System Center Configuration Manager 2012 Improves User Access, Deployment
Microsoft makes changes to this flagship of the System Center family, aimed at responding to the changing landscape of systems management in the enterprise.
Microsoft's vision for systems management is the System Center suite, and the flagship of that suite is System Center Configuration Manager. Initially released in 1994 as Systems Management Server, it has undergone major changes, from version 2.0 to Systems Management Server 2003 and then to the incumbent SCCM 2007 R3. It's time now for another big shift, this time in response to the changing landscape of systems management in the enterprise. That's what the forthcoming SCCM 2012 focuses on.
The most sweeping changes in SCCM 2012 are focused on putting users first; Microsoft does this through User Centric Management. There's also a new console, a new role-based security model and simplified infrastructure and administration processes. I tested beta 1 of the next version of SCCM, called SCCM 2012. Features and functionality are likely to change between this version and the final release.
The Basics of SCCM
In a nutshell, SCCM works like this: Devices (clients, servers and smartphones) are discovered, usually through Active Directory, and client software is installed on each asset. These components are then inventoried for both hardware and installed software, and this data is stored in a central database; that data is then used to target application deployments to collections of client computers or users. Windows Server Update Services (WSUS) is also integrated into SCCM to provide updates to clients and servers; new machines can automatically have a fresh OS deployed to them, or existing machines can be upgraded to a newer version of the OS. Settings management is used to monitor settings on all devices to ensure they adhere to corporate policy, and SCCM can integrate with Network Access Policy in Windows Server 2008 to ensure that the health of client devices is tested before full network access is granted.
Figure 1. Gone are the days of complex scripting just to control how an application gets deployed.
User-Centric Management
The world of corporate IT is changing. Younger employees are "digital natives" who have grown up with technology and who expect to be able to access applications and data wherever, whenever and on whatever device they choose to work. The proliferation of devices that access programs and information is also continuing. Hand in hand with this is the consumerization of technology, where employees expect to bring their private smartphones or laptops to work and use these on the corporate network.
SCCM 2012 changes its focus from systems management to putting the user in the central role and involves end users to give them wider control over what software is installed on their devices and when it gets installed. They can, for instance, define their own work-hour pattern so that software installations take place outside these times. SCCM 2012 accomplishes this by linking users to particular devices. A device that's used most often by a person is called a primary device; a user can have more than one of these. Conversely, a primary user is the main user of a device, and each device can have more than one primary user.
Defining these relationships is done through user-device affinity; this association can either be done by the user (through an imported file) or by an administrator (manually). The most interesting method is where usage statistics are collected and affinity is based on this data. Administrators can, of course, approve the auto-detected affinity. The new SCCM is a user-friendly, one-stop shop for users to do common tasks. Another part of 2012 is the Software Catalog, a Silverlight-based self-service Web site that allows users to search for and request applications.
App and OS Delivery
Hand in hand with the new user focus is a new way of delivering applications to users. The idea is to capture the administrator's intent through requirement rules, deployment purpose (available or required) and deployment types. The latter can be Windows Installer, Script Installer, Microsoft Application Virtualization, Remote Desktop App or Windows Mobile Cabinet.
An administrator can define that an application should be installed natively on a user's primary device. Should the user log in to a device that's not his primary device, SCCM 2012 can distribute the app as an App-V program or Remote Desktop app instead. Dependencies allow you to link one app deployment to another as a prerequisite; application lifecycles are also better supported with a new "retirement of applications" feature. For testing or backup, an application can be exported in its entirety from one 2012 environment to another, and all dependent files are included in the export. Metadata about each application can be harvested from MSI files or manually entered, making it easier for users to find the right application in the Software Catalog.
In SCCM 2007, a separate Status Message Viewer was used to track software installations; in SCCM 2012, the deployment of all software (updates, compliance settings, applications, task sequences, packages and programs) is tracked under the Monitoring node.
Requirement rules are intended to minimize the need for complex collection queries for deployment and will let you set technical or business constraints on application deployments. These rules can be global and apply to any deployment type, or they can be for a specific deployment type. Requirement rules are re-evaluated every seven days to ensure compliance.
Figure 2. The SCCM 2012 console is easy to use and logically laid out.
Another feature coming in beta 2 is pre-flight, where an app deployment can be tested without actually deploying it to a client device.
The main improvement in SCCM 2012 for Operating System Deployment (OSD) is that User State Migration Toolkit (USMT) version 4 is now fully integrated into the UI; in SCCM 2007, you had to use the command line to control USMT version 4. Another improvement is hierarchy-wide bootable media, mitigating the necessity for OSD bootable media to be duplicated in every location. Finally, offline servicing of images is now automated; updates and patches that are approved can be targeted to the image library to make sure that your OS installs are up-to-date immediately after installation. SCCM 2012 supports Intel vPro processors that offer Active Management Technology, essentially providing access to computers outside of a working OS.
