© 2006 Altiris Inc. All rights reserved.
Altiris® Software Virtualization Solution™ Implementation Plan for USAF IT Lifecycle Management
White Paper
Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate via a common Web-based console and repository. For more information, visit www.altiris.com.
NOTICE
INFORMATION IN THIS DOCUMENT: (I) IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY WITH RESPECT TO PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (“PRODUCTS”), (II) REPRESENTS ALTIRIS’ VIEWS AS OF THE DATE OF PUBLICATION OF THIS DOCUMENT, (III) IS SUBJECT TO CHANGE WITHOUT NOTICE, AND (IV) SHOULD NOT BE CONSTRUED AS ANY COMMITMENT BY ALTIRIS. EXCEPT AS PROVIDED IN ALTIRIS’ LICENSE AGREEMENT GOVERNING ANY PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (“PRODUCTS”), ALTIRIS ASSUMES NO LIABILITY WHATSOEVER, AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTIES RELATING TO THE USE OF ANY PRODUCTS, INCLUDING WITHOUT LIMITATION, WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY THIRD PARTY INTELLECTUAL PROPERTY RIGHTS. ALTIRIS ASSUMES NO RESPONSIBILITY FOR ANY ERRORS OR OMISSIONS CONTAINED IN THIS DOCUMENT AND ALTIRIS SPECIFICALLY DISCLAIMS ANY AND ALL LIABILITIES AND/OR OBLIGATIONS FOR ANY CLAIMS, SUITS OR DAMAGES ARISING FROM OR IN CONNECTION WITH THE USE OF, RELIANCE UPON OR DISSEMINATION OF THIS DOCUMENT AND/OR THE INFORMATION CONTAINED HEREIN.
Altiris may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the Products referenced herein. The furnishing of this document and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any foregoing intellectual property rights.
No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Altiris, Inc.
Customers are solely responsible for assessing the suitability of the Products for use in particular applications. Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.
Copyright © 2006, Altiris, Inc. All rights reserved.
Altiris, Inc. 588 West 400 South Lindon, UT 84042
Phone: (801) 226-8500 Fax: (801) 226-8506
*Other company names or products mentioned are or may be trademarks of their respective owners.
Information in this document is subject to change without notice. For the latest documentation, visit www.altiris.com.
CONTENTS
Project Description
Altiris® Software Virtualization Solution™ and Wise Package Studio®
How SVS Fits with the USAF IT Lifecycle Management Implementation
    Hardware
        How does SVS fit into the USAF hardware plan?
    Software and Licensing
        How does SVS fit into license management for the USAF?
    Configuration Management
        How does SVS fit into the configuration management plan for the USAF?
    Patch Management
        How does SVS fit into the patch management plan for the USAF?
    Software Distribution
        How does SVS fit into the software distribution plan for the USAF?
    Data Layers
SVS Benefits for other USAF Processes
    Legacy GOTS Applications and LUA Issue
        How does SVS solve the legacy GOTS applications and LUA issue?
    Software Development and Testing Process
    Comply and Connect
    Help Desk
    Migration to Future Operating Systems (Vista and Longhorn)
Product Awards and Recognition
www.altiris.com Altiris SVS Implementation Plan for USAF IT Lifecycle Management
PROJECT DESCRIPTION
The United States Air Force (USAF) is standardizing the desktop image (SDC) across the entire enterprise. By the end of 2006, all USAF bases will deploy this image. The standard image provides the USAF with a common set of applications for each MAJCOM/base to build upon while simplifying the management process. There are two phases of the SDC:
• Phase 1: Testing of the SDC at four lead bases. After testing, the SDC will be given to the 10 USAF MAJCOMS to deploy to their respective PCs by the end of 2006.
o By June 2006, each MAJCOM will have deployed a test to one other base
o By the end of 2006, all MAJCOMs will have deployed to all of their bases (expected 80 percent total deployment by EOY)
o Each PC will have the SDC deployed by one of the following methods:
    ▪ SDC pre-loaded on new PCs
    ▪ Wipe (OS) and re-load with SDC
    ▪ Migrate current OS to SDC
• Phase 2: MAJCOMS/bases to package, test, and deploy hundreds of COTS and GOTS applications on top of this image.
