Good morning and welcome. The topic today for our first session is Third Party Client Management Solutions: Managing Mac OS X in the Enterprise. Presenting is Senior Consulting Engineer John DeTroye. Good morning, the dedicated few, the ones who survived the party, survived the week. We're whistling the tune to the longest day this morning.

Client management lifecycle. Some of you have attended the desktop management session yesterday and over the last year or so you've seen this.

Remote Control, Help Desk, Training Center, and Teaching Lab. Usage Management, Keeping the Users on Track. This doesn't necessarily mean you can't launch something, although it does, but it also means keeping the systems more in tune with what the policies and procedures are, the acceptable use stuff, you know, not putting software on systems you shouldn't have, being able to use the software you want in a teaching environment and education.

It comes down to if you sit down in front of a computer and the instructor wants you to use a certain piece of software, that's what they want you to use. They don't want you off here doing something else. License management, key thing. Okay. In fact, it's tapered off a bit now, but just think of all of the articles we saw in all the IT magazines and InfoWorld and so forth, with everybody talking about all the lawsuits flying around.

You know, Company A bought one copy of such and such software, and they deployed it 11,000 times and thought they could get away with it, you know, or didn't know. They just got a copy in for evaluation, and somebody left it on their desk, and next thing you know, it's everywhere.

Patch and upgrade. We're back to that. I did the image, but now I need to upgrade my systems. I need to do lots of them. And then the help desk management, which is the call for help. I need something. Take a look at this for me. Talk to me. My favorite one is the email message you get that says the internet is down.

Do you respond to them by email telling them that you don't think so? Or do you just call them on the phone and go, "Really? Is it?" There are days when we wish it actually just would go down and stay there for a while. Well, let's take a look at all the different players. Alphabetically, I'm going to go through them except for Apple.

I get away with that. Apple Client Management Solutions. We have three primary pieces that we play within. Apple Remote Desktop, the NetBoot NetInstall technologies, and Managed Client for Mac OS X. Apple Remote Desktop is designed to support software distribution, asset management, some remote administrative tools, and the remote assistance or the help desk stuff. In a nutshell, we handle distribution and updates by the way of copying files, packages, and so forth out across the network doing remote installs.

We can do asset tracking through reports, and we can do remote administration. We can control and observe workstations, one or many. We can also copy and delete files on a system, and one of the ones that everybody likes to brag about is the sending Unix commands. That can be done out to a whole lot of systems. So, yes, you can send one of that RMDIR-R, you know. Yes, you can.

We can support Mac OS X and Mac OS 9 images with Netboot technology. And the images can be anything. I can have complete image sets. I can have departmental image sets, you know, the staff versus the technical support people versus the people in the library versus the people in the research department can all have completely different Netboot sets. I can have a diagnostic set. So instead of me running around with a bunch of CDs or a bunch of floppy disks or FireWire drives or whatever I need, I can actually Netboot to a complete set of diagnostic tools and then work on the system.

I can do installers, automated installers. The automated installer is what we call the unintentional install where the system, you boot to it, it automatically erases your drive, installs the operating system and everything. And it's really fun to have somebody who has a good system sit down and accidentally do that. That could be really fun. Now erasing hard drive.

And you can do upgrade sets so that you can also store packages and so forth out on the net and have them available so you can do an upgrade. A single image can span multiple servers or you can have multiple servers supporting a single image for throughput so that you can have this single Netboot image sitting on a whole cluster of X servers. We like to see that. Netbooting a whole bunch of machines. And the pictures you've seen this week. Of the University of Tokyo Netboot lab, that's what they're doing. They use a single image but a whole cluster of servers and it load balances.

Managed Client for Mac OS X is, in a nutshell, the ability to set up a defined experience for the end user. And it can be done by user level, group level, work group level, or by computer level. So I can define the settings for different machines. It's network-based preference management.

So that was Apple. AltiriS. AltiriS has some really, really fascinating stuff that they brought to the IT lifecycle management for the Mac.

They have a completely heterogeneous cross-platform environment, and here's some of the tools that come with the AltiriS client management suite in that they support Mac, Windows, the Unix platforms, Linux, and some of the handheld OSs.

Server-side components. It is Windows server-based. It uses a web-based admin console.

Everybody talks about how they want a lot of things web-based. Very, very good for that. Role in scope-based security to make sure that you stay within the limits that you're allowed and encrypting the transport. We don't want all the asset management information to move across the net in the clear.

Plus, things like adaptive display technology so that you can handle that. I don't know if they handle the spoken interface stuff that we've just introduced, but that is definitely something that a lot of people look at for qualification when they bring their software into play. The shortcuts and wizards, obviously something to help you get up to speed really quickly so that we're not spending a lot of time learning how to use all the different pieces. And extensible is obviously a requirement in that we want to be able to take the architecture and say, you know, I always need the one more thing. And it's really good not to have everything boiler-plated for me.

