3 Desktops

The Advanced Management Console provides administrators with information about how Java technology is used in their enterprise. Through the Advanced Management Console, administrators can determine such things as how many computers are running an insecure version of Java, what versions of the JRE are installed on enterprise computers, and what deployment rule sets are active in the enterprise. The Advanced Management Console also enables administrators to push deployment rule sets to managed computers.

This topic includes the following sections:

• About Desktops

• Desktops Tab

• Generating Reports for Desktops

• Installing JRE

• Uninstalling JREs

• Push Deployment Rule Set

• Other Actions

• Desktop Properties

• Filter Criteria for Desktops

• JRE Security Baseline

• JRE Management Architecture

About Desktops

Desktops in the Advanced Management Console represent the client computers in an enterprise. Information about the desktops that are managed by the Advanced Management Console is shown in the Desktops tab and the Status tab.

For a desktop to be managed by the Advanced Management Console , the Advanced Management Console agent must be installed on the desktop. The agent gathers the information about the desktop and sends it to the central server. The agent also processes the requests to install a deployment rule set on the desktop. See Advanced Management Console Agent Installation and Configuration in the Advanced Management Console Installation and Configuration Guide.

A report of retired desktops and rule set failures is available from the Status tab.

Desktops Tab

The Desktops tab of the Advanced Management Console shows information about the desktops that are managed by the Advanced Management Console . Filters are available to get reports about selected desktop properties. The ability to push Deployment Rule Sets to desktops and export desktop information to an HTML file or comma-separated values (CSV) file is also provided.

Views for Desktops

The table in the Desktops tab shows the properties for desktops that are managed by the Advanced Management Console . The properties view provides more detailed information for each desktop. Depending on the display option selected, information can also be shown as a pie chart or a bar chart.

The table view is the default view. The table view is available for all display options. However the properties that are shown are dependent on the display option selected. Click the arrow that appears in the column heading to sort the data by the values in that column. Use the navigation bar below the table to view additional pages when the number of desktops exceeds the page size.

The properties view is available only when Desktop is selected as the display option. Click the column heading in the Installed JREs table or Command Queue table to sort the data by the values in that column. Use the navigation bar to scroll through the properties for other desktops that match the filter criteria.

The pie chart and bar chart are available when something other than Desktop is selected as the display option. Click a segment from the pie chart or a bar from the bar chart to see the desktops that match the selected value.

Filters for Desktop Properties

The display option and the filter criteria in the Desktops tab determine what information is shown for the desktops managed by Advanced Management Console .

The default display option is Desktop, which shows the properties for each managed desktop in a table. The other choices for the display option show the values for the selected option and the number of desktops that match each value. For example, selecting Java Runtime Environment (JRE) Major Version shows every major version of the JRE that is installed on at least one desktop and the number of desktops on which it is installed.

The filter criteria further refine the information shown. The choices available for the criteria are based on the properties of the desktops. For example, if the only major JRE versions found across all managed desktops are 1.7.0 and 1.8.0, then 1.6.0 is not shown as a choice for the JRE Major Version criterion.

You can use the display option and filter criteria together to get answers to questions similar to the ones in the following list:

• Which desktops are running insecure versions of the JRE?

  Set Display to Desktop. Add the criterion JRE Security, and set it to some JREs are insecure. The table shows the list of desktops that have at least one insecure JRE installed.

• How many desktops are running versions of JRE 7?

  Set Display to JRE Major Version. See the number in the Hosts column for the row showing JRE Major Version 1.6.0.

  To show only the data for version 1.7.0, add the criterion JRE Major Version and set it to 1.7.0. If 1.7.0 is not shown in the table or in the list of major versions available, then no desktops are running a version of JRE 7.

• Which deployment rule sets are desktops using?

  Set Display to Active Rule Set. The table shows the list of rules sets that are active and the number of desktops for each rule set.

• Which desktops are using the rule set rule-set-name?

  Set Display to Desktop. Add the criterion Active Rule Set and set it to the name of the rule set that you are interested in. The table shows the list of desktops that are using the selected rule set.

