3 Desktop Management

The Advanced Management Console provides administrators with information about how Java technology is used in their enterprise. Through the Advanced Management Console, administrators can determine such things as how many computers are running an insecure version of Java, what versions of the JRE are installed on enterprise computers, and what deployment rule sets are active in the enterprise. The Advanced Management Console also enables administrators to push deployment rule sets to managed computers.

This topic includes the following sections:

About Desktops

Desktops in the Advanced Management Console represent the client computers in an enterprise. Information about the desktops that are managed by the Advanced Management Console is shown in the Desktops tab and the Status tab.

For a desktop to be managed by the Advanced Management Console, the Advanced Management Console agent must be installed on the desktop. The agent gathers the information about the desktop and sends it to the central server. The agent also processes the requests to install a deployment rule set on the desktop. See Advanced Management Console Agent Installation and Configuration in the Advanced Management Console Installation and Configuration Guide.

A report of retired desktops and rule set failures is available from the Status tab.

Desktops Tab

The Desktops tab of the Advanced Management Console shows information about the desktops that are managed by the Advanced Management Console. Filters are available to get reports about selected desktop properties. The ability to push Deployment Rule Sets to desktops and export desktop information to an HTML file or comma-separated values (CSV) file is also provided.

Views for Desktops

The table in the Desktops tab shows the properties for desktops that are managed by the Advanced Management Console. The properties view provides more detailed information for each desktop. Depending on the display option selected, information can also be shown as a pie chart or a bar chart.

The table view is the default view. The table view is available for all display options. However the properties that are shown are dependent on the display option selected. Click the arrow that appears in the column heading to sort the data by the values in that column. Use the navigation bar below the table to view additional pages when the number of desktops exceeds the page size.

The properties view is available only when Desktop is selected as the display option. Click the column heading in the Installed JREs table or Command Queue table to sort the data by the values in that column. Use the navigation bar to scroll through the properties for other desktops that match the filter criteria.

The pie chart and bar chart are available when something other than Desktop is selected as the display option. Click a segment from the pie chart or a bar from the bar chart to see the desktops that match the selected value.

Filters for Desktop Properties

The display option and the filter criteria in the Desktops tab determine what information is shown for the desktops managed by Advanced Management Console.

The default display option is Desktop, which shows the properties for each managed desktop in a table. The other choices for the display option show the values for the selected option and the number of desktops that match each value. For example, selecting Java Runtime Environment (JRE) Major Version shows every major version of the JRE that is installed on at least one desktop and the number of desktops on which it is installed.

The filter criteria further refine the information shown. The choices available for the criteria are based on the properties of the desktops. For example, if the only major JRE versions found across all managed desktops are 1.7.0 and 1.8.0, then 1.6.0 is not shown as a choice for the JRE Major Version criterion.

You can use the display option and filter criteria together to get answers to questions similar to the ones in the following list:

  • Which desktops are running insecure versions of the JRE?

    Set Display to Desktop. Add the criterion JRE Security, and set it to some JREs are insecure. The table shows the list of desktops that have at least one insecure JRE installed.

  • How many desktops are running versions of JRE 7?

    Set Display to JRE Major Version. See the number in the Hosts column for the row showing JRE Major Version 1.6.0.

    To show only the data for version 1.7.0, add the criterion JRE Major Version and set it to 1.7.0. If 1.7.0 is not shown in the table or in the list of major versions available, then no desktops are running a version of JRE 7.

  • Which deployment rule sets are desktops using?

    Set Display to Active Rule Set. The table shows the list of rules sets that are active and the number of desktops for each rule set.

  • Which desktops are using the rule set rule-set-name?

    Set Display to Desktop. Add the criterion Active Rule Set and set it to the name of the rule set that you are interested in. The table shows the list of desktops that are using the selected rule set.

Deployment Rule Set Distribution

A deployment rule set helps you manage the applications that are allowed to run in your enterprise. The Desktops tab in Advanced Management Console contains an option for pushing a deployment rule set to selected desktops.

The Advanced Management Console agent is used to install the rule set on a desktop. Pushing a rule set sends a command to the agent. The next time the agent contacts the Advanced Management Console server, the agent processes the command. View the status of the rule set by selecting the Rule Set Status display option or setting the Rule Set Status filter criteria.

Generating Reports for Desktops

Reports are used to answer questions about desktops that are managed by Advanced Management Console and about the JRE versions and deployment rule sets installed on those desktops. Set the display option and filter criteria in the Desktops tab to generate the type of report that you want. Report data can be exported to an external file.

Depending on the filters that are used, reports are available as a table, pie chart, or bar chart. See Views for Desktops.

Reports about retired desktops or desktops with rule set failures are available from the Status tab.