New Console
The Microsoft Management Console-based console in SCCM 2007 was notoriously slow in large environments; the new "System Center framework" console certainly seems snappier, while also providing a whole new look to SCCM. Much expanding and collapsing of trees is eliminated by the fact that the middle main pane has tabs at the bottom. The new console adopts the "Outlook" metaphor with Administration, Software Library, Monitoring, and Assets and Compliance buttons in the "Wunderbar." Yes, you read that right; that's the official term in Microsoft's documentation.
RBAC
Initially pioneered in Exchange 2007, the role-based access control (RBAC) model for how to "do security" in large applications that are managed by many different people across an organization is also used in SCCM 2012.
RBAC is quite an intuitive approach to security. It eliminates Primary Sites as security boundaries and replaces the model used in SCCM 2007. Security roles are groupings of typical administrative tasks that are combined with groups of permissions called security scopes. This also controls the UI in the new console, so if a particular administrator shouldn't manage a site, for instance, it won't show up in the console. In beta 1 there are 13 roles defined and you can, of course, create new security roles and security scopes.
New Infrastructure
One aim of SCCM 2012 is to flatten your SCCM hierarchy and allow you to create a simpler, more modern infrastructure with fewer site system servers. As there's no in-place upgrade, you have to set up a new SCCM 2012 structure and migrate to it from SCCM 2007 SP2. Keep in mind that SCCM 2012 is x64 only, requiring 64-bit hardware and software as well as requiring Windows Server 2008 or Windows Server 2008 R2 and SQL Server 2008 SP1 (x64) or later. Reporting in SCCM 2012 relies on SQL Server Reporting Services. The only pieces of the infrastructure that can run on 32-bit OSes are distribution points.
The new piece in the puzzle is the Central Administration Site (CAS), used only for administration and reporting; you can't assign clients to it. You need a CAS if you have more than one Primary Site. If you have a single Primary Site now, you can continue with that model in SCCM 2012. Unlike SCCM 2007, Primary Sites don't provide a partition for security, client agent settings or administrative roles. The main reason to have more than one Primary Site in SCCM 2012 is scale out: Each Primary Site supports about 100,000 clients. You also eliminate single-point-of-failure situations by having more than one Primary Site. Unlike SCCM 2007, a Primary Site can't be a child of another Primary Site; Secondary Sites, however, can be tiered.
Replication of content hierarchy now uses SQL Server replication instead of the file-based model in SCCM 2007, although file-based is still there and used for software packages, OS images and patches. This means Secondary Sites need to have a SQL Server database (the default is SQL Server Express). Data is replicated at one-minute intervals and is separated into Global data or Site data. Global data is administrator-created objects that are replicated from the CAS to all sites (Secondary Sites receive a subset). Site data is operational information created at Primary Sites, which is replicated up to the CAS but not to all other sites. A process known as Replication Configuration Monitor keeps track of database replication.
Another reason you might be able to eliminate some existing sites in your new SCCM 2012 world is that client agent settings can be customized per collections instead of at the site level. Clients can even receive multiple custom settings from multiple collections.
One thing that hasn't changed from SCCM 2007 is Active Directory schema extensions; if you've already extended your schema, you won't need to touch it for SCCM 2012 to be able to publish site information.
A new feature of Windows Server 2008 R2 is BranchCache, so if you have a Distribution Point (DP) on Windows Server 2008 R2 and your clients are on Windows 7 (Enterprise or Ultimate), consider using it. In small branch offices with fewer than 100 computers and where BITS bandwidth control is sufficient, you can use a Branch DP and host packages on a designated workstation computer.
One site is designated as the discovery-processing site, and it will process all discovery data records, regardless of where discovery is run. This means that there's no chance of duplicating database IDs.
Alerts are new in SCCM 2012. They're intended to help administrators in their day-to-day tasks in the console by letting them know when something's amiss; they're linked to site operations and they can, for instance, trigger if a configuration baseline falls below a defined level. Alerts don't connect to other System Center products, nor can you generate an e-mail based on an Alert.
DP groups are a way to manage content. When you add new content to a group, every DP in the group receives the content; if you add another DP, it automatically receives all previous content. SCCM 2012 lets you copy content manually to Branch DPs and standard DPs. In SCCM 2007, you could only do this for Branch DPs.
The Final Word
While there are a few features still to come in beta 2, it's clear that this is a major overhaul of SCCM. A simpler and more efficient hierarchy should appeal to organizations relying on SCCM 2007 today, while the inclusion of mobile management, role-based security and an accessible console will charm administrators. The concepts of user-centric management and giving the end user more control, along with the improvements and flexibility in application deployment, are also sure-fire winners.
Microsoft System Center Configuration Manager 2012 Beta 1
No pricing available
Microsoft Corp.
425-882-8080
microsoft.com