Cover Your Assets
Get a grip on your networked assets with the right asset management tool.
When someone asks how many PCs are in your organization or how many copies of Excel are in use and on which systems, you should know the answers. If you don't, you need to get busy.
In this age of compliance, it's essential to know what you have and where it is at all times. Gartner surveyed attendees of its 2005 Gartner Data Center Conference and found:
- 51 percent did not have an asset management system in place
- 92 percent did not have a link between their asset management system and
their change/configuration management tools
- More than 50 percent did not track software usage as well as software
assets
- Of those using an asset management system, only 65 percent included both
desktops and servers
- Of those considering an asset management system within the next two years, almost
all were looking for an integrated asset management/change and configuration
system
Compliance and costs are the major reasons why inventory alone no longer flies.
It's also why including usage data with license management is essential. Otherwise,
you'll either be non-compliant or paying for products you don't use. The asset
management technologies included in this roundup can help your organization
maintain control of its technology resources:
- Altiris Service & Asset Management Suite -- a complete suite of asset
management tools
- KACE KBOX IT Automation Appliance -- a hardware appliance for hardware
and software inventory management
- Novell ZenWorks Asset Management -- a tool that provides comprehensive
software asset management capabilities
- Special Operations Software Specops Inventory -- a tool that uses Microsoft's
Active Directory to do inventory management
Missing from this roundup are vendors like Microsoft, LANDesk and CA. Microsoft declined to participate because its Systems Management Server is undergoing significant changes and will soon be released under a new name -- Microsoft System Center Configuration Manager 2007. Others declined for various reasons. These products give you an idea of the type of system you'll need to finally gain control over your technology assets.
Altiris Service & Asset Management Suite
Depending on which components you select, the Altiris Service and Asset Management
Suite (SAMS) focuses purely on asset tracking, asset lifecycle management or integrated
asset and service management. SAMS supports each phase of an asset's lifecycle
-- reception, preparation, deployment, inventory, maintenance and retirement.
It can tie assets to individuals and track them throughout the organization, supporting
the move, add, and change process during an employee's lifetime. Altiris sells
these components in three “levels.”
Level one is the electronic inventory and asset management system. It also has an application metering function that gives you a general view of software usage, denial or blocking. This feature is essential for generating reports on who is using what software. One common problem organizations face with software licenses is installing software that employees never use, paying for extra licenses without reaping any benefits.
Level two adds asset control. With this you can add custom assets such as desks, chairs, telephones, cubicles and so on. This gives you a complete view of a user's needs. It also adds contract management, which links contracts to asset inventories and supports proactive license management. Bar-coding (with or without a device) for receiving and tracking assets is also part of level two.
Level three integrates service management. This means help desk personnel have
immediate access to the supporting information when a ticket is opened on a
particular asset, including service contracts, warranties, organization servicing
this asset and so on.
Figure 1. The Altiris Console is a comprehensive, Web-based interface.
The first level requires a license for each managed asset. Levels two and three
only require licenses for those using them or accessing the information. Licenses
are transferable as long as only one user accesses a license at one time.
Installing SAMS is straightforward. Altiris uses a step-by-step, easy-to-follow process. First install the Altiris Server (or Notification Server), then connect it to a Microsoft SQL Server database. This can be the Microsoft SQL Server Desktop Engine, but we'd recommend using a real version of SQL Server 2000 or even SQL Server 2005. Next, move on to the Configuration tab and Upgrade/Install Additional Solutions. Select the solution level you need and install it.
Altiris just released version 6.5 of the Altiris console, making it much easier
to work with the product. Version 6.5 provides a Web-based dashboard and lets
you customize your desktop exactly as you need (see Figure 1).
One of the most compelling features is the Resource Association Diagram, which
lets you view all devices associated with a user, drill down into each device,
see its association with others and so on (see Figure 2). This is a live view,
so you can directly interact with assets.
Figure 2. The Altiris Resource Association Diagram provides a graphical representation of asset associations.
Because it starts with the initial entry into the asset database, SAMS lets
you track an asset from the moment it's acquired to the moment it's retired.
This means you can generate thorough historical reports on what has happened
to a device throughout its service cycle.
Altiris SAMS is simple to use, supports multiple operating systems (Windows, Unix, Linux, Macintosh OS and personal digital assistant OSes) and controls assets through policies. It's one of the most comprehensive systems available.
KACE KBOX
The KACE KBOX IT Automation Appliance differs from the others, as it's a rack-mounted
server device that you work with through a Web console. It's configured as a
management toolkit to handle electronic inventory and software deployment.
The KACE KBOX is driven almost entirely by open source software, including FreeBSD, Apache Web Server, PHP, MySQL, SendMail and ZipLib. The KBOX comes with a RAID 1 configuration of mirrored drives and a third backup drive for simple data protection. Installation and deployment are easy -- place it in a rack, connect its ports and then log on to the Web console. Still, KACE offers a free hour of training to all customers. KACE also provides consulting services, if needed.
Client deployment is a bit trickier; you have to set it up through a logon
script. Because the client agent uses the .NET Framework, the logon script will
automatically install both .NET and the agent if the user has the appropriate
rights. If not, you need to use a workaround to grant temporary rights. It's
surprising that there's no other deployment mechanism. Client installation is
an .MSI, so you could always deploy it with AD, but this is kind of redundant,
as one of the KBOX functions is software delivery.
Figure 3. The KACE KBOX Inventory Console is a Web-based interface you can use to interact with the server.
You need to do one of two things to make sure your clients talk to the right
server. First, create a KBOX entry in your DNS server that redirects clients
to the right location. You could also edit the .MSI, which is the recommended
approach. You can do this directly with free tools like the ORCA .MSI Editor
from Microsoft or through packaging tools like Wise Package Studio or Macrovision's
FlexNET AdminStudio. Editing the .MSI is the best way to go because it gives
you complete control of the settings.
Once the client is deployed, it automatically performs a comprehensive hardware
and software inventory and reports back to the server (see Figure
3). The KBOX's Network Scan feature is how it discovers and manages Macintosh
and Linux systems, routers, printers and other network devices.
The server interface includes several tabs for Inventory, Distribution, Scripting, Security, Help Desk, and Alerts and Reports. Under inventory, the KBOX has tabs for Computers, Software, Network Scan, Computers -- MIA (Missing in Action) and Labels. You can click on any computer's icon, for example, to automatically launch a Remote Desktop Connection to that device.
You can use the Labels function to organize inventory management. For example,
you can use the search feature to identify all machines from a specific subnet
and assign geographic labels to that group. For mobile systems, you can create
custom filters that assign an appropriate label based on dynamic values. This
way, when your user is logged in at the home office, their PC will have a home-office
label. When they're in a branch office, they'll have a branch-office label.
Figure 4. The KACE KBOX Software Inventory uses its agent to scan and report on software applications installed throughout the network.
The software tab provides a complete listing of all software found running
on the network (see Figure 4). Titles are grouped alphabetically by default,
but you can easily change that setting. For compliance issues, the KBOX offers
several reports, categorized by report type. The KBOX also lets you add licensing
information to your inventory reports to help you manage software assets. If
you're familiar with SQL, you can use the KBOX to generate custom reports. Overall,
the KACE KBOX is a powerful tool with a complete set of services suitable for
small to medium networks.
Novell ZenWorks Asset Management
Novell has long been known for its network operating system. Now it's focusing
on open source technologies. Nevertheless, the majority of Novell's revenues
are generated by its ZenWorks system management tools.
However, comprehensive asset management was always missing from the ZenWorks lineup. Novell has rectified this with its purchase of Tally Systems. The core Tally TS.Census product has become ZenWorks Asset Management (ZAM) and sports a Novell look and feel. At the time of this review, the new tool had not yet been fully integrated with the other ZenWorks components, but Novell is clearly moving in this direction.
You can install ZAM in Standalone or Enterprise mode. In Standalone mode, everything installs on the same server, including the database. In the Enterprise deployment, ZAM distributes different roles to multiple servers. You'll also need to have the database available (either Microsoft SQL Server Desktop Engine, SQL Server 2000 or 2005, or Oracle).
There are six key components to ZAM:
- The ZAM Manager is the primary system interface
- The collection server gathers information on your software assets
- The task server generates scheduled tasks like database cleanup, report
generation and so on
- The file store collects information from clients
- The Web console provides system access
- The asset database itself
Other components include client-side tools like the collector client, which is an agent that collects data and ships it to the file store to be added to the database. There's also an editor to modify collected data before it's stored.
While ZAM performs some hardware inventory, it really shines with software inventory collection and management. ZAM (formerly Tally) uses a highly respected software asset management engine. It's certified by the Software Information Industry Association (SIIA), an organization that aims to protect and support both software vendors and users.
ZAM supports hardware inventory for Windows, Macintosh, UNIX and Linux devices,
as well as networking equipment such as printers, hubs, routers and switches.
It doesn't support personal digital assistants. While you can manually add this
information, it is not yet integrated into bar code scanning technology.
Figure 5. ZenWorks Asset Management offers a nice, clean interface through its Web console.
When you first log into the ZAM Web console (see Figure 5), you'll see inventory
reports, network discovery and software compliance functions. Discovery is fairly
standard, discovering items through network subnets, agent deployment or network
broadcasts. Compliance gives a clear picture of what is out there and who is
using it.
Reporting is the crux of the system. You can set up reports any way you like. Reports identify systems, applications, server software, hardware, upgrade readiness, license tracking and even software or file usage. ZAM also generates custom reports, and all reports let you drill down to detailed views.
The biggest problem with electronic inventory tools is that they often report too much information. It's not surprising since software is made of executables, dynamic link libraries and other executable files that can be deemed as valid products by an inventory agent. Not so with ZAM. Tally worked extensively with software manufacturers to fully scan and document the installed state of almost every software product on the market.
Also, ZAM categorizes products on its own to help you identify where it fits
in. These categories are, of course, customizable. You can report by department,
by workstation type, by product type or mix and match. This is great for compliance
issues.
Figure 6. ZenWorks Asset Management uses a simple five-step process for license reconciliation.
The software compliance function lets you reconcile purchased assets with deployed
assets. It uses a simple five-step process (see Figure 6):
- Begin with an inventory
- Import your purchase records
- Reconcile discovered products
- Reconcile product catalog
- Produce final compliance report
The second step, import purchase records, can link directly to vendor-supplied information, which makes it easy to link purchase records to deployed assets. You can generate compliance reports through pie or bar charts to provide management with the cleanest, most up-to-date information in a few simple steps.
Overall, this is the best software asset management tool we've seen. It will be interesting to see how Novell integrates it with its other ZenWorks management tools.
Special Operations Software Specops Inventory
Special Operations Software (aka Specops) relies on AD to conduct most management
operations and that is just what they've done with Specops Inventory (SOI). It
makes sense. If you're already using AD, then why not use it for management tasks?
Even though AD is a database, SOI doesn't use it to store any collected information.
Instead, it uses Microsoft SQL Server as the database. This again makes sense
because relational databases are much more suited to that type of information
management.
Figure 7. The Specops Inventory Console is none other than the Group Policy Editor that is built into Windows.
The best aspect of SOI is that it takes only a few seconds to deploy, maybe
even less if you already have SQL Server running. The reason setup is so easy
is that everything that makes this solution work is already in place in any
shop using AD. SOI is made up of Group Policy extensions, so everything required
to run it is already in your network. There are no custom agents required on
any client, saving considerable deployment time and facilitating management.
Microsoft should take notes on how Specops uses AD to add more functionality
to this powerful management interface.
SOI can collect hardware, software, GPO settings, registry keys, Windows management
instrumentation data, user data, files, services and scheduled jobs from any
system tied to AD (see Figure 7). To collect inventory information,
simply edit the GPO and check the information to be collected. The next time
Group Policy refreshes on the client, it will gather the data from entire domains,
sites, or single organizational units.
Because it uses AD's common features, you can assign different levels of delegation
to different operators. For example, headquarters may want a full inventory
from everyone in the domain, but site administrators may only want certain registry
keys from the users they manage. SOI will automatically gather the settings
and deliver the information. Since the inventory client uses the operating system's
own GPO processing capability, it has a zero footprint.
Figure 8. Specops Reporting is done through a Web interface, and is the easiest reporting tool in this roundup.
Specops also has a Reporting component that lets you view reports through a
simple Web interface (see Figure 8). Reports include compliance and basic inventory
information. If you want a new report, just check the items you want in the
report, then choose a look and an output format (HTML, Excel, comma delimited or
rich text format).
Reports are generated from the SQL database, but you can also run them from any other database. Reports are in XML format so they are very easily transportable. Reporting also supports automatic report generation and email distribution, making it easy to send automated reports to business managers on a regular schedule.
SOI also has a data cleaner utility that lets you link multiple values. For example, you could say that Dell, Dell Inc. and Dell Computers should all translate to Dell to simplify inventory management. Finally, by integrating License Management, SOI can also map licenses to actual software use to reduce costs -- a valuable addition.
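The value cleanup and license-to-usage mapping described here, together with the inventory/purchase reconciliation described for ZAM, can be illustrated in a few lines. This is an added example, not code from any of the reviewed products; the alias table, host names, inventory rows and the 90-day idle threshold are constructed assumptions, and it normalizes software titles rather than the vendor names in the Dell example.

```python
from collections import defaultdict

# Constructed alias table: raw strings an agent might report -> canonical title.
ALIASES = {
    "ms excel": "Microsoft Excel",
    "microsoft office excel": "Microsoft Excel",
    "visio pro": "Microsoft Visio",
}
# Canonical names must also map to themselves, whatever their case.
_LOOKUP = {**ALIASES, **{v.lower(): v for v in ALIASES.values()}}

def canonical(raw):
    """Collapse case and whitespace variants, then apply the alias table."""
    key = " ".join(raw.lower().split())
    return _LOOKUP.get(key, " ".join(raw.split()))

def reconcile(inventory, purchases, idle_days=90):
    """Compare purchased seats with installed and recently used copies.

    inventory: (host, raw_title, days_since_last_use or None if never run)
    purchases: (raw_title, seats)
    """
    seats = defaultdict(int)
    for raw_title, count in purchases:
        seats[canonical(raw_title)] += count

    installed, used = defaultdict(set), defaultdict(set)
    for host, raw_title, days_idle in inventory:
        title = canonical(raw_title)
        installed[title].add(host)          # a set, so duplicate rows count once
        if days_idle is not None and days_idle <= idle_days:
            used[title].add(host)

    report = {}
    for title in sorted(set(seats) | set(installed)):
        n_inst, n_used = len(installed[title]), len(used[title])
        report[title] = {
            "purchased": seats[title],
            "installed": n_inst,
            "used": n_used,
            "shortfall": max(0, n_inst - seats[title]),   # compliance exposure
            "reclaimable": n_inst - n_used,               # installed but idle
        }
    return report

# Constructed sample data.
INVENTORY = [
    ("pc-001", "Microsoft Excel", 3),
    ("pc-001", "MS Excel", 3),              # same host reported under an alias
    ("pc-002", "ms  excel", 200),           # idle for more than 90 days
    ("pc-003", "Microsoft Office Excel", None),  # installed, never launched
    ("pc-004", "Visio Pro", 10),
    ("pc-005", "Microsoft Visio", 1),
    ("pc-006", "Microsoft Visio", 400),
    ("pc-002", "WinZip", 5),                # no purchase record at all
]
PURCHASES = [("Microsoft Excel", 5), ("Microsoft Visio", 2)]

if __name__ == "__main__":
    for title, row in reconcile(INVENTORY, PURCHASES).items():
        print(title, row)
```

A non-zero shortfall marks a title with more installs than purchased seats, and a title with no purchase record at all shows up with zero purchased seats; reclaimable counts installs nobody has used within the threshold.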
The most impressive aspect of SOI is that it uses components already developed by Microsoft and extends their functionality. Instead of forcing GPOs to run a daily inventory, for example, it modifies an existing key to ensure that inventory is collected on a regular basis even if the Group Policy Object hasn't changed. It also uses client side extensions to make sure the clients can use the Group Policy engine to collect inventory data.
It's surprising that this level of innovation has to come from a small company when Microsoft keeps lumbering on with Systems Management Server, a tool that is barely connected to AD, requires AD schema extensions and a duplicate infrastructure for systems management. Specops Inventory is definitely worth watching.
The Final Word
The Altiris Service & Asset Management Suite is the best overall tool since it
covers the entire lifecycle of any asset in your organization. The Altiris Resource
Association Diagram is one of the best interfaces we've seen for determining who
has what and their relationship to the rest of the organization. This is a powerful
tool well-suited for medium to large organizations, especially those with heterogeneous
environments.
If you're managing a Windows shop, but don't want to use Windows tools to do so, then the KACE KBOX IT Automation Appliance is the tool for you. Setup is easy, but customizing anything requires specialized knowledge. If you're a small to midsize shop and you like the default feature set, then the KACE KBOX is for you.
After acquiring Tally Systems, Novell has a powerful software asset management solution. Tally has done a lot of leg work getting this product up to speed. The Novell solution is not yet integrated with other ZenWorks components, so you can't yet get into complete lifecycle management, but if you need software asset management, then this is the tool for you.
Specops Inventory is the most innovative inventory solution we've seen to date.
AD is one of the best technologies Microsoft has ever delivered, so a technology
like SOI that extends its functionality is a boon to overworked and overextended
Wintel system administrators. If you're working in AD, you should take a good
look at SOI.