ALTIRIS® SOFTWARE VIRTUALIZATION SOLUTION™ AND WISE PACKAGE STUDIO®
Wise Package Studio® and Altiris® Software Virtualization Solution™ (SVS) are two key components of a successful software management process. Software management is the process of managing your applications throughout their lifecycle, including preparation, deployment, management and support, patching, upgrading, and retiring.
SVS is a revolutionary new technology (several patents pending) that allows applications to be deployed and run on a computer without altering the host operating system (SDC), conflicting with other applications, or corrupting the deployed image. No longer must administrators install, uninstall, or reinstall applications on the computer. Once the SVS agent (system driver) has been deployed to the target PC, all software virtualization capabilities can be performed. The SVS agent is a small driver that requires 1.1 MB of disk space and typically requires 150 KB of RAM. It can be distributed in several ways:
• Installed at factory on disk image (see the “Hardware” section later in this document)
• Deployed from Microsoft* Systems Management Server (SMS) (from the Microsoft SMS Snap-in tool for SVS included with the SVS software)
• Script executed from group policy or user profile
Once the SVS agent is in place, the benefits of a virtualized application are tremendous, including:
• On-demand application provisioning: Instant activation, deactivation, or resetting of applications
• Eliminates application conflicts (DLL)
• Multiple versions of same application running side-by-side on PC; for example, Office 2000 and Office 2003
• Significantly reduce testing time, including OS patch virtualization in next version
Wise Package Studio prepares applications and patches for deployment by properly configuring them to the unique requirements of computers in the target population. Packages that can be created by Wise Package Studio range from a simple collection of files to intelligent installations that configure the application based on the requirements of the target computer. Wise Package Studio also provides core functionality for managing and testing packages to help ensure reliable deployments. Wise Package Studio and SVS are complementary technologies that work together to properly configure applications for deployment and reduce the risk of application conflicts. By combining both technologies, you have a best-of-breed approach that helps minimize or eliminate software management issues.
Wise Package Studio can embed an existing .MSI in a “wrapper” that will install the application into a virtual layer if SVS is installed on the target computer. This offers a best-of-both-worlds approach because the target system gets properly configured by the installation logic of the .MSI and the application will run virtually.
HOW SVS FITS WITH THE USAF IT LIFECYCLE MANAGEMENT IMPLEMENTATION
The USAF currently has an IT lifecycle management framework that consists of several key steps. SVS provides seamless and non-intrusive integration into the plan’s four steps:
• Hardware
• Software and licensing
• Configuration management
• Software distribution
Hardware
With the IT Commodity Council in place for the USAF, client hardware is purchased in quarterly bulk buys from the various hardware vendors. Nearly 90 percent of the client PCs in the USAF come from Dell and HP. Both Dell and HP are Altiris strategic partners. For commercial customers, both vendors include Altiris hardware management components that ship from the factory. These components are free for their respective commercial customers and provide unique vendor-specific management and inventory capabilities not available from any other software company. These include items such as thermal status, battery and chassis integrity, USB drive detection, etc., as well as integrated and automated BIOS settings and updates. While these hardware components are outside the scope of this proposal to include SVS to the USAF, they are worth mentioning given the high percentage of PCs (90 percent) provided by these leading hardware manufacturers and their usage of Altiris to provide in-depth, vendor-specific hardware management. Altiris and the respective hardware vendor (Dell and/or HP) can make these tools available to the USAF for free. For more information, visit:
• http://www.altiris.com/Products/DellClientManager.aspx (for information about Dell Client Manager)
• http://www.altiris.com/Products/HPClientManager.aspx (for HP Client Manager)
How does SVS fit into the USAF hardware plan?
Altiris’ relationship with both Dell and HP can be leveraged to include the Altiris SVS agent pre-installed from the factory. This is the only component needed to provide software virtualization capabilities on the client PC. No server components are required. The agent setup requires 1.1 MB of disk space and typically requires 150 KB of RAM. Once the agent has been installed on the PC, all administration of the software virtualization capabilities can be performed within SMS and/or scripts executed from group policies or user profiles.