Setting the Display Option for Desktop Reports

Set the display option in the Desktops tab to show how many desktops managed by Advanced Management Console match each value for a specific property.

To set the display option:

  1. In the Advanced Management Console, click the Desktops tab.
  2. Select a property to see the report for that property.

    The following examples show how the display option is used:

    • To show the JRE versions installed on desktops and the number of desktops that have each version installed, set Display to JRE Full Version. The first column in the table shows the JRE versions that are found. The second column shows how many desktops have that version installed.

    • To show the rule sets that are active on desktops and the number of desktops that have each rule set installed, set Display to Active Rule Set. The first column in the table shows the names of the active rule sets that are found. The second column shows how many desktops have that rule set installed.

    • If a desktop group exists, then show the number of desktops associated with each value for a desktop group by setting Display to the name of a desktop group.

Setting Filters for Desktop Reports

Use filters in the Desktops tab to show only desktops managed by Advanced Management Console that match specific values for selected desktop properties.

To filter the information by a desktop property:

  1. In Advanced Management Console, click the Desktops tab.
  2. Click Add Criteria and select one or more filters from the list.
  3. For each filter selected, select or enter the value to match.

    Filters that provide a list of values show only values that are present in at least one desktop. For example, the JRE Major Version filter shows only major versions that are installed on at least one desktop. For filters that do not provide a list of values, such as First Name and Last Name, enter the string to match and press Enter. Wildcards are not currently supported.

    Some filters require a secondary filter. The secondary filter is automatically shown when the primary filter is selected. For example, if the filter criterion OS Version is selected, then the OS Family filter is also displayed.

To see which desktops match the filter criteria, set Display to Desktop.

Exporting Desktop Reports

Data from the desktop reports that are generated by Advanced Management Console can be exported to an external file. Filter criteria is used to choose the desktops that are included in the exported data.

To export data for desktops:

  1. In the Advanced Management Console, click the Desktops tab.
  2. Make sure that Display is set to Desktop.

    The Other Actions button is available only with the Desktop display option.

  3. (Optional) Set the filter criteria to show only the desktops that you want included in the exported data.

    Click Add Criteria and set the values for each filter that you select. Only information that matches the criteria is exported.

    If no filters are set, then all desktops are included in the exported data.

  4. Click Other Actions and then select Export Data.

    The Export Data window is shown.

  5. Choose the output format.
    • HTML: The generated file contains the data in a table with HTML formatting.

    • CSV: The generated file contains the data in text fields that are separated by the value separator that you select.

  6. Click Confirm.

    The browser prompts you to either save or view the data. Depending on the format selected, the default file name is amc2-desktops_YYYY-MM-DD_HH-MM.csv or amc2-desktops_YYYY-MM-DD_HH-MM.html, where YYYY-MM-DD_HH-MM is the server-side time stamp of when the file was created.

The following data is exported for each application that meets the filter criteria.

  • Operating system name

  • Operating system version

  • Operating system architecture

  • Owner name

  • Owner email address

  • Time stamp of last contact

  • Host name

  • IP address

  • Name of active rule set

  • Agent version

  • Number of secure JRE versions installed on the desktop

  • Number of insecure JRE versions installed on the desktop

  • Desktop groups and the value of the group property for any group that includes the desktop

Pushing a Deployment Rule Set

A deployment rule set provides rules for allowing or blocking Java applications based on the criteria set in the rule. The Advanced Management Console enables you to distribute signed deployment rule sets to the desktops in your enterprise. When the Advanced Management Console pushes a signed DeploymentRuleSet.jar file to a desktop, the Advanced Management Console agent edits the Java deployment.properties on that desktop to point to a specific truststore that holds the certificates from this DeploymentRuleSet.jar file. By default, the deployment.properties file is located at: C:\Windows\Sun\Java\Deployment\.

If your desktop already contains a deployment.properties file with the deployment.user.security.trusted.cacerts property set to a specific location, then Advanced Management Console overwrites that property value.

Note:

A signed deployment rule set must be available in Advanced Management Console. Otherwise, the option to push a deployment rule set is not enabled.

To push a deployment rule set:

  1. In Advanced Management Console, click the Desktops tab.
  2. Make sure that Display is set to Desktop.

    The Push Deployment Rule Set button is available only with the Desktop display option.

  3. (Optional) Set the filter criteria to show the subset of desktops to which you want to push the rule set.
  4. (Optional) Select the target desktops by selecting the check box for the desktop.

    If no desktops are selected, then the target is all desktops that match the filter criteria that is set.

  5. Click Push Deployment Rule Set to display the Push Deployment Rule Set dialog
  6. Choose one rule set from the list provided.

    Only signed rule sets can be distributed. If the rule set that you want to push is not in the list, then the rule set is currently unsigned.