Another idea of a report from them is going out and looking at all my systems on the network and getting a pretty decent report of, you know, what's there. And you notice that doing it as a web-based report makes it really simple. You know, pick your browser and go for it. The Mac agent, important to the Mac community, is the fact that it looks like it's a Macintosh piece. It does follow the look and feel of the Mac.

Some of the features that I like in this are the ability to be able to do blockout periods where I can say, you know, at this time I don't want things being brought to me. You know, there's a period in which work gets done versus updates get done. Checkpoint recovery, the idea of being able to say, you know, what if we get an interruption during the update process or during the reporting process and we want to be able to say, you know, resume at a later time.

And then things like scheduled wake-ups for the systems, you know, nighttime we want to do the updates at 2 a.m. so we wake the systems up, handle, take care of the reports, the inventory, and so forth. And then being able to do client-side logging so that we can keep track of everything on there and see what's been happening with it.

The roadmap for Altiri, the inventory solution for the Mac, and the software delivery solution, second half of 2004. The deployment solution with patch management. And the remote control portions are slated for 2005. And here are some of the customers that will definitely crow about what Altiri has been up to.

This is the first of many reminders that the Enterprise IT Lab from noon to 3 today is going to have these companies. All these people are going to be over there to be able to answer questions and talk to you about stuff and get a chance to take a look at some of their solutions.

FileWave. FileWave is software distribution and asset management for the Mac. They're a cross-platform desktop and portable management solution provider, and they provide their solution fully native to the Mac OS. That's both client and server are native to the Mac OS. The FileWave products, they have software distribution. The software distribution is uses a Mac OS X-based server, captures all the asset information from the clients cross-platform, and provides you with a series of reports and information that I need to be able to do my job from an asset management point of view.

John DeTroye uses a Mac OS X-based server, captures all the asset information from the clients cross-platform, and provides you with a series of reports and information that I need to be able to do my job from an asset management point of view. the clients will pull information from the system and then provide the reports back to the databases. The server itself runs as a Unix-based daemon. It has an admin process and a file server process for the client requests. Very scalable using this booster technology so that instead of having just one server to worry about, I can deploy multiple servers out on the network.

The administrator-driven model is the idea of you define as the administrator who gets what packages, who gets what parts in the distribution, and at what time. I can also... Under FileWave, I can drag and drop install. So for instance, Office as an example is a drag and drop install. So I can take Office and I can drag it into a FileWave set and it'll just deploy it to the machines that are in that set.

I can also do customized installs where I can take snapshots of systems. I can build a known good system, take a snapshot, then install a bunch of components on it, and then take another snapshot, and then I can install that new snapshot onto my systems across there, across the network. Very easy to use. Here's an idea of the admin screen with some of the things it brings up. We have file sets, the clients and groups that you can manage.

Very simple. The FileWave client, Unix daemon under Mac OS X, a service under Windows. It basically, the client just pings the server for an update when it's time for it, grabs the manifest from the server if there's an update, and then pulls the solution down from the storage, from storage. So, we have a, this, in this case, it's a, when the client needs to go get something, it goes and gets it. It's not a push, it's a pull system at that point.

And here are what some people have had to say about our friends at FileWave. I like the extra plug for Netboot. Netboot is cool. If you want to visit FileWave, you can either stay here in San Francisco or you can go to I think my boss is around here somewhere.

I have to go visit FileWave, but they keep asking me. It's a short trip, right? : LANDesk used to be part of Intel. LANDesk is its own entity now. They're out in the client management space fully. Cross-platform, very good client management suites. Here's a look at some of their products.

The solution, you know, and one of the things I really like is I love grabbing graphics from everybody for this stuff. I mean, this is my client management. Asset management, remote control, problem resolution, patch management, software license monitoring, and software distribution across Mac OS 9, 10, Linux, Unix, and Windows. From a server side, they use a PC server-based environment to host the core of the management process.

What it comes down to is that the admins see exactly the same thing regardless of whether they're managing Macs or PCs. Very scalable.

Here's an idea of some of the pieces on the LANDesk side. As an example, we have an update. The policy manager found a new update for the system.

So we support Mac OS X 2, X 3, and Mac OS 9. Directory integration is key. Directory integration is an important piece with policy-based management and the ability to do both hardware and software inventories.

Remote control management, taking charge of systems remotely, and doing distribution with multicast. Multicast is a key item in the fact that when you do unicast broadcasts versus multicast broadcasts, you're talking about bandwidth and the cost of network usage. And having it localized into the various languages makes deployment for multinationals definitely a bonus here. And here's the everything I can do slide.

And if you look at this, we're actually looking at all the devices that are out on a system, looking at the computer. You can spot the computers that are sitting there, looking at the tasks that are scheduled, looking at the patches that are set up to run, looking at all of the different inventory information that's available up here.

And at the same time, and this is something that always makes me just kind of... You wonder, every time I see a PC window with a Mac screen on it, it's just, it's always, that's fascinating to me. But then it's, you know, it's kind of like the same thing that when we did the ARD demo and we were showing the Windows screen on that.

