ZENworks

ZENworks 11: A First Look

by Sam Tessier

In some respects it's hard to believe that the release of ZENworks 10 Configuration Management was over three years ago. With that release of ZENworks, Novell introduced an entirely new modular underlying architecture - one that was cross-platform, web services-based and directory agnostic. This architecture represented a departure from the full-stack dependence on other Novell technologies (eDirectory, Novell client, ConsoleOne) that older versions of ZENworks had. It also provided an opportunity for full integration of the formerly separate and standalone components of patch, asset and desktop management so that a single agent and single management console could provide a wide array of functionality. Since that initial release, various support packs have extended the scale and deployment capabilities of ZENworks. The scale of ZENworks can now reach tens of thousands of devices per single zone, and the satellite roles assigned to managed devices greatly enhance how ZENworks services are made available across WAN links at remote locations. On November 11th we'll write the next chapter of this product's long history ZENworks Configuration Management 11. This release is packed with many new features and capabilities that broaden the platforms you manage and greatly extend how you can secure and manage those devices throughout their lifecycle. Let's take a closer look!

Integrated Endpoint Security Management

In 2007, ZENworks stepped into the realm of device endpoint security with the standalone product ZENworks Endpoint Security Management. Based on technology acquired in the purchase of security software vendor Senforce, these capabilities greatly differed from the traditional device lifecycle management policies in ZENworks and were made available as a standalone non-integrated product. That has changed now with ZENworks 11, and full integration of these capabilities represents total convergence of device lifecycle management and device security functions inside of a single management console. As with other ZENworks functions, communications to and from the ZENworks infrastructure happen via the Adaptive Agent on standard HTTP(s) protocols, and all features are managed via the ZENworks Control Center. Client Self Defense features prevent users from tampering with the security enforcement components of the ZENworks Key Features: Feature-specific policies allow you to granularly define security settings for the device. These can then be combined to implement a holistic policy. Policy groups allow you to combine security and configuration policies and make a single assignment for enforcement. Most policies can be either user/device assigned and global/location specific. Policies then merge to ensure that the right set is applied for the combination of location, device and user. It's worth noting that this merging is unique to the endpoint security policies and does not apply to non-endpoint security policies. USB device management policies control what devices or types of devices users are allowed to access (if any). agent. Enforcement continues to be at the driver-level for both network and storage security functions.

Figure 1: USB Device policy with imported scan data

4 Open horizons Magazine ISSUE 12, Q4 2010

ZENworks 11 as a truly unified solution for Windows and Linux device management. The Linux agent is Java-based, and has multiple deployment options. Discovery and deployment functions are now extended to Linux devices via SSH, and allow for remote deployment of the ZENworks Adaptive Agent. The agent can also be 'pulled' down via YaST, YUM or a single-file download. Key Features: Inventory provides a full hardware and package inventory and tracks change history. Inventory integrates with Asset Management to allow you to map purchase records to installed packages.
Figure 2: Attributes of a sample USB thumbdrive

(RHN), and ZENworks Linux Management. Provides flexible Linux bundles allowing you to deploy packages and files while also performing required configuration tasks. External Service Policy allows you to centrally configure external repositories that managed devices should have access to. Bundles and bundle groups can be exported to YUM format for easy consumption by unmanaged Linux devices on your network. Introduces ZENworks Application Windows for Linux, bringing the power of Novell Application Launcher (NAL) to the Linux desktop. Remote management for Linux devices via the ZENworks Control Center is provided via integrated VNC and SSH clients. Puppet policies allow you to leverage the configuration management capabilities of the puppet project to configure your devices. Currently there are 100s of puppet recipes available on the web that can be leveraged.

Provides Linux OS deployment of SLEand RHEL-based distributions via integration with AutoYaST and KickStart. Continued support for Dell PowerEdge server bare-metal provisioning via Dell Tookit integration. Full support for ZENworks system variables within AutoYaST / Kickstart scripts, and improved Linux imaging capabilities for imaging EXT3 and ReiserFS partitions, even within LVM.

Storage management features allow you to control access to storage devices and control AutoPlay execution.

Wi-fi management allows you to limit access to only protected networks and to specific wireless access points.

Layer 2 firewall allows you to control all incoming and outgoing traffic on the managed device.

Package and repository management allows you to graphically configure and schedule subscriptions to external package repositories such as YUM, Novell Updates (NU), RedHat Network

Core Enhancements
ZENworks 11 introduces numerous enhancements to the underlying core of the product. One such enhancement is a 64-bit

VPN enforcement policies allow you to require the use of VPN in specified locations.

Application Control policies allows you to restrict application execution or Internet usage by applications.

Data Encryption policies allows you to configure encryption of removable devices and folders/sub-folders on fixed disk.

