Open MTIP Meeting April 5, 2000
Issues with current lab setup (from last meeting)
  Easier/faster application deployment and maintenance
  Client diversity
  Education
  Auditing
  Universally accessible file system
  Workstation maintenance (ties with security)
Today’s focus
  Easier/faster application deployment & maintenance
  Workstation maintenance (ties with security)
  Client diversity
Solution overview
  Use ZENWorks 2 for Desktops to deploy, configure and maintain applications, to assign apps to workstations rather than users, and manage application security
  Use the Novell GINA rather than the NCSUGINA
  Novell Client v4.6 SP 2 for Win NT (not 4.7!)
  NT labs: Transarc AFS client; Departmental Win9x labs: SAMBA, if dept. provides
Issue: Applications are too hard to deploy and maintain.
  Installs require administrators to physically visit machines.
  Lead time on new apps is too long/too few people create applications.
  Workstation security interferes with application functioning.
(Apps too hard, continued)
  Application assignment to .USERS is all-or-nothing, and can only be done centrally.
  Locally desired apps must be installed manually/icons can’t be in NAL.
Zen 2 Application Deployment
  Configure as “Install/run” rather than having a separate Install and Run
  Assign applications to workstations and labs, not to users
  Run as “Unsecure User” applications that can’t run with restrictions
Unattended (by administrators) application installations / repairs
  ZENWorks 2 for Desktops offers scheduled, “lights-out” installations.
  Install/Run ZEN apps let users initiate installation of new or updated software.
  Install/Run also enables “self-healing” feature for ZEN applications.
  Force-run/run-once technologies offer additional possibilities for installing ZEN apps.
Shorter lead time for deployment
  Application assignment to workstations means that testing need not be global.
  Local apps can be created by local admins who are most familiar with configuring and installing them.
  ZEN Install/Run can ship apps anytime, without need to do an install step.
  First user to run app pays install time penalty.
(Short lead time, continued)
  Ability to run apps as “unsecure system user” means no real development time devoted to security fix-ups
Purpose of security
  Make sure students get the access for which they paid.
  As a secondary goal, make life easier for the administrators.
Workstation security
  ZEN option to run as “Unsecure System User” allows applications to run with admin privileges: user can only access what the application can access while the app runs.
  Continue to use current approach for labs where running applications with admin privileges is not appropriate.
(Workstation security, continued)
  For extremely secure systems, use current approach plus a faceless “Secure System User” app to unlock those keys/files only while the application is running.
Use Imaging for faster workstation rebuilds
  Set up a “hidden” partition in the first 2 GB of a workstation’s disk drive
  When booted from this partition, automatically run Ghost to restore image from the partition or from a network server
  After Ghost completes, set the partition to invisible and boot the OS partition
  First boot of OS partition runs any fixup or re-registration chores
Issue: Client Diversity
  Zen 2 works for all Windows platforms, Windows 3.1, Windows 95/98, Windows NT 4, and Windows 2000 (with service pack)
  ITD still focusing on NT 4 in the short term, to have an AFS client
  Many applications will also run under Win95/98 or Win2K
Remaining Issues
  Universal File System
    –Zip drives being ordered for ITD labs
    –Looking into Web accessible file systems
  Education
    –Working to have regular Zen classes offered by ITD
    –Working on web site to consolidate information
(Remaining Issues, continued)
  Auditing
    –Site License for “Audit Login” software to account for NetWare file servers
    –Working on auditing method for all platforms
Features
  Zen 2 provides the core functionality needed to make applications easier to maintain and deploy; enhances app security options, and supports client diversity
  Zen 2 is on our site license, so it’s a cost effective solution
  Zen 2 has significant on campus expertise, and allows us to leverage external resources (other institutions/groups, vendor support)
(Features, continued)
  Zen 2 has additional functionality, such as Inventory and secure Remote Control, which were not identified as “critical” but are definitely desirable.
  We won’t disrupt existing setup - faculty can continue to run NCSUGINA and run applications from AFS space.
Gotchas & anti-features
  Can’t get single sign on to AFS and NetWare (2nd login to get to AFS space)
  No hesiod group functionality will be implemented initially
  No auto synchronization of NT profiles between NW and AFS after initial migration
  Netscape bookmarks don’t follow from Solaris to NT until NetWare 5.1
To Do/Status List
  Contextless login: waiting on new hardware for replica servers, but have a contingency plan should hardware not arrive before deadline; cannot test effectively without this.
  Profile storage: waiting on new hardware to hold the NT Roaming Profiles, can test with a test account configured to store on a different box
(To Do/Status List, continued)
  Workstation registration: every machine will need to be registered/imported into the tree - user policy package for admin accounts in the workstation containers
  Imaging: Ghost images/Restore mechanism for workstation-specific info / Need input from COM on hidden partitions; need file space to store lab images for multicast
(To Do/Status List, continued)
  Applications: modify existing apps to store settings in NW profile space
  No new apps for Summer created by ITD.
  Migrate settings from AFS space to NW profile space - need to wait for semester break when labs are closed
(To Do/Status List, continued)
  Copy app files from AFS to NW space - need to set up space for them
  User policy package assigned to .USERS modified to store Roaming Profiles on NW server / need to wait for semester break when labs are closed - use a test user account to test beforehand.
Timetable
  Spring exams end May 16. Summer begins May 24.
    –Apr 15 Contextless Login
    –May 1 Profile Storage
    –May 1 Application modifications completed (note: existing apps will be duplicated and changed, not replaced!)
    –May 1 Application servers online, application files copied from AFS space
    –May 1 NT Roaming Profiles policy for .USERS
(Timetable, continued)
    –May AFS to NW migration for NT profiles
    –Workstation Registration: local schedule
    –Ghost Images: local schedule
    –Hidden partition: work to be done during the summer, for release in the fall
Worst-case scenario
  No contextless login, no move to Zen 2
  Roaming profiles may not migrate properly from AFS versions
  Others?
How to deal with workstation registration
New apps - you do them, and you CAN do them
Documentation on the web