You know, when you go back and forth between that with all the different products, I think that's so cool that we can go back and forth, you know, and share screens and look at everybody else's stuff. And it ought to be that way. You ought to be able to just do it, right? And here's some comments on Landesk from the customers.

The resources for LANDesk and this information will be available again at the end of the session and over in the IT, over in the Enterprise IT Lab. Once again, from noon to three, make sure you stop in and take a look at these guys. Marimba, another significant player in the client management space. Change in configuration management across platform, Unix, Windows, Mac, right? Very key. Desktops, portables, and servers, the whole gamut.

Software delivery, getting the software out to the systems, installing the software, providing updates when needed, being able to get information, inventory management, asset management, checking on the status of that deployment, what's happening, you know, has everybody been upgraded, where are they in the process? From a client management perspective, we're talking about managing software change. We have known good systems that go out.

You need to modify that. You get new software. You get updates. You want to be able to manage that entire lifecycle. So being able to package applications, being able to target the distribution to specific systems that need it, and being able to follow compliance of that. We don't want to turn around and say, well, we bought 30 licenses of this, but oops, we accidentally installed it on 3,000 computers. You know, we've heard the term unattended installs.

Well, we also have the unintended installs. And that's when the, "Oh, I really only meant to put 10 copies of that out, not 10,000."

Ongoing management, obviously we want to track what's going on. We want our assets tracked. We want to know what's on every system. You know, if somebody comes in and brings the Walmart CD in over the weekend and sticks it on their computer, we want to get a report back and say that isn't supposed to be there. And collecting inventory information.

Here's an idea of looking at some of the information and seeing what's out there. This is the tuner to be able to go out and say, "Here's the information that I want to subscribe to with the updates for various packages." So the administrator can set up what they want made available to the users.

And we do it from a centralized point of view. So what we can do is there's obviously a range of common tasks that we want so that the users get guided through the normal stuff. You know, the users being the administrators get guided through the normal stuff of what they want to be able to put together. John DeTroye And then the idea of centralized administration. We're back to that. I have thousands of workstations or tens of thousands of workstations and I don't want to have to run around every single site, department, or group and make this stuff happen.

Okay. Setting up policies based on users and machines. We want to ensure policy-based management. What we have to have here is the ability to work with the directory architecture that exists so that we can develop the architecture that exists. To define who gets what when based on a directory that's already in place and to be able to do updates. The versionless update idea is doing patch update management based on the parts that are common without worrying about, you know, which version of the software we have versus also being able to do patch updates, you know, from 1.1 to 1.11 and so forth.

and then being able to verify. Verification is absolutely essential. All too often I've seen cases where we've put out updates and stuff to 100 machines, but you get no feedback that all 100 machines got it. And getting verification back is absolutely essential. Policy compliance. Notice the graphic up here.

I like this that we're looking at. It's saying that how much of the package, the green, shows that they're compliant either at 80%, 70%. In red, they're showing how much they're non-compliant, how much they're outside of policy. And then the blue is they haven't reported in about that stuff.

But you look at that and you go, oh. Okay. You know, green is good. I mean, as an administrator, you know, we all think, yeah, you know, I can complicate my life a certain way, but green is good. I can just, you know, look at a report and go, oh, yeah, okay, cool. We're set. Everything's nice.

Inventory discovery, predefined reports help set up your environment for you so that we can turn around using a browser and we can get the reports. We can graph these out and say, you know, here's how much stuff I have and get the charts out. I can also scan.

Client detail, designed for mobility, designed for offline use. The key things here are the checkpoint restart. That's number one in that I want to be able to, if I'm busy doing a check, if I'm busy doing a report, if it breaks from the network, it'll come back and restart right at the checkpoint. And the fact that it's multi-platform is very important. Now, marimba's been acquired.

and they are adding in the remedy. You know, the remedy is being added in, or Marimba's adding remedy to the-- Yeah, BMC software is requiring them, so they're going to be using remedies coming in over top of Marimba to add functionality to the environment. And what we're looking at here is to be able to expand the capability to be able to do repositories, dynamic discovery of systems, okay, being able to dynamically capture systems when they show up, to be able to support literally everything for applications, code changes in the system. and once again policy based

All right, Harley-Davidson and NASA. Now, there's a meeting. And they will be in the lab, the enterprise lab, so you can take a look at their stuff.

Okay? Netopia, another key provider in the Macintosh client management space. Netopia, easy to manage client administrations, remote support, admin, absolutely fully cross-platform. Timbuk2 Pro. Timbuk2 Pro has been around for quite a while. A lot of people have been using Timbuk2 Pro to do remote control, observe, and so forth. File transfers, copies, one to many.

Chatting, instant messaging, and so forth. And NetOctopus for reporting, asset management, checking on your hardware, checking on your software, doing remote setup, setting system settings remotely, being able to grab and install software. Data, files, folders, packages across the network. Here's some of the stuff within the NetOctopus admin. Gathering font information, transferring file folders, virus scanning, restarting, put to sleep. Doesn't apply to the users. Oh, that Bill over in accounting. Let's just put him to sleep.