  7. Choose the target.
    • To push only to selected desktops, select Selected Desktops.

    • To push to all desktops matched by the filter criteria that is set, select All Filtered Desktops.

  8. Click Push.

The next time the agent on the target desktops contacts the Advanced Management Console server, the agent downloads and installs the rule set. View the status of the rule set by selecting the Rule Set Status display option or setting the Rule Set Status filter criteria.

Note:

A rule set that is altered on a desktop after being deployed from the Advanced Management Console is no longer recognized by the Advanced Management Console. Properties for any desktop with an altered rule set are updated to indicate that the desktop does not have an active rule set.

Enabling or Disabling Agent Auto Update

The Advanced Management Console provides an option in the Configuration tab to enable or disable the agent auto update.

To enable or disable the agent auto update:
  1. In the Advanced Management Console, click the Configuration tab.
  2. Click the Agent Settings sub tab.
  3. Click Edit.
  4. Select or deselect the Agent Auto Update check box under Agent Action Intervals and Units to enable or disable agent auto update.
  5. Click Save.

Enabling or Disabling Java Auto Update

Java has a mechanism which checks for and installs new versions of Java in the background. As the Advanced Management Console provides finer-grained control of Java Runtime Environment (JRE) management on dekstops, an option is provided in the Desktop tab to enable or disable Java Auto Update on each desktop.

To enable or disable Java auto update:
  1. In the Advanced Management Console, click the Desktops tab.
  2. Make sure that Display is set to Desktop.

    The Other Actions button is available only with the Desktop display option.

  3. (Optional) Set the filter criteria to show only the desktops for which you want to enable or disable the auto update.

    Click Add Criteria and set the values for each filter that you select. The agent auto update is enabled or disabled only for the desktops that match the criteria.

    If no filters are set, then the agent auto update is enabled or disabled for all desktops.

  4. Click Other Actions and then select Set Java Auto Update for Desktop(s) to display the Set Java Auto Update for Desktop(s) dialog.
  5. Select the target desktop on which to set auto update by selecting either of the following options:
    • Selected Desktops: Shows the number of desktops selected.
    • All Filtered Desktops: Shows the number of filtered desktops included.
  6. Select Enabled to enable Java auto update or Disabled to disable it.
  7. Click Confirm.
The Java Auto Update mechanism gets enabled (or disabled) on the selected desktops.

Desktop Properties

The Advanced Management Console agent collects information about the desktops managed by Advanced Management Console. The properties describe such things as the JRE versions, the operating system, and the deployment rule set for each desktop.

The following table describes the desktop properties that are shown when the display option is set to Desktop. Properties that are shown only in the properties view are indicated by an X in the Properties View Only column.

Property Description Properties View Only Optional

Active Rule Set

Name of the active rule set, if any

 

X

Architecture

Architecture of the JRE, for example, 32-bit

X

 

Command Queue

List of commands executed for the desktop, the status of each command, and any additional details, such as the name of the deployment rule set that was pushed

X

 

First Name

First name of the registered user of the desktop

X

X

Host Name

Host name of the desktop

X

 

IP Address

IP address of the desktop

X

 

Java Vendor

Name of the vendor that distributed the JRE

X

 

Java Versions

List all web-enabled JREs found on the desktop.

 

X

Last Contact

Time stamp of the last contact with the agent

   

Last Name

Last name of the registered user of the desktop

X

X

OS

Operating system that the desktop is running

   

OS Architecture

Architecture of the operating system that the desktop is running, for example, 64-bit

X

 

OS Family

Operating system for the desktop

X

 

Other JREs

Lists all other JREs (not web-enabled) found on the desktop.

   

Owner Email

Email for the registered user of the desktop

 

X

Secure

Flag that indicates if the JRE is a secure version. A check mark means that it is secure.

X

 

Path

Path to the location of the JRE. If the JRE is in more than one location, then all paths are shown, separated by semicolons (;).

X

 

Version

Version of the Advanced Management Console agent installed on the desktop

   

When the display option is set to something other than Desktop, the table shows the values for the selected filter criteria for desktops and the number of desktops that match each value.

Web-Enabled JREs

The Advanced Management Console agents can detect whether or not the Java Runtime Environments (JREs) are web enabled. If the JREs are web enabled, then they can be used to run applets and Java Web Start applications.

The Advanced Management Console can detect what JREs are actually used by Java Plugin or the Java Web Start to run Rich Internet Applications (RIAs). These web-enabled JREs are displayed in the Java Versions column of the Desktop Properties and in the Web Enabled JREs table in the Properties view. To view the Web Enabled JREs table, in the Desktops tab, select a Desktop, and click the Properties icon. Details of the selected desktop are displayed in the following tables: Web Enabled JREs, Installed JREs, and Command Queue. All the other JREs are listed in the Other JREs column of the Desktop tab.