Integrated Linux Device Management

ZENworks has been managing both SUSE and Red-Hat Linux environments for several years via ZENworks Linux Management. With the release of ZENworks 11, these Linux management capabilities have been extended into the ZENworks Configuration Management world. This integration qualifies
Figure 3: Subscription dialog showing source options

ISSUE 12, Q4 2010 Open horizons MAGAZINE 5

JVM on 64-bit hardware and OS, allowing you to fully leverage todays hardware. Location-awareness greatly extends your ability to assign policies and bundles based on 'where' a user or device is. It adds a new dimension to the identity-driven nature of ZENworks and is available for both Windows and Linux device management. You can define 'locations' that consist of various elements of data including networking hardware and addressing information. Locations can be used as system require-

PC Power Management and Reporting

There are two actionable elements in power management enacting changes across your environment and viewing the compliance of your devices with respect to your policies. Managing the power settings on a device with previous versions of ZENworks was possible with bundles that ran scripts or

compliance to your power management policies. Additionally, Intel vPro integration allows you to remotely perform power-on actions to supported devices on a scheduled basis, or even enhance other activities such as software distribution, patching, remote control, etc.

Enhanced Patch Management

The patch management capabilities in ZENworks get some improvements in ZENworks 11 as well. ZENworks 11 provides cross platform patch management for Windows, SUSE Linux Enterprise and Red Hat Enterprise Linux devices.

Figure 4: Dialog showing change management options

Most notably, you can now promote existing ZENworks Configuration Management bundles to become patches. This allows the 'discover applicable update' (DAU) process to help you quickly identify the devices on your network that need a specific bundle and then target those devices. It also allows for the tracking of these bundles/devices via the patch management reporting as well. Also, new email notification capabilities make it easier than ever to determine when new patches are available for your environment.

ments for policies and bundles, used to determine closest servers, and can be used for bandwidth throttling. Other enhancements: The Sandbox is a bundle and policy change management feature that helps ensure that changes are only deployed to your production network when you publish the changes. In the ZENworks Control Center, you can now assign administrative authority to existing Novell eDirectory and MS Active Directory groups. Action level system requirements gives you more flexibility than ever when it comes to building bundles for software delivery. Manual device creation and reconciliation capabilities allow you to pre-create devices and then have them reconcile based on Serial number, MAC address and/or Hostname.

modified the registry, but that has been made much simpler via a new power management policy. As with other ZENworks policies, you can define over-arching power management policies that apply everyone, and then assign separate policies for specific users/groups or types of devices. You can be even more granular with your policies by leveraging location-awareness and have the power profile of a device be dependent upon it's physical location. New reports in ZENworks 11 allow you to view

Figure 5: Policy settings for power management

6 Open horizons Magazine ISSUE 12, Q4 2010

Enhanced Reporting Services

The ZENworks Reporting Server (ZRS) is an included optional component of ZENworks Configuration Management that is based on the latest version of the BusinessObjects Enterprise engine. Leveraging this capability is as simple as installing the ZRS on a primary server in an existing ZCM zone. These reporting services allow you to execute canned reports and build new reports quickly and easily via a web-based interface that spawns from the ZENworks Control Center. Key features: The reporting universe has been expanded to include endpoint security policies. Allows you to build custom reports for information about any endpoint security management policy and provides several new canned reports related to endpoint security policies. Allows you to build custom power reports related to green capabilities of your machines and the power policies of the machine. Provides new canned reports for power policy and capability compliance reporting. New reporting universe objects for subscriptions allows you to build custom reports for Linux repository subscriptions and provides new canned reports for subscription status.

The ZENworks Primary Server can be hosted on Windows 2003 Server, Windows 2008 Server, Windows 2008 R2 Server, SUSE Linux Enterprise Server 10 or 11, and Red Hat Enterprise Linux Server 5.5.

On the Horizon
Today, many thousands of customers have fully migrated from older versions and are relying on ZENworks 10 Configuration Management to manage their endpoints. It doesn't matter whether the environment is large or small, centralised or highly distributed, ZENworks is the foundation for a secure and consistent experience for both administrators and end users. ZENworks 11 takes us into 2011 with many new capabilities that enhance how we provision, manage and secure our endpoints, but that's not all 2011 will offer. For first half of 2011, we are working on a support pack for ZENworks 11 that adds significantly increased platform support and security capabilities. And in the late 2011 time-frame, look for a ZENworks release which greatly enhances how ZENworks manages your endpoints...across both physical and virtual environments!

Sam Tessier is a Product Manager for Novell's ZENworks product line. Based in the US in the New York area, Sam spends most of his time working with customers, partners, analysts and driving the strategic direction of the ZENworks portfolio. Sam joined Novell in 1999 and worked in field support and pre-sales engineering roles prior to joining Product Management. He has been a BrainShare presenter since 2004, presenting topics focused on the ZENworks portfolio.

Supported Platforms
Managed device support covers Windows XP, Vista and 7, Windows Embedded Standard 2009, WEPOS 2009, 2003 Server Standard and Enterprise, 2008 Server Standard and Enterprise, 2008R2 Standard and Enterprise, Novell SUSE Linux Enterprise Desktop and Server 10, Novell SUSE Linux Enterprise Desktop and Server 11, Red Hat Enterprise Linux 4.6+ and 5.3+ as managed devices

ISSUE 12, Q4 2010 Open horizons MAGAZINE 7