For the administrators, you can also run this peer-to-peer, so you can do point-to-point. You don't need the server to get in there. You can just go point-to-point and do one machine to another machine, control, manage, and do asset management from a point-to-point point of view. And you can use the internal database within NetOctopus, or you can point it out to an external database such as Oracle or any of the SQL stuff, DB2.

And the software delivery system, we put one distribution server in place, and then you can set additional staging servers out. It is a poll-based environment from the clients. Once the clients have been told that there is a manifest available or a load set available for them, then they will go and get it based on the schedules that are established. And you can also create sub-administrators and limit which tasks the sub-admins can do. So we can say, you know, I want people to only be able to do this small component. of all of the administration.

Here's a couple more screenshots. For instance, the software package setup. What do I want to install? What parts do I want to go out? And then the log coming back from the distribution center saying, what happened? What was I doing? For the end users, use Timbuk2. The idea is-- The chatting, the text messaging, and so forth between systems, but it also has the opt-in capability where I can say as a user, no, I don't want to be bothered right now. Don't, you know, go away.

I don't want to talk to you. Okay. and NetOctopus agent includes a smart monitoring, same stuff that we use on the XSERV, okay, to be able to give you a warning when the hard drive is going to get weird or something, you know, when we want to react to that.

A couple more screenshots. This is the Timbuk2 chat, sending files, exchanging files, and screen sharing. The roadmap for NetOctopus, some of the things they're planning in the second half of 2004. They're talking about adding in patch management for Mac and PC clients, putting in a software license manager, putting in a web-based UI for NetOctopus. Integrating with Rendezvous and integrating with Active Directory. All key things to watch for. 10 million computers worldwide.

And once again, Netopia will also be in the lab, and they'll be up here as part of the Q&A at the end of the session. Sassafras software. K2, highest mountain in the world. That depends on, you know, where the laser bounces.

Cross-platform support including thin client support, Mac, PC, Linux.

Key server itself. Active control of all license types.

This not only includes the generic, you know, I want to control an app that doesn't have a license, I just own software license copies, but even as granular as saying I have Mac address-based software.

And if you have multiple licenses out in a client and you realize that in your reports you can go back and I can reallocate and reclaim licenses that don't get used.

I look at a machine and found out I put a bunch of software on there that for the last six months they never launched. And I can go back and I can say, no, I don't need that anymore. And I can pull the license for those people and they can't use that software anymore.

The reports and databases, very intense. Bunch of built-in reports, detailed audits. These are just some of the reports that come up under the menu. Pick a few. The daily license report, the hardware report, what kind of logins have we seen, what kind of usage are we seeing from user versus application, you know, how many licenses times how many users are out there. Give me a weekly program report of what applications have been used this week.

John DeTroye You think about the end of the year comes around and some company sends you a bill and says, oh, it's time to renew your $27,000 license for the software you bought, and you go back and you find out you used it for 11 hours. And you go, ooh, that's expensive. Right? And then, you know, you do your audit, but obviously you've got to follow up, so you need to do software compliance with that.

Okay, and this is actually where I told John, I said, this is where the unintended incremental software audit came in. This is the IRS shows up and checks you. The unattended, because the system itself will actually perform its audits in the background, doesn't involve any admin or user interaction. Okay, new computers and applications that show up on the net are automatically discovered.

And you can establish automatic policies. You know, if I only want 30 copies of this software to be used, user 31 launching the software will be stopped in their tracks being told, no, you can't do this.

The admin console, cross-platform. We can configure literally from anywhere. You cart your PowerBook around, launch the admin console, plug in, start making changes.

Organizing things by organizational unit, where it says separate divisions, you think of organizational units that you do for your management. And I can create license records that I track for every single different system.

For more information, once again, the lab, noon to 3. Go grab a bag lunch? Go there. You will definitely, definitely benefit from the experience.

I just plugged that in in the middle of everything. Additional resources for tracking down stuff for Sasfras software. Okay. They're up in New Hampshire. Go visit them. Nice country. That white paper, you want to download that and take a look at it. Good information there.

Those are the key players that I'm going to have up here for Q&A here in a couple minutes.

I also wanted to let you know that in the Mac space, there are a whole lot of other players out there that are doing client management. And just as a real brief mention is an idea of Jamf Software with Casper for software imaging and updates. For ONNX Deep Freeze for management and control of the systems, basically locking a system down that the user uses it, logs in, does their thing, and when they log out, it returns it back to its known state.

Autonomic with the ANSA Patch Management solution and Integrity Software with SoftTrack. There's a lot of client management people who are very, very much investing in Macintosh and Mac OS X. It's not the, oh yeah, those things just go in the graphics department anymore, you know? Now they go into graphics department and you can keep track of them and not feel, you know, like you're doing something strange or...

And here's my esteemed panel group.

If you guys want to go ahead and come on up, and we'll-- I promise not to bang the microphone on the table. They told me not to do that. You guys, just line up as if the firing squad was right here. Yeah. Put your toes on the line. There you go. Okay. Thumbs along the seam of your trousers.