Generating Reports for Desktops

Reports are used to answer questions about desktops that are managed by Advanced Management Console and about the JRE versions and deployment rule sets installed on those desktops. Set the display option and filter criteria in the Desktops tab to generate the type of report that you want. Report data can be exported to an external file.

Depending on the filters that are used, reports are available as a table, pie chart, or bar chart. See Views for Desktops.

Reports about retired desktops or desktops with rule set failures are available from the Status tab.

Setting the Display Option for Desktop Reports

Set the display option in the Desktops tab to show how many desktops managed by Advanced Management Console match each value for a specific property.

To set the display option:

1. In the Advanced Management Console , click the Desktops tab.
2. Select a property to see the report for that property.

   The following examples show how the display option is used:

   • To show the JRE versions installed on desktops and the number of desktops that have each version installed, set Display to JRE Full Version. The first column in the table shows the JRE versions that are found. The second column shows how many desktops have that version installed.

   • To show the rule sets that are active on desktops and the number of desktops that have each rule set installed, set Display to Active Rule Set. The first column in the table shows the names of the active rule sets that are found. The second column shows how many desktops have that rule set installed.

   • If a desktop group exists, then show the number of desktops associated with each value for a desktop group by setting Display to the name of a desktop group.

Setting Filters for Desktop Reports

Use filters in the Desktops tab to show only desktops managed by Advanced Management Console that match specific values for selected desktop properties.

To filter the information by a desktop property:

1. In Advanced Management Console , click the Desktops tab.
2. Click Add Criteria and select one or more filters from the list.
3. For each filter selected, select or enter the value to match.

   Filters that provide a list of values show only values that are present in at least one desktop. For example, the JRE Major Version filter shows only major versions that are installed on at least one desktop. For filters that do not provide a list of values, such as First Name and Last Name, enter the string to match and press Enter. Wildcards are not currently supported.

   Some filters require a secondary filter. The secondary filter is automatically shown when the primary filter is selected. For example, if the filter criterion OS Version is selected, then the OS Family filter is also displayed.

To see which desktops match the filter criteria, set Display to Desktop.

Installing JRE

In the Desktop tab of /amcwebui, click Install JRE to install a configured Java Runtime Environment (JRE).

As a prerequisite, in the Installer tab of the Advanced Management Console , click Add Java Version to add and configure a Java version before you start with the JRE installation process:

To install JRE:

1. In the Advanced Management Console, click the Desktops tab. Ensure that you have selected the targeted Desktop from the Display drop-down list.
2. Click Install JRE to display the Install JRE dialog.
   The Enterprise button is highlighted, by default.
3. Select a JRE from the from the Select JRE to install drop-down list.
   You can select an available JRE version added to Installers tab. Once you select a JRE, the corresponding Configuration is displayed in the Select a Configuration for JRE drop-down list. For example, if you select Java 8 Update 141 JRE, then in the Select a Configuration for Java 8 Update 141 drop-down list, 8u141config is displayed.

   
   Description of the illustration install-jre.png
4. Select target desktops on which to install the selected JRE. You can either select the Selected Desktop or All Filtered Desktops. Ensure that you have selected at least one desktop.
   Once you select either of these options, Next is enabled. If you haven’t selected at least one desktop, the Next button is not enabled.

   Note:

   In case you have selected more than 1000 desktops, then a warning message is displayed under Summary.
5. Click Next to display the Schedule screen and select the following (Optional step):
   1. Postpone JRE downloads, hours: Select a value if you want to postpone the time taken to download the JRE.
   2. Time interval to spread JRE downloads uniformly, hours: Select a value to spread the time taken to download the JRE.
6. Click Next to display the summary of the selected JRE. The selected schedule is shown under Summary.
   
   Description of the illustration install-jre-summary.png
7. Click Install JRE to schedule Install JRE command.

Installing a Non-Enterprise JRE

You can install non-enterprise JREs for Windows and on macOS. However, the non-enterprise don’t have the ability to define customization, but can be installed by using Install JRE from the Desktops tab.