If the SVS agent is not loaded as part of the factory-delivered SDC, the agent can be easily rolled out from SMS.
Software and Licensing
SMS provides license management through the use of inventory and application metering agents on the client PC. These agents run periodic inventory scans to detect what is installed on the PC and what is being used.
How does SVS fit into license management for the USAF?
Applications virtualized with SVS are immediately made visible to the system and thereby detected by SMS inventory and application metering agents. Conversely, deactivated applications are not detected and are invisible to the system. All virtualized applications appear to the system (both file and registry) as if traditionally installed. The simplicity of activating or deactivating virtualized applications provides the USAF license managers with the flexibility to better manage applications where an enterprise software agreement is not in place. Once an application has been deactivated, there is not a single trace of the application on the computer (both file and registry), giving license managers the highest efficiency and flexibility in utilizing purchased licenses. This can be further automated upon user logon with group policies and user profiles that provide immediate role-based provisioning of applications. Once the user logs off, the application is no longer visible to the computer (including user data, if desired). This single benefit can save the USAF millions of dollars in avoiding unnecessary software purchases and license renewals.
Configuration Management
The USAF is standardized on SMS for providing inventory of hardware and software assets. In addition, the SDC provides a base operating system and standard applications to every PC in the USAF. This pristine baseline provides security, stability, and standardization.
How does SVS fit into the configuration management plan for the USAF?
While the SDC provides a pristine baseline for the operating system, SVS provides similar benefits for every application in the USAF with a pristine application baseline. The process for creating these virtual, pristine applications is the same as the traditional method. Configuration managers simply use the Symantec packaging capabilities to create MSI installer packages. These packages can then be accessed by the SVS capture utility and converted into a virtualized package (called a VSP or Virtual Software Package). This is the only additional step required as part of the package creation to transform a Symantec package (or any other USAF package) into a VSP. Once created, these pristine applications can be leveraged by any USAF command or base, greatly reducing the time and manpower to deploy USAF applications onto new or existing computers.
After the VSP has been created and imported to the client computer, it can be instantly activated, deactivated, or reset on the computer. When the application is reset it returns to the pristine application state, thereby removing any and all file or registry corruption that may have been introduced since its original activation into the environment. The ease of administration of a once time-consuming process, and the time and cost savings that result from no longer having to uninstall troublesome or old applications or repair them, is very significant. By simply activating, deactivating or resetting these applications, configuration managers and tier 1/2 help desk personnel have instant rollback capabilities that provide users with on-demand applications that create a stable and reliable end-user environment.
Updating or patching these applications is just as simple. When an application needs to be updated, the administrator simply updates the original VSP file, and then imports it back into the system environment—the application is at its new pristine state. The process of uninstalling or reinstalling the new components on top of the previous version is no longer necessary. Configuration management will never be simpler.
Patch Management
The process for the USAF to test and deploy an application or OS patch is targeted for 72 hours. This includes time for downloading the patch, testing it for compatibility, packaging it for distribution, and finally delivering it to the target systems.
How does SVS fit into the patch management plan for the USAF?
The capability to virtualize OS patches is scheduled to be added to SVS later this year. For critical patches that need to be immediately deployed to a computer, SVS will provide the ability to instantly activate these OS patches on the targeted PCs. If there are any conflicts, administrators simply deactivate the patch. No trace of the patch will be on the computer. Testing time will be significantly reduced. Included with this feature is the ability to “merge OS patch to base.” This means that once the administrator determines that the patch has been successfully implemented virtually, the patch can then be merged to the base OS (SDC) and becomes part of the base going forward. This new capability will revolutionize the way organizations look at and deploy operating system patches and other kernel-level components such as device drivers.
Software Distribution
The USAF is standardized on SMS for delivering software to the desktop.
How does SVS fit into the software distribution plan for the USAF?
