Windows Desktop Applications Life-cycle Management
Sebastien Dellabella, Rafal Otto
Internet Services Group, IT Department
CERN IT Department, CH-1211 Genève 23, Switzerland

Agenda
Components of the Windows application management activity at CERN
– Application pool
– Deployment tools
– Monitoring tools
– Managing updates and communicating with the users community
Case Studies
– Acrobat Reader: responding to vulnerability disclosures
– Microsoft Office: follow up of the product evolution
– Java: how to manage unmanaged?

Overview
Snapshot of the environment
– 6000 managed Windows machines
    95% of Windows XP SP2
    5% of Windows Vista
– 40 different sets of computers
    Having different sets of applications
    “Local administrators” can manage them using a delegation mechanism
– Typical managed computers have access to
    20 core applications
    100 applications are available “on demand”
    In addition: updates, service packs or patches

Application Support Levels
Table: support level per application
Columns: Installation, Usage, Forced Updates, Optional Updates, E-mail Notifications, Monitoring
Examples (rows): Microsoft Office, Hummingbird Exceed, Adobe Flash Player, Sun Java, Apple QuickTime

Processes and Tools

Deployment Tools
CMF: Computer Management Framework
– Application deployment system used at CERN
    Address requirements of Control community in context of CNIC
    More flexible than previously used solution (especially for delegation)
– Used to deploy all applications at CERN
Group Policies
– Used to deploy all settings and preferences
– CMF client is deployed using Group Policies

Monitoring Tools
Key components of our monitoring activity
Diagram labels: CMF Inventory, Statistics, Monitoring, Websites, Users Feedback

Monitoring Tools
Statistics

Monitoring Tools
Statistics (2)

Reacting
Responses by severity:
Upgrade smoothly:
– We group mandatory updates every month
– Optional updates may be published anytime
– Progressive deployment
Send email alert and/or schedule update:
– If an exploit is in the wild for a monitored software (i.e. Java)
Block an installed software:
– If a vulnerability is widely exploited and no update available

Case Studies
Acrobat Reader: Reacting to vulnerabilities
Deployment
– Supported application preinstalled on each Windows computer by default
Monitoring
– Arbitration to stay with version 7.0.9 and being able to upgrade to version 8.0 if required.
    Version 7.0.9 was working fine but:
    – 4 critical vulnerabilities since 01-2007
    Version 8.0 solved vulnerabilities but:
    – Printing problem with version 7.0.9
    – Only first page of the document printed when Postscript driver used
Reacting
– Decided to upgrade to version 8 at the end of 2007
    Migrate Postscript drivers to PCL first

Case Studies
Microsoft Office (in 2007): Product evolution
Deployment at CERN (2007)
– Office 2003 as default Office suite preinstalled on each new computer
– Office XP still supported and installed widely at CERN
Monitoring
– Microsoft released Office 2007 (11-2006)
– Big change in functionality
– Suitable only for powerful computers (1GB of memory)
– Increasing user demands for the new version
    “Wild” installations started to appear
Reacting
– In order to limit number of supported Office suites
    Office 2007 deployment combined with Office XP phase out
– Package for Office 2007 has been prepared and optional upgrade announced
– New training courses were organized
– After some time (08-2007) Office 2007 became the default Office suite preinstalled on all computers having at least 1 GB of RAM

Case Studies
Microsoft Office (in 2008): Product evolution
Deployment at CERN (2008)
– Office 2007 default Office suite on new computers (03-2008)
– Office 2003 SP2 installed on 80% of computers
Monitoring
– Microsoft releases monthly security patches
– Microsoft released Office 2003 SP3 and Office 2007 SP1 (09-2007)
Reacting
– Gradual deployment of Service Packs on centrally managed computers
– Updates proposed to “local administrators” to schedule them according to their needs

Case Studies
Microsoft Office (in 2008): Follow-up evolution
Figure: Deployment progression of MS Office

Case Studies
Sun Java: manage the unmanaged
Deployment
– Three branches of Java are packaged by us and made available for installation (1.4.x, 1.5.x and 1.6.x)
Monitoring
– Computers very often have multiple versions of Java installed
– We cannot force updates
    Many critical experiment applications require a particular version of Java
– Vulnerabilities are disclosed almost every month!
Reacting
– Packages for each new version are created
– E-mail notifications are sent automatically to owners of vulnerable computers
– E-mail notifications are sent automatically to “local administrators” encouraging them to deploy new packages

Case Studies
Sun Java: manage the unmanaged
Figure: Mail sent to “Local administrators”

Case Studies
Sun Java: manage the unmanaged
Figure: Mail sent to computer’s owners

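The notification step of the Java case study, sketched as an added example that is not part of the original slides or of CERN's CMF tooling: it checks every installed Java copy on a machine against the packaged build of its branch and groups the findings for owners and for local administrators, without forcing any update. The inventory rows, computer and owner names, set names and packaged build numbers are all constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample data: newest packaged build per Java branch (assumed values).
PACKAGED = {"1.4": "1.4.2_17", "1.5": "1.5.0_15", "1.6": "1.6.0_05"}

# Constructed inventory rows: (computer, owner, computer set, installed Java versions).
INVENTORY = [
    ("PC-A01", "alice", "controls", ["1.4.2_12", "1.6.0_05"]),
    ("PC-B07", "bob", "office", ["1.6.0_03"]),
    ("PC-C11", "carol", "office", ["1.5.0_15", "1.6.0_05"]),
    ("PC-D02", "alice", "controls", ["1.5.0_11", "1.3.1_20"]),
]

def parse(version):
    """Turn '1.6.0_05' into a comparable tuple (1, 6, 0, 5)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Java version: {version}")
    return tuple(int(g or 0) for g in m.groups())

def outdated(installed):
    """Return the installed versions that are behind the packaged build of
    their branch; a branch with no package at all is always reported."""
    stale = []
    for v in installed:
        branch = ".".join(map(str, parse(v)[:2]))
        target = PACKAGED.get(branch)
        if target is None or parse(v) < parse(target):
            stale.append(v)
    return stale

def build_notifications(inventory):
    """Group findings per owner and per computer set (for local administrators).
    Every installed copy is checked, since one machine may hold several."""
    by_owner, by_set = defaultdict(dict), defaultdict(dict)
    for computer, owner, cset, installed in inventory:
        stale = outdated(installed)
        if stale:
            by_owner[owner][computer] = stale
            by_set[cset][computer] = stale
    return dict(by_owner), dict(by_set)

if __name__ == "__main__":
    owners, sets = build_notifications(INVENTORY)
    for owner, machines in owners.items():
        print(f"To {owner}: update Java on {machines}")
    for cset, machines in sets.items():
        print(f"To local administrators of '{cset}': {machines}")
```
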
Summary
Application lifecycle management
– Application monitoring activity increased over the years
    Statistics, Websites, RSS Feeds, etc.
    Monitoring is now focused on security rather than application improvement.
– Deployment is easier
    Packaging technologies are now mature
– Our tools allow us to react fast and with modularity
    Making a package and deploying it CERN wide is possible in 30 min!

Questions?