Open MTIP Meeting

April 5, 2000
Issues with current lab setup
(from last meeting)
• Easier/faster application deployment and
maintenance
• Client diversity
• Education
• Auditing
• Universally accessible file system
• Workstation maintenance (ties with
security)
Today’s focus
• Easier/faster application deployment &
maintenance
• Workstation maintenance (ties with
security)
• Client diversity
Solution overview
• Use ZENWorks 2 for Desktops to deploy,
configure and maintain applications, to
assign apps to workstations rather than
users, and manage application security
• Use the Novell GINA rather than the
NCSUGINA
• Novell Client v4.6 SP 2 for Win NT (not 4.7!)
• NT labs: Transarc AFS client; Departmental
Win9x labs: SAMBA, if dept. provides
Issue: Applications are too hard
to deploy and maintain.
• Installs require administrators to physically
visit machines.
• Lead time on new apps is too long/too few
people create applications.
• Workstation security interferes with
application functioning.
(Apps too hard, continued)
• Application assignment to .USERS is all-or-nothing, and can only be done centrally.
• Locally desired apps must be installed
manually/icons can’t be in NAL.
Zen 2 Application Deployment
• Configure as “Install/run” rather than
having a separate Install and Run
• Assign applications to workstations and
labs, not to users
• Run as “Unsecure User” applications that
can’t run with restrictions
Unattended (by administrators)
application installations / repairs
• ZENWorks 2 for Desktops offers scheduled,
“lights-out” installations.
• Install/Run ZEN apps let users initiate
installation of new or updated software.
• Install/Run also enables “self-healing”
feature for ZEN applications.
• Force-run/run-once technologies offer
additional possibilities for installing ZEN
apps.
Shorter lead time for deployment
• Application assignment to workstations
means that testing need not be global.
• Local apps can be created by local admins
who are most familiar with configuring and
installing them.
• ZEN Install/Run can ship apps anytime,
without need to do an install step. First user
to run app pays install time penalty.
(Short lead time, continued)
• Ability to run apps as “unsecure system
user” means no real development time
devoted to security fix-ups
Purpose of security
• Make sure students get the access for which
they paid.
• As a secondary goal, make life easier for the
administrators.
Workstation security
• ZEN option to run as “Unsecure System
User” allows applications to run with admin
privileges: user can only access what the
application can access while the app runs.
• Continue to use current approach for labs
where running applications with admin
privileges is not appropriate.
(Workstation security, continued)
• For extremely secure systems, use current
approach plus a faceless “Secure System
User” app to unlock only those keys/files
only while the application is running.
Use Imaging for faster
workstation rebuilds
• Set up a “hidden” partition in the first 2 GB
of a workstation’s disk drive
• When booted from this partition,
automatically run Ghost to restore image
from the partition or from a network server
• After Ghost completes, set the partition to
invisible and boot the OS partition
• First boot of OS partition runs any fixup or
re-registration chores
Issue: Client Diversity
• Zen 2 works for all Windows platforms,
Windows 3.1, Windows 95/98, Windows
NT 4, and Windows 2000 (with service
pack)
• ITD still focusing on NT 4 in the short term,
to have an AFS client
• Many applications will also run under
Win95/98 or Win2K
Remaining Issues
• Universal File System
– Zip drives being ordered for ITD labs
– Looking into Web accessible file systems
• Education
– Working to have regular Zen classes offered by
ITD
– Working on web site to consolidate information
(Remaining Issues, continued)
• Auditing
– Site License for “Audit Login” software to
account for NetWare file servers
– Working on auditing method for all platforms
Features
• Zen 2 provides the core functionality
needed to make applications easier to
maintain and deploy; enhances app security
options, and supports client diversity
• Zen 2 is on our site license, so it’s a cost
effective solution
• Zen 2 has significant on campus expertise,
and allows us to leverage external resources
(other institutions/groups, vendor support)
(Features, continued)
• Zen 2 has additional functionality, such as
Inventory and secure Remote Control,
which were not identified as “critical” but
are definitely desirable.
• We won’t disrupt existing setup - faculty
can continue to run NCSUGINA and run
applications from AFS space.
Gotchas & anti-features
• Can’t get single sign on to AFS and
NetWare (2nd login to get to AFS space)
• No hesiod group functionality will be
implemented initially
• No auto synchronization of NT profiles
between NW and AFS after initial migration
• Netscape bookmarks don’t follow from
Solaris to NT until NetWare 5.1
To Do/Status List
• Contextless login: waiting on new
hardware for replica servers, but have a
contingency plan should hardware not
arrive before deadline; cannot test
effectively without this.
• Profile storage: waiting on new hardware
to hold the NT Roaming Profiles, can test
with a test account configured to store on a
different box
(To Do/Status List, continued)
• Workstation registration: every machine
will need to be registered/imported into the
tree - user policy package for admin
accounts in the workstation containers
• Imaging: Ghost images/Restore mechanism
for workstation-specific info / Need input
from COM on hidden partitions; need file
space to store lab images for multicast
(To Do/Status List, continued)
• Applications: modify existing apps to store
settings in NW profile space
• No new apps for Summer created by
ITD.
• Migrate settings from AFS space to NW
profile space - need to wait for semester
break when labs are closed
(To Do/Status List, continued)
• Copy app files from AFS to NW space - need to set up space for them
• User policy package assigned to .USERS
modified to store Roaming Profiles on NW
server / need to wait for semester break
when labs are closed - use a test user
account to test beforehand.
Timetable
• Spring exams end May 16. Summer begins May 24.
– Apr 15 Contextless Login
– May 1 Profile Storage
– May 1 Application modifications completed (note:
existing apps will be duplicated and changed, not
replaced!)
– May 1 Application servers online, application files
copied from AFS space
– May 1 NT Roaming Profiles policy for .USERS
(Timetable, continued)
– May 17-19 AFS → NW migration for NT profiles
– Workstation Registration: local schedule
– Ghost Images: local schedule
– Hidden partition: work to be done during the
summer, for release in the fall
Worst-case scenario
• No contextless login → no move to Zen 2
• Roaming profiles may not migrate properly
from AFS versions
• Others?
How to deal with workstation
registration
New apps - you do them, and you
CAN do them
Documentation on the web