You can also view the web-enabled JREs when you select either the JRE Full Version or the JRE Major Version from the Display drop-down list in the Desktop tab.

Desktop Properties Shared With Advanced Management Console Server

When the Advanced Management Console agent registers, it sends some information (Desktop Properties) to the Advanced Management Console server. This is information pertaining to both the Java Usage as well as the Java Runtime Environment (JRE).

The agent sends the following information about itself to the server:
  • First Name (Optional)

  • Last Name (Optional)

  • Email (Optional)

  • Heartbeat: Current time stamp of the agent trying to register.

  • IP Address

  • Host Name

  • OS Architecture, for example 64–bit

  • OS Version, for example, 10.9.5

  • OS Name, for example, Mac OS X

The values for First Name, Last Name, and the Email are the values entered in the AMCUser.properties file, which is the properties file of the Advanced Management Console agent. If the properties file is absent or the agent chooses to leave some of these values empty, then the values of the three properties are reported as null. Once the agent starts running, with the usage tracking record configured, details, such as the usage tracking records for webstart applications, applets — both jnlp and html, and the standalone applications are collected and shared periodically with the Advanced Management Console server.

The agent also periodically scans for JREs on the Desktop and shares the following information with the server:

  • Java Version (both major and minor)

  • Architecture

  • Vendor

  • Path where the JRE is installed

  • Type of installation

  • Whether the JRE is web enabled

Filter Criteria for Desktops

The filter criteria available in the Desktops tab is used to generate reports about the desktops managed by Advanced Management Console. The filters and the values chosen provide administrators with specific information about the desktops and JRE versions in use in the enterprise.

The following table describes the filters that are available for desktops, and indicates if the criteria is set as the display option or as a filter. For filters, the valid values are provided in the drop-down list, except where noted in the description.

Criteria Description Display Option Filter Criteria

Desktop

List of desktops managed by Advanced Management Console

X

 

JRE Major Version

Major version of the JRE, such as 1.7.0 or 1.8.0.

X

X

JRE Minor Version

Version number of the update release for a major release. The JRE major version filter is also shown when this filter is selected.

 

X

JRE Full Version

Major and minor version of the JRE, such as 1.7.0_67 or 1.8.0_40

X

 

JRE Architecture

Architecture of the JRE, such as 32 for the 32-bit JRE

X

X

JRE Security

Security status based on the JRE security baseline. Set the filter to show desktops where all installed JREs are secure, all installed JREs are insecure, or some installed JREs are insecure.

 

X

OS Family

Operating system for the desktop

X

X

OS Version

Version of the operating system. The OS family filter is also shown when this filter is selected.

 

X

OS (Family + Version)

Family and version of the operating system

X

 

OS Architecture

Architecture of the operating system

X

X

Last Contact

The following types of desktops listed in this drop-down list: Retired, Online, and Offline. Set the filter to display the desktop type:

  • Retired: a desktop that hasn't contacted the Advanced Management Console server for more than a month. It is a desktop that contacts the Advanced Management Consoleagent and not the server. It may happen that a desktop is actually on, but for some reason the agent can't contact the server, and such a desktop is shown either as retired, or as offline.

  • Offline: a desktop that hasn't contacted the Advanced Management Console server for more than a day but less than a month.

  • Online: desktops that have contacted the server in the last 24 hours.

Note:

In the future releases of the Advanced Management Console, the values (1 month or 1 day) can be changed, or a way to configure them may be provided in the Advanced Management Console UI.
 

X

Owner First Name

First name of the registered user of the desktop. Enter the name to match.

 

X

Owner Last Name

Last name of the registered user of the desktop. Enter the name to match.

 

X

Owner Email

Email of the registered user of the desktop. Enter the email address to match.

 

X

Active Rule Set

Name of the active rule set installed on the desktop

X

X

Rule Set Status

Status of the request to push a rule set to the desktop

X

X

Agent Version

Version of the Advanced Management Console agent that is running on the desktop

 

X

Desktop-group

Filter for each desktop group that is defined, if any. Desktop-group is the name of the group.

X

X

JRE Security Baseline

The JRE security baseline identifies the latest version of the JRE that contains security-related changes. A baseline is identified for each JRE family. The Status tab of Advanced Management Console shows the current security baseline.

The Java Security Baseline section of the Status tab shows the following information:

  • URL: Location from which Advanced Management Console downloads information about the security baseline version

  • Baseline Date: Date and time that the security baseline at the location identified by the URL field was last updated

  • Baseline: The security baseline version for each JRE family

  • Last Check: Date and time that information about the security baseline was last checked by the Advanced Management Console