As a prerequisite, in the Installer tab of the Advanced Management Console , click Add Java Version to add and configure a Java version before you start with the JRE installation process:

To install a non-enterprise JRE:

1. In the Advanced Management Console , click the Desktops tab. Ensure that you have selected the targeted Desktop from the Display drop-down list.
2. Click Install JRE to display the Install JRE dialog.
   The Enterprise tab is highlighted, by default.
3. Select target desktops on which to install the selected JRE. You can either select the Selected Desktop or All Filtered Desktops.
   Once you select either of these options, Next is enabled.
4. Click Non-Enterprise tab.
5. Select a JRE from the Select JRE to install drop-down list.
   
   Description of the illustration non-enterprisejre_install.png
6. Click Next to display the Schedule screen and select the following (Optional step):
   1. Postpone JRE downloads, hours: Select a value if you want to postpone the time taken to download the JRE.
   2. Time interval to spread JRE downloads uniformly, hours: Select a value to spread the time taken to download the JRE.
7. Click Next to display the summary of the selected JRE:
   
   Description of the illustration non-enterprisejre_installsummary.png
8. Click Install JRE to schedule Install JRE command.

Uninstalling JREs

You can uninstall detected Oracle JREs on managed desktops, which are installed using Oracle Java Runtime Environment (JRE) installers or Enterprise Microsoft Windows Installer (MSI). The Advanced Management Console doesn't uninstall privately-installed JREs or JREs that are present on the desktops but are not actually installed.

To uninstall JREs:

1. In the Advanced Management Console , click the Desktops tab. Ensure that you have selected targeted Desktops from the Display drop-down list.
2. Click Uninstall JRE to display the Uninstall JRE dialog.
3. Select the target desktops from which you want to uninstall the JREs. Select either of the following target options: Selected Desktops or All Filtered Desktops.
4. Click Next.
5. Select how you would like to uninstall JRE versions.. You can select either of the following options: Uninstall JRE versions below the security baseline or Uninstall specific JRE versions.
   The Next button is enabled only when you select either of these options. If you select Uninstall specific JRE versions, then a list of JRE versions are displayed as shown:

   
   Description of the illustration uninstalljre.png
6. Click Next to display the Summary of the JREs selected to be uninstalled.
   
   Description of the illustration uninstalljre-summary.png
7. Click Uninstall JRE to uninstall the selected JREs.

Push Deployment Rule Set

A deployment rule set provides rules for allowing or blocking Java applications based on the criteria set in the rule. The Advanced Management Console enables you to distribute signed deployment rule sets to the desktops in your enterprise. When the Advanced Management Console pushes a signed DeploymentRuleSet.jar file to a desktop, the Advanced Management Console agent edits the Java deployment.properties on that desktop to point to a specific truststore that holds the certificates from this DeploymentRuleSet.jar file. By default, the deployment.properties file is located at: C:\Windows\Sun\Java\Deployment\.

If your desktop already contains a deployment.properties file with the deployment.user.security.trusted.cacerts property set to a specific location, then Advanced Management Console overwrites that property value.

Note:

A signed deployment rule set must be available in Advanced Management Console . Otherwise, the option to push a deployment rule set is not enabled.

To push a deployment rule set:

1. In Advanced Management Console , click the Desktops tab.
2. Make sure that Display is set to Desktop.

   The Push Deployment Rule Set button is available only with the Desktop display option.

3. (Optional) Set the filter criteria to show the subset of desktops to which you want to push the rule set.
4. (Optional) Select the target desktops by selecting the check box for the desktop.

   If no desktops are selected, then the target is all desktops that match the filter criteria that is set.

5. Click Push Deployment Rule Set to display the Push Deployment Rule Set dialog
6. Choose one rule set from the list provided.

   Only signed rule sets can be distributed. If the rule set that you want to push is not in the list, then the rule set is currently unsigned.

7. Choose the target.

   • To push only to selected desktops, select Selected Desktops.

   • To push to all desktops matched by the filter criteria that is set, select All Filtered Desktops.

8. Click Push.

The next time the agent on the target desktops contacts the Advanced Management Console server, the agent downloads and installs the rule set. View the status of the rule set by selecting the Rule Set Status display option or setting the Rule Set Status filter criteria.

