Auto-magic and SAM, asked and answered

One of this forum's users asked the other day:

“I have a question regarding automatic un-install of software that is not in use for more than 90 days, if you are practicing that and if yes, could you share info on what type of tool you use, do you inform the end users first before un-installing the software?”

Firstly, we use a global approach to everything. We are located in many countries, so licensing could become a nightmare.

This is why we are not only registering entitlements (registering is essential for reconciliation though), we actually define and build them into our infrastructure as a system in each “service” case.
We have defined all sites in AD, all locations, all normal types of restrictions and the structure is based on basic limitations of license entitlement: computer/user, site, country, region, or globe.
SCCM and all other systems alike mirror this, which of course more or less corresponds to the information in master data.

Secondly, we have a global policy corresponding to the situation at hand, such as harvesting. Our users know of it and are referred to it when software is removed. Helpdesk can easily do that once it’s in place. There are two versions of it: the main version explaining everything, and the short version, which can easily be provided to users. Additionally, functionality in both SCCM and Orchestrator can be used for requesting / provisioning and notifications to some degree. Of course users sometimes don’t remember what happened after the fact, but that’s the case every other Monday, and with passwords too.

We utilize a tool with CMDB capabilities as a front end, which presents users with a standard form, allowing them to choose from available software services. We have several such tools, as we are transitioning from one main tool to another while tickets also need to be managed somewhere. This tool also contains a copy of master data which uniquely identifies the user and the service, as well as many other things like locations, sites, contracts and much, much more.
The “software service” is defined through a service database which allows us, with a rather friendly form, to define these services in terms of which AD containers they regard, how they are restricted, who approves, what they cost, who possesses knowledge and much more.
This is where definition of the entitlement comes in. Entitlement is translated into a service in implementation. We know what we have purchased, where it is possible to use it and how it can be used, so we restrict this usage accordingly and then add the output to this database. When users request a “software” in this database, they are choosing a package which is predefined, pointing to a specific server, or using pooled license information, a cloud service or whatever else. Technically they are choosing an already compliant service or software, defined specifically for them, their location or region, shown only where it is allowed to be used.

AD allows us to control who has access and who doesn’t. Each addition or removal is recorded with a stamp of the “request” for that particular service, time and date and other information, giving traceability and thus enabling a short process for internal SOX compliance audits.
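The scope check and the traceable removal record described above can be modelled as follows; this is an added example, not part of the original post or the author's tooling. The class and field names, the sample users and request ids, and the choice to also harvest installs that fall outside their entitlement scope are assumptions made for illustration; the 90-day limit comes from the question quoted at the top.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Location:  # hypothetical master-data record for one user
    user: str
    site: str
    country: str
    region: str

@dataclass(frozen=True)
class Service:  # hypothetical "software service": an entitlement as implemented
    name: str
    scope: str          # computer/user, site, country, region or globe
    allowed: frozenset  # values permitted at that scope (unused for globe)

def visible(svc, loc):
    """True if the entitlement's scope covers this user and location."""
    if svc.scope == "globe":
        return True
    key = {"computer/user": loc.user, "site": loc.site,
           "country": loc.country, "region": loc.region}[svc.scope]
    return key in svc.allowed

def harvest(installs, services, locations, today, max_idle_days=90):
    """Audit records for installs to remove: out of scope, or idle > limit."""
    records = []
    for user, name, last_used, request_id in installs:
        idle = (today - last_used).days
        if not visible(services[name], locations[user]):
            reason = "out-of-scope"
        elif idle > max_idle_days:
            reason = "unused"
        else:
            continue
        records.append({"request": request_id, "user": user, "service": name,
                        "action": "remove", "reason": reason,
                        "idle_days": idle, "stamp": today.isoformat()})
    return records

# Constructed sample data, not taken from the page.
LOCS = {"anna": Location("anna", "CPH-1", "DK", "EMEA"),
        "raj": Location("raj", "BLR-2", "IN", "APAC")}
SERVICES = {"cad-emea": Service("cad-emea", "region", frozenset({"EMEA"})),
            "pdf-global": Service("pdf-global", "globe", frozenset())}
INSTALLS = [("anna", "cad-emea", date(2024, 1, 5), "REQ-1"),
            ("raj", "cad-emea", date(2024, 5, 30), "REQ-2"),
            ("raj", "pdf-global", date(2024, 5, 1), "REQ-3")]

if __name__ == "__main__":
    for rec in harvest(INSTALLS, SERVICES, LOCS, date(2024, 6, 1)):
        print(rec)
```

Each returned record carries the original request id, so a removal can be traced back to the request that granted the service.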

Each package is named to reflect its intended deployment “region”, as are the AD groups and collections used. AppDeployToolkit allows for passing some messaging to users at install/un-install, and has functionality allowing the user to choose a better moment for any actions.

The rest of the magic happens in SCCM which we utilize heavily.

I’ve drawn here a simple likeness of how this works with both provisioning and harvesting. Each and every step allows for roll-back, un-install, install, update or “otherwise”; allows for targeting of specific groups of users / computers or services.

Every action which we perform when implementing or managing is recorded and at some point translated into an SOP, which is periodically refreshed.

This is to ensure that everyone, regardless of their location or specific focus, can do anything technically, as well as to make sure we always do everything the same way.

Every standard has been agreed on and recorded as well. This ensures a common way of defining “anything” according to the same principles, making everything reproducible and transparent.

The aim is to reach a level of automation which allows for an almost zero-touch approach to maintaining daily operations and focusing on two items: implementation on one end and continuous service improvement on the other.

That’s what we call SAM 5.0: an almost autonomous, self-improving service delivering software, preconfigured, licensed and yet always compliant. My idea of heaven.

Fraus hominum ad perniciem, et integritas ad salutem vocat

Dear SAM, as the saying goes, honesty is the best policy.

I started my career in SAM more than 20 years ago, or rather even before that. Part of my education was programming in various languages and, above all, methodology of development. Thanks to that I can read almost any syntax in most coding languages, almost as when reading text in a familiar language. I have never become particularly good at development. I lean more towards testing and debugging or coordination in development rather than the deed itself.

Partly to further my education, partly due to curiosity, I was testing anything and everything back then. I see software as tools, enabling me (anybody) to do what needs to be done. I can’t draw much by hand, but with the right piece of software I could be a Monet, Picasso, you name it.

“Common sense is not so common.”

Dear SAM

I quoted Voltaire (a hero of mine) because I am very often reminded of it.
I do not wish to say and I do not mean that most people are dumb or idiots per se.

I simply think people today focus on other things, sometimes other things than those at hand… Sometimes because they are simply: “too busy…”

It seems to me we leave a lot to systems nowadays, perhaps to the point where we get used to not thinking anymore. I use a smartphone to remind me of small things I will surely forget otherwise. I use it as a convenience to hold the data I wish to have portable, such as boarding cards, PDFs I might need, insurance certificates, you name it…

I’ve been using a computing device with the internet for over 20 years on a more or less daily basis. I grew up with a microcomputer and was educated as a programmer in a couple of disciplines. During this entire time, I have surely created lots of shortcuts for myself, so as not to have to remember or perform repetitive tasks, if it can be helped. I like “easy” more than I like “hard” as a method of solving a situation. I still struggle with passwords between devices and accounts. Preferably, one day, I’ll be able to move everything I do to the cloud and the internet and be truly device-independent, perhaps to a point where I don’t need to own one.

And thus consolidating needed actions, services and moving them across platforms makes life easier, but it also seems to do little to stimulate our use of brain functions. Asset management and the need for it is not an exception.

I see many systems and solutions in the subject. All are competent in their areas, however, what is lacking is one system covering all needs. You may deploy your software and devices using SCCM and it will cover 70% of technology and devices. There will always be exceptions, of course. However, tracking licenses with SCCM is not possible.

Most systems to track licenses are either asset registrars or discovery/inventory tools. SCCM can track installs, but we all know that a license seldom equals an installation. The more complicated the deployments and solutions, the larger the need for the ability to track them.

And so you have a Service manager surely able to record what you have purchased. You have SCCM to deploy and inventory (some software). You can also use it to meter how software is used, however, this works in only some scenarios.

If you use concurrent licensing in addition, you will need a tool to do that too. Then you’ll need a reconciliation tool or methods between what is installed and what can be licensed. I’ve heard of a few organizations having them all and still lacking some functionality. If your devices use one manufacturer of operating systems, then that part is relatively easy, but what if you use Windows, Mac, Linux? All at once? All of them use software and believe me, not everything downloadable or even purchased is ok to use in all scenarios.

Luckily the software audits are not done as they could be, or else most IT departments would be busy every month, each year, reporting to the vendors. But I do ask myself, as more and more standardization comes from the law side of things, and from data protection laws as well: how will this affect a segment where not only tools are needed, but also people who can use them effectively? Then there is the question of how much time to spend adjusting the tool to existing processes, or redrawing processes around the tool. Time is money, folks…

I don’t see much sense in the above after all, as things are now. Either we speak of much risk or much cost, or both; and for what benefit? Isn’t it time to change things around a bit?