They don't know me. Okay, we won't do basic training, but I'll have you guys go ahead and introduce yourselves. What company? Sound up over here. My name is Martin Bestman from Netopia, and I am the R&D Director for NetOctopus development. Hi, I'm Jeanne Moraine from Marimba. I'm a senior product manager over their client desktop management suite.

Hello, my name is Steve Workman, and I'm the Director of Product Management for LANDesk Software. Good morning, I'm Jerome Brookhausen. I'm the development manager at Altiri for Macintosh products. Ben Forsythe Hi, my name is Ben Forsythe. I'm the technical manager at FileWave. John Tominey Hi, I'm John Tominey. I'm the director of marketing with Sassafras Software.

Cool. So we get people lined up. The microphones are on center. And we have a question right in the middle. Aaron Krimble from Gannett. Does anybody support router or switch auditing and discovery? Or is it just machine-based? In NetOctopus we have a SNMP council and it does discovery of all devices out there network that can talk SNMP. We also support a whole range of special MIPS and if there's a MIP that you need to be looking at, we can compile it and put it into the product. That's not a problem.

As part of the LANDesk Management Suite, we also have a component called Unmanaged Device Discovery that will discover those types of devices, anything with an IP address we can pick up. With our Asset Trustee product, we have an SNMP scanner that will scan the network for any SNMP talking device. Thank you.

After July 15th, we'll have a network discovery product. Remedy actually has something that does asset discovery in those elements. Marimba handles more of the actual systems themselves. Thank you. Cool. Joel Nation, St. Mariners Club Restaurants. I just want to know, we have complex installations, so things that aren't normal, and I want to be able to do them on my clients without them actually seeing it going on.

Does any of the software that you guys produce do that? So with FileWave, there's no user interaction available or needed. The administrator sets up the complex install and captures those files and places them in the FileWave server and associates them with the groups of clients that will download those. Then the clients check with the FileWave server for that software. They download it and automatically install it.

So, yeah, the same is true for an ad octopus. You can build really complex installation packages you want with dependencies whatsoever. And you can even also specify how much user interaction you want on the client end. And clients can even defer package installation for a later time during the day or a couple of days later. And you get full reporting of what the user chooses to do with the package.

We have various modes of installation, so you can either do silent, semi-silent, or a full custom install. So it really depends on your environment and how you want to set up. And then our packaging is all based on, you can do it based on policies. You can set what users get what type of installs on their machines and remotely deploy it out to their systems that way. We have a lot of the same functionality as well that you can set up in a policy base or a push base for either transparent client installation or request client input as well.

Oh, it's over here first. Sorry. Scott Lim, University of Michigan. I want to bring up a topic we don't normally get to discuss at conferences like this, and that's the actual cost of licensing. I think Apple's got it right, licensing by administrator. Licensing by the number of computers or computer access licenses are not the way to go. It gets prohibitively expensive. I can say no to an administrator license. I can't say no to a new computer. I would prefer to see more licensing based on administrators than based on number of computers.

I just want to ask you to clarify what you mean by licensing by administrator. I'm sure that some people understand your intention, but others may not. Aside from Sassafras, because I love you guys. Pardon me? Aside from Sassafras, because I love you guys. The way ARD is licensed right now, we license it by the number of administrators. So I buy a copy for each administrator that's going to use the system.

Where I buy Netopia, I license by how many computers I have, and my computers go up exponentially. The other problem I have is when you have those ghost computers that seem to get in the way of true count, I'm being licensed for that now, and I don't even know which ones are real and which ones aren't.

So you're asking for our products to be licensed that way? Correct. I'll begin. I guess a lot of other people have things to say then. By the way, K2 from Sassafras Software is licensed both by individual node, which most of you are familiar with, many of you are. But we have a new licensing program that we've introduced in the last year that allows floating client licensing. And it doesn't sound exactly the way that the name implies, but it's very, very useful, especially in higher eds and K-12 education sites.

Maybe I'd just add for FileWave, for higher ed especially, we have special licensing where we offer low-cost licensing, still based on the number of clients, but it's good feedback. Low cost is relative. Excuse me? Low cost is relative. Yeah, well... That's interesting feedback. We'll take that into consideration. There are parts of our product offering that we do license per administrator or per console on a concurrent basis. So we are seeing the need for some of that. And like I said, we'll take that feedback and take that into consideration as we look forward.

One thing to note, we do license by our endpoint clients, but we also have enterprise-wide packages. Part of the reason why we do that is because we have some customers that have millions of endpoints like Music Match. So it really depends on your environment. And so the complexity that you're asking for in the endpoint to change the licensing, it also goes back into the support.

What does it take to support the number of endpoints users and the expectation for quality of service? So you've got to put that into the licensing mix as well. But my purchase is going to be based on the cost, not based on your cost. And you always get what you pay for, right? That's the key thing.

In certain environments, we also do a global company-wide or university-wide licensing schemes where we do not count each individual computer, but you get just a company-wide license, and that may work for you. So you should talk to us if you have a scenario like this. Cool. Okay. Guys, hang on to it for a second. Richard.

