When Configuration Manager Goes Rogue & How Cireson Can Help

Let me start by saying I Love Configuration Manager!

For those of you that don’t know, System Center Configuration Manager is now 25 years old. Brad Anderson recently blogged about it and even celebrated this milestone at Microsoft Ignite.

Personally, my love affair with ConfigMgr started when it was still SMS (no, not a text message service, but Server Management System). Over the years, as the product has grown and become more powerful, my infatuation with it has continued to increase, and now it is an awesome tool that I cannot imagine doing without.

Before SMS or ConfigMgr, admins would have to visit each machine for updates or for software installs. We had no clue what was installed on which machine, and don’t even get me started on patch management.

Throughout the years, more and more functionality has been added to the product to make it more efficient and to solve admin issues time and again, including software deployment, patch management, Operating System Deployment, baseline configuration, inventory reporting, software metering and even antivirus!

However, there is one big issue with all this newfound power… As someone famous once said:

With great power comes great responsibility!

With the power to deploy a single patch to many machines with just one click comes the potential for disaster: sending the wrong patch to the wrong machines (or worse, the wrong Task Sequence).

Anyone who has been a Configuration Manager admin for any length of time has war stories of when the wrong advertisement was sent to the wrong collection and business was impacted in some way. Many of these stories are small slowdowns or minor interruptions in service, but some are more like “Resume generating events”.

A very public example of this occurred in late July back in 2012. The Commonwealth Bank of Australia (the second largest bank in Australia) was effectively taken “Offline” and unable to open the doors of the majority of their 1,000 branches for trading due to a “Systems Outage”.

The official line from the bank at the time was “a problem with an internal software upgrade”. However, it was reported that “… 9,000 desktop PCs, hundreds of mid-range Windows servers (sources said as high as 490) and even iPads had been rendered unusable….”

Unofficially, a simple mistake by a ConfigMgr admin advertising an OSD Task Sequence to the “All Systems” collection saw teller machines, AD servers and god knows what else reboot and format the hard drive in preparation for installation of a new OS.

While there are no official numbers on the business cost to the bank or the cost of restoring the systems, I think we should all ask ourselves, “What would this type of impact cost your company?”

I don’t want to harp on this individual incident and break down the exact DNA of the outage; others have done this in the past. What I do want to do is talk about how we can make sure this does not happen to us, or at least minimise the potential risk.

How Can We Prevent Configuration Manager Disasters?

The biggest risk we have with ConfigMgr is the lack of control or granularity of security around deployments, and the lack of limits on which collections can be advertised to.

By default, all admins can send any package to any collection. Role Based Access Control (RBAC) within ConfigMgr does allow for some configuration of administration; however, it is not simple or straightforward to implement and has many limitations.

When an administrator deploys an OS Deployment task sequence to a collection with hundreds or thousands of clients, ConfigMgr warns the admin that the action is a “High Risk” deployment and asks them to confirm the action. However, if the same admin sends patches or software updates to the same collection, no warning is given.
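As an added example (not part of the original post and not Cireson code), the PowerShell below audits deployments of every type, not only task sequences, and flags any that target a large or protected collection. Property names follow the SMS_DeploymentSummary WMI class; the function name, the 500-client threshold and the sample records are assumptions made for illustration.

```powershell
# FeatureType values documented for the SMS_DeploymentSummary WMI class.
$FeatureTypeName = @{
    1 = 'Application'; 2 = 'Program'; 5 = 'SoftwareUpdate'
    6 = 'Baseline'; 7 = 'TaskSequence'
}

function Find-BroadDeployment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Deployment,
        # Assumed threshold; set it to match your own change-control policy.
        [int]$MaxTargets = 500,
        # SMS00001 is the built-in "All Systems" collection.
        [string[]]$ProtectedCollectionId = @('SMS00001')
    )
    process {
        $reasons = @()
        if ($Deployment.NumberTargeted -gt $MaxTargets) {
            $reasons += "targets $($Deployment.NumberTargeted) clients (limit $MaxTargets)"
        }
        if ($ProtectedCollectionId -contains $Deployment.CollectionID) {
            $reasons += 'protected collection'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Software   = $Deployment.SoftwareName
                Type       = $FeatureTypeName[[int]$Deployment.FeatureType]
                Collection = $Deployment.CollectionName
                Reason     = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records (not real data), shaped like deployment summaries.
$sample = @(
    [pscustomobject]@{ SoftwareName = 'OS Refresh TS'; FeatureType = 7; CollectionID = 'SMS00001'; CollectionName = 'All Systems'; NumberTargeted = 12000 }
    [pscustomobject]@{ SoftwareName = 'Monthly Updates'; FeatureType = 5; CollectionID = 'ABC00021'; CollectionName = 'All Workstations'; NumberTargeted = 3500 }
    [pscustomobject]@{ SoftwareName = 'Pilot App'; FeatureType = 1; CollectionID = 'ABC00042'; CollectionName = 'Pilot Ring'; NumberTargeted = 40 }
)
$sample | Find-BroadDeployment | Format-Table -AutoSize

# On a live site (assumes the ConfigurationManager module is loaded and the
# current location is the site drive): Get-CMDeployment | Find-BroadDeployment
```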

  • What if we could put warnings on ANY deployment type when sent to a collection containing large numbers of computers?
  • What if RBAC was more powerful and easier to use?
  • What if we could keep non-critical personnel out of the ConfigMgr console?
  • What if you could even add a bunch of support tools directly into a single pane of glass?

Well that’s exactly what the Cireson Control Center does! 🙂

The Control Center is Cireson’s latest version of the Configuration Manager platform and allows organisations to control who sees and does what within Config Mgr, all while making it super easy for them to come up to speed and learn so they can be more productive faster.

So let’s take a look at each of the key points that Config Manager admins and Support Desk managers would be interested in:

Simple and Powerful RBAC

Using super simple RBAC rules it is possible to lock down what computers or users are visible to groups of users. This gives Config Manager admins the ability to limit what users can see and therefore the damage that can be inflicted if someone makes a mistake.

It also allows them to limit the number of applications that can be advertised and the number of computers that can be advertised to at one time. This removes the potential for an analyst to accidentally rebuild all your domain controllers to Windows 7. 🙂

Remote Manage Support Tools for Computers

The Control Center now introduces Remote Manage support tools that provide analysts with a wide range of simple tools to provide targeted and simple support to customers and computers all from within the browser.

Right clicking a computer and selecting Remote Manage provides a vast list of support tools including:

  • Basic Hardware information, including CPU, RAM, OS, Make and Manufacturer.
  • Process list and control. You can see and kill processes on the remote machine.
  • Services list and control. You can see and stop, start or restart services on the remote machine.
  • Client Actions and Logs. Support actions that allow analysts to trigger common support tools for client computers. Such as:
    • Remote Control
    • Client re-install
    • WMI repair
    • Remote PowerShell
    • and much more…

Remote Manage Support Tools for Users

Quite often with Configuration Manager, users in an environment are forgotten about. However, all the users in an AD domain are listed in Configuration Manager and are up to date. Wouldn’t it be great to introduce user tools to allow support actions such as Password Reset, Account unlock and Software Deployment?

Well now you can!
All from the one tool!

Audit Trail

A common security issue that is faced by organisations is how to audit who, internally, invoked specific actions. The most common example is resetting a user’s password. To allow support staff to reset passwords, an organisation will usually grant users access to reset passwords via AD security, then give the support staff access to AD Users and Computers. That user then has access to reset anyone’s user account and gain access to their account, and there is no audit to show who did what when.

By using the Control Center to reset or unlock user accounts, there is a single service account that can unlock passwords, and every time an account is unlocked or has its password reset, the event is logged against the specific user account that triggered it.

Simple and Intuitive User Interface

Any of the System Center products, while powerful, are complicated to administer through a complex console interface. Many of the workspaces and navigation nodes are not required by most staff and just add complexity and time to the learning of the solution.

The Control Center reduces complexity and removes the excess navigation menus that an average support representative would not require. This makes the time to benefit very short for analysts who are new to the tool, allowing them to be effective faster and with less confusion along the learning curve.

Support Tool Integration

The nirvana of support tools for analysts is a “Single Pane Of Glass” that they can use to log calls, track and update calls, investigate and resolve calls and also report from.

In all my 20+ years of experience with ITSM tools, I can honestly say, I’ve NEVER seen an ITSM solution that even comes close to this goal… until now.

With the recent release of v4.8.x of Cireson’s Analyst portal for System Center Service Manager, analysts now have access to all the regular ITSM goodness that the Analyst Portal provides, but now also access to the Remote Manage tools of the Control Center directly from any associated Computer CI!

  • No changing apps.
  • No need for multiple screens.
  • No need for copy and paste of machine names between apps.
  • All while being secure and audited.

Bliss!

“But I don’t use System Center Service Manager,” I hear you cry. (Why not? I ask…)
Don’t despair: the True Control Center functionality has a flexible API that you can use to create a custom integrated solution into your ITSM tool of choice!

No Console App Required

Traditional use of the Configuration Manager console requires an analyst to install the Configuration Manager console on their computer to administer or use the tool’s functionality. This locks the analyst to a specific workstation that they must return to, or remotely access, to achieve even the most basic tasks.

The Control Center is a web-based application and can therefore be accessed from anywhere, including mobile devices and even outside the organisation. Analysts can trigger the required events from any browser without the delay and effort of returning to, or remotely accessing, their primary workstation.

Conclusion

The Control Center is an amazing tool that any organisation that runs Configuration Manager should review. It quickly and easily delivers real-world benefits to any analyst responsible for the configuration and health of end users and computers.

Reducing time-to-resolution is a constant goal for support organisations and the Cireson Control Center solution delivers the tools to drive down the time and effort required to achieve the most common tasks all while ensuring security and the ability to audit activity.

Do your support team a favour and get an onsite trial organised today or even try it out in the online demo environment with no need to install a thing.