Did you know that BMC Client Management can add devices running a Windows, Mac OS X or Linux OS as “Unconnected” devices? This feature allows the enterprise to add devices in isolated environments such as “Sandboxed”, “No Network Connection” and “Highly Secured”, among others. This is a sample use case:
Company A has a DEV environment that is totally isolated from the production network, and due to security concerns they are not allowed to open the firewall between these two networks. Company A needs to be able to account for their time, efforts and change control requests using their ITSM solution and CMDB. BCM can collect the hardware and/or software inventory of these computer objects using a batch file run locally on the device. Below are the instructions along with screen captures to better understand this concept.
Unconnected devices in BMC Client Management – Inventory are devices of your infrastructure that are never connected to the network. However, CM can inventory (hardware and software) these devices and include the generated inventories in the BCM database. The custom inventory for these devices can only be created directly in the CM console.
Unconnected devices are a specific type of unmanaged device and are treated in the console as such; in this topic the terms unmanaged and unconnected are treated as synonyms.
Before you can collect data from devices never connected to your organization’s network, you must prepare a USB key, which is used to run the data collection and to transport the data to any other device of the network. For this, you need a USB key on which the tool provided by BMC Client Management – Inventory is installed. You can find it in the downloaded installation archive in the form of a .zip file under the directory tools/UnconnectedDevices.
The second step for inventorying an unconnected device is to locally collect the information. To do so, proceed as follows:
Under the directory you can see three executable (.bat) files:
allinventories.bat: collects both types of inventories.
hardwareinventory.bat: collects only the hardware inventory of the device.
softwareinventory.bat: collects only the software inventory of the device.
The data collection on the unconnected device is now finished.
After all the data is on the USB key, you must access any device that is connected to your network and has a CM agent installed. From there you can integrate the collected data into the master database via the agent's browser interface.
The data integration of unconnected devices is now complete and its results can be viewed in the console.
The identity and inventory data of unconnected devices, that is, devices without a CM agent or unconnected devices, can only be displayed via the console.
Since unconnected devices, as their name implies, are not connected to the network, they will not appear under the Device Topology node. They are available in either of the following ways:
Unconnected devices are represented by different icons than the other devices in the console, because they are neither unknown, nor is their connection established or lost. Unconnected devices are represented by an orange icon, which, as for the other connected devices, indicates the operating system of the respective device, if known. As such devices are not necessarily simple desktop devices, but also other network devices such as routers, switches, printers, and so on, they are represented by their specific icons.
The development team for BMC’s Client Management added Mobile Device Management (MDM) with the release of v12.5 last October. This has been a highly requested feature for this very powerful ITIL-compliant ITAM solution. This module comes with the core feature and is not an add-on like Patch or Deploy. When a customer upgrades or installs a fresh instance, the module and all of its features are readily available. Licensing is counted just like installing an agent on a device running Windows, Linux or Mac OS. If a customer adds a mobile device through enrollment, then the “Agent”, “Inventory”, and “Compliance” licenses will be decremented against the total available.
This release is limited to iPhones and iPads only. BMC has stated that it is their intention to add Android devices with a later version but not v12.6. During BMC Engage they did mention that it could be within a 1-2 year time frame but with no promises.
I recently had available time to set up an instance of Client Management in our lab and enrolled an iPhone for both testing and demos. Below are screen captures from an iPhone 5s during the enrollment process. There were about 6 screens the user clicks through but the three screens below will provide you the idea of how the screens can be branded for your organization.
The CM console for configuring and managing mobile devices is straightforward and does what one would expect an MDM solution to offer. The screenshot below provides a glimpse into the various menus and the data provided.
This post is not intended to be a whitepaper on “How to Configure MDM” but a notification to our customers about this new and exciting feature added to Client Management.
BMC has added integration paths for their ITSM solutions (Footprints, RemedyForce, Atrium CMDB, and now MyIT and SmartIT for Remedy), further proving their commitment to and appreciation for Client Management.
To see more documentation and videos on MDM visit MDM on BMC Website.
Recent news has made us more aware of how efficient various countries have become at harvesting data, inserting malware or ransomware, and gaining access to systems by various other means. BMC Client Management is NOT intended to act as an anti-virus solution, but it can validate that software tools are current and properly configured. In addition to validation, BCM can use its native scripts to perform actions such as updating the DAT file, scheduling scans (regular, or on demand as a one-off), and enabling real-time protection.
Beyond the functions mentioned above, BCM can also verify hardening standards provided by DISA and USGCB, among others, using OOTB SCAP compliance objects. These validation checks can be run on demand or on a regular schedule, and run in tandem with normal security patching cycles as a means to verify that no settings were changed by these updates. This improves awareness and reduces overall costs compared with other techniques available today. In fact, some organizations do not perform these checks after updates because of personnel limitations stemming from the complexity involved.
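The post-patch check described above comes down to comparing two scans of the same benchmark and flagging rules whose state changed. As an added example (not BMC's code and not part of the original post), this Python script diffs two XCCDF 1.2 TestResult documents; it assumes the SCAP results are available as XCCDF XML, and the rule ids and sample results are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

def rule_results(xccdf_xml):
    """Return {rule idref: result} from the first TestResult in an XCCDF document."""
    root = ET.fromstring(xccdf_xml)
    test = root if root.tag.endswith("}TestResult") else root.find(".//x:TestResult", NS)
    if test is None:
        raise ValueError("no XCCDF TestResult element found")
    results = {}
    for rr in test.findall("x:rule-result", NS):
        text = rr.findtext("x:result", default="", namespaces=NS)
        results[rr.get("idref")] = text.strip() or "unknown"
    return results

def drift(before, after):
    """Classify rules whose state changed between the pre- and post-patch scans."""
    report = {"regressed": [], "fixed": [], "not_evaluated": []}
    for rule, old in sorted(before.items()):
        new = after.get(rule)
        if new is None:
            # A rule missing from the later scan is a finding in itself.
            report["not_evaluated"].append(rule)
        elif old == "pass" and new != "pass":
            report["regressed"].append((rule, new))
        elif old != "pass" and new == "pass":
            report["fixed"].append(rule)
    return report

def _sample(results):
    """Build a constructed TestResult document (rule ids are placeholders)."""
    rows = "".join(
        f'<rule-result idref="{r}"><result>{v}</result></rule-result>'
        for r, v in results.items())
    return f'<TestResult xmlns="{NS["x"]}" id="xccdf_example_testresult_1">{rows}</TestResult>'

# Constructed scans: one setting flips to fail and one rule disappears after patching.
PRE_PATCH = _sample({"rule_smbv1_disabled": "pass", "rule_audit_logon": "pass",
                     "rule_autorun_off": "fail", "rule_fw_enabled": "pass"})
POST_PATCH = _sample({"rule_smbv1_disabled": "fail", "rule_audit_logon": "pass",
                      "rule_autorun_off": "pass"})

if __name__ == "__main__":
    for kind, rules in drift(rule_results(PRE_PATCH), rule_results(POST_PATCH)).items():
        print(kind, rules)
```

Rules reported as regressed or not_evaluated are the ones to review before closing the patch cycle's change record.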
Finally, BCM provides a secure method of transporting data over both the WAN and the Internet, and provides confidence that its use would not be considered a vulnerability but a total solution for protecting data both in transport and at rest. Using role-based groups and Active Directory security, customers can feel confident that both the underlying data and the ability to manage endpoints using Client Management are very secure, and that it has not been found to create any opening that would jeopardize any customer.
Steven R. Gibbs
Sr. Systems Consultant