Richard Glaser with the University of Utah, Microsoft Labs. First, I want to make a comment. You didn't mention the open source tools that a lot of people are using in enterprise deployments. So, example, Radmine. A lot of big companies are using it. So, people in the audience, it's open source, free.

You might really consider looking at that before you pay for a solution. You might not need to. Second, what type of installers do you guys support? Do you support package installers? Richard Glaser: Do you have to repackage installers to use it with your solutions, distribute applications? We support a wide variety of package installation formats.

The key thing is we do have, with a lot of the installer products out there out there in the market today, if you want to use various ones that are available, they can put a wrapper on it and push it out through our technology. We have different agents that are available that you can create custom installers for if that's what you want to do. We also support third-party package installers and can provide, once they're packaged up, we can then do the software distribution, either push or pull base, but it's just a broad third-party application support.

We have a similar story at Altiriis. If you have something that's been packaged through one of the third-party solutions, like device or Aladdin or any of them, we'll be able to push those out. Similarly, on the Windows side of the fence, we have recently acquired Wise Solutions and have installer technology available through that as well.

With FileWave, the paradigm is a little bit different, let me say. So we actually don't deliver installers necessarily. We deliver the files that get installed. So we'll support any installation, essentially. K2 from Sassafras has several rapid deployment technologies available both on Windows and Macintosh and our tech support people can tell you a lot more about that.

NetOcupus fully supports all kind of installers including Apple PKGs and PKGs. We even teamed up with MindVision Software and we ship a special version of MindVision Software installer-wise that allows you to repackage software and we have a snapshot utility also in the product. On the Windows front, we fully support MSI installations and all of the other installers out there. Full integration with reporting, etc.

With regards to distributing your software to both desktop and portable clients, how many of you support interrupted and then resumed downloads through your software? That's the checkpoint restart component that we had talked about. And we actually, even for our own client, we have remote deployment of the agent out to the endpoints as well. So after you've discovered it through our discovery component, you can push it out.

Yeah, we also support resume installations when mobile users move to a different spot or get from the wire to the wireless network that's fully automatic behind the scenes. We also support installing our initial agent throughout the network fully automatically so you don't have to do a sneaker net to install our own agents. And with the next version, we will also support that for Mac OS X where you can get the agent out to Mac OS X even though there's nothing on that machine besides Mac OS X.

Support for mobile devices is paramount for the LANDesk product. We also provide the checkpoint restart, dynamic bandwidth throttling, those type of functions to support interrupted distribution of software. At Altiriis, we also support what we're calling Checkpoint Recovery, and we also have a bandwidth throttling mode so that if the bandwidth isn't sufficiently high, we'll either not send it or we'll send it slowly so that we can better manage network traffic.

With FileWave, the client is not necessarily connected to the server at any time, so laptops can be away for weeks or months, and when they get an active network connection and they can see the FileWave server, they'll log in and download their software. If for some reason that's, I guess you guys call it the checkpoint, so if for some reason that network connection is severed, the client will pick up where it left off. Key Server Key Auditor works in concert with other software deployment tools, so we're not deploying software ourselves, but rather we're deploying licenses through a very unique approach that manages not only shared use, concurrent use licenses, but also manages node-locked single computer licenses.

Will Jorgensen, Pacific Northwest National Laboratories. So for those of us who are considering client management solutions that are out there, a lot of you have very similar features, central management, patch management, asset management. And could each of you take a second to give us the one distinguishing feature or whatever you think makes your particular product better than others so that we can help? John, do we have 30 seconds? Yeah, keep it short, please. I told them they could do that, but they get 30 seconds apiece. It's the elevator pitch. So, yeah, go ahead, guys.

We've got plenty of time. Key Server has been in the marketplace since 1989. We are one of the pioneers in software asset management, focused towards software license management for many years. A number of years ago, we introduced software auditing, hardware auditing, and integrated those two products into K2.

Our unique point of advantage is that we manage any type of a software license, not just shared use licenses, where many products will resort to auditing to figure out how to manage single user node-like licenses. We actually manage them in an active process, and we integrate all of that together into a web-based management council.

With FileWave and Asset Trustee, we're a Macintosh-centric solution, let's say. So our servers are running on the Macintosh, and I think what distinguishes us is we're a mass deployment technology and a mass collection technology. So where computers are coming and going on and off networks, FileWave can handle those situations and be able to deploy from one location, say, in the U.S., and you can deploy to clients throughout the world.

When you buy an Altiri solution, you're buying a rich history that started on another platform. But we have tremendous web reporting and that makes it easier, saves time, and I think we have a depth in our reporting capabilities that may not be found in other solutions. I think the biggest value proposition for LANDESK software is our rapid time to value. What I mean by that is you can actually take our solution and get it installed and using it and getting the payback from our feature set, which is highly integrated, all driven from a single console.

Again, the value proposition for an IT manager is that you can manage all devices, regardless of the platform, the same way. We're also very committed to the Macintosh platform, as you can see in the pie chart that was put up earlier. We nearly have all of those pieces filled through inventory, software distribution, patch management, software license monitoring, remote control. We're going to continue to innovate on the Macintosh platform from that point going forward.