Note:

A rule set that is altered on a desktop after being deployed from the Advanced Management Console is no longer recognized by the Advanced Management Console . Properties for any desktop with an altered rule set are updated to indicate that the desktop does not have an active rule set.

Other Actions

This topic contains the following sections:

• Export Data

• Edit Desktop Properties

• Unregistering Desktops

• Set Java Auto Update for Desktops

Export Data

Data from the desktop reports that are generated by Advanced Management Console can be exported to an external file. Filter criteria is used to choose the desktops that are included in the exported data.

To export data for desktops:

1. In the Advanced Management Console , click the Desktops tab.
2. Make sure that Display is set to Desktop.

   The Other Actions button is available only with the Desktop display option.

3. (Optional) Set the filter criteria to show only the desktops that you want included in the exported data.

   Click Add Criteria and set the values for each filter that you select. Only information that matches the criteria is exported.

   If no filters are set, then all desktops are included in the exported data.

4. Click Other Actions and then select Export Data.

   The Export Data window is shown.

5. Choose the output format:

   • HTML: The generated file contains the data in a table with HTML formatting.

   • CSV: The generated file contains the data in text fields that are separated by the value separator that you select.

   • JSON: The generate file contains the data in machine-readable JSON format.
6. Click Confirm.

   The browser prompts you to either save or view the data. Depending on the format selected, the default file name is amc2-desktops_YYYY-MM-DD_HH-MM.csv or amc2-desktops_YYYY-MM-DD_HH-MM.html, where YYYY-MM-DD_HH-MM is the server-side time stamp of when the file was created.

The following data is exported for each application that meets the filter criteria.

• Operating system name

• Operating system version

• Operating system architecture

• Owner name

• Owner email address

• Time stamp of last contact

• Host name

• IP address

• Name of active rule set

• Agent version

• Number of secure JRE versions installed on the desktop

• Number of insecure JRE versions installed on the desktop

• Desktop groups and the value of the group property for any group that includes the desktop

• Latest Usage column that indicates timestamp of most recent usage for the respective Java version

Edit Desktop Properties

The Advanced Management Console enables you to edit the desktop (user) properties such as First Name, Last Name, and Owner Email.

To edit the desktop properties:

1. In the Advanced Management Console UI, click the Desktop tab.
2. Ensure Display is set to Desktop.
   The Other Actions button is enabled only if the Desktop display option is selected.
3. Select the desktop whose properties need to be edited.
4. Select the Properties icon in the Display As: field.
5. Click Other Actions and then edit User Properties.
6. In the Edit User Properties dialog, you can edit any of the following fields:
   • First Name
   • Last Name
   • Owner E-mail

   Note:

   These fields show the existing values of the three properties. The fields are empty if they are not initialized while agent registration.
7. Click Save.

Refresh the page to view the edited user properties. The Advanced Management Console server also initiates a command to the agent to edit the properties in the AMCUser.properties file located in the agent-bundle-{OS}\AMC_Agent\conf directory in localhost.

If you had skipped the optional user properties initialization step during agent registration, then this command will create an AMCUser.properties file with the edited properties.

Select the Commands tab on the Status page to check the status of the command.

Set Java Auto Update for Desktops

Java has a mechanism which checks for and installs new versions of Java in the background. As the Advanced Management Console provides finer-grained control of Java Runtime Environment (JRE) management on dekstops, an option is provided in the Desktop tab to enable or disable Java Auto Update on each desktop.

To enable or disable Java auto update:

1. In the Advanced Management Console , click the Desktop tab.
2. Ensure that the Desktop is selected in the Display drop-down list.

   The Other Actions button is available only with the Desktop display option.

3. Ensure that the Table icon is selected.
4. (Optional) Set the filter criteria to show only the desktops for which you want to enable or disable the auto update.
   1. Click Add Criteria .
   2. Select the filters and set the values for each filter that you select.

   The agent auto update is enabled or disabled only for the desktops that match the criteria. If no filters are set, then the agent auto update is enabled or disabled for all desktops.

