Open MTIP Meeting

April 5, 2000

Issues with current lab setup (from last meeting)

• Easier/faster application deployment and maintenance

• Client diversity• Education• Auditing• Universally accessible file system • Workstation maintenance (ties with security)

Today’s focus

• Easier/faster application deployment & maintenance

• Workstation maintenance (ties with security)

• Client diversity

Solution overview

• Use ZENWorks 2 for Desktops to deploy, configure and maintain applications, to assign apps to workstations rather than users, and manage application security

• Use the Novell GINA rather than the NCSUGINA

• Novell Client v4.6 SP 2 for Win NT (not 4.7!)

• NT labs: Transarc AFS client; Departmental Win9x labs: SAMBA, if dept. provides

Issue: Applications are too hard to deploy and maintain.

• Installs require administrators to physically visit machines.

• Lead time on new apps is too long/too few people create applications.

• Workstation security interferes with application functioning.

(Apps too hard, continued)

• Application assignment to .USERS is all-or-nothing, and can only be done centrally.

• Locally desired apps must be installed manually/icons can’t be in NAL.

Zen 2 Application Deployment

• Configure as “Install/run” rather than having a separate Install and Run

• Assign applications to workstations and labs, not to users

• Run as “Unsecure User” applications that can’t run with restrictions

Unattended (by administrators) application installations / repairs

• ZENWorks 2 for Desktops offers scheduled, “lights-out” installations.

• Install/Run ZEN apps let users initiate installation of new or updated software.

• Install/Run also enables “self-healing” feature for ZEN applications.

• Force-run/run-once technologies offer additional possibilities for installing ZEN apps.

Shorter lead time for deployment

• Application assignment to workstations means that testing need not be global.

• Local apps can be created by local admins who are most familiar with configuring and installing them.

• ZEN Install/Run can ship apps anytime, without need to do an install step. First user to run app pays install time penalty.

(Short lead time, continued)

• Ability to run apps as “unsecure system user” means no real development time devoted to security fix-ups

Purpose of security

• Make sure students get the access for which they paid.

• As a secondary goal, make life easier for the administrators.

Workstation security

• ZEN option to run as “Unsecure System User” allows applications to run with admin privileges: user can only access what the application can access while the app runs.

• Continue to use current approach for labs where running applications with admin privileges is not appropriate.

(Workstation security, continued)

• For extremely secure systems, use current approach plus a faceless “Secure System User” app to unlock only those keys/files only while the application is running.

Use Imaging for faster workstation rebuilds

• Set up a “hidden” partition in the first 2 GB of a workstation’s disk drive

• When booted from this partition, automatically run Ghost to restore image from the partition or from a network server

• After Ghost completes, set the partition to invisible and boot the OS partition

• First boot of OS partition runs any fixup or re-registration chores

Issue: Client Diversity

• Zen 2 works for all Windows platforms, Windows 3.1, Windows 95/98, Windows NT 4, and Windows 2000 (with service pack)

• ITD still focusing on NT 4 in the short term, to have an AFS client

• Many applications will also run under Win95/98 or Win2K

Remaining Issues

• Universal File System– Zip drives being ordered for ITD labs– Looking into Web accessible file systems

• Education– Working to have regular Zen classes offered by

ITD– Working on web site to consolidate information

(Remaining Issues, continued)

• Auditing– Site License for “Audit Login” software to

account for NetWare file servers– Working on auditing method for all platforms

Features

• Zen 2 provides the core functionality needed to make applications easier to maintain and deploy; enhances app security options, and supports client diversity

• Zen 2 is on our site license, so it’s a cost effective solution

• Zen 2 has significant on campus expertise, and allows us to leverage external resources (other institutions/groups, vendor support)

(Features, continued)

• Zen 2 has additional functionality, such as Inventory and secure Remote Control, which were not identified as “critical” but are definitely desirable.

• We won’t disrupt existing setup - faculty can continue to run NCSUGINA and run applications from AFS space.

Gotchas & anti-features

• Can’t get single sign on to AFS and NetWare (2nd login to get to AFS space)

• No hesiod group functionality will be implemented initially

• No auto synchronization of NT profiles between NW and AFS after initial migration

• Netscape bookmarks don’t follow from Solaris to NT until NetWare 5.1

To Do/Status List

• Contextless login: waiting on new hardware for replica servers, but have a contingency plan should hardware not arrive before deadline; cannot test effectively without this.

• Profile storage: waiting on new hardware to hold the NT Roaming Profiles, can test with a test account configured to store on a different box

(To Do/Status List, continued)

• Workstation registration: every machine will need to be registered/imported into the tree - user policy package for admin accounts in the workstation containers

• Imaging: Ghost images/Restore mechanism for workstation-specific info / Need input from COM on hidden partitions; need file space to store lab images for multicast

(To Do/Status List, continued)

• Applications: modify existing apps to store settings in NW profile space

• No new apps for Summer created by ITD.

• Migrate settings from AFS space to NW profile space- need to wait for semester break when labs are closed

(To Do/Status List, continued)

• Copy app files from AFS to NW space- need to set up space for them

• User policy package assigned to .USERS modified to store Roaming Profiles on NW server / need to wait for semester break when labs are closed - use a test user account to test beforehand.

Timetable

• Spring exams end May 16. Summer begins May 24.

– Apr 15 Contextless Login– May 1 Profile Storage– May 1 Application modifications completed (note:

existing apps will be duplicated and changed, not replaced!)

– May 1 Application servers online, application files copied from AFS space

– May 1 NT Roaming Profiles policy for .USERS

(Timetable, continued)

– May 17-19 AFS NW migration for NT profiles– Workstation Registration: local schedule– Ghost Images: local schedule– Hidden partition: work to be done during the

summer, for release in the fall

Worst-case scenario

• No contextless login no move to Zen 2

• Roaming profiles may not migrate properly from AFS versions

• Others?

How to deal with workstation registration

New apps - you do them, and you CAN do them

Documentation on the web