Our key differentiator is experience and scalability and heterogeneity. We have customers that range from 500 to 15 million endpoints. So if you look at like music match that you've seen on your iPods, we've been running on those for since their inception. Other things that when you look at our particular products, you think about policy orchestration.

We give you the choice push versus pull based on policies that you set up for users or machines so you can formulate how you do your targeting and distribution from one single console based on your company or your business versus based on our technology. So it's flexibility, scalability, and policy based orchestration.

Okay, for the Netopia products, I can say that we are probably the longest time on the Macintosh platform starting in the late 80s. And we are fully cross-platform with the council and the client. We are most parts using the same source code base. So you get really all the features on both platforms, can manage the clients from both platforms, very transparent. And we are trying to design everything for the mobile users. If you look at our software distribution system, it's really designed for the mobility of the users.

Do any of your products support post-install actions? For example, Apple's installer includes the provision for both a pre-flight and a post-flight script. I've been using the post-flight to do things like repair permissions after the installation is completed. Our application packager enables you to do both post- and pre-install components. So if you need to do sequencing of installations versus actions after the install, like kick off a particular application, run an inventory scan, report back to the system on compliance. We have that built into the product today.

Yeah, we have a similar approach too, is we can provide chaining so one event can take place with preconditions associated before that event is required. So we can do job chaining to accomplish that question that you asked. Okay, Altiri's also will deliver a dependency-based solution, and we also have an application that can be run after installation. With FileWave, we can schedule actions at particular times, so you can schedule a post-installation action to run any kind of script you'd like.

Martin keeps giving away the microphone, so hang on to it this time. Martin Blaser: Same is true for NetOctopus. You can do whatever you want before installation or after installation or part of the package. And as I said, we bundle MindVision, a version of MindVision installer-wise where you can also build your own custom preflight and post-flight shell scripts. And the software delivery system also supports executing shell scripts as part of the installation process.

Richard. Can you tell me if your products support a tripwire and what mechanisms you use to check the file system objects? We never know where to begin here. We do not support Tripwire today. That's something that we are actively looking at on our roadmap. So if you want to stop by our lab afterwards, we'd be more than happy to talk to you about your requirements. How do you check your files that something's not been corrupted or modified compared to what you're distributing? Right, okay, so that's different. We do do what we call an MD5 checksum. We use open source descriptor technology that we co-developed with Microsoft back in '98.

In that particular piece, what we do is we do a checksum, an MD5 checksum on the file base to see if anything's changed in that digital fingerprint. If it's changed on that digital fingerprint, then you can either do an automated repair based on a backup that's stored in the workspace or versus something you can go to the head point of the server to do.

You set that up in your installation piece. Or you can do a backup. You can do other things like do a help desk or remote admin to the machine to fix some of those elements to see if there's any corruption for versioning. With FileWave, we have a self-healing mechanism that works on a checksum, essentially, that every day or every time the computer's restarted, it checks the integrity of the delivery that you've made and any files that are not matching the checksum are automatically downloaded and activated again.

Chris Mattia, St. Mary's College of Maryland. We have-- we've had a slight problem over the last year with users bringing their own laptops on the campus and not having all of their updates and virus protection up to date. What sort of enforcement policies or procedures do you all have in any of your software to ensure that those users get either moved to a DMZ or locked out until they're in compliance with all their updates? Well, with FileWave we don't have something that specifically does that. The best I could offer is that when the client does have access to the network, it will automatically get into sync with what you've configured on the FileWave server for it to have as the appropriate software.

With the LANDesk product, we have the capability to run a vulnerability scan on the device to determine if it's in compliance or up to date with patches. But one of the things that we're looking at going forward is concept around IP quarantining, to where when you first log onto the network, you will be checked to make sure that you're at a level before you're allowed onto the rest of the network. So that's plans that we have moving forward in 2005.

So there's a couple things that we do. Out of the box, we have policy compliance component that I talked about. So you can test the system based on their policies. It'll check the manifest and say, are they in policy? If they're not in policy, it'll force them to do an update, uninstall, install things they're supposed to have.

The other thing that we have as part of our field service resource kit is something called an action reaction engine that allows you to state specific actions that you want the system to take based on your company policy. So if it's quarantine, maybe you want them to check and be at DMC first. You can do that.

Or if there's other elements that you want them to do, you can do that. Maybe they're already connected to the LAN that you want to be able to check in because maybe it's not a mobile user. There's different things that you can do in your system. Of course, the other option too is to make sure if it doesn't have an Apple logo on it, you take it away from them.

Hey, John. Back to the MD5. Do you use your own MD5 or are you using the one that's built into OS X? We have our own, like the MD5 checksum that we do were based off Java technologies. Whether or not it's the same one that's built in OS X, unfortunately I don't know that, but you can ask. I brought one of my engineers with me today. Okay. So stop by our lab and he'll be able to tell you that. Thanks.