5. Click Other Actions and then select Set Java Auto Update for Desktop(s) to display the Set Java Auto Update for Desktop(s) dialog.
6. Select the target desktops by selecting either of the following options:
   • Selected Desktops: Shows the number of desktops selected.
   • All Filtered Desktops: Shows the number of filtered desktops included.
7. Select Enabled to enable Java auto update or Disabled to disable it.
8. Click Confirm.

The Java Auto Update mechanism is now enabled (or disabled) on the selected desktops.

Desktop Properties

The Advanced Management Console agent collects information about the desktops managed by Advanced Management Console . The properties describe such things as the JRE versions, the operating system, and the deployment rule set for each desktop.

The following table describes the desktop properties that are shown when the display option is set to Desktop. Properties that are shown only in the properties view are indicated by an X in the Properties View Only column.

Property	Description	Properties View Only	Optional
Active Rule Set	Name of the active rule set, if any		X
Architecture	Architecture of the JRE, for example, 32-bit	X
Command Queue	List of commands executed for the desktop, the status of each command, and any additional details, such as the name of the deployment rule set that was pushed	X
First Name	First name of the registered user of the desktop	X	X
Host Name	Host name of the desktop	X
IP Address	IP address of the desktop	X
Java Vendor	Name of the vendor that distributed the JRE	X
Java Versions	List all web-enabled JREs found on the desktop.		X
Last Contact	Time stamp of the last contact with the agent
Last Name	Last name of the registered user of the desktop	X	X
OS	Operating system that the desktop is running
OS Architecture	Architecture of the operating system that the desktop is running, for example, 64-bit	X
OS Family	Operating system for the desktop	X
Other JREs	Lists all other JREs (not web-enabled) found on the desktop.
Owner Email	Email for the registered user of the desktop		X
Secure	Flag that indicates if the JRE is a secure version. A check mark means that it is secure.	X
Path	Path to the location of the JRE. If the JRE is in more than one location, then all paths are shown, separated by semicolons (;).	X
Version	Version of the Advanced Management Console agent installed on the desktop

When the display option is set to something other than Desktop, the table shows the values for the selected filter criteria for desktops and the number of desktops that match each value.

Web-Enabled JREs

The Advanced Management Console agents can detect whether or not the Java Runtime Environments (JREs) are web enabled. If the JREs are web enabled, then they can be used to run applets and Java Web Start applications.

The Advanced Management Console can detect what JREs are actually used by Java Plugin or the Java Web Start to run Rich Internet Applications (RIAs). These web-enabled JREs are displayed in the Java Versions column of the Desktop Properties and in the Web Enabled JREs table in the Properties view. To view the Web Enabled JREs table, in the Desktops tab, select a Desktop, and click the Properties icon. Details of the selected desktop are displayed in the following tables: Web Enabled JREs, Installed JREs, and Command Queue. All the other JREs are listed in the Other JREs column of the Desktop tab.

You can also view the web-enabled JREs when you select either the JRE Full Version or the JRE Major Version from the Display drop-down list in the Desktop tab.

Desktop Properties Shared With Advanced Management Console Server

When the Advanced Management Console agent registers, it sends some information (Desktop Properties) to the Advanced Management Console server. This is information pertaining to both the Java Usage as well as the Java Runtime Environment (JRE).

The agent sends the following information about itself to the server:

• First Name (Optional)

• Last Name (Optional)

• Email (Optional)

• Heartbeat: Current time stamp of the agent trying to register.

• IP Address

• Host Name

• OS Architecture, for example 64–bit

• OS Version, for example, 10.9.5

• OS Name, for example, macOS

The values for First Name, Last Name, and the Email are the values entered in the AMCUser.properties file, which is the properties file of the Advanced Management Console agent. If the properties file is absent or the agent chooses to leave some of these values empty, then the values of the three properties are reported as null. Once the agent starts running, with the usage tracking record configured, details, such as the usage tracking records for webstart applications, applets — both jnlp and html, and the standalone applications are collected and shared periodically with the Advanced Management Console server.