SVS provides a revolutionary way of distributing software applications to the desktop. With traditional application installation, administrators go through a lengthy process of installing applications to the targeted systems. If an application is corrupted or fails for any reason over time, many times the administrator needs to uninstall or reinstall the application. This can be very time-consuming to the administrator and disruptive to the end user. Most applications require a re-boot at the end of the process. None of these steps are required with SVS.
SVS uses new commands to manage applications: activate (install), deactivate (uninstall), and reset (reinstall). These commands provide a very different approach to provisioning applications, and the differences are more than just the terminology. SVS uses VSPs that undergo the same process as traditional application packages. Once VSPs are imported into an end-user’s computer environment, they can be activated, deactivated, or reset instantly—in about two seconds. Access to activating or deactivating applications can be granted to one or more groups of users, including end users, help desk workers, SMS
Altiris also provides an SMS plug-in tool that automates the already simple SVS command interface (see screen below).
Data Layers
Another sometimes overlooked feature of SVS is the use of data layers. A data layer is similar to an application layer, though the data files are captured into a virtual data layer as they are created by end users or applications. SVS data layers can be configured to capture all data (one or more types) on the computer into a virtual layer regardless of the application that creates them. This allows administrators to control where critical data files are actually stored on the desktop. It also provides high security for administrators who do not want any remnant of a data file on the system (through the use of the deactivate application/data layer).
[Figure: The life of a Virtual Software Package (VSP). Labels: Lab PC, Production PC. Steps: 1 Repackage to .VSA; 2 Deliver to target machine(s); 3 Import VSP; 4 Activate VSP; 5 User runs app normally; 6 Reset VSP; 7 Deactivate VSP.]
Data layers can also be configured to store any file added to one or more particular directories such as the Root directory or the System directory. This further enhances system security.
SVS BENEFITS FOR OTHER USAF PROCESSES
Legacy GOTS Applications and LUA Issue
Currently, one of the biggest challenges the USAF MAJCOMS face is legacy GOTS applications that do not run on the SDC. Much of this issue revolves around LUA (Least-privileged User Account) security—accounts that do not have the rights to, for example, create files in the Root directory or add system registry entries. The USAF is mandating the MAJCOMS to fix these legacy applications by 31 Oct. 2006 and comply with the SDC or remove the application from the network.
How does SVS solve the legacy GOTS applications and LUA issue?
One of the unique “side” benefits of SVS is its ability to allow each application (or group of applications) to run in its own virtual layer. This allows legacy GOTS applications that currently do NOT run on the SDC to be isolated from other normally conflicting applications and provide immediate availability to the SDC. Numerous examples of this have already been realized at various locations throughout the USAF. For example, at AFPCA, VSPs were created for problem applications such as Office Binder 2000 and AMJAMs. In addition, at Wright-Patterson AFB, a VSP was created for the Standard Purchasing System (SPS). All of these applications had compatibility issues such as Office 2000 with Office 2003, Word 2000 with Word 2003, and older Oracle Client configurations with newer ones—and all of these situations were solved with SVS. At Hill AFB, two standard applications that were never able to run on the same desktop together (ABSS-Financial and Impresa) were made to work together with SVS. All of these troublesome applications were virtualized in less than one hour and made available to the SDC immediately. Now that they have been created, any USAF MAJCOM or base can use these virtualized packages, saving countless hours of troubleshooting and work-arounds for these applications.
SVS will specifically address the legacy GOTS applications that are hard-coded for older components, but will not address the LUA security issue on its own. Altiris also has a solution called Credentials Solution™ that can be added to the SVS product that will specifically address the LUA issue. Credentials Solution allows applications to run with specified elevated rights without having to grant the LUA user any additional security privilege. Combined, SVS and Credentials Solution will solve all of the legacy GOTS compatibility and LUA issues on the SDC today. While the USAF will mandate the MAJCOMS to comply with the legacy applications fix, there will undoubtedly be a number of critical applications that do not meet the 31 Oct. 2006 deadline. SVS can address this issue today.
Note: Altiris will provide Credentials Solution to the USAF free of charge with an enterprise agreement of SVS.
