Managing Settings and Compliance

  • Article

It’s become pretty evident to most of us in the enterprise management space that the theme of late has been “consolidation.”  Over the years, we have given IT Pros a LOT of different tools to attack specific problems. In our zeal to solve your needs, this has unfortunately created a proliferation of software and administrative experiences that has in many cases increased your cost in delivering solutions.  In ConfigMgr 2007, we started the consolidation process by integrating basic settings and compliance management into your day-to-day tool for delivering software and managing assets.  With ConfigMgr 2012, we’ve now given you the complete solution for managing settings and compliance, and integrated it across the board with all of your software delivery, asset management, and even security management processes.

As we looked at settings and compliance management for ConfigMgr 2012, our vision was this:

Provide a unified platform for customers and partners to define, monitor, enforce and report configuration compliance in the enterprise for users across all supported ConfigMgr devices.

To attain this, the first thing we had to do was get the complete feature set for settings and compliance, and this meant providing settings enforcement. You’ve heard us call it “DCM set” for years! This provides the ability, on a given setting, to enforce the value of that setting. Now, we still offer monitoring only for a class of settings that either you don’t care to enforce or that you want to manage through your change management processes. But, for the class of settings you know always need to be consistent (and where enforcement won’t be more harmful than the settings drift!) - - we offer automatic enforcement. For settings enforcement, we only honor a subset of settings types (registry, WMI, script-based, and settings on mobile devices.) But, based on customer feedback, this seems to solve most of the settings you need to enforce on a day-to-day basis. And, to make it a little more comfortable for you, you can even deploy your baselines in “monitor only” mode until you have an idea of the level of enforcement you’ll be applying. Great tool for your change management board! 

Secondly, we had to make our settings and compliance experience easier. With ConfigMgr 2007, we found that our settings management feature was one of the last ones customers would actually use. It wasn’t that it didn’t provide value – it’s just that it took them longer to understand and master.  We did a lot of work around simplifying the administrator experience, including:

  • Simplified Baseline creation experience all-up. Much simpler and reduced wizards to create and deploy baselines.
  • Ability to browse gold system when creating configuration items. Settings creation was the hardest task – now you can browse locally and create the settings/values/rules right from the correct system.
  • Re-use of settings across CI boundary. This prevents you from having to recreate settings manually, or carry a full CI into a new baseline just for a few settings.
  • Role-based administration built in “Compliance Settings Management Role”. Just want to do settings and compliance management? Now you can filter all the rest of the features out of your way!

One of the other big simplification efforts was around in-console monitoring and reporting. Throughout ConfigMgr 2012 you now have a very consistent way to see compliance and non-compliance quickly in the console, with all the drill-downs you will need to assess compliance and act. (See screenshot below).

clip_image001

The last big area of investment in settings and compliance management in ConfigMgr 2012 is full product integration. This means a lot of things. First of all, our goal was to have an integrated settings management experience across any device. By natively integrating our settings management for Windows Mobile 6.x and Nokia Symbian devices, we have achieved that. We also needed to make sure that settings and compliance management reflected our user-centric vision for ConfigMgr 2012. So, you can target baselines and measure compliance for either users or machines. Put those two improvements together and you now have a VERY powerful tool. I have a baseline for my accounting department. It has settings from PC’s, servers, and mobile devices. I can now see compliance for those users consistently on any device they perform work. That’s user-centric!

There’s much, more on compliance and settings management that I don’t have room to mention here.  If you went to MMS this year, you heard ALL about it from Onur Koc in his “ConfigMgr 2012 – Compliance and Settings Management” session.  We’ll also be posting some “How Do I” videos about settings and compliance management in the near future, so stay tuned.

Bill Anderson
Principal Program Manager Lead
System Center Configuration Manager