The agent also periodically scans for JREs on the Desktop and shares the following information with the server:

• Java Version (both major and minor)

• Architecture

• Vendor

• Path where the JRE is installed

• Type of installation

• Whether the JRE is web enabled

Filter Criteria for Desktops

The filter criteria available in the Desktops tab is used to generate reports about the desktops managed by Advanced Management Console . The filters and the values chosen provide administrators with specific information about the desktops and JRE versions in use in the enterprise.

The following table describes the filters that are available for desktops, and indicates if the criteria is set as the display option or as a filter. For filters, the valid values are provided in the drop-down list, except where noted in the description.

Criteria	Description	Display Option	Filter Criteria
Desktop	List of desktops managed by AMC	X
JRE Major Version	Major version of the JRE, such as 1.7.0 or 1.8.0.	X	X
JRE Minor Version	Version number of the update release for a major release. The JRE major version filter is also shown when this filter is selected.		X
JRE Full Version	Major and minor version of the JRE, such as 1.7.0_67 or 1.8.0_40	X
JRE Architecture	Architecture of the JRE, such as 32 for the 32-bit JRE	X	X
JRE Security	Security status based on the JRE security baseline. Set the filter to show desktops where all installed JREs are secure, all installed JREs are insecure, or some installed JREs are insecure.		X
OS Family	Operating system for the desktop	X	X
OS Version	Version of the operating system. The OS family filter is also shown when this filter is selected.		X
OS (Family + Version)	Family and version of the operating system	X
OS Architecture	Architecture of the operating system	X	X
Last Contact	The following desktop states are listed in this drop-down list: Retired, Offline, and Online. Set the filter to display the desktop state: Retired: a desktop that hasn't contacted the AMC server for more than a month. It may happen that a desktop is actually on, but for some reason the AMC agent cannot contact the server. See Unregistering Advanced Management Console Agents and Usage Tracker Properties in the Advanced Management Console Installation and Configuration Guide for instructions used in removing Retired desktops. Offline: a desktop that hasn't contacted the AMC server for more than a day but less than a month. Online: desktops that have contacted the server in the last 24 hours.		X
Owner First Name	First name of the registered user of the desktop. Enter the name to match.		X
Owner Last Name	Last name of the registered user of the desktop. Enter the name to match.		X
Owner Email	Email of the registered user of the desktop. Enter the email address to match.		X
Active Rule Set	Name of the active rule set installed on the desktop	X	X
Rule Set Status	Status of the request to push a rule set to the desktop	X	X
Agent Version	Version of the AMC agent that is running on the desktop		X
Desktop-group	Filter for each desktop group that is defined, if any. Desktop-group is the name of the group.	X	X

JRE Security Baseline

The JRE security baseline identifies the latest version of the JRE that contains security-related changes. A baseline is identified for each JRE family. The Status tab of Advanced Management Console shows the current security baseline.

The Java Security Baseline section of the Status tab shows the following information:

• URL: Location from which Advanced Management Console downloads information about the security baseline version

• Baseline Date: Date and time that the security baseline at the location identified by the URL field was last updated

• Baseline: The security baseline version for each JRE family

• Last Check: Date and time that information about the security baseline was last checked by the Advanced Management Console

JRE Management Architecture

The Java Runtime Environment (JRE) management workflow consists of the following components: User Interface (UI), Server, and agents.

This topic describes the JRE architecture:

• UI: The user interface for JRE Management is facilitated through the Desktop and the Status tabs in the Advanced Management Console

  • Desktops: In the Desktops tab, select required desktops, where a JRE should be installed or uninstalled, and click Install JRE or Uninstall JRE respectively.

  • Status: In the Status Tab, you can see view the details of all the scheduled actions (commands) with information about the number of desktops, where each action is completed, failed, or in progress.

  • Installer: In the Installers tab, you can add Java versions and configure them for both enterprise and non-enterprise JREs. Enterprise JREs are similar to .msi packages, which contain both JRE packages and configuration files, while non-enterprise JREs don’t contain any configuration files. Non-Enterprise JREs cannot be configured. They are used without configuration.

• Server/Database: The information about each install JRE or uninstall JRE action is stored. Each action contains information about all desktops, where it is targeted to, as well as status on each desktop

• Agents: The agent actions perform the JRE installation and uninstallation processes.