Sorry. I had a question. Everybody mentioned package management. Do you guys support uninstalling the package? Do you support OS updates and OS installs? Yes, we have an OS migration product that we call Migration Manager. So it'll help you migrate your operating system. Right now, it's currently primarily targeted towards Windows. We are planning Mac support early next year. The other thing that we have as well as far as uninstalling packages on the system, we can do that as part of our native tool today.

Can you downgrade OS? So let's say you go to 10.2, can you go back down to 10.1 if you wanted to, let's say, for example? We have rollback on the application components. Unfortunately, I don't know the answer to that question, but we can, you know, that's something, like I said, we're planning for the Q1, like early next year timeframe. We'll be able to give you more information then.

You can uninstall software if you know what got installed. We do not check the PKG receipts because it's a little bit dangerous. If you're running a MindVision installer for installation, yes, you can do the uninstall. You can trigger that. Regarding the software update, yes, we do support all software upgrades.

With the exception, we cannot do right now 10.1 to 10.2 or 10.2 to 10.3, but we are currently looking into possibilities to do that at least then when Tiger comes out so that we can migrate from 10.3 to Tiger. In regards to the uninstall, does the installer have to support that or does your software support that? The installer has to support that, but you can also write your own. We have a small installer that would remove the various parts.

One comment: Uninstalling is a very dangerous thing because you do not know what the installer really installed. There's a way with NetOccupy to find out what got installed using FileScripter to get the snapshots before and after the installation. But you don't know if another software requires the same framework or library. And that makes it very dangerous doing uninstalls.

You're referring primarily to the operating system, right? Not packages? Both. Okay. So for packages, it's all based on the digital fingerprint for the MD5 checksum. So they'll do the uninstall and look at interdependencies between the packages on the file system and then remove the components that are associated with that given package.

And we have roaming user element support coming in the later Q3 timeframe. They'll be able to do it user-based. So if you have multiple users roaming users on a machine that are leveraging the same package, it'll look before it uninstalls on the base system itself. Just in reference to your operating system deployment question, we have a very robust migration, profile migration, OS deployment migration as part of LANDesk, primarily on the Windows side, but we are looking at adding that functionality for the Mac platform in the near future.

With FileWave, we can install OS updates as well as application updates. And since we're installing the files, they can be deactivated and new versions can be swapped in or out. Does FileWave check for dependencies? So if I want to remove one package, but it's used by another package? No, we don't check for dependencies explicitly. We leave that up to the administrator to make those decisions.

Pretty powerful tools. Can you speak to the robustness of the granularity you have available for different levels of admins? Yes, part of LANDesk Management Suite, we've added a feature component called User Management, which is really role-based administration for each of the components inside of our product. We also provide the ability to set a certain scope level so you can have certain LANDesk administrators access to certain functions and manage certain people or devices.

The same is true for NetOctopus. You can limit the administrator's view to just view certain data, and you can also limit administrators to only administer certain client workstations fully across platform. There are no limits. Whatever you want to do, you can limit for your sub-administrators. For ours, we have two roles-based administration and delegation of roles, and we actually bring it down to the granular level in the sense that it's do you want to target, do you want to limit who has access to set and what distribution deployments out to what specific systems and machines. We can have more granularity there. We also have a roles-based targeting for granularity on keychain objects as well if you're doing more of a server-based type of deployment to server systems. So there's different levels of roles-based administration and granularity within our product set.

With K2, KeyServer, and KeyAuditor, we have unlimited number of administrator accounts that can be created by the master administrator. Each of those accounts can serve any number of different roles. There is a very expanded menu that I can show you in the session later on today between noon and three, where you can pick and choose whatever roles you want any one of the administrators to have access to, so that you can limit down to just report viewing on up to full access to the administration. Cool.

Last question. Hi. I'm Mike Potter from Calgary Board of Education. I just wanted to reiterate about the cost of client licensing. We have about 12,000 Macs, so most of the products on a client-based license, we can't afford your products. My questions were in regard to... We do custom images that have special permissions on files and stuff.

When we're doing updates and pushes, do you have any control over permissions of the files that are going on to the systems? I'll speak to that client licensing issue quickly just by adding that the floating client option available in K2 was developed in particular for organizations that have very large installations of computers and possibly a small group of specialized programs that you want to distribute to them. It's a very affordable licensing option. Since we don't do software distribution, we'll go to the next.

John DeTroye Ten second answers, guys. John DeTroye Okay. So again, we're FileWave for educational licensing. We have a very good scheme where we give you the software and you just pay for support. So I'd suggest we could talk about that offline. Regarding permissions, every file that we control, we can manage their permissions, the bits and the groups on them and the owner.

Just in the interest of time, I'd love to talk more about this with you. We've got our engineering development team here from LANDesk, and if you want to stop by a little bit later, we can go into more detail on that dependency question. Ours is through the policy-based orchestration I talked about earlier. We do it both by machine-based versus a user-based. So for roaming users, if you have multiple users on a machine, but they may not necessarily have permission for a particular application.