Can Asset Management control which users can install or use software?

book

Article ID: 181735

calendar_today

Updated On:

Products

Asset Management Solution

Issue/Introduction

 

Resolution

This white paper article provides information on what Asset Management Solution can and cannot do to control user access to software.

What Asset Management software compliancy can and cannot do


Asset Management has no control over which users can install or use software. This may be implied by Asset Management's software compliancy, such as a software purchase's Software Purchase Owners field (which users "own" the software, which can be meant to be understood who controls access or is responsible financially) or a software license's Authorized Clients field (any computer not on the Authorized Client list is automatically unauthorized). These are not used to control software installations or usage, they are used to provide data for software compliancy. Asset Management cannot enforce software installation or usage; in fact, there is no Symantec Altiris product that can do this.

Software compliance monitors Asset Management software purchases/licenses and compares their numbers with Inventory Solution's software inventory list of installed products. For example:

  • A software purchase for Adobe Acrobat Reader 10 is entered, with the quantity of 20.
  • A software license is entered, and tied into the software purchase. In the software license, the software product is also picked, "Adobe Acrobat Reader 10", which ties into a managed software product (a.k.a. a software component). This in turn ties into files detected by an Inventory Solution software policy.
  • When software compliancy is checked, which can be on Software Catalog, in Resource Manager on the Summary pages or in dedicated software compliancy reports, this shows the total licenses available (20) and, in this example, it shows that there are 50 installations found (by the software policy from Inventory Solution). The customer is therefore out of compliance with this product, as there are 30 unauthorized installations found. The customer would need to deal with these or decide to purchase additional Adobe Acrobat Reader 10 licenses.
  • Beyond this, Asset Management, as previously stated, has no control over the enforcement of compliancy: it merely reports on it. 
  • Asset Management also does not track software product keys. A customization, however, can be added, to help do this. This is documented here:

    How to add software product license keys to an Asset Management Software Purchase or Computer as a custom data class
    http://www.symantec.com/business/support/index?page=content&id=HOWTO75170


For more information about how to use software compliancy, refer to the following article:

How to use Asset Management's Software Product License Compliance
http://www.symantec.com/business/support/index?page=content&id=HOWTO95003

How a software license Authorized Clients list works

Authorized Clients, a field in a software license, implies that it can control access to software. As previously mentioned, this is incorrect in that neither it nor Asset nor Altiris has the ability to enforce this. The Authorized Clients list is basically a "filter" for the software product/license as how it is applied to all Inventory Solution software inventory. Here are examples of how software compliancy works without and with an Authorized Client list:

Without Authorized Clients

  • As there is no Authorized Client list, all computers are automatically applied to the software compliancy for this license.
  • Using the above example from the first section of this article, we see that we have 20 Adobe Acrobat Reader 10 licenses.
     

With Authorized Clients 

  • With Authorized Clients, this sets up a "filter" of which computers are authorized by the license, and by exclusion, which are not.
  • Using the above example from the first section of this article, and adding an Authorized Client list that has 15 specific computers in it, only these 15, if they have installed Adobe Acrobat Reader 10, are "authorized". Any computer not on this list that shows it has installed Adobe Acrobat 10 is "unauthorized" and therefore the license is out of compliancy.
  • An Authorized Client list can be computers, asset owners or primary users. As asset owners and primary users require 100% correctness, however, it is not recommended to use non-computer lists unless the customer is certain that these all comply with their correct data.
  • Again, Asset Management does not control the installation or usage on the unauthorized clients, it just reports on it.


Where to see software compliancy data, including authorized client information

In the Resource Manager > Summaries > Software License Summary for a software license, detailed information on its compliancy is reported. When data exists, this can be clicked on to open up and drill into the respective software compliancy report.

Likewise, under Reports > Service and Asset Management > Contract Management > Software Licensing, many out-of-box reports are available to help the user track this. These include authorized and unauthorized reports, if the customer has set up an Authorized Client list in their software licenses.

Lastly, in the Software Catalog (Manage > Software or Manage > Software Catalog), managed computers can see their usage data represented graphically here. This can be useful to help see if too many licenses have been purchased, indicating that when their renewal is up, the customer purchase fewer licenses to save money. This can also be used for basic software compliance, based on the current active computers reporting in the software product (the number in the bubble above the graph).

Inventory Solution software reports and SQL scripts

It may be possible to use the out-of-box reports and maybe some SQL scripts to help understand who is using what software. Inventory Solution comes with several reports that can help, such as the Installed Software By Computer report. If there is only one user for the computers (a common situation), then that user would be therefore responsible for what they install onto their computer.

As Windows and the Symantec Management Agent report back on who the primary user is for computers, a SQL script could be used to show who this user is, what their telephone number and email address are, so that the Asset Management administrator in charge of software compliancy can contact them if there are any questions about what they have installed onto their computer. This article includes an example SQL script that demonstrates how this works.

Suggestions

There are a few ways to further augment what can be done for software control to restrict user access. These may not provide everything that the customer needs, however, but are provided workarounds to add this type of ability into Altiris.

  • The best suggestion is to use Application Metering. Using it, software can be added to a blacklist that can prevent the software from being installed or ran on specific computers.
  • Application Metering can also track the usage of software (but not per user). This is already part of the software product and can be set up in the enhanced view of the console.
  • Software Management can be configured to not install new software or uninstall software for unauthorized users.
  • Arellia Application Control, a third party product for Altiris, can further control which products can be used by which users. In many situations, this can be what the customer is really looking for. As this is sold and supported by a third party, please contact Arellia with any questions about their product. Information about Arellia Application Control can be found on Arellia's web site: http://www.arellia.com/products/application-control-solution/.


Related Article


Where can I find the available Software License count in Asset Management?
http://www.symantec.com/business/support/index?page=content&id=HOWTO98430

Attachments

Find installed software and related users.sql get_app