Software Development and Testing Process
Throughout the USAF, many MAJCOMs oversee the development, testing, and acceptance of custom software (GOTS). SVS can greatly aid in the code review and testing process as GOTS software is upgraded. Developers can simply submit a virtualized software package (VSP) “build” of a new GOTS software release to the USAF project office for testing and acceptance. USAF project managers can then import the new build and immediately begin the test and review process—even with previous builds of the application on the same computer. This will significantly aid in identifying the success or failure of the build and acceptance of new features and fixes.
Comply and Connect
Altiris® Quarantine Solution™ and the Cisco* Network Admission Control framework combine to provide CMDB-driven network access policies that defend the network from risks associated with open access. When used with other Altiris solutions, comprehensive endpoint assessments can result in hands-free, policy-based remediation to fix identified vulnerabilities.
Quarantine Solution reduces the time and expense of manually identifying and fixing unpatched or otherwise noncompliant computers. The solution allows administrators to leverage other Altiris solutions such as SVS by extending functionality to include network access control policies. For example, the Altiris Configuration Management Database (CMDB) can be used to identify devices that should be exempt from the Cisco NAC process and to ensure access to devices such as network printers, non-Cisco network devices, and critical servers. Quarantine Solution supports Cisco NAC phase I and II.
With SVS, computers can be quickly remediated with updated virtual versions of critical software. Virtual versions can easily be activated on the quarantined computers without causing new conflicts.
Note: Cisco has standardized on Altiris technology and is rolling out SVS to their entire client enterprise.
Help Desk
SVS can provide help desk workers, network managers, and end users with a quick, efficient method for provisioning new and updated software. Authorized workers, managers, and end users could easily activate or deactivate applications. Help desk workers could reset corrupted applications—one of the top five types of help desk incidents. End users with access could activate approved applications from a self-help, or network application service, Web page.
Migration to Future Operating Systems (Vista and Longhorn)
When the USAF decides to roll out the next desktop and server operating systems, SVS can be used to efficiently move and activate current applications into the new OS. SVS will be supported with the next Microsoft Windows operating systems release.
Special Note: Software Virtualization Solution will be a FREE solution for IT professionals for personal or home use. With the revolutionary approach SVS brings to the IT environment, SVS is anticipated to be a standard tool throughout the IT industry. This rapid adoption will provide benefits in the workplace as well, as IT professionals take their home and personal usage of SVS into the working environment.
PRODUCT AWARDS AND RECOGNITION
Altiris® Software Virtualization Solution™ is named Best New Product at Microsoft TechEd 2006.
—Windows IT Pro and SQL Server
Software Virtualization Solution takes Top Honors as the Best New Product at Microsoft Management Summit 2006.
—Windows IT Pro
Software Virtualization Solution wins “Best of Show” at FOSE.
—GCN and sister publication Washington Technology
Altiris virtual software wraps apps to beat DLL hell. “This all means you can do otherwise impossible things, such as run Microsoft Office 2000 and 2003 on the same PC simultaneously. It also keeps the operating system clean, so badly behaved applications don't conflict with it or each other—the ‘DLL hell’ familiar to PC support techs—and it allows an application installation to be fully reversed if it causes problems.”
—Techworld
“Altiris' Software Virtualization Solution could reshape the PC landscape at the IT level…. SVS impressed us enough to share the spotlight with Firefox. And that's saying something.”
—PC Magazine
Altiris shakes up Windows configuration management with Software Virtualization. “No messy installation scripts that break under tightened security; no troublesome ‘artifacts’ in the Windows Registry; no leftover files lurking in obscure folders on the local hard disk, waiting to trip up the next deployment. In the software deployment world according to Altiris, applications would materialize and/or dematerialize with the flick of a switch.”
—InfoWorld
“Everything you know about software deployment is about to change…SVS has the potential to rewrite the rules of how software is pushed down to client systems.”
—Computer Reseller News
“…SVS fundamentally alters your perception of what is possible with IT…SVS will have long-term ramifications for the Windows configuration management market…SVS is paradigm-shifting technology.”