While there's a lot that's new in SMS v4 Beta 1—including a fresher look courtesy of MMC (Microsoft Management Console) 3.0—some important contours that shape SMS development haven't changed.
As we've said in reviews of the platform during the past nine years, SMS focuses on managing Microsoft Windows systems and leaves coverage of other operating systems to third-party providers. Add-on management packs are still the order of the day in the beta we looked at.
In contrast, SMS' traditional competitors—including IBM Tivoli's Configuration Manager and CA's Unicenter Network and Systems Management—still excel at providing integrated system management across a data center with heterogeneous operating systems.
These competitors are also embarking on CMDB (configuration management database) efforts that complement their configuration monitoring tools. (See "Keeping systems in check" at eweek.com.)
Based on our work with the current beta (which is available here), there are some compelling reasons to start looking now at what will be SCCM 2007, not the least of which is Microsoft's NAP (Network Access Protection) scheme.
NAP is a policy-based access enforcement capability that will be built into the forthcoming Windows Vista and Windows Server "Longhorn" operating systems. Its inclusion in the SMS platform indicates that Microsoft's initiative is gaining the legs it needs to run in the endpoint security race.
Using SMS v4 Beta 1, we deployed the NAP client to our managed systems to enforce software-update compliance.
Implementation of the NAP infrastructure took a bit of sorting out—we spent several days setting up basic configuration tests that allowed or disallowed our clients network access. For example, we were able to check for the presence of the NAP agent and do some rudimentary checks for the presence of anti-virus software on a test endpoint.
NAP is in the initial stages of implementation in Vista. Microsoft officials told eWEEK Labs that subsequent releases of NAP will have more capabilities, including more extensive endpoint configuration reporting.
Much of our work with the beta was hampered by the fact that the help system for many of SMS v4 Beta 1's features is still in outline form—to be expected with a beta release. However, IT managers who have experience with previous versions of SMS—along with a bit of flair when it comes to policy-based systems management—shouldn't have too much trouble mastering the procedures.
We strongly recommend that organizations evaluating client access solutions immediately set up a testbed to look at NAP as implemented in SMS v4 Beta 1. With the implementation of NAP in what will likely become Microsoft's manager of managers when it comes to system configuration, IT managers should become familiar with the strengths and weaknesses of the technology.
One of those strengths is the deep hooks that Microsoft SMS v4 Beta 1 has with Windows, the operating system most likely to be found on enterprise desktops and laptops. We were able to scan clients to get a "health statement" each time an SMS v4 Beta 1-configured client attempted to access the network.
We configured our NAP check to force a fresh scan before the security compliance evaluation of the endpoint began. This resulted in at least a minute's delay before network access was granted because we forced the scan to forgo the use of information cached on the client.
SMS v4 Beta 1 gathers data and gains many discovery and reporting capabilities from Microsoft's Active Directory. SMS v4 Beta 1 can discover clients without using Active Directory, but our tests showed that scans for client groups and user account information were much more effective when using the Microsoft directory.
One area in which SMS v4 Beta 1 excels is reporting. We used the application's reports to scout out systems based on any measurable software or hardware condition stored in the Microsoft SQL Server database associated with SMS v4. During the course of our evaluation, changes to our test systems were collected by SMS and stored in the database for use as the basis of configuration reports.
There are also several new reports that categorize output from the database based on machine state. One report that helped us find troubled machines was the "Summary of noncompliant computers in remediation" report. This report could be especially useful for help desk staffers handling calls from users who are unable to get onto the network.
Technical Director Cameron Sturdevant can be reached at firstname.lastname@example.org.