system.

Workgroup: Enter into this field the name of the workgroup to which the newly installed device is to belong, e.g., WORKGROUP. This field will be ignored if a domain is specified.

Administrator Login: Enter into this field the login name for the administrator that is to be created for the newly installed OS with full administrator rights accorded for the new device. For Vista and later versions this field is preset by Microsoft and modifications will be ignored.

Administrator Password: Enter into this field the corresponding password.

User Login: Enter into this field the login name with which the user is to log on to his device and which provides him with the required user rights. This field is only applicable to Vista and later.

User Password: Enter into this field the respective password to be used (Vista and later only).

Time Zone: Select from this drop down list the time zone which is to be applied to the new device, i.e. in which it is located.

Full Name: Enter into this field the complete name of the user that is to use the new device, e.g. Jane Doe.

Domain: Enter into this field the name of the domain the new device should belong to, e.g. TESTLAB. Do not enter anything into this field if you have provided Workgroup information, as this value will override it.

Domain Administrator Name: Enter into this field the login name of the domain administrator with which he may access the new device.

Domain Administrator Password: Enter into this field the corresponding password.

First Logon Command: This field lists the commands to be executed on the first logon; this may be a path to a batch file to execute, e.g. E:\Apps.bat or cmd /c REGEDIT /S E:\Apps\patch.reg. This parameter is only applicable to XP.

9 Then click the OK button at the bottom of the window to confirm the data for the new target device and add it to the target list.

10 Then click Next to go to the following wizard page.

Step 10: Disk Configuration

This wizard window allows you to define the configuration of the disk on which the operating system will be installed. A number of predefined disk configurations are initially provided by Numara and one of these will be used for this first example.

1 In the list of available disk configurations select the Disk with two partitions option.

2 This configuration will create two partitions of the hard disk, the first, the boot or active partition with 30 GB and the second with the remaining space.

3 Then click Next to go to the following wizard page.

Step 11: Drivers

In this step of the OSD wizard the drivers required for the WinPE must be selected. For the deployment to work at least one driver must be selected, i.e. the network driver, as well as the SATA driver if the target disk is a SATA disk.

1 By default no drivers are predefined, therefore this list field is empty.

2 For this example we will first add an Ethernet network driver.

To create a new disk configuration see Option (h) now.

3 To do so click the Create Driver icon above the list field.

4 The Create a New Driver window appears on the screen.

5 Enter the following data into the respective fields:

Name: Enter a name for the new driver, for example WinPE Ethernet Network Driver.

Driver Type: This drop-down list defines if the driver is a network or a SATA disk driver. A network driver is obligatory for each deployment. All drivers must be Vista compliant drivers as they are used by WinPE. Select the WinPE Network value from the list.

Driver .inf File: Enter into this field the name and path of the .inf file of the driver. This is the path on the local device, i.e. the OSD Manager, and is to be entered as such with the drive letter as well as the name of the file, e.g. D:/Drivers/TEXTORM/chipset/Vista32/Ethernet/nvfd6032.inf. You may also indicate a path to a removable device, such as a DVD drive, as the driver files will be copied to a specific directory in the Numara Deployment Manager.

  1 To find the file in its directory structure click the Select button next to the field.

  2 The Driver File from <Device> window appears on the screen.

  3 It provides the directory structure of the currently selected OSD Manager.

  4 Browse the directories to find the correct file, select it and then click the OK button to add it.

6 Once all parameters are defined they must be verified. Until the verification is executed and returns the Status OK, the wizard cannot continue.

7 To verify click the Check Driver button to the right of the Status field.

8 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it, and fill in the remaining fields with the recovered information, such as the list of driver files.

All drivers must be Vista compliant drivers as they are used by WinPE.

9 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field indicating where the parameter value is not correct.

10 Once the Status OK is returned click the OK button to add the new driver to the list and return to the Drivers window.

11 Now the driver appears in the list of available drivers.

12 Repeat steps 2 to 9 to add a SATA driver if you are using a SATA disk. Be aware that the SATA drivers must also be Vista compliant.

13 Then in the Drivers window mark both check boxes next to the added drivers to indicate that they are to be used.

14 Then click Next to go to the following wizard page.

Step 12: Project Build Date

In the last step of the operating system deployment wizard the schedule for the project build and its activation is defined. Building the project means checking that all parameters and values of the project are correct and that all required elements are available and in their correct location.

As we want to activate and execute this first deployment right away leave all values as they are and click Finish to launch the deployment.

Step 13: Project Monitoring

The project will now be built, i.e. all parameters are verified, the files are copied to the location required for the remote installation, etc. You can follow the progress of the project in its console node, as the focus of the console will automatically be moved to this object when the wizard is finished. In this view you can follow the different stages of the build.

If any final status other than Build completed successfully. is displayed, the build failed and you need to review the parameters of the project and possibly the source files.

Be aware that only one project per OSD Manager at a time can be active. If you have more than one deployment project you must schedule them in such a way that they are not launched at the same time and that the first deployment has finished before the next one starts, i.e. that they are not active at the same time. It is however possible to execute simultaneous deployments via different OSD Managers in different subnets. If you activate a new project via this wizard any other project in the same subnet will automatically be deactivated.

Step 14: Deployment Execution

Once the build is successfully completed the files are put at the required location on the OSD Manager for deployment. To now start the actual operating system deployment to the target device you must switch on the device. It will boot on the PXE boot section and the operating system installation is executed.

You can follow the progress of the installation by selecting the Assigned Objects->Target List->Vista Setup Target List node in the left window pane. The right pane displays the target list members with their status information.

7.1.3 WIM Image Capture

As the next example we will use the WIM Image Capture option of the wizard to create a new master WIM image of the device on which we just installed the Vista operating system via the setup mode. This mode makes a snapshot of an existing system on the active disk, usually C, and creates a WIM image of it, which may then be deployed to new devices as we will do in the next example. To start this mode the OS Deployment Wizard must be started again:

1 To launch the OS Deployment Wizard either select the Wizards->OS Deployment menu item or click the respective icon in the icon bar.

2 The wizard appears on the screen with its first window in which the OSD Manager is selected.

3 We only have one OSD Manager which is already preselected.

Do not start the target devices before the project is finished and ready to launch the installation. If the target devices are already running the PXE boot will not find the files for the installation and the deployment and installation of the new OS on the target devices will not take place.

4 Click Next to go to the following wizard page.

5 In this window the parameters of the OSD Manager must be defined.

6 However, we have already done this with the previous example, so you can just click Next to go to the following wizard page.

Step 3: Deployment Type

In this third wizard window you must select which type of deployment is to be executed. For this example we will select the WIM Image Capture option at the bottom. Then click Next to go to the following wizard page.

Step 4: Project Parameters

The capturing and creating of a WIM image which can then be deployed to other devices is also managed by the NAMP object called project.

1 This window defines the parameters for the capture project, which are the following:

Name: Enter a self-explanatory name for the project into this field, for example Vista (64 bit) Capture.

Architecture: This field indicates the type of architecture for the OS deployment, i.e., the architecture of the WinPE image launching the setup program. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows installations. Select the 64 Bit option for the 64 bit Vista capture.

Target Drive: Select from this field the drive letter on which the operating system to be captured is installed. In our example we will use the setup deployment we executed in the previous example, therefore the respective drive is the preselected C drive.

2 Click Next to go to the following wizard page.

Step 5: Image

In this wizard window you must define the base parameters of the WIM image to create. If other images have already been created they will be shown in this list and you may select such an existing image and modify and overwrite it with the new image to create.

The wizard window is still empty as no images have yet been created. The option to create a new image (Create a new OS image or setup) is selected by default, therefore click Next to go directly to the following wizard page to define the parameters of the new image.

In case of a Sysprep capture select Shutdown from the Operation after Installation field.

Step 6: Image Parameters

This window allows you to define the parameters for the WIM image.

1 The following parameters must be defined:

Name: Enter a descriptive name for the image in the Create a new OS image or setup field, for example Vista Capture.

Type: This parameter defines the image type being used for the deployment. Select Windows Vista/Server 2008/7 Setup for our example.

Location: Enter into this field the network path, including the name, to the image folder where the image to create is to be stored, e.g. \\192.168.196.13\Build\WinVista.wim. This directory may be located on any device in your network, as long as it can be accessed by the OSD Manager and the target device of which the image is created.

Connection Parameters: The login and password to be used by the deploying device to access the network location in read and write mode.

  1 To enter the login information click the Edit button next to the non-editable fields.

  2 A Properties window appears on the screen in which you must enter the login name and corresponding password in the respective fields and re-enter the password for confirmation. The login name must have one of the following formats:

    <domain name>\<user login>

    <local host name>\<user login>

    Be aware that . is not a valid domain in this case.

  3 For security reasons the passwords will only be displayed in the form of asterisks.

  4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now be displayed in clear text format.

  5 To confirm the credentials click the OK button at the bottom of the window.

  6 The account will be added in the wizard window fields.

2 Once all parameters are defined they must be verified. Until the verification is executed and returns the Status OK, the wizard cannot continue.

3 To verify click the Check Image button to the right of the Status field.

4 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it.

5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field indicating where the parameter value is not correct.

6 Once the Status OK is returned click Next to go to the following wizard page.

Step 7: Target List

The next step in the OS capture procedure is to select the target. A capture target list may always only contain one target device, i.e. the device of which the image is to be created. For our example we will use the device on which the setup mode installed the Vista operating system in the previous example.

This may be done in a number of different ways. In our example here we will add the target as a single device. All other possible ways will be explained in the options.

The option to create a new target list (Create a new target list) is selected by default, therefore click Next to go directly to the following wizard page to define the members of the new target list.

In case of a Sysprep capture select Windows Vista/Server 2008/7 Sysprep WIM Image.

Step 8: Target List Configuration

In this step of the wizard you must select the target device of which the image is to be created. Remember, this list can only contain one single device.

1 Enter the name Vista Capture Target List into the Create a new target list field on top of the empty list field.

2 Then select the Create Target icon on top of the empty list field.

To add the target device via a list see Option (a) now.

To add an existing device as the target see Option (b) now.

3 The Create a New Target window appears on the screen with its General Information tab.

4 Enter the following information into the respective fields for the device:

Name: Enter into this field the short name of the target device exactly as you entered it for the setup, e.g., scotty.

Target: Leave the radio button selected as we are defining a single target and enter the information for at least one of the three following fields, preferably the MAC Address. If the device is already up and running the wizard will recover information regarding the MAC address, based on the provided IP address or DNS name.

MAC Address: Enter into this field the MAC address of the target device.

IP Address: Enter into this field the IP address of the target device.

DNS: Enter into this field the DNS information of the target device.

5 Then click the OK button at the bottom of the window to confirm the data for the target and add it to the target list.

6 Then click Next to go to the following wizard page.

Step 9: Disk Configuration

This wizard window allows you to define the configuration of the disk of the image. When an image is captured of an existing operating system installation the disk configuration is already defined. Therefore a specific image capture disk configuration must be used, which is provided by Numara at installation time.

1 In the list of available disk configurations select the Unchanged disk for custom deployment option.

2 This configuration contains all information required for the image capture.

Be careful not to select a disk configuration that will format the drive or partition!

To create a new disk configuration see Option (h) now.

3 Then click Next to go to the following wizard page.

Step 10: Drivers

In this step of the OSD wizard the Vista compatible drivers required for the WinPE must be selected. For the capture to work at least one driver must be selected, i.e. the network driver, as well as the SATA driver if the target disk is a SATA disk. As we have already executed the Setup mode in which the two required drivers were defined we will use these now for the current example.

1 The wizard window will show the two drivers already defined during the previous example.

2 Check both their boxes if you have a SATA drive, otherwise only the Ethernet driver.

3 Then click Next to go to the following wizard page.

Step 11: Project Build Date

In the last step of the operating system deployment wizard the schedule for the project build and its activation is defined. Building the project means checking that all parameters and values of the project are correct and that all required elements are available and in their correct location.

As we want to activate and execute this first deployment right away leave all values as they are and click Finish to launch the deployment.

Step 15: Project Monitoring

The project will now be built, i.e. all parameters are verified, to make sure the capture can be properly executed. You can follow the progress of the project in its console node, as the focus of the console will automatically be moved to this object when the wizard is finished. In this view you can follow the different stages of the build.

If any final status other than Build completed successfully. is displayed, the build failed and you need to review the parameters of the project and possibly the state of the target device.

Be aware that only one project per OSD Manager at a time can be active. If you have more than one deployment project you must schedule them in such a way that they are not launched at the same time and that the first deployment has finished before the next one starts, i.e. that they are not active at the same time. It is however possible to execute simultaneous deployments via different OSD Managers in different subnets. If you activate a new project via this wizard any other project in the same subnet will automatically be deactivated.

In case of a Sysprep distribution, the target MUST be running before the project becomes active! Also, you must manually launch the provided batch file \\<OSD Manager>\PXETFTP\SYSPREP\RUNSYSPREP.BAT, that will sysprep the target and finally reboot it. The file must be executed as a privileged user (admin). If the file can not be found in this location the project is not activated or not set as a Sysprep image type.

Step 16: Deployment Execution

Once the build is successfully completed the snapshot of the target device is started. You can follow the progress of the image creation process by selecting the Assigned Objects->Target List->Vista Capture Target List node in the left window pane. The right pane displays the target list member with its status information.

7.1.4 OS Deployment - WIM Image Mode

In this third example we will install a new device via the WIM Image Mode using the WIM image we captured in the preceding example. The WIM Image Mode uses a snapshot of an operating system taken of an installed device to install the same operating system on the target device, or a sysprepped OS that can be deployed on various hardware types. The snapshot or image file contains all information required to install the new device. To start this mode the OS Deployment Wizard must be started again:

1 To launch the OS Deployment Wizard either select the Wizards->OS Deployment menu item or click the respective icon in the icon bar.

2 The wizard appears on the screen with its first window in which the OSD Manager is selected.

3 We only have one OSD Manager which is already preselected.

4 Click Next to go to the following wizard page.

5 In this window the parameters of the OSD Manager must be defined.

6 However, we have already done this with the previous example, so you can just click Next to go to the following wizard page.

Step 3: Deployment Type

In this third wizard window you must select which type of deployment is to be executed. For this example we will select the WIM Image Mode deployment option. Click Next to go to the following wizard page.

Step 4: Project Parameters

The deployment of a new operating system to a number of targets is managed in its entirety by a NAMP object called project.

1 This next window defines the parameters for the deployment project, which are the following:

Name: Enter a self-explanatory name for the project into this field, for example Vista (64 bit) WIM Deployment.

Architecture: This field indicates the type of architecture for the OS deployment, i.e., the architecture of the WinPE image launching the setup program. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows installations. Leave the preselected option 64 Bit for the 64 bit Vista WIM deployment.

Target Drive: Select from this field the drive letter on which the operating system is to be installed. In our example we will use the C drive, therefore select C from this field.

2 Click Next to go to the following wizard page.

Step 5: Image

This wizard window allows you to either select an existing or create a new operating system image which is to be deployed by the WIM mode. Images exist for all types of deployment, but the list displayed in this window is already filtered and will only show the images created for the respective selected deployment type, i.e. in this case any existing WIM images.

The wizard window is still empty as no images have yet been created. The option to create a new image (Create a new OS image or setup) is selected by default, therefore click Next to go directly to the following wizard page to define the parameters of the new image.

Step 6: Image Parameters

This window allows you to define the parameters of the WIM image.

1 The following parameters must be defined:

Name: Enter a descriptive name for the image in the Create a new OS image or setup field, for example Vista WIM Image.

Location: Enter into this field the network path to the folder where you stored the image file that we created in our previous example, including the name of the image, e.g. \\192.168.196.13\Build\WinVista.wim. This directory may be located on any device in your network, as long as it can be accessed by the OSD Manager and the target devices; it is therefore recommended to put it on a device within the subnet.

Connection Parameters: The login and password to be used by the deploying device to access the network location in read and write mode.

  1 To enter the login information click the Edit button next to the non-editable fields.

  2 A Properties window appears on the screen in which you must enter the login name and corresponding password in the respective fields and re-enter the password for confirmation. The login name must have one of the following formats:

    <domain name>\<user login>

    <local host name>\<user login>

    Be aware that . is not a valid domain in this case.

  3 For security reasons the passwords will only be displayed in the form of asterisks.

  4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now be displayed in clear text format.

  5 To confirm the credentials click the OK button at the bottom of the window.

  6 The account will be added in the wizard window fields.

2 Once all parameters are defined they must be verified. Until the verification is executed and returns the Status OK, the wizard cannot continue.

3 To verify click the Check Image button to the right of the Status field.

4 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it.

5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field indicating where the parameter value is not correct.

6 Once the Status OK is returned click Next to go to the following wizard page.

If you are using a WIM-Image with Sysprep support see Option (f) now.

Step 7: Target List

The next step in the OS deployment procedure is to select the deployment targets. Targets are not defined via groups, as these may only contain devices with a NAMP agent installed; they are managed via target lists, which may also contain devices without a NAMP agent. The individual targets are then added to these lists. This may be done in a number of different ways. In our example here we will only have one target device which will be added as a single device. All other possible ways will be explained in the options.

The option to create a new target list (Create a new target list) is selected by default, therefore click Next to go directly to the following wizard page to define the members of the new target list.

Step 8: Target List Configuration

In this step of the wizard you must select the deployment targets which are collected in the target list.

1 Enter the name Vista WIM Image Target List into the field on top of the empty list field.

2 This deployment will only have one target device and we will add it as a new target.

3 For this select the Create Target icon on top of the empty list field.

4 The Create a New Target window appears on the screen.

5 Enter the following information into the respective fields of the General Information tab for the new device:

Name: Enter into this field the short name that the new device is to have, e.g., Device1. Be aware that the name of the new target may only have a maximum of 15 characters and may only contain the following characters: A-Z, a-z, 0-9, the underscore (_) and a dash (-).

Target: Leave the radio button selected as we are defining a single target and enter the information for at least one of the three following fields. If the device is already up and running the wizard will recover all remaining information directly from the device and add it to the respective fields.

MAC Address: Enter into this field the current MAC address of the target device. This is the most precise information to identify the device and should be preferred to the other two following identification options.

IP Address: Enter into this field the current IP address of the target device. This option may be used if the MAC address is unknown and the device is already running. In this case the respective target device will try to find its MAC address and provide this information.

DNS: Enter into this field the current DNS information of the target device. This option may be used if the MAC and IP addresses are unknown and the device is already running. In this case the respective target device will try to find its IP address which in turn will then search for the MAC address and provide this information.

6 Then click the OK button at the bottom of the window to confirm the data for the new target device and add it to the target list.

7 Then click Next to go to the following wizard page.
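A pre-flight check for the values entered in the steps above, as an added example that is not part of the Numara documentation or product: it applies the target name rule (maximum 15 characters; A-Z, a-z, 0-9, underscore, dash), the login formats required under Connection Parameters (with . rejected as the domain), and shape checks for the MAC address and image location. The function names, the accepted MAC separators and the sample account osdsvc are assumptions of this example.

```python
import re

# Assumption of this example: a MAC address is 12 hex digits, either unseparated
# or with one consistent separator (":" or "-") between the pairs.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")
# \\host\share[\more...]; each segment excludes characters Windows forbids in names.
UNC_RE = re.compile(r'\\\\[^\\/:*?"<>|]+(?:\\[^\\/:*?"<>|]+)+')


def check_target_name(name):
    """Return the problems with a target device name (empty list = valid)."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > 15:
        problems.append("name has %d characters, maximum is 15" % len(name))
    bad = sorted(set(re.sub(r"[A-Za-z0-9_-]", "", name)))
    if bad:
        problems.append("name contains characters outside A-Z, a-z, 0-9, _ and -: %r"
                        % "".join(bad))
    return problems


def check_login(login):
    """Login must be <domain name>\\<user login> or <local host name>\\<user login>."""
    parts = login.split("\\")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return ["login must have the form <domain or local host name>\\<user login>"]
    if parts[0] == ".":
        return ['"." is not a valid domain here; use the domain or local host name']
    return []


def normalize_mac(mac):
    """Return the MAC as upper-case colon-separated pairs, or None if malformed."""
    mac = mac.strip()
    if not MAC_RE.fullmatch(mac):
        return None
    digits = re.sub(r"[:-]", "", mac).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_image_location(path, expect_wim=True):
    """The location must be a network (UNC) path; WIM modes also name the .wim file."""
    if not UNC_RE.fullmatch(path):
        return ["location must be a network path of the form \\\\host\\share\\..."]
    if expect_wim and not path.lower().endswith(".wim"):
        return ["location must include the name of the image file (*.wim)"]
    return []


def preflight(entry):
    """Check one entry; returns {field: [problems]} for the failing fields only.

    The password is deliberately not part of the entry, so it never reaches
    a report or a log.
    """
    report = {}
    checks = (
        ("name", check_target_name(entry.get("name", ""))),
        ("login", check_login(entry.get("login", ""))),
        ("location", check_image_location(entry.get("location", ""),
                                          entry.get("expect_wim", True))),
    )
    for field, problems in checks:
        if problems:
            report[field] = problems
    if entry.get("mac") is not None and normalize_mac(entry["mac"]) is None:
        report["mac"] = ["MAC address is not 12 hex digits with consistent separators"]
    return report


# Constructed sample entries (not taken from a real deployment).
GOOD_ENTRY = {"name": "Device1", "mac": "00-1a-2b-3c-4d-5e",
              "login": "TESTLAB\\osdsvc",
              "location": r"\\192.168.196.13\Build\WinVista.wim"}
BAD_ENTRY = {"name": "Vista_Deployment_Target_01", "mac": "00:1A:2B:3C:4D",
             "login": ".\\Administrator",
             "location": r"\\192.168.196.13\Build"}

if __name__ == "__main__":
    for label, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(label, preflight(entry) or "OK")
```

For a Custom Mode image, where the location is a folder rather than a .wim file, pass expect_wim=False.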

Step 9: Disk Configuration

This wizard window allows you to define the configuration of the disk on which the operating system will be installed. A number of predefined disk configurations are initially provided by Numara and one of these will be used for this first example.

1 In the list of available disk configurations select the Disk with two partitions option.

2 This configuration will create two partitions of the hard disk, the first, the boot or active partition with 30 GB and the second with the remaining space.

To add target devices via lists see Option (a) now.

To add existing devices as targets see Option (b) now.

To add target devices via a PXE subnet see Option (d) now.

If you are using a WIM-Image with Sysprep support see Option (g) now.

3 Then click Next to go to the following wizard page.

Step 10: Drivers

In this step of the OSD wizard the Vista compatible drivers required for the WinPE must be selected. For the deployment to work at least one driver must be selected, i.e. the network driver, as well as the SATA driver if the target disk is a SATA disk. As we have already executed the Setup mode in which the two required drivers were defined we will use these also now for the current example installation.

1 The wizard window will show the two drivers already defined for the previous examples.

2 Check both their boxes if you have a SATA drive, otherwise only select the Ethernet driver.

To create a new disk configuration see Option (h) now.

3 Then click Next to go to the following wizard page.

Step 11: Project Build Date

In the last step of the operating system deployment wizard the schedule for the project build and its activation is defined. Building the project means checking that all parameters and values of the project are correct and that all required elements are available and in their correct location.

As we want to activate and execute this first deployment right away leave all values as they are and click Finish to launch the deployment.

Be aware that only one project per OSD Manager at a time can be active. If you have more than one deployment project you must schedule them in such a way that they are not launched at the same time and that the first deployment has finished before the next one starts, i.e. that they are not active at the same time. It is however possible to execute simultaneous deployments via different OSD Managers in different subnets. If you activate a new project via this wizard any other project in the same subnet will automatically be deactivated.

Step 12: Project Monitoring

The project will now be built, i.e. all parameters are verified, the files are copied to the location required for the remote installation, etc. You can follow the progress of the project in its console node, as the focus of the console will automatically be moved to this object when the wizard is finished. In this view you can follow the different stages of the build.

If any final status other than Build completed successfully. is displayed, the build failed and you need to review the parameters of the project and possibly the source files.

Step 13: Deployment Execution

Once the build is successfully completed the files are put at the required location on the OSD Manager for deployment. To now start the actual operating system deployment to the target device you must switch on the device. It will boot on the PXE boot section and the operating system installation is executed.

Do not start the target devices before the project is finished and ready to launch the installation. If the target devices are already running, the PXE boot will not find the files for the installation and the deployment and installation of the new OS on the target devices will not take place.

You can follow the progress of the installation by selecting the Assigned Objects->Target List->Vista Image Target List node in the left window pane. The right pane displays the target list members with their status information.

7.1.5 OS Deployment - Custom Mode

As the last example we will install a new device via the Custom Mode. This mode allows you to use other applications with which snapshots of existing installations may be created and then be 'duplicated' on other devices, such as for example ghost images. To start this mode the OS Deployment Wizard must be started again:

1 To launch the OS Deployment Wizard either select the Wizards->OS Deployment menu item or click the respective icon in the icon bar.

2 The wizard appears on the screen with its first window in which the OSD Manager is selected.

3 We only have one OSD Manager which is already preselected.

4 Click Next to go to the following wizard page.

5 In this window the parameters of the OSD Manager must be defined.

6 However, we have already done this with the previous example, so you can just click Next to go to the following wizard page.

Step 3: Deployment Type

In this third wizard window you must select which type of deployment is to be executed. For this example we will select the Custom Mode. Then click Next to go to the following wizard page.

A Sysprep installation is quite long (~1 hour, depending on the hardware) and requires several reboots.

Step 4: Project Parameters

The deployment of a new operating system to a number of targets is managed in its entirety by a NAMP object called project.

1 This window defines the parameters for the deployment project, which are the following:

Name
Enter a self-explanatory name for the project into this field, for example XP (64 bit) Custom Deployment.

Target Drive
This field is used to configure the MBR file and is therefore accessible. However, only modify the pre-entered value if required.

2 Click Next to go to the following wizard page.

Step 5: Image

This wizard window allows you to either select an existing or create a new operating system image which is to be deployed by the setup. Images exist for all types of deployment, but the list displayed in this window is already filtered and will only show the images created for the respective selected deployment type.

The wizard window is still empty as no images have yet been created. The option to create a new image (Create a new OS image or setup) is selected by default, therefore click Next to go directly to the following wizard page to define the parameters of the new image.

Step 6: Image Parameters

This window allows you to define the parameters for the custom deployment image.

1 The following parameters must be defined:

Name
Enter a descriptive name for the image in the Create a new OS image or setup field, for example XP Custom Mode Image.

Location
Enter into this field the network path to the folder where the custom image and the program are located, e.g. \\192.168.196.13\ghosts64. This is the folder which contains the ghost executable file for the deployment as well as the ghost image. This directory may be located on any device in your network, as long as it can be accessed by the OSD Manager and the target devices.

Connection Parameters
The login and password to be used by the deploying device to access the network location in read and write mode.

  1 To enter the login information click the Edit button next to the non-editable fields.
  2 A Properties window appears on the screen in which you must enter the login name and corresponding password in the respective fields and re-enter the password for confirmation. The login name must have one of the following formats:
    <domain name>\<user login>
    <local host name>\<user login>
  3 For security reasons the passwords will only be displayed in the form of asterisks.
  4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now be displayed in clear text format.
  5 To confirm the credentials click the OK button at the bottom of the window.
  6 The account will be added in the wizard window fields.

Custom Image Command Line
This field contains the command required to deploy the image, e.g., ghost32.exe -clone,mode=restore,src=W:\XP32.GHO,dst=1:0 -SURE for a ghost image, whereby W: is the mounted share of the UNC OS location in the WinPE. An example when using imagex would be: imagex /apply "W:\MyImageFile.wim" 1 C:.

2 Once all parameters are defined they must be checked for correctness. Until the verification is executed and returns the Status OK, the wizard cannot continue.

3 To verify click the Check Image button to the right of the Status field.

4 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it.

5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field indicating where the parameter value is not correct.

6 Once the Status OK is returned click Next to go to the following wizard page.

Step 7: Target List

The next step in the OS deployment procedure is to select the deployment targets. Targets are not defined via groups, as these may only contain devices with a NAMP agent installed. Instead they are managed via target lists, which may also contain devices without a NAMP agent. The individual targets are then added to these lists. This may be done in a number of different ways. In our example here we will only have one target device which will be added as a single device. All other possible ways will be explained in the options.

The option to create a new target list (Create a new target list) is selected by default, therefore click Next to go directly to the following wizard page to define the members of the new target list.

Step 8: Target List Configuration

In this step of the wizard you must select the deployment targets which are collected in the target list.

1 Enter the name XP Custom Mode Target List into the Name field on top of the empty list field.

2 This deployment will only have one target device and we will add it as a new target.

To add target devices via lists see Option (a) now.

To add existing devices as targets see Option (b) now.

3 For this select the Create Target icon on top of the empty list field.

4 The Create a New Target window appears on the screen.

5 Enter the following information into the respective fields of the General Information tab for the new device:

Name
Enter into this field the short name that the new device is to have, e.g., scotty. Be aware that the name of the new target may only have a maximum of 15 characters and may only contain the following characters: A-Z, a-z, 0-9, the underscore (_) and a dash (-).

Target
Leave the radio button selected as we are defining a single target and enter the information for at least one of the three following fields. If the device is already up and running the wizard will recover information regarding the MAC address, based on the provided IP address or DNS name.

MAC Address
Enter into this field the current MAC address of the target device. This is the most precise information to identify the device and should be preferred to the other two following identification options.

IP Address
Enter into this field the current IP address of the target device. This option may be used if the MAC address is unknown and the device is already running. In this case the respective target device will try to find its MAC address and provide this information.

DNS
Enter into this field the current DNS information of the target device. This option may be used if the MAC and IP addresses are unknown and the device is already running. In this case the respective target device will try to find its IP address which in turn will then search for the MAC address and provide this information.

6 Then click the OK button at the bottom of the window to confirm the data for the new target device and add it to the target list.

7 Then click Next to go to the following wizard page.

Step 9: Disk Configuration

This wizard window allows you to define the configuration of the disk on which the operating system will be installed. A number of predefined disk configurations are initially provided by Numara and one of these will be used for this custom example.

1 In the list of available disk configurations select the Unchanged disk for custom deployment option.

2 This configuration contains all the required information for the standard ghost installation.

To add target devices via a PXE subnet see Option (d) now.

To create a new disk configuration see Option (h) now.


3 Then click Next to go to the following wizard page.

Step 10: Drivers

In this step of the OSD wizard the drivers required for the WinPE must be selected. For the deployment to work at least one driver must be selected, i.e. the network driver, as well as the SATA driver if the target disk is a SATA disk. As we have already executed the Setup mode in which the two required drivers were defined we will use these now for the current example installation.

1 The wizard window will show the two drivers already defined for the setup example.

2 Check both their boxes if you have a SATA drive, otherwise only select the Ethernet driver.

3 Then click Next to go to the following wizard page.

Step 11: Project Build Date

In the last step of the operating system deployment wizard the schedule for the project build and its activation is defined. Building the project means checking that all parameters and values of the project are correct and that all required elements are available and in their correct location.

As we want to activate and execute this first deployment right away leave all values as they are and click Finish to launch the deployment.

Step 17: Project Monitoring

The project will now be built, i.e. all parameters are verified, the files are copied to the location required for the remote installation, etc. You can follow the progress of the project in its console node, as the focus of the console will automatically be moved to this object when the wizard is finished. In this view you can follow the different stages of the build.

If any status other than the final status Build completed successfully. is displayed, the build failed and you need to review the parameters of the project and possibly the source files.

Be aware that only one project per OSD Manager at a time can be active. If you have more than one deployment project you must schedule them in such a way that they are not launched at the same time and that the first deployment has finished before the next one starts, i.e. that they are not active at the same time. It is however possible to execute simultaneous deployments via different OSD Managers in different subnets. If you activate a new project via this wizard any other project in the same subnet will automatically be deactivated.

Step 18: Deployment Execution

Once the build is successfully completed the files are put at the required location on the OSD Manager for deployment. To start the actual operating system deployment to the target device you must now switch on the device. It will boot on the PXE boot section and the operating system installation is executed.

Do not start the target devices before the project is finished and ready to launch the installation. If the target devices are already running before then, the PXE boot will not find the files for the installation, and the deployment and installation of the new OS on the target devices will not take place.

You can follow the progress of the installation by selecting the Assigned Objects->Target List->XP Custom Mode Target List node in the left window pane. The right pane displays the target list members with their status information.

7.2 Options

The following section provides a number of options available for the different modes of operating system deployment.

(a) Add Target from Lists

Devices may be added to the target list in a number of different ways. One is through different types of lists. Be aware that you cannot add the master as a target device. To add targets from lists proceed as follows:

1 Select the Add Members from Lists icon.

2 The Select Devices from the List window opens which provides you with the following methods to choose the scan targets:

AutoDisc Object
AutoDisc Device
Network
CSV List

a AutoDisc Object

The AutoDiscovery module provides a list of all devices of any type found in the network, such as printers or devices with and without the agent installed. This list is also available for the vulnerability scan functionality to facilitate the selection of the scan targets. However, the list displayed in this case will only show all clients of type device and only those with a status of Verified or Learned, which means that all devices in this list have been verified for existence either by the local client or a neighbour client and exist on the network. To add a device from the list of all autodiscovered devices known to the database proceed as follows:

1 Select the AutoDisc Object tab in the left window bar.

2 The field Available Devices displays the list of all available devices. You will find more information on the list of autodiscovered devices in chapter Autodiscovered Objects on page 209 in the Console manual.

3 Select the device/devices to be added as targets from the list and then click the Add button to move the selected devices to the list of Selected Devices.

4 Click OK to confirm the selections and close the window.

b AutoDisc Device

The tab AutoDisc Device allows you to select your target devices from a list of autodiscovered devices by one specific network device. Proceed as follows:

1 Select the AutoDisc Device tab in the left window bar.

2 The Select a Device window opens on the screen.

3 Select the device of which the autodiscovered list is to be used from one of the tabs of the Select a Device dialog box.

4 Click OK to confirm the selection and close the window.

5 The Select Devices from the List dialog box now only displays the devices that were discovered by the selected network device.

6 Select the device/devices to be added as targets from this list and then click the Add button to move the selected devices to the list of Selected Devices.

7 Click OK to confirm the selections and close the window.

c Network

You may add a device from the list of your Microsoft network neighbourhood. To do so proceed as follows:

1 Select the Network tab in the left window bar.

2 The field Available Devices now displays the Microsoft Windows Network Neighbourhood structure on the screen.

3 Select the device/devices to be added to the list from one of its groups.

4 Click OK to confirm the addition and close the window.

d CSV List

To add a device to the scan from an existing .csv file proceed as follows:

1 Select the CSV List tab in the left window bar.

2 A window opens, in which you may choose the file containing the device list.

3 Click the Open button at the bottom of the window to open the list.

4 The field Available Devices now displays the list of all devices contained in the selected CSV list.

5 Check the box Header, if your CSV file has a title line which is to be removed.

6 Select the device to be added to the scan from the list in the window. You may also select all devices in the list by using the Select All button.

7 Click OK to add the device and close the window.

3 Continue with the general procedure.

(b) Add Device

You may also add a device or all devices of a target list via the device selection window. This is the easiest way to add devices to the target list if you install only devices that are already known to the NAMP database. Devices without agents are not available in this window. To add devices proceed as follows:

1 Select the Add Device icon.

2 The Select a Device window opens on the screen.

3 Select the device to be added from one of the tabs of the Select a Device dialog box.

4 Click OK to confirm the addition and close the window.

5 Continue with the general procedure.

(c) Create Target via PXE Subnet (Setup Mode)

You may also create new target devices by specifying a subnet in which they will be located. When creating new targets in this way, they will be added to the OS Deployment database specifically for this deployment. To do so proceed as follows:

1 Select the Create Target icon.

2 The Create a New Target window opens on the screen with its three tabs, General Information, Parameters and Unattended Information.

3 Enter the following required information for the target device in the General Information:

Name
Enter into this field the short network name that the new device is to have, e.g., scotty.

Description
This field is a free text field and may contain some descriptive text or necessary information about the object.

Architecture
This field indicates the type of architecture to which the target list is applicable. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows installations. This field is generally not accessible, as the architecture is defined by the target list.

Enabled
This parameter defines if the target device is active, i.e. if it will retrieve the image or setup file to install. By default this option is set to Yes, enabled or active target. If a target device is disabled, it must be activated manually via this option and then the project must be rebuilt for this modification to become effective.

PXE Subnet Filter
This field displays the IP address for the subnet which contains the target devices. A new field next to the Name field appears in the window. You may enter into this field the way the device names within a subnetwork are automatically incremented. The default value here is 001, i.e. the name with the suffix 001, 002, etc., e.g. HQ001, HQ002, ... HQ099.

PXE Subnet Filter
Enter into this field the IP address in its dotted notation for the subnet which is to contain the target devices. The address may be entered with the asterisk wildcard character (*): 192.168.1.*, 192.168.*.* or 192.*.*.*.

4 Then select the Parameters tab and fill in the fields for the target operating system information.

Edition
Select from the drop-down box the Windows edition that is being installed, e.g. Windows Vista Enterprise. The listed editions have been automatically detected from the installation CD/DVD.

Language
Select from the drop-down box the language. This language setting will be applicable to the setup, the operating system to be installed, the keyboard layout and the user locale. The listed languages have been automatically detected from the installation CD/DVD.

Product Key
This field defines the preformatted input for the OS product key (e.g.: ABCDE-FGHIJ-KLMNO-PQRST-UVWXY). Replace the standard key already entered in this field with the key provided by Microsoft on your installation DVD.

TCP/IP Parameters
The fields in this box allow you to define the parameters for static or dynamic IP address management:

Dynamic IP
Select this radio button to dynamically assign the IP addresses for the devices. This option is only applicable to Setup projects. This is the default value.

Static IP
Select this radio button if the IP addresses are statically assigned to the devices. The following fields must be defined for static IP addressing:

IP Address
Enter into this field the IP address which is to be attributed to the target device. This field is mandatory.

Subnet Mask
Enter into this field the subnet mask for the target device. This field is mandatory.

Gateway
Enter into this field the IP address of the gateway of the target device. This field is mandatory.

Prefered DNS Server
Enter into this field the IP address of the preferred DNS server of the target device. This field is mandatory.

Alternate DNS Server
Enter into this field the IP address of the alternate DNS server of the target device. This field is optional.

Click the Default Values button below these fields to preenter the Subnet Mask, Gateway and Prefered DNS Server fields with the default values.

5 Then select the Unattended Information tab and fill in the fields for your organisation.

Screen Resolution
This parameter defines the resolution in pixels of the target screen. The value in parenthesis behind the value indicates for which screen size the respective resolution is generally used.

Colour Depth
This parameter defines the colour depth in bits per pixel of the target screen.

Refresh Rate
This parameter defines the refresh rate in Hertz of the target screen (e.g.: 85 for CRT, 60 for LCD).

Resolution (DPI)
This field displays the resolution in dpi that is to be used for the fonts displayed on the screen of the device to be installed.

Organisation
This field displays the name of your organisation, e.g. Numara Software.

Workgroup
The network workgroup of the target devices, e.g. WORKGROUP. If you enter a value here and also into the Domain field later on, this value will be ignored.

Administrator Login
Enter into this field the login name which is to be created for the newly installed OS with the full administrator rights accorded on the new device. For Vista and later versions this field will be greyed out, as the login name is predefined by Microsoft and may not be modified.

Administrator Password
Enter into this field the corresponding password.

User Login
Enter into this field the login name with which the user is to log on to his device which provides him with the required user rights. This parameter is only applicable to Vista.

User Password
Enter into this field the respective password to be used. This parameter is only applicable to Vista.

Time Zone
The timezone in which the target device is located.

Full Name
Enter into this field the complete name of the user that is to use the new device, e.g. Jane Doe.

Domain
Enter into this field the name of the domain the new device should belong to, e.g. TESTLAB. If you entered a name for the workgroup above the domain value will prevail.

Domain Administrator Name
Enter into this field the login name of the domain administrator with which he may access the new device.

Domain Administrator Password
Enter into this field the corresponding password.

First Logon Command
This field lists the commands to be executed on the first logon; this may be a path to a batch file to execute, e.g. E:\Apps.bat or cmd /c REGEDIT /S E:\Apps\patch.reg. This parameter is only applicable to XP.

6 Click the OK button at the bottom of the window to confirm the data for the new target list or click Cancel to abandon without modifications and to close the window.

7 Continue with the general procedure.

(d) Create Target via PXE Subnet (Non-Setup Mode)

You may also create new target devices by specifying a subnet in which they will be located. When creating new targets in this way, they will be added to the OS Deployment database specifically for this deployment. To do so proceed as follows:

1 Select the Create Target icon.

2 The Create a New Target window opens on the screen with its three tabs, General Information, Parameters and Unattended Information.

3 Enter the following required information for the target device in the General Information:

Name
Enter into this field the short network name that the new device is to have, e.g., scotty.

Description
This field is a free text field and may contain some descriptive text or necessary information about the object.

Architecture
This field indicates the type of architecture to which the target list is applicable. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows installations. This field is generally not accessible, as the architecture is defined by the target list.

Enabled
This parameter defines if the target device is active, i.e. if it will retrieve the image or setup file to install. By default this option is set to Yes, enabled or active target. If a target device is disabled, it must be activated manually via this option and then the project must be rebuilt for this modification to become effective.

PXE Subnet Filter
This field displays the IP address for the subnet which contains the target devices. A new field next to the Name field appears in the window. You may enter into this field the way the device names within a subnetwork are automatically incremented. The default value here is 001, i.e. the name with the suffix 001, 002, etc., e.g. HQ001, HQ002, ... HQ099.

PXE Subnet Filter
Enter into this field the IP address in its dotted notation for the subnet which is to contain the target devices. The address may be entered with the asterisk wildcard character (*): 192.168.1.*, 192.168.*.* or 192.*.*.*.

4 Continue with the general procedure.

(e) Create Target in Static IP Mode

Target devices may also be created in static mode. To do so proceed as follows:

1 In the Parameters tab of the Create a New Target window make the following changes:

2 In the TCP/IP Parameters box select the Static IP radio button.

3 Then enter the following parameters:

IP Address
Enter into this field the IP address which is to be attributed to the target device. This field is mandatory.

Subnet Mask
Enter into this field the subnet mask for the target device. This field is mandatory.

Gateway
Enter into this field the IP address of the gateway of the target device. This field is mandatory.

Prefered DNS Server
Enter into this field the IP address of the preferred DNS server of the target device. This field is mandatory.

Alternate DNS Server
Enter into this field the IP address of the alternate DNS server of the target device. This field is optional.

Click the Default Values button below these fields to preenter the Subnet Mask, Gateway and Prefered DNS Server fields with the default values.

4 Continue with the general procedure.
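A pre-flight check for the target values described in the options above (target name rule, PXE Subnet Filter wildcards, name increments and the mandatory Static IP fields), as an added example that is not part of the Numara manual or product. The dictionary keys, the accepted MAC notation, the trailing-wildcard restriction and the gateway-in-subnet check are assumptions, and the sample targets are constructed.

```python
import ipaddress
import re

# Name rule from the Create a New Target window: at most 15 characters,
# only A-Z, a-z, 0-9, underscore and dash.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")
# Colon- or dash-separated MAC notation (accepted notation is an assumption).
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
# Fields the manual marks as mandatory in Static IP mode (keys are hypothetical).
STATIC_MANDATORY = ("ip", "mask", "gateway", "preferred_dns")


def subnet_filter_to_network(pattern):
    """Turn a PXE Subnet Filter such as 192.168.1.* into an IPv4 network."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"filter needs four dotted parts: {pattern!r}")
    fixed = []
    wildcard_seen = False
    for octet in octets:
        if octet == "*":
            wildcard_seen = True
        elif wildcard_seen:
            # Assumption: only trailing wildcards, as in the manual's examples.
            raise ValueError(f"wildcards must be trailing: {pattern!r}")
        elif octet.isascii() and octet.isdigit() and int(octet) <= 255:
            fixed.append(int(octet))
        else:
            raise ValueError(f"bad octet {octet!r} in {pattern!r}")
    if not fixed:
        raise ValueError("at least the first octet must be fixed")
    base = ".".join(str(o) for o in fixed + [0] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def addresses_in_scope(pattern, inventory):
    """Return the inventory addresses that a subnet filter would cover."""
    network = subnet_filter_to_network(pattern)
    return [ip for ip in inventory if ipaddress.ip_address(ip) in network]


def expand_names(prefix, first_suffix, count):
    """Build incremented names, e.g. HQ + 001 -> HQ001, HQ002, ..."""
    width = len(first_suffix)
    start = int(first_suffix)
    return [f"{prefix}{start + i:0{width}d}" for i in range(count)]


def check_target(target):
    """Return a list of problems found in one target definition."""
    problems = []
    if not NAME_RE.fullmatch(target.get("name", "")):
        problems.append("name: 1-15 characters from A-Z a-z 0-9 _ -")
    mac = target.get("mac")
    if mac and not MAC_RE.fullmatch(mac):
        problems.append("mac: not a MAC address")
    if not target.get("static"):
        return problems  # Dynamic IP: no address fields to check
    missing = [f for f in STATIC_MANDATORY if not target.get(f)]
    if missing:
        problems.append("static IP: missing " + ", ".join(missing))
        return problems
    try:
        iface = ipaddress.ip_interface(f"{target['ip']}/{target['mask']}")
        gateway = ipaddress.ip_address(target["gateway"])
        ipaddress.ip_address(target["preferred_dns"])
        if target.get("alternate_dns"):  # optional field
            ipaddress.ip_address(target["alternate_dns"])
    except ValueError as exc:
        problems.append(f"static IP: {exc}")
        return problems
    if gateway not in iface.network:
        problems.append("gateway: not inside the target's own subnet")
    return problems


# Constructed sample targets (not taken from the manual).
SAMPLE_TARGETS = [
    {"name": "scotty", "mac": "00:11:22:33:44:55", "static": True,
     "ip": "192.168.1.50", "mask": "255.255.255.0",
     "gateway": "192.168.1.1", "preferred_dns": "192.168.1.10"},
    {"name": "headquarters-pc-001", "static": True,
     "ip": "192.168.1.51", "mask": "255.255.255.0",
     "gateway": "192.168.2.1", "preferred_dns": "192.168.1.10"},
]

if __name__ == "__main__":
    for sample in SAMPLE_TARGETS:
        print(sample["name"], check_target(sample) or "OK")
    print(addresses_in_scope("192.168.1.*", ["192.168.1.50", "192.168.2.7"]))
    print(expand_names("HQ", "001", 3))
```

Running addresses_in_scope against an inventory export before a project is built shows which known devices a wildcard filter would cover.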

(f) Sysprep WIM Image Deployment - Additional Drivers

If you are executing a sysprep installation, an extra wizard window will be displayed in which additional drivers required by the SysPrep installation must be defined.

In this step of the OSD wizard the drivers must be defined which will be used by the Windows Setup for installation. This is the equivalent of manually inserting the drivers floppy during the installation process. Here you can define all drivers that may be needed by the deployment operating system to properly run. The drivers must be defined here as well in their usual .inf format. If you are creating an XP setup and your targets use a SATA disk, do not forget to add the required SATA driver here as well.

Proceed as follows:

1 Before Step 7: of the WIM Image Deployment wizard an Image Drivers window will appear on the screen to define the additional drivers.

2 By default no drivers are predefined, therefore this list field is empty.

3 For this example we will first add an Ethernet network driver.

4 To do so click the Create Driver icon above the list field.

5 The Create a New Driver window appears on the screen.

6 Enter the following data into the respective fields:

Name
Enter a name for the new driver, for example Ethernet Network Driver.

Driver Type
This drop down list defines the type of the driver, i.e. if it is a network driver, a SATA disk driver, a keyboard driver, etc. Select the Modem/Network Driver value from the list.

Driver .inf File
Enter into this field the name and path of the .inf file of the driver. This is the path on the local device, i.e. the OSD Manager, and is to be entered as such with the drive letter as well as the name of the file, e.g. D:/Drivers/TEXTORM/chipset/Vista32/Ethernet/nvfd6032.inf. You may also indicate a path to a removable device, such as a DVD drive, as the driver files will be copied to a specific directory in the Numara Deployment Manager.

  1 To find the file in its directory structure click the Select button next to the field.
  2 The Driver File from <Device> window appears on the screen.
  3 It provides the directory structure of the currently selected OSD Manager.
  4 Browse the directories to find the correct file, select it and then click the OK button to add it.

7 Once all parameters are defined they must be checked for correctness. Until the verification is executed and returns the Status OK, the wizard cannot continue.

8 To verify click the Check Driver button to the right of the Status field.

9 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it, and fill in the remaining fields with the recovered information, such as the list of driver files.

10 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field indicating where the parameter value is not correct.

11 Once the Status OK is returned click the OK button to add the new driver to the list and return to the Image Drivers window.

12 Now the driver appears in the list of available drivers.

13 Repeat steps 2 to 9 to add other drivers. The drivers defined here must be compliant with the image to be deployed.

14 Then click Next to go to the following wizard page.

15 Continue with the general procedure.

(g) Sysprep WIM Image Deployment

A sysprep WIM image deployment requires the configuration of additional parameters. Proceed as follows:

1 At Point 4 (page 158) of Step 8: Target List Configuration of the WIM Image deployment, parameters of two more tabs must be defined:

2 Select the Parameters tab and fill in the fields for the target operating system information.

Edition
Select from the drop-down box the Windows edition that is being installed, e.g. Windows Vista Enterprise. The listed editions have been automatically detected from the installation CD/DVD.

Language
Select from the drop-down box the language. This language setting will be applicable to the setup, the operating system to be installed, the keyboard layout and the user locale. The listed languages have been automatically detected from the installation CD/DVD.

Product Key
This field defines the preformatted input for the OS product key (e.g.: ABCDE-FGHIJ-KLMNO-PQRST-UVWXY). Replace the standard key already entered in this field with the key provided by Microsoft on your installation DVD.

3 Then select the Unattended Information tab and fill in the fields for your organisation.

Screen ResolutionSelect from the drop down list the appropriate screen resolution for the monitor of the target device.

Colour DepthSelect from the drop down list the appropriate colour depth for the monitor of the target device.

Refresh RateSelect from the drop down list the appropriate refresh rate for the monitor of the target device.

Resolution (DPI)Select from the drop down list the appropriate DPI value for the target device.

OrganisationEnter into this field the name of your company, e.g. Numara Software. This is the value that will appear in the license window of the operating system.

Page 178: Getting Started

178 - Numara Deployment Manager - Operating System Deployment

Workgroup: Enter into this field the name of the workgroup to which the newly installed device is to belong, e.g. WORKGROUP. This field will be ignored if a domain is specified.

Administrator Login: Enter into this field the login name that is to be created for the newly installed OS with full administrator rights on the new device. For Vista and later versions this field is preset by Microsoft and modifications will be ignored. This login and the corresponding password must be the same as the administrator login/password of the previously captured system.

Administrator Password: Enter into this field the corresponding password.

User Login: Enter into this field the login name with which the user is to log on to the device and which provides the required user rights. This field is only applicable to Vista and later.

User Password: Enter into this field the respective password to be used (Vista and later only).

Time Zone: Select from this drop-down list the time zone to be applied to the new device, i.e. the one in which it is located.

Full Name: Enter into this field the complete name of the user that is to use the new device, e.g. Jane Doe.

Domain: Enter into this field the name of the domain the new device should belong to, e.g. TESTLAB. Do not enter anything into this field if you have provided Workgroup information, as this value will override it.

Domain Administrator Name: Enter into this field the login name with which the domain administrator may access the new device.

Domain Administrator Password: Enter into this field the corresponding password.

First Logon Command: This field lists the commands to be executed on the first logon. This may be a path to a batch file to execute, e.g. E:\Apps.bat or cmd /c REGEDIT /S E:\Apps\patch.reg. This parameter is only applicable to XP.

4 Then click the OK button at the bottom of the window to confirm the data for the new target device and add it to the target list.

5 Then click Next to go to the following wizard page and continue with the general procedure.

(h) Create new Disk Configuration

If none of the predefined disk configurations meets the requirements of your distribution you may create a new disk configuration. Creating a new disk configuration consists of the following two steps:

1 Create new Disk Configuration
2 Create Partitions for the new configuration

Step 1: Create new Disk Configuration

Proceed as follows to create a new disk configuration in the OSD wizard for a distribution:

Be aware that WinPE has a number of limitations as described on the Microsoft web site (http://technet.microsoft.com/en-us/library/cc507857.aspx), such as the fact that drive letter assignments are NOT persistent between sessions. This means that no matter which drive letter you assigned to a drive in the disk configuration of an OS deployment, the drive letter assignments will be in the default order after WinPE is restarted.


1 At Step 10: Disk Configuration of the wizard select the Create Disk Configuration icon above the list window.
2 The Properties dialog box appears on the screen.
3 Enter the desired data into the respective fields.

Name: Enter a name for the new disk configuration, for example FullDisk_3Partitions.

Description: This field is a free text field and may contain some descriptive text or necessary information about the object.

Size: This value displays the total size of the respective hard disk in MB.

Delete Disk Partitions: This parameter defines whether any partitions that already exist on the target device are deleted. Possible values are Yes and No.

Disk Number: The physical disk number on the device, 0 indicating the first disk, 1 the second, etc.

Status: This field displays the current status of the selected disk configuration.

4 Before the disk configuration may be created it must be verified that all entered data is correct.
5 To execute a check on the disk click the Check Disk Status button next to the non-editable field. Be aware that the disk creation cannot be confirmed until the disk verification has succeeded, i.e. the status value OK is displayed.
6 Click the OK button at the bottom of the window to confirm the data for the new disk configuration and to close the window.
7 The new configuration will be added to the list field.

Step 2: Create Partitions

Now that the disk is configured, the partitions that will be created on the remote target device during the installation process must be defined.

1 Select the new disk configuration in the list field.
2 Select the Create Partition icon above the list field.
3 The Disk Partitions for <Disk Name> dialog box appears on the screen. It displays the list of all partitions defined for the currently selected disk.
4 To add a new partition click the Create Partition icon above the list field.
5 The Create a new partition window appears on the screen.
6 Enter the desired data into the respective fields.

Name: Enter a name for the new partition.

Description: This field is a free text field and may contain some descriptive text or necessary information about the object.

Format: This parameter indicates the format of the partition. Possible values are NTFS, FAT-32 or Do Not Format; use the last of these if the disk is not to be formatted but is to keep its current configuration, for example to keep another partition type for Linux or to keep partitions with existing data.

Type: This parameter defines the type of the partition, i.e. if it is a primary, extended or logical partition.

Note (Delete Disk Partitions): This option should be used with caution, as any data on the disk will be lost irretrievably if it is selected, even if you selected not to format the partition in the partition definition.

Note (Format): These formatting options should be used with caution, as any data on the partition will be lost irretrievably if one of them is selected.


Extend: This parameter is of interest if the defined disk partitions do not completely use up the available disk space. Possible values are Yes, extend partition, in which case the size fixed for the disk will be ignored and the remaining disk space will be added to the respective partition. If you select No, do not extend the partition, the remaining disk space cannot be used. Only one partition per disk may be extended. As FAT-32 disks may not be larger than 32 GB, extending one over this limit will generate an error.

Size: This value displays the total size of the respective disk partition in MB. FAT-32 disks may not be larger than 32 GB. The specified size is adjusted to the cylinder snap and may therefore be somewhat smaller or larger than the defined value.

Label: The unique name of the partition, e.g. SYSTEM, DATA or BACKUP.

Drive Letter: The logical drive letter from C to Z assigned to the drive. Each letter may only be assigned once. You may assign the partition a specific drive letter; however, WinPE may change this after rebooting if it does not coincide with its internal sorting logic.

Active Partition: This parameter defines if a partition is active, i.e. if it is potentially bootable. The operating system that is to be booted must be installed on this partition. Only one partition may be active per disk.

Partition Number: The unique physical partition number on the disk the currently selected entry belongs to; 1 is the first partition, 2 the second, etc.

7 Click the OK button at the bottom of the window to confirm the data for the new partition and to close the window.

8 Repeat these steps until all partitions for the disk configuration are defined.
9 To change the order of the partitions you may move one up or down in the list.
10 Select the partition in the table in the right window pane.
11 Either choose the Edit->Move Down/Move Up menu item or click the respective icon in the icon bar until the partition is at the desired position.
12 Click the OK button at the bottom of the window to confirm the data for the new disk partition and to close the window.
13 Continue with Step 10: Disk Configuration of the main wizard procedure.
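The rules stated in the disk and partition field descriptions above (FAT-32 limit of 32 GB, one extended and one active partition per disk, drive letters C to Z assigned once, data loss when Delete Disk Partitions is Yes) can be checked before a configuration is entered in the wizard. This is an added Python example, not code from the Numara product or its manual; the class names, field names and sample configurations are constructed for illustration, and 1 GB is assumed to be 1024 MB.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: the manual's 32 GB FAT-32 limit expressed in MB with 1 GB = 1024 MB.
FAT32_MAX_MB = 32 * 1024
FORMATS = ("NTFS", "FAT-32", "Do Not Format")


@dataclass
class Partition:               # hypothetical model of the "Create a new partition" fields
    number: int                # Partition Number, 1 is the first partition
    label: str                 # Label, e.g. SYSTEM, DATA or BACKUP
    fmt: str                   # Format
    size_mb: int               # Size in MB
    drive_letter: Optional[str] = None
    active: bool = False       # Active Partition
    extend: bool = False       # Extend


@dataclass
class DiskConfig:              # hypothetical model of the disk configuration fields
    name: str
    disk_number: int           # 0 is the first physical disk
    size_mb: int               # total disk size in MB
    delete_partitions: bool    # Delete Disk Partitions: Yes / No
    partitions: List[Partition] = field(default_factory=list)


def effective_size_mb(disk: DiskConfig, part: Partition) -> int:
    """Size a partition ends up with: an extended one takes what the fixed sizes leave."""
    if not part.extend:
        return part.size_mb
    return disk.size_mb - sum(p.size_mb for p in disk.partitions if not p.extend)


def _duplicates(values):
    return sorted(v for v, n in Counter(values).items() if n > 1)


def validate(disk: DiskConfig) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the rules the field descriptions state."""
    errors, warnings = [], []
    parts = disk.partitions
    if disk.disk_number < 0:
        errors.append("disk number must be 0 or higher")
    for dup in _duplicates(p.number for p in parts):
        errors.append(f"partition number {dup} is used more than once")
    for dup in _duplicates(p.label for p in parts):
        errors.append(f"label {dup} is not unique")
    letters = [p.drive_letter.upper() for p in parts if p.drive_letter]
    for dup in _duplicates(letters):
        errors.append(f"drive letter {dup} is assigned more than once")
    for letter in sorted(set(letters)):
        if len(letter) != 1 or not "C" <= letter <= "Z":
            errors.append(f"drive letter {letter} is outside C to Z")
    if sum(p.active for p in parts) > 1:
        errors.append("only one partition may be active per disk")
    if sum(p.extend for p in parts) > 1:
        errors.append("only one partition per disk may be extended")
    if sum(p.size_mb for p in parts if not p.extend) > disk.size_mb:
        errors.append("fixed partition sizes exceed the disk size")
    for p in parts:
        if p.number < 1:
            errors.append(f"{p.label}: partition numbers start at 1")
        if p.fmt not in FORMATS:
            errors.append(f"{p.label}: unknown format {p.fmt}")
        size = effective_size_mb(disk, p)
        if p.fmt == "FAT-32" and size > FAT32_MAX_MB:
            errors.append(f"{p.label}: FAT-32 partition of {size} MB exceeds 32 GB")
        if p.fmt == "Do Not Format" and disk.delete_partitions:
            warnings.append(f"{p.label}: existing data is lost although the partition "
                            "is not formatted, because Delete Disk Partitions is Yes")
    return errors, warnings


def sample_good() -> DiskConfig:
    """Constructed configuration that satisfies every rule."""
    return DiskConfig("FullDisk_3Partitions", 0, 80000, True, [
        Partition(1, "SYSTEM", "NTFS", 30000, "C", active=True),
        Partition(2, "DATA", "NTFS", 20000, "D", extend=True),
        Partition(3, "BACKUP", "FAT-32", 10000, "E"),
    ])


def sample_bad() -> DiskConfig:
    """Constructed configuration: reused letter, two active partitions, oversized FAT-32."""
    return DiskConfig("FullDisk_Broken", 0, 80000, True, [
        Partition(1, "SYSTEM", "NTFS", 30000, "C", active=True),
        Partition(2, "DATA", "FAT-32", 20000, "D", extend=True),
        Partition(3, "BACKUP", "Do Not Format", 10000, "D", active=True),
    ])


if __name__ == "__main__":
    for cfg in (sample_good(), sample_bad()):
        errs, warns = validate(cfg)
        print(cfg.name, "REJECTED" if errs else "OK")
        for line in errs:
            print("  error:", line)
        for line in warns:
            print("  warning:", line)
```

The FAT-32 check uses the size the partition has after extension, so a 20000 MB FAT-32 partition set to extend on an 80000 MB disk is rejected even though its entered size is below the limit.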

(i) Add OSD Manager

To define a device as OSD Manager proceed as follows:

1 Choose the Add Device icon.
2 The Add an OSD Manager popup window will appear on the screen displaying the list of all devices that may be OSD Managers due to their operating system.
3 Select the device to be added from one of the list boxes.
4 Click OK to confirm and close the window.
5 The device will be added to the table of OSD Managers and its configuration parameters will be updated accordingly.
6 Continue with Step 1: OSD Manager of the main procedure.


8 Software Distribution Step-by-Step

Using the Numara Deployment Manager you can control and manage software installations and distributions across the entire network. The architecture offers a 'pull' system, whereby the agents will collect (or pull) software packages from the software depot, the master or a relay on the network and proceed to install and configure the software on the clients.

As shown in the graphic below, the software distribution process consists of the following individual steps:

1 Download the installation file for the product to distribute from the Internet (1)
2 Create the package to distribute in the Package Factory and publish it to the master/relay (2, 3)
3 Assign the package to the target device and distribute (4, 5)
4 Install the package on the target and send the execution status to the master (6, 7).

[Figure: software distribution process. Components: Internet, Package Factory, Master, Target Client. Labelled steps 1 to 7: Installation Files, Create package, Publish package to Master, Assign Target Device, Pull package to Target Device, Install package, Send Status.]

This chapter is divided into the following sections:

• Software Distribution Examples
• Software Distribution Reporting
• Software Distribution Options

Prerequisites

To execute the examples provided in this chapter we assume that:

• in your test environment you have at least one, preferably several devices on which Firefox and Orca are not yet installed.
• your master has an Internet connection to download the setup files.
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the NAMP console and its workings.


8.1 Software Distribution Examples

The software distribution process is illustrated in this chapter via two examples:

• Creation and distribution of Mozilla Firefox version 3 via a custom package.
• Distribution of the database editor Orca via an msi package. (If you are executing rpm distributions you may also follow the general guidelines of this process as the two package types are very similar.)

Distribution 1: Firefox Custom Package

The actual software distribution process is split into the following individual steps:

1 Download Firefox Setup-File from the Mozilla site.
2 Create Firefox Custom Package and Make It Available.
3 Assign and Distribute Package Immediately.
4 Monitor Distribution Progress and Results.

Step 1: Download Firefox Setup-File

The first step before a software package can be distributed is to download the manufacturer's original installation package, in our example the file Firefox Setup 3.0.7.exe for Mozilla Firefox version 3. To do so, proceed as follows:

1 On the device you defined above as the Packager download the new Firefox version from http://www.mozilla.com/en-US/firefox/all.html.
2 Save the file Firefox Setup 3.0.7.exe on the local disk.

Step 2: Create Firefox Custom Package and Make It Available

Now that the software to be installed is available locally, the distribution package can be created and then be made available for the actual distribution:

1 Select the Wizards->Package Creation Wizard menu item.
2 The Package Creation Wizard appears on the screen and guides you through the individual steps required to create a new custom package.

Step 2a: Package Factory

In the first window, Package Factory, you need to select the Package Factory on which the new package is to be created as well as the type of the package to be created.

1 Select the one defined packager.

2 In the panel Package Type you must define which type of package is to be created via the wizard. Select the Custom Package option.

To create rpm packages, your Package Factory must run a Linux operating system. If you do not have a Linux master, first see Option (i) on how to define another device as the Packager, which you will need to use.

To see the command line options, open a cmd shell, go to the directory where you have saved the file, and execute Firefox Setup 3.0.7.exe /help: the /quiet option can be used to install in silent mode, with no user interaction.

If you want to define another device as the Packager please see Option (i).


3 Click Next to continue.

Step 2b: Custom Package

In the next wizard window, Custom Package, the new package must be configured. For this the following parameters must be defined:

1 Enter the name for the new package into the respective field, for instance Firefox v3.0.7.

2 Click Next to continue.

Step 2c: Installation Options

This window provides two panes for configuration:

If you want to create the new package in a specific folder instead of under the packages top node see Option (k) now.

If your antivirus software interferes heavily with .zip files, choose the .pkg Archive Type.


The Installation panel defines the parameters that control how the installation of the package is executed on the target(s).

1 In the Destination Path field enter the path in which you want the Firefox Setup 3.0.7.exe to be stored temporarily, for instance c:/temp.

2 In the Run Command field enter c:/temp/Firefox Setup 3.0.7.exe /S.

The Overwrite box defines which files the package may overwrite when installing on the target and which it may not touch.

1 Check the Overwrite Non-system Files, Overwrite older file versions only and Overwrite read-only files boxes.

2 Click Next to continue.

Step 2d: Add Files

To add the files to install to the custom package proceed as follows:

1 Select the Add File icon.
2 The Files from dialog box appears on the screen.
3 In the Add Files to Custom Package tab go to the drive and directory in which you stored the Firefox installation file Firefox Setup 3.0.7.exe and select it.
4 Uncheck the option Enable Full Path.

In the Destination Path field you need to enter the path to which the executable file is to be copied and under which it is stored in the package; the path in the Run Command field must therefore be c:/temp/Firefox Setup 3.0.7.exe /S. The /S option is optional and indicates a silent installation.

This option allows you to control where the file will be put on the target devices.


5 Click OK to confirm and to close the window.
6 The Firefox installation file was added to the list window.

7 Click Next to continue.

Step 2e: Publication

Publishing a package signifies making it available for distribution within the network after creation or modification. We will simply publish the package to the master, which is also the preselected option. Therefore do not make any changes in the window and click the Finish button to confirm all settings and finish this wizard.


Step 2f: Package Distribution

Once the package is created a popup window appears in which you may continue directly with the distribution of the newly created package via the respective wizard. Check the Deploy the Package radio button and click Yes to continue directly with the distribution of the new package.

Step 3: Assign and Distribute Package Immediately

The distributable package is now available on the master ready to be assigned and distributed to the target devices. Since we have chosen to continue directly with the distribution, the Package Distribution Wizard appears on the screen.

Step 3a: Package

In the first window of the wizard you define which package to distribute as well as some distribution options. In our case the package is already preselected, the one we just created.

If you want to schedule the distribution at a specific later time, uncheck the Default Schedule option, and then see Option (a) when the Schedule wizard window appears.

If you want to advertise the distribution to users via the Application Kiosk refer to Option (h) now.

If you want to schedule the distribution with Wake-On-LAN enabled, uncheck the Default Schedule option and then see Option (b) when the Schedule wizard window appears.


Make no changes and click the Next button to continue.

Step 3b: Assigned Devices

In this next window you need to define the targets of the package distribution. As we have not made any changes in the previous window we will assign the package to a device group, one we created in a previous chapter called All Client Devices without Firefox.

1 Select the Assign Device Group icon.
2 The Select a Device Group popup window will appear on the screen.
3 Select the device group All Client Devices without Firefox from the list box.
4 Click OK to confirm the assignment and close the window.
5 The device group will be added to the list field.

If you want to schedule the distribution at a specific later time see Option (a) now.

If you want to schedule the distribution with Wake-On-LAN enabled see Option (b) now.


6 Click the Finish button to confirm all settings and finish this wizard.

Step 3c: Distribution Activation

The last option provided by the wizard is to immediately activate the package and/or go to the package. Check the Go to Package box to change the focus of the console window to the package distribution view. Click Yes to confirm the activation.

Step 4: Monitor Distribution Progress and Results

The focus of the console was moved to the Device Groups under the Assigned Objects node of the newly created package. In the right window pane you can see the entry for the assigned group with its status Activated. To follow the execution of the distribution via the different status values the process passes through, select the All Client Devices without Firefox subnode. In the table to the right you should see all members of the group with the following successive status values:

• Assignment Sent
• Assigned
• Ready to run
• Executed

Distribution 2: Orca MSI Package

The actual software distribution process for an msi package is split into the following individual steps:

1 Create MSI Package and Make It Available.
2 Assign and Distribute Package.
3 Monitor Distribution Progress and Results.

If you want to distribute the software via multicast (limit the network bandwidth used during distribution) click No here and refer to Option (c) now.

If you want to advertise the distribution to users via the Application Kiosk click No here and refer to Option (i) now.

If you want to put more conditions in your distribution, for instance to be sure to distribute only to machines with at least 256 Mb of RAM, click No here and see Option (d) now.

If you want to put more post-processing in your distribution, for instance leave to the user the possibility to reboot immediately or later, click No here and refer to Option (g) now.

At any moment you can use the Refresh button in the toolbar.

The bottom right counter tells you the seconds before the status is refreshed automatically.


Prerequisites

In addition to the general prerequisites mentioned at the beginning of the chapter we also assume that:

• the msi file to install Orca is stored on the master
• Orca is not yet installed on the master

Step 1: Create MSI Package and Make It Available

The first step for the msi distribution is to create the package on the Packager and then make the package available for the actual distribution:

1 Select the Wizards->Package Creation Wizard menu item.
2 The Package Creation Wizard appears on the screen and guides you through the individual steps required to create a new MSI package.

Step 1a: Package Factory

In the first window, Package Factory, you need to select the Package Factory on which the new package is to be created as well as the type of the package to be created.

1 We only have one packager defined therefore leave it selected.

2 In the panel Package Type you must define which type of package is to be created via the wizard. Select the MSI Package option.

3 Click Next to continue.

Step 1b: MSI Package

In the next wizard window, MSI Package, the new package must be created. Created in this case means selecting the downloaded msi file and specifying it as the msi package to handle. Proceed as follows:

If you want to define another device as the Packager please see Option (i).


1 Click the Select button to the right of the Name field.
2 The MSI Packages window will appear on the screen.
3 This dialog box provides you with a list of all available drives from which you may select the MSI package.
4 To find the Orca package browse down into the directory tree and select it.
5 Click the OK button to confirm.
6 The msi package will be automatically created with its name being Orca, as taken from the msi file.

7 Then click Next to continue.

Step 1c: Installation Options

The Installation options provide information on the execution of the installation of the package on the target(s). Make the following changes:

1 In the User interface field select the option None instead of the preselected value. This will ensure that the installation is executed in the background without disturbing the user.

If your antivirus software interferes heavily with .zip files, choose the .pkg Archive Type.

If you want to create the new package in a specific folder instead of under the MSI packager top node see Option (k) now.

If you know that the msi package requires additional files for installation, check the Additional Files box in the Options panel and see Option (j) when the respective window appears.


2 Click Next to continue.

Step 1d: Publication

Publishing a package signifies making it available for distribution within the network after creation or modification. We will publish the package to the master, which is also the default. Click the Finish button to confirm all settings and finish this wizard.

Step 1e: Package Distribution

Once the package is created a popup window appears in which you may continue directly with the distribution of the newly created package via the respective wizard. Click Yes to continue directly with the distribution of the new package.

If you have checked the Additional Files box in the Options panel to add required files to the msi, the window appears now on the screen. See Option (j) now for instructions.


Step 2: Assign and Distribute Package

The distributable package is now available on the master ready to be assigned and distributed to the target devices. Since we have chosen to continue directly with the distribution, the Package Distribution Wizard appears on the screen.

Step 2a: Package

In the first window of the wizard you define which package to distribute as well as some distribution options. In our case the package is already preselected, the one we just created.

1 In the Target Type drop-down box select the option Devices, as we want to distribute the software only to one device, the master.

2 Click Next to continue.

Step 2b: Assigned Devices

In this next window you need to define the targets of the package distribution. As we have selected Devices in the preceding window, we can only add individual devices here.

1 Select the Assign Device icon.
2 The Select a Device popup window will appear on the screen.
3 Mark the device to which you want to distribute Orca, e.g. the master, then click OK.
4 The device is added to the list in the wizard window.
5 Now click the Finish button to confirm the distribution.

If you want to distribute the software via multicast (limit the network bandwidth used during distribution), refer to Option (c) now.

If you want to schedule the distribution at a specific later time, uncheck the Default Schedule option, and then see Option (a) when the Schedule wizard window appears.

If you want to advertise the distribution to users via the Application Kiosk click No here and refer to Option (h) now.

If you want to schedule the distribution with Wake-On-LAN enabled, uncheck the Default Schedule option and then see Option (b) when the Schedule wizard window appears.

If you want to schedule the distribution at a specific later time see Option (a) now.


Step 2c: Distribution Activation

The last option provided by the wizard is to immediately activate the package and/or go to the package. Check the Go to Package box to change the focus of the console window to the package distribution view. Click Yes to confirm the activation.

Step 3: Monitor Distribution Progress and Results

In the right window pane of the Devices node you can follow the execution of the distribution via the different status values the process passes through. You should see the following successive status values:

• Assignment Sent
• Assigned
• Ready to run
• Executed

If you want to schedule the distribution with Wake-On-LAN enabled see Option (b) now.

If you want to distribute the software via multicast (limit the network bandwidth used during distribution) click No here and refer to Option (c) now.

If you want to advertise the distribution to users via the Application Kiosk click No here and refer to Option (i) now.

If you want to put more conditions in your distribution, for instance to be sure to distribute only to machines with at least 256 Mb of RAM, click No here and see Option (d) now.

If you want to put more post-processing in your distribution, for instance leave to the user the possibility to reboot immediately or later, click No here and refer to Option (g) now.

At any moment you can use the Refresh button in the toolbar.

The bottom right counter tells you the seconds before the status is refreshed automatically.


8.2 Software Distribution Reporting

Up to now the event data regarding software distributions are only available locally on the agent. However, to be able to generate reports on this topic and to view them in the console together with other data, these events must be specifically uploaded to the master and its database. Once data is available on software distributions on your network, you may generate different reports to summarise the general situation or detail specific distributions. The following chapter will guide you through some of these possibilities. You will find the general information on reports in the Reporting chapter earlier in this manual.

Step 1: Upload Software Distribution Events to Master Database

The event data of all types of software distributions may be uploaded to the master database via an operational rule:

1 Go to the Operational Rules top node in the left window pane.
2 Click on the Create Operational Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Software Distribution Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the operational rule.
7 To configure all the steps it is to contain go to the next tab, the Steps tab.
8 Click the Add Step icon in the icon bar to add the first step.
9 The Select a Step popup window will appear on the screen.
10 It displays the list of available steps in its Available Steps box.

By default these events are configured to be uploaded every 24 hours, i.e. at midnight. If the agent is not running at this time the events will be uploaded at agent startup.


11 Double-click the Event Log Manager folder.
12 Select the step Upload Events and click the Add button.
13 The Properties dialog box appears on the screen.
14 From the Model Name dropdown list select the Software Installations value and leave all other fields as they are.
15 Then click OK to confirm the parameters and OK again to confirm the new step.
16 The operational rule is now configured and must be assigned to the target, i.e. all devices, since we executed software installations on the master as well as the clients.
17 Go to the Assigned Objects->Device Groups node in the left window pane under your newly created operational rule.
18 Select the Assign Device Group icon in the icon bar.
19 A confirmation window appears on the screen. In this window you may define if the device group assignment will be activated according to the default schedule defined in the User Preferences. Click Yes to activate the operational rule automatically.
20 The Select a Device Group popup window will appear on the screen.
21 Select the All Devices group from the list.
22 The group will be added to the table in the right pane with a status of Activated.
23 Go to the subnode All Devices and follow the execution of the operational rule for the individual group members.


24 Once their status is Executed all data are uploaded.
25 To verify this go to the Events->Event Logs node of the All Devices group.
26 This node displays the list of all events registered by the event log models for the selected device group.
27 The software installation events are the default selection, therefore click the Find button directly.
28 The table below will now display all software installation events that were uploaded and continue to be uploaded.
29 Now all data are uploaded and ready and the report may be generated.

Step 2: Generate Reports

The Numara Asset Management Platform provides a number of predefined reports for the software distribution with its out-of-the-box objects. They are all collected in the Distribution Statistics folder. Proceed as follows to generate a report:

1 Open the Reports->Distribution Statistics folder in the left window pane.
2 Select a report, for example Monthly Software Distribution Statistics.
3 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
4 A confirmation window appears on the screen, click the OK button to confirm.
5 The report will be created immediately using the current data of the database.
6 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
7 A login window appears on the screen. Enter admin and no password.
8 A new browser window or tab opens and displays the report.

Report 1: Monthly Software Distribution Statistics

This report is composed of two vertical subreports, displaying a chart each, one for the Software Distribution Count by Month and the second the Distributed Volume by Month.


Report 2: Software Distribution Results by Group

This report is also composed of two subreports, horizontally divided. The upper subreport displays a pie chart for the Overview over Software Distribution Results, i.e. it shows all different final status values for the executed distributions. The second subreport displays in tabular format all device groups with their respective distribution status.

Report 3: Software Distribution Results by Month

This report is also composed of two subreports, horizontally divided. The upper subreport displays a pie chart for the Overview over Software Distribution, i.e. it shows all different final status values for the executed distributions. The second subreport displays in tabular format the different months with the number of times a distribution finished with a specific status value.

Report 4: Software Distribution Results by Package

This report shows two charts next to each other, the pie chart showing the package repartition in percentage and the bar chart the Distributed Volume by Package.


Report 5: Software Distribution Results by Type

This report shows two charts next to each other: the pie chart shows the breakdown by package type in percent and the bar chart the Distributed Volume by Package Type.

8.3 Software Distribution Options

The following paragraphs will provide you with a number of options that may be used to modify the software distributions.

(a) Schedule a Software Distribution for a Given Time and Date

Software distributions can be quite heavy on the network, and therefore it might be better to schedule them for a time when general network load is low, such as the lunch break or at night.

Make the following changes in the Schedule window if you have unchecked the Default Schedule option in the first window of the wizard:

1 The Schedule window appears on the screen displaying its first tab Assignment.
2 In the Assignment Date box check the Deferred to radio button and then select the desired date and time in the list boxes to the right.

Almost all these options use the Firefox custom package for their example as well as the hyperlink target. However, you may use all these examples for the msi package as well, simply by replacing any reference to Firefox v3.0.7.cst by orca.msi.


3 Now click the Finish button to confirm the distribution.

(b) Distribution with Wake-On-LAN enabled

Numara Deployment Manager allows you to use the Wake-On-LAN functionalities to make sure the software is distributed to all assigned devices no matter their current state.

Make the following changes in the Schedule window if you have unchecked the Default Schedule option in the first window of the wizard:

1 The Schedule window appears on the screen displaying its first tab Assignment.
2 Check the box Wake-up Devices, to enable the WOL option.

3 Now click the Finish button to confirm the distribution.


(c) Multicast Distribution (Distribute Using a Predefined Bandwidth)

Multicast delivery enables parallel software distribution to an unlimited number of client systems while simultaneously reducing server and network resource requirements and bandwidth consumption for high-volume, high-population software distribution. It enables software to be distributed to thousands of desktops in the same time it takes to deliver software to a single desktop, while making optimal use of server and network resources. The multicast principle is to send a file to a virtual multicast address advertised to all target clients, each of which will get the file. In contrast to unicast, the server sends the file only once. For more detailed information on the multicast principle refer to chapter Multicast Software Delivery on page 197 in the Reference manual.

A software distribution via multicast consists of the following steps:

1 Modify the multicast parameters on the relay if you have a specific configuration for which the default values may not be used. The default values are specified for a speed of 128 KB/s which should work for all types of networks. You will find a detailed explanation of all parameters in the Console manual under paragraph General on page 291 of the File Store chapter.

2 Create a multicast transfer window and assign it to the multicast relay. Be aware that if a transfer window of type multicast is assigned to a relay, this relay can only execute multicast software distributions, no unicast distributions.

3 Assign the package to distribute via multicast to the targets.

To now distribute our Firefox software package to all clients without Firefox in the network proceed as follows. We will assume that the default parameters may be used with our network and thus require no specific configuration.

1 Go to the Transfer Windows node under the Global Settings top node.
2 Select the Edit->Create Transfer Window menu item or the respective icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter the desired name, for instance Standard Multicast, select Multicast as the transfer channel and KB/second from the Slot Type list.
5 Click the OK button to confirm these settings and to close the window.
6 Select the newly created window, e.g. Standard Multicast, in the left pane and select its Planning tab.
7 The right window pane displays an hour/day of the week grid. Mark the periods for which the bandwidth restrictions are to apply by selecting the first slot, e.g., Monday 08:00 and move your mouse cursor to the last slot, e.g. Friday 18:00, to restrict the bandwidth for all working days from 8am to 6pm.
8 Select the Edit->Define Time-slots menu item or click the respective icon in the icon bar.
9 The Define Transfer Window Time-Slots window appears on the screen.
10 Enter 128 (or any other desired value) and click OK to confirm.

Be aware that you need the special Multicast license if you want to execute software distributions via multicast. For trial purposes this license is included in the temporary license.


11 Select the Assigned Objects->Devices node of the Standard Multicast.
12 Either choose the Edit->Assign Device menu item or click the respective icon in the icon bar.
13 A confirmation window appears on the screen, click OK.
14 The Select a Device Group popup window will appear on the screen.
15 Select the All button in the left window bar.
16 Select the device to which you want to apply bandwidth control, i.e. the relay, and click OK to confirm.

From now on, and in the time slot defined, no communication between the selected device and its parent (the master or a relay) will ever exceed 128 KB/second, in both the ascending (inventories) and descending (distributions) directions. You can now distribute the Firefox package without any risk of limiting the network access to the end-user.

Now the required transfer window is defined and the distribution of Firefox may be continued:

1 Open the Packages->Firefox v3.0.7.cst->Assigned Objects->Device Groups node.
2 Select the All Client Devices without Firefox entry in the right window pane.
3 Select the Edit->Properties menu item or the respective icon in the icon bar.
4 The Scheduler window appears on the screen displaying its first tab Assignment.
5 Select the Validity tab.
6 In the Execution Date box either check Immediately to directly launch the installation or the Deferred to radio button and then select the desired date and time in the list boxes to the right to start the installation at a later time.
7 Go to the Assignment tab.
8 In the Assignment Date box select the option Immediately to directly activate the distribution.


9 Click the OK button to confirm the schedule.
10 The software distribution process via multicast to the clients is now started.
11 To verify that the distribution was correctly executed via multicast go to the All Client Devices without Firefox subnode.
12 In the table to the right all member devices of the group are listed with their status values and other data.
13 Check the column Transport Mode.
14 As long as the software distribution has not been executed it will display the value Unknown.
15 Once the distribution has started it will display Multicast, if the multicast distribution worked properly. If this is not the case the software distribution will be executed in the regular way and this field will display Unicast.

(d) Distribute Only to Device with at Least 256 MB RAM

When a package is assigned for distribution, an operational (distribution) rule of the same name as the package will automatically be created containing the necessary actions (steps) to execute the package installation on the target device. This operational rule is editable, i.e. conditions may be added to it before the package installation, such as making sure the package will only be installed on a device with XP SP2 as its operating system and at least 256 MB RAM. Proceed as follows:

1 Select the Operational Rules top node in the left window pane.
2 The right window pane will display the list of existing operational rules and folders. Select the Firefox v3.0.7.cst operational (distribution) rule.
3 Go to tab Steps in the right window pane.


4 Either choose the Edit->Add Step menu item or click the respective icon in the icon bar.
5 The Select a Step popup window will appear on the screen.
6 In the window list expand item Monitoring and select step Check Installed RAM.
7 Click the Add button.

8 In the appearing Properties window choose the option Stop on failed step for field Stop Condition and enter 256 in the RAM (MB) field.

9 Click OK to add the step to the list.
10 Click OK to confirm the step list.
11 In the table to the right select the line Check Installed RAM and then click the Edit->Move Up menu item or click the respective icon in the icon bar once.

Now the required new step is added and at the right position: If a target device does not have at least 256 MB of RAM, the distribution will not be executed. To continue the distribution of Firefox now do the following:

1 Open the Packages->Firefox v3.0.7.cst->Assigned Objects->Device Groups node.
2 Select the device group to which the package is assigned, All Client Devices without Firefox.
3 Select the Edit->Properties menu item or the respective icon in the icon bar.
4 The Scheduler window appears on the screen displaying its first tab Assignment.
5 Select the Validity tab.
6 In the Execution Date box either check Immediately to directly launch the installation or the Deferred to radio button and then select the desired date and time in the list boxes to the right to start the installation at a later time.
7 Go to the Assignment tab.
8 In the Assignment Date box select the option Immediately to directly activate the distribution.


9 Click the OK button to confirm the schedule.
10 However, as you can see under the Status column the rule Firefox v3.0.7.cst was not activated in the last step of the distribution wizard, it must be done now. Select the rule in the table.
11 Select the Edit->Activate Operational Rule menu item or click the respective icon in the icon bar.
12 The rule will be activated immediately with the default schedule.

(e) Kill Firefox Before Starting the Distribution

If you are using this software distribution to upgrade existing Firefox versions it might be good to make sure that any existing version of the Firefox browser is stopped on the target devices before starting the installation. To do so proceed as follows:

1 Select the Operational Rules top node in the left window pane.
2 The right window pane will display the list of existing operational rules and folders. Select the Firefox v3.0.7.cst operational (distribution) rule.
3 Go to tab Steps in the right window pane.
4 Either choose the Edit->Add Step menu item or click the respective icon in the icon bar.
5 The Select a Step popup window will appear on the screen.
6 In the window list expand item Process Management and select step End Processes.
7 Click the Add button.


8 In the appearing Properties window choose the option Stop on failed step for field Stop Condition and enter firefox.exe in the Process Names field.

9 Click OK to add the step to the list.
10 Click OK to confirm the step list.
11 In the table to the right select the line End Processes and then click the Edit->Move Up menu item or click the respective icon in the icon bar once.

Now the required new step is added and at the right position: If any version of Firefox is currently being executed on a target device, it will be stopped before the installation process is started. Now, to continue the distribution do the following:

1 Open the Packages->Firefox v3.0.7.cst->Assigned Objects->Device Groups node.
2 Select the device group to which the package is assigned, All Client Devices without Firefox.
3 Select the Edit->Properties menu item or the respective icon in the icon bar.
4 The Scheduler window appears on the screen displaying its first tab Assignment.
5 Select the Validity tab.
6 In the Execution Date box either check Immediately to directly launch the installation or the Deferred to radio button and then select the desired date and time in the list boxes to the right to start the installation at a later time.
7 Go to the Assignment tab.
8 In the Assignment Date box select the option Immediately to directly activate the distribution.
9 Click the OK button to confirm the schedule.
10 However, as you can see under the Status column the rule Firefox v3.0.7.cst was not activated in the last step of the distribution wizard, it must be done now. Select the rule in the table.
11 Select the Edit->Activate Operational Rule menu item or click the respective icon in the icon bar.
12 The rule will be activated immediately with the default schedule.

(f) Reboot the Device at the End of the Distribution

Rebooting the device after the installation may be done in one of the following ways:


1 Add a new step 'restart' to the distribution rule; for this execute the same operations as explained above under Option (d): Distribute Only to Device with at Least 256 MB RAM or Option (e): Kill Firefox Before Starting the Distribution.

2 Add a reboot step to the software distribution rule itself. The Reboot rule was already created under the exercises in the operational rules chapter, thus we only need to add it here.
  a Select the Reboot operational rule in the left window pane under the main Operational Rules node.
  b Go to its Dependencies tab.
  c Either choose the Edit->Add Dependency menu item or click the respective icon in the icon bar.
  d The Select an Operational Rule dialog box opens on the screen.
  e Open the Software Distribution folder and select the Firefox v3.0.7.cst operational rule.
  f Click OK to confirm the dependency.
  g Open Device Groups->All Client Devices without Firefox node.
  h There open the Assigned Objects->Operational Rules node.
  i The Firefox v3.0.7.cst rule is already assigned.
  j Select the Edit->Assign Operational Rule menu item or click the respective icon in the icon bar.
  k In the appearing confirmation window click Yes.
  l The Assign an Operational Rule popup window will appear on the screen.
  m Select the All button in the left window bar.
  n Select the rule called Reboot and click OK.
  o Click OK to confirm and close the window.
  p However, as you can see under the Status column the rule Firefox v3.0.7.cst was not activated in the last step of the distribution wizard, it must be done now. Select the rule in the table.
  q Select the Edit->Activate Operational Rule menu item or click the respective icon in the icon bar.
  r The rule will be activated immediately with the default schedule.

The distribution will now be performed, and at the end the device will be rebooted. If you would like to give the user the choice of if and when to reboot, follow the instructions of the next option.

(g) Define the Device Reboot after Distribution as User Choice

There are two possibilities to do so:

1 We are going to:
  a Create an operational rule for the Firefox distribution. Depending on where in the distribution process you interrupt, this rule may already be created.
  b Create a second operational rule to control the reboot process.
  c Create a dependency between these 2 rules.
  d Assign and activate the 2 rules.

2 There is also a faster method to do this:
  a Create an operational rule for the Firefox distribution. Depending on where in the distribution process you interrupt, this rule may already be created.
  b Add the steps to control reboot to this rule.
  c Assign and activate this rule.

The drawback of this method is that if the user chooses not to reboot, the whole distribution result will be reported as Failed, while in the first case, the distribution rule will be Executed (Ok) and the Reboot rule will be Failed (normal as the user decided not to reboot).

Our example will use the first method with the Firefox distribution rule already created and assigned but not activated. Thus we only need to create the second reboot rule.

1 Select the Operational Rules top node in the left window pane.
2 Select the Edit->Create Operational Rule menu item or the respective icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Firefox Reboot with User Confirmation into the Name field and click OK to confirm.
5 Select the newly created rule Firefox Reboot with User Confirmation and go to the Steps tab.
6 Either choose the Edit->Add Step menu item or click the respective icon in the icon bar.


7 The Select a Step popup window will appear on the screen.
8 Expand the item User Message Box and select step User Acknowledgement via Message Box.
9 Click the Add button to confirm.
10 The Properties dialog box appears on the screen. Enter the following data in the respective fields:

Stop Condition: choose the option Stop on failed step
Message Title: Firefox Distribution
Message Text: Do you want to reboot now or later?
Validation Button Label: Now
Cancel Button Label: Later
Number of Retries: 20
Retry Interval: 5

11 Click OK to confirm and add the step to the list.
12 Expand the item Windows and select step Reboot.
13 Click the Add button to confirm.
14 The Properties dialog box appears on the screen.
15 Click the OK button to confirm and add this step.
16 Click the OK button to add the list of steps to the operational rule now.
17 Now go to the Dependencies tab.
18 Either choose the Edit->Add Dependency menu item or click the respective icon in the icon bar.
19 The Select an Operational Rule dialog box opens on the screen.
20 Open the Software Distribution folder and select the Firefox v3.0.7 operational rule.
21 Click OK to confirm the dependency.
22 Open Device Groups->All Client Devices without Firefox node.
23 There open the Assigned Objects->Operational Rules node.
24 The Firefox v3.0.7 rule is already assigned.
25 Select the Edit->Assign Operational Rule menu item or click the respective icon in the icon bar.
26 In the appearing confirmation window click Yes.
27 The Assign an Operational Rule popup window will appear on the screen.
28 Select the All button in the left window bar.
29 Select the rule Firefox Reboot with User Confirmation.cst and click OK.
30 Click OK to confirm and close the window.
31 However, as you can see under the Status column the rule Firefox v3.0.7.cst was not activated in the last step of the distribution wizard, it must be done now. Select the rule in the table.
32 Select the Edit->Activate Operational Rule menu item or click the respective icon in the icon bar.
33 The rule will be activated immediately with the default schedule.

The distribution will now be performed, and at the end the user will have the choice whether to reboot or not. If the user chooses not to, the popup window will come back 20 times at a 5-minute interval before the reboot is abandoned and the rule is viewed as having failed in its execution.
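The step-ordering point from option (d) and the status trade-off between the two methods of option (g) can be reproduced with a small model. This is an added Python example, not Numara code: the Rule and Step classes, the device dictionary and the rule that a dependent rule only runs after its prerequisite succeeded are assumptions made for illustration.

```python
"""Toy model of operational rules. Constructed for illustration; not product code."""
from dataclasses import dataclass
from typing import Callable, List, Optional

OK, FAILED, NOT_RUN = "Executed (Ok)", "Failed", "Not executed"
PKG = "Firefox v3.0.7.cst"


@dataclass
class Step:
    name: str
    action: Callable[[dict], bool]  # returns True when the step succeeds


@dataclass
class Rule:
    name: str
    steps: List[Step]
    depends_on: Optional["Rule"] = None
    status: str = NOT_RUN

    def run(self, device: dict) -> str:
        # Assumption: a dependent rule only runs once its prerequisite succeeded.
        if self.depends_on is not None and self.depends_on.status != OK:
            return self.status
        for step in self.steps:
            # Every step here uses the "Stop on failed step" stop condition.
            if not step.action(device):
                self.status = FAILED
                return self.status
        self.status = OK
        return self.status


def check_ram(min_mb: int) -> Step:
    return Step("Check Installed RAM", lambda d: d["ram_mb"] >= min_mb)


def install(pkg: str) -> Step:
    def act(d: dict) -> bool:
        d["installed"].append(pkg)
        return True
    return Step("Install " + pkg, act)


def ask_user() -> Step:
    # Stands for the user's final answer once all retries of the message box are used up.
    return Step("User Acknowledgement via Message Box", lambda d: d["user_reboots"])


def reboot() -> Step:
    def act(d: dict) -> bool:
        d["rebooted"] = True
        return True
    return Step("Reboot", act)


def new_device(ram_mb: int, user_reboots: bool = True) -> dict:
    return {"ram_mb": ram_mb, "user_reboots": user_reboots,
            "installed": [], "rebooted": False}


def ram_gate(check_first: bool, ram_mb: int):
    """Option (d): the RAM check only protects the device if it runs before the install."""
    steps = [check_ram(256), install(PKG)] if check_first else [install(PKG), check_ram(256)]
    device = new_device(ram_mb)
    return Rule(PKG, steps).run(device), device["installed"]


def reboot_as_dependent_rule(user_reboots: bool):
    """Option (g), method 1: separate reboot rule that depends on the distribution rule."""
    device = new_device(512, user_reboots)
    dist = Rule(PKG, [install(PKG)])
    rb = Rule("Firefox Reboot with User Confirmation", [ask_user(), reboot()], depends_on=dist)
    return dist.run(device), rb.run(device), device


def reboot_inside_distribution_rule(user_reboots: bool):
    """Option (g), method 2: reboot steps appended to the distribution rule itself."""
    device = new_device(512, user_reboots)
    rule = Rule(PKG, [install(PKG), ask_user(), reboot()])
    return rule.run(device), device


if __name__ == "__main__":
    print("check after install, 128 MB:", ram_gate(False, 128))
    print("check before install, 128 MB:", ram_gate(True, 128))
    print("method 1, user declines:", reboot_as_dependent_rule(False)[:2])
    print("method 2, user declines:", reboot_inside_distribution_rule(False)[0])
```

In both the misplaced-check case and method 2 the package ends up installed while the rule reports Failed, which is why the check is moved up and why the first method gives the cleaner distribution report.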


(h) Advertise the Package to Users (Application Kiosk)

Advertising a package to users means that the package is assigned to specific devices. The user of the device is thus informed that the package is available and it is then their choice if and when to install the application.

1 In the window of the wizard make the following changes:
2 In the drop-down Assignment Type select the option Advertise.
3 Then continue with the wizard in the main procedure.

Application Kiosk

To actually perform the distribution on a target proceed as follows:

1 Go to the target device (physically go there, you cannot do it from your desk via the console or the Agent Interface if the target device is not the device you are currently working from).
2 Right-click the blue NAMP agent icon at the bottom-right of the Windows device. If the package has already arrived on the target, the icon should be displayed with the package.
3 Left-click on the Agent Interface menu item.
4 A browser window opens displaying the HCHL interface of the local agent.
5 Select the Application Kiosk tab.
6 Identify yourself with a local login in the appearing popup window.
7 You will now see a web page proposing the Firefox v3.0.7 package for installation.
8 To install the package mark the check box Select at the right end of the Firefox v3.0.7 package.


9 Click the Download & Execute button.
10 The package will now be installed.
11 You can follow the different stages of the installation in the console window. The Agent Interface will only display once the installation is finished (Executed) or if it has failed (Execution Failed) in the Status column.

(i) Define a Different Package Factory

Any device may be a Packager or Package Factory, it only must be declared as such. This may either be done in the properties of the device or in the Package Factory node. To add a device to the Package Factory as a Packager from the Package Factory node proceed as follows:

12 Select the Add Device icon above the list field.
13 The Add a new Package Factory popup window will appear on the screen.
14 Select the All button in the left window bar.
15 Select the device to be added as a Package Factory from the list displaying all existing devices.
16 Click OK to confirm and close the window.
17 The device will be added to the table of Packagers and its configuration parameter will be updated accordingly.
18 When you select the device you will see all types of packagers which you can create on this device. The types of packages depend on the operating system of the device, i.e. it is not possible to create rpm packages on a Windows device.

(j) Add Additional Files

Sometimes it is necessary to add some more files to the MSI distribution packages. This may be done via the Additional Files window of the wizard. To add more files proceed as follows:

1 Select the Add File icon on top of the table.
2 A dialog box with the name of the package appears on the screen providing the list of all available drives.
3 Find the storing location either on your hard drives or on the CD/DVD drive and select the additional files required for installation, such as the sku026.cab and sku0a4.cab files, located on the same level as the .msi file and required for the installation.

4 Click the OK button at the bottom of the window to confirm the additions or Cancel to abort and close the window.


5 Then click the Next button to continue with the Publication wizard window on page 191.

(k) Creating a Package in a Specific Folder

When creating a new package it may be directly created in a folder instead of under the package type's top node, which is the default location. To do so proceed as follows:

1 To add it to another folder click the icon to the right of the Folder field (...).
2 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create a new folder.
  a To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy.
  b The Properties dialog box appears on the screen.
  c Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new package folder.
3 Select the target folder and click the OK button to confirm and to close the window and return to the original window.


9 Resource Monitoring Step-by-Step

The Resource Monitoring allows the administrator to monitor a number of system resources and their usage and access on the managed remote devices. Resource monitoring can be very time and resource intensive on the devices as well as on the network traffic. It is therefore recommended to limit the monitoring to a few clients and to monitor only sensitive areas.

Prerequisites

To execute the examples provided in this chapter we assume that:

• at least one of the test devices is connected either locally or remotely to a printer.
• at least one of the test devices has Internet access and MS Internet Explorer installed.
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the NAMP console and its workings.

9.1 Resource Monitoring Examples

This chapter will provide you with an example for each of the resources that may be monitored via the NAMP agent:

• Printer
• File System
• Web History

9.1.1 Printer

Printer monitoring provides the administrator with information regarding the usage of the printer by all clients and is effected by querying the printer queues. Some documents, such as very small ones that may remain only a very short time in the printer queue, may not appear in the list, especially if the defined query values are high. Remote print monitoring should only be done by very few clients in the network, as this will generate heavy traffic and may cause the printer to slow down considerably, as it is occupied most of its time answering remote print monitoring queries instead of printing.

1 Configure Printer Monitoring
2 Locally Monitoring the Printer Activity
3 Printer Monitoring Results
4 Generate a Print Monitor Report

Step 1: Configure Printer Monitoring

The first step before the printing activities of a device may be monitored is to activate and configure the module which, by default, is deactivated. Proceed as follows to do so:

Be aware that the resource monitoring module is only applicable to Windows operating systems NT4 and later.


212 - Numara Asset Management Platform - Monitoring

1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->Printer node.

2 The General tab displays the list of the configuration parameters of this module.
3 Highlight an entry in the table to the right.
4 Then either select the Edit->Properties menu item or the respective icon in the icon bar.
5 The Properties window appears on the screen.
6 Make the following modifications to the available parameters:
  Check the Enable printer monitoring parameter.
  If your master does not have a local printer connected, check the Enable remote printer monitoring box. In this case you may also uncheck the Enable local printer monitoring box above.
  Modify the Printer discovery delay to 10 seconds. For a production environment you should not set this value below 60 seconds, as this will generate a lot more network traffic. We will use a smaller value here to see immediate results.
7 Then click OK to confirm and close the window.
8 Printer monitoring is now activated on the master.

Step 2: Locally Monitoring the Printer Activity

To be able to monitor this activity you need to print some documents on one or more printers, either local or remote depending on your configuration above. Then proceed as follows to see the activity locally on the device:

1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->Printer node.

2 Then select the Events tab.
3 It displays the list of the documents printed by the device. Refresh the page if it is still empty.


4 The following information is displayed:

Event Date: The date and time at which the document arrived at the printer.
Printer Name: The network name of the printer.
User Name: The name of the user logged on to the client from which the print job was sent.
Document Name: The name of the document to be printed. This document may be listed with its full or short network path which may also be truncated. Which option is used depends entirely on the application from which the document was printed.
Page Count: The number of pages of the document which were to be printed. If the number is listed as Unknown or 0, it is due to the way the application sends its data to the printer.

Step 3: Printer Monitoring Results

Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic and to view them in the console together with other data these events must be specifically uploaded to the master and its database. This is done via an operational rule:

1 Go to the Operational Rules top node in the left window pane.
2 Click on the Create Operational Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Resource Management Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the operational rule.
7 To configure all the steps it is to contain go to the next tab, the Steps tab.
8 Click the Add Step icon in the icon bar to add the first step.
9 The Select a Step popup window will appear on the screen.
10 It displays the list of available steps in its Available Steps box.

By default these events are configured to be uploaded every 24 hours, i.e. at midnight. If the agent is not running at this time the events will be uploaded at agent startup.


11 Double-click the Event Log Manager folder.
12 Select the step Upload Events and click the Add button.
13 The Properties dialog box appears on the screen.
14 From the Model Name dropdown list select the Printer Monitor value and leave all other fields as they are.
15 Then click OK to confirm the parameters and OK again to confirm the new step.
16 The operational rule is now configured and must be assigned to the target, i.e. the master.
17 Go to the Assigned Objects->Devices node in the left window pane under your newly created operational rule.
18 Select the Assign Device icon in the icon bar.
19 A confirmation window appears on the screen. In this window you may define if the device assignment will be activated according to the default schedule defined in the User Preferences. Click Yes, to activate the operational rule automatically.
20 The Select a Device popup window will appear on the screen.
21 Go to the All tab and select the master from the list.
22 The master will be added to the table in the right pane with a status of Assignment Waiting.
23 Follow the execution of the operational rule.

If you want to schedule the rule to execute at regular intervals, click No, and then see Option (a).


24 Once its status is Executed all data are uploaded.
25 To verify this go to the Events->Event Logs node of the master.
26 This node displays the list of all events registered by the event log models for the selected device or device group.
27 To display the printer events instead of the default software distribution events select Printer Monitor from the Model Name dropdown list.
28 Then click the Find button.
29 The table below will now display all events that were uploaded and continue to be uploaded. If you are monitoring a network printer, you may find some more print jobs in this list than those you printed before.

30 Now all data are uploaded and ready and the report may be generated.

Step 4: Generate a Print Monitor Report

The easiest and clearest way to monitor the printer activity is via reporting. The out-of-the-box objects include a report on printer monitoring which we will generate.

1 Go to the Reports node.
2 Select the Resource Monitoring folder and from its members the report called Printer Usage.
3 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
4 A confirmation window appears on the screen.
5 Click Yes to immediately generate the report.
6 Then select the Edit->View Last Result menu option or the respective icon in the icon bar.
7 A browser window opens on the screen requesting identification to the agent.
8 Enter admin as the login with no password.
9 The newly generated report is displayed in the window.

Page 216: Getting Started


10 Don't forget to return the Printer discovery delay value to 60 seconds after the exercise or switch the printer monitor off again if you are not starting to monitor right away.

9.1.2 File System

File System monitoring provides the administrator with information regarding the usage of directories and files on the local client. It is used to monitor the access of specific files, for example files which contain company sensitive data, and when and by whom these files are modified. It is recommended to monitor only directories which contain really sensitive data. Monitoring files that are modified very often, such as log files, may slow down the client considerably and will cause very heavy traffic on the network connections, and even loss of data may occur.

1 Configure File System Monitoring
2 Locally Monitor the File System Activity
3 File System Monitoring Results
4 Generate a File System Monitor Report

Step 1: Configure File System Monitoring

The first step before the file system activities on a device may be monitored is to activate and configure the module which, by default, is deactivated. Proceed as follows to do so:

1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->File System node.
2 The General tab displays the list of the configuration parameters of this module.
3 Highlight an entry in the table to the right.
4 Then either select the Edit->Properties menu item or the respective icon in the icon bar.
5 The Properties window appears on the screen.
6 Make the following modifications to the available parameters:

Page 217: Getting Started


• Check the Enable file system monitoring parameter.
• The Directories to monitor parameter specifies the comma separated list of monitored directories. We will only monitor one directory in which we will make the modifications, therefore enter c:\temp into this field.
• Check the Include sub-directories box to also monitor the subdirectories of the above listed directories.
• Check the Enable USB Drive Monitoring (Windows 2000 and later) box to also monitor the USB ports of the master.

7 Then click OK to confirm and close the window.
8 Printer monitoring is now activated on the master.
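The restrictions this guide gives for the Directories to monitor parameter (comma separated, paths not case sensitive, no root directories, no mounted network drives, frequently changing directories such as c:\Program Files not recommended) can be checked before the value is entered. The following Python sketch is an added example, not part of the Numara documentation or product; the function name, the `network_drives` argument (drive letters the caller knows to be mapped network drives) and the sample value are assumptions made for illustration.

```python
import ntpath


def check_monitored_directories(value, network_drives=(), include_subdirs=True,
                                high_churn=(r"c:\program files",)):
    """Check a comma separated 'Directories to monitor' value.

    Returns (accepted, findings); findings are (severity, entry, reason).
    network_drives: drive letters known to be mapped network drives. This is
    an assumption supplied by the caller, a path string alone cannot reveal it.
    """
    net = {d[0].lower() for d in network_drives if d}
    churn = [ntpath.normpath(p).lower() for p in high_churn]
    kept, findings = {}, []  # kept maps lower-cased path -> normalised path

    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        path = ntpath.normpath(entry)
        key = path.lower()  # the guide states that paths are not case sensitive
        drive, tail = ntpath.splitdrive(path)
        if drive.startswith("\\\\"):
            findings.append(("error", entry, "UNC path: network locations cannot be monitored"))
        elif len(drive) != 2 or not tail.startswith("\\"):
            findings.append(("error", entry, "not an absolute drive path"))
        elif tail == "\\":
            findings.append(("error", entry, "root directories cannot be monitored"))
        elif drive[0].lower() in net:
            findings.append(("error", entry, "mounted network drive cannot be monitored"))
        elif key in kept:
            findings.append(("warn", entry, "duplicate entry (paths are not case sensitive)"))
        else:
            if any(key == c or key.startswith(c + "\\") for c in churn):
                findings.append(("warn", entry, "frequently changing directory, not recommended"))
            kept[key] = path

    if include_subdirs:
        # With 'Include sub-directories' checked, a child of another entry is redundant.
        for key in list(kept):
            parent = next((p for p in kept if p != key and key.startswith(p + "\\")), None)
            if parent is not None:
                child = kept.pop(key)
                findings.append(("warn", child, "already covered by " + kept[parent]))

    return list(kept.values()), findings


# Constructed sample value for illustration.
SAMPLE = r"c:\temp, C:\TEMP\, c:\, \\fileserver\share\hr, z:\finance, c:\Program Files\App\logs, c:\temp\test"

if __name__ == "__main__":
    accepted, findings = check_monitored_directories(SAMPLE, network_drives=("Z:",))
    print("Value to enter:", ",".join(accepted))
    for severity, entry, reason in findings:
        print(f"{severity:5} {entry}: {reason}")
```

Entries reported as errors are left out of the accepted list; entries that are only not recommended stay in it so that the administrator can decide.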

Step 2: Locally Monitor the File System Activity

To be able to monitor this activity you need to create, edit or modify some folders/documents in the c:\temp folder and on the USB ports.

• Create a new folder called test in there, then create a file called test.txt in this folder. Enter some text, save and close it. Reopen the file, edit and save it again. Then delete first the file, then the directory.
• Connect a USB stick to one of the ports. Copy files from your hard disk to the key and vice versa.

Then proceed as follows to see the activity locally on the device:

1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->File System node.
2 Then select the Events tab.
3 It displays the list of all events logged by the device for the specified folders. Refresh the page if it is still empty.

Specified directories that do not exist on a device will be signalled in the log file. Note that it is not possible to monitor root directories such as c:\ or directories on mounted network drives. Also it is not recommended to select directories where many file changes take place, such as c:\Program Files. The paths are not case sensitive.

Page 218: Getting Started


4 The following information is displayed:
• Event Date: The date and time at which the file/folder was accessed.
• Connected User Name: The login name of the currently connected user which caused the event.
• Modify Type: The type of the action that was executed on the file/folder, possible values are Creation, Deletion, Modification or Renaming.
• File Name: The name of the file which was accessed with its whole directory path.
• New File Name: The new name if the file action was Renaming, otherwise the field is empty.
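To answer when and by whom a monitored file was changed, the events have to be followed across renames, since a renamed file appears under two names in the list. The following Python sketch is an added example, not part of the Numara documentation or product: it assumes the events are available as CSV rows whose columns carry the field names listed above, and the rows and the timestamp format are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows; the CSV layout and timestamp format are assumptions.
CONSTRUCTED_EXPORT = r"""Event Date,Connected User Name,Modify Type,File Name,New File Name
2010-03-02 09:14:05,jsmith,Creation,c:\temp\test\payroll.xls,
2010-03-02 09:15:40,jsmith,Modification,c:\temp\test\payroll.xls,
2010-03-02 09:20:11,akhan,Renaming,C:\Temp\Test\payroll.xls,c:\temp\test\notes.tmp
2010-03-02 09:21:02,akhan,Modification,c:\temp\test\notes.tmp,
2010-03-02 09:25:30,akhan,Deletion,c:\temp\test\notes.tmp,
2010-03-02 09:30:00,jsmith,Creation,c:\temp\test\payroll.xls,
2010-03-02 09:12:00,jsmith,Creation,c:\temp\test.txt,
"""


def load_events(text):
    """Parse the rows and return them in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["when"] = datetime.strptime(row["Event Date"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["when"])


def build_histories(events):
    """Group events into one history per file, following Renaming events.

    Paths are compared in lower case because the monitored paths are not case
    sensitive. A Deletion closes a history, so a later Creation under the same
    name starts a new one.
    """
    live, histories = {}, []  # live maps lower-cased current path -> history
    for ev in events:
        key = ev["File Name"].lower()
        hist = live.get(key)
        if hist is None:
            hist = {"names": [ev["File Name"]], "users": set(),
                    "actions": [], "state": "present"}
            histories.append(hist)
            live[key] = hist
        hist["users"].add(ev["Connected User Name"])
        hist["actions"].append((ev["when"], ev["Connected User Name"], ev["Modify Type"]))
        if ev["Modify Type"] == "Renaming" and ev["New File Name"]:
            del live[key]
            hist["names"].append(ev["New File Name"])
            live[ev["New File Name"].lower()] = hist
        elif ev["Modify Type"] == "Deletion":
            del live[key]
            hist["state"] = "deleted"
    return histories


def renamed_then_deleted(histories):
    """Files that were renamed and later deleted, with everyone who touched them.

    Reviewing Deletion events alone would show only the last name of such a file.
    """
    return [(h["names"][0], h["names"][-1], sorted(h["users"]))
            for h in histories
            if h["state"] == "deleted" and len(h["names"]) > 1]


if __name__ == "__main__":
    histories = build_histories(load_events(CONSTRUCTED_EXPORT))
    for h in histories:
        print(" -> ".join(h["names"]), "|", h["state"], "|", ", ".join(sorted(h["users"])))
        for when, user, action in h["actions"]:
            print("   ", when, user, action)
    print("Renamed, then deleted:", renamed_then_deleted(histories))
```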

Step 3: File System Monitoring Results

Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic and to view them in the console together with other data these events must be specifically uploaded to the master and its database. This is done via an operational rule. In this case, however, we will not create a new one but expand the rule we created for the printer monitoring upload:

1 Go to the Operational Rules->Upload Resource Management Events node in the left window pane.
2 Go to the Steps tab which already displays the step uploading the printer events.
3 Click the Add Step icon in the icon bar to add the first step.
4 The Select a Step popup window will appear on the screen.
5 It displays the list of available steps in its Available Steps box.
6 Double-click the Event Log Manager folder.
7 Select the step Upload Events again and click the Add button.
8 The Properties dialog box appears on the screen.
9 From the Model Name dropdown list select the File System Monitor value, which should be preselected, and leave all other fields as they are.
10 Then click OK to confirm the parameters and OK again to confirm the step modification.
11 The operational rule now contains the same step twice, each with a different parameter value.
12 As the operational rule was modified it must be reassigned to the target, i.e. the master, for its modifications to become effective.
13 Go to the Assigned Objects->Devices node in the left window pane under the operational rule.
14 Select the Edit->Reassign Operational Rule menu item or the respective icon in the icon bar.
15 The reassignment process of the operational rule will be launched immediately and it will be executed directly.
16 Once its status is Executed all data are uploaded.

By default these events are uploaded every 24 hours, i.e. at midnight.

Page 219: Getting Started


17 To verify this go to the Events->Event Logs node of the master.
18 This node displays the list of all events registered by the event log models for the selected device or device group.
19 To display the file system events instead of the default software distribution events select File System Monitor from the Model Name dropdown list.
20 Then click the Find button.
21 The table below will now display all events that were uploaded and continue to be uploaded.
22 Now all data are uploaded and ready and the report may be generated.

Step 4: Generate a File System Monitor Report

The easiest and clearest way to monitor the file system activity is via reporting. The out-of-the-box objects include a report on printer monitoring which we will generate.

1 Go to the Reports node.
2 Select the Resource Monitoring folder and from its members the report called File System Usage.
3 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
4 A confirmation window appears on the screen.
5 Click Yes to immediately generate the report.
6 Then select the Edit->View Last Result menu option or the respective icon in the icon bar.
7 A browser window opens on the screen requesting identification to the agent.
8 Enter admin as the login with no password.
9 The newly generated report is displayed in the window.

Page 220: Getting Started


9.1.3 Web History

The Web History monitoring provides the administrator with information regarding the use of the Internet and the web pages called by the remote client. Be aware that web monitoring is only applicable to the Microsoft Internet Explorer version 5.0 and later.

1 Configure Web Usage Monitoring
2 Monitor the Web Activity
3 Web Monitoring Results
4 Generate a Web Monitoring Report

Step 1: Configure Web Usage Monitoring

The first step before the web usage activities of a device may be monitored is to activate and configure the module which, by default, is deactivated. Proceed as follows to do so:

1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->Web History node.
2 The General tab displays the list of the configuration parameters of this module.
3 Highlight an entry in the table to the right.
4 Then either select the Edit->Properties menu item or the respective icon in the icon bar.
5 The Properties window appears on the screen.
6 Check the Enable web history monitoring parameter.

Page 221: Getting Started


7 Then click OK to confirm and close the window.
8 Printer monitoring is now activated on the master.

Step 2: Monitor the Web Activity

To be able to monitor this activity you need to open Internet Explorer now and access some web pages. Then proceed as follows to see the activity locally on the device:

1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->Web History node.
2 Then select the Events tab.
3 It displays the list of web sites that you just visited. Refresh the page if it is still empty.
4 The following information is displayed:
• Event Date: The date and time at which the web site was accessed.
• User Name: The name of the user which accessed the Internet, this may either be the SYSTEM, or the user currently logged on to the device.
• URL: The complete URL of the site that was accessed on the Internet.
• URL Visit Count: The number of times the site was accessed.
• Date: The date and time at which the site was last accessed.

Page 222: Getting Started


Step 3: Web Monitoring Results

Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic and to view them in the console together with other data these events must be specifically uploaded to the master and its database. Again, we will expand the rule we created for the printer monitoring upload:

1 Go to the Operational Rules->Upload Resource Management Events node in the left window pane.
2 Go to the Steps tab which already displays the step uploading the printer events.
3 Click the Add Step icon in the icon bar to add the first step.
4 The Select a Step popup window will appear on the screen.
5 It displays the list of available steps in its Available Steps box.
6 Double-click the Event Log Manager folder.
7 Select the step Upload Events again and click the Add button.
8 The Properties dialog box appears on the screen.
9 From the Model Name dropdown list select the Web History Monitor value and leave all other fields as they are.
10 Then click OK to confirm the parameters and OK again to confirm the step modification.
11 As the operational rule was modified it must be reassigned again to the target, i.e. the master, for its modifications to become effective.
12 Go to the Assigned Objects->Devices node in the left window pane under the operational rule.
13 Select the Edit->Reassign Operational Rule menu item or the respective icon in the icon bar.
14 The reassignment process of the operational rule will be launched immediately.
15 Once its status is Executed all data are uploaded.
16 To verify this go to the Events->Event Logs node of the master.
17 This node displays the list of all events registered by the event log models for the selected device or device group.
18 To display the web history events instead of the default software distribution events select Web History Monitor from the Model Name dropdown list.
19 Then click the Find button.
20 The table below will now display all events that were uploaded and continue to be uploaded.
21 Now all data are uploaded and ready and the report may be generated.

By default these events are uploaded every 24 hours, i.e. at midnight.

Page 223: Getting Started


Step 4: Generate a Web Monitoring Report

The easiest and clearest way to monitor the web activity is via reporting. The out-of-the-box objects include a report on web monitoring which we will generate.

1 Go to the Reports node.
2 Select the Resource Monitoring folder and from its members the report called Internet Usage.
3 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
4 A confirmation window appears on the screen.
5 Click Yes to immediately generate the report.
6 Then select the Edit->View Last Result menu option or the respective icon in the icon bar.
7 A browser window opens on the screen requesting identification to the agent.
8 Enter admin as the login with no password.
9 The newly generated report is displayed in the window.
10 The second graphic displays the list of web pages accessed in the form of a bar chart with labels. Depending on the length of the individual links the chart may be "moved" to the left, and thus be displayed incompletely. To rectify this you may modify the settings of this chart:

Page 224: Getting Started


11 Select the report in the left window pane and then go to its Subreports->Subreport 2 node.
12 There select the tab Format.
13 Select the line Chart Width and then the Edit->Properties menu item or the respective icon in the icon bar.
14 The Properties window appears on the screen with the value for Chart Width preselected.
15 Enter a larger value, the default value is 400, try with double the size as is the case for the example image above.
16 Then regenerate the report and display it again. Keep modifying this value until it is satisfactory.

9.2 Monitoring Options

The following paragraphs will provide you with a number of options that may be used to modify the resource monitoring functionality.

(a) Assign the Event Upload Rule with a Specific Schedule

By default the events are uploaded by the local agents to the master database once a day at midnight or at agent startup if the agent was not running at that time. The operational rule we created to have the events available directly for reporting was only executed once. To have this rule execute every day at 7 am to have the newest data ready for inspection or for a report generation proceed as follows:

1 At Point 19 (page 214) answer No.
2 After Step 3 point 6 proceed as follows:
3 Select the master in the table in the right window pane.
4 To define the schedule either double-click the table entry or select the Properties icon in the icon bar.
5 The Properties window will open on the screen.
6 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.
7 In the Execution Date box define when to run the inventory collection. In our example we will select the Next Startup radio button to launch the inventory when the agent is started next.
8 Then go to the Termination box below, click the Run Forever radio button.
9 Now select the Frequency tab.
10 Leave the By Schedule radio button checked.
11 In the By Schedule select the Day of the Week radio button.
12 The options in the panel below are available now.
13 Uncheck the options for Saturday and Sunday.
14 In the Period drop-down field select the value Once Only.

Page 225: Getting Started


15 In the field below select the time at which to execute the inventory collection, e.g., 07:00.
16 Click OK to confirm the new schedule and close the window.
17 The status will still display Update Paused, which means you need to activate the modified schedule.
18 Reselect the master in the table and then activate it by selecting the Activate Operational Rule icon in the icon bar.
19 The status will change to Update Waiting and then all other status values until it arrives at Updated, to indicate that the rule was updated on the device and is ready for execution again.

(b) AMP Database Cleaning

By default the data for persistent events is stored for 1 year (365 days) in the master database. You may configure your database to store the data for a different period of time or even to delete all currently existing entries. To do so proceed as follows:

1 Open the Global Settings->System Variables node in the console.
2 Select the Event Management tab.
3 This tab defines the default settings for the event logging functions of your system.
4 Select an entry in the table to the right.
5 Then click the Edit->Properties menu item or the respective icon in the icon bar.
6 The Properties window appears on the screen to define the following parameters:

• Maximum Events: This entry defines the maximum number of all events logged into the database. Once this number is reached and a new event is generated, the new event will replace the 'oldest' event currently logged in the database. The default value for this number is 10000.

Page 226: Getting Started


• TTL Persistent Events: Defines the maximum time in days that persistent events stay logged in the database. The default value is 365 days. To clear the database and delete all logged events enter 0.

7 Click OK to confirm and close the window.

(c) Cleaning the Local Database

The local agent database is cleaned via an operational rule which is to be sent to all devices whose database needs cleaning. Proceed as follows:

This rule is created and assigned via the Operational Rule Creation and Operational Rule Distribution wizards.

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1: Operational Rule

In this first step the operational rule to be created must be defined via its parameters.

1 Select the Operational Rules top node in the left window pane.
1 Enter Persistent Event Cleaning (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required for this rule.
3 Click the Next button to continue.

Step 2: Steps

Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this window we will select three times the same step. Each of these steps will delete all event entries in the local database for its specified event log model:

1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Event Log Manager and select the step Delete Events.

Page 227: Getting Started


4 Click the Add button to confirm.
5 The Properties dialog box appears on the screen.
6 Leave all preselected options checked and then click OK to add the step to the list and close the window.
7 Select the step Delete Events again.
8 Click the Add button to confirm.
9 The Properties dialog box appears on the screen.
10 This time select the value Printer Monitor from the Model Name dropdown list.
11 Click OK to add the step to the list.
12 Select the step Delete Events again.
13 Click the Add button to confirm.
14 The Properties dialog box appears on the screen.
15 This time select the value Web History Monitor from the Model Name dropdown list.
16 Click OK again to confirm the list of steps for the operational rule and close the window.
17 Now the event deletion is specified for all three resource monitoring models.
18 Click the Finish button to confirm the settings of the new operational rule.
19 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 3: Operational Rule

In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options:

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.

2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the master.

3 Leave all other options as they are.

Page 228: Getting Started


4 Click Next to continue.

Step 4: Assigned Devices

The operational rule is now created and must be assigned to the devices on which to execute, in our example the relay.

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created operational rule. The right window pane is empty since no devices have been assigned yet.

1 To do so select the Assign Device icon on top of the list field.
2 A confirmation window appears on the screen. Click Yes to automatically launch the rule.
3 The Select a Device popup window will appear on the screen.
4 Go to the All tab and select the relay.
5 Click OK to confirm and close the window.
6 The device will be added to the list in the table in the right pane with a status of Assignment Waiting, indicating that the order for the device assignment was created and is waiting to execute.
7 Click Next to continue.

Step 5: Schedule

The schedule of operational rules is defined via the Scheduler window which has three tabs with different scheduling options. We will execute the rule with the default schedule, therefore leave all preselections as they are and click the Finish button.

1 Once the assignment is done the status will change to Ready to run, to indicate that now the scheduling of the actual operational rule step is being executed.

2 The synchronisation between the master list and the list on the client is finished when the value in the Status field has changed to Executed.

The last option provided by the wizard is to go directly to one of the objects, i.e. the operational rule or the task, if one was created. For our example we will directly activate the rule and change the focus to it, therefore check the Go to Operational Rule box and click Yes to directly activate the rule.

Page 229: Getting Started

10 Application Management Step-by-Step

Application management provides administrators with visibility on installed applications and links them to the business cycle. It allows for the correlation of software inventory data between purchased software, installed software and used software.

The main objects of Application Management are:

• Application Catalogue: The Application Catalogue is a container for all applications which are to be managed on the devices of your infrastructure, that is to say they are to be either monitored for performance, restricted in their execution and/or defined for self-healing.

• Schedule Templates: A schedule template is a plan that defines the times via hourly time-slots at which the application usage may be denied or allowed or monitored. As its name indicates this is a template and may be assigned to and used by more than one application list.

• Application Lists: Application Lists are containers in which applications are collected that are managed in a specific way in your network, e.g. applications of which the usage is monitored for licensing reasons, applications that may not be executed on specific or all devices, etc. The following different types of application lists are available:
  • monitoring applications, i.e. monitor when, where and for how long applications are executing,
  • prohibiting applications, i.e. prohibit them from launching on specific devices, and
  • protecting applications, i.e. to provide applications with the possibility to heal themselves if they get corrupted in any way.

This chapter is divided into the following sections:

• Managed Application Examples
• Application Management Reporting
• Application Management Options

Prerequisites

To execute the examples provided in this chapter we assume that:

• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the NAMP console and its workings to execute some of the options in the second part of the chapter.

10.1 Managed Application Examples

This chapter will guide you through a number of examples with different options for each of the three types of managed applications. These examples will also introduce you to the different ways of creating these managed applications, i.e. the manual creation as well as the creation via the wizard. However, before applications may be monitored, prohibited or protected, they should be declared as managed applications by being added to the Application Catalogue. This procedure is the same for all three types of management.

Page 230: Getting Started


Step 1: Define an Application for Application Management

Applications may be defined as managed applications in a number of ways from different locations in the console. For our first step we select the easiest method, i.e. adding the application from the Software Inventory to the Application Catalogue.

1 Go to the Device Topology node and find the device which contains all the software applications you want to declare as defined applications, for example the master server.
2 Select the device’s Inventory->Software Inventory->Applications node.
3 Find in the table in the right window pane the software application to be managed, for example Adobe Reader, and select it. Make sure not to select an application of type Add/Remove Program or MSI, these types may be added to the application catalogue but they may not be managed as vital information is missing.
4 Then either select the Edit->Add as Managed Application menu item or the respective icon in the icon bar.
5 A confirmation window appears on the screen.
6 In this window you may define the folder into which the application is to be added. By default it will be added directly under the main Application Catalogue node as we will do now.

7 Click the OK button to confirm and to close the window.

For information on how to add a software from the Direct Access to the Application Catalogue see Option (a).

For information on how to add a software as a user defined application to the Application Catalogue node see Option (c).

For information on how to add a software directly from a device or device group to the Application Catalogue node see Option (d).

Only applications which contain all required information to be managed can be added. If an application listed in the software inventory does not provide all necessary information, this option will not be available.

To add the application to another folder that may or may not yet exist see Option (f) now.

Page 231: Getting Started


8 An Information window will now appear in which you may also directly add the selected application to an existing application list. Click No to only add the application to the Application Catalogue as we have not yet created an application list.

9 The selected application will directly be added to the list under the Application Management->Application Catalogue node.

10 Go now to the Application Catalogue node and you will find an entry for Adobe Reader in the list. If this is not the case yet refresh the view.

11 Repeat steps 3 and 4 for some more applications for the examples to follow, e.g. add Chilli Interpreter, and the Pinball game to the list.

10.1.1 Application Lists

Application lists group a number of applications that are to be managed in a specific way on some or all devices in your network. An application list may only manage its members in one specific way, i.e. its members may either be monitored, prohibited or protected but not all at the same time.

The following paragraphs will provide one example each for all three different types of application management:

• Monitoring Adobe Reader
• Prohibit Pinball
• Protect Chilli Interpreter

Application 1: Monitoring Adobe Reader

A monitored application enables customers to query the actual usage of applications on the managed devices. In this node you may define the applications which are to be monitored and on which clients in your network. The actual monitoring will be done by the local agent according to the definitions set up in the respective Monitored Application Model. The agent stores the logged data, the date and time the application was started and ended as well as the duration of the usage, in the local database and uploads these periodically to the master database.

This part of the chapter guides you step-by-step through the procedure of creating the application list manually, adding the Adobe Reader software as a member to be monitored and how to interpret the results.

Monitoring Adobe Reader consists of the following steps:

Page 232: Getting Started


1 Define an Application for Application Management (as explained under chapter Step 1: above)
2 Create a Monitored Application List with Adobe Reader as a Member
3 Assign Adobe Reader to the Target Device
4 Monitor Adobe Reader Execution

Step 2: Create a Monitored Application List with Adobe Reader as a Member

To create an application list and add Adobe Reader as a member to be monitored proceed as follows:

5 Select the Application Lists node.
6 Select the Edit->Create Application List menu item or the respective icon in the icon bar.
7 The Properties dialog box appears on the screen.
8 Enter the name into the respective field, e.g. Monitoring Adobe Reader.
9 The required type of the application list, Monitored Application, is already preselected.
10 Click the OK button at the bottom of the window to confirm the data for the new application list.
11 Now double-click the newly created list and select the Applications tab in the right window pane.
12 Here we now need to add the application(s) to be monitored. This may be done in a number of different ways, but, as we have already added our application to the catalogue, we will add it here from the Application Catalogue.
13 Select the Edit->Add an Application from the Catalogue menu item or the respective icon in the icon bar.
14 The Add an Application from the Catalogue dialog box appears on the screen providing the list of applications.
15 Select the Adobe Reader in the list.
16 Click the OK button at the bottom of the window to confirm and to close the window.
17 Adobe Reader is now defined as an application which will be monitored.

Step 3: Assign Adobe Reader to the Target Device

For an application to be monitored, it must also be defined on which device it is to be monitored. To do so it must be assigned to this device:

1 Click the Assigned Objects, then Devices node in the left window pane under the Monitoring Adobe Reader entry. The right window pane is empty since no devices have been assigned yet.
2 To do so select the Assign Device icon in the icon bar.

To add the application from the software inventory see Option (b) now.

To add the application as a user defined application see Option (c) now.

To add the application directly from a device or device group see Option (d) now.

3 A pop-up window appears on the screen in which you can define if the device assignment will be automatically activated with the default schedule. If you select No here, the object must be specifically activated afterwards, therefore click Yes.

4 The Assign to Device popup window will appear on the screen.
5 Go to the All tab and select the master from the list.

6 The master will be added to the table in the right pane with a status of Assignment Waiting and change to Assigned as soon as the local agent has received the assignment order.

7 From now on, every time Adobe Reader is used on the local device an event will be logged after the application was closed or has been running for more than 24 hours.

Step 4: Monitor Adobe Reader Execution

Numara Asset Management Platform provides two locations at which the actual monitoring of applications may be done:

• under the Agent Configuration of the respective device,
• under the Event Logs subnode of the All Events node of the device, for our example the master.

To see how the monitoring works, open and close the Adobe Reader application a number of times before you execute the following procedure. Leave the reader open at the end.

1 Open the Device Topology->master->Agent Configuration->Module Configuration->Managed Applications node.

If you select No here to not automatically activate the new application list, see Option (g) on how to activate it later manually.

To create and assign a monitoring schedule to the monitored application list see Option (h) now.

To view the monitored application events under this node or in a report see paragraph Upload Application Management Events to Master Database in the reporting section of this chapter.

2 Select the List tab. It displays all applications that have been selected for managing on the local client, monitored as well as prohibited applications. For the moment you will only see the Adobe Reader entry.

3 Now go to the Monitored Application Usage Details tab.
4 This table displays the details on the monitoring of Adobe Reader. You will see that there are as many entries in the table as the number of times you have opened and closed the application. The last opening is not yet counted, as the application has neither been closed nor been open for more than 24 hours.
5 Close Acrobat now.
6 Refresh the view.
7 Another entry will have been added to the list.
8 In these entries you can see, amongst others, when the event regarding the monitored application was logged (Event Date), when the application was launched (Start Time) and when it was closed (End Time), the total time the application was used (Duration, provided in seconds), as well as the name of the user who was connected at the time and his domain.

Application 2: Prohibit Pinball

A prohibited application list allows the administrator to disable the launching of specific applications on a managed device using the criteria defined through the Prohibited Application Model. It allows the denial of certain application launches, on online as well as off-line devices. Renamed executables and applications will be accurately identified regardless of whether they are run from remote shares and/or removable devices. The agent stores data regarding these applications, the date and time the application was found starting, in the local database and uploads these periodically to the master database. When a prohibited application is started at the remote client, the NAMP agent will immediately stop its execution and may, depending on the module settings, display a warning message window including the name and version of the application. If another application is stopped while the message window is still present, the name and version of the newly stopped application will be added to the existing window.

This part of the chapter guides you step-by-step through the procedure of defining an application, the Pinball game, as an application prohibited from execution during working hours via the wizard and explains how to interpret the results.

Prohibiting Pinball via the wizard consists of the following steps:

1 Define an Application for Application Management (as explained under chapter Step 1: above)
2 Application Management Wizard
3 Monitor Pinball Execution

Step 2: Application Management Wizard

Prohibiting the execution of Pinball consists of several steps that may all be executed directly within the Application Management Wizard.

Proceed as follows:

1 Select the Application Lists node in the left window pane.
2 Select the Wizards->Application Management menu item or the respective icon in the icon bar.
3 The Application Management Wizard appears on the screen.
4 In this window you can see all steps of this wizard in the left window pane, the currently selected step is highlighted in bold, all steps which are not applicable to the selections will be greyed out. For our example this concerns the schedule steps, as no schedule can be assigned to protected applications, they are protected at all times.

Step 2a: Application List

In this first wizard step the application list must be created by defining the following parameters:

1 Enter the name into the respective field, e.g. Prohibiting Pinball.
2 From the dropdown list of the Type field select the Prohibited Application option.

3 Click the Next button at the bottom of the window to continue with the next step.

Step 2b: Applications

In the Applications window you need to select all the application(s) to be protected. This may be done in a number of different ways, but, as we have already added our application to the catalogue, we will add it here from the Application Catalogue.

To create the new application list in a specific folder see Option (f) now.

To add the application from the software inventory see Option (b) now.

To add the application as a user defined application see Option (c) now.

To add the application directly from a device or device group see Option (d) now.

1 Select the Edit->Add an Application from the Catalogue menu item or the respective icon in the icon bar.
2 The Add an Application from the Catalogue dialog box appears on the screen providing the list of applications.
3 Select the Pinball application in the list displayed in the window.
4 Click the OK button at the bottom of the window to confirm and to close the window.

5 Pinball is now defined as an application which will be prohibited from execution and displayed as such in the list field.

6 Click the Next button at the bottom of the window to continue with the next step.

Step 2c: Schedule Template

Numara Asset Management Platform provides you with the possibility to define the times at which an application may be used or is forbidden. This is done via a Schedule Template, a plan that defines the time-slots in which the applications in the assigned application list are managed according to their specified type. As the name indicates, this is a template that, once created here, may be assigned to and used by more than one list. For our example we will create a new template, as none exists yet. Proceed as explained below:

1 Check the Create a new schedule template option.
2 Click the Next button at the bottom of the window to continue.

Step 2d: Schedule Template Configuration

In this window the new schedule template must be configured:

1 Enter the name into the respective field, e.g. No Working Hours. For prohibited applications this indicates that they cannot be launched during working hours; for monitoring this would mean that no application monitoring is done during the working hours.
2 The current planning displayed in the field below prohibits the execution at all times, indicated by red crosses in all fields.
3 To allow the execution for non-working hours mark the fields Mon-Fri 5:00-7:59 by clicking the first field (Mon 5:00) and dragging the mouse to the last field (Fri 7:00).
4 Then choose the Allow Time-slot icon to allow the application to execute in this time range.
5 The red x icon will change to the green check to indicate allow.
6 Repeat points 3 and 4 for the timeslots Mon-Fri 12:00-13:59 and Mon-Fri 18:00-20:59.
7 Click the Next button at the bottom of the window to continue.

To create the new schedule template in a specific folder see Option (f) now.

Step 2e: Assigned Devices

For an application to be prohibited, it must also be defined on which device it is to be prohibited, which is done in the last wizard window.

1 To do so select the Add Device icon on top of the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the master from the list.
4 Click OK to confirm and close the window.
5 The master will be added to the list of assigned devices in the list field.

Step 2f: Object Selection

The last option provided by the wizard is to go directly to the application list and to activate it. For our example we will not change the focus but activate the list. Therefore click Yes, to immediately activate the application list.

The new prohibited application list is now added to the list of applications.

Step 3: Monitor Pinball Execution

Numara Asset Management Platform provides two locations at which the actual monitoring of prohibited applications may be done:

• under the Agent Configuration of the respective device, or
• under the Event Logs subnode of the All Events node of the device, for our example the master.

To activate the prohibited application list later on if you select No here, see Option (g) now.

1 Open the Device Topology->master->Agent Configuration->Module Configuration->Managed Applications node.

2 Select the List tab. It displays all applications that have been selected for managing on the local client, monitored as well as prohibited applications. Here you will see now the monitored application Adobe Reader as well as the new prohibited Pinball. If this is not the case refresh the view.
3 Launch Pinball.
4 An Information window will appear on the screen telling you that Pinball was prohibited from execution. Click Ok to close the message box.
5 Now go to the Prohibited Application Usage Details tab.
6 This table displays the details on the monitoring of Pinball execution.
7 Here you will see that there is an entry in the table. If this is not the case refresh the view.

To view the prohibited application events under this node or in a report see paragraph Upload Application Management Events to Master Database in the reporting section of this chapter.

If Pinball is started instead of displaying the message you may be in one of the timeframes in which the execution is allowed, e.g. it might be lunch time.

8 Such an entry or event will be generated each time an attempt is made to start Pinball. In this entry you can see, amongst others, when the event regarding the prohibited application was logged (Event Date) and when the application was launched (Detection Time), as well as the name of the user who was connected at the time and his domain.

Application 3: Protect Chilli Interpreter

The Selfhealing feature of Numara Asset Management Platform is based on a list of selfhealing applications. Each protected application has a definition that contains all the information necessary to protect that application, that is, the list of files which are part of the application, the date and time the file was found belonging to the application as well as its size and checksum at that time. All this information is gathered by the local agent and stored in its database. The agent will then check the file time and size at regular intervals, currently set to 5 minutes. If the time and/or size of the file has changed the agent will then verify the checksum. If all three values have changed the agent will recover a copy of the original file either from a backup located on the local device or from a copy by another agent with the same file protection scheme.
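The check sequence described above, sketched as an added example that is not Numara's code: a cheap time/size comparison first, a checksum only when that differs, then recovery from a local backup with a fix event carrying the Event Date, Fixing Time and Fixed File fields. SHA-256, the local backup folder, the function names and the result labels are assumptions; the sketch restores whenever the checksum differs or the file is missing, and verifies the backup before copying it back.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Checksum of a file (SHA-256 is an assumption; the manual names no algorithm)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class Baseline:
    """What the agent records for one protected file."""
    path: Path
    backup: Path
    mtime_ns: int
    size: int
    checksum: str


def protect(path: Path, backup_dir: Path) -> Baseline:
    """Record time, size and checksum of the file and keep a local backup copy."""
    backup = backup_dir / path.name
    shutil.copy2(path, backup)
    st = path.stat()
    return Baseline(path, backup, st.st_mtime_ns, st.st_size, sha256_of(path))


def check_and_heal(b: Baseline, events: list) -> str:
    """One periodic check: time/size first, checksum only if those differ."""
    try:
        st = b.path.stat()
    except FileNotFoundError:
        st = None  # a deleted file counts as changed
    if st is not None and (st.st_mtime_ns, st.st_size) == (b.mtime_ns, b.size):
        return "unchanged"
    if st is not None and sha256_of(b.path) == b.checksum:
        b.mtime_ns = st.st_mtime_ns  # only the timestamp moved, content intact
        return "metadata-only"
    # Never restore from a backup that no longer matches the recorded checksum.
    if not b.backup.is_file() or sha256_of(b.backup) != b.checksum:
        return "backup-invalid"
    shutil.copy2(b.backup, b.path)
    st = b.path.stat()
    b.mtime_ns, b.size = st.st_mtime_ns, st.st_size
    now = datetime.now(timezone.utc).isoformat()
    events.append({"Event Date": now, "Fixing Time": now, "Fixed File": str(b.path)})
    return "restored"


def demo():
    """Run the check against a constructed stand-in for chilli.exe."""
    original = b"constructed sample bytes standing in for chilli.exe"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "backup").mkdir()
        exe = root / "bin" / "chilli.exe"
        exe.write_bytes(original)
        baseline = protect(exe, root / "backup")
        events, results = [], []
        results.append(check_and_heal(baseline, events))   # nothing happened
        st = exe.stat()
        os.utime(exe, ns=(st.st_atime_ns, st.st_mtime_ns + 5_000_000_000))
        results.append(check_and_heal(baseline, events))   # touched only
        exe.write_bytes(b"corrupted")
        results.append(check_and_heal(baseline, events))   # content changed
        exe.unlink()
        results.append(check_and_heal(baseline, events))   # file deleted
        healed = exe.read_bytes() == original
        baseline.backup.write_bytes(b"tampered backup")
        exe.write_bytes(b"corrupted again")
        results.append(check_and_heal(baseline, events))   # backup unusable
    return results, events, healed


if __name__ == "__main__":
    print(demo())
```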

This part of the chapter guides you step-by-step through the procedure of defining an application, the Chilli programming language, as a protected application via the wizard and how to interpret the results.

Protecting Chilli Interpreter consists of the following steps:

1 Define an Application for Application Management (as explained under chapter Step 1: above)
2 Create a Protected Application List and Assign it to the Target via the Application Management Wizard
3 Monitor Chilli Interpreter Selfhealing

Step 2: Create a Protected Application List and Assign it to the Target via the Application Management Wizard

To create an application list and add Chilli Interpreter as a member to be protected, i.e. defined as selfhealing in case of file corruption, proceed as follows:

1 Select the Application Lists node in the left window pane.
2 Select the Wizards->Application Management menu item or the respective icon in the icon bar.
3 The Application Management Wizard window appears on the screen with its first window, Application List.
4 In this window you can see all steps of this wizard in the left window pane, the currently selected step is highlighted in bold, all steps which are not applicable to the selections will be greyed out. For our example this concerns the schedule steps, as no schedule can be assigned to protected applications, they are protected at all times.

Step 2a: Application List

1 Enter the name into the respective field, e.g. Protecting Chilli Interpreter.
2 From the dropdown list of the Type field select the Protected Application option.

Make sure to deactivate the selfhealing option for any protected application before updating or upgrading it, as these modifications will also be seen as ’destructive’. After you have made any necessary modifications to the software you can reactivate the selfhealing process for the respective software again.

3 Click the Next button at the bottom of the window to continue to the next window.

Step 2b: Applications

In the Applications window you need to select all the application(s) to be protected. This may be done in a number of different ways, but, as we have already added our application to the catalogue, we will add it here from the Application Catalogue.

1 Select the Add an Application from the Catalogue icon above the list field.
2 The Add an Application from the Catalogue dialog box appears on the screen providing the list of applications.
3 Select Chilli Interpreter.
4 Click the OK button at the bottom of the window to confirm the new protected application.
5 The application is now added to the list and appears in the list window.

To add the application from the software inventory see Option (b) now.

To add the application as a user defined application see Option (c) now.

To add the application directly from a device or device group see Option (d) now.

You can see here that a number of attributes may be defined for protected applications. To do so, refer to Option (i) now.

6 Click the Next button at the bottom of the window to continue.

Step 2c: Assigned Devices

For an application to be protected, it must also be defined on which device it is to be protected. To do so it must be assigned to this device:

1 To do so select the Add Device icon on top of the list field.
2 Then click the OK button to confirm and close the window.
3 The master will be added to the table in the right pane.
4 All options of the protected application list are now defined, so click the Finish button to confirm.
5 The last option provided by the wizard is to directly activate the newly created application list and to go directly to it. Click Yes, to immediately activate the application list without changing the focus.

Refer to Option (g) to only create and then manually activate the created application list later.

Step 3: Monitor Chilli Interpreter Selfhealing

Numara Asset Management Platform provides two locations at which the actual monitoring of application selfhealing may be viewed:

• under the Agent Configuration/Selfhealing of the respective device, or
• under the Event Logs subnode of the All Events node of the device, for our example the master.

Once the selfhealing process is activated you may do the following to verify how it works:

1 Open the Windows Explorer.
2 Go to the Chilli Interpreter installation directory and its bin folder (C:\Program Files\Numara Software\Numara Asset Management Platform\Master\bin).
3 Select the chilli.exe file and delete it.
4 Now wait at least 30 seconds, or press F5 or click the refresh button. 30 seconds is the default timer for the selfhealing check.
5 The deleted file should be restored to the directory.

Selfhealing Events

1 Open the Device Topology->Master->Agent Configuration->Module Configuration->Selfhealing node.
2 Select the List tab. It displays all applications that have been selected for managing on the local client, monitored as well as prohibited applications. Here you will see now the protected application Chilli Interpreter. If this is not the case refresh the view.
3 Now go to the Protected Application Fix Details tab.
4 This table displays the details on the fixing of Chilli Interpreter.

To view the selfhealing events under this node or in a report see paragraph Upload Application Management Events to Master Database in the reporting section of this chapter.

Be aware that for most cases this only protects the directory in which the executable file of the software is found, in most cases the \bin directory.

5 Such an entry or event will be generated each time Chilli Interpreter is repaired. In this entry you can see amongst others when the event regarding the protected application was logged (Event Date), the date and time at which the application was fixed (Fixing Time), which file was fixed (Fixed File), as well as the name of the user who was connected at the time and his domain.

10.2 Application Management Reporting

Up to now the event data regarding application management are only available locally on the agent. However, to be able to generate reports on this topic and to view them in the console together with other data these events must be specifically uploaded to the master and its database. Once data is available on application management, you may generate different reports to summarise the general situation or detail specific events. The following chapter will guide you through some of these possibilities. The general information on reports you will find in the Reporting chapter earlier in this manual. You may also create your own style-based reports as explained in the Report chapter earlier in this manual.

Step 1: Upload Application Management Events to Master Database

The event data of all types of application management may be uploaded to the master database via an operational rule. The operational rule will contain three steps, i.e. one step per application event type to be uploaded.

1 Go to the Operational Rules top node in the left window pane.
2 Click on the Create Operational Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Application Management Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the operational rule.
7 To configure all the steps it is to contain go to the next tab, the Steps tab.
8 Click the Add Step icon in the icon bar to add the first step.
9 The Select a Step popup window will appear on the screen.
10 It displays the list of available steps in its Available Steps box.

By default these events are configured to be uploaded every 24 hours, i.e. at midnight. If the agent is not running at this time the events will be uploaded at agent startup.

11 Double-click the Event Log Manager folder.
12 Select the step Upload Events and click the Add button.
13 The Properties dialog box appears on the screen.
14 From the Model Name dropdown list select the Monitored Applications value and leave all other fields as they are.
15 Then click OK to confirm the parameters.
16 Reselect the step Upload Events and click the Add button.
17 The Properties dialog box appears on the screen.
18 From the Model Name dropdown list select the Protected Application value and leave all other fields as they are.
19 Then click OK to confirm the parameters.
20 Reselect the step Upload Events again and click the Add button.
21 The Properties dialog box appears on the screen.
22 From the Model Name dropdown list select this time the Prohibited Application value.
23 Then click OK to confirm the parameters and OK again to confirm the new step.
24 The operational rule is now configured and must be assigned to the target, i.e. all devices, since we executed software installations on the master as well as the clients.
25 Go to the Assigned Objects->Devices node in the left window pane under your newly created operational rule.
26 Select the Assign Device icon in the icon bar.
27 A confirmation window appears on the screen. In this window you may define if the device group assignment will be activated according to the default schedule defined in the User Preferences. Click Yes, to activate the operational rule automatically.
28 The Select a Device popup window will appear on the screen.
29 Select the All button to the left.
30 Select the master from the list.

31 The master will be added to the table in the right pane with a status of Assignment Waiting.
32 Once its status is Executed all data are uploaded.
33 To verify this go to the All Events->Event Logs node of the master.
34 This node displays the list of all events registered by the event log models for the selected device.
35 Select the Monitored Applications value from the dropdown list of the Model Name field.
36 Click the Find button.
37 The table below will now display all application management events of type monitoring that were uploaded.
38 Check the events for prohibited and protected applications as well.
39 Now all data are uploaded and ready and the report may be generated.

Step 2: Generate Reports

The Numara Asset Management Platform provides a number of predefined reports for the application management with its out-of-the-box objects, style-based reports as well as template-based ones. They are all collected in the Application Usage folder. Proceed as follows to generate a report:

Report 1: Prohibited Application Usage by Day of the Week

This report is a style-based report, already created via the out-of-the-box objects and ready to be generated. Proceed as follows:

1 Open the Reports->Application Usage folder in the left window pane.
2 Select a report, for example Prohibited Application Usage by Day of the Week.
3 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
4 A confirmation window appears on the screen, click the OK button to confirm.
5 The report will be created immediately using the current data of the database.
6 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
7 A login window appears on the screen. Enter admin and no password.
8 A new browser window or tab opens and displays the report.

This report has two subreports each displaying a bar chart, the first for the number of times an application was started and the second for the average amount of time the application was running on the devices.

Report 2: Monitored Application Summary by Application Lists

One report per template-based report is also already created via the out-of-the-box objects, ready to be assigned to a target and to be generated. Proceed as follows:

1 Open the Reports->Application Usage folder in the left window pane.
2 Select the report Monitored Application Summary by Application Lists.
3 Go to its Assigned Objects->Device Groups node.
4 Either choose the Edit->Assign Device Group menu item or click the respective icon in the icon bar.
5 The Assign to Device Group popup window will appear on the screen.
6 Select the All Devices group from the window.
7 Click OK to confirm the assignment and close the window.
8 The device group will be added to the table of assigned device groups.
9 Then go back to the Monitored Application Summary by Application Lists report node in the left window pane.

To restrict the data processed for this report to a certain time range see Option (k) now.

10 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
11 A confirmation window appears on the screen, click the OK button to confirm.
12 The report will be created immediately using the current data of the database.
13 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
14 A login window appears on the screen. Enter admin and no password.
15 A new browser window or tab opens and displays the report.

10.3 Application Management Options

The following paragraphs will provide you with a number of options that may be used to modify the application of managed software programs.

(a) Define Managed Applications from Direct Access

To define an application as user defined and make it available for application management proceed as follows. Be aware, that an application which does not provide all information required for a managed application cannot be added as such, in this case the menu option will not be accessible.

1 Open the Device Topology->master->Direct Access->File System node.
2 In the right window pane go down into the hierarchy to the storage location of your software applications, in general Program Files and go to the Adobe Adobe Reader installation directory and select the executable file (AcroRd32.exe).

3 Select the Edit->Add User Defined Application menu item or the respective icon in the icon bar.
4 The Add User Defined Application dialog box appears on the screen.
5 It provides all the data it can find on the selected executable.
6 Click the OK button at the bottom of the window.
7 A confirmation window appears on the screen.
8 In this window you may define the folder into which the application is to be added. By default it will be added directly under the main Application Catalogue node. To add it to another folder click the icon to the right of the field (...). The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create new folders. To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy. The Properties dialog box appears on the screen. Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new application list folder. Select the target folder and click the OK button to confirm and to close the window.

9 An Information window will now appear in which you may also directly add the selected application to an existing application list. Click Yes to do so, No to only add the application to the Application Catalogue.

10 If you selected Yes the Assign an Application List dialog box appears on the screen providing the list of existing application lists.

11 Select the desired application list from one of the lists available in the window.
12 Click the OK button at the bottom of the window to confirm.
13 If the application list is already assigned to a device or group a Confirmation window appears in which you may define to directly reactivate the application list for its assigned objects.
14 The Adobe Reader application will now be automatically added to the list of applications.

(b) Add from Software Inventory

Applications may be added to the list of managed applications via the list of installed software generated by the software inventory. Software applications which do not provide all information required for a managed application will in this case not appear in the list here. To add an application to the list of managed applications from the general software inventory list under the Application Management node proceed as follows:

1 Open the Application Management->Application Catalogue node in the left window pane.
2 Select the Edit->Add from Software Inventory menu item or the respective icon in the icon bar.

If you are in the wizard, proceed as follows:

2 Select the Add from Software Inventory icon on top of the list field.

Then the procedure continues for both locations as follows:

3 The Add Applications from Software Inventory window appears on the screen. This window displays the filtered list of applications found in the software inventory that may be used for the managing of applications, i.e., those of type Application or Browser.

4 Find the Acrobat Distiller application, for example, and select it.

5 Click OK at the bottom of the window to directly add the selected software.

(c) Add User Defined Application

To add a user defined application to the list of managed applications from directly under the Application Management node proceed as follows:

1 Open the Application Management->Application Catalogue node in the left window pane.
2 Select the Edit->Add User Defined Application menu item or the respective icon in the icon bar.
3 The Add User Defined Application dialog box appears on the screen.
4 Enter the following data into the respective fields:

Name: Adobe Reader 8
Version: 8.1.0.2007051100
File Name: AcroRd32.exe

5 Click the OK button at the bottom of the window to confirm the data for the new managed application.

Make very sure that you enter the name and version number exactly as it was found under the Software Inventory, otherwise the application will be added to the list of managed applications, but neither monitoring, prohibiting nor protecting it will work.

(d) Add Application from Device

To add an application via an executable file of a specific device proceed as described below. Be aware that an application which does not provide all information required for a managed application cannot be added as such; in this case the following menu option will not be accessible.

1 Select the Edit->Add Application from Device menu item or the respective icon in the icon bar.

If you are in the wizard, proceed as follows:

1 Select the Add from Software Inventory icon on top of the list field.

Then the procedure continues for both locations as follows:

2 The Select a Device window opens on the screen.
3 Select from one of the proposed lists the device on which the desired executable file is located. Be aware that you must provide access rights to this device if you have not yet done so via another of the console's functionalities.
4 Click the OK button at the bottom of the window to confirm the device.
5 Now the Select Executable File window appears on the screen displaying the directory structure of the selected device.
6 Find the executable file in the hierarchy and select it, then click the OK button.
7 The Add User Defined Application window appears on the screen.
8 It provides all the data it can find on the selected executable apart from a name, and provides the following fields:

Name
Define a name for the new managed application, such as My Word Processing Application.

Version
The version number found for this application. If the field is empty the application has no version. You may enter/modify here the version number using wildcard characters * and ? to include for example all minor versions of a software, e.g. 7.* for all different flavours of version 7. If the field is empty the version attribute is ignored and all versions of the executable are included.

File Name
The name of the executable file of the application. This value is not editable.

File Checksum
This field contains the checksum of the executable file. It may be removed to not limit the matching criteria to a very specific file version.

File Size
Displays the size of the application. This value may also be removed to not limit the matching criteria to a very specific file version.

9 Click the OK button at the bottom of the window to confirm.
10 A confirmation window appears on the screen if the selected application does not yet exist in the application catalogue to which it will automatically be added as well.
11 In this window you may define the folder into which the application is to be added. By default it will be added directly under the main Application Catalogue node. To add it to another folder click the icon to the right of the field (...). The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create new folders. To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy. The Properties dialog box appears on the screen. Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new application list folder. Select the target folder and click the OK button to confirm and to close the window.
12 If you are not in the wizard and the application list is already assigned to a device or group, another Confirmation window appears in which you may choose to directly reactivate the application list for its assigned objects.
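How the Version, File Checksum and File Size fields widen or narrow what a managed application matches, shown as an added example (not Numara's code). It assumes every non-empty field must match and that * and ? are the only wildcards; all class and function names, and every inventory entry except the Adobe Reader 8 version string, are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class InventoryEntry:
    """One executable as reported by a device (constructed sample data)."""
    device: str
    file_name: str
    version: str
    checksum: str
    size: int


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a version pattern: * is any run of characters, ? is one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


@dataclass(frozen=True)
class ManagedApplication:
    """Matching criteria of a managed application; empty fields are ignored."""
    name: str
    file_name: str
    version: str = ""               # empty: all versions are included
    checksum: Optional[str] = None  # None: field removed in the dialog
    size: Optional[int] = None      # None: field removed in the dialog

    def matches(self, entry: InventoryEntry) -> bool:
        # Windows file names compare case-insensitively.
        if entry.file_name.lower() != self.file_name.lower():
            return False
        if self.version and not wildcard_to_regex(self.version).fullmatch(entry.version):
            return False
        if self.checksum is not None and entry.checksum.lower() != self.checksum.lower():
            return False
        if self.size is not None and entry.size != self.size:
            return False
        return True


def matching_devices(app: ManagedApplication, inventory: List[InventoryEntry]) -> List[str]:
    """Devices on which the application would be monitored, prohibited or protected."""
    return sorted(e.device for e in inventory if app.matches(e))


# Constructed inventory: checksums, sizes and the 7.x / 70.x versions are made up.
INVENTORY = [
    InventoryEntry("PC-01", "AcroRd32.exe", "8.1.0.2007051100", "a1b2c3d4", 344064),
    InventoryEntry("PC-02", "AcroRd32.exe", "7.0.8.2006051600", "0f9e8d7c", 286720),
    InventoryEntry("PC-03", "acrord32.exe", "7.1.0.2008010800", "55aa55aa", 290816),
    InventoryEntry("PC-04", "AcroRd32.exe", "70.2.0.0", "deadbeef", 512000),
    InventoryEntry("PC-05", "AcroRd32.exe", "", "12345678", 1024),  # no version resource
]

if __name__ == "__main__":
    criteria = [
        # All fields kept: pinned to one exact build.
        ManagedApplication("Adobe Reader 8", "AcroRd32.exe", "8.1.0.2007051100", "a1b2c3d4", 344064),
        # Checksum and size removed, wildcard version: every 7.x build.
        ManagedApplication("Adobe Reader 7", "AcroRd32.exe", "7.*"),
        # Missing dot: also catches the unrelated 70.x build.
        ManagedApplication("Adobe Reader 7 (too broad)", "AcroRd32.exe", "7*"),
        # Empty version: anything called AcroRd32.exe, including the unversioned file.
        ManagedApplication("Any AcroRd32.exe", "AcroRd32.exe"),
    ]
    for app in criteria:
        print(f"{app.name:28} -> {matching_devices(app, INVENTORY)}")
```

A prohibited-application entry pinned by checksum stops matching as soon as the executable is updated, while an entry with an empty version matches any file carrying that name, so the choice of fields is a trade-off between coverage and precision.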


(e) Add an Application to an Application Catalogue Folder

When adding an application to an application catalogue folder from both the software inventory as well as the direct access nodes, it is possible to directly put the new application in a specific folder. To do so proceed as follows for both options:

1 After having selected and confirmed the application to add click the OK button at the bottom of the window.
2 A confirmation window appears on the screen.
3 In this window you may define the folder into which the application is to be added. By default it will be added directly under the main Application Catalogue node. To add it to another folder click the icon to the right of the field (...). The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create new folders. To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy. The Properties dialog box appears on the screen. Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new application list folder. Select the target folder and click the OK button to confirm and to close the window.

4 An Information window will now appear in which you may also directly add the selected application to an existing application list. Click Yes to do so, No to only add the application to the Application Catalogue.

5 If you selected Yes the Assign an Application List dialog box appears on the screen providing the list of existing application lists.

6 Select the desired application list from one of the lists available in the window.
7 Click the OK button at the bottom of the window to confirm.
8 If the application list is already assigned to a device or group a Confirmation window appears in which you may choose to directly reactivate the application list for its assigned objects.

(f) Add an Object to a Folder

When adding/creating a new object it may be directly added/created to/in a folder, e.g., an application to an application catalogue folder, an application list to an application list folder or a schedule template to a schedule template folder. To do so proceed as follows:

1 In the window you may define the folder into which the object is to be added. By default it will be added directly under the main Application Catalogue node.
2 To add it to another folder click the icon to the right of the field (...).
3 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new application list folder.
4 Select the target folder and click the OK button to confirm and to close the window and return to the original window.

(g) Activate/Deactivate Application Lists

If the application list was not automatically activated during its assignment it must be done manually to start the actual managing of the applications of the list. This applies to all three list types.

The assignment of application list and target, i.e., the assigned device or group, may be done in the following different locations, all of which are found under the respective Assigned Objects node:

• Application Lists of the assigned device
• Application Lists of the assigned device group
• Devices of the assigned application list
• Device Groups of the assigned application list

To activate the application list management proceed as follows:

Devices/Device Groups
1 Open the Device/Device Group->Assigned Objects->Application Lists node in the left window pane.
2 Select the entry which is to be activated in the table in the right window pane.


Devices/Device Groups
1 Open the Application list->Assigned Objects->Devices/Device Groups node in the left window pane.
2 Select the entry which is to be activated in the table in the right window pane.

The following steps of the procedure are applicable to both locations:

3 Select the Edit->Activate Application List menu item or the respective icon in the icon bar.
4 The application list will be immediately activated.
5 You can follow the activation process via the Status column of the table in the right window pane.

(h) Schedule Templates

Schedule templates are specific schedules which are defined to regulate the use of monitored and prohibited applications. As the name template indicates, this is a plan which may be used for a number of applications which have certain criteria of use in common, such as personal software, which, for example, may be forbidden during regular working hours, but allowed before and after and during lunch time.

The Planning tab of these templates allows you to define time-slots for prohibited applications. The hourly slots are represented in the visual form of a spreadsheet, and each slot shows whether the assigned prohibited applications are allowed or denied at that time.

These templates may also be created and assigned manually instead of via the assistant as shown in the main example. For this proceed as follows:

Step 1: Create a Schedule Template

To add a new schedule template to restrict the monitoring of the application list to the working hours proceed as follows:

1 Select the Schedule Templates node in the left window pane of the prohibited application.
2 Select the Edit->Create Schedule Template menu item or the respective icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Working Hours into the Name field.
5 Click the OK button.
6 Now select the new schedule in the left window pane and go to its Planning tab.
7 Drag your mouse from the Mon 7:00 field to the Fri 18:00 field.
8 Then click the Edit->Allow Time-slot menu item or icon to allow the application to execute in the selected time range.


Step 2: Assign Schedule Template to Monitored Application List

For this example we will assume that the Adobe Reader execution is only to be monitored during working hours instead of all the time, as is the default without schedule template:

1 Select the Application Lists node in the left window pane and the Monitoring Adobe Reader list that we created in the example.

2 Then go to the Assigned Objects->Schedule Templates node in the left window pane.
3 Select the Edit->Assign Schedule Template menu item or the respective icon in the icon bar.
4 The Assign a Schedule Template dialog box appears on the screen providing the list of defined Schedule templates.
5 Select the Working Hours template from the list field.
6 Click the OK button at the bottom of the window to confirm and to close the window.
7 A pop-up window appears on the screen in which you can define if the device assignment will be automatically activated with the default schedule. If you select No here, the object must be specifically activated afterwards.
8 Click Yes to confirm the activation.
9 The newly assigned schedule template is now assigned and displayed in the table to the right.

(i) Protected Application Parameters

Protected applications have a number of parameters that may be specifically defined for the individual applications. Applications may also be protected without a local backup copy. This is worth considering for applications which are installed with the same version on a large number of your devices, such as the NAMP agent.

To protect without a local backup copy proceed as follows:

1 In Step 2b: Point 5 (page 242) select the entry in the list field.
2 Select the Edit->Properties menu item or icon.
3 The Properties window appears on the screen providing the following options:

Local Backup Copy
Displays if a copy of the protected application is to be stored on the local device.


Protect Sub-directories
This value defines if the protection scheme includes the sub-directories of the application directory. This may be applicable for larger applications having sub-directories which do not only contain user created data but also application data, such as libraries or filters.

Include File Types
By default all files in the main directory as well as the sub-directories if specified are included. If you do not want to include all files, enter into this field the list of file extensions which are to be included in the selfhealing package. The files are a comma separated list with wildcard characters, such as *.exe,*.dll,*.bat, etc. If you are limiting the files to be protected they should not include any type of file that is user created, such as *.doc,*.txt, etc., as newer files may be erased by older ones in case of a selfhealing operation. You may also exclude these via the next parameter.

Exclude File Types
By default all file types are included for protection and selfhealing. In this field you may specify a list of file types which are not to be protected and thus not included in the selfhealing package. The files are a comma separated list with wildcard characters, such as *.txt,*.doc,*.tmp, etc. In this field you may exclude, for example, any type of file that is user created, such as Word documents, Excel spreadsheets, etc., as newer files may be erased by older ones in case of a selfhealing operation.

4 Click the OK button at the bottom of the window to confirm and to close the window.
5 Then continue with the wizard.
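The interaction of Protect Sub-directories, Include File Types and Exclude File Types, worked through as an added example (not the product's code). It assumes case-insensitive matching on the file name with exclusion taking precedence over inclusion; the function names, the directory listing and the `*.xls` pattern for Excel files are constructed.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import List

# File types the text names as user created; "*.xls" for Excel is an assumption.
USER_DATA_PATTERNS = ["*.doc", "*.txt", "*.xls"]

# Constructed listing of a protected application directory, relative to its root.
APP_DIR_LISTING = [
    "AcroRd32.exe",
    "AcroRd32.dll",
    "ReadMe.TXT",
    "cache.tmp",
    "start.bat",
    "plug_ins\\Search.api",
    "plug_ins\\notes.doc",
]


def parse_patterns(field: str) -> List[str]:
    """Split a comma separated field such as '*.exe, *.dll' into lowercase patterns."""
    return [p.strip().lower() for p in field.split(",") if p.strip()]


def matches_any(file_name: str, patterns: List[str]) -> bool:
    """Case-insensitive wildcard match of a bare file name against the patterns."""
    name = file_name.lower()
    return any(fnmatchcase(name, p) for p in patterns)


def select_files(listing: List[str], include: str = "", exclude: str = "",
                 protect_subdirs: bool = False) -> List[str]:
    """Return the files that would go into the selfhealing package."""
    include_patterns = parse_patterns(include)
    exclude_patterns = parse_patterns(exclude)
    selected = []
    for rel_path in listing:
        path = PureWindowsPath(rel_path)
        # Files below the main directory only count with Protect Sub-directories.
        if len(path.parts) > 1 and not protect_subdirs:
            continue
        # An empty include list means "all files" (the documented default).
        if include_patterns and not matches_any(path.name, include_patterns):
            continue
        if matches_any(path.name, exclude_patterns):
            continue
        selected.append(rel_path)
    return selected


def user_data_at_risk(selected: List[str]) -> List[str]:
    """Selected files of user-created types that a selfhealing run could overwrite."""
    return [p for p in selected
            if matches_any(PureWindowsPath(p).name, USER_DATA_PATTERNS)]


if __name__ == "__main__":
    configs = {
        "defaults": dict(),
        "sub-directories, no filter": dict(protect_subdirs=True),
        "include binaries only": dict(include="*.exe,*.dll,*.bat", protect_subdirs=True),
        "exclude user files": dict(exclude="*.txt,*.doc,*.tmp", protect_subdirs=True),
    }
    for label, options in configs.items():
        package = select_files(APP_DIR_LISTING, **options)
        print(f"{label}: {package}")
        print(f"  user data that an older copy could replace: {user_data_at_risk(package)}")
```

Running the check against a real directory listing before enabling protection shows whether the chosen filters leave any user-created file inside the package.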

(j) Defining the Integrity Check Interval

You may define at which interval the agent checks the integrity of the protected applications. This is done via a parameter of the selfhealing module and the value will be applicable for all defined protected applications. The default value for the integrity check is defined at 30 seconds. To now increase this value for example to 5 minutes you have the following possibilities:

Modify the Parameter for a Single Device:

1 In the console
a Open the node Device Topology->Device->Agent Configuration->Module Configuration->Selfhealing.
b Select the entry in the table.
c Select the Properties icon in the displayed tab.
d The Properties window appears on the screen. Modify the parameter to 300 seconds.
e Then click the OK button to confirm the modification. The new parameter value will directly be taken into account.

2 Via the Agent Interface
a Double-click the SysTray symbol to open the agent interface in a browser window.
b Then select the button Identification in the top right corner of the browser window and log on to the interface with a local login with administrator permissions.
c The browser will now display the extended version of the agent interface.
d Select the tab Advanced and from its list in the left column the option Selfhealing.
e The browser window now displays the Selfhealing Module Parameters page.
f Click the Modify... button.

If you do not make local copies for a protected application for all devices, make sure that at least one device in the neighbourhood of the backupless devices has such a backup copy, i.e. a neighbour device which can be found in the backupless device’s autodiscovery list.


g The browser now displays a page in which the value of the parameter may be modified. Enter 300 instead of the existing 30 seconds.
h Then click the Update button. The new parameter value will directly be taken into account.

3 In the Configuration file
a Go to directory <InstallationDirectory>/Client/config.
b Open the file SelfHealing.ini in a text editor.
c Modify the value of parameter CheckInterval from 30 to 300 seconds. The new parameter value will directly be taken into account.

Modify the Parameter for Several Devices:

To modify the parameter value for several devices, we will first create an operational rule with the new value, and then assign it to the target devices, either directly to the individual devices or via a device group, such as for example group All Devices, to be executed. To do so proceed as follows:

1 Create an operational rule with step Selfhealing Module Setup. You define the value for this step to 300 seconds.

2 Assign the rule to device group All Devices and directly activate it.
3 Open the following console node on one of the target devices: Device Topology->Device->Assigned Objects->Assigned Operational Rules.
4 Once the status Executed is displayed for the assigned operational rule, the modification was done.
5 To verify this open node Agent Configuration->Module Configuration->Protected Applications of the device. There you will now find the new value.

(k) Reporting on Specific Time Range

To only use the data of a specific time range for the report to be generated, proceed as follows:

1 At Report 2: Point 2 (page 248) of the general procedure select the Options tab of the report.
2 Since no options have yet been specified for this report the table in this view is still empty.
3 To add a time frame select the Edit->Properties menu item or icon.
4 The Properties window appears on the screen.
5 Check both boxes to activate the calendar fields.
6 Then open the calendar for each of the fields and select a start and an end date.
7 Click OK to confirm and close the window.
8 The time option is now active for the report.
9 Continue with the general procedure with Point 3 (page 248).


11 Power Management Step-by-Step

The new functionalities of the Numara Power Manager allow you to follow the overall energy usage of your devices over specific periods of time, to calculate your energy costs and CO2 emissions as well as to measure the progress regarding the application of energy consumption policies.

This chapter is divided into the following sections:

• Power Management Procedures
• Power Management Reporting
• Options

Prerequisites

To execute the examples provided in this chapter we assume that:

• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the NAMP console and its workings.

11.1 Power Management Procedures

The following paragraphs explain the different elements of power management and guide you through the generation, monitoring and interpretation of the power management data. This is done via the following steps:

1 Configuring Devices for Power Management
2 Power Management Inventory
3 Event Monitoring

Step 1: Configuring Devices for Power Management

The Power Management module is loaded by default at installation time; now it only needs to be configured. We will do so in this example via an operational rule using the wizards for all devices of your test environment:

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard.

Step 1a: Definition

In this first step the operational rule to be created must be defined via its parameters.

1 Enter Power Management Configuration (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required for this rule.

The Power Management functionality is NOT applicable to Linux, Mac OS and Solaris; it is only applicable to Windows, version 2000 and later.


3 Click the Next button to continue.

Step 1b: Steps

In this window we need to define the operations necessary to configure the power management, which is all done in one single step:

1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Open the Agent Configuration folder and select the Power Management Module Setup step.
4 Click the Add button to confirm.
5 The Properties window appears on the screen.
6 Make the following modification to the available parameters: Check the Log Events option. This will make sure that the events generated for the power management are logged in the local database.
7 Then click OK to add the step to the list and close the window.
8 Click OK again to confirm the list of steps for the operational rule and close the window.

This step configures the event generation for the module, as we have just done, as well as the default inventory update and upload. By default it is generated and uploaded to the master database every 24 hours. If you want to define a different schedule see Option (a).


9 Now click the Finish button to confirm the settings of the new operational rule.
10 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 1c: Operational Rule

In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options:

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.

2 Leave all other options as they are.

3 Click Next to continue.

Step 1d: Assigned Devices

The operational rule is now created and must be assigned to the devices on which to execute, in our example the relay.

1 To do so select the Assign Device icon on top of the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the relay.


4 Click OK to confirm and close the window.
5 The device will be added to the list window.

6 Click Finish to confirm all choices and launch the assignment and configuration process.

7 The last option provided by the wizard is to go directly to one of the objects, i.e. the operational rule or the task, if one was created. For our example we will directly activate the rule and change the focus to it; therefore check the Go to Operational Rule box and click Yes to directly activate the rule.

Step 2: Power Management Inventory

Similar to the Patch Inventory, the Power Management Inventory must be generated specifically. This is done via an operational rule executed on your target devices. The first action to take is to create the operational rule, this time manually.

Step 2a: Create Operational Rule

1 To do so select the Operational Rules top node in the left window pane.
2 Click the Edit->Create Operational Rule menu item or the respective icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Power Management Inventory into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 Go to the Steps tab.
7 Click the Add Step icon in the icon bar.
8 The Select a Step popup window will appear on the screen.
9 Double-click the Inventory Management folder and select the Update Power Management Inventory step of this group.


10 Click the Add button to add the step to the list of Selected Objects.
11 The Properties dialog box will appear on the screen displaying the parameters to be defined.
12 Check the remaining options: Upload after update, Force Upload, Bypass Transfer Window.
13 Then click OK to close the window.
14 Click OK to add the step to the operational rule and close the Select a Step popup window.
15 The operational rule is now configured.

Step 2b: Assign and Execute the Operational Rule Immediately

The operational rule is now created and must be assigned to the target devices; for our example here we will assign it to the group All Devices again.

1 Return to the Power Management Inventory rule, click the Assigned Objects and then the Device Groups node.
2 To assign the group select the Assign Device Group icon in the icon bar.
3 A confirmation window appears on the screen. Click Yes to activate the operational rule directly.

4 The Assign to Device Group popup window will appear on the screen.

To schedule the inventory generation at regular intervals, click No and see Option (b) once the device group is assigned.


5 Select the All Devices group from the list.

6 Then click OK to add it and close the window.
7 If you answered Yes to Would you like to automatically activate...? (see point 3 above), the inventory process is started directly!

Step 2c: Monitor Rule Execution Progress

In the right window pane of the Device Groups node you can follow the execution of the rule via the different statuses the process passes through for the individual devices. You should see the following successive statuses if everything went well:

• Assignment Waiting

• Assignment Sent

• Assigned

• Ready to run

• Executed

One of the following status values may be shown if the execution failed:

• Verification Failed - this status may appear if, for example, the operating system of the target is of an unsupported type, e.g. Linux or Solaris.

Step 2d: Verify Power Management Inventory

Once the rule has successfully executed you can take a first look at the inventory on the first device.

At any moment you can use the Refresh button in the toolbar.

The bottom right counter tells you the seconds before the status is refreshed automatically.


1 Open node All Devices->Device->Inventory->Power Management Inventory.
2 This node displays its information in three different subnodes. We will for the moment only concern ourselves with the Global Policies node.
3 This node displays the name of the currently activated power scheme and its parameter values.

Step 3: Event Monitoring

Events may be monitored locally and centrally once the data is uploaded to the NAMP database, and they may be monitored individually for a single device or for all the members of the group.

• Local Event Monitoring
• Monitoring Events on the Master

Step 3a: Local Event Monitoring

You can monitor what is happening concerning power management locally on each of the devices of your group. To cause some events to be generated you can for example modify your screen saver settings to a very short time of inactivity, e.g. 1 minute. Wait until the screen saver comes on and then unlock your screen again as shown in the screen shot of this example. You may also configure the device to go into Standby mode after 1 minute, wait and then reactivate the device again.

1 Go to the All Devices->Device (Master?)->Agent Configuration->Power Management node.
2 Then select the Events tab.
3 It displays the list of events that occurred on the local device.
4 Refresh the page if it is still empty.

To learn how to change the active power scheme see Option (e).

To learn how to create new power schemes or modify existing power schemes see Option (d).


5 The following information is displayed:

Event Date
The date and time at which the power management action, the activation of the screensaver, was executed.

Type
This field displays the type of event that occurred, i.e., the screen saver was activated, the device was put in hibernation, etc.

Step 3b: Monitoring Events on the Master

Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic and to view them in the console together with other data these events must be specifically uploaded to the master and its database. This is done via an operational rule:

1 Go to the Operational Rules top node in the left window pane.
2 Click on the Create Operational Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Power Management Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 To configure all the steps it is to contain go to the next tab, the Steps tab.
7 Click the Add Step icon in the icon bar to add the first step.
8 The Select a Step popup window will appear on the screen.
9 It displays the list of available steps in its Available Steps box.

By default these events are configured to be uploaded every 24 hours, i.e. at midnight. If the agent is not running at this time the events will be uploaded at agent startup.


10 Double-click the Event Log Manager folder.
11 Select the step Upload Events and click the Add button.
12 The Properties dialog box appears on the screen.
13 From the Model Name dropdown list select the Power Management value and leave all other fields as they are.
14 Then click OK to confirm the parameters and OK again to confirm the new step.
15 The operational rule is now configured and must be assigned to the target, i.e. all devices in our test environment.
16 Go to the Assigned Objects->Device Groups node in the left window pane under your newly created operational rule.
17 Select the Assign Device Group icon in the icon bar.
18 A confirmation window appears on the screen. In this window you may define if the device assignment will be activated according to the default schedule defined in the User Preferences. Click Yes to activate the operational rule automatically.
19 The Assign to Device Group popup window will appear on the screen.
20 Select the group All Devices from the list.

By default the events, if activated, will be uploaded to the master database once a day at midnight. If you need a more frequent upload click No, and then see Option (c) once this step is finished.


21 The group will be added to the table in the right pane with a status of Activated.
22 Select the subnode All Devices and follow the execution of the operational rule for the group members.
23 Once its status is Executed all data are uploaded.
24 To verify this go to the Events->Event Logs node of the All Devices group.
25 This node displays the list of all events registered by the event log models for the selected device group.
26 To display the power management events instead of the default software distribution events select Power Management from the Model Name dropdown list.
27 Then click the Find button.
28 The table below will now display all events that were uploaded and are continued to be uploaded.

29 Now all data are uploaded and ready and reports may be generated.

11.2 Power Management Reporting

The easiest and clearest way to monitor the power management activity is via reporting. The NAMP console provides a template-based report for this. However, contrary to other modules, there is only one template with a number of different options to display the different aspects of the topic.

• All reports that can be generated with this template according to its different units and groupings can either be shown as a summary for all devices or with the same details displayed for each device that is included in the report.


• The report details may be grouped by Status, Weekly Hours, Day, Month, Week or Year.
• The units according to which the data may be displayed are Percentage, Hours, Energy, Price and CO2 Emission.
• The reports may be generated for a specific period of time.
• As usual all these reports may be generated and displayed in HTML, PDF and XML format.

The following section provides some examples of these possibilities, mostly as a summary. You will find detailed information on each of the possible contents in the Power Management Report Templates on page 47 of the Power Management manual.

For our examples here we will only create one report which we will modify each time to see the different possibilities. However, you may also create a new report for each example, but this will not be explained specifically.

Report 1: Power Management Reporting - Summary

We will generate this report via the wizard, which is available from everywhere in the console.

1 Select the Wizards->Report Creation menu item or the respective icon in the icon bar.
2 The Report Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1: Report

The first window of the wizard, Report, appears on the screen. It defines the base information of the report:

1 Enter Summary as the name into the Name field.
2 Enter Power Management Summary as the name into the Report Title field.
3 In the Report Type field select Template-based from the dropdown list.
4 In the Report Template field select Power Management Status from the dropdown list.
5 Power management only provides one report which however provides you with several options.
6 Leave all other values as they are.
7 Click Next to continue.

Step 2: Options

In the Options window the criteria for the report are defined, e.g. if it is to be a summary, if it is generated for a specific period of time, for a specific group, etc. For our example we will first generate the basic report, a status summary. Therefore leave all values as they are and click Next to continue.


Step 3: Publication and Mail

This step allows you to make the generated reports accessible to other associates within your department or company and/or to send them by mail to specific associates. For this example we will make this a public report and send it to our own e-mail account in HTML format. To do so proceed as follows:

1 Enter a name, i.e. a title for the report, into the Name field, e.g., Power Management Summary.
2 Then check the Public Report box.
3 Go down to the second panel and select the Add e-mail icon.
4 The Define Mail dialog box appears on the screen. To specify the recipients as direct recipients, copy recipients and blind copy recipients, you proceed in the same way.

To enter recipients click the To.../CC.../BCC... button and the Select an Address dialog box appears on the screen.

To select an administrator or administrator group from the list click the Select from List radio button and then select the recipient(s) below. You may specify an administrator group as the recipient; in this case the mail will be sent to all members of this group that have a valid e-mail address entered into their general data tab.

Or you may click the Select Manually radio button and enter any valid e-mail address into the field below. You may also enter more than one address by separating these with a semi-colon, for example, [email protected];[email protected].

5 Then enter Power Management Summary Report as the Subject of the mail.
6 Click OK to confirm the mail and add it to the list.

For more information regarding public reports on the Report Portal see Option (g) in the Reporting chapter.


7 Click Next to go to the following wizard page.

Step 4: Assigned Objects

In this step of the wizard the objects on which the report is to be generated are defined. In our example we will assign it to our group All Devices for which we generated the power management events. Proceed as follows:

1 Select the Assign Device Group icon.
2 The Assign to Device Group popup window will appear on the screen.
3 Select the device group All Devices from the window.
4 Click OK to confirm the assignment and close the window.
5 The device group will be added to the table of assigned device groups.
6 Click Next to go to the following wizard page.


Step 5: Schedule

The last step in the wizard is the definition of its generation schedule. We will generate our first report immediately to be able to examine it right away:

1 Check the Immediately radio button in the Execution Date panel.
2 Then check the Immediately generate the report box at the bottom of the window.
3 Then click the Finish button to confirm the new report and generate it.

4 As usual a confirmation window appears which allows you to move the focus of the console to the newly created report.

5 Click the Yes button to do so.

Step 6: Report Analysis

Once the report is created and generated it will be displayed in a browser window. To display it proceed as follows:

1 The focus of the console was moved to the main view of the newly created report.
2 In this window select the Edit->View Last Result menu option or the respective icon in the icon bar.


3 A browser window opens on the screen requesting identification to the agent.
4 Enter admin as the login with no password.
5 The newly generated report is displayed in the window.

The first part of this summary, the introduction, provides you with the following information, which will be the same for all the different types of reports we will generate:

• A general description of the contents of this report


• Time Range displays the timeframe for which the report was generated. If you have not selected a timeframe as we did, the dates indicated are the date of the first uploaded event as the start date and the date of the last uploaded event as the end date.

• Group by indicates the distribution of the charts, All in this case meaning that all devices are cumulated in one single graph.

• Unit indicates in this case that the values provided in the graph are in percent.
• Number of devices displays the total number of members of the group that is assigned to the report.
• Number of devices used for reporting displays the number of devices that uploaded events usable for this type of report. For the above shown example this indicates that only 2 out of the 8 group members show power management actions.

The second part of this report is the summary of all data displayed in the form of a pie chart with the colour explanations below.

• The differently coloured pie parts represent the different types of events generated.
• The percentage indicates the representation in percent of the respective event (= power state of the device).
• The displayed graph shows that on those two devices someone was working only 2/3 of the time, for almost 1/3 of the time the screen saver was running, and they were shut down for only 5% of the time.
• It also shows that at all times someone was logged on to both devices.
• In this graph it is not possible to know the active/inactive time distribution between the two devices; for this a report needs to be generated that distinguishes between the devices.

Report 2: Power Management Reporting - Usage per Device

To display the same report with details on each of the devices of the device group in addition to the group summary, modify the report as follows:

1 Select the report in the left window pane.

2 In the right pane select the Options tab.
3 This tab displays the currently selected report options.
4 To modify these either double-click the table entry or select the Properties... icon in the icon bar.
5 The Properties window appears on the screen.
6 In this window now check the Details by Device option. This will display the same information individually for each device of the assigned device group.
7 Then click OK to confirm and close the window.
8 The report is now reconfigured and must be regenerated.

To know more about the general options and possibilities of reports refer to the general report chapter of this manual or the Console manual.


9 Now select the Edit->Generate Report menu item or the respective icon in the icon bar.
10 The Select Generation Formats window appears on the screen, click the OK button to confirm the preselected choice.
11 The report is now generated.
12 Now go to the Report Results->All Devices node below the report.
13 In this view all generated reports are listed in their respective format with their generation status.
14 Once the status Available is displayed the report is ready for display.
15 Select the report entry in the table and click the Edit->View menu option or the respective icon in the icon bar.

16 A new tab or window of the browser is opened displaying this new report.

This report now shows a graph for each device providing data for the report, in this case two. The two graphics above display now - compared to the general summary generated before - the activity/inactivity and usage of the two devices.

Report 3: Power Management Reporting - Distribution by Weekly Hours

The created report may be modified to display more detailed aspects of the defined power management. Proceed as follows:

1 Select the report in the left window pane.


2 In the right pane select the Options tab.
3 This tab displays the currently selected report options.
4 To modify these either double-click the table entry or select the Properties... icon in the icon bar.
5 The Properties window appears on the screen.
6 Uncheck the Details by Device option.
7 In the Group by dropdown list select the value Weekly Hours.
8 Then click OK to confirm and close the window.
9 The report is now reconfigured and must be regenerated.
10 Now select the Edit->Generate Report menu item or the respective icon in the icon bar.
11 The Select Generation Formats window appears on the screen, click the OK button to confirm the preselected choice.
12 The report is now generated.
13 Click the Edit->View Last Result menu option or the respective icon in the icon bar.
14 The Select a Group window opens on the screen.
15 Click OK to confirm.
16 A new tab or window of the browser is opened displaying this new report.
17 This report is of course only really interesting if your test environment has already run for at least one week to provide data for each day of the week. In our example the report will only show data for one day, but you will still see how the report may look.

To know more about the general options and possibilities of reports refer to the general report chapter of this manual or the Console manual.

If you leave the option checked the report will provide the same information but per device, i.e., all charts will exist for each device.


The report is divided into three different chart types:

1 The first pie chart displays the overall summary, the same as in the first report we generated.
2 The second part consists of a bar chart with one bar for each day of the week. The bars are summarising the power consumption, i.e. the power states of all devices per day.
3 The third part, displayed below, shows a bar chart for each day of the week and each hour of these days and the energy states for these hours.

Report 4: Energy Costs by Weekly Hours

This report displays the energy costs for each of the hours of the week. To define this report proceed as follows:

1 Select the report in the left window pane.

2 In the right pane select the Options tab.
3 This tab displays the currently selected report options.
4 To modify these either double-click the table entry or select the Properties... icon in the icon bar.
5 The Properties window appears on the screen.
6 Uncheck the Details by Device option.
7 In the Unit dropdown list select the value Price.
8 In the Device Consumption field enter the average consumption of a device. The average consumption for a current device is between 300 and 500 watts depending on its equipment.
9 In the Kilowatt Hour Rate field enter the price you pay for a kilowatt hour. This rate varies depending on your country, e.g. 0.11€ as a medium value in France.
10 In the Currency field enter the currency in which the kilowatt hour rate is entered above, e.g. Euros or €. The currency will be displayed in the report in the format you enter it here.

If you generated the report by device, the above explained parts will be repeated for each of the devices delivering data, i.e. having uploaded events to the master database.

To know more about the general options and possibilities of reports refer to the general report chapter of this manual or the Console manual.

If you leave the option checked the report will provide the same information but per device, i.e., all charts will exist for each device.


11 Then click OK to confirm and close the window.
12 The report is now reconfigured and must be regenerated.
13 Now select the Edit->Generate Report menu item or the respective icon in the icon bar.
14 The Select Generation Formats window appears on the screen, click the OK button to confirm the preselected choice.
15 The report is now generated.
16 Click the Edit->View Last Result menu option or the respective icon in the icon bar.
17 The Select a Group window opens on the screen.
18 Click OK to confirm.
19 A new tab or window of the browser is opened displaying this new report.
20 This report is of course only really interesting if your test environment has already run for at least one week to provide data for each day of the week, as do the screenshots below to provide you with an idea on how this may look.

The report is divided into three different chart types:

1 The first bar chart displays the overall cost summary per occurred device state.
2 The second part consists of a bar chart with one bar for each day of the week. The bars are summarising the power costs per power states of all devices per day.


3 The third part, displayed below, shows a bar chart for each day of the week and each hour of these days and the energy costs for these hours.

Report 5: CO2 Emissions by Week

This report displays the CO2 emission per month. To define this report proceed as follows:

1 Select the report in the left window pane.

2 In the right pane select the Options tab.
3 This tab displays the currently selected report options.
4 To modify these either double-click the table entry or select the Properties... icon in the icon bar.
5 The Properties window appears on the screen.
6 Uncheck the Details by Device option.

7 In the Unit dropdown list select the value CO2 Emission.

To know more about the general options and possibilities of reports refer to the general report chapter of this manual or the Console manual.

If you leave the option checked the report will provide the same information but per device, i.e., all charts will exist for each device.


8 In the Group by dropdown list select the value Week.
9 Leave the value in the Device Consumption field.
10 In the CO2 Emission (g/kWh) field enter the amount of CO2 that is emitted into the atmosphere on average for a kWh. This value also varies according to the countries, in France for example it is ~ 120 grams of CO2 per kWh, the European average is 340 grams.
11 Then click OK to confirm and close the window.
12 The report is now reconfigured and must be regenerated.
13 Now select the Edit->Generate Report menu item or the respective icon in the icon bar.
14 The Select Generation Formats window appears on the screen, click the OK button to confirm the preselected choice.
15 The report is now generated.
16 Click the Edit->View Last Result menu option or the respective icon in the icon bar.
17 The Select a Group window opens on the screen.
18 Click OK to confirm.
19 A new tab or window of the browser is opened displaying this new report.
20 This report is of course only really interesting if your test environment has already run for at least one week to provide data for each day of the week, as do the screenshots below to provide you with an idea on how this may look.

This report only has one chart, a bar chart that displays the weekly consumption per device status in their different colours.


11.3 Options

The following paragraphs will provide you with a number of options that may be used with the power management.

(a) Power Management Inventory Upload Schedule

To define the upload schedule of the Power Management Inventory you have two possibilities:

• Modify the default inventory parameters of the Power Management module
• Define a different schedule via an operational rule and assign it to the targets.

The following paragraph explains the first option, as creating a specific schedule has already been detailed in the preceding chapters, e.g. in the options of the Configuration Management Step-by-Step chapter. We will change the basic schedule for all devices, not only for one; therefore we will do this via the power management configuration rule that we created before:

1 Open the Operational Rules top node in the left window pane.
2 Select the Power Management Configuration rule among its children.
3 Select the Steps tab in the right window pane.
4 Select the entry in the table to the right and double-click it.
5 The Properties window appears on the screen.
6 It displays the following parameters which are available for the inventory management:

Upload on Startup
This checkbox defines if the inventory is uploaded to the master after being updated the first time on agent startup. It is recommended to activate this option to ensure that the inventory is updated at least at every startup of the agent.

Differential Upload
This checkbox specifies if the inventory is to be completely replaced with each upload when differences are detected or only with the delta, i.e., the modifications of the inventory. By default this value is checked to only upload the delta.


Upload Interval
This value defines the upload period for the inventory in seconds. If it is set to 0, no uploads are configured by the module, but they can still be managed through operational rules. The setting only configures the upload of existing data, it does not include an update of the inventory. The default value is 86400 seconds or 24 hours.

Minimum Gap Between Two Uploads
This parameter defines the minimum time interval between inventory uploads in seconds. If the value is set to 0 this option is deactivated and there is no minimum interval.

7 Make the desired modifications, then click OK to confirm the modifications and again OK to confirm the step.
8 If modifications have been made to an operational rule it must be reassigned to its targets to notify the local agents of these.
9 Therefore open the Assigned Objects->Device Groups node of the rule.
10 Select the entry in the table to the right.
11 Select the Edit->Reassign Operational Rule menu item or the respective icon in the icon bar.
12 The reassignment process of the operational rule will be launched.
13 You can follow its execution under the Devices node below.
14 Once the status Updated is displayed for all devices, the local agents are aware of the modifications and will from now on manage the inventory upload according to this schedule.

(b) Regularly Generate (Update) the Inventory

When using the automatic activation a default schedule is assigned to the operational rule: immediate execution, once. In our case we will define a schedule first and then the assignment must be activated.

For our example it may be useful to run the inventory rule at regular intervals, such as once a week to make sure all devices are still on their assigned power schemes and the users have not modified these. To do so proceed as follows:

1 After the device group has been assigned go to the Power Management Inventory->Assigned Objects->Device Groups node.

2 Select the All Devices entry in the table in the right window pane.
3 To define the schedule either double-click the table entry or select the Properties... icon in the icon bar.
4 The Properties window will open on the screen.
5 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.
6 In the Execution Date box define when to run the inventory collection. In our example we will select the Next Startup radio button to launch the inventory when the agent is started next.
7 Then go to the Termination box below, click the Run Forever radio button.
8 Now select the Frequency tab.
9 Check the Day of the Week radio button.
10 The checkboxes for the individual weekdays become available which are all checked.


11 Uncheck all boxes apart from Sunday to make sure the devices start their work week with the right scheme.
12 In the Period drop-down field to the right select the value Once Only.
13 In the field below select the time at which to execute the inventory collection, e.g., 22:00. To modify the minute value just click in the field with the selected value and change the value, e.g. to 22:30.
14 Click OK to confirm the new schedule and close the window.
15 The status currently displays Assignment Paused, which means you need to activate the new schedule.
16 Reselect the All Devices entry in the table and then activate it by selecting the Activate Operational Rule icon in the icon bar.
17 A confirmation window appears on the screen. Click Yes.
18 The group status will change to Activated.
19 To follow the assignment of the group members select the All Devices subnode and follow the different status values in the table to the right.

(c) Regularly Upload Events

By default the events are uploaded to the master database once every day at midnight. If the device is offline at that time, the events are uploaded at agent startup. If this schedule does not fit your requirements you may change it.

When using the automatic activation a default schedule is assigned to the operational rule: immediate execution, once. For our example we will schedule the upload to take place every morning at 7, just in time for you to generate a daily report about the activities of the last 24 hours.

1 If you have unchecked the Default Schedule option in the first window, the last step of the wizard will be the Schedule window.

2 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.

If the rule was already executed before and the schedule modified afterwards the status will display Update Paused.

If the rule was already executed it must now be reassigned instead of activated, therefore select the Reassign Operational Rule icon.


3 Go to the Termination box below, click the Run Forever radio button.
4 Now select the Frequency tab.
5 Leave the By Schedule and the Run Every Day radio buttons checked.
6 In the Period drop-down field select the value Once Only.
7 In the field below select the time at which to execute the upload, e.g., 07:00. To modify the minute value just click in the field with the selected value and change the value, e.g. to 07:30.
8 Click Finish to confirm the schedule and terminate the wizard.
9 Continue with the general procedure.

(d) Create/Modify Power Scheme

Creating new power schemes or modifying existing ones is done via an operational rule and its step. The step is the same for both operations:

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard.


Step 1: Definition

In this first step the operational rule to be created must be defined via its parameters.

1 Enter Change Power Scheme (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required for this rule.
3 Click the Next button to continue.

Step 2: Steps

Only one step is required for this operation:

1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Power Management and select the step Create/Modify Power Scheme.
4 Click the Add button to confirm.
5 The Properties dialog box appears on the screen.
6 Enter a name for the new power scheme in the respective field.
7 Check the box Active Power Scheme to make the new scheme the active scheme right away.
8 Enter the following values for testing purposes in the fields labelled with (AC). This signifies that the parameter applies to devices with a constant power supply, such as a desktop or a laptop connected to an electrical plug:
Monitor Off: 1 Minute
Hard Disc Drive Off: 2 Minutes
System Suspend: 3 Minutes
Hibernate System: 5 Minutes
9 Leave all other values as they are.
10 Click OK to confirm the step.
11 Click OK again to confirm the list of steps for the operational rule and close the window.
12 Click Finish to confirm all choices and create the rule.

If you are modifying an existing scheme make sure you enter the name of the scheme to be modified exactly as it is saved in Windows. Otherwise a new one will be generated.


13 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 3: Operational Rule

In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options.

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.
2 Leave all other options as they are.
3 Click Next to continue.

Step 4: Assigned Devices

The operational rule is now created and must be assigned to the devices on which to execute; in our example we will assign the new power scheme to the group Client Devices.

1 To do so select the Assign Device Group icon on top of the list field.
2 A confirmation window appears on the screen. Click Yes to automatically launch the rule.
3 The Select a Device Group popup window will appear on the screen.
4 Select the Client Devices group.
5 Click OK to confirm and close the window.
6 The device group will be added to the list.
7 Click Finish to terminate the wizard.
8 The last option of the wizard is, as usual, the choice to go directly to one of the objects. Check the Go to Operational Rule box and click Yes, to directly activate the rule.

Step 5: Verify Power Scheme Application

Once the operational rule is executed on all devices you may verify if it works by continued inactivity on all your client devices. After 5 minutes all devices should be in hibernation.

You may also regenerate a new power inventory by reexecuting (reassigning) the respective operational rule to display the active power scheme and its parameters.

(e) Change Active Power Scheme

The easiest way to change the active power scheme on a group of devices is again by operational rule:

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections made in the right window panes, some of these steps will become available/unavailable.

Step 1: Definition

In this first step the operational rule to be created must be defined via its parameters.

1 Enter Change Power Scheme (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required for this rule.
3 Click the Next button to continue.

Step 2: Steps

In this window we need to specify the scheme modification operation:

1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Open the Power Management folder and select the Define Power Scheme step.
4 Click the Add button to confirm.
5 The Properties window appears on the screen.


Enter the name of the scheme to make the active scheme into the Replacement Power Scheme field.

6 Then click OK to confirm the parameters and OK again to confirm the new step.
7 Click OK again to confirm the list of steps for the operational rule and close the window.
8 Now click the Finish button to confirm the settings of the new operational rule.
9 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 3: Operational Rule

In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options:

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.
2 Leave all other options as they are.
3 Click Next to continue.

Step 4: Assigned Devices

The operational rule is now created and must be assigned to the devices on which to execute, in our example the group Client Devices.

1 To do so select the Assign Device Group icon on top of the list field.
2 The Select a Device Group popup window will appear on the screen.
3 Select the Client Devices group.
4 Click OK to confirm and close the window.
5 The device group will be added to the list window.
6 Click Finish to confirm all choices and launch the assignment and configuration process.
7 The last option provided by the wizard is again the choice to go directly to the operational rule. Check the Go to Operational Rule box and click Yes, to directly activate the rule.

Step 5: Verify Power Scheme Application

Once the operational rule is executed on all devices you may verify if it properly assigned the new scheme by regenerating the power inventory again. Do so by reexecuting (reassigning) the respective operational rule.

Make sure you enter it exactly as it is defined in Windows. You may find the exact name either in the console in the previous inventory, or in the inventory's tab, or in the Power Scheme window of Windows.


12 Peripheral Device and Data Control - Step by Step

Windows Device Management in the Numara Asset Management Platform is concerned with peripheral devices and allows you to control the usage of these as well as the connected movement of data, especially all data that leaves the company. This is done by enabling or disabling specific peripheral devices in your network, e.g. USB storage, printers, modems, etc.

This chapter is divided into the following sections:

• Device Management Procedures
• Options

Prerequisites

To execute the examples provided in this chapter we assume that:

• you have different USB storage devices available.
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the NAMP console and its workings.

12.1 Device Management Procedures

The following paragraphs explain the different elements of Windows device management and guide you through the generation, monitoring and interpretation of the generated events and data. This is done via the following steps:

1 Configuring Windows Devices for Device Management.
2 Controlling the Data via USB Storage Devices.
3 Device Control Event Monitoring

12.1.1 Configuring Windows Devices for Device Management

The first step when managing the peripherals of Windows devices is to configure the local device management module and make sure it is loaded on all Windows devices. This is composed of the following steps:

1 Load and Configure Device Management Module
2 Assign and Execute the Operational Rule

Step 1: Load and Configure Device Management Module

1 Select the Operational Rules top node in the left window pane.

The Windows Device Management functionality is, as its name indicates, only applicable to Windows, version 2000 and later.

It is strongly recommended to create only one rule per peripheral device class. Multiple rules may contradict each other, with the result that the desired rules are not applied in the network. It is however possible to have different rules for the different peripheral classes, e.g. one rule for all USB storage devices, one rule for all CD/DVD burners, another one for all modems, etc.

2 Select the Edit->Create Operational Rule menu item or the respective icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Device Management Configuration (or any other desired name) into the Name field and click OK to confirm.
5 Select the newly created rule and go to the Steps tab.
6 Either choose the Edit->Add Step menu item or click the respective icon in the icon bar.
7 The Select a Step popup window will appear on the screen.
8 Expand the item Agent Configuration and select step Load/Unload Module.
9 Click the Add button.
10 The Properties dialog box appears on the screen.
11 From the dropdown list of the Module Names field select the Windows Device Management option.
12 Leave all other options as they are.
13 Click the OK button to confirm.
14 Now select the step Windows Device Management Module Setup.
15 Click the Add button.
16 The Properties dialog box appears on the screen.
17 Check the Log Events box.
18 Click the OK button to confirm.
19 Now click the OK button again to confirm the list of defined steps for the operational rule and to close the window.

Step 2: Assign and Execute the Operational Rule

The operational rule is now created and must be assigned to the devices on which it is to execute; in our example we will select the group All Devices.

1 Click the Assigned Objects, then Device Groups node in the left window pane under your newly created operational rule.
2 Select the Assign Device Group icon in the icon bar.
3 A confirmation window appears on the screen. Click Yes to automatically launch the rule.
4 The Select a Device Group popup window will appear on the screen.
5 Select the group All Devices.
6 The device group will be added to the table in the right pane with the status Activated.
7 Once the status of all its members, which you can see under the subnode All Devices, is displayed as Executed, the devices are ready for device management.

12.1.2 Controlling the Data via USB Storage Devices

In this example we will create an operational rule which controls the USB storage devices. That means we will define which storage units are allowed to connect to the network devices via USB and refuse all others. The rule will therefore have the following steps:

• Reset Device Management Rule to make all previous USB storage device rules invalid.
• Create Device Management Rule allowing the respective device.
• Create Device Management Rule forbidding all other USB storage devices.

Step 1: Create USB Storage Device Control Rule

This rule allows the usage of one very specific USB storage device type, which has been distributed to all employees who are allowed to exchange and transfer data via USB storage. All other USB storage devices will be forbidden.

1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option (a) now.

Step 1a: Operational Rule

In this first step the operational rule to be created must be defined via its parameters.

1 Enter USB Storage Device Control (or any other desired name) into the Name field.

2 Leave all other parameters as they are, as no packages will be distributed and no dependencies are required for this rule.

3 Click the Next button to continue.

Step 1b: Steps

In this window we need to define the operations necessary to configure the device management, which is done via three separate steps:

1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Windows Device Management and select step Reset Device Management Rule.
4 Click the Add button.
5 Leave all values as they are, as the USB Storage Devices option is already preselected in the Class Type field.

A rule defining the management of a specific device class should always use the Reset Device Management Rule as its first step. This is to make sure there are no other rules that are already assigned or used and that may interfere with this new rule.

6 Click the OK button to confirm and add this step to the list of Selected Objects.
7 Then select step Create Device Management Rule.
8 Click the Add button.
9 The Properties dialog box appears on the screen.
10 The USB Storage Devices option is already preselected.
11 Check the box Authorise. This will allow the usage of the USB storage defined below.
12 In the Filter Type field select the option Exact Match.
13 Into the field Device Description Filter enter the exact name of the USB storage to allow. If the name is not correct, the storage will not be recognised when it is connected.
14 Click the OK button to confirm and add this step to the list of Selected Objects.
15 Then select step Create Device Management Rule again.
16 Click the Add button.
17 The Properties dialog box appears on the screen.
18 The USB Storage Devices option is already preselected.
19 Leave the box Active unchecked. This will prohibit the usage of all other USB storages.
20 In the Filter Type field select the option Pattern.
21 Into the field Device Description Filter enter the asterisk wildcard character (*).
22 Click the OK button to confirm and add this step.
23 Click OK again to confirm the list of steps for the operational rule and close the window.
24 Now click the Finish button to confirm the settings of the new operational rule.
25 A confirmation window appears on the screen which allows you to directly continue with the Operational Rule Distribution Wizard. Click Yes to continue directly with the distribution of the new rule.

Step 2: Assign the Operational Rule to the Targets

The assignment is directly continued from the creation process via the Operational Rule Distribution Wizard that appears on the screen:

Step 2a: Operational Rule

In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as some distribution options:

If you are not sure about the exact name see Option (c) now to find out.

To allow all USB keys of a specific manufacturer or type see Option (b) now.

When creating a list of conditions always start with the most restrictive condition and work your way down to the most general. A step prohibiting or allowing "the rest" or "all others" should always be the last in the rule.

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just created.

2 Leave all other options as they are.

3 Click Next to continue.

Step 2b: Assigned Devices

The operational rule is now created and must be assigned to the devices on which it is to execute, in our example the group All Devices.

1 To do so select the Assign Device Group icon on top of the list field.
2 The Assign to Device Group popup window will appear on the screen.
3 Select the group All Devices.
4 Click OK to confirm and close the window.
5 The device group will be added to the list window.

6 Click Finish to confirm all choices and launch the assignment and configuration process.

7 The last option provided by the wizard is to go directly to one of the objects, i.e. the operational rule or the task, if one was created. For our example we will directly activate the rule and change the focus to it; therefore check the Go to Operational Rule box and click Yes to directly activate the rule.

8 The device group will be added to the table in the right pane with a status Activated.

9 To follow the assignment process select the All Devices subnode below and follow the status in the right window pane for the group members.

12.1.3 Device Control Event Monitoring

Events may be monitored locally and centrally once the data is uploaded to the NAMP database, and they may be monitored individually for a single device or for all the members of the group.

• Local Event Monitoring
• Monitoring the Results on the Master

Step 1: Local Event Monitoring

Once the status for the device group members displays Executed, the rule has been received on the target and the specified peripheral device control is activated. You can now monitor what is happening concerning device management locally on each of the devices of your group. For this some device management activities need to be carried out on one of the devices, i.e. the master.

Once some power management activities are carried out on one of the devices you can monitor these as follows locally:

1 Open the node Device Topology->Master->Agent Configuration->Module Configuration->Windows Device Management.

2 This node displays in its first tab the configuration parameter concerning the event logging which was activated via the first operational rule.

3 Select the next tab, Rule List. Here you will find the list of all steps of the device rules that are assigned to the currently selected device. In our example there is only one rule yet, consisting of two steps. The first step, the rule reset step, will never appear in this list.

4 Now select the tab Events.
5 As we have activated event logging, every time a USB storage is connected to the device an event is logged in this table.
6 Connect the USB storage device to the master that was admitted in the second step. Execute some operations on it, copying, creating, deleting, etc.
7 Now connect another USB storage device to the master. The master will recognise the new hardware, it will be displayed in the Windows Device Manager window but not in the Windows Explorer, as it is unusable.

Depending on the operating system of the master, an error message might appear in the SysTray that an error occurred with the newly found device.

8 In addition an event is logged by the NAMP agent and displayed in the tab.

Step 2: Monitoring the Results on the Master

Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic and to view them in the console these events must be specifically uploaded to the master and its database. This is done via an operational rule:

1 Go to the Operational Rules top node in the left window pane.
2 Click on the Create Operational Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Resource Management Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the operational rule.
7 Go to the Steps tab.
8 Click the Add Step icon in the icon bar to add the first step.
9 The Select a Step popup window will appear on the screen.
10 It displays the list of available steps in its Available Steps box.

By default these events are configured to be uploaded to the master database every 24 hours, i.e. at midnight. If the agent is not running at this time the events will be uploaded at agent startup. If this schedule does not correspond to your requirements you may assign it a different schedule. You will find information on how to do so in the Configuration Management chapter earlier in this manual.

11 Double-click the Event Log Manager folder.
12 Select the step Upload Events and click the Add button.
13 The Properties dialog box appears on the screen.
14 From the Model Name dropdown list select the Windows Devices value and leave all other fields as they are.
15 Then click OK to confirm the parameters and OK again to confirm the new step.
16 The operational rule is now configured and must be assigned to the target, i.e. the group All Devices.
17 Go to the Assigned Objects->Device Groups node in the left window pane under your newly created operational rule.
18 Select the Assign Device Group icon in the icon bar.
19 A confirmation window appears on the screen. Click Yes to activate the operational rule automatically.
20 The Select a Device Group popup window will appear on the screen.
21 Select the group All Devices from the list.
22 Click OK to confirm the assignment.
23 Follow the execution of the operational rule under the assigned group.
24 Once the status is Executed for all members of the group, all data are uploaded.
25 To verify this go to the Events->Event Logs node of the master.
26 This node displays the list of all events registered by the event log models for the selected device group.

27 To display the device management events instead of the default software distribution events select Windows Devices from the Model Name dropdown list.

28 Then click the Find button.
29 The table below will now display all events that were uploaded and that continue to be uploaded.
30 Now all data are uploaded and ready and reports may be generated.
31 For more information on how to create and generate reports see chapter Reports Step-by-Step.

12.2 Options

The following paragraphs will provide you with a number of options that may be used to modify the operational rule application.

(a) Creating a Rule in a Specific Folder

When creating a new operational rule it may be directly created in a folder instead of under the Operational Rules top node, which is the default location. To do so proceed as follows:

1 To add it to another folder click the icon to the right of the Folder field (...).
2 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create a new folder.
   a To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy.
   b The Properties dialog box appears on the screen.
   c Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new application list folder.
3 Select the target folder and click the OK button to confirm, close the window and return to the original window.

(b) Allow all Devices of a Specific Manufacturer

Instead of limiting the usage to one specific USB key you may also limit the usage to all keys of a specific manufacturer, for example to those that your company provided to all those employees needing to exchange data. For this proceed as follows:

1 In the Properties dialog box enter the following values:
2 In the Filter Type field select the option Pattern.
3 Into the field Device Description Filter enter the part of the name that is common to all USB keys of the manufacturer, preceded and/or followed if necessary by the asterisk (*) wildcard character, e.g. *Cruzer*. This will allow all USB storages whose name includes Cruzer to be used on the managed devices.
4 Proceed with Point 14 (page 292) of the general procedure.
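
The rule list built in section 12.1.2 and its Option (b) variant, modelled as an added example (not part of the Numara manual and not NAMP code). It assumes that steps are evaluated top to bottom with the first matching step deciding, that `*` is the only wildcard, that matching is case-sensitive and that a device no step matches stays usable; the device names are constructed.

```python
"""Model of a USB storage rule list: first matching step decides (assumed)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXACT, PATTERN = "Exact Match", "Pattern"  # Filter Type options named in the manual


@dataclass(frozen=True)
class DeviceRule:
    authorise: bool          # state of the Authorise check box
    filter_type: str         # EXACT or PATTERN
    description_filter: str  # content of the Device Description Filter field

    def matches(self, text: str) -> bool:
        if self.filter_type == EXACT:
            return text == self.description_filter
        if self.filter_type == PATTERN:
            # ASSUMPTION: '*' is the only wildcard; everything else is literal.
            pieces = (re.escape(p) for p in self.description_filter.split("*"))
            return re.fullmatch(".*".join(pieces), text, re.DOTALL) is not None
        raise ValueError(f"unknown filter type: {self.filter_type!r}")


def evaluate(rules: List[DeviceRule], description: str) -> Tuple[bool, Optional[int]]:
    """Return (usable, index of the deciding step) for one device description."""
    for index, rule in enumerate(rules):
        if rule.matches(description):
            return rule.authorise, index
    return True, None  # ASSUMPTION: a device that no step matches stays usable


def shadowed_rules(rules: List[DeviceRule]) -> List[Tuple[int, int]]:
    """List (later, earlier) index pairs where the later step can never decide.

    An earlier filter covers a later one if it matches the later filter's text
    taken literally: whatever the later '*' expands to, the earlier '*' absorbs.
    """
    findings = []
    for later_i, later in enumerate(rules):
        later_is_wild = later.filter_type == PATTERN and "*" in later.description_filter
        for earlier_i, earlier in enumerate(rules[:later_i]):
            if earlier.filter_type == EXACT and later_is_wild:
                continue  # a single literal name cannot cover a wildcard filter
            if earlier.matches(later.description_filter):
                findings.append((later_i, earlier_i))
                break
    return findings


# Constructed device descriptions, as they might appear under Disk Drives.
ALLOWED_KEY = "SanDisk Cruzer USB Device"
OTHER_KEY = "Kingston DataTraveler 2.0 USB Device"

# Section 12.1.2: authorise one exact name, then forbid everything else.
MANUAL_ORDER = [
    DeviceRule(True, EXACT, ALLOWED_KEY),
    DeviceRule(False, PATTERN, "*"),
]
# Same two steps with the catch-all first: the authorise step is unreachable.
MISORDERED = list(reversed(MANUAL_ORDER))
# Option (b): authorise every description containing "Cruzer".
OPTION_B = [
    DeviceRule(True, PATTERN, "*Cruzer*"),
    DeviceRule(False, PATTERN, "*"),
]

if __name__ == "__main__":
    for name, rules in (("manual", MANUAL_ORDER), ("misordered", MISORDERED),
                        ("option b", OPTION_B)):
        print(name, "shadowed steps:", shadowed_rules(rules))
        for device in (ALLOWED_KEY, ALLOWED_KEY + " ", OTHER_KEY,
                       "SanDisk Cruzer Blade USB Device"):
            print(f"  {device!r:40} -> {evaluate(rules, device)}")
```

The trailing-space case shows why the exact name matters: a description that differs by one character falls through to the catch-all step and is refused.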

(c) Correct Device Name

When specifically allowing or forbidding the usage of a certain device peripheral the correct name under which the device will be registered in the Device Manager must be used. You can find the correct name thus:

1 Connect the device peripheral in question to a device.
2 Open the Computer Management window.
3 Open the Computer Management (local)->System->Device Manager node in the left window pane.
4 In the right window pane the local device will now be displayed with all its parameters.
5 Open the node Disk Drives.
6 Under this node you should find all hard disks of the device as well as any removable peripheral devices.
7 Copy the name that you find here for the desired peripheral exactly to the field Device Description Filter of the step.

13 Patch Management Step-by-Step

Today, network administrators everywhere are scrambling to secure their networks. One of the most potentially destructive security threats is unpatched computers. Keeping security patches up to date is one of the most effective solutions available. The Patch Management functionality of Numara Asset Management Platform, the Numara Patch Manager, is completely automated to make patching painless: it scans, remediates and reports on your whole network, all from the comfort of your own computer.

As shown in the graphic below, the patching process consists of the following individual steps:

1 Update the patch description file on the master and the clients
2 Create and execute the Patch Situation Analysis operational rule on the target device
3 Upload the patch inventory for the client population
4 Download missing patches from the Internet
5 Create the patch packages
6 Create the patch groups and have them send the missing patches to the target devices and install the patches.

[Figure: patching process diagram. Labels: Internet, ConfigFiles, Patch Manager, Master, ConfigFiles.cst, Patch Group, Patches, Patch Situation, Patch Inventory, Patch Packages, Target Client; steps numbered 1 to 6 (including 2b).]

By default the devices in the network are configured in such a way that the master will automatically update its patch description file every two days and the client agents will verify with the master at each startup if they are up-to-date. In case they are not, the master will then directly provide them with the newest patch description file. If these settings are not adapted to your needs, you will find the detailed procedure on how to modify these values at the end of this chapter. Our example procedure in this chapter is based on the assumption that both master and clients are up-to-date.

This chapter is divided into the following sections:

• Patching Your System
• Patch Reporting
• Patch Management Options

Prerequisites

To execute the examples provided in this chapter we assume that:

• the Microsoft XML parser MSXML 3.0 must be installed on all devices to be patched, i.e. on the master and any other target devices. For Windows XP and later it is already preinstalled.
• the master has access to the Internet
• the master is the Patch Manager
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the AMP console and its workings.

13.1 Patching Your System

Making sure your system is up-to-date concerning the available patches requires the following steps:

1 Update ConfigFiles on master and client
2 Create patch inventory operational rule
3 Assign operational rule to target
4 Monitor rule execution progress
5 Verify patch situation via the patch inventory
6 Execute Patch - Service Pack Distribution
7 Monitor Patch Application
8 Patch Reporting

In our main example in this chapter we will make sure that your master is correctly patched.

Step 1: Update ConfigFiles

Before any patch management is undertaken, make sure that the patch description group of files, ConfigFiles, is of the latest version. If you have left the standard settings of the Patch Management module this should be the case. However you may verify by proceeding as follows:

1 Open the Patch Management->Patch Manager->Patch Manager (master)->Configuration->Update node in the left window pane.

2 Select the ConfigFiles entry in the table in the right pane.
3 Select the Edit->Update ConfigFiles menu item or the respective icon in the icon bar.
4 A link with the web site will be established to download the newest version of the file.
5 It will then be parsed and the list of currently existing bulletins extracted and put into the tables of the respective nodes, and a custom package containing all the necessary information for the clients will be created and published to the master.

If the master device is installed on a Windows operating system it is by default also the Patch Manager; if the master is installed on any other operating system no Patch Manager is defined by default. In this case you need to define a Patch Manager as explained in Option (d) before starting on the procedure described below.

If you want to define another device as the Patch Manager please see Option (d).

To differently configure the Patch Manager update process see Option (h).

If you do not have an Internet connection on the master and need to manually update the Patch Manager see Option (i) now.

6 You can follow these steps via the Status column which will indicate the currently executing step.
7 Click the Refresh button repeatedly to see the status values changing, as this page does not refresh automatically.
8 The update process is finished when the Status column displays the status Database Up To Date.
9 Once the package has arrived on the master it will be sent to all devices according to the settings in the module.
10 If you have switched off this option you must manually create an operational rule and send the package to all the targets for which the patch inventory is to be established.

Step 2: Create Patch Inventory Operational Rule

The next step of patch management is to verify the patch situation of the individual devices in your network by establishing an inventory of the patches already installed on the device and those missing. This is done via an operational rule executed on your target devices. The first action to take is to create the operational rule.

1 To do so select the Operational Rules top node in the left window pane.
2 Click the Edit->Create Operational Rule menu item or the respective icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Patch Situation into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 Go to the Packages tab.
7 Either choose the Edit->Add Package menu item or click the respective icon in the icon bar.

8 The Select a Package dialog box opens on the screen. It displays the list of available packages in its display window.

9 Select the ConfigFiles.cst package and click OK to add it to the operational rule and close the window.

Before the patch situation is evaluated on a client it is recommended to always make sure that the client has the latest version of the ConfigFiles package installed. This group of files is the base on which the patch inventory is established. If you establish an inventory with an obsolete ConfigFiles you might miss newly released important patches.

10 Go back to the Steps tab. You will see that two steps were automatically added to the rule.

11 Select the Install Package step in the table.
12 Then click the Edit->Properties icon in the icon bar.
13 The Properties dialog box opens on the screen.
14 Select the option Stop on failed step for field Stop Condition.
15 Then click OK.
16 Now click the Add Step icon in the icon bar.
17 The Select a Step popup window will appear on the screen.
18 Double-click the Patch Management folder and select the Analyse Patch Situation step of this group.
19 Click the Add button to add the step to the list of Selected Objects.
20 The Properties dialog box will appear on the screen displaying the parameters to be defined.
21 Check the remaining options: Force Upload, Bypass Transfer Window.
22 Then click OK to close the window.
23 Click OK to add the step to the operational rule and close the Select a Step popup window.
24 The operational rule is now configured.

Step 3: Assign and Execute the Operational Rule Immediately

The operational rule is now created and must be assigned to the target devices; for our example here we will assign it to the group All Devices.

25 To assign the group select the Assign Device Group icon in the icon bar.

When a package is added to an operational rule the necessary steps are automatically added to the rule as well, i.e. a step to verify if the target has the right operating system on which the package is to be installed and the step to install the package itself.

26 A confirmation window appears on the screen. Click Yes, to activate the operational rule directly.

27 The Assign to Device Group popup window will appear on the screen.
28 Select the All Devices group from the list.
29 Then click OK to add it and close the window.
30 The patch process is started directly!

Step 4: Monitor Rule Execution Progress

In the right window pane of the Device Groups->Assigned Objects node you can see the entry for the assigned group with its status Activated. To follow the execution of the rule through the different statuses the process passes, select the All Client Devices without Firefox subnode. In the table to the right you should see all members of the group with the following successive status values:

• Assignment Waiting

• Assignment Sent

• Assigned

• Ready to run

• Executed

One of the following status values may be shown if the execution failed:

• Verification Failed - this status may appear, if for example the operating system of the target is of an unsupported type, e.g. Linux or Solaris.

If you want to schedule the execution of this rule at regular intervals, click No and see Option (b).

For more locations where you can monitor the patch distribution and location refer to Option (e).

At any moment you can use the Refresh button in the toolbar.

The bottom right counter tells you the seconds before the status is refreshed automatically.

Step 5: Verify Patch Situation via the Patch Inventory

Once the rule has successfully executed you can verify in the inventory which patches need to be applied. To do so proceed as follows:

1 Open node Device Topology->Relay->Inventory->Patch Inventory->Missing Patches.
2 Under this node all patch bulletins that are available for the master's operating system but have not been applied are displayed.

Step 6: Execute Patch - Service Pack Distribution

Once the patch inventory has identified the patches which are missing, they must be downloaded and applied.

Patch management offers a wizard via which the patch situation of a device may be directly remedied. In our example here we will use the Patch - Service Pack Distribution directly from the Patch Inventory/Missing Patches node of our Master.

Patch Management is generally done via the concept of patch groups; for more information on this please refer to the Numara Patch Manager manual.

1 Select a missing bulletin for the master in the table of the node Device Topology->Master->Inventory->Patch Inventory->Missing Patches.

2 Then select the Edit->Fix menu item in the menu bar.
3 If you have selected a patch that has been replaced by a more recent patch, the Superseded Patches window appears on the screen. It lists all patches in the inventory which have more recent versions. You have the choice here either to just continue, in which case the initial patch as well as the superseding patch will be installed, or to cancel and restart the fixing process by selecting the more recent patch version.

Step 6a: Fix Selection

The patch wizard appears on the screen with its first window. Here you need to define which type of wizard you want to use.

1 We will do the whole patching process, therefore check the option Download and Apply Patches.

The patch wizard is directly accessible from the main menu and other locations in the console as well: from the patch inventory of a device and a device group and as well from individual bulletins in the Patch Management node. Depending on the location from which you launch the wizard its window content and the window order might be different than the one explained below.

Please do not choose an MS Office patch for this first patch process! These patches require quite some additional information and configuring. You will find an example for an MS Office patch installation in the options.

You can verify what type of patch it is by checking the respective entry in the Affected Product column.

2 Then click Next to continue.

Step 6b: Patch Manager

In the next step the Patch Manager must be selected. Click Next as we only have one patch manager which is already preselected.

Step 6c: Patch Group

The following window is concerned with the patch groups. Patch application and installation in NAMP is executed via the concept of patch groups. These contain all necessary information of the respective bulletins and the patch executables. As no patch groups exist yet, the list in the window is empty and we must create one. Leave the preselected option and click Next to continue.

Step 6d: Patch Group Configuration

In the next step the new patch group must be configured. To do so proceed as follows:

1 Enter a name into the Name field, e.g. Relay Patches.

2 Then click Next to continue.

To create the new patch group in a specific folder refer to Option (g) now.

Step 6e: Patch Languages

The following step specifies the language of the patch to apply. Check the language of the operating system of your master, most probably English in our case. Click Next to continue.

Step 6f: Installation Parameters

In the next step of the wizard the patch group will be configured, i.e. the way the patches are installed. Make the following choices in this window:

In the Reboot Type box select the value Reboot after deployment. Be aware that if you do not reboot after installation when a reboot is expected by one of the patches installed, this patch will still be seen as missing even if you force a scan after install by the option below.

Check the Force patch inventory scan after install and Force patch inventory upload after install boxes. This will automatically reschedule the patch inventory generation, so you can verify if the patch was properly installed.

Under the Office Installation Parameters select No Office Patch Installation from the Office Install Type drop-down list.

Then click Next to continue.

Step 6g: Reboot OptionsAs we have selected to reboot the affected device after the patch installation we need to define the parameters for the safe reboot in the next window.

1 Make the following additional choices and modifications:Check the fields Reboot after Disconnection and Cancel Reboot.Enter the value 1 in both fields Countdown Timer Incrementation Value and Initial Countdown Timer.Enter 3 into the Countdown Timer Maximum Extension field.

A reboot may not be necessary, but to be sure it is always advisable to do so anyway. If the reboot is required by the patch and you have not selected this option, the patch will not be completely installed until the device is rebooted. Also, if no reboot is done, the patch inventory is not updated.

If you are applying and installing an MS Office patch please see Option (a) now.

2 Then click Next.

Step 6h: Schedule

The last step of the wizard concerns the scheduling of the patch installation on the target. As we want to start the patching process immediately, leave all values untouched and click Finish to confirm all defined options.

If you want to schedule the patching process at a specific later time see Option (c) now.

Step 6i: Activation

The last step is to directly activate the patch group and thus launch the patching process via the appearing window. If you do not directly activate you must go to the respective patch group and manually activate it at the desired time.

1 To directly go to the patch group selected or created in the wizard after the window has closed check the Go to Patch Group box. For our first test run we will check this box and click Yes to directly activate the patch group.

2 The patch application will now be launched and the installation is started.
3 The focus of the console will switch to the Master Patches patch group under the Patch Management node.

Step 7: Monitor Patch Application

Patch installation may be monitored via a number of different views. But first you need to give the devices in your group some time to receive the patches, install, reboot and execute a new patch inventory.

We are currently on the Relay Patches patch group under the Patch Management node from where we may follow the execution of the actual patch installation with its different stages.

1 Go to the Downloading Patches tab.
2 As long as the patch is listed in this window it is not yet assigned to the patch group. Once it has finished downloading it disappears here and is listed in the Patches tab.
3 Now go to the Assigned Objects->Devices node.
4 In the table to the right you will find the entry for the relay and you may follow the patching process in the view’s schedule Status column. The initial status is Affected and the final stage should be, as shown in the graphic below, Patch group successfully installed.

5 Once this status appears we may go to the History tab of the Patch Inventory node of the master (Device Topology->Master->Inventory->Patch Inventory). This tab displays a log of everything that happened to the inventory entries. For the patch inventory this means that once a patch has been fixed it will move from the Missing Patches node to this tab.
6 If this view is still empty, the patch inventory process is not yet finished. Keep refreshing the view.
7 Once the inventory is finished this view will display the entry we selected to be patched from the initial inventory.

To receive more information on the different locations for monitoring the patch application refer to Option (e).

13.2 Patch Reporting

Once data on the patch situation on individual devices and the network in general is available it may be summarised or detailed by reports. The NAMP console provides a number of report templates specifically for patch management, which will be explained in the following paragraphs.

We will create and generate some examples of the available templates. Depending on the content these reports may either be assigned to a device group or to a patch group. You may also create your own style-based reports as explained in the Report chapter earlier in this manual. For a detailed explanation on all available templates refer to chapter Numara Patch Manager Report Templates on page 159 of the Numara Patch Manager manual.

Report 1: Patch Deployment Status by Device

This report is already created via the out-of-the-box objects, ready to be assigned to a target and to be generated. Proceed as follows:

1 Open the Patches folder under the Reports node in the left window pane and select the report Patch Deployment Status by Device.

2 Go to its Assigned Objects->Device Groups node.
3 Either choose the Edit->Assign Device Group menu item or click the respective icon in the icon bar.
4 The Assign to Device Group popup window will appear on the screen.
5 Select the All Devices group from the window.
6 Click OK to confirm the assignment and close the window.
7 The device group will be added to the table of assigned device groups.
8 Then go back to the Patch Deployment Status by Device report node in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.

11 The report will be created immediately using the current data in the database concerning the assigned device group.

12 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
13 The generation of this type of report may take a little while, reselect therefore the icon until the report appears.
14 Enter again your login in the appearing window.
15 A new browser window or tab opens and displays the report.

This report displays an overview of the patch deployment situation per device of a device group including the following information:

Report 2: Patch Management Executive Summary

The next report needs to be created first before it can be generated. Proceed as follows:

1 Select the Patch Management Executive Summary in the left window pane.
2 Go to its Assigned Objects->Patch Groups node.
3 Either choose the Edit->Assign Patch Group menu item or click the respective icon in the icon bar.
4 The Assign a Patch Group popup window will appear on the screen.
5 Select the patch group that you created in the wizard from the window.
6 Click OK to confirm the assignment and close the window.
7 The patch group will be added to the table of assigned patch groups.
8 Then go back to the Patch Management Executive Summary report in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.
11 The report will be created immediately using the current data in the database concerning the assigned patch group.
12 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
13 The generation of this type of report may take a little while, reselect therefore the icon until the report appears.
14 Enter again your login in the appearing window.
15 A new browser window or tab opens and displays the report.

The report result which is generated will be put in all the required places according to the report's settings. This means it will be available under the Report Results node of the report, as well as under that of the device group it is assigned to.

This report provides an overview over different aspects of a specific patch group in form of a number of charts on the following different topics:

• Patch Severity Status
• Top 10 Vulnerable Devices
• Top 10 Missing Bulletins
• Top 10 Affected Product Families
• Top 10 Affected Products

Patch Severity Status

This first pie chart displays the classification of the distributed patches according to their severity.

Top 10 Vulnerable Devices

This bar chart displays a list of the 10 group members on which the most vulnerabilities were found with their respective count.

Top 10 Missing Bulletins

This bar chart displays the 10 bulletins which are missing most often on the group members and shows on how many each.

Top 10 Affected Product Families

This pie chart shows the distribution of the product families, the 10 most affected regarding the group members.

Top 10 Affected Products

This pie chart shows the distribution of the products, the 10 most affected regarding the group members.

13.3 Patch Management Options

The following paragraphs will provide you with a number of options that may be used to modify the patching processes.

(a) Install MS Office Patch

Microsoft Office patches require some very specific information to be entered in the patching wizard:

1 At Step 6: Point Step 6f: (page 308) select Full File Installation from the Office Install Type drop down box.

2 The fields below the drop down list become available now.
3 Enter the following values:

Path
Enter into this field the location of the MS Office Installation CD. This may be a local path, e.g. C:\patchex\MS\office\office2000 or it may be a network share, such as 192.155.1.24\CDSERVER\MSOFFICE2000.

User Name
If the CD location is on a device\share that requires identification you must enter here a user name with which it may be accessed. Otherwise you can leave the field empty.

Password
If identification is required enter here the password for the login specified above.

Product Name
This field needs to contain the exact name of the product to patch. To find the correct name check the respective entry in the Affected Product column of the patch inventory. Then click the Find button to the right and the Product List window opens on the screen. In this window choose the product name as mentioned in the Affected Product column. Click OK.

4 Then continue the process as described in the main procedure.

(b) Schedule the Patch Inventory Update Rule at Regular Intervals

When using the automatic activation a default schedule is assigned to the operational rule: immediate execution, once. In our case we will define a schedule first and then the assignment must be activated.

For our example of the Inventory Management rule it may be useful to run this rule at regular intervals, such as every day at start up, to have a most accurate view of the device’s situation. To do so proceed as follows:

1 At Step 3: Point 26 (page 303) answer No.
2 After Step 3: Point 29 (page 303) proceed as follows:
3 Select the master in the table in the right window pane.
4 To define the schedule either double-click the table entry or select the Properties icon in the icon bar.
5 The Properties window will open on the screen.
6 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.

Not automatically activating an assignment is of interest if a schedule other than the default schedule is to be used, or if the operational rule is to be advertised rather than assigned to a specific device or user. Advertising in this case means, that the operational rule will be available on the browser agent interface locally for further use.

7 In the Execution Date box define when to run the inventory collection. In our example we will select the Next Startup radio button to launch the inventory when the agent is started next.
8 Then go to the Termination box below, click the Run Forever radio button.
9 Now select the Frequency tab.
10 In the Period drop down field leave the value Once Only.

11 In the field appearing below select the time at which to execute the inventory collection, e.g., 03:00. To modify the minute value just click in the field with the selected value and change the value, e.g. to 03:30.

12 Leave all other fields as they are.
13 Click OK to confirm the new schedule and close the window.
14 The status will still display Assignment Paused, which means you need to activate the modified schedule.
15 Reselect the Inventory Management rule in the table and then activate it by selecting the Activate Operational Rule icon in the icon bar.
16 The status will change to Update Waiting.

Inventory collection might be quite resource consuming, thus it is advisable to run these rules when the network load is low, i.e. during the night, if the devices are not shut down.

(c) Schedule Patching Process at a Specific Time

To launch the patch assignment and/or installation and application not immediately as done in our main example but at some other time proceed as follows:

1 At Step 6: Point (page 310) modify your choices in the wizard window.
a For example to still immediately execute the patch group on the targets but assign it at a less busy time, such as lunch time mark the following:
• In the Select Assignment Date box check the Deferred to radio button and select Today from the drop-down field and then select 12:00 from the drop-down list in the at field.
• Leave the Immediately radio button selected in the Select Execution Date box.

b To assign the patch group during the night from Friday to Saturday and launch the installation at the next agent start up make the following selections:

• In the Select Assignment Date box check the Deferred to radio button and select the date of the next Saturday from the calendar, that appears when you click the little down arrow of the field. Then select 03:00 from the drop-down list in the at field.
• In the Select Execution Date box select the Next Startup radio button.

2 Then click the Finish button and continue with the next point of Step 6: of the main procedure.

(d) Define a Different Patch Manager

To be able to manage patches a device must be a Patch Manager. Any device may be a Patch Manager, it only must be defined as such. This may either be done in the properties of the device or in the Patch Management node. To add a device to the Patch Management as a Patch Manager proceed as follows:

1 Select the Patch Management->Patch Manager node in the left window pane.
2 Then either choose the Edit->Add Device menu item or click the respective icon in the icon bar.
3 The Add a new Patch Manager popup window will appear on the screen.
4 Select the All button in the left window bar and select the new device which is to be a Patch Manager from the list.

Assigning a patch group signifies that the patch packages will be sent to all targets. If the patch group contains several packages and maybe even large ones, it may be advisable to assign the group at a low network time, such as lunch time, during the night or even weekends.

5 Then click OK to add it and close the window.
6 The device will be added to the table of Patch Managers and its configuration parameter will be updated accordingly.

(e) Monitor Patch Application

Patch installation may be monitored via a number of different views. But first you need to give the devices in your group some time to receive the patches, install, reboot and execute a new patch inventory. Monitoring may be done via:

• The Assigned Operational Rules node of the device group or individual devices
• The Assigned Device Groups/Devices nodes of the patch group
• The Assigned Device Groups/Devices nodes of the packages contained in the patch group

Under these nodes you may follow the execution of the actual patch installation with its different stages in the Status columns.

• The All Bulletins and Applied Bulletins tab of the respective bulletins
• The Affected Devices tab of the respective bulletins
• The Bulletins by Year and Bulletins by Product node

Under these tabs and node you may see the number of affected devices regarding the product family/patch bulletin decrease as the patch installs on the targets and is thus no longer needed.

(f) Patch Inventory of a Device Group

Same as for individual devices, the patch inventory also exists for device groups. It is accessed via the same nodes as for an individual device. In our primary example we already generated the inventory for the group called Clients and Relays:

1 Select the Inventory->Patch Inventory->Missing Patches of the device group.
2 Under this node all patch bulletins that need to be applied to the currently selected device are displayed.
3 Then select the Missing Service Packs node.
4 The nodes of this view display all the service packs which are missing for at least one member device of the selected device group.

(g) Creating a Patch Group in a specific Folder

When creating a new patch group it may be directly created in a folder instead of under the Patch Management top node, which is the default location. To do so proceed as follows:

1 To add it to another folder click the icon to the right of the Folder field (...).
2 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new application list folder.
3 Select the target folder and click the OK button to confirm and to close the window and return to the original window.

(h) Automatic ConfigFiles Update

The ConfigFiles patch description file is a group of files that contains all information against which the patch situation of the local targets is compared. If this file is not up-to-date you may miss important new patches required by your devices. Updating the file includes downloading it, parsing the file, and creating a new custom package, ConfigFiles.cst, directly under the main Packages node. This package is required by the target clients to know which security updates they need to install.

You may configure the Numara Patch Manager in such a way as to regularly and automatically update this file on the master as well as the clients. This configuration is divided into the following operations:

Step 1: Patch Manager Configuration

The first step is to configure the master in such a way as to maintain its ConfigFiles file and the custom package constantly up-to-date. To do so proceed as follows:

1 Go to the Agent Configuration->Module Configuration node on the master and select the Patch Management node.

2 Fill in the following parameter:

Configuration Files Internet Download Delay
This value defines the delay in seconds at which the ConfigFiles will be automatically downloaded and updated to a Patch Manager. This value is only applicable to the Patch Manager, for all other devices this value should be set to 0 to deactivate the option. The ConfigFiles will only be downloaded if it is of a newer version than the version currently available on the Patch Manager or if the Force Parse parameter is activated. The default value is 0. Adapt this value to your requirements.

Step 2: Client Configuration

The next step is to define if and when the clients are to be automatically updated with the ConfigFiles package. You may either modify these values individually per client or you may create an operational rule to do so:

1 The first step here is to create the target group for the operational rule. For this we create the query collecting the targets. To do so go to the Queries node and create a new query.
2 Select the Edit->Create Query menu item or the respective icon in the icon bar.
3 Enter the desired data into the following two fields and leave all others untouched.

Name
Enter the name of the new query into this field, use Patch Targets for this case.

4 Go to the Criteria tab of the new query.
5 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion menu item or click the respective icon in the icon bar.
6 The Select Criterion popup window will appear on the screen. It displays the list of available criteria.

7 Select the criterion Patch Manager and then check the Value box in the Criterion Description box.
8 Then click the Add button, to add the criterion to the list.
9 Now select the criterion Topology Type from the list and click the Search button in Criterion Description box.
10 The Search Criteria window appears on the screen. It displays all existing topology types.
11 Select the option Master and click OK.
12 The selected option will now be displayed in the Value field of the Criterion Description box.
13 Click the Add button, to add the criterion to the query.
14 Then click OK, to confirm the content of the new query and to close the window.
15 In the table in the right window pane you can now see all the defined criteria.
16 Activate the query.
17 Reselect the new query in the tree hierarchy in the left window pane.
18 Then either select the Edit->Create Device Group or select the respective icon in the toolbar.
19 If you go now to the Device Groups node you will find the new group called Patch Targets directly under it with the population defined by the query.
20 Now the operational rule must be created. To do so go to the Operational Rules node in the left window pane.
21 Click on the Create Operational Rule icon in the icon bar. The Properties dialog box appears on the screen.
22 Enter a descriptive name in the Name field, for example, ConfigFiles Update.
23 Go to the new rule’s Steps tab.
24 Click the Add Step icon in the icon bar. The Select a Step popup window will appear on the screen.

25 Select the Agent Configuration folder and select below the step called Patch Management Module Setup and click the to-the-right button.
26 The Properties window appears on the screen displaying all available parameters.
27 Modify the following values to your requirements:

Update Configuration Files at Startup
This parameter defines if the local agent will verify with the master if its ConfigFiles are up-to-date at agent startup and if not receive them. By default this option is set to Yes, verify and update.

Interval Before Patch Inventory Update
This value defines the delay in seconds to wait for a possible update to arrive before any operations, such as a patch inventory or a patch installation, are executed. The default value is 300 seconds or 5 minutes.

28 Click the OK button to confirm the modifications.
29 Then assign the operational rule to the group Patch Targets via the Device Groups under the Assigned Objects node.
30 Once the operational rule is executed on all devices the new settings will become valid.

(i) Manual ConfigFiles Update

The ConfigFiles patch description file is a group of files that contains all information against which the patch situation of the local targets is compared. If this file is not up-to-date you may miss important new patches required by your devices. Updating the file includes downloading it, parsing the file, and creating a new custom package, ConfigFiles.cst, directly under the main Packages node. This package is required by the target clients to know which security updates they need to install.

If your Patch Manager does not have a permanent Internet connection it cannot use the automatic update procedure detailed in the previous paragraph; instead it must be updated manually at regular intervals. To be able to update, at least one device within your network must have at least a temporary Internet connection to download the newest ConfigFiles update file with which to bring your Patch Manager and all clients up-to-date. To manually update proceed as follows:

Step 1: Patch Manager Configuration

The first step is to configure the Patch Manager so that it allows for the manual update procedure. To do so proceed as follows:

1 Go to the Patch Management -><Patch Manager> ->Configuration ->Update node.
2 Select the Edit->Properties menu item or the respective icon in the icon bar.
3 The Properties window appears on the screen.
4 Select the Local Update radio button in the Update Type box.
5 Click OK to confirm the modification and to close the window.

Step 2: Manually Download ConfigFiles

Now the ConfigFiles need to be downloaded from the Internet and saved on the Patch Manager device:

1 On the Patch Manager device verify that the following directory exists, if this is not the case create it:
<InstallDirectory>\data\PatchManagementPremium\update

2 Now you need to download the following files from the Shavlik web site and save them in the directory listed above:
http://xml.shavlik.com/data/hfnetchk5.cab
http://xml.shavlik.com/data/hfnetchk6b.cab
http://xml.shavlik.com/data/PD5.cab
http://xml.shavlik.com/data/CL5.cab

Step 3: Update Patch Manager

Now that the new versions of the ConfigFiles are locally available the Patch Manager must be updated:

1 Go again to the Patch Management -><Patch Manager> ->Configuration ->Update node.
2 Select the Edit->Update ConfigFiles menu item or the respective icon in the icon bar.
3 The update process will now search the new ConfigFiles in the local update directory. It will then parse these files and the list of currently existing bulletins will be extracted, put into the tables of the respective nodes and create a custom package containing all the necessary information for the clients which will be published to the master.
4 You can follow these steps via the Status column which will indicate the currently executing step.
5 Click the Refresh button repeatedly to see the status values changing, as this page does not refresh automatically.
6 The update process is finished when the Status column displays the status Database Up To Date.
7 Once the package has arrived on the master it will be sent to all devices according to the settings in the module.
8 If you have switched off this option you must manually create an operational rule and send the package to all the targets for which the patch inventory is to be established as explained in the option above.
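A pre-flight check for the manual update procedure above, added here as an example (it is not part of the Numara manual or product): it confirms that the four files named in Step 2 are present in the update directory and are complete Microsoft cabinet files, and it records SHA-256 digests so the copies on the download device and on the Patch Manager can be compared. The function names and the constructed sample cabinet are assumptions made for the example.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# File names taken from the four download URLs listed in Step 2.
EXPECTED_FILES = ("hfnetchk5.cab", "hfnetchk6b.cab", "PD5.cab", "CL5.cab")

CAB_SIGNATURE = b"MSCF"   # first four bytes of every cabinet file
CAB_HEADER_LEN = 36       # fixed part of the cabinet header (CFHEADER)


def check_cab(path):
    """Return (status, sha256_hex) for one file; the digest is None if it is missing."""
    path = Path(path)
    if not path.is_file():
        return ("missing", None)
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    if len(data) < CAB_HEADER_LEN or data[:4] != CAB_SIGNATURE:
        # Typical for an HTML error or proxy page saved under a .cab name.
        return ("not a cabinet file", digest)
    # cbCabinet: cabinet size in bytes, little-endian 32-bit field at offset 8.
    (declared,) = struct.unpack_from("<I", data, 8)
    if len(data) < declared:
        return (f"truncated ({len(data)} of {declared} bytes)", digest)
    # A file longer than cbCabinet is accepted: data may follow the cabinet.
    return ("ok", digest)


def check_update_dir(update_dir):
    """Check every expected ConfigFiles cabinet in the local update directory."""
    update_dir = Path(update_dir)
    return {name: check_cab(update_dir / name) for name in EXPECTED_FILES}


def ready_for_update(report):
    """True only if all four files are present and structurally complete."""
    return all(status == "ok" for status, _ in report.values())


def changed_in_transfer(downloaded, staged):
    """Names whose digest on the Patch Manager differs from the download device."""
    return sorted(
        name for name in EXPECTED_FILES
        if downloaded[name][1] is None or downloaded[name][1] != staged[name][1]
    )


def make_sample_cab(payload_len):
    """Constructed sample: a minimal cabinet header plus zero padding (not real data)."""
    total = CAB_HEADER_LEN + payload_len
    header = struct.pack("<4sIIIIIBBHHHHH", CAB_SIGNATURE, 0, total, 0,
                         CAB_HEADER_LEN, 0, 3, 1, 0, 0, 0, 0, 0)
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    # Constructed demo directory standing in for the update directory of Step 2.
    with tempfile.TemporaryDirectory() as tmp:
        update_dir = Path(tmp)
        sample = make_sample_cab(64)
        (update_dir / "hfnetchk5.cab").write_bytes(sample)
        (update_dir / "hfnetchk6b.cab").write_bytes(sample[:50])   # cut-off download
        (update_dir / "PD5.cab").write_bytes(b"<html>error page</html>" + b" " * 40)
        # CL5.cab is deliberately left out.
        report = check_update_dir(update_dir)
        for name, (status, digest) in report.items():
            print(f"{name:16} {status:32} {digest or '-'}")
        print("ready for Update ConfigFiles:", ready_for_update(report))
```

Run check_update_dir on the device that downloaded the files and again on the Patch Manager after the transfer; because the listed URLs are plain HTTP, a digest mismatch or a truncated file is worth resolving before selecting Update ConfigFiles.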

14 Vulnerability Management Step-by-Step

Faced with the exponential growth in the number of security vulnerabilities, and the increasing complexity of information systems, an automatic analytical solution is essential for effective operational risk management. The Numara Vulnerability Manager is a non-intrusive vulnerability scanner that is able to scan all devices with an IP address. It then uploads all collected information to the database and makes it available via the NAMP console.

As shown in the graphic below, the vulnerability process consists of the following individual steps:

1 Update the master and scanner with the latest vulnerability version via the VM Updater
2 Create and launch scan on target and upload the collected information to the database and display in the inventory and vulnerability groups
3 Create the vulnerability groups
4 Fix vulnerabilities via existing patches or other fixes:
a Download available patches
b Apply patches to the targets

[Figure: the vulnerability management process. Labels: Internet, VM Updater, Master, Scanner, Target Client, Device Scan, Scan Inventory, Vulnerability Group, Update, Patches; step markers 1, 2a, 2b, 3, 4a, 4b]

Vulnerability scans may be executed on any device, it is not necessary that the scanned device has the NAMP agent installed.

This chapter is divided into the following sections:

• Making Your System Secure
• Vulnerability Reporting
• Vulnerability Management Options

Prerequisites

To execute the examples provided in this chapter we assume that:

To be able to remedy the vulnerability situation via the installing of patches, as explained in the second part of this chapter you also need the Numara Patch Management license. For trial purposes this license is included in the temporary license.

• that you have the Patch Management License as well as the Vulnerability Management license. The PM license is required for resolving vulnerabilities of which the fix is provided by a Microsoft bulletin,

• the operating system of the scanner device is Windows 2000 (minimum Service Pack 4), Windows XP, Windows 2003, Windows Vista, Windows 2008 or Linux RHEL 3, 4 and 5, SUSE 10, CentOS 4.3, Debian 4.0 or later versions
• the master/scanner has an internet connection,
• the master/scanner is connected via Ethernet, it MUST NOT use a wireless connection,
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the NAMP console and its workings.
• You have also already familiarised yourself with the Numara Patch Management in the preceding chapter as this is an integral part of vulnerability remediation.

14.1 Making Your System Secure

In our base example we will scan a number of devices with the NAMP agent installed and repair one of these XP clients installed in our network. Contrary to the patch management we are not scanning our master, as this is not possible - the master is currently our scanner and the scanner cannot scan itself.

1 Update Vulnerability Database on the master and scanner
2 Create scan via the Vulnerability Scan wizard
3 Monitor scan progress
4 Verify vulnerability situation via the vulnerability inventory
5 Fix a Microsoft vulnerability
6 Monitor vulnerability/patch application

14.1.1 Update Master and Scanner with latest Vulnerability Version

The first step when scanning your network is to configure the update process and launch it. It is important that the base for the vulnerability testing is always as up-to-date as possible, otherwise the scan might not find the newest known vulnerabilities, which may be critical to your environment.

To update the master and scanner proceed as follows:

1 Open the Vulnerability Management->Configuration->Update node in the left window pane.
2 The Status tab in the right window pane displays in its columns Status and Version that the master and scanner are not up to date, indicated by the status To Be Checked and an empty version number field.
3 Also the scanners listed in the bottom half of the window will show a yellow flag with status Requested, to indicate that they are not up to date.

The master is by default defined as a scanner. Refer to Option (h) to define another device as the scanner.

This step may be automated via the configuration options. For information on how to do so proceed to Option (k).

4 Select an entry and then choose the Edit->Check for Update menu item or the respective icon in the icon bar.

5 The field Update Status will now indicate if the vulnerability base files need updating (status Out of Date) and the field Available Version displays the number of the currently latest version of the respective file.

6 Now select the Edit->Update Now menu item or the respective icon in the icon bar.
7 A link with the Update Server will be established to download the newest available version.
8 All necessary information has been recovered by the master and is then downloaded to all defined scanners when the status displays Up to Date and the overall status displays a green flag.

14.1.2 Create a Vulnerability Scan

Now that all information required to execute a scan has arrived on the scanner the scanning operation of a device may be launched. This is done via the Vulnerability Detection.

1 From anywhere in the console select the Wizards->Vulnerability Detection menu item.
2 The wizard appears on the screen with its first window.

Step 1: Vulnerability Detection Wizard

In the first window the scanner must be selected. In our case we have only one scanner defined which is preselected in this window. Therefore just click Next.

Step 2: Scan

In the second wizard window you can give a unique descriptive name to the scan. To do so enter Test Scan into the Name field in the Scan box.

Numara Vulnerability Manager has several wizards which are available from a number of locations; for example, the Vulnerability Detection wizard is accessible everywhere from the Wizard menu, but also from the Assigned Scans node under the scanner.

To create the new scan in a specific folder refer to Option (j) now.


Click Next.

Step 3: Scan Configuration Selection

The Scan Configuration Selection window appears on the screen. In this window you may either select an already existing scan configuration or specify to create a new one. As there are no configurations defined yet, leave the selection as it is and click Next to continue with the definition of the configuration.

Step 4: Scan Configuration

Next the new scan configuration must be defined in the Scan Configuration box:


1 Enter a name into the Name field: Test Scan.

2 Click Next.

Step 5: Protocols and Phases

This step defines the protocols to verify and phases to execute. It is not absolutely required to specify a set of credentials; however, for an authenticated scan it is recommended and will also provide more extensive results.

1 Select the SMB protocol and click the Add Credentials button to the right.

2 The Credentials box is displayed in the wizard window.

3 To add a new user identification click the Add button at the bottom.

4 A Properties window appears on the screen.

5 Enter the login name and the corresponding password in the respective fields, and re-enter the password for confirmation.

6 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now be displayed in clear text format.

7 To confirm the new user account click the OK button at the bottom of the window.

8 The account will be added to the list in the right window part.

9 The default settings in this window are specified to execute a complete vulnerability assessment scan. Therefore leave all options as they are in the Phases box below.

10 Click Next.

To create the new scan configuration in a specific folder refer to Option (j) now.


Step 6: Port List

The next step defines which ports are to be scanned. A number of predefined port lists are delivered with the software and installed by default; we may therefore use one of those.

1 Select the Use existing port list radio button.

2 The list below displaying all existing port lists becomes available.

3 As we are only scanning one device we may select the option Ports referenced by Numara Software for TCP.

You may select to check for TCP and UDP ports; however, UDP port checking takes a relatively long time. Click the TCP checkbox next to the field in the first line, then click Next.

To create a new port list refer to Option (i) now.


Step 7: Target List

In the next window, the target list that is to be scanned is defined. Here you may specify whether an existing target list is to be used or a new one should be created. As there are no target lists defined yet, leave the preselected value and click Next to continue with the target list configuration.

Step 8: Target List Configuration

This step defines the target device to scan. First enter a name again, e.g. Test Scan Targets. To select the target devices there are several methods available. As we are scanning devices which have the NAMP agent installed, we will use the general device selection method.


1 Therefore select the Add Existing Device menu item or the respective icon.

2 The Select a Device window opens, which provides you with the different methods to choose the target device.

3 Select the All button in the left window bar.

4 The box now displays the list of all devices which are currently part of your Numara network. Select the device to be scanned, e.g., the relay, and click OK to add it to the target list.

5 Click Next to go to the next step.

Step 9: Schedule

The next step is concerned with the scheduling of the scan. Leave the window as it is and click Finish to confirm all scan definitions.

To scan a device or devices on which no NAMP agent is installed yet, refer to Option (b) now.

To create the new target list in a specific folder refer to Option (j) now.


1 A confirmation window appears on the screen.

2 Check the Go to Scan box to move the focus of the console to the scan you just created for monitoring its progress and click Yes to confirm the immediate activation of the scan.

3 The focus of the console is moved to the newly created scan.

14.1.3 Monitor the Scan Process

The scanning process is now under way and may be monitored under the Scanners node.

1 Select the Vulnerability Management->Scanners->Master->Assigned Scans node.

2 In the table to the right you will find the entry of the scan we just created via the wizard.

3 Select the Scan Information tab.

4 You can follow the execution process of this scan via the Status column, which starts with Assignment Waiting. Then it will go through all the respective stages and will display Executed once the scan of the target device is finished.

5 Once the scan status is Execution Scheduled you may also double-click the scan entry and then select its Sessions tab, in which you may see some more information regarding the scan details.

To schedule the scan at regular intervals refer to Option (g) now.


In this view you can see the following information regarding the executing scan:

Target
The fields of this column display the names of the device targets. There will be an entry for each target of each currently executing scan, no matter its status.

Status
These fields display the status of the respective target. For more information on the possible states refer to chapter Status Reference of the Numara® Asset Management Platform Reference.

Stage
This field indicates which phase of the scan tests the session is currently executing. Depending on this value other values of this table are filled in.

Information
The number of information items the scan has retrieved. This number starts increasing as soon as the phase Initialisation has finished.

Pending Actions
This is the number of actions which are waiting to execute. An action may be pending because it has not yet received information it requires, such as the host name which is delivered by the preceding action, or because the maximum number of simultaneously executing actions is currently reached.

Executing Actions
This is the number of currently running scanning actions.

Vulnerabilities
This number displays the number of vulnerabilities the scan finds. It will only start increasing once the execution stage has arrived at Vulnerability Detection.

Start Time
The date and time at which the scanning session was started on the target client.

End Time
The date and time at which the session finished.

Duration
The total time the session needed to execute in the regular time format hh:mm:ss.

14.1.4 Verify Vulnerability Situation via the Vulnerability Inventory

Once the scan is finished the results found by the scan must be interpreted before taking measures to button up the security holes. There are several locations to verify the situation of a device, a group of devices or even your whole network. For our first example we will do so via the Vulnerability Inventory of one of the scanned devices.

1 Open the node Device Topology->...-><Device>->Inventory->Vulnerability Inventory->Vulnerabilities.

The Vulnerability situation may also be investigated via the vulnerability inventory of a device group, the Vulnerability Groups node of the Numara Vulnerability Manager and the Last Results node under the Assigned Scans. See Option (d) for more details.


2 Under this node all vulnerabilities that were found for the device are listed.

3 For more information on the presented information refer to the Numara Vulnerability Manager manual.

14.1.5 Fix Vulnerabilities

Vulnerability fixing in NAMP is done via the Fix Vulnerability wizard, which is available from all locations at which the vulnerability situation of an object is detailed. For our first example here we will fix a Microsoft vulnerability that has a bulletin available.

To fix a vulnerability from the inventory node of a device proceed as follows:

1 In the table of the Vulnerabilities node select a vulnerability for which a Microsoft bulletin is available in the table in the right window pane.

Available Microsoft Patches are listed in the Vendor ID column and have the format MS<Year>-<BulletinNumber>.

Do NOT use a patch applicable to MS Office; these require specific parameters which are explained under Option (a) of the Patch Step-by-Step chapter. You can see if a patch is applicable to MS Office in the Title of the vulnerability.

To fix a vulnerability without an available Bulletin or Vendor ID refer to Option (c) now.

Vulnerabilities may also be fixed via the Vulnerability Groups node of the Numara Vulnerability Manager. See Option (e) for more details.


2 Select the Edit->Fix Vulnerability menu item or the respective icon in the icon bar.

3 The Fix Vulnerability Wizard opens on the screen.

Step 1: Fix Selection

In the first window of the wizard you define how you want to fix the selected vulnerabilities. Check the Download and Apply Patches option.

Contrary to the Vulnerability Detection wizard, this wizard does not have the vulnerability-red side bar. This is because the actual vulnerability remediation is executed by the patching process and therefore by the patch wizard, which is PM-blue.

For more information on the Download Patches wizard refer to chapter Patch Management step-by-step where the wizard is explained in detail.


If you have selected a patch that has been superseded by a more recent patch, the Superseded Patches window appears on the screen. It lists all patches in the inventory which have more recent versions. You may either continue, in which case the initial patch as well as the superseding patch will be installed, or cancel and restart the fixing process by selecting the more recent patch version.

Step 2: Patch Manager

The first window of the actual patching wizard is the Patch Manager window. In this step you select the Patch Manager which is to manage the patching process for the selected patches. If you have not yet done the optional exercises of the patch management chapter, this window will only display the predefined and selected master; otherwise you will find your list of patch managers here. Select the master.


Click Next to go to the next window.

Step 3: Patch Group

In this step the patch group must be defined via which the patching of the target devices is to be done. For our example we will create a new patch group. Leave the preselected option and click Next to continue.

Step 4: Patch Group Configuration

In the next step the new patch group must be configured. To do so proceed as follows:

1 Enter the name Vulnerability Patch Group (Test Scan) in the Name field.


2 Then click Next to continue.

Step 5: Patch Parameters

In the next window the Patch Parameters are defined. Leave all values as they are.

To create the new patch group in a specific folder refer to Option (j) now.


Step 6: Patch Languages

The following window defines the languages in which the patch is to be downloaded and applied. This language choice depends on the language of your operating system: if it is English or any language not available in the displayed list, check the box next to English; otherwise select the language of your OS.

Then click Next.

Step 7: Patch Installation Parameters

The next wizard window is concerned with the Patch Installation Parameters.

1 Make the following choices in this window:

• In the Reboot Type box select the value Reboot after deployment. Be aware that if you do not reboot after installation when a reboot is expected by one of the patches installed, this patch will still be seen as missing even if you force a scan after install by the option below.

• Check the Force patch inventory scan after install and Force patch inventory upload after install boxes. This will automatically reschedule the patch inventory generation, so you can verify if the patch was properly installed.

• Under the Office Installation Parameters select No Office Patch Installation from the Office Install Type drop-down list.


2 Then click Next.

Step 8: Reboot Options

As we have selected to reboot the affected device after the patch installation, we need to define the parameters for the safe reboot in the next window.

1 Make the following additional choices and modifications:

• Check the fields Reboot after Disconnection and Cancel Reboot.

• Enter the value 1 in both fields Countdown Timer Incrementation Value and Initial Countdown Timer.

• Enter 3 into the Countdown Timer Maximum Extension field. This value defines the maximum interval the countdown timer may be extended. If, for example, the initial value is 2 minutes, the user may extend it by 2 minutes each time, and this value is set to 5 minutes, the user may extend the countdown once: 2 min initial + 2*2 min extension makes 6 minutes, which is higher than the defined 5 minutes. The default value of this option is 5 minutes.


2 Then click Next.

Step 9: Schedule

The final window of the wizard concerns the scheduling of the assignment and execution of the patch application. Leave all values as they are and click the Finish button to confirm all choices.


Step 10: Confirmation

The last option provided by the vulnerability fixing wizard is to directly activate the patch group and thus launch the patching process. If you do not directly activate it, you must go to the respective patch group and manually activate it at the desired time. For our first test run we will check the option Go to Patch Group and click Yes to directly activate the patch group and start the patch installation procedure.

14.1.6 Monitor Vulnerability/Patch Application

Patch installation for vulnerabilities may be monitored via a number of different views. But first you need to give the device some time to receive the patch, install and reboot. For our example here we will be monitoring the installation via the patch group.

Since we have checked the option Go to Patch Group our focus in the console is now under the Patch Management node at the Vulnerability Patch Group (Test Scan) from where we may follow the execution of the actual patch installation with its different stages in the Status columns.

1 Go to the Assigned Objects->Devices node.

2 In the table to the right you will find the entry for the master and you may follow the patching process in the view’s Status column. The initial status, as with all operational rules, is Assignment Waiting, and the final stage should be, as shown in the graphic below, Patch group successfully installed.

3 Once this status appears we may go to the History tab of the Patch Inventory node of the device. This tab displays a sort of log of everything that happened to the inventory entries. For the patch inventory this means that once a patch has been fixed it will move from the Patch Management node to this tab.

4 If this view is still empty, this means that the patch inventory process is not yet finished. Keep refreshing the view.

5 Once the inventory is finished this view will display the entry we selected to be patched from the initial inventory.

If the remedied bulletin does not appear in this tab, it may be because the patch inventory process, contrary to the vulnerability scan, did not find this patch missing. It was therefore not included in the patch inventory and cannot be displayed as removed now because it is no longer missing.


The remedied situation is also visible under the Vulnerability Inventory node of the device.

1 To display the remedied situation you first need to rerun the scan, as this is, contrary to patch management, not automatically relaunched by an option.

2 To do so go to the Vulnerability Management->Scanners-><Scanner>->Assigned Scans node.

3 Select the Test Scan entry in the table to the right.

4 Select the Edit->Reassign Scan menu item or the respective icon in the icon bar.

5 The status of the scan will turn to Reassignment Waiting to indicate that the scan is now being reassigned and it will execute according to the defined schedule.

6 Continue with Step 3 to monitor the scanning process again.

7 Once the scan is finished and has uploaded its information go to the Vulnerability Inventory->Vulnerabilities node of the device.

8 There check the inventory listed. You will NOT find the installed patch in this list anymore.

14.1.7 Vulnerability Reporting

Once data on the vulnerability situation on individual devices and the network in general is available it may be summarised or detailed by reports. The NAMP console provides a number of report templates specifically for vulnerability management, which will be explained in the following paragraphs.

We will create and generate some examples of the available templates. You may also create your own style-based reports as explained in the Report chapter earlier in this manual. For a detailed explanation of all available templates refer to chapter Numara Vulnerability Manager Report Templates on page 223 of the Numara Vulnerability Manager manual.

Report 1: Situation by Vulnerability

The first report was already created in the Reports chapter; it only remains to be generated. Proceed as follows:

1 Open the main Reports node in the left pane and select the Situation by Vulnerability report below.

2 Go to its Assigned Objects->Vulnerability Groups node.

3 Either choose the Edit->Assign Vulnerability Group menu item or click the respective icon in the icon bar.

4 The Assign a Vulnerability Group popup window will appear on the screen.

5 Select the Test Scan group from the window.


6 Click OK to confirm the assignment and close the window.

7 The vulnerability group will be added to the table of assigned vulnerability groups.

8 Then go back to the Situation by Vulnerability report in the left window pane.

9 Select the Edit->Generate Report menu item or the respective icon in the icon bar.

10 A confirmation window appears on the screen; click the OK button to confirm.

11 The report will be created immediately using the current data in the database concerning the assigned vulnerability group.

12 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.

13 The generation of this type of report may take a little while; therefore reselect the icon until the report appears.

14 Enter your login again in the window that appears.

15 A new browser window or tab opens and displays the report. This report displays the situation of a part of your network by vulnerability. The target group for the vulnerability analysis was defined via the target list, which also defines the members of the vulnerability group.

This report displays all vulnerabilities by vulnerability group. It is divided into the following parts:

Group Details
This first section displays the settings and parameter values defined for the vulnerability group.

Device List
This section is represented in the form of a table which lists all devices that are part of the respective vulnerability group.

Vulnerability List
This section displays the list of vulnerabilities found on at least one target of the respective vulnerability group with some additional information on the vulnerability.

The report result which is generated will be put in all the required places according to the reports settings. This means it will be available under the Report Results node of the report, as well as under that of the vulnerability group it is assigned to.


Details regarding the identified vulnerabilities
This last part of the report displays two tables for each vulnerability found on the device. The information displayed in these tables is the same as in the advisories of the respective vulnerability.


Report 2: Display by Device

This report is also already created via the out-of-the-box objects, ready to be assigned to a target and to be generated. Proceed as follows:

1 Open the Vulnerability folder under the Reports node in the left window pane and select the report Display by Device.

2 Go to its Assigned Objects->Vulnerability Groups node.

3 Either choose the Edit->Assign Vulnerability Group menu item or click the respective icon in the icon bar.

4 The Assign a Vulnerability Group popup window will appear on the screen.

5 Select the Test Scan group from the window.

6 Click OK to confirm the assignment and close the window.

7 The vulnerability group will be added to the table of assigned vulnerability groups.

8 Then go back to the Display by Device report in the left window pane.

9 Select the Edit->Generate Report menu item or the respective icon in the icon bar.

10 A confirmation window appears on the screen; click the OK button to confirm.

11 The report will be created immediately using the current data in the database concerning the assigned vulnerability group.

12 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.

13 The generation of this type of report may take a little while; therefore reselect the icon until the report appears.

14 Enter your login again in the window that appears.

15 A new browser window or tab opens and displays the report. This report displays the situation of a part of your network by vulnerability. The target group for the vulnerability analysis was defined via the target list, which also defines the members of the vulnerability group.

These reports may be generated at regular intervals to provide an overview of the general development of your network. See Option (d) of the Reports chapter.


This report shows a technical summary by device and allows you to quickly see all information of all devices that are members of our test scan vulnerability group.

Device List
This section is represented in the form of a table which lists all devices that are part of the respective vulnerability group.

Device Details
This second part provides more detailed information on the devices via the following different tables per device:

• Device Details - this table shows all the general information on the device itself, regarding its vulnerability situation and group membership.

• Open Ports - this table lists all the ports which were found open on the device with some additional information on the ports.

• List of Identified Vulnerabilities - this third table displays the list of vulnerabilities that were found on the device with some additional information on these.

• List of all Possible Vulnerabilities - this last table provides the list of vulnerabilities which were found on the device but may actually not be vulnerabilities.

Details regarding the identified vulnerabilities
This last part of the report displays two tables for each vulnerability found on the device. The information displayed in these tables is the same as in the advisories of the respective vulnerability.


14.2 Vulnerability Management Options

The following paragraphs will provide you with a number of options that may be used to modify the vulnerability and patching processes.

(a) Add Target Devices without NAMP Agent to Scan

If you have already created your scan and would now like to add another device to the scan’s target list before rescheduling, proceed as follows:

1 Open the node Vulnerability Management->Configuration->Targets->Test Scan Targets.

2 Go to its Members tab.

3 Select the Edit->Add Members menu item or the respective icon.

4 The Add an Address Range window opens on the screen.

5 Enter the IP address of a device without a NAMP agent installed into the field.

6 Click OK to add the device to the target list.

7 Now that the target list has been updated the scan must be reassigned to apply the modifications to the assigned scan.

8 Go to the Vulnerability Management->Scanners-><Scanner>->Assigned Scans->Test Scan node.

9 Select the Assigned Schedule tab in the right window pane.


10 Select the scan entry in the view.

11 Select the Edit->Reassign Scan menu item or the respective icon in the icon bar.

12 The status of the scan will turn to Reassignment Waiting to indicate that the scan is now being reassigned and it will execute according to the defined schedule.

13 Continue with Point 14.1.3 (page 334) to monitor the scanning process again.

(b) Verifying and Patching Systems without the NAMP Agent Installed

The Numara Vulnerability Scanner may scan all devices of your network, including those that do not have a NAMP agent installed, in the same way as any device with a NAMP agent:

1 At Point 14.1.2 (page 327) Step 8: (page 332), select the Add Members icon in the Target List Configuration window of the wizard.

2 The Add an Address Range window opens on the screen.

3 Enter the IP address of a device without a NAMP agent installed into the field.

4 Click OK to add the device to the target list.

5 Continue with Point 14.1.2 (page 327) Step 9: (page 333) of the main procedure.

The inventory and fixing process, however, is different for these devices: it is only possible via Vulnerability Groups. For this refer to Option (e).

(c) Fix Vulnerability without Vendor ID

There are a number of different possibilities for fixing vulnerabilities, such as patch bulletins for Microsoft vulnerabilities, or manual solutions that need to be applied directly at the respective device, such as the modification of login and password, etc.

To fix the vulnerabilities for which no Microsoft Vendor ID or bulletin exists you have two choices:

• Send an e-mail to the team member in charge of resolving such vulnerabilities

• Create a task for this team member in the NAMP console.

1 At Point 14.1.5 (page 336) select a vulnerability without Vendor ID.

2 To fix the problem select the Fix Vulnerability icon.

3 This will call the Fix Vulnerability wizard on the screen.

4 In this case the wizard will offer you only one window in which you need to choose to either send an e-mail to the team member concerned with the vulnerability fixing process to inform them of the new vulnerability that was found, or to create a task in the console for the same purpose.

Be aware that for either of these options the mail system information must be set up in the console, as explained in paragraph User Preferences on page 17 in the preceding chapter First Steps in the Console.

4a To send the mail leave the preselected option and enter the following data:

To
Enter into this field the e-mail address of the respective personnel.

Subject
Modify the subject text to “Vulnerability Test Fixing”. It is not necessary to specifically add the vulnerability number, etc., as the mail that is sent will contain all information available on the vulnerability(ies).

Priority
In this drop-down box you may select the priority of the vulnerability and its resolution; possible values are Minimal, Medium and High. This is not the priority of the e-mail as used in the regular e-mail applications.

Expected Resolution Date
In this window you may select a deadline by which you expect the vulnerability to be resolved.

Additional Comments
Enter into this free text field any additional comments to the recipients of the e-mail, for example any additional details of the vulnerabilities to be solved or how you want them solved.

Click the Finish button to send the e-mail.


4b To create a task for the vulnerability proceed as follows:

1 Select the Create Task radio button.

2 The window content changes to display the fields required for the task.

3 Enter Vulnerability Test into the Name field.

4 Enter some free text describing the situation into the Description field.

5 Leave all other fields as they are.

6 Click the Finish button to create the task. An e-mail will also automatically be sent to the e-mail account you entered into the administrator properties.

For more detailed information on the Tasks please refer to the Tasks manual.

(d) Verifying the Vulnerability Situation

In addition to the Vulnerability Inventory of a device the current situation may also be viewed at the following other locations in the console:

• Last Results node under the Assigned Scans node, where the scan execution is detailed.

• Vulnerability Inventory of a device group

• Vulnerability Groups node

Last Results of Assigned Scans

Once a scan has finished its execution on a device the Last Results node below the executing scan will display this device. The node has two tabs: the Online Targets tab displays all devices which could be contacted and on which the scan was executed; the Offline Targets tab displays the list of scan targets that were unreachable and thus could not be scanned. No devices for which the scan is still executing are displayed.

Under the Last Results node a node is displayed for each scanned device that has several tabs which show different types of information on the device and the vulnerabilities found on it.


Vulnerability Inventory of a Device Group

The vulnerabilities found for the members of a group are displayed under the respective node of the device group: Inventory->Vulnerability Inventory->Vulnerabilities. This inventory will not display any details on the vulnerabilities found on the devices; it will only display a list of vulnerability attributes such as vulnerabilities sorted by ID, by CVSS, etc., and the respective count for the group.

Vulnerability Groups

Vulnerability groups are the objects in the Numara Vulnerability Manager via which the security situation on the target devices is resolved. From here you have an overview of the general security situation of a specific part of your environment; you may follow how its security status evolves via graphics in the console and via reports specifically generated for them, and you may launch the fixing process for the group’s vulnerabilities. Here we will create a group for the devices we have scanned:

1 Open the Vulnerability Management->Vulnerability Groups node.

2 To create the new group select the Edit->Create Vulnerability Group menu item or select the respective icon in the toolbar.

3 The Properties popup window will appear on the screen.

4 Enter Test Scan as its name into the name field.

5 Click OK to confirm and close the window.

6 The new group will automatically be created and be displayed in the right window pane.

7 Select it. You can see that this node offers quite a number of different nodes and tabs; however, in this example we will only use its Options tab and All Vulnerabilities node. For more information on all other available information refer to the Vulnerability Manual.

8 Go to the Options tab.


9 In the Options tab you configure which part of your network you want to access and visualise via this group.
10 In the CVSS box check all boxes.
1 In the Target Lists box select the Add Target List icon.
2 The Assign a Target List window opens on the screen.
3 From the Available Objects list displayed in the window select the Test Scan Targets list.
4 Then click the OK button at the bottom of the window to confirm and close the window.
5 Then click the Save icon to save these group settings.
6 Now go to the All Vulnerabilities node.
7 It displays the list of all vulnerabilities found on all devices of the target list.


(e) Remediation via Vulnerability Groups

In the main procedure the vulnerability situation was investigated and resolved via the scanned device’s inventory. The same procedure applies to resolving the situation of device groups via the group’s inventory. Another way to take care of the security situation is via the concept of vulnerability groups. Contrary to device groups, vulnerability groups may contain devices on which no NAMP agent is installed, so their situation may be viewed and resolved as well.

A vulnerability group provides you with an overview of the general security situation of a specific part of your environment, and you may follow how its security status evolves via graphics in the console and via reports specifically generated for it. Here we will create a group for the devices we have scanned:

1 Open the Vulnerability Management->Vulnerability Groups node.
2 To create the new group select the Edit->Create Vulnerability Group menu item or select the respective icon in the toolbar.
3 The Properties popup window will appear on the screen.
4 Enter Test Scan as its name into the name field.
5 Click OK to confirm and close the window.
6 The new group will automatically be created and be displayed in the right window pane.
7 Select it. You can see that this node offers quite a number of different nodes and tabs; however, in this example we will only use its Options tab and All Vulnerabilities node. For more information on all other available information refer to the Vulnerability Manual.
8 Go to the Options tab.
9 In the Options tab you configure which part of your network you want to access and visualise via this group.
10 In the CVSS box check all boxes.
1 In the Target Lists box select the Add Target List icon.
2 The Assign a Target List window opens on the screen.
3 From the Available Objects list displayed in the window select the Test Scan Targets list.
4 Then click the OK button at the bottom of the window to confirm and close the window.
5 Then click the Save icon to save these group settings.
6 Now go to the All Vulnerabilities node.


7 It displays the list of all vulnerabilities found on all devices of the target list.
1 Select the All Vulnerabilities node under the newly created Test Scan vulnerability group.
2 From here you may proceed to fix a vulnerability that has a Microsoft bulletin as described in the general procedure from Point 14.1.5 (page 336) onwards.
3 To fix a vulnerability without Vendor ID follow the instructions of Option (c).
4 To remedy the situation on a device without a NAMP agent see Option (f).

(f) Remedy Vulnerabilities on Device without NAMP Agent

As we have already seen, the vulnerability inventory for devices without a NAMP agent is included in the vulnerability group the respective device is a member of. To fix a vulnerability for such a device you have the following choices:

1 Send an e-mail to the member(s) of your team responsible for the devices without agent to inform them of the vulnerability that needs fixing. The operations necessary for this are the same as explained under Option (c).

2 Create a task for the vulnerability in the console. The operations necessary for this are the same as explained under Option (c).

3 Install the agent on the device and re-execute the general procedure for this device.

(g) Schedule the Scan at Regular Intervals

For our example scan it may be useful to run it at regular intervals, such as every day, to have the most accurate view of the device’s situation and of how the vulnerability resolving process advances. To do so proceed as follows:

1 At Point 14.1.2 (page 327) Step 9: (page 333) make the following selections in the Execution Mode wizard window:
• In the Termination box select the Run Forever radio button.
2 Click Next.
3 In the Schedule wizard window make the following selections:
• Select the Run Every Day radio button. More options will become accessible in the window.
• In the Period field select the value Once Only from the drop-down box.
• In the field at define the time of the day when to run the scan, for example during lunch time at 12:30.
• The months to run are already all pre-checked so leave them unchanged.
4 Click Finish and continue with Point 14.1.2 (page 327) Step 9: (page 333) of the general procedure.


(h) Define a Different Scanner

To be able to scan for vulnerabilities a device must be a Scanner. Any device may be a Scanner; it only has to be defined as such. This may be done either in the properties of the device or in the Vulnerability Management node. To add a device to the Vulnerability Management as a Scanner proceed as follows:

1 Select the Vulnerability Management node in the left window pane.
2 If you have a limited scanner license you may have to remove the existing scanner before you may add another one. If this is not the case continue directly with point 7.
3 To remove a scanner select it in the table of the right window pane.
4 Then select the Edit->Remove Device menu item or click the respective icon in the icon bar.
5 A confirmation window appears on the screen. Click Yes to confirm.
6 The scanner will be removed from the list of scanning devices.
7 To add a new scanner now either choose the Edit->Add Device menu item or click the respective icon in the icon bar.
8 The Add a Scanner popup window will appear on the screen.
9 Select the All button in the left window bar and select the new device which is to be a Scanner from the list. In this list only those devices which, by their operating system, may be a scanner are listed.
10 Then click OK to add it and close the window.
11 The device will be added to the list of Scanners and its configuration parameters will be updated accordingly.

Scanning can be quite resource consuming, so it is advisable to run scans when the network load is low, i.e. during the night (if the devices are not shut down) or at lunch time.

If you only have an evaluation license, only one scanner can be defined. To define another device as a scanner for this example you must therefore first remove the existing scanner before you can define another device as the scanner.


(i) Create a New Port List

If none of the predefined lists fulfil your requirements you may add your own lists of ports to be scanned. To add a new custom port list proceed as follows:

1 Select the Port Lists node in the left window pane.
2 Select the Edit->Create Port List menu item or the respective icon in the icon bar.
3 The Properties popup window will appear on the screen.
4 Enter the name for the new list into the Name field.
5 Then enter the port numbers to be scanned through this list into the Port Range field. A port list is defined by using a semicolon (;) as the separator and a dash (-) as an operator defining port ranges. For example: 1;4-7;10 specifies ports 1 and 10 and ports between 4 and 7 included.
6 Click the OK button at the bottom to save the new list.
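
Before typing a long value into the Port Range field it helps to check what it expands to. The following Python sketch is an added example, not part of the Numara product or its manual: it parses the semicolon and dash syntax described in step 5, rebuilds the compact form from a set of ports, and reports required ports that a list would leave unscanned. The function names, the strict rejection of spaces and reversed ranges, and the 1-65535 bound are assumptions of this example.

```python
import re

MAX_PORT = 65535  # assumption: valid port numbers are 1..65535
_ENTRY = re.compile(r"(\d+)(?:-(\d+))?", re.ASCII)  # "N" or "N-M", ASCII digits only


def parse_port_list(spec):
    """Expand a Port Range value such as '1;4-7;10' into a sorted list of ports."""
    ports = set()
    for entry in spec.split(";"):
        match = _ENTRY.fullmatch(entry)
        if match is None:
            # Empty entries ("1;;3"), spaces and stray characters end up here.
            raise ValueError(f"malformed entry {entry!r} in port list {spec!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) is not None else low
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError(f"entry {entry!r} is reversed or outside 1-{MAX_PORT}")
        ports.update(range(low, high + 1))  # ranges are inclusive at both ends
    return sorted(ports)


def format_port_list(ports):
    """Collapse ports into the compact form, merging consecutive numbers into ranges."""
    runs = []
    for port in sorted(set(ports)):
        if runs and port == runs[-1][1] + 1:
            runs[-1][1] = port          # extend the current run
        else:
            runs.append([port, port])   # start a new run
    return ";".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in runs)


def missing_ports(spec, required):
    """Return the required ports that a scan using this port list would not cover."""
    return sorted(set(required) - set(parse_port_list(spec)))


if __name__ == "__main__":
    print(parse_port_list("1;4-7;10"))               # the manual's own example
    print(format_port_list([10, 4, 5, 1, 6, 7]))
    print(missing_ports("1;4-7;10", [5, 10, 22]))    # constructed policy ports
```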

(j) Add a new Object directly to a Folder

When adding/creating a new object it may be directly added/created to/in a folder, e.g., a scan configuration to a scan configuration folder, a port list to a port list folder, etc. To do so proceed as follows:

1 In the window you may define the folder into which the object is to be added. By default it will be added directly under the respective object’s top node, e.g., the Port Lists node under the Configuration node.
2 To add it to another folder click the icon to the right of the field (...).
3 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon below the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window to confirm the new folder.
4 Select the target folder and click the OK button to confirm, close the window and return to the original window.

(k) Define Automatic Vulnerability Update

By default, when you install the software, the vulnerability update is not set to run automatically before you schedule a scan. You may change those base settings to make sure your system is always as up to date as possible, keeping your IT in the most secure state. To automate the update process proceed as follows:

1 Open the Vulnerability Management->Configuration->Update node in the left window pane and go to tab Options.
2 Select one of the lines and then select the Edit->Properties menu item or the icon in the icon bar.
3 The Properties window appears on the screen. You have the following options you may define regarding the automatic update.
• Automatic Verification: This value defines if VM will automatically check for available updates. By default this option is deactivated. Check the box to activate the auto-update. The master will then check with the VM Update service if an update is available.
• Verification Frequency: The value in this field defines the interval in seconds at which the automatic verification process, if selected, is executed. The default value is 3600 seconds or every hour. You may modify this value to your own requirements. However, it is not recommended to go below one hour, so as not to overload the network.
• Automatic Installation: This option must be activated if the update process is to be completely automatic. If it is not selected, the scanner will receive all updated files and store them, but it will not install the respective files, i.e. it will not be up-to-date.

Make sure that the parameter UpgradeWinPcap, located in the Numara Vulnerability Manager configuration file VulnerabilityManager.ini, is activated (set to true). If this is not the case the manual vulnerability update can not be completely executed. By default this parameter is activated.


• Internet Update: This option defines if the master is to check via Internet with the VM Updater of the Numara site if updated files are available. This option is activated by default.
• Local Update: If this option is activated the master checks locally, i.e. on its disk, if it can find an update to install. This option is activated by default. This option is applicable if the master server does not have a permanent Internet connection. In this case you must check with the VM Updater, via another device with an Internet connection, if a new update is available, download the update and store it locally on the master.
• User: The user login to access the VM update service. The default login VMUPDATE is already filled in.
• Password: The password corresponding to the above displayed user name. For security reasons the password is displayed in the form of asterisks (*). This field is filled in by default with the corresponding password.

4 Click OK to confirm and close the window.
5 The automatic update is now configured and will be executed for the first time immediately and then at the specified frequencies until you change them again.

(l) Manual Vulnerability Update

If the master does not have a permanent Internet connection it cannot use the automatic update procedure detailed in the previous paragraph; instead it must be updated manually at regular intervals. To be able to update, at least one device within your network must have at least a temporary Internet connection to download the newest vulnerability update file with which to bring your master and all scanners up-to-date. To manually update proceed as follows:

1 Open a browser window on a device with an Internet connection and enter the following link: https://vmupdater.numarasoftware.com/vmupdate/v3/

2 Click the local option of the provided directories.

Make sure that the parameter UpgradeWinPcap, located in the Numara Vulnerability Manager configuration file VulnerabilityManager.ini, is activated (set to true). If this is not the case the manual vulnerability update can not be completely executed. By default this parameter is activated.


3 Enter the login name and password to access the requested page. This information was sent to you in an e-mail from the Numara Support.

4 A new page opens with only one link, the vmupdate_<update date>.upd file.

5 Download the file.
6 Then put the file in the following directory on the master:

<Installation Directory>\Master\upgrade\vulnerabilitymanager

If the directory vulnerabilitymanager does not yet exist create it.
7 Now open a NAMP console.
8 Go to the Vulnerability Management->Configuration->Update node and select the Options tab.
9 Select a line in the table in the right window pane and then the Edit->Properties menu option or the corresponding icon in the icon bar.
10 The Properties popup window will appear on the screen.
11 Check the option Local Update.
12 If the scanners are to be updated automatically after the master update also check the option Automatic Installation. If this option is not checked, the scanners will receive the update information and file, but they will not update and install; this must be executed manually.
13 Click OK to confirm the modifications and close the window.
14 Then select the Status tab.


15 This window shows the current status of the vulnerability module, i.e. if all required components are up-to-date or if they require updating.

16 To update the master click the Edit->Update Now menu option or the corresponding icon in the icon bar.
17 A confirmation window appears on the screen.
18 Click OK to continue.
19 You can now follow the update progress in this window via the Status column, which is updated every 30 seconds and displays the different stages of the update process of all vulnerability components.
20 Once the master is updated the scanners will also be updated if you activated the Automatic Installation option.
21 You can follow the update process of the scanner in the bottom box of the same view where the information will also be displayed in the respective Status column.
22 Once the value Up to Date is displayed in all Status fields for the components as well as all defined scanners the update process is completed.


15 Device Compliance Step-by-Step

Device compliance in the Numara Asset Management Platform is executed via the concept of compliance rules of the Numara Compliance Manager. Compliance rules are made up of a series of criteria that correspond to the conditions of your compliance policies. Compliance rules may contain only one very specific criterion or a number of different criteria collected in groups that are put into a certain relation to each other.

However, before any device can be verified for its compliance the base data for compliance verification, i.e. the inventories collecting this information, must be available.

This chapter is divided into the following sections:

• Compliance Rule Examples
• Compliance Reporting
• Rule Options

Prerequisites

We assume that:

• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the NAMP console and its workings.
• you have already done the exercises in the preceding chapters on Patch Management and Vulnerability Management. As mentioned above the device compliance is based on the data available in the database, which must have been collected by the respective inventories, before any evaluation may take place.

15.1 Compliance Rule Examples

The following paragraphs provide you with a number of sample compliance rules to execute in your network. As already mentioned, for most of these rules the respective inventories must already exist, and we assume that this is the case, i.e., that this has been done via the examples in the preceding chapters. If the database does not have the respective values you may not be able to do some of the following exercises, as the options will not be available in the selection windows.

The compliance rule process consists of the following individual steps:

1 Collect the different types of inventory on the target devices.
2 Create the compliance rule with its criteria and relation.
3 Assign the rule to the targets for compliance evaluation.
4 Evaluate the compliance results on the compliance dashboard.

Specifically we will create the following compliance rules in this section:

1 Firewall Rule: This compliance rule checks if a device has a firewall installed that is active.
2 Patch and Vulnerability Inventory Rule: This compliance rule checks if a device has up-to-date patch and vulnerability inventories.
3 Antivirus Software Rule: This rule verifies if an antivirus software is installed. It does not have to be one specific application but must be one out of a list of 3 possible software applications.
4 Critical Patches Rule: This compliance rule will check if the devices listed for compliance verification have all critical patches installed.


5 NAMP Client Installation Directory Rule: This rule checks that the Numara Asset Management Platform software is actually installed in its default directory.

Rule 1: Firewall

This compliance rule will verify if the target device has a firewall installed that is active.

A compliance rule defines the criteria to which the target population has to correspond to be considered compliant. These criteria are collected in groups, the criteria groups, which may contain any number of criteria. This rule will only have one criteria group containing only one criterion.

Step 1: Create Compliance Rule

To create this compliance rule proceed as follows:

1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Firewall into the Name field and then click the OK button.
5 The new compliance rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the compliance rule.
7 To add the compliance criteria select the Criteria tab to the right.
8 Currently the table is still empty.
9 To define the criteria choose the Edit->Add Criteria Group menu item or click the respective icon in the icon bar.
10 The Criteria Group popup window will appear on the screen.
11 It provides access to the list of available criteria in the Criteria Group Definition box. The first line of this box indicates the index number of the criteria group which is about to be defined, i.e. Criteria Group 1 in our case, as we are only creating the first for this rule.
12 Enter Firewall into the Name field.
13 From the Class drop-down list select the Security Inventory option.
14 Then select the table from which the criteria is to be chosen from the Table field, i.e. in our case this is the value Installed Firewalls.
15 The Available Criteria box below now displays all criteria available for the selected class and table. Select the criterion Enabled.
16 Leave the preselected operator Equal to in the Operator drop-down box.
17 Click the Find button next to the Value field.
18 The Search Criteria window opens.
19 Click the Find button next to the Value field again.
20 The Results field now displays the possible values, TRUE and FALSE. Select the TRUE value and click the OK button to close the window.
21 Then click the Add button to add the defined criterion to the Selected Criteria box.

If the Security Inventory entry is not available you have not executed the respective example in the operational rules chapter. To complete this example go to Rule 1: Inventory Management (page 50) and then complete this example.


22 Then click the OK button to add the criteria group to the compliance rule.
23 Above the table you can also see that the Status field still displays the value inactive. All compliance rules are inactive when they are created.
24 To activate the compliance rule select the green coloured option active instead of the currently displayed red option inactive in the Status drop-down field.

Step 2: Assign the Compliance Rule to the Master and Evaluate

The compliance rule is now created and active and must be assigned to the devices which are to be verified for compliance, in our example the master. Once the assignment is done, the rule will immediately verify if the device is compliant to the specified criteria and display the result right away in the table.

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created compliance rule. The right window pane is empty since no devices have been assigned yet.

2 To assign a device, select the Assign Device icon in the icon bar.
3 The Assign to Device popup window will appear on the screen.
4 Go to the All tab and select the master from the list.

To assign the compliance rule to a device group see Option (a) (page 384).


5 The master will be added to the table in the right pane with the immediately calculated compliance result.
6 If the grey question mark icon remains in the table, click the Refresh icon to update the display.

Step 3: Analyse Result - Compliance Dashboard

You can analyse the details of the compliance results right away in this window; they are available via the Properties window of the respective device. To view the result proceed as follows:

1 Select the device in the right window pane.
2 Then either choose the Edit->Properties menu item or click the respective icon in the icon bar.
3 The Compliance Results window opens on the screen providing compliance information on the device.
4 The symbol next to the device name indicates if the device complied to the requested criteria group: a green check mark if this is the case, a red x if it is not.
5 The line below displays the operating system and the installed service pack of the device.
6 The field Criteria Groups Causing Non-compliance lets you display only those groups containing the criteria which cause the non-compliance of the device. If the device is compliant this option is not displayed.

7 The table Criteria Groups displays the following details:
• Index: This field displays the index value for the defined criteria group.
• Results: These fields indicate if the device complied to the respective criteria group. Be aware that a group may be evaluated as compliant even if the overall compliance is negative, or vice versa, if the relation equation has the NOT operator as the final operator.
• Name: The fields of this column display the custom defined names of the criteria groups specified for this compliance rule.
• Table: The fields of this column display the names of the database table from which the criteria were chosen for the criteria group.

For results regarding an assigned device group see Option (d) (page 387).

8 The field Group Relation below displays the group relation as it was defined when the evaluation took place for which the result is displayed in this window.

9 The Description box shows the details on the criteria defined for the selected criteria group in the table above.
10 Click OK to close the window.

Rule 2: Patch and Vulnerability Inventory

This compliance rule will verify if the target device has up-to-date patch and vulnerability inventories, i.e. both are not older than two weeks.

A compliance rule defines the criteria to which the target population has to correspond to be considered compliant. These criteria are collected in groups, the criteria groups, which may contain any number of criteria. The rule also specifies in which relation the individual criteria groups stand to each other for compliance evaluation. This rule will have two criteria groups with two criteria each that are related via the AND operator.

Step 1: Create Compliance Rule

To create this compliance rule proceed as follows:

1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon in the icon bar.
3 Enter Patch and Vulnerability Inventory into the Name field and then click the OK button.
4 The new compliance rule is added to the list of members in the right pane. Double-click it.
5 To add the compliance criteria select the Criteria tab to the right and select the Edit->Add Criteria Group menu item or click the respective icon in the icon bar.
6 The Criteria Group popup window will appear on the screen.
7 Enter Patch Inventory into the Name field.
8 In the Class drop-down list leave the Basic option.


9 Then select the Inventory Update table from the Table field.
10 The Available Criteria box below now displays all criteria available for this table. Select the criterion Inventory Type.
11 Leave the preselected operator Equal to in the Operator drop-down box.
12 Click the Find button next to the Value field.
13 The Search Criteria window opens.
14 It displays the possible values, i.e. the list of all inventory types. Select the Patch Inventory option and then click the OK button to close the window.
15 Then click the Add button to add the defined criterion to the Selected Criteria box.
16 As a second criterion we will add a date criterion: The last inventory update must have taken place no more than two weeks ago.
17 For this select the Update Date attribute in the Available Criteria box.
18 Leave the operator Greater than or equal in the Operator drop-down box.
19 To enter the dynamic time value of two weeks select the newly appeared Timeframe radio button.
20 Then enter the desired time value into the field next to it, i.e. -2, and select the corresponding unit from the drop-down list to the right, week.
21 Then click the Add button to add the defined criterion to the Selected Criteria box.
22 The criteria group now has two criteria, i.e. to fulfil the requirements of this group, a device must have a patch inventory executed and its last update date may not be older than the specified value.

If the Patch Inventory entry is not available you have not executed the respective example in the operational rules chapter. To complete this example go to Rule 1: Inventory Management (page 50) and then complete this example.

Be aware, that within a criteria group only criteria of the same class and table may be created. To add criteria of another class and/or table you must create another criteria group, put the desired criteria in and create the necessary relation via the Group Relation box.

You could also enter the same information with the following criteria values: Select the Less than or equal Operator together with the time value of 2.

All criteria within a criteria group are connected via the AND operator. To connect criteria with another operator they must be put into different criteria groups and then be related via the group relation equation.


23 Then click the OK button to add the criteria group to the compliance rule.
24 To now add the second criteria group for the vulnerability inventory select again the Edit->Add Criteria Group menu item or the respective icon.
25 Enter Vulnerability Inventory into the Name field.
26 From the Class drop-down list select the Basic option.
27 Then select the value Inventory Update from the Table field.
28 Select the criterion Inventory Type from the Available Criteria box.
29 Leave the preselected operator Equal to in the Operator drop-down box.
30 Click the Find button next to the Value field.
31 The Search Criteria window opens.
32 It displays all inventories. Select the Vulnerability Inventory and click the OK button to close the window.
33 Then click the Add button to add the criterion to the Selected Criteria box.
34 Then, same as above, select the Update Date attribute in the Available Criteria box.
35 Select the operator Greater than or equal in the Operator drop-down box.
36 To enter the dynamic time value of two weeks select the newly appeared Timeframe radio button.
37 Then enter the desired time value into the field next to it, i.e. -2, and select the corresponding unit from the drop-down list to the right, week.
38 Then click the Add button to add the defined criterion to the Selected Criteria box.
39 Then click the OK button.
40 The second criteria group is now also added to the compliance rule.
41 In the Group Relation box below you will now find the two groups - listed by their respective index values - automatically related via the AND operator. This is due to the fact that we have left the default operator above the list field for the criteria groups with its standard value. We will leave the pre-entered syntax as it is, as our devices are to comply to all criteria at the same time.
42 Next to this field above you can also see that the Status field still displays the value inactive. All compliance rules are inactive when they are created.
43 To be able to activate a compliance rule with more than one criteria group the syntax of its group relation equation must be verified to make sure that it is syntactically correct. To do so select the Edit->Verify Relation menu item or click the respective icon in the icon bar.
44 The syntax entered into the Group Relation field will be verified immediately.
45 If it contains an error, a message box is displayed with an indication as to the error. If the syntax is correct, the status bar at the bottom of the console window will display Done. This is our case.
46 Now to activate the compliance rule select the green coloured option active instead of the currently displayed red option inactive in the Status drop-down field.

If the Vulnerability Inventory entry is not available you have not executed the respective example in the vulnerability management chapter. To complete this example go to the respective chapter and Create a Vulnerability Scan (page 327) and then complete this example.

To create a less strict compliance rule in which the targets must only comply to one or the other of the defined criteria groups, see Option (f) (page 388).

Page 370: Getting Started


Step 2: Assign the Compliance Rule to the Master and Evaluate

The compliance rule is now created and active and must be assigned to the devices which are to be verified for compliance, in our example the master. Once the assignment is done, the rule will immediately verify whether the device is compliant with the specified criteria and display the result right away in the table.

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created compliance rule. The right window pane is empty since no devices have been assigned yet.
2 To do so select the Assign Device icon in the icon bar.
3 The Assign to Device popup window will appear on the screen.
4 Go to the All tab and select the master from the list.
5 The master will be added to the table in the right pane with the immediately calculated compliance result.
6 If the grey question mark icon remains in the table, click the Refresh icon to update the display.

Step 3: Analyse Result - Compliance Dashboard

You can analyse the details of the compliance result right away in this window; they are available via the Properties window of the respective device. To view the result proceed as follows:

To assign the compliance rule to a device group see Option (a) (page 384).

For results regarding an assigned device group see Option (d) (page 387).

Page 371: Getting Started


1 Select the device in the right window pane.
2 Then either choose the Edit->Properties menu item or click the respective icon in the icon bar.
3 The Compliance Results window opens on the screen providing compliance information on the device.
4 The symbol next to the device name indicates via a green check mark that the device complied with the requested criteria group.
5 The line below displays the operating system and the installed service pack of the device.
6 The field Criteria Groups Causing Non-compliance will not be displayed in this case, as there is no non-compliant criterion.
7 The table Criteria Groups displays the following details:

Index: This field displays the index value for the defined criteria group.
Results: These fields indicate if the device complied with the respective criteria group. Be aware that a group may be evaluated as compliant even if the overall compliance is negative, or vice versa, if the relation equation has the NOT operator as the final operator.
Name: The fields of this column display the custom defined names of the criteria groups specified for this compliance rule.
Table: The fields of this column display the names of the database table from which the criteria were chosen for the criteria group.

8 The field Group Relation below displays the group relation as it was defined when the evaluation took place for which the result is displayed in this window.
9 The Description box shows the details on the criteria defined for the selected criteria group in the table above.
10 Click OK to close the window.

Rule 3: Antivirus Software

This compliance rule will verify if the target device has an antivirus software installed. It does not have to be a specific software but must be one out of the three which are allowed by the company policy. This rule will have three different groups, one for each of the possible antivirus software applications with one criterion each.

Step 1: Create Compliance Rule

To create this compliance rule proceed as follows:

1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon in the icon bar.
3 Enter Antivirus Software into the Name field and then click the OK button.
4 The new compliance rule is added to the list of members in the right pane. Double-click it.
5 To add the compliance criteria select the Criteria tab to the right.
6 Currently the table is still empty.
7 Here we will create one criteria group per allowed antivirus software. And as the devices do not have to fulfil all of the three criteria groups but only one of them, we will first modify the default operator:
8 From the drop-down field Default Operator select the OR option.
9 Now, to define the criteria groups and their criteria, choose the Edit->Add Criteria Group menu item or click the respective icon in the icon bar.
10 The Criteria Group popup window will appear on the screen.
11 The first allowed antivirus software in our example is Norton, therefore enter Norton Antivirus into the Name field.

Page 372: Getting Started


12 From the Class drop-down list select the Software Inventory option.
13 This class only has one table, Installed Software, that is already preselected.
14 Select the criterion Name from the Available Criteria box below.
15 Leave the preselected Equal to operator in the Operator drop-down box.
16 Click the Find button next to the Value field.
17 The Search Criteria window opens.
18 Select the Contains operator from the drop-down field. If you know the exact name as it is stored in the software inventory, you can leave the Equal to operator.
19 Enter part of the name into the Value field, i.e. Norton, otherwise you will get the complete list of installed software applications in your network.
20 Click the Find button next to the Value field again.
21 The Results field now displays the list of software applications found in the database that correspond to your value entry. Select the Norton entry and click the OK button to close the window.
22 Then click the Add button to add the defined criterion to the Selected Criteria box.
23 Click OK to add the criteria group to the compliance rule.
24 To now add the second and third criteria group for the McAfee and Trendmicro Antivirus software programs, repeat steps 9 to 23, entering the respective values.
25 In the Group Relation box below you will now find the three groups, listed by their respective index values, automatically related via the OR operator, as this was chosen for the default operator. We will leave the pre-entered syntax as it is, as our devices must only comply with one of the three listed criteria. However, the device will also be compliant if more than one of the required antivirus applications are installed.
26 Now verify the group relation by selecting the Edit->Verify Relation menu item or the respective icon in the icon bar.
27 The syntax entered into the Group Relation field will be verified immediately and the status bar at the bottom of the console window should display Done.
28 Activate the compliance rule by selecting the green coloured option active instead of the currently displayed red option inactive in the Status drop-down field.

To add more criteria to the specified criteria groups see Option (c) (page 386).

See Option (g) (page 389) to create a group relation under which a device is compliant only if exactly ONE of the listed antivirus applications is installed.

Page 373: Getting Started


Step 2: Assign the Compliance Rule to the Master and Evaluate

The compliance rule is now created and active and must be assigned to the devices which are to be verified for compliance, in our example the master. Once the assignment is done, the rule will immediately verify whether the device is compliant with the specified criteria and display the result right away in the table.

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created compliance rule. The right window pane is empty since no devices have been assigned yet.
2 To do so select the Assign Device icon in the icon bar.
3 The Assign to Device popup window will appear on the screen.
4 Go to the All tab and select the master from the list.
5 The master will be added to the table in the right pane with the immediately calculated compliance result.
6 If the grey question mark icon remains in the table, click the Refresh icon to update the display.

To assign the compliance rule to a device group see Option (a) (page 384).

Page 374: Getting Started


Step 3: Analyse Result - Compliance Dashboard

You can analyse the details of the compliance results right away in this window; they are available via the Properties window of the respective device. To view the result proceed as follows:

1 Select the device in the right window pane.
2 Then either choose the Edit->Properties menu item or click the respective icon in the icon bar.
3 The Compliance Results window opens on the screen providing compliance information on the device.
4 In the screenshot to the right you can see that the example device is compliant: it complied with one of the requested criteria groups, as it has the Norton Antivirus software installed.
5 Click OK to close the window.

Rule 4: Critical Patches

This compliance rule will check if the devices listed for compliance verification have critical patches installed. This compliance rule again has only one group with one criterion.

Step 1: Create Compliance Rule

To create this compliance rule proceed as follows:

1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon in the icon bar.
3 Enter Critical Patches into the Name field and then click the OK button.
4 The new compliance rule is added to the list of members in the right pane. Double-click it.
5 To add the compliance criteria select the Criteria tab to the right and select the Edit->Add Criteria Group menu item or click the respective icon in the icon bar.
6 The Criteria Group popup window will appear on the screen.
7 Enter Critical Patches into the Name field.
8 In the Class drop-down list select the Patch Inventory option.

For results regarding an assigned device group see Option (d) (page 387).

If the Patch Inventory entry is not available you have not executed the respective example in the operational rules chapter. To complete this example go to Rule 1: Inventory Management (page 50) and then complete this example.

Page 375: Getting Started


9 Leave the preselected Missing Patches table.
10 Select the criterion Severity from the Available Criteria box below.
11 Leave the preselected operator Equal to in the Operator drop-down box.
12 Click the Find button next to the Value field.
13 The Search Criteria window opens.
14 It displays the possible values, i.e. the list of all grades of severity. Select the Critical option and then click the OK button to close the window.
15 The selected option now appears in the Value field to the left.
16 Then click the Add button to add the defined criterion to the Selected Criteria box.
17 Click OK to add the criteria group to the rule.
18 In the Group Relation box below 1 is entered, the index value for the specified group. To check now that all critical patches are installed, we must make sure that the inventory of missing patches does NOT contain any patches with this severity, therefore the following relation equation must be entered: NOT 1
19 Now verify the group relation by selecting the Edit->Verify Relation menu item or the respective icon in the icon bar.
20 The syntax entered into the Group Relation field will be verified immediately and the status bar at the bottom of the console window should display Done.
21 Activate the compliance rule by selecting the green coloured option active instead of the currently displayed red option inactive in the Status drop-down field.

Step 2: Assign the Compliance Rule to the Master and Evaluate

The compliance rule is now created and active and must be assigned to the devices which are to be verified for compliance, in our example the master. Once the assignment is done, the rule will immediately verify whether the device is compliant with the specified criteria and display the result right away in the table.

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created compliance rule. The right window pane is empty since no devices have been assigned yet.
2 To do so select the Assign Device icon in the icon bar.
3 The Assign to Device popup window will appear on the screen.

This criterion will check the patches for all available applications and operating systems. To limit this to the Windows operating systems see Option (h) (page 389).

To limit this to Microsoft patches including those which are important see Option (h) (page 389).

To assign the compliance rule to a device group see Option (a) (page 384).

Page 376: Getting Started


4 Go to the All tab and select the master from the list.
5 The master will be added to the table in the right pane with the immediately calculated compliance result.
6 If the grey question mark icon remains in the table, click the Refresh icon to update the display.

Step 3: Analyse Result - Compliance Dashboard

You can analyse the details of the compliance results right away in this window; they are available via the Properties window of the respective device. To view the result proceed as follows:

1 Select the device in the right window pane.
2 Then either choose the Edit->Properties menu item or click the respective icon in the icon bar.
3 The Compliance Results window opens on the screen providing compliance information on the device.
4 In the screenshot to the right you can see that the example device is not compliant, indicated by the large red X.
5 However, in the criteria groups box below, the one criteria group itself is marked as compliant. This group looks for critical patches in the missing patch inventory and the device has at least one. The non-compliance in this case is caused by the relation shown in the Group Relation box below, which is defined as NOT 1. This means that if group 1 is compliant, the overall result is NOT compliant; if group 1 were not compliant, the overall result would be evaluated as compliant.
6 Click OK to close the window.
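The way Rule 3's relation 1 OR 2 OR 3 and Rule 4's relation NOT 1 turn per-group results into an overall verdict can be reproduced outside the console. The following is an added example, not NAMP code: the inventory rows, the client device names, the operator precedence (NOT, then AND, then OR), parentheses, and the choice that one group without inventory data makes the whole rule Evaluation Impossible are assumptions.

```python
import re

# Constructed inventories (not from the manual). None = inventory never generated;
# an empty list = inventory generated but empty, which is still evaluable.
INVENTORY = {
    "master": {"Installed Software": [{"Name": "Norton Antivirus"}],
               "Missing Patches": [{"Name": "PATCH-EXAMPLE-1", "Severity": "Critical"}]},
    "client-01": {"Installed Software": [{"Name": "McAfee Antivirus"}], "Missing Patches": []},
    "client-02": {"Installed Software": [{"Name": "Office Suite"}], "Missing Patches": None},
}

OPERATORS = {
    "Equal to": lambda actual, wanted: actual == wanted,
    "Starts with": lambda actual, wanted: actual.lower().startswith(wanted.lower()),
}

def group(table, *criteria):
    return {"table": table, "criteria": criteria}

ANTIVIRUS = {  # Rule 3: default operator OR, one group per allowed product
    "relation": "1 OR 2 OR 3",
    "groups": {
        1: group("Installed Software", ("Name", "Equal to", "Norton Antivirus")),
        2: group("Installed Software", ("Name", "Equal to", "McAfee Antivirus")),
        3: group("Installed Software", ("Name", "Equal to", "Trendmicro Antivirus")),
    },
}
CRITICAL_PATCHES = {  # Rule 4: the group matches MISSING critical patches
    "relation": "NOT 1",
    "groups": {1: group("Missing Patches", ("Severity", "Equal to", "Critical"))},
}

def group_result(device, grp):
    """True if at least one row meets every criterion (assumed semantics)."""
    rows = INVENTORY[device].get(grp["table"])
    if rows is None:
        return None  # no data: this group cannot be evaluated
    return any(all(OPERATORS[op](row.get(attr, ""), value)
                   for attr, op, value in grp["criteria"]) for row in rows)

def evaluate_relation(relation, results):
    """Evaluate a group relation such as 'NOT 1' against {index: bool}."""
    text = relation.upper()
    tokens = re.findall(r"\d+|AND|OR|NOT|[()]", text)
    if "".join(tokens) != "".join(text.split()):
        raise ValueError(f"invalid relation syntax: {relation!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("relation ends unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "OR":
            take()
            rhs = parse_and()  # always parse the right side, then combine
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "AND":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "NOT":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok.isdigit() and int(tok) in results:
            return results[int(tok)]
        raise ValueError(f"unexpected token or unknown group index: {tok}")

    value = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token: {peek()}")
    return value

def evaluate_rule(device, rule):
    """Return (overall status, per-group results) for one device."""
    results = {i: group_result(device, g) for i, g in rule["groups"].items()}
    if any(r is None for r in results.values()):
        return "Evaluation Impossible", results
    ok = evaluate_relation(rule["relation"], results)
    return ("Compliant" if ok else "Not Compliant"), results

if __name__ == "__main__":
    for name, rule in (("Antivirus Software", ANTIVIRUS), ("Critical Patches", CRITICAL_PATCHES)):
        for device in INVENTORY:
            print(name, device, *evaluate_rule(device, rule))
```

For the master this reproduces the result described above: group 1 of Critical Patches evaluates to true because a critical patch is missing, and NOT 1 turns that into an overall Not Compliant.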

Rule 5: NAMP Client Installation Directory

This compliance rule checks that the NAMP client is installed in its default directory and it also finds all devices from which the software was removed.

This rule will use a constant instead of entering a value or selecting it from the lists provided by the search functionality. This rule will have two criteria groups.

Step 1: Create Compliance Constant

Compliance constants can be used in criteria as placeholders for values. The constants defined here may be used in any compliance rule to be defined. To create the constant that represents the Numara Asset Management Platform installation directory proceed as follows:

1 Select the Configuration node and its Constants tab.
2 Select the Edit->Create Constant menu item or select the respective icon in the toolbar.

For results regarding an assigned device group see Option (d) (page 387).

Page 377: Getting Started


3 The Properties dialog box appears on the screen.
4 Enter the following data into the respective fields.

Name: Enter PATH NAMP Client as the constant name.
Type: Select the String value from the dropdown list as the constant's type.
Value: Enter C:\Program Files\Numara Software\Numara AMP as the value that the constant represents.

5 Click the OK button at the bottom of the window to confirm the data for the new constant or click Cancel to abandon without modifications and to close the window.
6 The constant is now added to the table in the right window pane.

Step 2: Create Compliance Rule

The next step is to create the compliance rule:

1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter NAMP Client Installation Directory into the Name field and then click the OK button.
5 The new compliance rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the compliance rule.
7 To add the compliance criteria select the Criteria tab to the right.
8 Currently the table is still empty.
9 As the first step change the Default Operator to OR, as this rule is to find those devices on which the client is installed in a wrong directory OR not installed at all. If we leave the operator at AND, both conditions have to be true, which is not possible.
10 To define the criteria choose the Edit->Add Criteria Group menu item or click the respective icon in the icon bar.
11 The Criteria Group popup window will appear on the screen.
12 Enter Client Path into the Name field. This group will find all devices on which the client is installed in the specified directory.
13 From the Class drop-down list select the Software Inventory option.

Page 378: Getting Started


14 Then select the table from which the criteria is to be chosen from the Table field, i.e. in our case this is the value Installed Software.
15 The Available Criteria box below now displays all criteria available for the selected class and table. Select the criterion Installation Directory.
16 Leave the preselected operator Equal to in the Operator drop-down box.
17 Click the Constant button next to the Value field.
18 The Constants window opens displaying all defined constants.
19 Select the PATH NAMP Client value and click the OK button to close the window.
20 Then click the Add button to add the defined criterion to the Selected Criteria box.
21 Now select the criterion Name from the list of Available Criteria.
22 Click the Find button next to the Value field.
23 The Search Criteria window opens.
24 Select the value Starts with from the Operator dropdown list and enter n into the Value field.
25 Click the Find button next to the Value field.
26 The Results field now displays the possible values, i.e. the list of all installed software applications that start with the letter "n". Select the Numara Asset Management Platform Agent option and then click the OK button to close the window.
27 The selected option now appears in the Value field to the left.
28 Then click the Add button to add the defined criterion to the Selected Criteria box.
29 Click OK to add the criteria group to the rule.
30 Then click the OK button to add the criteria group to the compliance rule.
31 To add a second criteria group that will find all devices on which the NAMP Client is installed click the Edit->Add Criteria Group menu item or icon again.
32 The Criteria Group popup window will appear on the screen.
33 Enter Client Installed into the Name field. This group will find all devices on which the client is installed in the specified directory.
34 From the Class drop-down list select the Software Inventory option.
35 Then select the table from which the criteria is to be chosen from the Table field, i.e. in our case this is the value Installed Software.
36 The Available Criteria box below now displays all criteria available for the selected class and table.
37 Select the criterion Name from the list of Available Criteria.
38 Click the Find button next to the Value field.
39 The Search Criteria window opens.

Page 379: Getting Started


40 Select the value Starts with from the Operator dropdown list and enter n into the Value field.
41 Click the Find button next to the Value field.
42 The Results field displays the same list again; select the Numara Asset Management Platform Agent option again and then click the OK button to close the window.
43 The selected option now appears in the Value field to the left.
44 Then click the Add button to add the defined criterion to the Selected Criteria box.
45 Click OK to add the criteria group to the rule.
46 The table to the right now displays both criteria groups.
47 To activate the compliance rule select the green coloured option active instead of the currently displayed red option inactive in the Status drop-down field.

Step 3: Assign the Compliance Rule to a Group and Evaluate

The compliance rule is now created and active and must be assigned to the devices which are to be verified for compliance, in our example the group Clients and Relays. We cannot use the group All Devices as this one includes the master, which, of course, does not have the NAMP client installed and therefore would always make the group non-compliant. Once the group assignment is done, the rule will immediately verify whether the devices are compliant with the specified criteria and display the result right away in the table.

1 Click the Assigned Objects, then Device Groups node in the left window pane under your newly created compliance rule. The right window pane is empty since no devices have been assigned yet.
2 To do so select the Assign Device Group icon in the icon bar.
3 The Assign to Device Group popup window will appear on the screen.
4 Select the group Clients and Relays from the list.
5 The Clients and Relays group will be added to the table in the right pane with the immediately calculated compliance result.

Page 380: Getting Started


6 Double-click the group to display the members in the table.
7 If the grey question mark icons remain in the table, click the Refresh icon to update the display.
8 This view shows all member devices with their individual evaluation result.
9 Now select the Results tab.
10 This displays the overall result of the group in the form of a pie chart.

15.1 Compliance Reporting

Once data on the compliance situation on individual devices and the network in general is available it may be summarised or detailed by reports. The NAMP console provides a number of report templates specifically for compliance management, which will be explained in the following paragraphs.

We will create and generate some examples of the available templates. You may also create your own style-based reports as explained in the Report chapter earlier in this manual. For a detailed explanation on all available templates refer to chapter Compliance Report Templates on page 55 of the Device Compliance manual.

Report 1: Executive Compliance Summary

This report is already created via the out-of-the-box objects, ready to be assigned to a target and to be generated. Proceed as follows:

1 Open the Compliance folder under the Reports node in the left window pane and select the report Executive Compliance Summary.
2 Go to its Assigned Objects->Compliance Rules node.

Page 381: Getting Started


3 Either choose the Edit->Assign Compliance Rule menu item or click the respective icon in the icon bar.
4 The Assign a Compliance Rule popup window will appear on the screen.
5 Select the Patch and Vulnerability Inventory rule from the window.
6 Click OK to confirm the assignment and close the window.
7 The compliance rule will be added to the table of assigned compliance rules.
8 Then go back to the Executive Compliance Summary report node in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.
11 The report will be created immediately using the current data in the database concerning the assigned compliance rule.
12 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
13 The generation of this type of report may take a little while, therefore reselect the icon until the report appears.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report.

This report displays the compliance rule executive summary.

• Overall Information

• Compliance Rule Summary

Overall Information

The table regarding the overall information displays the contents of the compliance rule by criteria group, i.e. it lists the criteria groups and their relation as well as their criteria and all their connected data and the number of devices that are assigned to the rule.

This window allows you to select the format in which the report will be generated. By default this is HTML. Here you may choose to generate the report in PDF and/or XML as well, or instead, by checking the respective boxes.

The report result which is generated will be put in all the required places according to the reports settings. This means it will be available under the Report Results node of the report, as well as under that of the compliance rule it is assigned to.

Page 382: Getting Started


Compliance Rule Summary

The summary is presented in the form of a pie chart displaying the overall compliance situation of all evaluated devices via its red, green, blue and grey parts.

Report 2: Compliance by Device

This report, too, is already created via the predefined out-of-the-box objects and only requires generation:

1 Select the Compliance by Device report in the left window pane.
2 Go to its Assigned Objects->Compliance Rules node.
3 Either choose the Edit->Assign Compliance Rule menu item or click the respective icon in the icon bar.
4 The Assign a Compliance Rule popup window will appear on the screen.
5 Select the Patch and Vulnerability Inventory rule from the window.
6 Click OK to confirm the assignment and close the window.

Page 383: Getting Started


7 The compliance rule will be added to the table of assigned compliance rules.
8 Then go back to the Compliance by Device report in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.
11 The report will be created immediately using the current data in the database concerning the assigned compliance rule.
12 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
13 The generation of this type of report may take a little while, therefore reselect the icon until the report appears.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report.

This report displays the criteria compliance for each device.

• Overall Information

• Devices

Overall Information

The table regarding the overall information displays the contents of the compliance rule by criteria group, i.e. it lists the criteria groups and their relation as well as their criteria and all their connected data.

Devices

This part shows the compliance situation per device via a table providing more information on the individual device.

Page 384: Getting Started


15.2 Rule Options

The following paragraphs will provide you with a number of options that may be used to modify the compliance rule application.

(a) Assign a Compliance Rule to a Device Group

Instead of assigning a compliance rule to an individual or a number of individual devices for compliance evaluation you may assign it to a group, preferably dynamic.

Proceed as follows to assign the Critical Patches rule (Rule 4) to a group containing All Devices of your network:

1 At Step 2: open the node Compliance Rules->Critical Patches->Assigned Objects->Device Groups.
2 Select the Edit->Assign Device Group menu item or click the respective icon in the icon bar.
3 The Assign to Device Group popup window appears on the screen.
4 Select the All Devices group from the list in the Available Objects box.

Dynamic groups are maintained either via a directory server or a query and their members are updated regularly. For more information refer to chapter Queries and Device Groups Step-by-Step earlier in this manual. You will also find the guidelines there on how to create the group we will be using for the rule assignment in this example. Assigning an operational rule such as the inventory collection will ensure that all devices fulfilling specified requirements will apply this rule, without you having to specifically tell them so.

Page 385: Getting Started


5 Click OK to confirm and close the window.
6 In the right window pane you can now see the device group to which the rule was assigned.
7 If you double-click the group entry it will open in the left window pane and display the list of all devices which are a member of the selected group and their compliance status.

(b) Create Device Groups based on a Compliance Rule

You can create dynamic device groups based on the results of a compliance rule:

• a device group collecting all devices assigned to the compliance rule that are compliant,
• a device group collecting all devices assigned to the compliance rule that are not compliant,
• a device group collecting all devices assigned to the compliance rule that could not be evaluated, as the required data is missing in the database.

Page 386: Getting Started


Once such a group is created its members are updated each time the compliance rule is evaluated. All the possible groups listed above are created in the same way as described below in the example for a device group with compliant devices:

1 Go to the Compliance Management top node in the console.
2 Select the compliance rule for which you want to create a new device group in the right window pane.
3 Either select the Edit->Create Device Group - Compliant menu item or select the respective icon in the toolbar.
4 The new group will be automatically created directly under the main Device Groups node with the same name as that of the compliance rule followed by the suffix (Compliant), to be able to distinguish it if a non compliant and/or not evaluated group is created as well. The non compliant group will have the suffix (Not Compliant) and the group for which the evaluation was impossible (Evaluation Impossible).
5 Now go to the main Device Groups node.
6 You will find the newly created group directly under the main node.
7 If the compliance rule is renamed, the device group will automatically also be renamed.
8 You may rename the device group if necessary, and as long as you do not unassign the group from the compliance rule the group membership will still be updated with each rule evaluation. However, if the compliance rule is renamed, the new custom defined device group name remains.

(c) Add More Criteria to a Compliance Rule

Once a compliance rule is created and the devices were evaluated you might find that it is missing some criteria or might be made more efficient using some more or others. When modifying a rule the following steps need to be executed:

1 Modify the contents of the Antivirus Software rule (Rule 3).
2 Re-evaluate the rule for the assigned target.

Step 1: Modify the Contents of the Antivirus Software Rule

For our example we will modify the Antivirus Software rule by adding a specific version number to each of the antivirus applications.

To do so proceed as follows:

1 Open the node Compliance Rules->Antivirus Software and go to the Criteria tab.
2 In the right window pane you can see all the criteria groups which are currently defined for this rule.
3 Select the first criteria group in the table, i.e. the Norton Antivirus group.
4 Now select the Edit->Properties icon.

Page 387: Getting Started


5 The Criteria Group popup window will appear on the screen containing the already defined criterion in the list field to the right.

6 The Name and Class fields are already preselected and may not be changed, as within a criteria group only criteria of one table may be selected.

7 Select the criterion Version from the Available Criteria box.

8 Leave the preselected Equal to operator in the Operator drop-down box.

9 Below in the Value field enter the required version number or search for it and add it via the Search Criteria window.

10 Then click the Add button to add the defined criterion to the Selected Criteria box.

11 Now click the OK button to close the window and confirm the modifications to the criteria group of the compliance rule.

12 Now select the next criteria group in the table and repeat steps 4 to 11 for both other groups.

Step 2: Re-evaluate Targets

Whenever a compliance rule has been modified in any way, i.e. its contents have changed, the targets assigned to the rule must be re-evaluated. To do so proceed as follows:

1 Click the Assigned Objects, then Devices node in the left window pane under the Antivirus Software rule.
2 Select the already assigned master in the table.
3 Then click the Evaluate icon in the icon bar.
4 The selected device will immediately be re-evaluated with the newly defined criteria and the result will be displayed in this view.

(d) Device Group Results

Device group results are best viewed in the Results tab of the compliance rule. It displays the result of the compliance test of all assigned objects, i.e. devices and/or groups, in the form of a pie chart with some additional information. The pie chart is displayed in red, green, blue and grey: green represents all devices which are compliant, red all non-compliant devices, blue all devices that could not be evaluated due to missing data and grey those that have not yet been evaluated.


Number of devices
This field displays the total number of devices assigned to the rule.

Compliant
The percentage value of all assigned devices which are compliant.

Not Compliant
The percentage value of all assigned devices which are not compliant.

Evaluation Impossible
The percentage value of all assigned devices which could not be evaluated, as the required data are not yet available in the database. This applies only to inventories which are not yet generated. Inventories that are empty, such as patch or vulnerability, because the device has no patches missing and no existing vulnerabilities, will be evaluated compliant or not compliant.

Not Evaluated
This value displays the number of devices, as a percentage value, that have not yet been evaluated for compliance.

Last Evaluation Date
This field displays the date and time of the last evaluation of the compliance rule.

This same view is also available if only an individual device is evaluated, however, the graphic in this case is not really interesting.

(e) Evaluate

It is possible at any time to launch a manual reevaluation of the complete population assigned to a compliance rule. To do so proceed as follows:

1 Either choose the Edit->Evaluate menu item or click the respective icon in the icon bar.
2 The scores will now be reevaluated for all assigned devices and the display will be updated.

(f) OR Operator

To define a group relation under which a device is compliant if it fulfils one out of the two criteria groups, enter the following equation in the Group Relation field:

1 OR 2

In this example this indicates that a device on which the inventory of missing patches was executed no longer than two weeks ago is compliant even if no vulnerability scan was ever executed on it or vice versa.


(g) Exclusive OR

To define a group relation under which a device is compliant if it has one, but ONLY one, of the listed software applications installed, enter the following equation in the Group Relation field:

(1 OR 2 OR 3) AND ((1 AND NOT 2 AND NOT 3) OR (2 AND NOT 1 AND NOT 3) OR (3 AND NOT 1 AND NOT 2))

If this group relation equation is used for the example, then any device on which none of the 3 listed antivirus applications is installed is not compliant, even if it has another antivirus installed, such as AVG. Devices on which more than one of the 3 listed applications is installed are not compliant either: a device on which McAfee and Trendmicro are installed is not compliant, whereas a device on which Trendmicro and AVG are installed is compliant, as AVG is not part of the requirements.
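As an added illustration (not part of the Numara manual or product), the following Python sketch evaluates Group Relation equations of the form shown above against per-group match results and confirms that the exclusive-OR equation holds only when exactly one of the three criteria groups matches. The parser, its operator precedence (NOT, then AND, then OR) and all function names are assumptions made for this example.

```python
import itertools
import re

# Tokens seen in the manual's Group Relation equations: group numbers,
# AND / OR / NOT and parentheses.
_TOKEN = re.compile(r"\s*(\d+|AND|OR|NOT|\(|\))")


def tokenize(equation):
    tokens, pos = [], 0
    equation = equation.strip()
    while pos < len(equation):
        match = _TOKEN.match(equation, pos)
        if match is None:
            raise ValueError(f"unexpected text at offset {pos}: {equation[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class GroupRelation:
    """Recursive-descent parser; precedence NOT > AND > OR is an assumption."""

    def __init__(self, equation):
        self._tokens = tokenize(equation)
        self._pos = 0
        self.tree = self._parse_or()
        if self._pos != len(self._tokens):
            raise ValueError(f"unexpected token {self._tokens[self._pos]!r}")

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self):
        token = self._peek()
        self._pos += 1
        return token

    def _parse_or(self):
        node = self._parse_and()
        while self._peek() == "OR":
            self._take()
            node = ("OR", node, self._parse_and())
        return node

    def _parse_and(self):
        node = self._parse_not()
        while self._peek() == "AND":
            self._take()
            node = ("AND", node, self._parse_not())
        return node

    def _parse_not(self):
        if self._peek() == "NOT":
            self._take()
            return ("NOT", self._parse_not())
        token = self._take()
        if token == "(":
            node = self._parse_or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if token is not None and token.isdigit():
            return ("GROUP", int(token))
        raise ValueError(f"unexpected token {token!r}")

    def evaluate(self, matches):
        """matches maps criteria group number -> True if the group matched."""
        return _evaluate(self.tree, matches)


def _evaluate(node, matches):
    kind = node[0]
    if kind == "GROUP":
        return bool(matches[node[1]])
    if kind == "NOT":
        return not _evaluate(node[1], matches)
    left, right = _evaluate(node[1], matches), _evaluate(node[2], matches)
    return (left and right) if kind == "AND" else (left or right)


def compliant_combinations(equation, group_count):
    """Return every combination of group results for which the rule is compliant."""
    relation = GroupRelation(equation)
    groups = range(1, group_count + 1)
    result = []
    for values in itertools.product([False, True], repeat=group_count):
        if relation.evaluate(dict(zip(groups, values))):
            result.append(values)
    return result


# Equation copied from the Exclusive OR section above.
EXACTLY_ONE = ("(1 OR 2 OR 3) AND ((1 AND NOT 2 AND NOT 3) OR "
               "(2 AND NOT 1 AND NOT 3) OR (3 AND NOT 1 AND NOT 2))")

if __name__ == "__main__":
    for combo in compliant_combinations(EXACTLY_ONE, 3):
        print(combo)
```

Enumerating the combinations before saving a rule shows which device states it will report as compliant, which is a quick way to catch a misplaced NOT or parenthesis.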

(h) Critical Patches for Windows

To limit the verification of Rule 4: to all Windows operating systems another criterion must be added to the rule and its existing criteria group.

1 Before Point 17 (page 375) the following second criterion must be added to the group:
2 In the Available Criteria box select the criterion Product Family.
3 Select the operator Contains in the Operator drop-down box.
4 Enter the value Windows into the Value field. Thus the rule will verify only those patches that concern any type of Windows operating system.
5 Then click the Add button to add the defined criterion to the Selected Criteria box.
6 Continue with step 17.

(i) Critical and Important Patches for IE

To limit the verification of Rule 4: to the Microsoft Internet Explorer and also add the important patches as a requirement, some more criteria groups must be added to the rule.

1 After Point 17 (page 375) the following criteria groups must be added to the rule:
2 Another group of the same type must be created for the severity Important.
3 Select the Edit->Add Criteria Group menu item or click the respective icon in the icon bar.
4 The Criteria Group popup window will appear again on the screen.
5 Enter Important Patches into the Name field.
6 In the Class drop-down list select the Patch Inventory option.
7 Select the criterion Severity.
8 Leave the preselected operator Equal to in the Operator drop-down box.
9 Click the Find button next to the Value field.
10 The Search Criteria window opens.
11 The Results field now displays the possible values, i.e. the list of all grades of severity. Select the Important option and then click the OK button to close the window.
12 Then click the Add button to add the defined criterion to the Selected Criteria box.
13 Click OK to add the criteria group to the rule.
14 To add the criterion for the Internet Explorer select the Edit->Add Criteria Group menu item or click the respective icon in the icon bar.
15 The Criteria Group popup window will appear again on the screen.
16 Enter Internet Explorer into the Name field.
17 In the Class drop-down list select the Patch Inventory option.
18 Then in the Available Criteria box select the criterion Product Family.
19 Click the Find button next to the Value field.
20 The Search Criteria window opens.
21 Click the Find button next to the Value field again.
22 The Results field now displays the possible product families. Select the Internet Explorer option and then click the OK button to close the window.
23 Then click the Add button to add the defined criterion to the Selected Criteria box.
24 Click OK to add the criteria group to the rule.


25 Now in the Group Relation box enter the following equation:

NOT ((1 AND 3) AND (2 AND 3))

1 being the critical patches, 2 the important ones and 3 Internet Explorer.
26 Continue with step 17.


16 Setting Up Security

Security in the Numara Asset Management Platform must be set up on two different levels: on the clients and on the console.

16.1 Capabilities and Access Rights

The security of the console is enforced through the administrators and administrator groups registered in the Numara Asset Management Platform database.

Each administrator and administrator group has a CCL (Capability Control List) which dictates what it can do. The administrators and administrator groups nodes and their capability definitions specify the access to the console in general, i.e. who may interrogate or manipulate the database and its contents.

The access of administrators to objects is restricted by an ACL (Access Control List) that includes the following possibilities: READ/WRITE/ASSIGN. The Security Profile node or the Security tab define these access rights for specific objects.

When you log on to the console for the first time and go to the Administrators node under the Global Settings node you will find two administrators have already been created:

admin
The admin user is equipped with all permissions and capabilities, i.e. it has full access rights on all objects in the database. It may not be deleted; its password may be modified, but not its capabilities. It may also be regarded as the superadministrator.

system
The system user is the login used by the master server itself for all database actions which it executes automatically, such as those of the data mover or autodiscovery module. None of its settings may be modified. The icon of this administrator is greyed out to indicate that the account is not activated.

16.2 Security Considerations

Before you start to create administrators and groups, you should sketch your system and the people administrating it, and establish a list of all tasks to be executed and by whom, in order to define which administrators and groups to create and which capabilities and access rights to assign to them.

Considerations to be taken into account when defining the access rights to the objects for each administrator are the following:

1 Capabilities:
• Which object types is the administrator or group concerned with?
• Which other objects are implicated through the original object, such as when you create or modify queries, do you also need to be able to see the queries’ object type?
• What operations is the administrator or group to execute on the object type: only see it or be able to do something with it, such as creating new objects of this type, modify existing ones or deleting them, being able to assign them to object of other types, etc.?

2 Access Rights:


• Which top nodes does the administrator need access to, is it easier to provide access via a group and then populate it accordingly?
• For which object types is it necessary to create queries to make sure any newly created objects of the type will be accessible by administrators through the dynamic objects?
• To which other object types do you need at least read access, e.g.,
  for reports you need at least read access to some queries, devices and device groups,
  for operational rules and packages you need read access to some device groups and devices.

No general security is specified for the following main nodes: Administrators, Administrator Groups and Directory Servers; their security is specified via their members. All these nodes are located under the Global Settings.

16.3 Basic Operation Principles

The following list shows which capability and access types are needed for which basic operation. The capabilities and access rights listed are the minimum requirements to execute these operations, but of course the administrator may have more extensive permissions than those. For example, where Write Access Deny is specified, this means that no write access is necessary to execute this operation, but of course the administrator may be assigned write access to these objects anyway.

Groups are divided into two different types: those with and those without the capability populate. User and device groups have the additional capability populate. The capabilities for administrator groups are the same as for administrators, thus they do not have the capability populate. Vulnerability groups do not have this capability either; they collect their members according to specific criteria. Administrator and vulnerability groups are treated not as groups but as folders; to learn about their basic operating principles see the explanations concerning folders in the following paragraphs.

Also, be aware, that to be able to assign or modify access rights for other administrators you also must be assigned the capability Manage Security.

Create/Delete an Object in a Folder

When you want to create an object within a folder or delete one from a folder you need the following capabilities and access rights:

• View and manage capabilities of the object type,
• Write access on the object under which the new one is created.

By default the administrator creating the new object has read/write/assign access on this new object.

Example:
To create a new operational rule under a folder called My Operational Rules or to delete it you need:

Capabilities
View Operational Rules
Manage Operational Rules

Access Rights
Read Allow, Write Deny on the Operational Rules top node,
Read Allow and Write Allow on the folder My Operational Rules.

Create/Delete an Object in/from a Group

To create an object within a group or to delete it from there you need the following capabilities and access rights:

• View and populate capabilities on the group.
• Write access on the object itself and its parent.

Example:
To delete a device called MyDevice from the group called AllMyDevices you need:

Capabilities
View Devices and Device Groups
Manage Devices


Populate Device Groups

Access Rights
Read Allow, Write Deny on the Device Groups top node,
Read Allow and Write Allow on the group AllMyDevices and the device called MyDevice.

Modify an Object

To modify the attributes of an object you need the following capabilities and access rights:

• View and manage capabilities of the object type,
• Read and write access on the object.

Export an Object

To export an object from the console you need the following capabilities and access rights:

• View capability of the object type,
• Read access on the object to be exported.

Import an Object

When you want to import an object you need the following capabilities and access rights:

• View and manage capabilities of the object type,
• Write access on the object under which the new one is imported (created).

By default the administrator importing the object has read/write/assign access on this new object.

Manage Access Rights (Security) of an Object

To be able to modify the security profile of an object you need the following capabilities and access rights:

• View and manage Security Profile capabilities,
• View capability on administrators,
• View capability on the object type,
• Write access on the object for which the access rights are to be modified.

Example:
To modify the access rights administrator France has on a specific device, the MasterServer, you need the following permissions:

Capabilities
View and manage Security Profile capabilities,
View capability on administrators,
View capability on devices,

Access Rights
Read Allow, Write Deny on the Device Groups top node,
Read Allow and Write Allow on the device MasterServer

Add an Object to/Remove an Object from a Folder

To add an object to or remove an object from a folder you need the following capabilities and access rights:

• View and manage capabilities on the object type,
• Read and write access on the parent object to/from which the child object is to be added/removed and Read access on the child.

Example:
To add a query, AllDevices, to an existing folder, General Queries, you need:

Capabilities
View Queries
Manage Queries

Access Rights
Read Allow, Write Deny on the Queries top node,
Read Allow and Write Allow on the folder General Queries and Read Allow on the query AllDevices.


Add an Object to/Remove an Object from a Group

To add an object to or remove it from a group you need the following capabilities and access rights:

• View and populate capabilities on the group (parent object type), and view capability on the member (child object type),
• Read and write access on the group (parent object) to/from which the member (child object) is to be added, and read access on the child.

Example:
To add a device, MyDevice, to an existing device group, MyGroup, you need:

Capabilities
View Device Groups
Populate Device Groups
View Devices

Access Rights
Read Allow, Write Deny on the Device Groups top node,
Read Allow and Write Allow on the device group MyGroup and Read Allow on the device MyDevice.

Cut and Paste an Object

The cut and paste operation on an object is divided into two different actions: the cut action and the paste action, as cut objects, depending on their type, may be pasted under more than one parent object.

• View and manage or populate (for device and user groups) capabilities on the object type
• Read and write access on the old and new parent object, read access on the object to be cut and pasted.

Example:
In this example we will cut the My Operational Rule object from its current parent, the My Operational Rules folder, and paste it under a new folder called Test Rules.

Capabilities
View Operational Rules
Manage Operational Rules

Access Rights
Read Allow, Write Deny on the Operational Rules top node,
Read Allow and Write Allow on the objects Test Rules and My Operational Rules,
as well as Read Allow on the My Operational Rule object.

Copy and Paste an Object (Duplication)

Similar to the cut and paste operation, the copy and paste is also split into two operations. Only administrators, devices, users and device and user groups can be copied from one location to another (be duplicated), as they can be members of more than one group. You may also duplicate members of folders, but in this case the pasted member must be given a new name.

• View and manage or populate (for device and user groups) capabilities of the object type,
• Read and write access on both, the old and new, and read access on the object to be copied,

A duplicating operation on an object requires the exact same permissions regarding capabilities and access rights as the copy and paste operation.

Example:
For the following example we want to copy a device, which belongs to a group called HQ Devices, to another group called Servers.

Capabilities
View Device Groups
Populate Device Groups
View Devices

Access Rights
Read Allow, Write Deny on the Device Groups top node,


Read and Write Allow on the group HQ Devices as well as Read and Write Allow on the group Servers.
Read Allow on the device.

Synchronise with a Directory Server

All groups, including the administrator groups, may be synchronised with a directory server in NAMP. For this the administrator needs the following capabilities and access rights:

• View, manage and populate capabilities on device/user groups (parent), or view and manage capabilities on administrators (parent),
• View capability on devices/users,
• View and manage capability on directory servers (child)
• Read and Write access on the device/user group (parent), or Read and Assign access on the administrator group (parent)
• Read access on the administrators/devices/users and
• Read and Write access on the directory server (child), if it populates a device or user group or Read and Assign access, if it populates an administrator group.

Example 1:
For the following example we synchronise our new device group called MyNewGroup, with an existing directory server, for example called AllLabClients.

Capabilities
View Device Groups
Manage Device Groups
Populate Device Groups
View Devices
View Directory Servers
Manage Directory Servers

Access Rights
Read Allow, Write Deny, on the Device Groups top node,
Read and Write Allow on the device group, MyNewGroup,
Read and Write Allow on the directory server AllLabClients,
Read Allow on (some) clients of the directory server.

The Manage capability and Write access to the group are necessary, as the group name changes to the name of the directory server group as soon as it is synchronised with the server. The Manage capability for the devices is not required, as it is the system which will create the new objects that are added to the group. Therefore you will also not be able to see these new group members, if you do not have at least Read access to the children of the synchronised group.

Example 2:
For the following example we synchronise an administrator group called MyNewAdmins, with an existing directory server, for example called AllLabAdmins.

Capabilities
View Administrators
Manage Administrators
View Directory Servers
Manage Directory Servers

Access Rights
Read and Write Allow on the administrator group, MyNewAdmins,
Read and Write Allow on the directory server AllLabAdmins,
Read Allow on (some) administrators of the directory server.

The Manage capability and Write access to the group are necessary, as the group name changes to the name of the directory server group as soon as it is synchronised with the server.


Assign/Unassign an Object to/from Another Object

When assigning/unassigning an object to/from an object of another type, two basic concepts must be distinguished:

• Assign an object to/unassign an object from a group (that causes the contents of the group to change)
• Assign an object to/unassign an object from another object (without content modification)

1 Assign an Object to/Unassign an Object from a Group:
To assign/unassign an object to a group that modifies its content (queries, directory servers and compliance rules) you need the following capabilities and access rights. Be aware that administrator groups are handled as usual like folders (see below), not like groups.

• View and populate capabilities for group (parent)
  if the directory server is to be synchronised as well, not only to be assigned, you also need the manage capability
• View capability on the object to be assigned (child),
• Read and write access on the parent and read access on the child.

Example:
To assign a query, AllServers, to device group AllServersFrance you need the following permissions:

Capabilities
View and populate device groups
View queries

Access Rights
Read Allow, Write Deny on the Device Groups top node,
Read Allow and Write Allow on the group AllServersFrance and Read Allow on query AllServers.

2 Assign/Unassign an Object to another Object
To assign/unassign an object to/from another object, such as operational rules, packages, transfer windows, etc., you need the following capabilities and access rights:

• View and assign capabilities on the target object (parent),
• View and assign capabilities on the object to be assigned (child),
• Read access on the parent and read and assign access on the child.

Example:
To assign a transfer window, HighSpeedDownstream, to a device ServerFrance you need the following permissions:

Capabilities
View and assign transfer windows and devices

Access Rights
Read Allow, Write Deny on the Transfer Windows top node,
Read Allow and Assign Allow on the device ServerFrance and Read Allow on transfer window HighSpeedDownstream.

The following table recapitulates the required capabilities and access rights to manage assignments between the different non-modifying database objects with the understanding that the view capability as well as read access is always required on both the parent and child object:

Parent | Child | Child Capabilities | Parent Access | Child Access
Compliance Rule | Report | Assign Report | Assign | Read
Device | Compliance Rule | Assign Compliance Rule | Assign | Read
Device | Inventory Filter | Assign Filters | Assign | Read
Device | Managed Application | Manage Managed Applications | Assign | Read
Device | Monitored Object | Assign Monitored Objects | Assign | Read
Device | Operational Rule | Assign Operational Rules | Assign | Read
Device | Package | Assign Packages | Assign | Read
Device | Patch Group | Assign Patch Groups | Assign | Read
Device | Rollout | Assign Rollout | Assign | Read
Device | Task | Assign Task | Assign | Read
Device | Transfer Window | Assign Transfer Windows | Assign | Read
Device Group * | Compliance Rule * | Assign Compliance Rule | Assign | Read
Device Group | Inventory Filter | Assign Filters | Assign | Read
Device Group | Managed Application | Manage Managed Applications | Assign | Read
Device Group | Monitored Object | Assign Monitored Objects | Assign | Read
Device Group | Operational Rule | Assign Operational Rules | Assign | Read
Device Group | Package | Assign Packages | Assign | Read
Device Group | Patch Group | Assign Patch Groups | Assign | Read
Device Group | Report | Assign Reports | Assign | Read
Device Group | Rollout | Assign Rollout | Assign | Read
Device Group | Task | Assign Task | Assign | Read
Device Group | Transfer Window | Assign Transfer Windows | Assign | Read
Operational Rule | Monitored Object | Manage Monitored Objects | Assign | Read
Operational Rule | Task | Assign Task | Assign | Read
Package | Operational Rule | Manage Operational Rules | Write | Write
Patch Group | Package | Manage Patch Groups | Write | Write
Patch Group | Task | Assign Task | Assign | Read
Port List | Scan | Assign Scan | Assign | Read
Prohibited Applications | Schedule Template | Manage Scheduled Templates | Assign | Read
Push Rollout | Task | Assign Task | Assign | Read
Query | Sub-Report | Manage Reports | Write | Write
Rollout | User Account | Populate Rollout | Assign | Read
Scan | Task | Assign Task | Assign | Read
Scan Configuration | Scan | Assign Scan | Assign | Read
Scanner | Scan | Assign Scan | Assign | Read
Target List | Scan | Assign Scan | Assign | Read
User | Operational Rule | Manage Operational Rules | Assign | Read
User Group | Operational Rule | Manage Operational Rules | Assign | Read
Vulnerabilities | Task | Assign Task | Assign | Read
Vulnerability Group | Report | Assign Reports | Assign | Read

* The assignment of a compliance rule to a device group in this case is used by the compliance rule to check the group members for their compliance.

The following table recapitulates the required capabilities and access rights to manage assignments between the different database objects concerning their population. Same as with the table above, the view capability as well as read access is always required on both the parent and child object:

Parent | Child | Parent Capabilities | Parent Access | Child Access
Administrator Group | Directory Server | Manage Administrators | Write | Read
Device Group * | Compliance Rule * | Populate Device Groups | Write | Read
Device Group | Directory Server | Populate Device Groups | Write | Read
Device Group | Query | Populate Device Groups | Write | Read
User Group | Directory Server | Populate User Groups | Write | Read
User Group | Query | Populate User Groups | Write | Read


* The assignment of a compliance rule to a device group here actually populates the device group with the result of its compliance check, i.e. the group will contain all compliant devices, all non-compliant devices or those which could not be evaluated.

16.4 Specific Cases

While for most objects of the NAMP database security on the capabilities and access levels can be defined in the same way, there are some exceptions to the rule, which are detailed as follows.

• Administrator Capabilities
• Devices and Device Groups
• Modifying Administrator Rights
• Device Topology
• Vulnerability Management

16.4.1 Administrator Capabilities

The administrators, their groups and their capabilities have specific requirements regarding their security settings for both the capabilities as well as in the definition of their access.

Capabilities
The capabilities defined for the operation with administrators, administrator groups and capabilities are the same. This means that there is no distinction between working on an individual administrator and working with a group. It also includes working on the capabilities through their specific node. For example, if an administrator is assigned the capability to manage administrators, he will also be able to create administrator groups and he can also modify or delete these groups as well as modify their capabilities, through the Modify Capabilities tab or through the Capabilities node.

Access Rights
As you can see on the console, neither the Administrators nor the Administrator Groups node has a security tab. Access rights must therefore be defined individually through the Security Profile node or the Security tab of the respective administrator or administrator group.

16.4.2 Devices and Device Groups

Devices and device groups are a specific case, as devices cannot be seen or accessed in any way if the corresponding permissions, capabilities and access rights, have not been accorded to the device groups they are a member of.

Capabilities
Contrary to the administrators and their groups, devices and device groups have separate capabilities which must be assigned. Assigning the capabilities for device groups follows the general rules, but if devices are to be viewed/managed as well you need to specify these capabilities separately as well. Device groups also have an extra capability, Populate, which must be defined when the content of the group is concerned, such as when you manually add or remove a device from a group or when the group is to be dynamically managed through a query or a directory server.

Access Rights
Devices may be accessed under two different nodes: the Device Topology and the Device Groups nodes. How to define the access to the devices in the Device Topology is explained in the following paragraph, and may be sufficient for a specific type of administrator. However, in other cases, it may be useful for administrators to be able to access their devices via the Device Groups node. For this to be possible, you need to assign at least read access to the Device Groups top node as well as any other device group (including its hierarchy structure to access the respective group) the administrator needs to access.


16.4.3 Modifying Administrator Rights

When a new administrator is created in the database, he is automatically added to his own Security tab with the following access rights defined: Read Allow and Write Deny. Through this the newly created administrator is able to see himself in the console and to check his capabilities, for example, but he cannot make modifications to any of his settings.

When an administrator is to modify access rights to a specific object he must have the following capabilities and rights:

Capabilities
View Administrators
View Security
Manage Security
View Object Type
Manage Object Type

Access Rights
Read and write access on the object itself.

It is strongly recommended to NOT provide the general administrators with the possibility to modify their security settings, only the superadministrator should have this option. If administrators can modify their own settings they may gain access to objects, to which they should not.
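The minimum requirements listed in section 16.3 for adding a device to a group and in section 16.4.3 for modifying access rights can be modelled as data and checked against an administrator's CCL and ACL, for example to find accounts able to change their own security settings. This Python sketch is an added example, not Numara code; the data model (capabilities as strings, an ACL keyed by object name that holds the rights set to Allow) and all function names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Administrator:
    name: str
    capabilities: set = field(default_factory=set)  # CCL, e.g. "View Devices"
    acl: dict = field(default_factory=dict)          # object -> rights set to Allow


@dataclass(frozen=True)
class Requirement:
    capabilities: tuple  # capability names that must be present in the CCL
    access: tuple        # (object name, right) pairs that must be Allow


def missing(admin, requirement):
    """List what the administrator lacks for the operation (empty = permitted)."""
    gaps = [f"capability: {cap}" for cap in requirement.capabilities
            if cap not in admin.capabilities]
    gaps += [f"access: {right} on {obj}" for obj, right in requirement.access
             if right not in admin.acl.get(obj, set())]
    return gaps


def add_device_to_group(group, device):
    """Minimum from 'Add an Object to/Remove an Object from a Group'."""
    return Requirement(
        capabilities=("View Device Groups", "Populate Device Groups", "View Devices"),
        access=(("Device Groups", "Read"), (group, "Read"), (group, "Write"),
                (device, "Read")),
    )


def modify_access_rights(object_type, obj):
    """Minimum from 'Modifying Administrator Rights' for a single object."""
    return Requirement(
        capabilities=("View Administrators", "View Security", "Manage Security",
                      f"View {object_type}", f"Manage {object_type}"),
        access=((obj, "Read"), (obj, "Write")),
    )


def can_modify_own_security(admin):
    """True if the account meets the minimum to edit its own access rights."""
    return not missing(admin, modify_access_rights("Administrators", admin.name))


def audit_self_modification(admins, superadministrator="admin"):
    """Names of accounts, other than the superadministrator, that can do so."""
    return sorted(a.name for a in admins
                  if a.name != superadministrator and can_modify_own_security(a))


# Constructed sample accounts (illustrative values, not taken from a real system).
FRANCE = Administrator(
    name="France",
    capabilities={"View Device Groups", "View Devices", "View Administrators"},
    acl={"France": {"Read"},        # default on creation: Read Allow, Write Deny
         "Device Groups": {"Read"},
         "MyGroup": {"Read"},
         "MyDevice": {"Read"}},
)
HELPDESK = Administrator(
    name="Helpdesk",
    capabilities={"View Administrators", "Manage Administrators",
                  "View Security", "Manage Security"},
    acl={"Helpdesk": {"Read", "Write"}},
)

if __name__ == "__main__":
    print(missing(FRANCE, add_device_to_group("MyGroup", "MyDevice")))
    print(audit_self_modification([FRANCE, HELPDESK]))
```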

16.4.4 Device Topology

The Device Topology node is not an object in the database and as such does not have a specific Security tab defining its accessibility and it cannot be included in the Security Profile either. It will thus always be part of the directory tree of every administrator, even if some of them cannot see anything under the top node. To view devices under this node:

• The administrator has at least the View Devices capability.
• The administrator must have at least read access to the devices. Be aware that he needs read access to the complete hierarchy to these devices, i.e. to the master as well as all the relay hierarchy under which the devices are located.

To provide your administrator with read access to all devices in the system in the Device Topology node, the following steps must be executed:

1 Create a query searching for all devices.
2 Create a security access via a Security Profile for the administrator.

1. Creating Query

For the first step, how to create a query, please see the respective earlier chapters in this manual. The query AllDevices was imported with the Out-of-the-Box objects.

2. Defining the Security Access

The action which remains to be done is to create the appropriate access rights for the administrator to be able to see them in the topology.

1 Connect as the superadministrator Admin to the console.
2 Go to the administrator’s node, and select its Security Profile node, the Capabilities tab will be displayed.
3 Select a row in the table and then the Edit->Properties menu item or the respective icon in the icon bar.
4 The Properties dialog box will appear on the screen.
5 Check at least the View capability for devices, then click the OK button to confirm.
6 Then select the Dynamic Objects tab.
7 Select the Edit->Add Query menu item or the respective icon in the icon bar.
8 The Select Dynamic Objects dialog box will appear on the screen, displaying all queries.
9 Select again the AllDevices query from the list.
10 In the Properties dialog box leave the Allow radio button for Read, Write and Assign Access checked. Remember here you are not assigning access to the query itself, but to its result, i.e. the devices it will collect.
11 Click OK to add the object and close the dialog box.


3. Verifying the Assignments and Access Rights

Now to check if everything works as intended proceed as follows:

1 Log off the console.
2 Re-logon to the console as the new administrator.
3 When the console opens on your screen, you should see at least the following top nodes, depending on which capabilities you assigned additionally:
   • Search
   • Global Settings
   • Device Topology
4 Now select the Device Topology node.
5 In its Members tab you will find the same list of devices as in the group.
6 If you select the Graph tab, you will see all your devices in form of the graph.

Having executed all these operations your administrator can see all managed devices in your system. However, this complete view may be limited by removing access to all devices which he is not supposed to see. This can be done via the query through more restrictive criteria.
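The visibility rule of section 16.4.4 (View Devices capability plus read access to the whole master and relay chain above a device) can be modeled as a short check. This is an added illustration, not NAMP code; the `Device` and `Admin` classes, the function names and the sample device names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

VIEW_DEVICES = "View Devices"  # capability name as used in this chapter


@dataclass
class Device:
    name: str
    parent: Optional[str]  # relay (or master) directly above; None for the master


@dataclass
class Admin:
    name: str
    capabilities: Set[str] = field(default_factory=set)
    # Devices for which the Security Profile yields Read: Allow,
    # for example the result of a query such as AllDevices (modeled as a set).
    read_allowed: Set[str] = field(default_factory=set)


def hierarchy(devices: Dict[str, Device], name: str) -> List[str]:
    """Chain from a device up to the master, inclusive."""
    chain: List[str] = []
    current: Optional[str] = name
    while current is not None:
        if current in chain:
            raise ValueError("cycle in relay hierarchy at " + current)
        chain.append(current)
        current = devices[current].parent
    return chain


def blockers(admin: Admin, devices: Dict[str, Device], name: str) -> List[str]:
    """Reasons a device stays hidden; an empty list means it is visible."""
    reasons: List[str] = []
    if VIEW_DEVICES not in admin.capabilities:
        reasons.append("missing capability: " + VIEW_DEVICES)
    reasons += ["no read access: " + node
                for node in hierarchy(devices, name)
                if node not in admin.read_allowed]
    return reasons


def visible_devices(admin: Admin, devices: Dict[str, Device]) -> List[str]:
    """Devices the administrator would see under Device Topology in this model."""
    return sorted(n for n in devices if not blockers(admin, devices, n))


# Constructed sample topology: one master, two relays, three clients.
TOPOLOGY = {d.name: d for d in [
    Device("master01", None),
    Device("relay-eu", "master01"),
    Device("relay-us", "master01"),
    Device("pc-eu-1", "relay-eu"),
    Device("pc-eu-2", "relay-eu"),
    Device("pc-us-1", "relay-us"),
]}

full = Admin("full", {VIEW_DEVICES}, set(TOPOLOGY))
# A more restrictive query that returns pc-eu-1 but leaves out its relay.
partial = Admin("partial", {VIEW_DEVICES},
                {"master01", "relay-us", "pc-us-1", "pc-eu-1"})
# Read access everywhere, but the View Devices capability was never granted.
no_cap = Admin("no_cap", set(), set(TOPOLOGY))

if __name__ == "__main__":
    for admin in (full, partial, no_cap):
        print(admin.name, visible_devices(admin, TOPOLOGY))
    print(blockers(partial, TOPOLOGY, "pc-eu-1"))
```

When a restrictive query is used to narrow the view, the `blockers` output shows which relay or master has to be part of the query result before a device below it can appear.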

16.4.5 Vulnerability Management

The Vulnerability Management presents the following specific situations:

Wizards

To be able to launch the scanning wizard an administrator needs to have the VM view capabilities on scan configurations, target lists and devices as well as the manage and assign capability on scan configurations.

The wizard may either use existing objects or create new ones. Be aware that to create new objects you need the manage capability for the top node of the respective object or at least one of its folders. By default objects created with the wizard will be located directly under the object's top node. If you do not have access to this node the new object will be created in the first folder for which you do have access rights. Otherwise, i.e. if you do not have access to any of the objects of the type, the object created via the wizard will be stored under the Lost and Found node.

Scan Targets

Target lists in VM may consist of devices known to the database, thus with defined security, and devices without NAMP agent. Once a scan is executed on a target list the vulnerability inventory will be available via the console, and the administrator who created the scan may see the inventory for all the devices to which he was not expressly forbidden access. As yet unknown devices without NAMP agent will be added to the database now with the status 'scanned' and no security defined, and any administrator with read access on the respective target list and thus the target devices can view the scan results.

Scanners

To define a device as a scanner or remove it from this functionality the Manage capability as well as Write access rights on the respective device are required.

As scans are assigned to their scanner and not to a top node of this type, when removing a device as a scanner all scans assigned to this scanner will also be removed. The administrator therefore also must have the capability Scan - Manage, as well as the Write access rights to all scans and folders defined under the respective scanner.

16.5 Scenarios

This paragraph provides a number of example security scenarios. Each describes the environment in which it is set up, what exactly happens when trying to access, and what needs to be defined to ensure the respective scenario works according to definition.

We propose that you create these profiles not for individual administrators but for administrator groups. This makes it easier to add new admins with the same profile and to make sure there always is at least one administrator of the specific profile. The administrator in these cases will be created with no capabilities and no access rights; all these will be given to him via the groups he is a member of.


Also we assume that the Out-of-the-box objects have been imported, as they contain a number of very useful settings which we refer to in the following scenarios.

• New Administrator with System Logon
• User Administrator
• Read-Only Administrator
• Installer
• Reporting
• Scan Administrator
• Vulnerability Manager
• Compliance Analyst
• Compliance Manager

16.5.1 New Administrator with System Logon

The following scenario describes what happens when an administrator tries to log on to the console:

• that has never before tried to log on,
• that is not yet created in the NAMP database as an administrator but
• who has a valid local system logon.

For this to work, you must however have activated the option to create new administrators via their system logon. To make sure this option is activated proceed as follows, as by default it is deactivated:

1 Go to the Global Settings->System Variables and its Security tab.
2 Select the entry in the right window pane.
3 Then select the Edit->Properties menu item or the respective icon in the icon bar.
4 The Properties dialog box will appear on the screen.
5 Check the box in the window and then click the OK button to confirm.
6 The required option is now activated.

As the user is not registered in the database, he can only use his local system logon to log on to the Numara Asset Management Platform Console. The following happens:

1 The user logs on with his system logon and password.
2 Basic authentication is executed via the HttpProtocolHandler:

   a The HTTP protocol handler verifies with the Host Access module if the requesting client is authorised to connect to the master server. If no modifications have been made in the Host Access module since startup the requesting client is authorised.

   b Then the HTTP protocol handler verifies with the User Access module if the supplied login and password are authorised. When checking the table of configured users the handler will find an equivalent as system and authorise the login.

   c Then the vision64database module will verify with the database if an administrator user exists for this login/password pair, which is not the case. As the login was authorised beforehand, the database module will create a new user with the provided login and password in the access list. However, no capabilities and access rights are assigned at creation time.

   d Now the console window will appear on the screen with a connection to the requested master server, but the displayed contents are very limited:

     He will only be able to see the following top nodes: Search, Global Settings, Device Topology and Events. However, he will not be able to view any devices in the Device Topology nor will he be able to execute operations on Global Settings subnodes. As he has no capabilities assigned either, he will not be able to execute any operations on the visible nodes and objects in the console.

This scenario will only work if the default system administrator creation is activated which is not the case by default. To activate it proceed as follows:

1 Log on to the console with the predefined admin login.
2 Then go to the Global Settings and the System Variables node.
3 Select the Security tab.
4 Mark the value in the right window pane.
1 Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
2 The Properties popup window will appear on the screen.
3 Check the Create Default System Administrator box.
4 Then click OK to confirm and close the window.

16.5.2 User Administrator

The user administrator scenario describes the security settings to be defined for administrators who have quite far reaching rights, similar to the system administrator, i.e., they may access all objects and types apart from the actual system settings.

1 Log on to the console with a superadministrator or the admin login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called UserAdmins.
4 Select the Security Profile node below and in the Capabilities tab.
1 Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
2 The Properties popup window will appear on the screen.
3 In the Modify Capabilities tab select ALL capabilities and then deselect the following:
   • Both Administrator capabilities
   • Both System Variables capabilities
   • Both Security Profile capabilities
   • Both License capabilities
4 Then click OK to confirm and close the window.
5 Then go to the Static Objects tab and via the Properties popup window select all Top Nodes to be added to the static objects with Read, Write and Assign rights Allowed.
6 In the Dynamic Objects tab add all queries which can be found under the folder Numara Asset Management Platform Database apart from the All Administrators and All Administrator Groups queries with Read, Write and Assign rights Allowed via the Properties popup window. These queries ensure that the administrator will have access to all objects of any type that will be created in the future by any other administrator.

Remarks regarding this configuration:

• We consider administrators and administrator groups part of the system management and therefore have excluded them from the field of activity of the user administrator.

16.5.3 Read-Only Administrator

The Read-Only administrator is somewhat an equivalent of the user administrator without the permission for modification. This type of administrator might be interesting for the head of the IT department to have an overview of the whole system and what goes on in it without active intervention.

1 Log on to the console with a superadministrator or the admin login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called ReadOnly.
4 Select the Security Profile node below and in the Capabilities tab.
1 Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
2 The Properties popup window will appear on the screen.
3 In the Modify Capabilities tab select ALL View capabilities apart from the following:
   • View Administrator
   • View System Variables
   • View Security Profile
   • View License
4 Then click OK to confirm and close the window.
5 Then go to the Static Objects tab and via the Properties popup window select all Top Nodes to be added to the static objects with Read right Allowed, and Write and Assign rights Denied.
6 In the Dynamic Objects tab add all queries which can be found under the folder Numara Asset Management Platform Database apart from the All Administrators and All Administrator Groups queries with Read right Allowed, and Write and Assign rights Denied via the Properties popup window. These queries ensure that the administrator will be able to see all objects of any type that will be created in the future by any other administrator.

Remarks regarding this configuration:

• We consider administrators and administrator groups part of the system management and therefore have excluded them from the field of activity of the read-only administrator.

16.5.4 Installer

This scenario describes the security settings to be defined for an administrator who only executes agent rollouts across the network.

1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Installer.
4 Select the Security Profile node below and in the Capabilities tab.
1 Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
2 The Properties popup window will appear on the screen.
3 In the Modify Capabilities tab select the following capabilities:
   • All Rollout capabilities
   • All Device capabilities
   • View and Manage Device Group capabilities - no Populate capability
4 Then click OK to confirm and close the window.
5 Then go to the Static Objects tab and via the Properties popup window add the following static objects:
   • Device Groups top node with Read and Assign Access: Allow and Write Access: Deny
   • Rollouts top node with Read, Write and Assign Access: Allow
6 In the Dynamic Objects tab add the following dynamic objects via the Properties popup window:
   The following queries to be found in the Numara Asset Management Platform Database folder:
   • All Devices and All Device Groups queries with Read Access: Allow and Write and Assign Access: Deny
   • All Rollout Folders and All Rollouts queries with Read, Write and Assign Access: Allow.

16.5.5 Reporting

This type of administrator profile is created for users who only create reports, but reports regarding any object in the database.

1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Reporting.
4 Select the Security Profile node below and in the Capabilities tab.
1 Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
2 The Properties popup window will appear on the screen.
3 In the Modify Capabilities tab select ALL View capabilities apart from the following:
   • View System Variables
   • View Security Profile
   • View Agent Configuration
   • View Direct Access
   • View Remote Control
4 Then in addition check the following capabilities:
   • Manage Query
   • Manage and Assign Report
5 Then click OK to confirm and close the window.
6 Then go to the Static Objects tab and add the following top nodes with the following access rights via the Properties popup window:
   • Device Groups top node with Read and Assign Access: Allow and Write Access: Deny
   • Queries and Reports top nodes with Read, Write and Assign Access: Allow
7 In the Dynamic Objects tab add via the Properties popup window all queries of the Numara Asset Management Platform Database folder with access rights Read Access: Allow and Write and Assign Access: Deny apart from the following which will also be added but with different access types:
   • All Devices, All Device Groups and All Vulnerability Groups queries with Read and Assign Access: Allow and Write Access: Deny
   • All Query Folders and All Queries, as well as All Report Folders and All Reports queries with Read, Write and Assign Access: Allow.

A few points regarding this configuration:

• If you have different report creation profiles you may restrict the view to the necessary objects the profiles create reports for. However, make sure you provide them with the same access as above to queries and device groups, as reports are based on either one of these object types. If you do not provide access to the device groups, no reports that are assigned to a device group instead of being based on a query may be generated.

16.5.6 Scan Administrator

This type of administrator profile is created for administrators who only create and execute scans. However this also implies creating/managing the target lists, scan configurations as well as port lists.

1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Scan Administrator.
4 Select the Security Profile node below.
5 In the Capabilities tab select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 In the Modify Capabilities tab select the following capabilities:
   • View Devices
   • View Vulnerability Management
   • Manage Port Lists
   • Manage & Assign Scan Configurations
   • Manage Target Lists
   • Manage, Assign and Schedule Scans
8 Then click OK to confirm and close the window.
9 Now go to the Static Objects tab and add via the Properties popup window the following top nodes with the following access rights:
   • Port Lists, Scan Configurations and Targets top nodes with Read, Write and Assign Access: Allow
10 If the administrators are to be able to not only create their own new scans with all connected other objects but also use those that are created by other administrators you may add the access to these via the Dynamic Objects tab via the Properties popup window:
   • add all queries concerning scans, scan configurations, as well as port and target lists with access rights Read and Assign Access: Allow and Write Access: Deny.

16.5.7 Vulnerability Manager

This type of administrator profile is created for administrators who analyse the scan results and actively remedy the current situation on the targets.

1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Vulnerability Manager.
4 Select the Security Profile node below.
5 In the Capabilities tab select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 In the Modify Capabilities tab select the following capabilities:
   • View & Assign Devices
   • View Inventory
   • View Packages
   • View & Schedule Operational Rules
   • View, Manage, Assign & Configure Patch Groups
   • View, Manage & Configure Vulnerability Management
   • View & Manage Vulnerability Groups
   • View & Manage Target Lists
8 Then click OK to confirm and close the window.
9 Now go to the Static Objects tab and add the following top nodes with the following access rights via the Properties popup window:
   • Operational Rules and Packages top node with Read and Assign Access: Allow and Write Access: Deny
   • Patch Management and Vulnerability Groups top nodes with Read, Write and Assign Access: Allow
10 If the administrators are to be able to not only create their own new vulnerability remediation actions with all connected other objects but also use those that are created by other administrators you may add the access to these via the Dynamic Objects tab via the Properties popup window:
   • All Scanned Devices and All Scans queries with Read Access: Allow and Write and Assign Access: Deny
   • All Patch Groups, All Packages, All Operational Rules and All Vulnerability Groups queries with Read, Write and Assign Access: Allow.

A few points regarding this configuration:

• This profile consists mainly of patch management capabilities as the major part of actively remedying vulnerabilities is executed via the patch objects and wizard.

16.5.8 Compliance Analyst

This type of administrator profile is created for administrators who analyse all devices of the infrastructure for compliance.

1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Compliance Analyst.
4 Select the Security Profile node below.
5 In the Capabilities tab select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 In the Modify Capabilities tab select the following minimum capabilities:
   • View & Manage Devices
   • View & Manage Device Groups
   • View, Manage, Assign & Configure Compliance Rules
8 Then click OK to confirm and close the window.
9 Now go to the Static Objects tab and add the following top nodes with the following access rights via the Properties popup window:
   • Device Groups top node with Read and Assign Access: Allow and Write Access: Deny
   • Compliance Management top node with Read, Write and Assign Access: Allow
10 Then click OK to confirm and close the window.

16.5.9 Compliance Manager

This type of administrator profile is created for administrators who ensure the compliance of the complete infrastructure, i.e. they do not only analyse the current situation of the IT park concerning its compliance but take action to keep it compliant.

1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Compliance Manager.
4 Select the Security Profile node below.
5 In the Capabilities tab select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 In the Modify Capabilities tab select the following minimum capabilities:
   • View & Manage Devices
   • View & Manage Device Groups
   • View, Manage, Assign & Configure Compliance Rules
8 Following you will find a list of possible capabilities that may be assigned to the administrator, depending on the compliance targets:
   • View & Manage Inventory - to provide access to all inventory criteria
   • View & Assign Packages - if compliance includes specific installed packages as criteria
   • View & Schedule Operational Rules - if compliance includes specific assigned operational rules as criteria
   • View, Manage, Assign & Configure Patch Groups - if compliance includes specific installed patches as criteria
9 Then click OK to confirm and close the window.
10 Now go to the Static Objects tab and add the following top nodes with the following access rights depending on the capabilities you added in the previous tab via the Properties popup window:
   • Compliance Management, Operational Rules, Packages and Patch Management top node with Read, Write and Assign Access: Allow
   • Device Groups top node with Read and Assign Access: Allow and Write Access: Deny
11 The definitions in the Dynamic Objects tab of the Security Profile node also depend on the selections made in the Capabilities tab:
   • All Patch Groups, All Packages and All Operational Rules queries with Read, Write and Assign Access: Allow.


Corporate Headquarters
2202, North Westshore Boulevard, Suite 650
Tampa, Florida 33609, USA
p: 813.227.4500 f: 813.227.4501

Regional Headquarters
2025 Lincoln Highway
Edison, NJ 080018, USA
p: 732.287.2100 f: 732.287.4929

European Headquarters
Davidson House
Forbury Square
Reading, RG1 3EU, UK

NumaraSoftware.com

©2009 Numara Software, Inc. All rights reserved. Numara and the Numara Software logo are registered trademarks of Numara Software, Inc.

