Software Distribution and Altiris

Automated software distribution is immensely important in a managed IT operation. If you don’t have effective tools, software either goes out of date or becomes very time-consuming and costly to manage. Altiris provides a powerful set of tools to manage software distribution more easily.

You can do a lot without buying any tools. Group Policy provides a software installation mechanism for Windows environments. You can install anything provided it is in Windows Installer format (an msi file) and has the parameters to allow a silent install. You can also use old-fashioned startup or logon scripts to install software.

Fairly quickly, however, you start to find applications where this is difficult or even impossible. It may only be 5% of all applications, but they still have to be installed. The Oracle client, for example. Or you may have some tweaks that need to be applied to registry or ini files after installation.

One response people adopt is to let software get out of date. But most software revisions are issued to fix problems, especially security problems. We use Qualys to provide reports on software vulnerabilities. If software has vulnerabilities you can be fairly sure that someone will try to exploit them. Running out-of-date versions of common applications such as Adobe Reader, Flash Player, Java, and QuickTime is very unwise.

If you have out-of-date software you can close the whole environment down to reduce the scope for damage. For example you can prevent downloads from the internet. But this creates an unproductive and restrictive workplace, and it is not necessary for security. It is needed only as a way to avoid having to update software.

Some people argue that old software versions are required for compatibility. But you can generally run more than one version and specify which is used.

Another response is to allow users to be administrators of their own machines, so they can install software and cut down on your workload. This is also very unwise in a business environment. It is not a question of trust but of reducing the risk of harm. Windows Vista builds this concept into the security model of the whole OS and has User Account Control (UAC) to prevent administrative actions from the desktop.

A good set of tools just makes it easier and less costly to manage software distribution.

The first thing Altiris provides is an inventory. This enables you to have collections of machines with different characteristics. If you install the same software on all machines then all machines are the same and you don’t have too much need for an inventory. However with the proper tools you can have a less restrictive approach. For example you can let users self-select applications to install.

The inventory enables you to identify computers with a specific version of an application whether or not it was installed programmatically. So you can simply have a collection of computers where the version of Adobe Reader is less than 8.1.2. The collection is automatically kept up to date when the software inventory runs. You can have another collection, Adobe Reader KeepUpToDate, which is all computers where Adobe Reader should be the latest version. You can then distribute updates to all computers in the Adobe Reader less than 8.1.2 collection AND in the KeepUpToDate collection.
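The targeting rule described above (outdated AND in KeepUpToDate) can be sketched as follows. This is an added example, not Altiris code: the inventory rows, host names and function names are constructed for illustration. It compares versions numerically, because a plain string comparison would wrongly rank 8.1.10 below 8.1.2, and it sets aside hosts whose version string cannot be parsed instead of silently skipping them.

```python
# Added example: constructed inventory data, hypothetical names throughout.
from itertools import zip_longest

def parse_version(text):
    """Turn '8.1.2' into (8, 1, 2); return None if any part is non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_older(installed, minimum):
    """Compare numerically, padding with zeros so 8.1.2 equals 8.1.2.0."""
    for a, b in zip_longest(installed, minimum, fillvalue=0):
        if a != b:
            return a < b
    return False

def build_target(inventory, keep_up_to_date, product, minimum):
    """Return (hosts to update, opted-in hosts with an unparseable version)."""
    floor = parse_version(minimum)
    outdated, unparsed = set(), set()
    for host, name, version in inventory:
        if name != product:
            continue
        parsed = parse_version(version)
        if parsed is None:
            unparsed.add(host)
        elif is_older(parsed, floor):
            outdated.add(host)
    # Distribute only where both conditions hold: outdated AND opted in.
    return outdated & keep_up_to_date, unparsed & keep_up_to_date

# Constructed sample inventory rows: (host, product, version).
INVENTORY = [
    ("PC-001", "Adobe Reader", "8.1.1"),
    ("PC-002", "Adobe Reader", "8.1.10"),   # newer, but sorts lower as a string
    ("PC-003", "Adobe Reader", "7.0.9"),
    ("PC-004", "Adobe Reader", "8.1.2.0"),  # same release as 8.1.2
    ("PC-005", "Adobe Reader", "8.x"),      # inventory glitch, needs review
    ("PC-006", "Adobe Reader", "8.0"),      # outdated but not in KeepUpToDate
    ("PC-001", "Flash Player", "9.0.115"),  # different product, ignored
]
KEEP_UP_TO_DATE = {"PC-001", "PC-002", "PC-003", "PC-004", "PC-005"}

if __name__ == "__main__":
    target, review = build_target(INVENTORY, KEEP_UP_TO_DATE, "Adobe Reader", "8.1.2")
    print("update:", sorted(target), "review:", sorted(review))
```

Hosts in the review set are worth chasing: a machine with an unreadable version is one you cannot confirm as patched.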

The engine of software distribution is the Altiris Task Server. Task Server enables you to specify a range of tasks for a collection of computers. The task types include: run script; defrag; deliver software; inventory; ipconfig; power control; backup; service control; and several others. You can assemble these tasks into jobs. So for example a job might be: 1) Wake a machine that is shut down. 2) Install a pre-requisite if not there (e.g. .NET Framework). 3) Run a script to back up some settings. 4) Uninstall an application. 5) Install an application. 6) Stop a service. 7) Apply settings. 8) Start a service. 9) Run a script to check the service is working. Each task in the job can be handled with return codes.

Likewise more complex server operations such as upgrades can be automated to make them accurate and repeatable, for example: run a backup of data the day before an upgrade; then before the upgrade itself stop the service (say for Domino) and make an incremental backup of changes since yesterday; then upgrade or move the service; restart the service and check it is running correctly. This can all be automated so it is the same on every server.

The Altiris software delivery package bundles together the components you need for an installation. In one package you can have several different options. You could have one Citrix client package, with different transforms for web-only client; PN Agent set to sign in automatically; PN Agent not set to sign in etc.

Software packages can be trickled down to the client depending on bandwidth. A large package such as a service pack could be trickled to the clients overnight and then installed from local source. Packages can also be multicast, so if 20 clients need to be updated it can be done in one multicast instead of 20 separate downloads.

You can select a local workstation to be a task server or a package server. In a small office without a dedicated server one workstation can obtain the package and distribute it to the other local clients. Task servers work by "tickling" the client with a UDP packet to tell it there is a job waiting. For an organisation, say, with a large number of shops or small regional offices this enables you to manage software without distributing it over the WAN or putting servers at every location.

Altiris lets you schedule tasks in many ways. One of the standard problems is when to update laptops. When people come in to work they often need to start their laptop to get papers for a meeting or check their diary. It is very inconvenient if a large software update kicks off. Likewise at the end of the day they may be hurrying to get away in time for a train. Not a good time to start a 20 minute update. But if you let people just choose whether to install or not, the update may never get installed. Altiris enables you to either notify or warn users, and lets them defer the task for a set period. So you could schedule the update for 12:00 am and let users defer for up to 24 hours.

Altiris provides a software portal on the intranet that lets users choose software they need. This helps to avoid the sense that IT is controlling what people can do. If a user needs Visio or AutoCAD to do a piece of work they can select it from the software portal. A workflow will route a request for approval to a manager. When it is approved the software will be installed automatically. The cost will be charged to the appropriate cost centre and the license count amended. If additional licenses are required a workflow will be triggered to buy them. Without something like Altiris the request can get lost in the system and take weeks to get nowhere.

Most software today is provided as a Windows Installer msi package and can be customised with a transform file. Transformation is required to select options and enter serial numbers. A few products are still not provided as msi packages. If they have a silent command line Altiris can use that instead. Otherwise they can be packaged into Windows Installer packages using Wise Package Studio. Sometimes you require more than one version of an application, or incompatible applications. Software virtualisation is a new technique for dealing with this. The packaged software runs through a filter that provides its own registry and file system to isolate it from other applications.

You can think in terms of around £60 per machine for these tools. This sounds a lot. When you pay maybe £250 for a first rate computer with an OS, an extra £60 for some utilities is something you would rather avoid. You may also already have inventory and license management tools, so you don’t want to pay for them twice. Plus there are some Open Source tools that will do some of this.

I think it is more useful to look at it as an annual cost. For an enterprise of say 1000 machines, the capital cost is £60,000. Over five years, including annual maintenance, you pay £90,000, or £18,000 per year. For that you get lower staff costs and a better service to users.
