Open MTIP Meeting
April 5, 2000

Issues with current lab setup (from last meeting)
• Easier/faster application deployment and maintenance
• Client diversity
• Education
• Auditing
• Universally accessible file system
• Workstation maintenance (ties with security)

Today’s focus
• Easier/faster application deployment & maintenance
• Workstation maintenance (ties with security)
• Client diversity

Solution overview
• Use ZENWorks 2 for Desktops to deploy, configure and maintain applications, to assign apps to workstations rather than users, and manage application security
• Use the Novell GINA rather than the NCSUGINA
• Novell Client v4.6 SP 2 for Win NT (not 4.7!)
• NT labs: Transarc AFS client; Departmental Win9x labs: SAMBA, if dept. provides

Issue: Applications are too hard to deploy and maintain.
• Installs require administrators to physically visit machines.
• Lead time on new apps is too long/too few people create applications.
• Workstation security interferes with application functioning.

(Apps too hard, continued)
• Application assignment to .USERS is all-or-nothing, and can only be done centrally.
• Locally desired apps must be installed manually/icons can’t be in NAL.

Zen 2 Application Deployment
• Configure as “Install/run” rather than having a separate Install and Run
• Assign applications to workstations and labs, not to users
• Run as “Unsecure User” applications that can’t run with restrictions

Unattended (by administrators) application installations / repairs
• ZENWorks 2 for Desktops offers scheduled, “lights-out” installations.
• Install/Run ZEN apps let users initiate installation of new or updated software.
• Install/Run also enables “self-healing” feature for ZEN applications.
• Force-run/run-once technologies offer additional possibilities for installing ZEN apps.

Shorter lead time for deployment
• Application assignment to workstations means that testing need not be global.
• Local apps can be created by local admins who are most familiar with configuring and installing them.
• ZEN Install/Run can ship apps anytime, without need to do an install step. First user to run app pays install time penalty.

(Short lead time, continued)
• Ability to run apps as “unsecure system user” means no real development time devoted to security fix-ups

Purpose of security
• Make sure students get the access for which they paid.
• As a secondary goal, make life easier for the administrators.

Workstation security
• ZEN option to run as “Unsecure System User” allows applications to run with admin privileges: user can only access what the application can access while the app runs.
• Continue to use current approach for labs where running applications with admin privileges is not appropriate.

(Workstation security, continued)
• For extremely secure systems, use current approach plus a faceless “Secure System User” app to unlock only those keys/files, and only while the application is running.

Use Imaging for faster workstation rebuilds
• Set up a “hidden” partition in the first 2 GB of a workstation’s disk drive
• When booted from this partition, automatically run Ghost to restore image from the partition or from a network server
• After Ghost completes, set the partition to invisible and boot the OS partition
• First boot of OS partition runs any fixup or re-registration chores

Issue: Client Diversity
• Zen 2 works for all Windows platforms: Windows 3.1, Windows 95/98, Windows NT 4, and Windows 2000 (with service pack)
• ITD still focusing on NT 4 in the short term, to have an AFS client
• Many applications will also run under Win95/98 or Win2K

Remaining Issues
• Universal File System
  – Zip drives being ordered for ITD labs
  – Looking into Web accessible file systems
• Education
  – Working to have regular Zen classes offered by ITD
  – Working on web site to consolidate information

(Remaining Issues, continued)
• Auditing
  – Site License for “Audit Login” software to account for NetWare file servers
  – Working on auditing method for all platforms

Features
• Zen 2 provides the core functionality needed to make applications easier to maintain and deploy; enhances app security options, and supports client diversity
• Zen 2 is on our site license, so it’s a cost-effective solution
• Zen 2 has significant on-campus expertise, and allows us to leverage external resources (other institutions/groups, vendor support)

(Features, continued)
• Zen 2 has additional functionality, such as Inventory and secure Remote Control, which were not identified as “critical” but are definitely desirable.
• We won’t disrupt existing setup - faculty can continue to run NCSUGINA and run applications from AFS space.

Gotchas & anti-features
• Can’t get single sign on to AFS and NetWare (2nd login to get to AFS space)
• No hesiod group functionality will be implemented initially
• No auto synchronization of NT profiles between NW and AFS after initial migration
• Netscape bookmarks don’t follow from Solaris to NT until NetWare 5.1

To Do/Status List
• Contextless login: waiting on new hardware for replica servers, but have a contingency plan should hardware not arrive before deadline; cannot test effectively without this.
• Profile storage: waiting on new hardware to hold the NT Roaming Profiles, can test with a test account configured to store on a different box

(To Do/Status List, continued)
• Workstation registration: every machine will need to be registered/imported into the tree - user policy package for admin accounts in the workstation containers
• Imaging: Ghost images/Restore mechanism for workstation-specific info / Need input from COM on hidden partitions; need file space to store lab images for multicast

(To Do/Status List, continued)
• Applications: modify existing apps to store settings in NW profile space
• No new apps for Summer created by ITD.
• Migrate settings from AFS space to NW profile space - need to wait for semester break when labs are closed

(To Do/Status List, continued)
• Copy app files from AFS to NW space - need to set up space for them
• User policy package assigned to .USERS modified to store Roaming Profiles on NW server / need to wait for semester break when labs are closed - use a test user account to test beforehand.

Timetable
• Spring exams end May 16. Summer begins May 24.
  – Apr 15 Contextless Login
  – May 1 Profile Storage
  – May 1 Application modifications completed (note: existing apps will be duplicated and changed, not replaced!)
  – May 1 Application servers online, application files copied from AFS space
  – May 1 NT Roaming Profiles policy for .USERS

(Timetable, continued)
  – May 17-19 AFS to NW migration for NT profiles
  – Workstation Registration: local schedule
  – Ghost Images: local schedule
  – Hidden partition: work to be done during the summer, for release in the fall

Worst-case scenario
• No contextless login, no move to Zen 2
• Roaming profiles may not migrate properly from AFS versions
• Others?

How to deal with workstation registration
New apps - you do them, and you CAN do them
Documentation on the web