Getting Started with Numara® Asset Management Platform
Note

Numara® Software, Inc. reserves the right to make changes in specifications and other information
contained in this document without prior notice. The reader is advised to consult Numara® Software, Inc.
to determine whether any such changes have taken place.
Under no circumstance and to the minimum extent permitted by law, including none, shall Numara®
Software, Inc. be liable for any damages whatsoever, including but not limited to consequential or
incidental damages due to loss of business, loss of time, loss of information, loss of profit or loss of
opportunities, arising in whole or part out of or related to this manual or the information contained in it,
even if Numara® Software, Inc. has been informed of such danger or should have been informed or is in
possession of knowledge of such danger or implications.
This product and documentation are provided on a RESTRICTED basis. Use, duplication, or disclosure by
the US Government is subject to restrictions set forth in Subparagraphs (c) (1) and (2) of the Commercial
Computer Software Restricted Rights at 48 CFR 52.227-19, as applicable.

1994 - 2010© Copyright Numara® Software, Inc.


Portions Copyright© 1989-95 GROUPE BULL
Portions Copyright© 1999-2000 Dave Smith
Portions Copyright© 1998, 1999, 2000 Thai Open Source Software Center Ltd
Portions Copyright© 2001 by First Peer, Inc.
Portions Copyright© 1995 Eric Young
Portions Copyright© 1994, Tom Boutell, Cold Spring Harbor Labs
Portions Copyright© 1991 by Ozan S. Yigit
Portions Copyright© 1995-1998 Jean-loup Gailly and Mark Adler
Portions Copyright© 1999 - 2005 NetGroup, Politecnico di Torino (Italy)
Portions Copyright© 2005 - 2008 CACE Technologies, Davis (California)
All rights reserved.

This document may not be reproduced in part or whole by any means, for any purpose or transmitted in
any way, except small quotations not exceeding one thousand characters and in such case only with clear
reference to the source and mentioning the Numara® Software, Inc. copyrights, without the express written
permission of Numara® Software, Inc.

Numara® Software, Inc.


2202 North West Shore Blvd. Suite 650
Tampa, FL 33607
USA
http://www.numarasoftware.com/

Numara, the Numara Software logo, Track-It! and FootPrints are registered trademarks of Numara Software,
Inc. Microsoft is a registered trademark and Windows is a trademark of the Microsoft Corporation. Pentium
is a trademark of the Intel Corporation. All other marks are property of their respective companies.
Introduction
The Numara® Asset Management Platform (NAMP) is a unique solution for managing and securing systems that
provides a global overview of the complete infrastructure through its automated administration tools and its
security functionalities. Once installed on all systems, the NAMP agents allow the administrator to monitor
all devices from the NAMP administration console.
The Numara Asset Management Platform is composed of a Master server, a single agent installed on all devices,
relay agents for an optimised architecture, a database and a single administration console.

Organisation
This manual is designed for the new user of the Numara Asset Management Platform as well as users that
acquired new functionalities and are trying to familiarise themselves with these. It provides you with detailed
examples on specific topics such as step-by-step instructions on how to create your first objects and execute
operations as well as setting up the security in the software.
The examples in the chapters of this manual assume that the Numara Asset Management Platform and its
components were installed as explained in the Installation manual with all their default values.
The manual is divided into the following sections and topics:

Section I - Basic Objects and Functionalities


This first section of the Getting Started manual introduces you to the basic objects and functionalities of the
Numara Asset Management Platform. These objects are common to all modules and specific functionalities of the
suite. It is therefore recommended to follow the order of the chapters in this manual to arrive at the required
proficiency regarding these objects, their functioning and possibilities and the impact they have on other objects
and modules of the suite. The section has the following chapters:
• First Steps in the Console - Topology, Direct Access, Remote Control
• Inventory Step-by-Step - Hardware and Software Inventory
• Queries and Device Groups Step-by-Step
• Configuration Management Step-by-Step - Operational Rules
• Directory Server Synchronisation Step-by-Step - Device Groups, Administrator Groups and User Groups
• Reports Step-by-Step

Section II - Advanced Management Suite


This second section of the Getting Started manual introduces you to the advanced functionalities of the
Numara Asset Management Platform and their specific objects. The examples and exercises in these chapters are
based on those of the first section; we therefore recommend that you work through those first.
• Operating System Deployment Step-by-Step
• Software Distribution Step-by-Step
• Resource Monitoring Step-by-Step
• Application Management Step-by-Step
• Power Management Step-by-Step
• Peripheral Device and Data Control - Step by Step
• Patch Management Step-by-Step
• Vulnerability Management Step-by-Step
• Device Compliance Step-by-Step
• Setting Up Security

What’s New in this Version


The main new features and changes since the last version are the following:
• A new parameter was added to the safe reboot functionality of the patch management that allows locked
sessions to be bypassed.
• A new system variable was added to the Console and new parameters were added to the kiosk.ini file to
manage the accessibility of the Application Kiosk page of the browser agent interface.
• A new parameter was added to the timer module to manage timers related to specific users and a new
operational rule was added to be able to configure the module.

Further Documentation
In addition to this little manual you will find detailed information on all possible aspects and topics regarding the
Numara Asset Management Platform in subject oriented manuals, which are located on the Numara Asset
Management Platform Installation DVD under the /docs directory in their respective language directories. There
you will find a reference manual containing detailed information on general topics such as all parameters,
modules, security, as well as more technical information on topics such as the autodiscovery.
Contents
Introduction
Section I - Basic Objects and Functionalities
Chapter 1 - First Steps in the Console
1.1 Populating in the Device Topology
1.2 Remote Control
1.3 Direct Access
1.4 User Preferences
Chapter 2 - Inventory Step-by-Step
2.1 Device Inventory
2.2 Device Group Inventory
2.3 Inventory Options
Chapter 3 - Queries and Device Groups Step-by-Step
3.1 Queries
3.2 Device Groups
3.3 Options
Chapter 4 - Configuration Management Step-by-Step
4.1 Operational Rule Examples
4.1 Rule Options
Chapter 5 - Directory Server Synchronisation Step-by-Step
5.1 Synchronising with Active Directory
5.2 Options
Chapter 6 - Reports Step-by-Step
6.1 Report Examples
6.2 Report Options
Section II - Advanced Management Suite
Chapter 7 - Operating System Deployment Step-by-Step
7.1 Operating System Deployment
7.2 Options
Chapter 8 - Software Distribution Step-by-Step
8.1 Software Distribution Examples
8.2 Software Distribution Reporting
8.3 Software Distribution Options
Chapter 9 - Resource Monitoring Step-by-Step
9.1 Resource Monitoring Examples
9.2 Monitoring Options
Chapter 10 - Application Management Step-by-Step
10.1 Managed Application Examples
10.2 Application Management Reporting
10.3 Application Management Options
Chapter 11 - Power Management Step-by-Step
11.1 Power Management Procedures
11.2 Power Management Reporting
11.3 Options
Chapter 12 - Peripheral Device and Data Control - Step by Step
12.1 Device Management Procedures
12.2 Options
Chapter 13 - Patch Management Step-by-Step
13.1 Patching Your System
13.2 Patch Reporting
13.3 Patch Management Options
Chapter 14 - Vulnerability Management Step-by-Step
14.1 Making Your System Secure
14.2 Vulnerability Management Options
Chapter 15 - Device Compliance Step-by-Step
15.1 Compliance Rule Examples
15.1 Compliance Reporting
15.2 Rule Options
Chapter 16 - Setting Up Security
16.1 Capabilities and Access Rights
16.2 Security Considerations
16.3 Basic Operation Principles
16.4 Specific Cases
16.5 Scenarios
Section I - Basic Objects and Functionalities


This first section of the Getting Started manual introduces you to the basic objects and
functionalities of the Numara Asset Management Platform. These objects are common to all
modules and specific functionalities of the suite. It is therefore recommended to follow the
order of the chapters in this manual to arrive at the required proficiency regarding these
objects, their functioning and possibilities and the impact they have on other objects and
modules of the suite. The section has the following chapters:
• First Steps in the Console - Device Topology, Direct Access, Remote Control and User
Preferences
• Inventory Step-by-Step - Hardware and Software Inventory
• Queries and Device Groups Step-by-Step
• Configuration Management Step-by-Step - Operational Rules
• Directory Server Synchronisation Step-by-Step - Device Groups, Administrator Groups and
User Groups
• Reports Step-by-Step
All examples and exercises assume that you have installed the Numara Asset Management Platform and its
components, including any additional ones, as explained in the Installation manual with the default values.
Chapter 1 - First Steps in the Console
Once you have rolled out agents in your network you can watch your database fill up with information about your
managed devices, being sent by the agents running on these machines as they finish installing and come on line.

1.1 Populating in the Device Topology


A good starting point to watch this is the Device Topology node, where you will see all managed devices
appearing one after the other in their NAMP hierarchy as the type of machine they represent.
Select the Device Topology node in the left window pane, then your master. Then select the Graph tab in the
right window pane. The tab pane will now display the network hierarchy of the devices which you just installed
and rolled out, with the master server as its central point. For more information on the graph and its
possibilities please refer to the respective chapter in the Numara Asset Management Platform Console Guide.
This type of graph is also available for the user groups, inventories and vulnerabilities.

If you do not have the graph, you may see your clients coming online by first selecting the master in the left
window pane; the right window pane should then display the relay under the Members tab. When you click the
relay in the left window pane, its Members tab will display all managed devices as they come online. The
icon representing a device as a node shows which function the device has in the network, i.e. whether it is a
simple client, a relay or the master. The status of the device is expressed by the colour of the screen in the
device icon; in this situation they should all be green, for a status of online with no problems. If the agent
has been able to determine the operating system, this is also displayed in the icon: client with Windows OS,
with Linux or with Solaris.
Subnodes
When you select one of the managed devices in the left window pane, for example the master, you can see all the
information it provides in its tables or through its list of subnodes:
• Agent Configuration - this node provides access to all configuration settings of the agent running on the local
client.
• Direct Access - if you need to see or modify specific settings on a client you may do so via this node.
• Remote Control - in this node you may establish a remote control connection with the currently selected
devices.
• Inventory - here you will find all possible information on hardware, software, custom, security, patch, power
management and vulnerability inventory of the client.
• Assigned Objects - this node groups all objects which are assigned to the currently selected device.
• Events - this node provides access to all events concerning the selected device.
Tabs
The tabs in the right window pane of the master also provide some information:
• Members tab - This table lists the devices which are located under the master. For our case this should be the
manually installed relay. When you click the relay and then its Members tab you should see the list of all
devices to which the agent was rolled out.
• Parent Device Groups tab - this tab lists all groups of which the currently selected device is a member. If you
reselect the master in the left window pane, this tab will display already one group, called All Devices, even
though we have not created any. However, we imported the Out-of-the-Box objects that also include this one
group.
• Graph tab - as you have already seen above this tab displays your newly installed device topology in graphical
format.
• General tab - this tab displays all available information on the selected device, such as name, IP address,
topology type, OS, agent version, if it is a patch manager, a package factory or a scanner, etc.

1.2 Remote Control


From this location you may take over the control of the remote devices that you have just installed. To do so
proceed as follows:

If you are using NAT configurations the devices cannot be accessed via Remote Control and Direct
Access.

1 Select one of the devices to which you rolled out the agent in the left window pane under the Device Topology
node, or the relay.
2 Select the Remote Control node of the device.
3 An identification window appears on the screen, in which you must provide a valid login and password for the
remote device.

4 Click the Edit->Connect menu item or the respective icon in the icon bar.
5 The Connection Status appears on the screen.
6 Once the connection is correctly established, the screen of the target client appears in the right window pane.
7 You may now execute any required functions or manipulation on the target machine.
8 If you have the remote device in view, you will see that the NAMP icon in the systray, which normally is
blue and oscillates green when the agent is busy, has turned yellow to indicate that the client has
been taken over via remote control.
9 Now we will try some operations on the remotely controlled device:
a Start the file Explorer on the remote device and close it.
b Open a text editor and create a new file. Save it under c:\temp as test.txt.
c You may also reboot the remote device by clicking the Reboot Remote Device icon in the tool bar.
Click Yes in the confirmation window to confirm the reboot.
d After the device is up and running again you can copy some text from your local device to the text file you
just created under step b on the remote device.
1 To do so open Notepad, for example, type some text, select it and then copy it to your local clipboard
using CTRL + C keyboard shortcut.
2 In the Remote Control Console window open the test.txt file on the remote device.
3 Click the Send Clipboard icon in the tool bar. The contents of the local clipboard are copied to the
clipboard of the remotely controlled client.
4 Now place the cursor at the end of the test.txt file and use the CTRL + V keyboard shortcut to copy the
content to the file. Save it.
e You may do the same operation in the other direction using the Retrieve Clipboard icon.
f You can also retrieve the test.txt file from the remote device and save it on your local device.
1 Select the File Transfer icon in the tool bar.
2 The File Transfer window opens on the screen. This window allows you to copy files from the local to
the remote device and vice versa.
3 Find the source file, i.e. the test.txt file to be copied in the tree hierarchy of the remote device and select
it.
4 Select the target directory, i.e. c:\temp on your local device.
5 Click the arrow between the two fields to start the transfer. The transfer may be stopped, and the file
copy thus cancelled, by clicking the stop transfer button.
6 Select the Close button at the bottom of the window when all required files were transferred.
g Delete the test.txt file on the remote device in the same way as you would do on your local device.
10 To disconnect now select the Disconnect icon in the tool bar.
11 A confirmation window appears. Click the Yes button to continue.
12 The connection will be interrupted and the image of the remote screen disappears from your right window
pane.

1.3 Direct Access


Some parts of the remote devices, such as the file system, the Windows Registry and the services, may also be
accessed via the Direct Access node in the console. To do so proceed as follows:

If you are using NAT configurations the devices cannot be accessed via Remote Control and Direct
Access.

1 Select one of the devices to which you rolled out the agent in the left window pane under the Device Topology
node.
2 Select the Direct Access node of the device.
3 If you are using the same device as for the Remote Control example, the connection will be established
directly, as you have already provided an identification. If you are using another device the Identification
window will appear and you must provide a valid login and password for the selected device.

4 Once the connection is established, you can see the available parts of the remote system which you can access:
• File System
• Registry
• Services
• Process Management
• Windows Events
File System
1 First select the File System node.
2 The file system of the remote device will be displayed in a way very similar to Windows Explorer. It allows you
not only to view a device’s complete directory structure with its files and folders but also to manipulate them:
a Go down in the hierarchy to C:\temp. Here we will create a new directory:
1 Choose the Edit->Create Directory menu item or click the respective icon in the icon bar.
2 The Create a new Directory popup dialog box opens.

3 Enter Test as the name for the new directory then click OK to confirm.
b To edit an existing file on the remote device, such as a configuration file, proceed as follows. Be aware
that, for performance reasons, the file must be smaller than 200 KB to be editable.
1 In the table in the right window pane select the text file to be edited, e.g. go down the directory structure
to the config directory of the NAMP client and select the relay.ini file. We will turn the currently
selected device from a simple client into a relay.
2 Select the Edit->Edit File menu item or the respective icon in the icon bar.
3 An Edit Text File window opens on the screen with the contents of the file.
4 For the first entry, called IsEnabled, modify the value from 0 to 1 and then select the OK button at the
bottom of the window to confirm the modification.

c You may also transfer files between the remote and local device in the file system. This works in exactly
the same way as described above under the Remote Control chapter.
Registry
1 Now select the Registry node in the left window pane.
2 Browse down into the structure of the remote registry to key HKEY_LOCAL_MACHINE/SOFTWARE/Numara
Software/Numara AMP.
3 Now create a new key by choosing the Edit->Create Key menu item or the respective icon in the icon bar.
4 The Create New Key popup dialog box opens.
5 Enter Test Key as the name for the new key then click OK to confirm.

6 The new key will be created directly and selected.


7 Now we will create a string value for the new key.


8 For this select the Edit->Create String Value menu item or click the respective icon in the icon bar.
9 The new value will automatically be created under the key and displayed in the table of the right window
pane.
10 To name the newly created value, either choose the Edit->Properties... menu item, click the respective icon
in the icon bar, or right click the relevant value in the right pane and choose Properties... in the
displayed contextual menu.
11 The Properties dialog box appears on the screen. Enter the following values:
Value
Enter the name for the newly created value, e.g. Test Key Value.
Data
Enter here “This is a test for the registry”.

12 Click OK to confirm the new value.


13 Now, to delete the new value select the Edit->Remove Value menu item or click the respective icon in the
icon bar.
14 Click Yes in the confirmation message box.
15 The value will be deleted immediately.
16 To delete the Test Key select it and then click the Edit->Remove Key menu item or click the respective icon
in the icon bar.
17 Again click Yes in the confirmation message box.
18 The key will be deleted immediately.
Services
1 Now select the Services node in the left window pane.

Be aware that the NAMP agent may NOT be stopped or restarted from this location.

2 The table in the right window pane displays the list of all services on the remote device.
3 Here you can start or stop services and configure startup options.
4 Select a service which is currently stopped.
5 Then select the Edit->Start menu item or the respective icon in the icon bar.
6 The service will be started directly.
7 Select the now running service to stop it again by selecting the Edit->Stop menu item or the respective icon
in the icon bar.
8 The service will be stopped immediately.
9 Now select another service and restart it by selecting the Edit->Restart menu item or the respective icon
in the icon bar.
10 You may also modify some values of a service, such as the display name or the startup type.
11 To do so select the Numara Asset Management Platform Agent service and then the Edit->Properties... menu
item or the respective icon in the icon bar.
12 The Properties dialog box appears on the screen.
13 Change the startup type here from Automatic to Manual.
14 Click OK to confirm the modification.


15 Repeat steps 11 to 14 and undo the modification.
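
A post-exercise check for the Remote Control and Direct Access walkthroughs above, as an added example that is not part of the Numara manual: run in PowerShell on the managed Windows device, it reports test artefacts left behind and whether the agent service is back on automatic startup. It assumes that the service name shown in step 11 is the service's display name and that relay.ini stores the entry as IsEnabled=1; the relay.ini path is a parameter you supply.

```powershell
# Added example, not part of the Numara manual. Run on the managed Windows
# device once the Remote Control and Direct Access exercises are finished.

function Get-ExerciseLeftovers {
    param(
        # Optional full path to the agent's relay.ini. The manual only says it
        # lies in the config directory of the NAMP client, so pass the path
        # that applies to your installation.
        [string]$RelayIniPath
    )

    $findings = @()

    # Registry exercise, steps 13 to 18: Test Key should be gone again.
    $regKey = 'HKLM:\SOFTWARE\Numara Software\Numara AMP\Test Key'
    if (Test-Path -LiteralPath $regKey) {
        $findings += "Registry key still present: $regKey"
    }

    # test.txt is deleted in Remote Control step 9g; the Test directory from
    # the File System exercise is created but never removed by the steps.
    foreach ($path in 'C:\temp\test.txt', 'C:\temp\Test') {
        if (Test-Path -LiteralPath $path) {
            $findings += "File system artefact still present: $path"
        }
    }

    # Services exercise, step 15: the agent must start automatically again.
    # Assumption: the name shown in step 11 is the service's display name.
    $name = 'Numara Asset Management Platform Agent'
    $svc  = @(Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$name'")
    if ($svc.Count -eq 0) {
        $findings += "Service not found by display name: $name"
    }
    foreach ($s in $svc) {
        # Win32_Service reports the Automatic startup type as 'Auto'.
        if ($s.StartMode -ne 'Auto') {
            $findings += "Agent service startup type is $($s.StartMode), not Automatic"
        }
    }

    # File System exercise, step b4: IsEnabled was set to 1, which turns the
    # client into a relay. Assumption: the entry is written as IsEnabled=1.
    if ($RelayIniPath -and (Test-Path -LiteralPath $RelayIniPath)) {
        $hit = Select-String -LiteralPath $RelayIniPath -Pattern '^\s*IsEnabled\s*=\s*1\s*$'
        if ($hit) {
            $findings += "relay.ini still has IsEnabled set to 1: $RelayIniPath"
        }
    }

    return $findings
}

# Print the findings, or a single line when nothing is left over.
$leftovers = @(Get-ExerciseLeftovers)
if ($leftovers.Count -eq 0) {
    'No leftovers from the exercises found.'
} else {
    $leftovers
}
```

Pass -RelayIniPath to include the relay.ini check; without it only the registry, file system and service checks run.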

1.4 User Preferences


The NAMP console provides the administrator with a number of options to configure the console's general look
and feel and its way of working. This is done via the User Preferences, which are accessible everywhere via the
Options menu.
To access the User Preferences window proceed as follows:
1 Select the Options->User Preferences menu option.
2 The User Preferences window opens on the screen.
3 Select the icons in the left window pane to move from one page to the next.
4 After you have set your preferences in all the tabs of the dialog box click the OK button at the bottom of one of
the pages to confirm all choices and entries and apply these to your configuration and close the window. To
cancel any changes and entries made click the Cancel button.
We will make the following changes to these options for illustration:
1 In the General tab you may define the general settings of your console window. In the Console Appearance
box:
• From the dropdown field Look’n Feel select another skin for the general appearance of the console. This
will change the colour scheme of the console window itself.
• In the Language dropdown field select Japanese.
• In the Time Zone box check the unselected radio button and in the now accessible field select the time
zone in which you are located.
• From the Date Format dropdown field select the date format you want to use.
• In the System Settings box modify the Auto LockDown Delay value to 0. This entry defines the maximum time
that may elapse without any keyboard or mouse input before the console is locked down for security reasons.
Once that time has elapsed the user/administrator must enter his logon again to unlock the console. The
default value is 600 seconds. For our tests set this value to 0, which deactivates the lockdown function,
so an unattended console stays unlocked for as long as this setting is in place.
2 Click the OK button to close the window and see the effect of the changes.
3 To open the User Preferences window again reselect the menu before the last and select the option at the
bottom.
4 In the window click the arrow on the first field to the right to select UK English as the Language again.
5 Click OK to confirm and close the window.
6 The console language is back to English.
7 Select the User Preferences window again.
8 Then select the Tables tab in the left window bar.
9 The Tables tab is for setting the properties of the tables in the right window pane of the console. Make the
following changes:
• In the Table-Row Settings box modify the colours for the table lines by clicking the Modify button. The
field to the left of the button displays the current colour. In the appearing window select a colour of your
choice. Then repeat the process for the even lines and also for the grid between the lines.
• In the Row Height field enter 15 to increase the height of the table rows.
• In the Automatic Refresh box move the cursor of the time scale to the left until the value to the right of
the Enable Regular Automatic Refresh field indicates 15 seconds. Now all right window panes that have
automatic refresh will be refreshed every 15 instead of the default 30 seconds.
• In the Paging Settings box change the value for the table rows per page to 15.

10 Now select the Fonts icon. In this page you may select the size and type of font to use.
  - Select a font type from the dropdown field.
  - The Font Preview box displays a Sample for the selected font and size.
  - You may also increase the size of the font as we have increased the row height.
11 The Object Assignments page defines the standard behaviour of the assignments between the NAMP objects. We will make no modifications here, as we will be using the predefined default schedule in our examples later.
12 Select the E-mail page. The parameters in this tab define the basic settings of the mail server in your organisation. This information is required to be able to execute a number of the examples we will define in later chapters, amongst others to send reports as e-mails and the notification option of the Task Management. The following parameters must be defined:
  - Server Name: Enter the name of your mail server to which all mail is sent for routing.
  - Port: Defines the port number of the mail server; the default value is 25.
  - Authentication: This field defines if the mail server requires authentication for its communication. Possible values are Force Authentification, Authenticate if possible or Never Authenticate. Select the value your mail server requires.
  - User Name: Enter into this field a valid login to the mail server. This may be any login, not necessarily that of the user defining his preferences via these options.
  - Passwords: The corresponding password.
13 Then click the OK button to confirm all modifications and to close the window.
14 You can now see the main modifications you made to the console appearance.
15 To make the e-mail system work for the later examples two more steps need to be made in the console:
16 Go to the Global Settings->System Variables node and select the Mail tab.
17 Select one of the table rows in the right window pane and then the Edit->Properties... menu item or click the
respective icon ( ) in the icon bar.
18 The Properties dialog box appears on the screen.
19 Enter the required values as above in the E-mail page.
20 Click the OK button to confirm and close the window.

21 Now go to the Global Settings->Administrators node and select the admin entry in the left window pane. We
will configure this administrator here for e-mailing, as we will execute all our examples as this administrator.
22 Select one of the table rows in the right window pane and then the Edit->Properties... menu item or click the
respective icon ( ) in the icon bar.
23 The Properties dialog box appears on the screen.
24 Find the E-Mail field and enter your e-mail address.
25 Then click the OK button to confirm and close the window.

26 The e-mail function is now set up.


27 Now open the User Preferences window again and modify any of the settings you don’t like or return to the default values.

2 Inventory Step-by-Step
The agent of the Numara Inventory Manager allows you to collect any type of inventory data for the individual machines of your network. The collected information is related to the individual properties of the object and contains extensive information, such as the installed processor and its type, speed, RAM, BIOS name and date, the software installed on the managed devices as well as any other custom defined attributes, such as the geographical location or the value of a registry or configuration file entry. Not all of the above, however, will be available for all platforms.

The NAMP agent also creates an inventory of patches missing on the devices, of vulnerabilities present on them, and
collects a number of parameters regarding the device’s security situation. The Custom inventory allows you to collect a
number of specific device parameters you may need in your day to day network tasks. These types of inventory are filled
in either via operational rules or device scanning and are therefore still empty when being selected here for the first time.
You will find more information on how to fill these in under chapters Configuration Management Step-by-Step, Patch
Management Step-by-Step and Vulnerability Management Step-by-Step.

The different types of inventory are available:


• for devices
• for device groups
• on the agent interface for the local device.
The types of inventory may be accessed via the Inventory node
• for a device
  - via the Device Topology top node or
  - via a device group node of which the respective device is a member.
• for a device group
  - via the group’s node

All types of inventory are by default generated and uploaded when the agent is started. However, as the collection may be
extensive, this may take a while before all information is gathered and uploaded to the database. When you access the
Hardware Inventory and Software Inventory for the first time, they may still be empty.

2.1 Device Inventory


The inventory for a device is accessed through the device’s node and its Inventory subnode via the Device
Topology. For our examples here we will select the Device Topology node and then the Inventory subnode of our
master. As you can see in the graphic below, the Inventory node displays a separate node for all different types of
inventory available. The table in the right window pane also indicates the date and time at which the respective
inventory was last updated.

2.1.1 Hardware Inventory


The hardware inventory for devices shows a number of objects which may or may not be applicable to all
supported operating systems, i.e. Windows, Solaris and Linux. Each of these objects will be displayed split up
into object specific properties.
To get a first view of the Hardware Inventory for the master do as follows:
1 Select your master device under the Device Topology node.
2 Then from its subnodes select the Inventory node.
3 The right window pane presents you now with the complete selection of available inventory types. Select
Hardware Inventory.
4 The right window pane now displays the most general level of hardware inventory for the master. The number
of objects shown depends on the operating system installed on the master, but the objects shown in the picture
below are a common minimum for all different operating systems.

5 If you double-click one of these entries, the Network Adapter entry for example, the right pane will show the
processor details as shown below. The amount of details displayed depends on the hardware object selected.

To display the history for an inventory refer to Option (a).

To display the hidden elements for an inventory refer to Option (b).

To add or remove an inventory object refer to Option (c).



2.1.2 Software Inventory


The Software Inventory node of the console displays a single list of all software packages found on the selected
device. The list is generated by the agent and uploaded into the database at regular intervals. As with the other
inventory information, all entries are stored in the database to be available even if the actual device is off-line.
1 Click the Software Inventory node of the device in the left window pane.
2 Below this node you will find the Applications node. Select it.

3 The right window pane will now display all software products which the agent has found on the managed
device with some additional information as shown in the image above.
4 As this list may be very long it is probably paged. You may see this at the bottom of the console window where
the number of pages are indicated and the buttons for moving from one page to another are provided.

The number of lines to be displayed by page as well as a number of additional displaying parameters are
customisable via the User Preferences. For more information on this subject refer to chapter User Preferences
on page 49 in Section I of the console manual.

2.2 Device Group Inventory


The different types of inventory are also available for the device groups, offering an overview over a specific part
of your network, such as the Anti-virus situation of your laptops or the current situation regarding the RAM of the
machines in your development department. The inventory is accessible via the Inventory node below the
respective device group.

2.2.1 Hardware Inventory


The hardware inventory for groups shows a number of objects which may or may not be applicable to all
supported operating systems, i.e. Windows, Solaris and Linux. Each of these objects will be displayed split up
into object specific properties.
To get a first view of the Hardware Inventory do as follows:
1 Select the device group All Devices under the Device Groups node.
2 Then from its subnodes select the Inventory node.
3 The right window pane presents you now with the complete selection of available inventory types. Select
Hardware Inventory.
4 The Inventory node on the left expands to display the types of inventory and the right window pane now
displays the most general level of hardware inventory for the selected device group.
5 Select the Desktop Monitor option.

6 It has a number of properties, Instance Name, Monitor Manufacturer, Width, Height, etc.
7 Select the Name option.
8 The table in the right window pane will now display the list of monitor names found for all devices and the
respective count.

9 Now select the Bar Chart tab. It displays the same information as the Inventory tab in form of a bar chart.

10 The labels to the right of the chart provide the names of the different monitors found.

11 Now select the Pie Chart tab. This graphic displays again the same information in form of a pie chart.

2.3 Inventory Options


The following paragraphs will provide you with a number of options for the different inventory types.

(a) Inventory History


Numara Inventory Manager keeps track of the changes that occur with each inventory upload for all types of inventory. These changes may be seen in the History tab for each inventory type. This tab displays the inventory delta, i.e. the differences between the last state of the inventory and the newly uploaded inventory. The following exercise is valid for all types of inventory; we will do it here as an example for the hardware inventory.
1 After an initial upload of the inventory the History tab will be empty, as no modifications have yet taken place.
At the earliest you might see elements appear in this tab once a second inventory has been generated and
uploaded.
2 In the master’s File Explorer select any file, preferably a large one, and duplicate it.
3 Now restart the agent service via Services and Applications node of the Computer Management in Windows.
By default the agent is configured in such a way as to generate and upload all inventories when being started.

Be aware that restarting the NAMP agent via Windows is only done in this case as we are still very early in the
usage of the software. Once you have mastered a few more chapters of this manual restarting the agent will be
done as explained in chapter Configuration Management Step-by-Step and the operational rule called Reboot
Device.

4 Now go to your master device under the Device Topology node and open the Inventory->Hardware Inventory
node again.
5 Select its History tab.
6 You might have to wait a bit, as inventory generation tends to take some time.
7 Once the inventory is generated and uploaded, the History tab should display an entry with a name of Logical Disk, Free Space as its property name and a different old and new value, since the available free disk space on your device has changed.

(b) Hide Inventory Elements


All types of inventory have a third tab, the Hidden Elements tab. In this tab you may define inventory objects
which are not to appear in the History tab of the devices, which are currently of no use to you. The selection you
make in this tab is applicable to all devices, i.e. to the inventory of the master as well as that of the relay and all
rolled out clients. Same as with the History tab this system is applicable to all types of inventory, for our example
we will choose the hardware inventory again.
1 Select the Hidden Elements tab of your master hardware inventory.
2 The table is still empty as all history elements are still displayed in the History tab. Only once a history exists
can elements be moved to this tab, and only those which already exist in the history.

3 To move an element to the Hidden Elements tab now select the Edit->Hide Element menu item or select the
respective icon ( ) in the toolbar.
4 The Add Elements to Hide popup window appears on the screen.
5 It displays all elements which exist in the History tab.

6 Select the Logical Disk element to be removed from the general History tab.
7 Click OK to confirm and close the window.
8 The Logical Disk element will now be displayed in the table.
9 If you go back now to the History tab you will see that the table is empty.

If already other elements were present in the table in addition to the Logical Disk element, these will remain in
the list, only the Logical Disk element will disappear.
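
The inventory delta of Option (a) and the hidden elements of Option (b) can be modelled in a few lines. The following is an added example, not code from the manual or from NAMP; the snapshot layout, the function names and all sample values are assumptions made for illustration.

```python
"""Added illustration of an inventory delta with hidden elements (not NAMP code)."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Assumed snapshot layout: (object name, instance, property name) -> value.
Snapshot = Dict[Tuple[str, str, str], str]


class Change(NamedTuple):
    object_name: str
    instance: str
    property_name: str
    old_value: Optional[str]  # None: the property did not exist before
    new_value: Optional[str]  # None: the property is gone in the new upload


def inventory_delta(previous: Optional[Snapshot], current: Snapshot) -> List[Change]:
    """Differences between the last stored state and the newly uploaded one."""
    if previous is None:  # initial upload: nothing to compare, history stays empty
        return []
    changes = []
    for key in sorted(set(previous) | set(current)):
        old, new = previous.get(key), current.get(key)
        if old != new:
            changes.append(Change(*key, old, new))
    return changes


def visible_history(changes: List[Change], hidden: Set[str]) -> List[Change]:
    """Drop every change whose object was moved to the hidden elements."""
    return [c for c in changes if c.object_name not in hidden]


# Constructed sample uploads for one device (all values are made up).
FIRST_UPLOAD: Snapshot = {
    ("Logical Disk", "C:", "Free Space"): "41230 MB",
    ("Logical Disk", "C:", "Size"): "76316 MB",
    ("Network Adapter", "eth0", "IP Address"): "192.0.2.10",
}
SECOND_UPLOAD: Snapshot = {
    ("Logical Disk", "C:", "Free Space"): "40518 MB",  # a large file was duplicated
    ("Logical Disk", "C:", "Size"): "76316 MB",
    ("Network Adapter", "eth0", "IP Address"): "192.0.2.10",
    ("USB Controller", "0", "Name"): "Example USB Host Controller",  # new object
}

if __name__ == "__main__":
    delta = inventory_delta(FIRST_UPLOAD, SECOND_UPLOAD)
    for change in visible_history(delta, hidden={"Logical Disk"}):
        print(change)
```

In this model hiding works per object name, so hiding Logical Disk suppresses every Logical Disk change while changes to other objects stay visible.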

(c) Modify Hardware Inventory Filter for a Device


The list of inventory objects is a default list that may be modified to your requirements: you may add or remove objects or modify them. This is done via the concept of Inventory Filters which exist for the hardware and software inventory. In the exercise below we will add a WMI element from the standard hardware inventory of our relay.
1 Open the Global Settings->Inventory Filters->Hardware Inventory node.
2 Then select the Edit->Create Filter menu item or click the respective icon ( ) in the icon bar to create a new
hardware inventory filter.
3 The Properties popup window will appear on the screen.
4 Enter Relay Hardware Filter as the name for the new filter into the provided field.
5 Click OK to confirm and close the window.
6 The new filter will appear in the list, select it.
7 The filter has several subnodes as you can see; select the WMI Filters node. This node displays the list of WMI classes which are in the hwinvcfg.xml file. This file is part of the hardware inventory collection; it is made to suit the user’s needs.
8 As you can see in the table it lists a default set of WMI elements which are either included (ACCEPT) or not
included (REJECT) in the default hardware inventory.

9 One element which currently is not in the default inventory but still useful to monitor is the USB ports.
Therefore browse down in your list and double-click the USB Controller value.
10 The USB Controller values are now displayed, and you can see it is currently not included in the inventory.

11 Select a table row and then the Edit->Properties menu item or click the respective icon ( ) in the icon bar.
12 The Properties popup window will appear on the screen.
13 Select the ACCEPT value from the Action drop-down list.

14 Click OK to confirm the added inventory object and close the window.
15 Now our new hardware inventory filter is set up and must be saved. To do so select the Edit->Save menu item or click the respective icon ( ) in the icon bar.
16 The filter may now be assigned to the relay. For this select the Assigned Objects->Devices node under the
Relay Hardware Filter node.
17 To assign the filter to the relay select here Edit->Assign Device menu item or click the respective icon ( ) in
the icon bar.
18 A confirmation window appears on the screen. Click Yes to confirm the immediate activation of the
assignment.

19 The Assign to Device popup window will appear on the screen.


20 Select the All button ( ) in the left window bar.

21 Select the relay from the list.


22 Click OK to confirm the assignment and close the window.
23 The assignment process for the new filter is now directly started and will be used to generate the next
hardware inventory for the relay.
24 Once the filter is assigned, i.e. the Status field displays the value Assigned, you can regenerate a new
inventory now. To do so restart the relay agent via a Remote Control connection or if your relay is closely
located directly start it via the Services and Applications node of the Computer Management in Windows. By
default the agent is configured in such a way as to generate and upload all inventories when being started.

Be aware that restarting the NAMP agent via Windows is only done in this case as we are still very early in the
usage of the software. Once you have mastered a few more chapters of this manual restarting the agent will be
done as explained in chapter Configuration Management Step-by-Step and the operational rule called Reboot
Device.

25 Now go to your relay device under the Device Topology node and open the Inventory->Hardware Inventory
node again.
26 You might have to wait a bit, as inventory generation tends to take some time.
27 Once the inventory is generated and uploaded the list should include a value called USB Controller.

28 When you double-click the entry the detailed view opens in the console displaying information for all USB
slots of the device.

3 Queries and Device Groups Step-by-Step
The base for many operations executed in your network via the console are queries and device groups. Device groups are a way of organising all managed devices within your network. The structure defined through the groups is individual and freely configurable by the administrator. These groups may contain any type of device, i.e. clients, relays or even the master server. Devices may also be present in more than one group, for example, a Windows NT client may be in a group called NT Servers and at the same time in another group called Accounting Clients.
Groups may be created, for example, according to the following criteria:
• Geographical location of the devices: in this case the groups would be divided in the continents, countries,
cities, buildings, etc.
• Corporate structure of the managed devices: The organisation through groups could contain in this case the
administration and functional divisions of the company, such as Engineering, Support, Sales, Accounting,
Directors, etc.
• Characteristics of the devices:
  - this could mean a grouping according to the physical components of the clients such as the size of the RAM or hard disk, the type of the processor, etc.,
  - the clients could be organised according to their operating systems, etc., or
  - they may be organised according to the function they have within the network, such as relay, first level relay, second level relay, client, etc.
Queries in Numara AMP allow for the dynamic grouping of the clients into exactly these groups as you have
defined above according to the criteria that you have specified.
The out-of-the-box objects contain quite a number of queries and one device group populated by one of these
queries: All Devices, which contains - as the name already implies - all devices which have a NAMP agent
installed, such as the master, the relay and all clients to which the agent was rolled out.

Prerequisites
To execute the examples provided in this chapter we assume that:
• master, console and database are installed in their default directories.
• you have rolled out the NAMP agent to a number of devices as described in the Installation manual.
• a console is open and connected to the master.
• you have installed the out-of-the-box objects during the master installation.

3.1 Queries
Queries can be carried out on all Numara Asset Management Platform object types and objects (e.g. operational
rules, administrators, devices, etc.) and are either based on a single or multiple criteria and their values defined
by the administrator. These are used to group the target type according to certain criteria, such as for example to
find all managed devices in the network that have 1024 MB of RAM and put them into a specific device group.
Also they may be used in reports to define the contents of the report and find the data.

There are two types of queries in Numara Asset Management Platform: predefined criteria-based queries and free SQL queries. The examples in this chapter will include both types of queries, which serve as a base for other step-by-step examples further on, such as the operational rules, software distribution and patch management. Therefore we recommend that you stay as close as possible to the object names and their chosen options.

3.1.1 Criteria Queries


Queries may be composed of criteria which tell the agent on the targets what to check for. The criteria available to
the query depend on the Type of the query, thus not all existing criteria are available all the time.

Query 1: Query Collecting All XP SP2 Devices


The first query to be created is a criteria based query which will be used for a number of objects in other examples
of this section.
1 To create a query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the following data into the field and leave all others untouched.
  - Enter the name of the new query into the Name field, use All XP SP2 Devices for this case.
5 Click OK to create the query and to close the window.
6 The newly created query will directly appear in the table in the right window pane.
7 Now double-click the query in the table to access it. It will appear as a node in the left window and display its
tabs and contents to the right.
8 Select the Criteria tab in the right window pane.
9 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion menu item
or click the respective icon ( ) in the icon bar.
10 The Select Criterion popup window will appear on the screen. It displays the list of available criteria in its left
list field.

11 Select the criterion Operating System Name.


12 The Criterion Description box below shows two fields through which you may specify the contents of the
criterion. Do the following:
a In the Operator drop-down box select the value Contains.
b Enter XP into the Value field.
13 Click the Find ( ) button.
14 The Search Criteria popup appears on the screen. It provides the list of all operating systems found which
contain XP in their name.

15 Select the provided XP operating systems and click OK.


16 The selected option will now be displayed in the Value field of the Search Criteria window.
17 Modify the Operator to Equal to.
18 Click the Add button ( ) to add the criterion to the list.
19 Now select the criterion Operating System Revision.
20 The Criterion Description box below shows two fields through which you may specify the contents of the
criterion. Do the following:
a In the Operator drop-down box select the value Contains.
b Enter Service Pack into the Value field.
21 Click the Find button.
22 The Search Criteria popup appears on the screen. It provides the list of all operating systems revisions found
which contain Service Pack in their name.
23 Select the provided Service Pack 2 and click OK.
24 The selected option will now be displayed in the Value field of the Criterion Description window.
25 Modify the Operator to Equal to.
26 Click the Add button ( ) to add the criterion to the query.
27 Then click OK to confirm the new query content and to close the window.
28 All newly created queries are inactive, thus they must be activated before they can manage a group. To activate
select the green coloured option active instead of the currently displayed red option inactive in the Query
Status drop-down field.

29 In the Preview tab you can see a preview of the query’s results.

Query 2: Query Finding all Operational Rules of Type Software Distribution

The second example is a query of a type other than device, namely of type operational rule. With this query we want to find all operational rules which are of type Software Distribution (to be created in the Software Distribution and Operational Rules Step-by-Step chapters later on) to use as a base for a report, also later on in chapter Reporting Step-by-Step.
1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the following data into the respective fields and leave all others untouched.
a Enter the name of the new query into the Name field, use ORs of type SWD for this case.
b Select from the drop-down box of the Type field the Operational Rule value.
5 Click OK to create the query and to close the window.
6 Now double-click the query in the table to access it.
7 Select the Criteria tab in the right window pane.
8 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion icon ( )
in the icon bar.
9 The Select Criterion popup window will appear on the screen.
10 Select the criterion Type.
11 The Criterion Description box below shows two fields through which you may specify the contents of the
criterion.
12 In the Operator drop-down box select the value Equal to.
13 Click the Find button.
14 The Search Criteria popup appears on the screen. It provides the list of all operational rule types available.

15 Select the Software Distribution option and click OK.


16 The selected option will now be displayed in the Value field of the Criterion Description window.
17 Click the Add button ( ) to add the criterion to the query.

18 Then click OK to confirm the new query content and to close the window.
19 All newly created queries are inactive, thus they must be activated before they can manage a group. To activate
select the green coloured option active instead of the currently displayed red option inactive in the Query
Status drop-down field.
20 In the Preview tab you can see a preview of the query’s results.

Query 3: Reverse Query Finding all Devices without Firefox


This example query finds all devices on which the Firefox browser is NOT installed.
1 Go to the Queries top node.
2 Create a new query of type Device called Devices without Firefox.
3 To define the new criteria for the query choose the Edit->Add Criterion menu item or click the respective icon
( ) in the icon bar.
4 The Select Criterion popup window will appear on the screen.
5 Open the Software Inventory - Installed Software folder and select the Name option from the list.
6 Select the Contains option for the Operator, type Firefox in the Value field and click the Find button in the
Criterion Description box.
7 The Search Criteria popup appears on the screen with all applications that contain Firefox in their name.

8 Select the Firefox option and click OK.


9 The selected option will now be displayed in the Value field of the Criterion Description window.
10 Click the Add button ( ) to add the criterion to the query.
11 Now select the Version option from the Installed Software folder.
12 Select the Starts with option for the Operator, type 2 in the Value field and click the Add button ( ).
13 Then click OK to confirm the new query content and to close the window.
14 Check the Reverse Query Result box.

If the query results are not reversed, the query will find all devices on which Firefox version 2 is installed; our task here, however, is to find all those on which it is not yet installed.

15 To activate select the green coloured option active instead of the currently displayed red option inactive
in the Query Status drop-down field.

16 Go to the Preview tab to see a preview of the query’s results.

Query 4: Query Finding All Updated Devices


This query will find all devices that were updated within a certain time frame, for our example we will select one
month.
1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the name of the new query into the Name field, use Updated Devices for this case.
5 Click OK to create the query and to close the window.
6 Now double-click the query in the table to access it.
7 Select the Criteria tab in the right window pane.
8 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion icon ( )
in the icon bar.
9 The Select Criterion popup window will appear on the screen.
10 Select the criterion Last Update.

11 The Criterion Description box below now shows additional fields through which you may specify the
contents of the criterion.
12 In the Operator drop-down box select the value Greater than or equal.
13 Select the newly appeared Timeframe radio button.
14 Leave the preentered time value in the field next to it, -1 for one month ago.
15 Then select the corresponding unit from the drop down list to the right, Month.

16 Click the Add button ( ) to add the criterion to the query.


17 Then click OK to confirm the new query content and to close the window.
18 All newly created queries are inactive, thus they must be activated before they can manage a group. To activate
select the green coloured option active instead of the currently displayed red option inactive in the Query
Status drop-down field.
19 In the Preview tab you can see a preview of the query’s results.

3.1.2 Free SQL Queries


This type of query can be composed entirely freely in SQL syntax according to your requirements. It may be assigned to populate device groups and be used as the base for subreports; such queries may also be selected as static and dynamic objects within administrator or group security profiles.

Query 5: Devices On Which Word And Excel Are Installed


SQL-based queries may be used to define very specific cases which may not be done via the provided criteria, such
as finding more than one value of the same type.

In this example we need to use a free query as we try to find devices which have both Word and Excel installed.
For this a software inventory table needs to be called twice, and this is not possible via the criteria.
1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the required data into the following two fields and leave all others untouched.
a Enter the name of the new query into this field, use Devices with Word and Excel for this case.
b Check the field Free Query.

5 Click OK to create the query and to close the window.


6 The newly created query will directly appear in the table in the right window pane.
7 Now double-click the query in the table to access it. It will appear as a node in the left window and display its
tabs and contents to the right.
8 Select the SQL tab in the right window pane.
9 Enter the following query into the Sql Query text field:
SELECT DeviceName FROM Devices, SoftwareInventory s1, SoftwareInventory s2 WHERE
Devices.DeviceId=s1.DeviceId and s1.name like '%Word%' and s2.name like '%Excel%' and
Devices.DeviceId=s2.DeviceId

The query must start with SELECT.

The content of the query is case sensitive.

The FROM clause must include the base table linked to the query type: if the type is Device, the query needs to
include the Device table.
The query cannot include the following operators: COUNT, SUM, AVERAGE, MAX, MIN, as well as SQL
commands such as UNION, INTERSECT, EXCEPT, MINUS, etc.

10 Once the query is entered verify that the syntax and spelling is all correct.
11 For this select the Edit->Verify SQL menu item or click the respective icon ( ) in the icon bar.
12 The database will verify your syntax and display the result in the Sql Result field below. It will provide
information regarding any errors it found, the detail level of which is based on your database system.

13 Now that the query is finished and correct save it by selecting the Edit->Save Query menu item or click the
respective icon ( ) in the icon bar.
14 The SQL query will be saved to the database.
15 All newly created queries are inactive, so they must be activated before they can manage a group. To activate
the query, select the green coloured option active instead of the currently displayed red option inactive in the
Query Status drop-down field.
16 Go to the Preview tab of the query.
17 Here you can see the list of all devices which fulfil the criteria of the free query you just created.
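
The self-join from step 9 and the free-query restrictions listed under it, as an added example that is not part of the Numara manual or product: it runs the query against a small in-memory SQLite database with constructed rows and pre-checks a query against the stated rules. The names check_free_query, build_sample_db and device_names, the column types and the sample device names are assumptions made for illustration; the console's own Verify SQL check may behave differently.

```python
import re
import sqlite3

# Operators and commands the manual lists as not allowed in a free query.
FORBIDDEN = ("COUNT", "SUM", "AVERAGE", "MAX", "MIN",
             "UNION", "INTERSECT", "EXCEPT", "MINUS")

# The query from step 9, unchanged.
PAGE_QUERY = (
    "SELECT DeviceName FROM Devices, SoftwareInventory s1, SoftwareInventory s2 WHERE "
    "Devices.DeviceId=s1.DeviceId and s1.name like '%Word%' and s2.name like '%Excel%' and "
    "Devices.DeviceId=s2.DeviceId"
)

# Constructed variant that references SoftwareInventory only once.
SINGLE_ALIAS_QUERY = (
    "SELECT DeviceName FROM Devices, SoftwareInventory s WHERE "
    "Devices.DeviceId=s.DeviceId and s.name like '%Word%' and s.name like '%Excel%'"
)


def check_free_query(sql, base_table="Devices"):
    """Return the stated free-query rules that `sql` breaks (empty list = none)."""
    problems = []
    # Blank out quoted literals so that '%Max%' in a LIKE pattern is not read as MAX.
    bare = re.sub(r"'(?:[^']|'')*'", "''", sql)
    # Assumption: keywords are matched regardless of case.
    if not re.match(r"\s*SELECT\b", bare, re.IGNORECASE):
        problems.append("query must start with SELECT")
    for word in FORBIDDEN:
        if re.search(rf"\b{word}\b", bare, re.IGNORECASE):
            problems.append(f"forbidden operator or command: {word}")
    # Collect the table names between FROM and the next clause.
    tables = set()
    clause = re.search(r"\bFROM\b(.*?)(?=\bWHERE\b|\bORDER\s+BY\b|$)",
                       bare, re.IGNORECASE | re.DOTALL)
    if clause:
        for part in re.split(r",|\bJOIN\b", clause.group(1), flags=re.IGNORECASE):
            tokens = part.split()
            if tokens:
                tables.add(tokens[0])
    if base_table not in tables:  # table names are compared case-sensitively
        problems.append(f"FROM must include the base table {base_table}")
    return problems


def build_sample_db():
    """In-memory database with constructed rows; column types are assumptions."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Devices (DeviceId INTEGER PRIMARY KEY, DeviceName TEXT);
        CREATE TABLE SoftwareInventory (DeviceId INTEGER, name TEXT);
        INSERT INTO Devices VALUES (1, 'pc-both'), (2, 'pc-word-only'), (3, 'pc-excel-only');
        INSERT INTO SoftwareInventory VALUES
            (1, 'Microsoft Office Word 2007'), (1, 'Microsoft Word Viewer'),
            (1, 'Microsoft Office Excel 2007'),
            (2, 'Microsoft Office Word 2007'),
            (3, 'Microsoft Office Excel 2007');
    """)
    return con


def device_names(con, sql):
    """Run a query that passes the check and return its DeviceName column."""
    problems = check_free_query(sql)
    if problems:
        raise ValueError("; ".join(problems))
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    con = build_sample_db()
    # One row per matching (s1, s2) pair: a device with two Word entries is listed twice.
    print(device_names(con, PAGE_QUERY))
    # A single inventory row cannot match both patterns, so nothing is returned.
    print(device_names(con, SINGLE_ALIAS_QUERY))
```

The duplicate row for a device with two matching Word entries is why SELECT DISTINCT is the safer form when the result is read as a device list.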

3.2 Device Groups


Device groups may be static or dynamic:
• Static groups are populated ’by hand’, i.e. the administrator individually selects the group’s members and adds
them.
• Dynamic groups are populated by queries or a directory server and their members are reevaluated at regular
intervals.
Both types of device groups, static and dynamic are created directly under the Device Groups node or, if they are
based on a query, they may be created directly from the query.
The examples in this chapter will include both types of groups, which serve as a base for other step-by-step
examples further on, such as the operational rules, software distribution and patch management. Therefore we
recommend that you stay as close as possible to the object names and their chosen options.

Device Group 1: Static Device Group


A static device group is created directly under the Device Groups node, and as long as it does not contain any
members it may still become a dynamic group by assigning a query or a directory server to it. To create a new
device group proceed as follows:
1 Select the Device Groups top node.
2 Then either select the Edit->Create Device Group menu item or select the respective icon ( ) in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter a name for the new group, for example, All My Devices.

5 The drop-down list below this field allows you to define if you would like to only display the members of the
group under the node in the hierarchy tree in the left window pane, only all possible subnodes providing
additional information on the group or both. Leave this value at All to display everything.
6 Click the OK button at the bottom of the window to confirm the new group.
7 It will now appear in the right window pane in the Members tab.
8 Select the new group and go to its Member tab, which is still empty.
9 You may now manually add the group’s members by selecting the Edit->Add Device menu item or the
respective icon ( ) in the icon bar.
10 The Select a Device dialog box will appear on the screen.

11 Select some devices which are to be added to the device group from the Available Objects box, e.g., the master
and the relay.
12 Click OK to add the devices to the device group and close the window.
13 The table in the right hand side will now display all the newly defined member devices.

Device Group 2: Create a Device Group from a Query


If the device group to be created is based on a query it may be created directly from the query:
1 For this go to the Queries top node and select the directories Operating Systems and Windows.
2 Go to the folder's Members tab and there select the query Windows XP Devices in the table to the right.
3 Then either select the Edit->Create Device Group or select the respective icon ( ) in the toolbar.
4 The new group will be automatically created directly under the Device Groups top node with the same name
as that of the query, i.e. Windows XP Devices, with the query assigned to it being of Status active.
5 You will find the group under the group assignments of the query. To display it click the cross next to the
Windows XP Devices node to display its subnodes.
6 Select the Dynamic Groups->Device Groups node and in the right pane you will see the newly created
Windows XP Devices group.

7 You may also see the group if you go to the Device Groups node. There you will see that the group type is
indicated by its icon, i.e. a query based group ( ).
8 If the new group is not yet displayed click the Refresh ( ) icon.

9 Then select the group in the left window pane and go to the group’s Members tab.
10 It will display all those managed devices of your network corresponding to the criteria set up in the query.

Device Group 3: Device Group Managed by Several Queries


Sometimes it is not possible to put all criteria for a device group in one query. Therefore the target group must be
managed by more than one query. For an example later on we need a group finding all client devices on which the
Firefox browser is not installed.
1 Select the Device Groups top node.
2 Then either select the Edit->Create Device Group menu item or select the respective icon ( ) in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter a name for the new group, for example, All Client Devices without Firefox.

5 Click the OK button at the bottom of the window to confirm the new group.
6 Open the group’s Dynamic Population->Queries node.

7 Select the Edit->Assign Query menu item or the respective icon ( ) in the icon bar.
8 The Assign a Query dialog box will appear on the screen.
9 Click the All button on the left.

10 Select both the Client Devices and Devices without Firefox queries, then click OK.

Be careful not to modify the query operator in this case; it must remain AND. If you modify it to OR, the device
group will contain all devices with XP SP2 as their operating system as well as all those on which Firefox is
installed.

11 Contrary to queries, groups are active immediately.

12 Go to the group’s Members tab to see which devices the query found.
13 Refresh ( ) if no members are displayed yet.

3.3 Options
The following paragraphs provide a number of options for the query as well as the device group application in the
Numara Asset Management Platform and its functionalities.

3.3.1 Query Options


Below you will find a number of options regarding queries.
(a) Duplicate Query and Modify its Criteria
Once a query is created and assigned it may still be modified if needed. Also, it may be used as a base for other
more specific queries as in our following example. We will duplicate the query All XP SP2 Devices and make it
more specific so it will find all XP client devices:
1 Go to the Queries top node.
2 Select the All XP SP2 Devices query in the table to the right.
3 Then select the Edit->Copy icon ( ) in the toolbar.
4 The query and all its properties have been copied to the clipboard.
5 Now select the Edit->Paste icon ( ) in the toolbar.
6 The query and all its properties will be added to the current console location with the same name increased by
1, i.e. All XP SP2 Devices (1).
7 Now you can rename the query and edit and adapt it.

8 Select the All XP SP2 Devices (1) in the table.


9 Then select the Edit->Properties... icon ( ) in the toolbar.
10 The Properties dialog box appears on the screen.
11 Change its name to All XP SP2 Clients.
12 Double-click the All XP SP2 Clients query.
13 Select the Criteria tab in the right window pane.
14 The table already contains the criteria defined for query All XP SP2 Devices, i.e. that the operating system
must be Windows XP. For this new query we still want Windows XP SP2 Devices but under the condition that
they are of topology type Client, i.e. the query is not to collect the master and the relay.
15 To define the new criteria for the query choose the Edit->Add Criterion menu item or click the respective icon
( ) in the icon bar.
16 The Select Criterion popup window will appear on the screen.
17 Select the Topology Type item from the list and click the Find button in the Criterion Description box.
18 The Search Criteria popup appears on the screen. It provides the list of all topology types available.

19 Select the Client option and click OK.


20 The selected option will now be displayed in the Value field of the Criterion Description window.
21 Click the Add button ( ) to add the criterion to the query.
22 Then click OK to confirm the new query content and to close the window.
23 In the table you can now see all criteria.
24 Reactivate the query again. Every time a query is modified it becomes inactive automatically and must be
reactivated.
25 Go to the Preview tab of the query.
26 Here you should see now the list of all clients with Windows XP SP2 apart from the master and the relay
device.
27 Select the new query in the left window pane and click the Create Device Group icon ( ) to create the
corresponding group.
(b) Convert Criteria Query to Free Query
Criteria-based queries may be converted to free queries, but not the other way round. This may come in handy if,
for example, you find that the options provided by the list of existing criteria are not specific enough for the query
you would like to create. For our example we will convert the Client Devices query to a free query because we
want to find not only all clients but also the relays.
To convert a criteria query to an SQL query proceed as follows:
1 Open the Queries->Numara Asset Management Platform Architecture node and select the Members tab.
2 Duplicate the Client Devices query (see Option (a) above).
3 Then select the new query and the Edit->Properties... icon ( ) in the toolbar.
4 The Properties dialog box appears on the screen.
5 Change its name to Clients and Relays and check the Free Query box.
6 Click OK.
7 In the appearing confirmation window click Yes.

8 Double-click the Clients and Relays query.


9 Select the SQL tab in the right window pane.
10 In the Sql Query box you can see the translation of the selected criterion to general SQL syntax.
11 Modify the displayed syntax to the following:
SELECT DISTINCT Devices.DeviceName FROM Devices WHERE ((Devices.TopologyType
=N'_DB_DEVTYPE_CLIENT_') OR (Devices.TopologyType =N'_DB_DEVTYPE_RELAY_')) ORDER BY
Devices.DeviceName ASC
12 Once the query is entered verify that the syntax and spelling is all correct by selecting the Edit->Verify SQL
menu item or click the respective icon ( ) in the icon bar.
13 The database will verify your syntax and display the result in the Sql Result field below. It will provide
information regarding any errors it found, the detail level of which is based on your database system.

14 Now that the query is finished and correct save it by selecting the Edit->Save Query menu item or click the
respective icon ( ) in the icon bar.
15 The SQL query will be saved to the database.
16 All modified queries are inactive as well and therefore must be reactivated before they can be used. To
activate the query, select the green coloured option active instead of the currently displayed red option inactive in
the Query Status drop-down field.
17 Go to the Preview tab of the query.
18 Here you can see the list of all devices which fulfil both criteria of the free query, i.e. all your devices with the
exception of the master.
19 Select the new query in the left window pane and click the Create Device Group icon ( ) to create the
corresponding group.

3.3.2 Device Group Options


In the following paragraphs you will find options regarding the device group usage.
(c) Convert a Static Group to a Dynamic Group
You may convert a group from static to dynamic to always maintain it at its most accurate membership level like
in the following example for the group All My Clients, which was created before.

You may also convert dynamic groups to static groups. In this case the query membership remains at the situation of the
last dynamic update of the query, i.e. it retains all its members it comprised at the moment the query was converted.

1 For this you first need to remove all devices you just added manually.
2 To do so open the node Device Groups->All My Clients and go to the Members tab.
3 Select all members in the right window pane.
4 Then select the Edit->Delete Member menu item or the respective icon ( ) in the icon bar.
5 A confirmation window appears on the screen.
6 Select OK to confirm the removal.
7 Then select the Dynamic Population subnode in the left window pane.
8 Choose the Queries node among its children.
9 Select the Edit->Assign Query menu item or the respective icon ( ) in the icon bar.
10 The Assign a Query dialog box will appear on the screen.
11 Click the All button ( ) on the left side bar to display the list of all available queries.
12 Select the query called Client Devices from the list. This query will find all devices in your network which
have the Topology Type Client.
13 Click OK to add the query to the selected device group and close the window.
14 If you now return to the Members tab of the group and refresh it ( ), you will find it populated with all the
devices on which the rollout was successfully installed, but neither the master nor the relay device.

15 Also you can see that the icon has changed from the static group icon ( ) to the dynamic query group icon
( ).
4 Configuration Management Step-by-Step

Configuration Management in the Numara Asset Management Platform is executed via the concept of operational
rules. Operational rules define how and in which way the NAMP functions are to be performed. These rules are
made up of a series of commands executed by the agent. A single operational rule can perform more than one
operation, each called a "step". The steps are divided into several categories according to target and function.
As shown in the graphic below, the operational rule process consists of the following individual steps:
1 Create the operational rule (1)
2 Assign the rule to the target and send the assignment (2, 3)
3 The rule arrives on the target and is executed (4, 5)
4 The target sends the execution status to the master (6).

[Figure: operational rule process between the Master and the Target Client: 1 Create Operational Rule, 2 Assign Target Device, 3 Send Assignment, 4 Pull Operational Rule to Target Device, 5 Execute Operational Rule, 6 Send Status]

The examples in this chapter will serve as a base for other step-by-step examples further on, such as the software
distribution and patch management. We therefore recommend that you stay as close as possible to the object names
and their chosen options.

Prerequisites
We assume that:
• the master, console and database have been installed.
• the master and console have been installed in their default installation directory.
• a console is open and connected to the master.
• you have rolled out the NAMP agent to a number of devices as described in the Installation manual.
• you have already done the exercises in the preceding Queries/Device Groups Step-by-Step chapter to execute
some of the options in the second part of the chapter.

4.1 Operational Rule Examples


The following paragraphs provide you with a number of sample operational rules to execute in your network.
Specifically we will create the following rules:
1 Inventory Management Rule: This operational rule will contain a number of steps which create and update
the Patch, Security and Custom Inventory.
2 Start Program Rule: This rule will launch the calculator on a device after the device’s user has given his ok to
the operation.
3 OR Synchronisation Rule: This rule will synchronise the operational rules at the agent startup.

4 Customised Form Rule: This rule will request the local user to provide some information to be entered into the
custom inventory.
5 Reboot Device Rule: This rule reboots a device, also with user confirmation, for example after a patch
application or software distribution.

All operational rules are also available on the Maintenance pages of the agent for direct local application, see Option
(d).

Rule 1: Inventory Management


Most inventory types in the Numara Asset Management Platform are or can be maintained and updated via
operational rules. We will be creating the rule in this example and it will:
• Update the Patch Inventory, i.e. the Patch Inventory will display all patches which are applicable to the OS of
the individual device but are not installed.
• Create a Security Inventory, i.e. it will collect specific information relevant to the security of the device, such
as installed Firewall and installed Antivirus.
• Upload a number of parameters of the device which are collected in the Custom Inventory, such as the Monitor
Manufacturer Information, a number of ini and registry values.
This operation is composed of the following actions:
1 Create Operational Rule via the Operational Rule Creation Wizard
2 Execute the Operational Rule on the Relay
3 Monitor Execution
4 Verify Inventories
Step 1: Create Operational Rule via the Operational Rule Creation Wizard
The first action to take is to create the operational rule. This rule will contain the following steps:
a Patch Inventory:
• Analyse Patch Situation
b Security Inventory:
• Installed Antivirus
• Installed Firewalls
• Shared Resources
• Windows Start-up Programs
• Windows Update Status
• Update Security Inventory
c Custom Inventory:
• Collect Environment Variable Value
• Collect Ini File Value
• Collect Registry Key Value
• Monitor Manufacturer Information
• Upload Custom Inventory
To create this operational rule proceed as follows:
1 Select the Wizards->Operational Rule Creation menu item or the respective icon ( ) in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1a: Definition
In this first step the operational rule to be created must be defined via its parameters.
1 Enter Inventories into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required
for this rule.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option
(c) now.

3 Click the Next button to continue.


Step 1b: Steps
Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this
window you will select the steps to execute.
1 Select the Add Step icon ( ) on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 It displays the list of available steps in its Available Steps box. When you click a step a description will
appear in the text field at the bottom of the window.
4 To add the steps for the rule proceed as follows:
a Patch Management Steps:

1 Double-click the Patch Management folder.


2 Select the step Analyse Patch Situation and click the Add ( ) button.
3 The Properties dialog box appears on the screen. In addition to the preselected options also check the
Force Upload option:

4 Click OK.
5 The step is now added to the list of Selected Objects.
6 This step will update the patch inventory for all targets.
b Security Inventory Steps:
1 Now, to add the steps for the Security Inventory double-click the Security Inventory folder.
2 As the first step select Installed Antivirus and click the Add ( ) button.
3 Click OK to add it to the list.

4 Next select step Installed Firewalls.


5 Click OK to add it.

6 Next select step Shared Resources.


7 Again this step has no parameters to define so only click OK in the Properties dialog box to add it.
8 Next select step Windows Start-up Programs.
9 Again this step has no parameters to define so only click OK in the Properties dialog box to add it.
10 Next select step Windows Update Status.
11 Again this step has no parameters to define so only click OK in the Properties dialog box to add it.
12 All steps collecting inventory data have now been added to the rule; however, another step is required to
upload all this collected data to the master database. For this select the Inventory Management group.
13 Select step Update Security Inventory and click the Add ( ) button.
14 In the appearing Properties dialog box check the following additional options:
Upload after update

Force Upload

15 Click OK to confirm it.

Make sure the Update Inventory step is always the last step in any type of inventory collection. The
steps are executed in the specified order, so if you put it somewhere in the middle, the data
collected after the upload step will not be uploaded to the master and the database.

16 All steps for creating an initial Security Inventory have been added now.
c Custom Inventory Steps:
1 To add the steps for the Custom Inventory double-click the Custom Inventory folder.
2 As the first step select Collect Environment Variable Value and click the Add ( ) button.
3 The Properties dialog box appears on the screen. Enter the following data in the respective fields:
Environment Variable: PATH
Custom Inventory Instance Name: Variable

4 Click OK.
5 For the second step select the Collect Ini File Value. Click the Add ( ) button.
6 In the appearing Properties dialog box enter the following values for the requested parameters:
File Path: C:\Program Files\Numara Software\Numara Asset Management Platform\Client\config\mtxagent.ini
Section Name: Security
Entry Name: SSL

These two values, Section Name and Entry Name, must always be entered exactly as they appear in the
configuration file, otherwise the agent will not be able to find them in the ini file and thus cannot upload
them.

Custom Inventory Instance Name: Type of Agent Communication (SSL Mode)


Entry Type (String or Integer): Integer

7 Click OK to add the step.


8 As the next step select Collect Registry Key Value. Click the Add ( ) button.
9 In the appearing Properties dialog box enter the following values for the requested parameters:
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Value Name: ProductName
Custom Inventory Object Name: Windows Version
Custom Inventory Instance Name: Product Name

10 Click OK to add the step.

If you would like more information on this registry key, repeat steps 8-10 for the same key and values:
CurrentVersion and CSDVersion, see Option (f).

11 As the next step select Monitor Manufacturer Information. Click the Add ( ) button.
12 In the appearing Properties dialog box leave all preselected values.

13 Click OK to add this last step.


14 All steps collecting inventory data have now been added to the rule, however another step is required to
upload all this collected data to the master database. For this select the Inventory Management group.
15 Select step Update Custom Inventory and click the Add ( ) button.
16 In the appearing Properties dialog box check the options Upload after update and Force Upload.

17 Click OK to confirm it.


18 Now click OK to confirm the list of steps and their order of execution of the operational rule.

5 Now click the Finish button to confirm the settings of the new operational rule.
6 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.
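
The ordering caveat for the Update Inventory step, as an added example that is not part of the Numara manual or product: a check over an ordered step list that reports collection steps placed after their inventory's update step, or left without one. The function names and the two mapping tables are assumptions built from the step names used in this walkthrough.

```python
# Step names as used in the walkthrough; which inventory each one feeds
# follows its lists (b) Security Inventory and (c) Custom Inventory.
COLLECT_STEPS = {
    "Installed Antivirus": "Security",
    "Installed Firewalls": "Security",
    "Shared Resources": "Security",
    "Windows Start-up Programs": "Security",
    "Windows Update Status": "Security",
    "Collect Environment Variable Value": "Custom",
    "Collect Ini File Value": "Custom",
    "Collect Registry Key Value": "Custom",
    "Monitor Manufacturer Information": "Custom",
}
UPDATE_STEPS = {
    "Update Security Inventory": "Security",
    "Update Custom Inventory": "Custom",
}

# The Inventories rule in the order the walkthrough adds its steps.
RULE_FROM_WALKTHROUGH = [
    "Analyse Patch Situation",
    "Installed Antivirus",
    "Installed Firewalls",
    "Shared Resources",
    "Windows Start-up Programs",
    "Windows Update Status",
    "Update Security Inventory",
    "Collect Environment Variable Value",
    "Collect Ini File Value",
    "Collect Registry Key Value",
    "Monitor Manufacturer Information",
    "Update Custom Inventory",
]


def move_before(steps, step, anchor):
    """Return a copy of `steps` with `step` moved directly before `anchor`."""
    out = [s for s in steps if s != step]
    out.insert(out.index(anchor), step)
    return out


# Constructed mistake: the update step ends up in the middle of the collection steps.
MISORDERED = move_before(RULE_FROM_WALKTHROUGH,
                         "Update Security Inventory", "Windows Update Status")


def review_step_order(steps):
    """Return findings for an ordered step list; an empty list means the order is sound."""
    last_update = {}  # inventory name -> position of its last update step
    for position, step in enumerate(steps):
        if step in UPDATE_STEPS:
            last_update[UPDATE_STEPS[step]] = position
    findings = []
    for position, step in enumerate(steps):
        inventory = COLLECT_STEPS.get(step)
        if inventory is None:
            continue  # not a collection step (update steps, patch analysis, ...)
        if inventory not in last_update:
            findings.append(f"{step}: rule has no Update {inventory} Inventory step")
        elif position > last_update[inventory]:
            findings.append(f"{step}: placed after Update {inventory} Inventory")
    return findings


if __name__ == "__main__":
    print(review_step_order(RULE_FROM_WALKTHROUGH))
    print(review_step_order(MISORDERED))
```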

Step 2: Execute the Operational Rule on the Relay


The operational rule is now created and must be assigned to the devices, in our example the relay, on which to
execute via the Operational Rule Distribution Wizard.

Step 2a: Operational Rule


In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as
some distribution options:
1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the
relay.

If you want to schedule the rule to execute at a specific date and time and/or at regular intervals, uncheck the
Default Schedule option, and then see Option (a).
To manually modify the execution schedule after an initial execution follow the wizard explanations without
any optional modifications and then see Option (b).

3 Leave all other options as they are.

4 Click Next to continue.

Step 2b: Assigned Devices


To assign the rule to the relay proceed as follows:
1 To do so select the Assign Device icon ( ) above the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the relay from the list.

4 Click OK to confirm and close the window.


5 The relay will be added to the list of assigned devices.

6 Click Finish to confirm the assignment and launch the rule execution with the
default schedule, i.e. once immediately.
7 The last option provided by the wizard is to go directly to the object. For our
example we will directly activate the rule and change the focus to it; therefore
check the Go to Operational Rule box and click Yes to directly activate the rule.

Step 3: Monitor Execution


The execution can be monitored from several locations. For our example here we remain under the Devices node.
1 In the right window you can see the relay and the Status column. Currently this status should be Assignment
Waiting.
2 Once the assignment is done the status will change to Ready to run, to indicate that now the scheduling of
the actual operational rule step is being executed.
3 Once the operational rule has executed on the relay, i.e. it has collected all the requested information and
updated the database with it, your Status field should have changed to Executed.

If the status reads Execution failed, you may have entered a wrong path for one of the step
parameters.

Step 4: Verify Inventories


Once the rule is executed the results, i.e. the generated inventories may be inspected. To do so proceed as follows:
1 Open the node Device Topology->Master->Relay->Inventory.
2 The table in the right window pane lists all possible types of inventory and you can see the date at which the
inventories were last updated, i.e. whether your operational rule was already executed.
3 Select the Custom Inventory node.
4 Now the table should display the following objects in addition: Configuration Values, Screen Information,
System and Windows Version.
5 Double-click each of the entries to find out what information they contain.

6 Then select the Security Inventory node.


7 Below you should find one entry for each of the steps of the executed operational rule. Refresh ( ) if the
entries are not displayed yet.
8 Double-click each of the entries to find out what information they contain.

9 Now select the Patch Inventory node and the Missing Patches node below.
10 The table in the right window pane will display the list of all patches which are applicable to the operating
system of your relay, i.e. Windows XP, but have not yet been installed. For information on how to rectify this
situation see chapter Patch Management Step-by-Step.

11 The node Missing Service Packs displays the list of service packs which are missing for the relay.

Rule 2: Start Program


In this example we will create a rule that launches the calculator on the master device if the user, i.e. you,
decides to do so. This operation is composed of the following actions:

1 Create Operational Rule


2 Assign the Operational Rule to the Master
3 Monitor Execution
Step 1: Create Operational Rule
The first action to take is to create the operational rule. This rule must contain two steps:
• A message box which will appear on the window and in which the user has the choice if they want to launch
the execution
• The step launching the execution itself.
To create this operational rule proceed as follows:
1 Select the Wizards->Operational Rule Creation menu item or the respective icon ( ) in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1a: Definition
In this first step the operational rule to be created must be defined via its parameters.
1 Enter Execute Calculator into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required
for this rule.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option
(c) now.

3 Click the Next button to continue.


Step 1b: Steps
Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this
window you will select the steps to execute.
4 Click the Add Step icon ( ) on top of the list field.
5 The Select a Step popup window will appear on the screen.
6 It displays the list of available steps in its display window.

7 Double-click the User Message Box folder.


8 Select the step User Acknowledgement via Message Box and click the Add ( ) button.
9 The Properties dialog box appears on the screen. Enter the following data in the respective fields:
Stop Condition: Select the Stop on failed step value from the drop-down list.
Message Title: Execute Calculator
Message Text: Do you want to launch the calculator now on your device?
Validation Button Label: OK
Cancel Button Label: Cancel
Tentatives: 2
Retry Interval: 2

10 Click OK. This message box allows the user to execute or cancel the execution.
11 Now, to add the second step double-click the Process Management folder and select the Execute Program
step. Click the Add ( ) button.
12 The Properties dialog box appears on the screen. Enter the following data in the respective fields:
Executable Path: C:\WINDOWS\system32\calc.exe (for Windows XP devices)
Leave all other fields untouched.

13 Then click OK to add the step and then OK again to confirm the list of steps and to close the window.
14 In the list field you can now see both steps.

15 Now click the Finish button to confirm the settings of the new operational rule.
16 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.

Step 2: Assign the Operational Rule to the Master


The operational rule is now created and must be assigned to the devices on which to execute, in our example the
master.

Step 2a: Operational Rule


In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as
some distribution options:
1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the
relay.

If you want to schedule the rule to execute at a specific date and time and/or at regular intervals, uncheck the
Default Schedule option, and then see Option (a).

3 Leave all other options as they are.



4 Click Next to continue.

Step 2b: Assigned Devices


To assign the rule to the master proceed as follows in this window:
5 Select the Assign Device icon above the list window.
6 The Select a Device popup window will appear on the screen.
7 Go to the All tab and select the master.
8 Click OK to confirm and close the window.
9 The device will be added to the list field in the wizard window.

10 Click the Finish button to confirm the assignment and execute.


11 The last option provided by the wizard is to go directly to the object. For our
example we will directly activate the rule and change the focus to it; therefore
check the Go to Operational Rule box and click Yes to directly activate the rule.

Step 3: Monitor Execution


To monitor the execution you need to have the target device in your visual range as well as the console window, if
you assigned the rule to another device than the master.
1 To check the status of execution select again the Devices node in the left window pane.
2 In the right window you can see the target device and a column called Status. Currently this status is
Assignment Waiting.
3 Once the assignment is done the status will change to Ready to run, to indicate that now the scheduling of
the actual operational rule step is being executed.
4 Check the screen of your target device for the appearance of the message box.
5 Once it appears click the Cancel button. The message box disappears and reappears two minutes later again.
6 This time click OK and wait for the appearance of the Calculator.
7 Once it is on the screen check your Status field again and you will see that it has changed to Executed.
8 If you refused to launch the calculator twice, the status will change to Execution failed, as the rule could
not be completely executed.

If the status reads Execution failed, you may have entered a wrong path to the calculator.

Rule 3: OR Synchronisation
This rule will synchronise the operational rules at the agent startup between those available on the master for the
agent and those actually present on the agent, to make sure none of them get lost and the agent always has the
most up-to-date set of rules available.

This step-by-step instruction may be adapted and applied for all types of synchronisation available in Numara Asset
Management Platform.

When the client receives a synchronisation request it sends back the list of its own operational rules linked to a
checksum. The master then creates an up-to-date list of the device’s operational rules and checks these with the
list it received. If an operational rule on the list from the device does not exist any more, the master sends an order
to the device to delete it; if a more recent version of an operational rule exists on the master i.e. the checksums on
the master and the client are not identical, an update order will be sent to the device; and if a rule is absent on the
client but present on the master, then an assign order will be sent to the client device. Any rule which is ‘paused’
will not be taken into account.
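The comparison described above can be written out as a small reconciliation routine. This is an added example, not code from the product: the `MasterRule` class, the SHA-256 stand-in checksum, the step names and the sample state are constructed, and it assumes the paused flag is held on the master and that a paused rule produces no order at all.

```python
import hashlib
from dataclasses import dataclass


def checksum(steps):
    # Stand-in: the manual does not name the checksum algorithm the product uses.
    return hashlib.sha256("\n".join(steps).encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class MasterRule:
    name: str
    steps: tuple
    paused: bool = False  # assumption: the 'paused' state is tracked on the master


def plan_sync(master_rules, device_report):
    """Compare the master's rule list for a device with the list the device sent.

    device_report maps rule name -> checksum as reported by the agent.
    Returns a sorted list of (order, rule_name) tuples.
    """
    expected = {rule.name: rule for rule in master_rules}
    orders = []
    for name, reported in device_report.items():
        rule = expected.get(name)
        if rule is None:
            # On the device, no longer on the master's list: delete order.
            orders.append(("delete", name))
        elif rule.paused:
            # Paused rules are not taken into account.
            continue
        elif checksum(rule.steps) != reported:
            # Checksums differ: the master holds a more recent version.
            orders.append(("update", name))
    for name, rule in expected.items():
        # On the master's list but absent on the device: assign order.
        if name not in device_report and not rule.paused:
            orders.append(("assign", name))
    return sorted(orders)


# Constructed sample state: one rule changed on the master, one unassigned while
# the agent was stopped, one never delivered, one paused with a stale copy.
MASTER = [
    MasterRule("Inventory Management", ("Hardware Inventory", "Open Ports")),
    MasterRule("OR Synchronisation", ("Rule Synchronisation",)),
    MasterRule("Reboot", ("Reboot",)),
    MasterRule("Employee Information", ("Send Customised Form v2",), paused=True),
]
DEVICE_REPORT = {
    "Inventory Management": checksum(("Hardware Inventory",)),
    "OR Synchronisation": checksum(("Rule Synchronisation",)),
    "Execute Calculator": checksum(("Execute Program",)),
    "Employee Information": checksum(("Send Customised Form",)),
}

if __name__ == "__main__":
    for order, name in plan_sync(MASTER, DEVICE_REPORT):
        print(f"{order:7} {name}")
```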
This rule is created and assigned via the Operational Rule Creation and Operational Rule Distribution wizards
and consists of the following steps:
1 Create Operational Rule
2 Assign the Operational Rule to the Master
3 Verify Result

Step 1: Create Operational Rule


1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1a: Definition
In this first step the operational rule to be created must be defined via its parameters.
1 Enter OR Synchronisation (or any other desired name) into the Name field.
2 Leave all other parameters as they are, since no packages will be distributed and no dependencies are required
for this rule.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option
(c) now.

3 Click the Next button to continue.


Step 1b: Steps
Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this
window you will select the steps to execute.
1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Agent Configuration and select the step Rule Synchronisation.

4 Click the Add button to confirm.


5 The Properties dialog box appears on the screen.
6 Leave all preselected options checked and check in addition the last option Bypass Transfer Window.
7 Then click OK to add the step to the list and close the window.
8 Click OK again to confirm the list of steps for the operational rule and close the window.

9 Now click the Finish button to confirm the settings of the new operational rule.
10 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.

Step 2: Assign the Operational Rule to the Master


The operational rule is now created and must be assigned to the devices on which to
execute, in our example the master.

Step 2a: Operational Rule


In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as
some distribution options:
1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the
relay.

If you want to schedule the rule to execute at a specific date and time and/or at regular intervals, uncheck the
Default Schedule option, and then see Option (a).

3 Leave all other options as they are.

4 Click Next to continue.

Step 2b: Assigned Devices


The operational rule is now created and must be assigned to the devices on which to execute, in our example the
master.
1 To do so select the Assign Device icon on top of the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the master.
4 Click OK to confirm and close the window.
5 The device will be added to the list field in the wizard window.
6 Click the Finish button to confirm and close the wizard.
7 The last option provided by the wizard is to go directly to the object. For our
example we will directly activate the rule and change the focus to it; therefore
check the Go to Operational Rule box and click Yes to directly activate the rule.

Step 3: Verify Result


The rule execution may be monitored as usual under the Devices node of the assigned
device. To see what this rule actually does, we will interrupt the assignment of an operational rule and simulate
an unscheduled restart of the device, by stopping the agent service.
1 For this go to the Computer Management->Services and Applications window of Windows.
2 Select the Numara Asset Management Platform Agent in the list of services.
3 Then open the node Device Topology->Relay->Assigned Objects->Operational Rules.
4 Select the Execute Calculator rule in the right window pane and then select the icon Unassign Operational
Rule.
5 In the appearing confirmation window click Yes, to confirm the unassignment.
6 Now the unassignment is waiting to be executed.
7 Now quickly go to the Computer Management->Services and Applications window and stop the Numara
Asset Management Platform Agent service.
8 Now the unassignment has been sent, but it should not yet have arrived on the agent, therefore the rule will
still be available on the system.
9 Now, when you restart the NAMP agent service, the agent will execute a synchronisation of all its rules with
the master’s list of rules for it. It will find that the Execute Calculator rule is no longer on the list and will
unassign it.

Rule 4: Customised Form


This step creates a form to update the custom inventory of the local target client. Once the rule is executed a
browser window opens on the target, in which a form with several fields is to be filled by the local user. The form
has two buttons, OK to confirm the filled in form and Later to postpone the filling in of the values. Once the form
is completed and confirmed the custom inventory .xml file is updated with the new information. This newly
added information will be added to the custom inventory in the console and the agent interface pages at the next
update. The fields are prefilled for a personal information form.
For our following example we will create a form in which we ask the user to fill in his personal office data. For this
the following operations need to be executed:
1 Create Employee Information Rule
2 Assign Operational Rule to Master
3 Fill in the Customised Form
4 Custom Inventory - Verify Result
Step 1: Create Employee Information Rule
The rule we will create for this example will contain the following steps:
• Send Customised Form - this step defines all the fields the user is requested to fill in.
• Update Custom Inventory - this step generates the new custom inventory and uploads it from the agent to the
master, so it can be displayed in the console.
This rule is created and assigned via the Operational Rule Creation and Operational Rule Distribution wizards.
1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1a: Definition
In this first step the operational rule to be created must be defined via its parameters.
1 Enter Employee Information into the Name field. This value will be used as the entry name for the custom
inventory entry.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option
(c) now.

2 Click the Next button to continue.


Step 1b: Steps
In this window you need to select the steps to execute.
1 Select the Add Step icon on top of the list field.

2 The Select a Step popup window will appear on the screen.


3 Expand the item User Message Box and select the step Send Customised Form.
4 Click the Add button to confirm.
5 The Properties dialog box appears on the screen.
6 Enter the following values into the respective fields:
Title
Enter the title of the form into this field, e.g. Employee Information.
Header Text
The field should contain a short textual explanation for the local user regarding the fields of the form below,
e.g. Please fill in the fields of the following form:.
Form Fields
This field contains the semi-colon separated list of fields of the form to be filled in, as they are displayed in the
HTML page to the user. For our example we will leave the first two values and then add some more: Name;First
Name;Badge ID;Department;Office;Country;Phone Extension.
Form Field Data Type
This field contains the semi-colon separated list of the data types of the fields defined above to be filled into
the form, for the list fields (combo) the type of the list field must also be defined. Possible values are string,
integer, combo:string, combo:integer and boolean. For our example we need the following:
string;string;integer;string;string;combo:string;integer.
Default Field Values
This field allows you to define default values for the form fields that will be displayed to be selected via a drop
down list. The individual default values of a field are separated by commas (,), the sets of default values for
different fields are separated by semi-colons (;). The field is prefilled with default values for the country:
;;;;;UK,France,Germany,Australia.
Labels of Custom Inventory Fields
This field contains the semi-colon separated list of field names under which the fields will appear in the custom
inventory. Make sure that the order and the number of the fields are the same as in the Form Fields above. For
our example this will be: Name;First Name;Employee ID;Department;Building;Country;Phone Extension.
Footer Text
This free text field is below the list of fields to be filled in and may contain additional information. We will
enter here Thank you for your cooperation.
Validation Button Label
This parameter defines the text to be displayed on the confirmation button in the dialog box, enter OK.
Cancel Button Label
This parameter defines the text to be displayed on the cancel button in the dialog box, such as for example
Later.
Retry Interval
The retry interval defines the interval at which the step is to effect its retries in minutes. The default value is
set to 2 minutes. Leave it.

7 Then click OK to add the step to the list and close the window.
8 Now select the Inventory Management group.
9 Select step Update Custom Inventory and click the Add button.
10 In the appearing Properties dialog box also check the options Upload after update and Force Upload.
11 In this case we will leave the Differential Upload option activated, as a custom inventory already exists. Thus
only the changes, i.e. the new entry will be uploaded, which makes the process faster.

12 Click OK to confirm it.


13 Now click OK to confirm the list of steps and their order of execution of the operational rule.
14 All steps are added to the rule and it is ready to be assigned.

15 Now click the Finish button to confirm the settings of the new operational rule.
16 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.
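The four semi-colon separated properties of the Send Customised Form step in Step 1b must line up position by position, so a pre-flight check before distributing the rule is useful. The following is an added example, not part of the product: the function names are hypothetical, the tolerance for omitted trailing default entries (as in the manual's own default string) and the boolean spelling true/false are assumptions, and the submitted values are constructed.

```python
import re

ALLOWED_TYPES = {"string", "integer", "combo:string", "combo:integer", "boolean"}

# Values taken from the example in this manual.
FIELDS = "Name;First Name;Badge ID;Department;Office;Country;Phone Extension"
TYPES = "string;string;integer;string;string;combo:string;integer"
DEFAULTS = ";;;;;UK,France,Germany,Australia"
LABELS = "Name;First Name;Employee ID;Department;Building;Country;Phone Extension"


def is_int(text):
    return re.fullmatch(r"-?[0-9]+", text) is not None


def build_form_spec(form_fields, data_types, default_values, inventory_labels):
    """Return (spec, problems) for the four step properties."""
    names = [part.strip() for part in form_fields.split(";")]
    types = [part.strip() for part in data_types.split(";")]
    labels = [part.strip() for part in inventory_labels.split(";")]
    defaults = [part.strip() for part in default_values.split(";")]
    problems = []
    if not (len(names) == len(types) == len(labels)):
        problems.append(
            f"count mismatch: {len(names)} fields, {len(types)} types, {len(labels)} labels"
        )
        return [], problems
    if len(defaults) > len(names):
        problems.append(f"{len(defaults)} default entries for {len(names)} fields")
        return [], problems
    # Assumption: trailing default entries may be omitted, as in the manual's example.
    defaults += [""] * (len(names) - len(defaults))
    spec = []
    for name, typ, label, raw in zip(names, types, labels, defaults):
        choices = [c.strip() for c in raw.split(",") if c.strip()]
        if typ not in ALLOWED_TYPES:
            problems.append(f"{name}: unknown data type {typ!r}")
        elif typ.startswith("combo:") and not choices:
            problems.append(f"{name}: combo field has no default values")
        elif not typ.startswith("combo:") and choices:
            problems.append(f"{name}: default values given for non-combo type {typ}")
        elif typ == "combo:integer" and not all(is_int(c) for c in choices):
            problems.append(f"{name}: combo:integer has a non-integer default value")
        spec.append({"field": name, "type": typ, "label": label, "choices": choices})
    return spec, problems


def check_submission(spec, values):
    """Check what a user typed into the form against the declared data types."""
    problems = []
    for entry in spec:
        name, typ = entry["field"], entry["type"]
        value = values.get(name, "")
        base = typ.split(":")[-1]
        if typ.startswith("combo:"):
            if value not in entry["choices"]:
                problems.append(f"{name}: {value!r} is not one of the offered values")
        elif base == "integer" and not is_int(value):
            problems.append(f"{name}: {value!r} is not an integer")
        elif base == "boolean" and value not in ("true", "false"):
            problems.append(f"{name}: {value!r} is not true or false")
    return problems


# Constructed submissions for the form defined above.
GOOD_SUBMISSION = {
    "Name": "Doe", "First Name": "Jane", "Badge ID": "1042", "Department": "IT",
    "Office": "B2", "Country": "France", "Phone Extension": "221",
}
BAD_SUBMISSION = dict(GOOD_SUBMISSION, **{"Badge ID": "10x42", "Country": "Spain"})

if __name__ == "__main__":
    form_spec, issues = build_form_spec(FIELDS, TYPES, DEFAULTS, LABELS)
    print(issues or "definition is consistent")
    print(check_submission(form_spec, BAD_SUBMISSION))
```

Dropping a single semi-colon from the default values shifts the country list onto the Office field, which the check reports as two separate problems.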

Step 2: Assign Operational Rule to Master


The Operational Rule Distribution Wizard allows you to proceed with the target
assignment and scheduling process of the operational rule as follows:

Step 2a: Operational Rule


In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as
some distribution options:
1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the
master.
3 Leave all other options as they are.

4 Click Next to continue.



Step 2b: Assigned Devices


The operational rule is now created and must be assigned to the devices on which to execute, in our example the
master.
1 To do so select the Assign Device icon on top of the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the relay.
4 Click OK to confirm and close the window.
5 The device will be added to the list window.

6 Click Finish to confirm the assignment.


7 The last option provided by the wizard is to go directly to one of the
objects, i.e. the operational rule or the task, if one was created. For our
example we will directly activate the rule and change the focus to it;
therefore check the Go to Operational Rule box and click Yes to directly
activate the rule.

Step 3: Fill in the Customised Form


Once the rule is assigned to the master an HTML page will appear on the
screen, which displays the form we just defined.

1 Fill in your personal information.


2 Click the OK button to confirm.
3 The information will now be stored by the agent in the local database and uploaded to the master for display in
the console. This may take a moment, please be patient.

Step 4: Custom Inventory - Verify Result


To verify the result, the rule execution may be monitored as usual under the Devices node of the assigned device. Once the
status is displayed the rule is executed and all data should be available in the Console.
1 Open the node Master->Inventory.
2 In this window you can see in the right pane the list of all available inventory types and the date and time of
their last update.
3 Check the value for the Custom Inventory.
4 Once it is updated to the current time select the node to display its contents.

5 Now select the History tab in the right window pane.


6 The contents of this tab display all elements that were added, removed or modified in the Custom Inventory.
7 Here you will find a new element as well, called Employee Information. The same element which was just
added to the Custom Inventory.

Rule 5: Reboot Device


The operational rule created in this example will reboot a device. This may be useful or necessary after a software
distribution and installation, a patch application or a vulnerability solution.
Contrary to the operational rules created before we will not assign and execute this rule on its own, it will be used
together with the Software Distribution and Patch Management Step-by-Step examples further on.
1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1: Definition
In this first step the operational rule to be created must be defined via its parameters.
1 Enter Reboot (or any other desired name) into the Name field.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option
(c) now.

2 Click the button at the bottom of the window to continue.

Step 2: Steps
Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this
window you will select the steps to execute.
1 Select the Add Step icon on top of the list field.


2 The Select a Step popup window will appear on the screen.
3 Expand the item Windows and select step Reboot.
4 Click the Add button.
5 The Properties dialog box appears on the screen.
6 Click the OK button to confirm and add this step.
7 Now click the OK button to confirm the list of defined steps for the operational rule and to close the window.

8 In the list field you can now see the step with its parameters.
9 Click the Finish button to confirm all parameters for the new rule and terminate it.
10 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click No, as this rule will
not yet be assigned and executed.
11 The new rule is added to the list of available operational rules under the top node.

4.1 Rule Options


The following paragraphs will provide you with a number of options that may be used to modify the operational
rule application.
(a) Assign the Rule with a Specific Schedule
When using the automatic activation a default schedule is assigned to the operational rule: immediate execution,
once. In our case we will define a schedule first and then the assignment must be activated.
For our example of the Inventory Management rule it may be useful to run this rule at regular intervals, such as
every day at start up, to have a most accurate view of the device’s situation. To do so proceed as follows:
1 In the first window of the Operational Rule Distribution Wizard make sure to uncheck the Default Schedule
option.
2 At Step 2b: Point 6 (page 57) click Next again instead of finishing the wizard.
3 Another wizard window will appear after the Assigned Devices window, the Schedule window.
4 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.
5 In the Execution Date box define when to run the inventory collection. In our example we will select the
Next Startup radio button to launch the inventory when the agent is started next.
6 Then go to the Termination box below, click the Run Forever radio button.
7 Now select the Frequency tab.
8 Leave the By Schedule and the Run Every Day radio buttons checked.
9 In the Period drop-down field select the value Once Only.

10 In the field below select the time at which to execute the inventory collection, e.g., 03:00. To modify the
minute value just click in the field with the selected value and change the value, e.g. to 03:30.

Inventory collection might be quite resource consuming, thus it is advisable to run these rules when the
network load is low, i.e. during the night, if the devices are not shut down.

11 Click Finish to confirm the assignment and schedule and finish the wizard.
12 The last option provided by the wizard is to go directly to the object. For our
example we will directly activate the rule and change the focus to it; therefore
check the Go to Operational Rule box and click Yes to directly activate the rule.
(b) Manually Modify the Execution Schedule
Once an operational rule is executed its schedule may still be modified to have the
rule execute according to a specific schedule. For our example we will use the OR Synchronisation rule and have
it execute every Monday morning, to make sure the agents and their operational rules are up to date for the start in
the new week.
Manually modifying a schedule consists of two different actions:
1 Modify the schedule
2 Reassign the rule

If the rule is not reassigned to the targets, the local agent will not be aware of the modifications and thus not be
able to apply them.

Proceed as follows:
1 After the execution of the rule select the OR Synchronisation rule in the left window pane.
2 Go to its Assigned Objects->Devices node.
3 Then select the master entry in the table in the right window pane.
4 The entry should currently display the status Executed.
5 To define the schedule either double-click the table entry or select the Properties icon in the icon bar.
6 The Scheduler window will open on the screen.
7 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.

8 In the Execution Date box define when to run the inventory collection. In our example we will select the
Next Startup radio button to launch the synchronisation when the agent is started next.
9 Then go to the Termination box below, click the Run Forever radio button.
10 Now select the Frequency tab.
11 Leave the By Schedule radio button checked.
12 In the By Schedule panes select the Day of the Week radio button.
13 The box below will become editable, uncheck all boxes apart from Monday.
14 In the Period drop-down field select the value Once Only.
15 In the field below select the time at which to execute the synchronisation, e.g., 07:00.

16 Click OK to confirm the new schedule and close the window.


17 Now select the master entry again in the table to reassign the rule.
18 To do so select the Reassign Operational Rule icon in the icon bar.
19 The status will change to Reassignment Waiting and then all other status values until it arrives at Updated,
to indicate that the rule was updated on the device and is ready for execution again.
(c) Creating a Rule in a Specific Folder
When creating a new operational rule it may be directly created in a folder instead of under the Operational Rules
top node, which is the default location. To do so proceed as follows:
1 To add it to another folder click the icon to the right of the Folder field (...).
2 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder
does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon below
the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window
to confirm the new folder.
3 Select the target folder and click the OK button to confirm and to close the window and return to the original
window.
(d) Operational Rules in the Maintenance Pages
The Maintenance pages of the Agent Interface were specifically created for maintenance crews and support
people to facilitate their tasks on site. In case of a problem they may execute specific operational rules directly
from the local interface to solve the issue. By default all operational rules an administrator can see and manage in
the console are available on the Maintenance pages in the Agent Interface. To log on to the Maintenance pages
proceed as follows:
1 Go to the target device (physically go there, you cannot do it from your desk via the console or the Agent
Interface if the target device is not the device you are currently working from). In our case we will do this on
the master’s interface, so no need for travelling.
2 Right-click the blue NAMP agent icon at the bottom-right of the Windows device.
3 Left-click on the Agent Interface menu item.
4 A browser window opens displaying the HCHL interface of the local agent.
5 Select the Identification item on the top right corner of the window.

6 Identify yourself with a local login in the appearing popup window.


7 The browser window now reloads and displays a number of additional tabs. Select the Maintenance tab.
8 A new login page appears. Enter the following login data:
Name: Enter the name of the master
Port: 1610
Login: admin
9 Click OK.

To refresh these pages always use the Refresh button at the bottom of the page, NEVER the browser’s button.

10 The Maintenance page appears in the window. There are two types of rules available on the Maintenance
pages:
a Active Operational Rules
Active rules are all those rules that have been assigned to a device or a device group. Here you should find
the first three rules that were created in this chapter with their respective execution status and schedule.

1 You can execute rules directly from the active rules page of the interface, e.g. the Execute Calculator
rule.
2 To do so select it by checking the respective box under the Select column at the right border.
3 Then click the Activate button at the bottom left of the page.
4 A confirmation window appears on the screen. Click OK to proceed.

5 The status of the rule will change to Updated once the rule has been reassigned and then it will be
executed. You will see this once the confirmation message box to launch the calculator is displayed
again on the screen. If you click Yes, and the calculator is displayed the status will become Executed
again, if you click No, the status will be Execution failed, since the rule could not be successfully
completed.
b Additional Operational Rules
Additional rules are all those rules that have been created but are not assigned to any device or group. On
this page you should now see two rules, a distribution rule which is always automatically created
concerning patch management, ConfigFiles.cst, as well as the Reboot rule which we created but didn’t
assign to any device.

1 To assign a rule, e.g. the ConfigFiles.cst distribution rule, from the Additional Operational Rules page to
the local device select it, i.e., check the respective box under the Select column at the right border.
2 Then click the Activate button at the bottom left of the page.
3 Active Operational Rules.
(e) Assign Operational Rule to a Device Group
Instead of distributing an operational rule to an individual or a number of individual devices you may assign it to
a group, preferably dynamic.

Dynamic groups are maintained either via a directory server or a query and their members are updated regularly.
For more information refer to chapter Queries and Device Groups Step-by-Step earlier in this manual. You will
also find the guidelines there on how to create the group we will be using for the rule assignment in this example.
Assigning an operational rule such as the inventory collection will ensure that all devices fulfilling specified
requirements will apply this rule, without you having to specifically tell them so.

Proceed as follows to assign the Inventory Management rule (Rule 1) to a group containing All XP SP2 Devices of
your network:
1 At Step 2: open the node Operational Rules->Inventory Management->Assigned Objects->Device Groups.
2 Select the Edit->Assign Device Group menu item or click the respective icon in the icon bar.
3 In the appearing confirmation window (Would you like to automatically activate...?) click Yes.
4 The Assign to Device Group popup window will appear on the screen.
5 Select the All XP SP2 Devices group from the list in the Available Objects box.

6 Click OK to confirm and close the window.


7 In the right window pane you can now see the device group to which the rule was assigned.
8 If you answered Yes to Would you like to automatically activate...?, the distribution process is started directly!

9 If you now select the Assigned Objects->Devices node you will find the list of all devices that are a member of
the group in the table.
(f) Add More Steps to an Operational Rule
Once an operational rule is created and executed you might find that it is missing some steps or might be made
more efficient using some more or other steps. When modifying a rule, the following steps need to be executed:
1 Modify the contents of the Inventory Management rule
2 Reassign the rule to the target
Step 1: Modify the Contents of the Inventory Management Rule
For our example we will modify the Inventory Management rule in the following way:
a Remove the Patch Inventory step
b Add more Security Inventory steps:
• Number of Administrator Accounts
• Open Ports
• Process List
To do so proceed as follows:
1 Open the node Operational Rules->Inventory Management and go to the Steps tab.
2 In the right window pane you can see all the steps which are currently executed for this rule.

3 To remove the patch step select the respective step in the first line, Analyse Patch Situation.
4 Now select the Remove Step icon in the icon bar.
5 A confirmation window appears on the screen. Click Yes.
6 The step will directly disappear from the rule and the list.
7 Now, to add more steps for the Security Inventory click the Add Step icon ( ) in the icon bar.
8 The Select a Step popup window appears on the screen.
9 Double-click the Security Inventory folder.
10 As the first step select Number of Administrator Accounts and click the Add ( ) button.
11 The Properties dialog box appears on the screen. Enter the value Administrator Account into the field Security
Inventory Instance Name and click OK to add it to the list of Selected Objects.
12 Next select the Open Ports step and click the Add ( ) button.
13 The Properties dialog box appears on the screen. Select the TCP value from the drop-down box, enter TCP
Ports as value into the Security Inventory Instance Name field and click OK to add the step.
14 As the third new step select the Process List step and click the Add ( ) button.
15 The Properties dialog box appears on the screen. Leave both options enabled and click OK to add the step.
16 Click OK now to confirm the new list of steps to add to the existing steps and to close the window.
17 You can see now that all new steps have been added at the bottom of the list. However to be updated at the
next inventory update they must be located before the Update Security Inventory step.
18 Select all three new lines in the table.
19 Then select the Move To icon ( ) in the icon bar.
20 A new Steps window appears on the screen.
21 Enter line 6 into the field and click the OK button.
22 All three selected steps will now be moved up to lines 6-8, i.e. before the Update Security Inventory step, and
push all following steps down.

Step 2: Reassign Rule to Target


Whenever an operational rule has been modified in any way (its contents have changed, the schedule was modified,
etc.), the rule must be reassigned to the target to update it. To do so proceed as follows:
1 Click the Assigned Objects, then Devices node in the left window pane under the Inventory Management
rule.
2 Select the already assigned master in the table.
3 Then click the Reassign Operational Rule icon ( ) in the icon bar.
4 The reassignment order will be sent to the master and the status will change to Update Waiting.
5 After this you should see the following successive statuses:
• Updated
• Ready to run
• Executed

6 Once the status is displayed as Executed go to the Security Inventory of the master and check that the new
parameters have been added.
5 Directory Server Synchronisation Step-by-Step
The LDAP Client (notably Microsoft Windows Active Directory) functionality presents organisations with a
directory service designed for distributed computing environments. It allows organisations to centrally manage
and share information on network resources and users while acting as the central authority for network security.
In addition to providing comprehensive directory services to a Windows environment, the directory server is
designed to be a consolidation point for isolating, migrating, centrally managing, and reducing the number of
directories that companies require.
The Numara Asset Management Platform allows you to synchronise its device database with directory services
already existing in your network. You may thus ’copy’ existing directory services items such as organisational
units (OU), computers, etc., into the Numara Asset Management Platform groups and members to then administer
these via the NAMP console. All three types of groups existing in the Numara Asset Management Platform, i.e.
device groups, administrator groups and user groups, can be synchronised.

Prerequisites
To execute the examples provided in this chapter we assume that:
• the master, console, database, and some client agents have been installed.
• a console is open and connected to the master.
• Active Directory is installed in your network and has its organisation in place.
• you have done the basic exercises in the Queries and Device Groups Step-by-Step chapter or you are at least
familiar with the general concepts of the different groups in the Numara Asset Management Platform.

5.1 Synchronising with Active Directory


This first part of the chapter provides some examples for active directory synchronisations:
• Synchronise a device group
• Synchronise an administrator group
• Synchronise a user group
The first step to execute before any synchronisation can be done is to define at least one directory server in the
NAMP console. To do so proceed as follows:
Step 1: Define the Active Directory Server
The first step in the synchronisation procedure is to define the directory server with which to synchronise in the
NAMP console. To do so proceed as follows:
1 Open the Global Settings->Directory Servers node in the left window pane.
2 Either select the Edit->Create Directory Server menu item or select the respective icon ( ) in the toolbar.
3 The new directory server will be created and the Properties window opens on the screen.
4 Enter the following information into the respective fields of the General tab:

a Enter the user-friendly name under which the directory server is known into the Name field. This
name may be any combination of characters.
b Enter the known network name of the directory server in the Host Name field. This value may be either the
complete or short network name, such as scotty.bridge.enterprise.com or scotty, or it may be the IP
address of the server in its dotted notation, e.g. 175.175.2.1.
c Enter the number of the port at which the directory server may access the database in the Port Number
field. The usual value for this port is 389.
d Enter the base distinguished name into the Base DN field to uniquely identify the directory server. The base
DN is the start entry in the directory tree. You may enter this value either in the LDAP notation or as UNC.
For example for an Active Directory domain with the name kirk.bridge.enterprise.com this entry
would look like this:
LDAP: dc=kirk, dc=bridge, dc=enterprise, dc=com
UNC: kirk.bridge.enterprise.dc=com
e In the User DN field you must enter the distinguished name of the user. This is the name uniquely
identifying the user. You may enter this value either in the LDAP notation or as UNC. This would be for
example cn=username, cn=usergroup where username is the user you wish to connect as, and usergroup
is the folder that contains username in Active Directory Users and Computers, or \\username\usergroup as
UNC.

5 Enter the following data into the respective fields in the Password tab:
a Enter the password of the directory server through which the above defined user may access it into the New
Password field. Be sure to enter the correct password, otherwise the directory server cannot be accessed
from the console. For security reasons the password will be displayed in the form of asterisks (*).
b Confirm the password entered into the Confirm New Password field above by re-entering it into this field.
6 Click the OK button at the bottom of the window to confirm the new directory server and to close the window.
7 Now, to make sure you have entered all the data above correctly you may want to try the connection.
8 To do so double-click the newly entered directory server.
9 Select the Edit->Check Connection menu item or the respective icon ( ) in the icon bar.
10 The console will verify its connection with the directory server and make the results known in a message box
displayed on the screen. The results are either Connection successful! if the connection could be
successfully established, or if it failed the message box displays the server’s answer, such as Login Failed or
Server Down.

If the connection failed this may be due either to a physical problem with the network or some directory server
data incorrectly entered.

Synchronisation 1: Device Group


In our first example we will synchronise a device group with an Active Directory group. This process is divided
into the following steps:
1 Define the Active Directory Server in the console if it doesn’t exist yet (see Step 1 above)
2 Create the device group
3 Assign the directory server to the new device group and synchronise

Step 2: Create Device Group


The first actual step for synchronisation is to create the device group which is to be a mirror of one of the active
directory groups.
1 Select the Device Groups top node.
2 Then either select the Edit->Create Device Group menu item or select the respective icon ( ) in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter a name for the new group, e.g. AD Group. The name of this group is completely irrelevant; you may
leave the default name, as it will be changed to the name of the directory server group once it is synchronised.

If you select Members Only for this value, you will not be able to assign the Directory Server, as the required
subnodes to do so are not displayed.

5 Click the OK button at the bottom of the window to confirm the new group.

Step 3: Assign the Directory Server to the New Group


Before the groups can be synchronised a relation must be established between the NAMP device group and the
Active Directory group. To do so the directory server is assigned to the device group.
1 Open the Dynamic Population->Directory Server node of the group.
2 Select the Edit->Assign Server menu item or click the respective icon ( ) in the icon bar.
3 The Select a Directory Server window appears on the screen.
4 Select the directory server entry you just added in the console from the list box. You may either select the
directory server itself or one of its children.

5 Now that the directory server is assigned to the group its name will change to the name of the selected unit, i.e.
Computers in the example above.

The name of a device group synchronised with an active directory server will always be modified to the name
of the synchronised group and the name of the server with the format: <entry>.<directory server
name>.

6 The Properties window opens on the screen. Here you may specify if all devices are
to be synchronised or only those with a NAMP agent installed. Leave the preselected
value and then click the OK button to confirm.
7 A confirmation window appears on the screen. Click Yes to immediately
synchronise with the selected directory server.

If you want to schedule the synchronisation at a specific later time or to execute it at regular intervals click No
and see Option (a).

8 The synchronisation is executed immediately.


9 The Directory Server Synchronisation window appears displaying the results of the operation. It lists all
objects that have been added with their status which in this case will always be New Object. Click Close to
close this window.

10 If you go back now to the Device Groups top node you will see that the name of your group has changed, in the
example here from AD Group to Computers.support.sophia.

Synchronisation 2: Administrator Group


In our next example we will synchronise an administrator group with an Active Directory group. This process is
divided into the following steps:
1 Define the Active Directory Server in the console if it does not exist yet (see Step 1 at the beginning of the
chapter)
2 Create the administrator group
3 Assign the directory server to the new administrator group and synchronise

Step 2: Create Administrator Group


To synchronise an administrator group it must first be created. To do so proceed as follows:
1 Open the Global Settings->Administrator Groups node in the left window pane.
2 Select the Edit->Create Administrator Group menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter a name into the respective field. This name is of no importance; it will be replaced with the name of the
active directory group after the synchronisation.

5 Click the OK button at the bottom of the window to confirm the new administrator group.

Step 3: Assign the Directory Server to the New Group


Before the groups can be synchronised a relation must be established between the NAMP administrator group and
the Active Directory group. To do so the directory server is assigned to the administrator group.
1 Open the Dynamic Population->Directory Server node of the group.
2 Select the Edit->Assign Server menu item or click the respective icon ( ) in the icon bar.
3 The Select a Directory Server window appears on the screen.
4 Select the directory server entry from the list box. You may either select the directory server itself or one of its
children. In our example we have chosen a subgroup called France. Click OK to confirm.

5 The Administrator Authentication window appears on the screen.



a Normally, when synchronising an administrator group with a directory server the system authentication
will be used at the connection with the console. The Authentication drop-down list allows you to choose
between the system authentication and a PAM authentication for Linux masters.
b The Login Type drop-down list allows you to choose between the following three types of login for the
synchronisation:
Login: james.c kirk
Domain\Login: Enterprise\james.c kirk
Internet Style Login: jckirk@Enterprise.bridge.starfleet.com
The Internet Login type corresponds to the userPrincipalName attribute on the directory server. If this
attribute is not filled in, the administrator will not be synchronised if the login type Internet is selected.
6 Click OK.
7 Now the connection with the directory server is established.

The name of an administrator group synchronised with an active directory server will always be modified to
the name of the synchronised group and the name of the server with the format: <entry>.<directory
server name>.

8 A confirmation window appears on the screen. Click Yes to immediately synchronise with the selected
directory server.

If you want to schedule the synchronisation at a specific later time or to execute it at regular intervals click No
and see Option (a).

9 The synchronisation is executed immediately.


10 The Directory Server Synchronisation window appears displaying the results of the operation. It lists all
objects that have been added with their status which in this case will always be New Object. Click Close to
close this window.

Contrary to device and user groups, administrator groups do NOT contain subgroups. Therefore, even if the
active directory server unit the admin group was synchronised with did have subgroups these will be
completely ignored. Only administrators located directly under the selected unit will be synchronised.

11 If you go back now to the Administrator Groups top node you will see that the name of your group has
changed, in the example here from AD Group to France.Business..... The format of the new name is
<entry>.<directory server name>.
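
The following script is an added example; it is not part of the Numara product or of the original manual. It models the two selection rules stated above (only entries located directly under the selected unit are synchronised, and the Internet Style Login requires a filled-in userPrincipalName) so that you can review which directory accounts would become console administrators before confirming the synchronisation. Reading the plain Login and Domain\Login from sAMAccountName is an assumption, and the function names and sample entries are constructed.

```python
# Added example: models the selection rules the manual states; not NAMP code.

BASE = "dc=Enterprise,dc=bridge,dc=starfleet,dc=com"

# Constructed sample directory entries (illustrative only).
SAMPLE_ENTRIES = [
    {"dn": "cn=James Kirk,ou=France," + BASE,
     "sAMAccountName": "james.c kirk",
     "userPrincipalName": "jckirk@Enterprise.bridge.starfleet.com"},
    {"dn": "cn=Nyota Uhura,ou=France," + BASE,
     "sAMAccountName": "n.uhura",
     "userPrincipalName": ""},                       # UPN not filled in
    {"dn": "cn=Pavel Chekov,ou=Paris,ou=France," + BASE,
     "sAMAccountName": "p.chekov",                   # sits in a subgroup
     "userPrincipalName": "pchekov@Enterprise.bridge.starfleet.com"},
    {"dn": "cn=Scott\\, Montgomery, ou=France, " + BASE,
     "sAMAccountName": "m.scott",                    # escaped comma in the RDN
     "userPrincipalName": "mscott@Enterprise.bridge.starfleet.com"},
    {"dn": "cn=Leonard McCoy,ou=Spain," + BASE,
     "sAMAccountName": "l.mccoy",                    # outside the selected unit
     "userPrincipalName": "lmccoy@Enterprise.bridge.starfleet.com"},
]

# Directory attribute read for each login type.
LOGIN_ATTRIBUTE = {
    "login": "sAMAccountName",         # assumption, not stated in the manual
    "domain_login": "sAMAccountName",  # assumption, not stated in the manual
    "internet": "userPrincipalName",   # stated in the manual
}


def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    normalised = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        if attr.strip():
            normalised.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalised


def preview_admin_sync(entries, unit_dn, login_type, domain=""):
    """Return (imported_logins, skipped) for an administrator-group sync.

    skipped is a list of (dn, reason) for entries under the unit that the
    documented rules would leave out.
    """
    attribute = LOGIN_ATTRIBUTE[login_type]
    unit = split_dn(unit_dn)
    if not unit:
        raise ValueError("unit_dn must not be empty")
    imported, skipped = [], []
    for entry in entries:
        rdns = split_dn(entry["dn"])
        if len(rdns) <= len(unit) or rdns[-len(unit):] != unit:
            continue  # not below the selected unit at all
        if len(rdns) > len(unit) + 1:
            # Administrator groups do not contain subgroups.
            skipped.append((entry["dn"], "located in a subgroup"))
            continue
        value = entry.get(attribute, "").strip()
        if not value:
            skipped.append((entry["dn"], attribute + " not filled in"))
            continue
        if login_type == "domain_login":
            value = domain + "\\" + value
        imported.append(value)
    return imported, skipped


if __name__ == "__main__":
    unit = "ou=France, " + BASE
    logins, left_out = preview_admin_sync(SAMPLE_ENTRIES, unit, "internet")
    print("Would become administrators:", logins)
    for dn, reason in left_out:
        print("Skipped:", dn, "-", reason)
```

Compare the returned login list with the accounts you intend to grant console access, and investigate any unexpected entry before the first synchronisation.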

Synchronisation 3: User Group


In this example we will synchronise a user group with an Active Directory group. This process is divided into the
following steps:
1 Define the Active Directory Server in the console if it doesn’t exist yet (see Step 1 at the beginning of the
chapter)
2 Create the user group
3 Assign the directory server to the new user group and synchronise

Step 2: Create User Group


The first actual step for synchronisation is to create the user group which is to be a mirror of one of the active
directory groups.
1 Select the User Groups top node.
2 Either select the Edit->Create User Group menu item or select the respective icon ( ) in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter a name for the new group, e.g. AD Group. The name of this group is completely irrelevant; you may
leave the default name, as it will be changed to the name of the directory server group once it is synchronised.

5 Click the OK button at the bottom of the window to confirm the new group.

Step 3: Assign the Directory Server to the New Group


Before the groups can be synchronised a relation must be established between the NAMP user group and the
Active Directory group. To do so the directory server is assigned to the user group.
1 Open the Dynamic Population->Directory Server node of the group.
2 Select the Edit->Assign Server menu item or click the respective icon ( ) in the icon bar.
3 The Select a Directory Server window appears on the screen.
4 Select the directory server entry you just added in the console from the list box. You may either select the
directory server itself or one of its children. In our example we have chosen the Users unit containing all user
subgroups and users.

5 Now that the directory server is assigned to the group its name will change to the name of the selected unit, i.e.
Technical Support in the example above.

The name of a user group synchronised with an active directory server will always be modified to the name of
the synchronised group and the name of the server with the format: <entry>.<directory server
name>.

6 A confirmation window appears on the screen. Click Yes to immediately synchronise with the selected
directory server.

If you want to schedule the synchronisation at a specific later time or to execute it at regular intervals click No
and see Option (a).

7 The synchronisation is executed immediately.


8 The Directory Server Synchronisation window appears displaying the results of the operation. It lists all
objects that have been added with their status which in this case will always be New Object. Click Close to
close this window.

9 If you go back now to the User Groups top node you will see that the name of your group has changed, in the
example here from AD Group to FabienC. The format of the new name is <entry>.<directory server
name>. Also the icon of the group has been changed from the static icon ( ) to the directory server managed
group icon ( ).

5.2 Options
The following paragraphs will provide you with a number of options that may be used with active directory
synchronisations. The following options will all be executed for device groups, but they work in the same way for
user and administrator groups as well.
(a) Synchronise a Device Group at a Specific Date and Time and/or Regular Intervals
You may want to schedule the synchronisation for a later moment or periodically re-synchronise your device
group with the directory server to keep your group up to date. The following example is for device groups, but
the same principle also applies to user and administrator groups.
To schedule a synchronisation and thus synchronise a group proceed as follows:
1 Open the Device Groups-><GroupToSynchronise>->Dynamic Population->Directory Server-><AssignedDirectoryServer> node.
2 Mark the directory server in the right window pane and select the Edit->Properties... menu item or click the
respective icon ( ) in the icon bar.
3 The Properties window appears on the screen.
4 This window provides you with the synchronisation scheduling options:
a For execution at a later date and time select the following:
1 Check the Deferred to radio button to schedule a directory server synchronisation for a later date.
2 Enter a date into the field or click the arrow to call the calendar on the screen and select a date.
3 From the At drop-down box select the time of the day at which the synchronisation is to be launched.

b For a periodic synchronisation once a week on Sundays at midnight:


1 Select the radio buttons Immediately and Run Forever in the Validity tab.
2 Then go to the Frequency tab and make the following additional selections:
3 Check the Day of the Week radio button to schedule a directory server synchronisation for a specific day
of the week.
4 The fields below become available. Uncheck all boxes apart from Sunday.
5 In the Period box select the value Once Only, to run it once on the selected day.
6 In the At drop-down box leave the preselected value 0:00, to launch the synchronisation at midnight.

5 Click OK to confirm the new schedule.


6 The synchronisation between the group and the assigned directory server will be launched once the specified
time arrives.
6 Reports Step-by-Step
Reports in the Numara Asset Management Platform can be created and generated in different ways for almost any
of the object types which exist in the NAMP database. In this exercise we are going to create a number of reports
regarding the outcome of the exercises we did in the preceding chapters.
Reports tend to be carried out on a number of clients which can be grouped through a query or they may be
directly assigned to a device group. Most of the reports we will use are predefined reports (Out-of-the-box objects)
but we will also create a report from scratch and execute it.
Report data may be displayed either in tabular format or as a graphical representation. These should provide you
with a very clear picture of the activity on your system and what has happened on the specific objects that you are
interested in. You can explore and analyse your data by using a variety of graphs available in the console.
Two report types are available: style-based and template-based.
Style-based
These reports are based on a layout type that defines the number of subreports the report contains and how
these subreports are ordered on the displayed or printed page. 12 different layout styles are available. Style-
based reports may either base their generated data on the results of a query, on the members of a device group
or both.
Template-based
Template-based reports are provided in XML, HTML and PDF format. This report type is available for
vulnerability management, patch management, power management, application management and compliance
rules.
Prerequisites
We assume that:
• the master, console and database have been installed
• you have rolled out the NAMP agent to a number of devices as described in the Installation manual.
• a console is open and connected to the master
• you have installed the out-of-the-box objects during the master installation
• you have done the exercises in the preceding chapters Rollout, Queries and Device Groups, Configuration
Management and Directory Server Synchronisation or at least the one for the object you now want to create the
report for.

6.1 Report Examples


This chapter is divided into the following sections:
1 Out-of-the-box reports based on queries
2 Out-of-the-box reports assigned to device groups
3 Template-based reports
4 Create new style-based reports, assign and generate them.

6.1.1 Out-of-the-box Reports Based on Queries


The out-of-the-box reports that are based on queries are ready to be employed immediately, they only need to be
generated.

Report 1: Hardware Summary List


For our example we will use a report called Hardware Summary List, which is located directly below the main
Reports node. To generate it immediately proceed as follows:
1 Go to the Reports node.
2 Select the Hardware Summary List report in the table in the left window pane.
3 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.
4 A confirmation window appears on the screen, click the OK button to confirm.
5 The report will be created immediately using the current data of the database.
6 To view the Hardware Summary List report select the Edit->View Last Result menu item or the respective
icon ( ) in the icon bar.
7 A login window appears on the screen. Enter the login credentials with which you are currently logged on to
the console, in our case here this should be admin and no password.
8 A new browser window or tab opens and displays the report.

These reports may be generated at regular intervals to provide an overview of the general development of
your network. See Option (d).

To view the generated report via the Report Results node see Option (a).

Report 2: Active Directory Results


To view the results of your directory server device group synchronisation generate the report called Active
Directory Devices as described above.

Report 3: Global Software List


To get an overview of all software programs which are installed on the devices in your network generate the report
called Global Software List as described above.

6.1.2 Out-of-the-box Reports Assigned to Device Groups


All out-of-the-box reports, based on queries, may be assigned to device groups. This report will then display the
same information but limited to the data of the assigned device group. To assign and then generate the Hardware
Summary List report immediately proceed as follows:
1 Go to the Reports node.
2 Select the Hardware Summary List report in the table in the left window pane.
3 Go to its Assigned Objects->Device Groups node.
4 Then select the Edit->Assign Device Group menu item or click the respective icon ( ) in the icon bar.
5 The Assign to Device Group popup window will appear on the screen.
6 Select the All Devices group from the window.

7 Click OK to confirm the assignment and close the window.


8 The device group will be added to the table of assigned device groups.
9 Then go back to the Hardware Summary List report in the left window pane.
10 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.
11 A confirmation window appears on the screen, click the OK button to confirm.
12 The report will be created immediately using the current data in the database concerning the assigned device
group.

The report result which is generated will be put in all the required places according to the report's settings. This
means it will be available under the Report Results node of the report, as well as under that of the device
group it is assigned to.

13 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report. This report displays now the same type of data as
in the example above, but only for all client devices in your network, i.e. the master and relay are missing from
the list and graphs.

These reports may be generated at regular intervals to provide an overview of the general development of
your network. See Option (d).

To view the generated report via the Report Results node see Option (a).

6.1.3 Template-based Reports


Template-based reports are, as their name indicates, templates which may be used to create your own reports
according to a specific model or template, and they are provided in XML, HTML and PDF format. This report type
is only available for Patch Management, Vulnerability Management, Power Management, Application Management
and Compliance Rules. Examples and how to use these are explained in detail in the respective chapters.
If you have imported the out-of-the-box objects one report was created for each of the existing templates in their
respective folders. In this chapter we will create such a report for the vulnerability situation, but it cannot be
generated yet, as no vulnerabilities have been found yet. It will be generated in chapter Vulnerability Management
Step-by-Step.

Report 4: Situation by Vulnerability


To create a new report based on a template proceed as follows:
1 Select the main Reports node in the left pane.
2 Either select the Edit->Create Report menu item or select the respective icon ( ) in the toolbar.
3 The Properties dialog box appears on the screen.
4 Enter the following data into the respective fields and leave all other values as they are:
Name
Enter the name of the new report into this field, e.g. Situation by Vulnerability.
Report Title
Enter the title of the report, you can just copy the name here, e.g. Situation by Vulnerability. This text will
appear on top of your report as the heading.
Report Type
Select from the drop-down list the Template-based option.
Report Template
Select from the drop-down box the report template to use. For this example we will use the template called By
Vulnerability.

If the report is to be made publicly available see Option (g) now.

If the report is to always be generated in other formats than only HTML see Option (f) now.

5 Click the OK button at the bottom of the window to confirm the data for the new report and to close the window.
6 The report is now created and configured, it remains to generate it once the required data are available.

6.1.4 Creating and Generating New Reports


The following paragraphs will explain how to create a new report from scratch for the following
requirements:
• Operational Rule Status report: This report returns the status on all operational rules that were executed for
the different examples in your test environment.
• Agent Rollout Results report: This report returns the results of the agent rollout in your test environment.
• Monthly Device Update report: This report returns the list of all devices that were updated within the last
month.

Report 5: Operational Rule Status


This report returns the status on all operational rules that were executed for the different examples in your test
environment.
Generally when creating a report a query must be created first if the report is not to be executed on a device group,
which is the case for this example. Therefore we will execute the following steps for this report:
1 Create Query
2 Create and Generate Report
3 View Report
Step 1: Create Query
The query for our report will collect all operational rule status that can be found:
1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the following data into the respective fields and leave all others untouched.
a Enter the name of the new query into the Name field, use Operational Rule Status for this case.
b In the Type field select the value Device - Operational Rule Assignment.
5 Click OK to create the query and to close the window.
6 The newly created query will directly appear in the table in the right window pane.

7 Since we want the query to collect all possible values no criteria must be defined and the query is set up.
8
To generate a report on a specific status value, for example for the status failed this query must be defined to
collect only the requested status value. Refer to Option (h) how to define the query for this case.

9 Select the Preview tab where you can see a preview of the query’s results.

Step 2: Create and Generate Report


In the second step the actual report will be created. Our report will be in the form of a table with four columns which
list the name of the operational rule that was executed, the final execution status, the device on which it was
executed and, if applicable, the device group via which the rule was assigned. To create the report via the wizard proceed as
follows:
1 Select the Wizards->Report Creation menu item or the respective icon ( ) in the icon bar.
2 The Report Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 2a: Report
The first step defines the report base information as follows:
1 Enter the following data into the respective fields and leave all other values unchanged:
Name
As the name enter Operational Rule Status.
Report Title
Enter the title of the report, for example, Execution Status of all Operational Rules. This text will appear on top
of your report as the heading.

Option (b) explains how to create this report with two subreports, the first in form of a table, the second
displaying the same information in form of a pie chart.

To later on modify the number of subreports (add more subreports) see Option (c).

To make the report available on the Report Portal see Option (g) now.

2 Click Next to go to the following wizard page.



Step 2b: Subreports


This step is concerned with the configuration of the subreports. It provides one tab for each subreport of the
report, i.e. in our case one tab.
1 When creating a report based on a query, the first thing when defining the contents is to select the query which
defines the attributes which may be chosen for the report.
2 To do so first select the Device - Operational Rule Assignment value from the Query Type.
3 The Operational Rule Status query should now be preselected in the Query Name field.
4 As the table is the preselected format for the report we do not need to modify it just now.

If another report format is desired, such as a chart, refer to Option (b) or Option (c) now.

5 Now select the Add Column icon ( ) to add your first column to the report.
6 The Select Report Columns dialog box will appear on the screen.
7 The left list window of the dialog box (Available Columns) will display all available attributes for this query.
8 Select the Status value from directly under the Available Columns, and leave all other values as they are.
9 Click the Add button ( ) to move the attribute to the list of Selected Columns.
10 Then click the Operational Rules folder and select the Name attribute, with the None operator and the Sort
Order Ascending, as we want the table sorted by the operational rule names.
11 Click the Add button ( ) to move the attribute to the list of Selected Columns.
12 Now click the Devices folder and select the Name attribute. This will then display the name of the device on
which the rule was executed with the respective status.
13 Click the Add button ( ) again.
14 Now click the Device Groups folder and select again the Name attribute. This column will display the name of
the device group if the rule was assigned via a device group, if not this column will remain empty.
15 Click the Add button ( ) again.

16 Click OK to close the window.


17 To have a preview of the newly created report click the Subreport Preview button below.
18 A new browser tab opens in which you may see how this subreport will appear in the final report.
19 Click Next to go to the following wizard page.
Step 2c: Publication and Mail
We will not publish this report or send it via e-mail, therefore just click Next to go to the following wizard page.

Step 2d: Assigned Objects


We have assigned a query to our subreport and want to see the results of the whole population, therefore no
device group needs to be assigned.
20 Click Next to go to the following wizard page.
Step 2e: Schedule
Now that the report is set up it remains only to define its generation schedule. To do so proceed as follows:
1 Check the Immediately radio button in the Execution Date panel.
2 Check the Immediately generate the report box at the bottom of the window.

3 Click the Finish button at the bottom of the window to confirm the new report and immediately generate it.

Step 3: View Report


The report will be directly generated. To display it proceed as follows:
1 Reselect the report again in the left window pane.
2 Then go to the Report Results subnode.
3 The table in the right window pane will show one entry for the generated report.
4 To view the report select the Edit->View menu item or the respective icon ( ) in the icon bar.
5 A new browser window or tab opens and displays the report. This report displays now the data as previewed:
a table with the list of operational rules and their final execution status, as well as the devices/ assigned device
groups.

6 These reports may be generated at regular intervals to provide an overview of the general development of
your network. See Option (d).

Report 6: Agent Rollout Results


To see how the agent rollout worked we will create a report again in form of a table that will list all devices with
their installation status. To create the report we will need to execute again the following steps:
1 Create Query
2 Create and Generate Report
3 View Report
Step 1: Create Query
The query for our report will collect all push configurations that can be found:
1 To create the query, select the main Queries node in the left window pane.
2 Select the Edit->Create Query menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box will appear on the screen.
4 Enter the following data into the respective fields and leave all others untouched.
a Enter the name of the new query into the Name field, use Rollout Status for this case.
b In the Type field select the value Push Configuration.
5 Click OK to create the query and to close the window.
6 The newly created query will directly appear in the table in the right window pane.
7 Since we want the query to collect all possible values, no criteria need to be defined and the query is set up.
8 To generate a report on a specific status value, for example the status failed, this query must be defined to
collect only the requested status value. Refer to Option (h) for how to define the query for this case.

9 Select the Preview tab where you can see a preview of the query’s results.

Step 2: Create and Generate Report


Our report will be in form of a table with two columns which list the name of the device and its installation
status. To create the report via the wizard proceed as follows:
1 Select the Wizards->Report Creation menu item or the respective icon ( ) in the icon bar.
2 The Report Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 2a: Report
The first step defines the report base information as follows:
1 Enter the following data into the respective fields and leave all other values unchanged:
Name
As the name enter Rollout Status.
Report Title
Enter the title of the report, for example, NAMP Agent Rollout Results. This text will appear on top of your
report as the heading.

2 Click Next to go to the following wizard page.


Step 2b: Subreports
This step is concerned with the configuration of the subreports. It provides one tab for each subreport of the
report, i.e. in our case one tab.
1 When creating a report based on a query, the first thing when defining the contents is to select the query which
defines the attributes which may be chosen for the report.
2 To do so first select the Push Configuration value from the Query Type.
3 The Rollout Status query should now be preselected in the Query Name field.
4 Select the Edit->Add Column icon ( ).
5 The Select Report Columns dialog box will appear on the screen.
6 The left list window of the dialog box (Available Columns) will display all available attributes for this report.
7 First open the Assigned Devices folder and then select the Device Name value, with the None operator
and the Sort Order Ascending.
8 Click the Add button to move the attribute to the list of Selected Columns.
9 Then select the Rollout Status value from directly under the Available Columns, with the None operator
and the Sort Order None.
10 Click the Add button to move the attribute to the list of Selected Columns.
11 Click OK to close the window.

12 Click Next to go to the following wizard page.


Step 2c: Publication and Mail
We will not publish this report or send it via e-mail, therefore just click Next to go to the following wizard page.
Step 2d: Assigned Objects
We have assigned a query to our subreport and want to see the results of the whole population, therefore no
device group needs to be assigned. Click Next to go to the following wizard page.
Step 2e: Schedule
Now that the report is set up it remains only to define its generation schedule. To do so proceed as follows:
1 Check the Immediately radio button in the Execution Date panel.
2 Check the Immediately generate the report box at the bottom of the window.
3 Click the Finish button at the bottom of the window to confirm the new report and immediately generate it.

4 A confirmation window appears now on the screen. To directly move the focus of the console to the newly
created report click Yes.
5 The console will now display the main view of the newly created report.

Step 3: View Report


The report will be directly generated. To display it proceed as follows:
1 Reselect the report again in the left window pane.
2 Then go to the Report Results subnode.
3 The table in the right window pane will show one entry for the generated report.
4 To view the report select the Edit->View menu item or the respective icon ( ) in the icon bar.
5 A new browser window or tab opens and displays the report. This report displays now the list of all devices on
which a NAMP agent is installed together with the agent installation status.

Report 7: Monthly Device Update


This report shows, in tabular and chart format, all devices which were updated during the last month. We will also
schedule this report to be executed automatically on the first of each month.
In this example we will create the report via the wizard. Proceed as follows:
1 Select the Wizards->Report Creation menu item or the respective icon ( ) in the icon bar.
2 The Report Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1: Report
The first step defines the report base information as follows:
1 Enter the following data into the respective fields and leave all other values unchanged:
Name
As the name enter Updated Devices.
Report Title
Enter the title of the report, for example, Monthly Device Update. This text will appear on top of your report as
the heading.
Report Style
From this dropdown list select Style 5. This will give the report two subreports one below the other, as the
little icon indicates.

2 Click Next to go to the following wizard page.

Step 2: Subreports
This step is concerned with the configuration of the subreports. It provides one tab for each subreport of the
report, i.e. in our case two tabs.
1 Our first subreport will contain the graphic, a pie chart detailing the different operating systems found on the
updated devices.
2 As the title enter Devices by Operating System Name into the field Subreport Title.
3 When creating a report based on a query, the first thing when defining the contents is to select the query which
defines the attributes which may be chosen for the report.
4 Leave the Device value in the Query Type field.
5 Then select the Updated Devices query in the Query Name field.
6 In the Subreport Format field below select the Pie Chart value.
7 Click the Display the options icon next to the field.
8 The Report Format Options window appears on the screen. This window allows you to configure the pie chart
parameters.
9 Make the following modifications to enlarge and enhance the chart:
• Check the Value Labels box.
• Increase the Chart Width to 800.
• Increase the Chart Height to 400.
• Check the Percent Labels box.

Then click the OK button to confirm and close the window.


10 Now select the Add Column icon ( ) of the Data panel.
11 The Select Report Columns dialog box will appear on the screen.
12 The left list window of the dialog box (Available Columns) will display all available attributes for this report.
13 Select the value Operating System Name, leave all other fields.
14 Click the Add button ( ) to move the attribute to the list of Selected Columns.
15 Click OK to close the window.
16 Now go to the Series panel.
17 Select again the Add Column icon ( ) of the Series panel.
18 The Select Report Columns dialog box will appear on the screen.
19 Select again the value Operating System Name, leave all other fields.
20 Click the Add button to move the attribute to the list of Selected Columns.
21 Click OK to close the window.

22 Now select the Subreport 2 tab.


23 As the title enter Device Details into the field Subreport Title.
24 When creating a report based on a query, the first thing when defining the contents is to select the query which
defines the attributes which may be chosen for the report.
25 Leave the Device value in the Query Type field.
26 Then select the Updated Devices query in the Query Name field.
27 Now select the Edit->Add Column icon ( ).
28 The Select Report Columns dialog box will appear on the screen.
29 The left list window of the dialog box (Available Columns) will display all available attributes for this report.
30 Select the value Name, leave all other fields.
31 Click the Add button ( ) to move the attribute to the list of Selected Columns.
32 Now select the value IP Address, leave all other fields.
33 Click the Add button ( ).
34 Then select the value Last Update, leave all other fields.
35 Click the Add button ( ).
36 Finally select the value Operating System Name, leave all other fields.
37 Click the Add button ( ) to also move this attribute to the list of Selected Columns.
38 Click OK to close the window.
39 All subreports are now set up.
40 Click Next to go to the following wizard page.

Step 3: Publication and Mail


We will make this report a public report. This means that it will be available on the report portal and all persons
with valid access to this HTML page may view this report. We will also send this report to our own account by
e-mail once it is generated.
1 Enter Monthly Device Update into the Report File Name field.
2 Then check the box Public Report.
3 Above the lower panel select the Add e-mail icon ( ).
4 The Define Mail dialog box appears on the screen. To specify the recipients as direct recipients, copy
recipients and blind copy recipients, you proceed in the same way.
To enter recipients click the To.../CC.../BCC... button and the Select an Address dialog box appears on the
screen.
• To select an administrator or administrator group from the list, click the Select from List radio button and
then select the recipient(s) below. You may specify an administrator group as the recipient; in this case the
mail will be sent to all members of this group that have a valid e-mail address entered into their general
data tab.
• Or you may click the Select Manually radio button and enter any valid e-mail address into the field below.
You may also enter more than one address by separating these with a semicolon, for example,
scotty@enterprise.com;kirk@enterprise.com.
5 Then enter Monthly Device Update Report as the Subject of the mail.
6 Click OK to confirm the mail and add it to the list.

7 Click Next to go to the following wizard page.

Step 4: Assigned Objects


It is not necessary to assign this report to a group, we have assigned both subreports to a query and we want to see
the information for our whole network. Therefore just click Next to go to the following wizard page.

Step 5: Schedule
Now that the report is set up it remains only to define its generation schedule, on the first of every month. To do
so proceed as follows:
1 Check the Immediately radio button in the Execution Date panel.
2 Check the Run Forever radio button in the Termination panel.

3 Check the Immediately generate the report box at the bottom of the window. This will generate a report right
now for immediate results in addition to the monthly schedule.
4 Now go to the Frequency tab.
5 In the By Schedule panel select the Day of the Month radio button.
6 And select from the list below the value 1st day of the month.
7 Now go to the panel to the right and select the value Once Only in the Period field.
8 In the field below, at, enter the time at which it is to be generated, i.e., at 5 in the morning.
9 Then click the Finish button at the bottom of the window to confirm the new report and immediately generate
it.

10 A confirmation window appears now on the screen. To directly move the focus of the console to the newly
created report click Yes.
11 The console will now display the main view of the newly created report.
12 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
13 A new browser window or browser tab opens to display the report.
14 Enter admin as your login in the appearing window.

15 To view the generated report via the Report Results node see Option (a).

6.2 Report Options


The following paragraphs provide a number of options for the reporting functionality of the Numara Asset
Management Platform.
(a) Report Results
Each time a report is generated, a new node is created under the Report Results node. If no specific name is
provided, the node is named after the local date and time at which the report was generated, as given by the
computer on which it is generated. These report results are also automatically sorted into folders if they are
generated for device groups. This is valid for the Report Results subnode of the respective report as well as for the
Report Results subnode of any device or vulnerability group the report is assigned to.
Each node for an individual report as well as all objects which may be assigned to a report have a subnode called
Report Results. Under this node all reports are stored that were generated. From here you may display all
generated versions of the report.

(b) Report with Two Subreports


This report displays the same data once in form of a table and then in form of a pie chart for the Operational Rule
Status report (Report 5:).

1 At Step 2a: Point 1 (page 100), select Style 5 from the Report Style field.
2 The field below Subreport Count will change from 1 to 2.

3 Continue with Step 2b: (page 101) for Subreport 1.


4 Then select the tab for the second subreport, Subreport 2 and again repeat the steps of Step 2b: (page 101).
5 At the end add two more columns:
• Select the Status value from directly under the Available Columns, with the Count operator and the Sort
Order None.
• Select the Status value again from directly under the Available Columns, with the None operator and the
Sort Order None and the Group By box checked.
6 These two columns are absolutely obligatory for any type of graphical display. If these are not provided
the data may only be displayed in form of a table.

7 Now select the Pie Chart option from the Subreport Format box.

8 You can see that the original Data list field was now split in two, and the selected attributes were divided as
required.

9 To have a preview of the newly created subreport select the Subreport Preview button at the bottom.
10 Enter again your login in the appearing window.
11 A new browser window or tab opens and displays the report. This view displays now a preview of the
subreport.
12 Continue with Step 2c: to finish defining and then generate the report.
(c) Modify the Number of Subreports
If, after setting up a report, you find that you need more information in this report provided by other subreports, you
may modify it by changing the report style and adding more subreports. In this example we will extend the
Operational Rule Status report with two more subreports: one which shows the same data as the initial report in
pie chart format, and a second which displays data regarding the operational rules themselves.
1 Select the Operational Rule Status report (Report 5:) in the right window pane and then select the Properties
icon ( ) in the icon bar.
2 In the appearing Properties window go to the field Report Style and select from its drop-down list the item
Style 3. Then click OK to close the window.
3 The field below Subreport Count will change from 1 to 3.

4 The node in the left window pane will now display three subnodes.

5 The data defined for Subreport 1 will remain as they were defined in the main example.
6 Now the same data must be defined for the graphical representation of this data.
7 If you have done Option (b) you may continue directly with Point 13 below.
8 For this select the second subreport, Subreport 2, in the left window pane and again repeat the steps of Step
2b: (page 101) of the main report procedure.
9 Then add two more columns:
• Select the Status value from directly under the Available Columns, with the Count operator and the Sort
Order None.
• Select the Status value again from directly under the Available Columns, with the None operator and the
Sort Order None and the Group By box checked.
10 These two columns are absolutely obligatory for any type of graphical display. If these are not provided
the data may only be displayed in form of a table.

11 Then select the Format tab.


12 Select from the Subreport Format box the Pie Chart option.

13 The third subreport will show a list in table format displaying more information about the operational rules
themselves, i.e. their type, who created them and when, etc.
14 For this select the third subreport, Subreport 3, in the left window pane and go to its Columns tab.
15 In the Query drop-down box at the top of the table, select again the Operational Rule Status query.
16 Then either choose the Edit->Add Column menu item or click the respective icon ( ) in the icon bar to add
your first column to the report.
17 The Select Report Columns dialog box will appear on the screen.
18 The left list window of the dialog box (Available Columns) will display all available attributes for this query.
19 First click the Operational Rules folder and select the Name attribute, with the None operator and the Sort
Order Ascending, as we want the table sorted by the operational rule names.
20 Click the Add button to move the attribute to the list of Selected Columns.
21 Then select the Type attribute, with the None operator and the Sort Order None as well. This attribute will
display if the rule is a general operational rule, a software distribution or a patch rule.
22 Click the Add button again.
23 Then select the Notes attribute. This will display any comments that were added to the rule by its creator.
24 Click the Add button again.
25 The next column will be the Created By attribute.
26 Click the Add button again.
27 And the final column will be the Create Time attribute. These two will display who initially created the rule
and when it was created.
28 Click the Add button again.
29 Click OK to close the window.

30 As the table is the preselected format for the report we do not need to modify it.
31 To have a preview of the newly created report select it again in the left window pane and then the Edit->View
menu item or select the respective icon ( ) in the toolbar.
(d) Regularly Execute a Report
To generate the report regularly and/or at a specific time proceed as explained below. For our example here we will
generate the report every week on Sunday night. This way we can start examining the data right away on Monday
morning:
1 In window Step 2e: Schedule of the wizard make the following modifications:
2 Check the Immediately radio button in the Execution Date panel.
3 Check the Run Forever radio button in the Termination panel.
4 Check the Immediately generate the report box at the bottom of the window. This will generate a report right
now for immediate results in addition to the monthly schedule.

5 Now go to the Frequency tab.


6 In the By Schedule panel select the Day of the Week radio button.

7 Now uncheck all boxes in the field below apart from the Sunday box.
8 Now go to the panel to the right and select the value Once Only in the Period field.
9 In the field below, at, enter the time at which it is to be generated, i.e., at 5 in the morning.

10 Then click the Finish button at the bottom of the window to confirm the new report and immediately generate
it.
11 Continue as described by Step 3: View Report of the general procedure.
(e) Modify the Generation Schedule Later
To schedule a report to be generated at a specific time and/or date or be generated at regular intervals do the
following:
1 Select the Hardware Summary List report in the left window pane.
2 Select the Assigned Schedule tab in the right window pane. The table displays the schedule for the report
which is currently disabled.

3 To modify the schedule either double-click the table entry or select the Properties icon ( ) in the icon bar.
4 The Scheduler window will open on the screen on the Validity tab.
5 In the Execution Date box define on when to run the report. In our example we will select the Immediately
radio button to see the outcome right away.

6 Then go to the Termination box below, click the Run Forever radio button.
7 Now select the Frequency tab and make the following changes.
8 Check the Day of the Week radio button.
9 The checkboxes for the weekdays become accessible. Uncheck all boxes apart from Friday.
10 In the Period drop-down field select the value Once Only.

11 In the field below select the time at which to execute the inventory collection, e.g., 21:00. To modify the
minute value just click in the field with the selected value and change the value, e.g. to 21:30.
12 Click OK to confirm the new schedule and close the window.
13 The new schedule is effective as of now. The report will execute from now on every Friday at 21:00 until the
schedule is modified again.
(f) Reports in HTML, XML and PDF
Template-based reports may be directly generated in different formats at the same time, the available formats
being HTML, the standard selection, as well as XML and PDF. If more than one format is chosen to be generated,
one file per format and report is generated and made available. For example, to generate the Situation by
Vulnerability report not only in HTML but also in XML and PDF proceed as follows:
1 At Point 4 (page 98) also check the boxes Generate in XML and Generate PDF in the Properties window.

2 Then continue the procedure as described.


3 Once the report is generated it will be available in all three formats.
(g) Reports in the Report Portal
The Report Portal is a service provided by the master server which makes reports publicly available to everybody
with the right credentials. To access the report portal type the following address into the browser window:
http://<master name>:<master port>/report. This page provides the list of all reports which have been generated
and defined as public reports. By default these reports are stored indefinitely. (This value may be modified
in the database configuration file; for more information on this subject please refer to section [DeleteThread] on
page 29 in chapter Vision64Database.ini in the Reference Manual.)

The Report Portal displays the following information about the available reports:
Name
This field displays the automatically generated name of the available report or the name as
defined in the Report File Name field in the general report definition.
Report Title
This field displays the title of the report.
Create Time
The date and time at which the report was actually generated.
Group Name
The name of the device group if the report is assigned to one. If a report is assigned to more than one group, a
separate table entry can be found for each assigned device group.

To make a report available on the report portal proceed as follows, for example for the Operational Rule Status
report (Report 5:):
1 At Step 2c: Publication and Mail (page 101) also check the box for option Public Report in the Properties
window.

2 Then continue the procedure as described.


3 Once the report is generated it will become available on the Report Portal.
(h) Report on All Failed Operational Rule Executions
To modify the report in such a way that it will show all operational rules for all devices on which their execution
failed, it is not the report but the query, the data on which the report is based, that must be modified. To modify
the query proceed as follows:
1 Select the Operational Rule Status query in the left window pane and go to the Criteria tab.
2 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion menu item
or click the respective icon ( ) in the icon bar.
3 The Select Criterion popup window will appear on the screen. It displays the list of available criteria in its left
list field.

4 Select the criterion Status.


5 Click the Find button.
6 The Search Criteria popup appears on the screen. It provides the list of all existing operational rule statuses.

7 Select the status Execution Failed and click OK.


8 The selected option will now be displayed in the Value field of the Criterion Description window.
9 Click the Add button ( ) to add the criterion to the query.
10 Click OK to confirm the new criterion and close the window.
11 To activate the query now select the green coloured option active on top of the table.

12 Select the Preview tab where you can see a preview of the query’s results.
13 Now that the query is modified you only need to regenerate the report by selecting the Edit->Generate Report
menu item or the respective icon ( ) in the icon bar.
14 A confirmation window appears on the screen, click the OK button to confirm.
15 The report will be created immediately using the current data in the database.
16 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
Section II

Advanced Management Suite


This second section of the Getting Started manual introduces you to the advanced
functionalities of the Numara Asset Management Platform and their specific objects. The
examples and exercises in these chapters are based on those of the first section; we therefore
recommend that you do those first.
This section is divided into the following chapters:
• Operating System Deployment Step-by-Step
• Software Distribution Step-by-Step
• Resource Monitoring Step-by-Step
• Application Management Step-by-Step
• Power Management Step-by-Step
• Peripheral Device and Data Control - Step by Step
• Patch Management Step-by-Step
• Vulnerability Management Step-by-Step
• Device Compliance Step-by-Step
• Setting Up Security
Be aware that most of these functionalities require a specific license; they are not included in
the basic Numara Asset Management Platform license. You may however try all these
functionalities with the trial license provided with the product. This license is valid 15 days
and allows you a total of 20 devices for testing the different topics.
7 Operating System Deployment Step-by-Step
To be able to execute the examples described in this chapter, a number of general Numara Asset Management
Platform prerequisites as well as OS deployment prerequisites must be fulfilled. These are listed in the following two
paragraphs. The examples will then guide you step by step through the different possible procedures for installing a
new operating system on a remote device or creating a new image to be deployed. The procedures will however
only refer to parameters that need to be filled in or modified; any parameters for which the pre-entered default
values are used are not mentioned here. You will find detailed information on these parameters in the general OS
Deployment manual.

Numara Asset Management Platform Prerequisites


To execute the examples provided in this chapter we assume that:
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the
NAMP console and its workings.

Deployment Lab Prerequisites


Before deployments are launched in your infrastructure they should be tested in a lab environment. The
following paragraphs list the components and prerequisites for this lab.

OSD Manager
The OSD Manager is a device of the NAMP infrastructure located within a subnet. For our example here we will
select the master as the OSD Manager. The following prerequisites apply to this device:
• The device acting as the OSD Manager must have one of the following operating systems: Windows 2000
(minimum Service Pack 4), Windows 2003, Windows XP, Windows Vista or Windows 2008.
• The WAIK (Windows Automated Installation Kit) for Windows 7 must be installed on the OSD Manager/TFTP
server device.
• The TFTP server will execute the function of OSD Manager, i.e., it will be responsible for the OS deployments.
Each subnet can only have one OSD Manager/TFTP server. The TFTP server must be configured as follows:
1 An InstallTFTP.bat file is available on the Numara Asset Management Platform Installation DVD in
directory support\OSD that contains all configuration settings for the TFTP server.
a Copy the InstallTFTP.bat file to directory c:\InstallTFTPServer. If you copy the files to another
directory make sure to modify the corresponding path in the InstallTFTP.bat file.
b Also copy from a Windows 2003 installation disk the files TFTP.EX_ and TFTPD.EX_ to the same
directory.
c Launch the InstallTFTP.bat file.
d The TFTP server is now configured as required.
2 The TFTP server directory must be shared with read and write permission to everyone.
• The TFTP port must be opened on the firewall (by default this is UDP port 69).
• The directory C:\PXETFTP must be defined as the TFTP root directory and it must be shared with write
access. To add the access proceed as follows:
1 Select the C:\PXETFTP directory in the tree in the left part of the Explorer window.
2 Then right click the mouse and select the Properties option in the pop-up menu.
3 The Properties window appears for the selected directory.

4 First go to the Share tab.


5 Make sure the Share Directory option is selected; if it is not, select it now.
6 Then go to the Security tab (NTFS only).
7 Select the user group that will be granted access to this directory; it is recommended to NOT use
everyone.
8 The Permissions box below will now display the access rights accorded to this group. Make sure it has the
box Full Control for Allow checked. If this is not the case mark it now.
9 Then click Add above the box to validate the modification.
10 Click Apply to confirm all modifications and activate them.
11 Then click OK to confirm and close the window.
• It is recommended to create a dump of all drivers required for the target devices on the OSD Manager, as this
facilitates the selection of the required drivers during the project setup. To do so, create a specific directory for
these drivers with an intuitive subdirectory structure, e.g., split up by operating system, each of these split by
driver type, etc.

DHCP Server
The DHCP server may be located on the same device as the OSD Manager, however it is recommended to use a
different device. It may be either a Windows or a Linux server and must be configured as follows:
• Windows DHCP Server
The DHCP server expected is a Windows 2000 or 2003 server edition component. The DHCP configuration
required to use PXE may be done through the user interface, or the command line.
The details of the required parameters and an example of the command lines to type in are as follows:
Option 060: PXE Client
Some computers have compatibility issues, depending on their PXE version. This parameter is not
mandatory.
Value: PXEClient
Option 066: TFTP boot server host name
Host name or IP address of the TFTP server. This is the IP address of the future TFTP server.
Value: 192.168.0.52
Option 067: Bootfile Name
NBP file name that the computer has to load from the TFTP server.
Value: pxelinux.0
Option 043: Vendor Specific Info
Indicates to the PXE client that the DHCP server is also the TFTP server.
Value: 01 04 00 00 00 00 ff
The tool to edit these options through the command line is named “netsh.exe”, it is present in the regular
installation of Windows XP and 2003, but optional on Windows 2000 Server Edition.
The command lines to set those options are executed locally, on the DHCP server:
netsh dhcp server add optiondef 60 PXEClient String 0 comment=<comment>
netsh dhcp server scope 192.168.0.0 set optionvalue 060 STRING PXEClient
netsh dhcp server scope 192.168.0.0 set optionvalue 066 STRING <TFTP server address>
netsh dhcp server scope 192.168.0.0 set optionvalue 067 STRING pxelinux.0
netsh dhcp server scope 192.168.0.0 set optionvalue 043 BINARY 010400000000ff
It is possible to reserve an IP address, name and description for a particular incoming MAC address:
netsh dhcp server scope 192.168.0.0 add reservedip <IP Address> <MAC Address> <Machine name> "<Machine description>" {DHCP|BOOTP|BOTH}
Later on, to remove this entry, the command is:
netsh dhcp server scope 192.168.0.0 delete reservedip <IP Address> <MAC Address>
Example:
netsh dhcp server add optiondef 60 PXEClient String 0 comment="PXE support"
netsh dhcp server scope 192.168.0.0 set optionvalue 060 STRING PXEClient
netsh dhcp server scope 192.168.0.0 set optionvalue 066 STRING 192.168.0.52
netsh dhcp server scope 192.168.0.0 set optionvalue 067 STRING pxelinux.0
netsh dhcp server scope 192.168.0.0 set optionvalue 043 BINARY 010400000000ff
To reserve a particular IP address for MAC address (will have to be done for each machine):
netsh dhcp server scope 192.168.0.0 add reservedip 192.168.0.112 00504A81F1F1 targetname "Target description" BOOTP
Delete reservation:
netsh dhcp server scope 192.168.0.0 delete reservedip 192.168.0.112 00504A81F1F1
Important:
On Windows 2000 Server and Advanced Server, setting option 43 via netsh will fail with the following error:
“DHCP Server Scope Set OptionValue failed”, if the hotfix KB884119 is not installed or superseded. (See
http://support.microsoft.com/kb/884119/ for reference.)
• Linux DHCP Server
For a Linux DHCP server (dhcpd) the following lines must be added to the dhcpd.conf file:
allow booting;
allow bootp;
class "pxeclients" {
    match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
    next-server <IP address of the OSD Manager>;
    filename "pxelinux.0";
}
Then the DHCP server must be rebooted.
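The netsh settings for the Windows DHCP server above can be generated from checked inputs instead of being typed by hand. The following Python script is an added example, not part of the Numara product or this manual: it checks that the option 043 value is a well-formed run of tag/length/value sub-options closed by ff, then builds the option and reservation command lines. The function names, the /24 prefix length and the reuse of the 15-character target name rule from Step 9 for reservation names are assumptions; the sample values are those of the manual's example.

```python
"""Build the netsh command lines for a PXE DHCP scope from checked inputs.

Added example. Sample values are the ones used in the manual's example.
"""
import ipaddress
import re

PXE_END = 0xFF  # tag that closes the sub-option list inside option 043


def parse_option43(hex_value):
    """Split an option 043 hex string into (tag, value) sub-options.

    Raises ValueError for bad hex, a length byte that overruns the data,
    bytes after the end marker, or a missing end marker.
    """
    try:
        data = bytes.fromhex(hex_value.replace(" ", ""))
    except ValueError as exc:
        raise ValueError(f"option 043 is not valid hex: {hex_value!r}") from exc
    subopts, i = [], 0
    while i < len(data):
        tag = data[i]
        if tag == PXE_END:
            if i != len(data) - 1:
                raise ValueError("bytes found after the ff end marker")
            return subopts
        if i + 1 >= len(data):
            raise ValueError(f"sub-option {tag} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {tag} overruns the option data")
        subopts.append((tag, value))
        i += 2 + length
    raise ValueError("option 043 is missing the ff end marker")


def normalise_mac(mac):
    """Return a MAC address as 12 upper-case hex digits (00504A81F1F1 form)."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def scope_commands(scope, tftp_server, bootfile, option43_hex):
    """Return the option definition and option value commands for one scope."""
    ipaddress.ip_address(scope)  # raises ValueError if not an IP address
    if not re.fullmatch(r"[A-Za-z0-9.-]+", tftp_server):
        raise ValueError(f"bad TFTP server name or address: {tftp_server!r}")
    if not re.fullmatch(r"[A-Za-z0-9._/-]+", bootfile):
        raise ValueError(f"bad boot file name: {bootfile!r}")
    parse_option43(option43_hex)  # structural check only
    binary = option43_hex.replace(" ", "").lower()
    prefix = f"netsh dhcp server scope {scope} set optionvalue"
    return [
        'netsh dhcp server add optiondef 60 PXEClient String 0 comment="PXE support"',
        f"{prefix} 060 STRING PXEClient",
        f"{prefix} 066 STRING {tftp_server}",
        f"{prefix} 067 STRING {bootfile}",
        f"{prefix} 043 BINARY {binary}",
    ]


def reservation_command(scope, prefix_len, ip, mac, name, description,
                        kind="BOOTP"):
    """Return the reservedip command for one target after checking each field.

    prefix_len is an assumption: the manual gives the scope address only.
    """
    network = ipaddress.ip_network(f"{scope}/{prefix_len}")
    address = ipaddress.ip_address(ip)
    if address not in network or address in (network.network_address,
                                             network.broadcast_address):
        raise ValueError(f"{ip} is not a host address in {network}")
    # Assumption: reuse the manual's target name rule (15 chars, A-Z a-z 0-9 _ -).
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,15}", name):
        raise ValueError(f"bad machine name: {name!r}")
    # Refuse characters that would break out of the quoted description in cmd.
    if re.search(r'["&|<>^%\r\n]', description):
        raise ValueError("description contains shell metacharacters")
    if kind not in ("DHCP", "BOOTP", "BOTH"):
        raise ValueError(f"bad reservation type: {kind!r}")
    return (f"netsh dhcp server scope {scope} add reservedip {address} "
            f'{normalise_mac(mac)} {name} "{description}" {kind}')


if __name__ == "__main__":
    for line in scope_commands("192.168.0.0", "192.168.0.52", "pxelinux.0",
                               "01 04 00 00 00 00 ff"):
        print(line)
    print(reservation_command("192.168.0.0", 24, "192.168.0.112",
                              "00:50:4a:81:f1:f1", "targetname",
                              "Target description"))
```

Run on the manual's values, the script prints the same five option commands and the same reservation line as the example above; a truncated option 043 value or a reservation outside the scope raises ValueError before any command is produced.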

Sysprep Deployment
The Sysprep deployment has a number of limitations as follows:
• A uniprocessor/core image can only be deployed on other uniprocessor/core devices.
• A multiprocessor/core image can only be deployed on other multiprocessor/core devices.
• The operating system language is fixed by the initial capture.
• No static IP address may be used.
• The administrator login/password of the captured system must be the same as the one specified in the
deployment parameters in the unattended information tab. If this is not the case an invalid login and/or
password Windows error is generated.

Storage Device
At least one device is necessary with network shares on which the OS setup, image and ghost to be deployed may be
stored. For this you may use the OSD Manager or the DHCP server; however, it is recommended to use a
dedicated device. In our examples we will deploy the 64 bit version of Windows Vista, therefore these setup and
image files must be copied to a share called \Vista64, and a ghost image is to be copied to a directory called
\Ghosts64. This directory must contain the ghost executable file as well as the ghost image. Be aware that
Windows NT, 2000 and XP have a limit for concurrent SMB connections per share, so a Linux server with a Samba
share or a Windows Server Edition is advised.

If it is located on the OSD Manager, the same user as for the PXETFTP share must be used, otherwise Windows will
not be able to locate the storage share at deployment time.

Target Devices
Three devices (with or without an operating system installed) must be available in the vicinity of your test
environment to which the operating system may be deployed via the different deployment types. These devices
must have PXE boot set as the first boot device in the BIOS.

7.1 Operating System Deployment


The following paragraphs will guide you through the different possibilities of the operating system deployment in
NAMP. Specifically we will execute one example for each of the four possible operating system deployments:
1 OS Deployment - Setup Mode

2 WIM Image Capture


3 OS Deployment - WIM Image Mode
4 OS Deployment - Custom Mode

7.1.1 OSD Manager Configuration


All these different types of deployment, however, require the selection and configuration of the OSD Manager
before any operation may be executed. This is the same for all types and is done in the first two windows of the
OS Deployment Wizard. Once configured you may just click your way through these two windows for any
further deployments.
1 To launch the OS Deployment Wizard either select the Wizards->OS Deployment menu item or click the
respective icon in the icon bar.
2 The wizard appears on the screen with its first window.
Step 1: OSD Manager
Here you may either select an existing OSD Manager or specify a new one.
1 For our first example we will select the device displayed in the window, the master, which is always defined as
OSD Manager by default if it is installed on a Windows operating system.

If your master is installed on a non-Windows operating system you need to first define a device as OSD
Manager. Go to Option (i) to do so.

2 Click Next to go to the following wizard page.

Step 2: OSD Manager Configuration


The second wizard window allows you to specifically configure the OSD Manager. You must provide the
following information for this:
1 Enter the following values into the respective fields:

Name
This field displays the name of the currently selected OSD Manager.
Windows AIK Installation Path
Enter into this field the path to the WAIK. If you do not enter any value the default installation path
(C:\Program Files\Windows AIK) will be used. To directly select the path click the Select button next to the
field. A popup window will appear with the directory structure of the device where you can directly select the
installation directory. Click OK to confirm and close the window.
TFTP Port (UDP)
Modify the port number if you need to use a port other than the default, 69.
TFTP Local Path
Enter into this field the local path to the shared TFTP server directory. To directly select the path click the
Select button next to the field. A popup window will appear with the directory structure of the device where
you can directly select the path. Click OK to confirm and close the window.
TFTP UNC Path
This field displays the network path to the shared TFTP server directory. Once you select and confirm the
TFTP Local Path this field will be automatically filled in.
TFTP UNC Credentials
Into these fields you must enter the access credentials to the shared TFTP server. Read and Write permissions
are required for this.
1 To add or edit the credentials click the Edit button to the right.
2 The Properties window will appear on the screen.
3 Enter a login name that provides you with read and write access into the Login
field and the corresponding password in the respective fields. The login name
must have one of the following formats:
<domain name>\<user login>
<local host name>\<user login>
When the popup is opened for the first time, the wizard will preenter the device name into the field
according to the <local host name>\<user login> scheme.
4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now
be displayed in clear text format.
5 To confirm the credentials click the OK button at the bottom of the window.
6 The account will be added in the wizard window fields.

Driver Root Folder


This field contains the complete path of the directory to which the drivers will be copied for later use.
The default directory for this is <InstallDir>\Master\data\OSDeployment\drivers\. Do not modify this value if
you are following a standard deployment. To directly select the path click the Select button next to the field. A
popup window will appear with the directory structure of the device where you can directly select a different
directory. Click OK to confirm and close the window.
DHCP Server Address
The IP address or DNS name of the DHCP server which will redirect the PXE requests to the local TFTP server.
The DHCP server must have the protocol BOOTP activated.
Skip DHCP Check
If the DHCP server is installed on the same device as the OSD Manager device you must check this box, as the
DHCP server cannot be verified in this case. This test verifies if the BOOTP protocol is activated on the DHCP
server.
2 Once all parameters are defined they must be verified. Until the verification is executed
and returns the Status OK - Initialisation Complete, the wizard cannot continue. If the entry in one of the fields is
incorrect, the wizard will highlight the problem field(s) in red when checking the parameters.
3 To verify click the Check Environment button to the right of the Status field.
4 AMP will now verify all entries of this page, i.e. the directories as well as the access rights to them and the
DHCP server address if it is installed on another device.
5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field
indicating where the parameter value is not correct.
6 Once the Status OK is returned click Next to go to the following wizard page.

Be aware that the first initialisation will take several minutes.

7.1.2 OS Deployment - Setup Mode


Our first example will deploy a 32 bit Vista operating system to a device via the Setup Mode. This mode is
executed via an unattended file which so to speak takes the role of the user entering the required information
during the installation process.

Step 3: Deployment Type


In the third wizard window you need to select which type of deployment is to be executed. For our first example
we will use the Setup Mode which is also the preselected option. Do not modify anything in this window and
click Next to go to the following wizard page.

Step 4: Project Parameters


The deployment of a new operating system to a number of targets is managed in its entirety by a NAMP object
called project.
1 This next window defines the parameters for the deployment project, which are the following:

Name
Enter a self-explanatory name for the project into this field, for example Vista (64 bit) Setup Deployment.
Architecture
This field indicates the type of architecture for the OS deployment, i.e., the architecture of the WinPE image
launching the setup program. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows
installations. Select the 64 Bit option for the 64 bit Vista setup deployment.

Target Drive
Select from this field the drive letter on which the operating system is to be installed, in our example we will
use the C drive, therefore select C from this field.
2 Click Next to go to the following wizard page.

Step 5: Image
This wizard window allows you to either select an existing or create a new operating system image which is to be
deployed by the setup. Images exist for all types of deployment, but the list displayed in this window is already
filtered and will only show the images created for the respective selected deployment type.
The wizard window is still empty as no images have yet been created. The option to create a new image (Create a
new OS image or setup) is selected by default, therefore click Next to go directly to the following wizard page to
define the parameters of the new image.

Step 6: Image Parameters


This next window allows you to define the parameters for the setup image.
1 The following parameters must be defined:

Name
Enter a descriptive name for the image in the Name field, for example Vista (64 bit) Setup Image.
Architecture
This field indicates the type of architecture the image is to be applicable to. The possible options are 32 Bit for
x86 and 64 Bit for amd64 Windows installations.
Type
This parameter defines the image type being used for the deployment. This list is already prefiltered and only
provides image types applicable to the selected deployment mode. Possible values here are Windows Vista/
Server 2008/7 Setup and Windows XP/Server 2003 Setup. For our example select the Windows Vista/Server
2008/7 Setup option.
Location
Enter into this field the network path to the image or setup folder, where you copied the image files required
for the installation, e.g. \\192.168.196.13\Vista64. This is the folder which contains the setup.exe file for
the deployment. This directory may be located on any device in your network, as long as it can be accessed by
the OSD Manager.
Connection Parameters
The login and password to be used by the deploying device to access the network location in read and write
mode.
1 To enter the login information click the Edit button next to the non-editable fields.
2 A Properties window appears on the screen in which you must enter the login name and corresponding
password in the respective fields and re-enter the password for confirmation.
The login name must have one of the following formats:
<domain name>\<user login>
<local host name>\<user login>
Be aware that . is not a valid domain in this case.
3 For security reasons the passwords will only be displayed in the form of asterisks.
4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now
be displayed in clear text format.
5 To confirm the credentials click the OK button at the bottom of the window.
6 The account will be added in the wizard window fields.
2 Once all parameters are defined they must be verified. Until the verification is executed
and returns the Status OK, the wizard cannot continue.

3 To verify click the Check Image button to the right of the Status field.
4 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it.
5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field
indicating where the parameter value is not correct.
6 Once the Status OK is returned click Next to go to the following wizard page.

Step 7: Image Drivers


In this step of the OSD wizard you must define the drivers which will be used by the Windows Setup after
installation. This is the equivalent of manually inserting the driver floppy during the installation process. Here
you can define all drivers that may be needed by the deployment operating system to properly run. The drivers
must be defined here as well in their usual .inf format. If you are creating an XP setup and your targets use a
SATA disk, do not forget to add the required SATA driver here as well.
1 By default no drivers are predefined, therefore this list field is empty.
2 For this example we will first add an Ethernet network driver.

3 To do so click the Create Driver icon above the list field.


4 The Create a New Driver window appears on the screen.
5 Enter the following data into the respective fields:
Name
Enter a name for the new driver, for example Ethernet
Network Driver.
Driver Type
This drop down list defines the type of the driver, i.e. if it
is a network driver, a SATA disk driver, a keyboard driver,
etc. Select the Modem/Network Driver value from the
list.
Driver .inf File
Enter into this field the name and path of the .inf file of the driver. This is the path on the local device, i.e. the OSD
Manager and to be entered as such with the drive letter as well as the name of the file, e.g.
D:/Drivers/TEXTORM/chipset/Vista32/Ethernet/nvfd6032.inf. You may also indicate a path to a removable device,
such as a DVD drive, as the driver files will be copied to a specific directory in the Numara Deployment Manager.
1 To find the file in its directory structure click the Select button next to the field.
2 The Driver File from <Device> window appears on the screen.
3 It provides the directory structure of the currently selected OSD Manager.
4 Browse the directories to find the correct file, select it and then click the OK button to add it.
6 Once all parameters are defined they must be verified. Until the verification is executed
and returns the Status OK, the wizard cannot continue.
7 To verify click the Check Driver button to the right of the Status field.
8 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it and fill in the
remaining fields with the recovered information, such as the list of driver files.
9 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field
indicating where the parameter value is not correct.
10 Once the Status OK is returned click the OK button to add the new driver to the list and return to the Image
Drivers window.
11 Now the driver appears in the list of available drivers.
12 Repeat steps 2 to 9 to add other drivers. The drivers defined here must be compliant with the image to be
deployed.
13 Then click Next to go to the following wizard page.

Step 8: Target List


The next step in the OS deployment procedure is to select the deployment targets. Targets are not defined via
groups, as these may only contain devices with a NAMP agent installed, they are managed via target lists, which
may also contain devices without a NAMP agent. The individual targets are then added to these lists. This may be
done in a number of different ways. In our example here we will only have one target device which will be added
as a single device.
The option to create a new target list (Create a new target list) is selected by default, therefore click Next to go
directly to the following wizard page to define the members of the new target list.

A target list can only be assigned to one project at a time. To use it with another project and have it be
available in this list it must first be unassigned from its current project.

Step 9: Target List Configuration


In this step of the wizard you must select the deployment targets which are collected in the target list.
1 The first step is to enter the name Vista Setup Target List into the Name field.
2 Then select the template of the unattended file that is to be used for the deployment. You may either use the
template which is provided by Numara, leave the field empty, or use your own custom defined file. For
this example we will use the Numara default file, therefore do not modify the entry.

If the unattended file template field is empty, the OSD Manager will use the default unattended file template
corresponding to the image type.

3 This deployment will only have one target device and we will add it as a new target.

To add target devices via lists see Option (a) now.

To add existing devices as targets see Option (b) now.

To add target devices via a PXE subnet see Option (c) now.

4 For this select the Create Target icon on top of the empty list field.

5 The Create a New Target window appears on the screen with its three
tabs, General Information, Parameters and Unattended Information.
6 Enter the following information into the respective fields of the
General Information tab for the new device:
Name
Enter into this field the short name that the new device is to have,
e.g., scotty. Be aware that the name of the new target may only have
a maximum of 15 characters and may only contain the following
characters: A-Z, a-z, 0-9, the underscore (_) and a dash (-).
Target
Leave the radio button selected as we are defining a single target
and enter the information for at least one of the three following
fields. If the device is already up and running the wizard will
recover information regarding the MAC address, based on the
provided IP address or DNS name.
MAC Address
Enter into this field the current MAC address of the target
device. This is the most precise information to identify the
device and should be preferred to the other two following identification options.
IP Address
Enter into this field the current IP address of the target device. This option may be used if the MAC
address is unknown and the device is already running. In this case the respective target device will try to
find its MAC address and provide this information.
DNS
Enter into this field the current DNS information of the target device. This option may be used if the
MAC and IP addresses are unknown and the device is already running. In this case the respective target
device will try to find its IP address which in turn will then search for the MAC address and provide this
information.
7 Then select the Parameters tab and fill in the fields for the target
operating system information.
Edition
Select from the drop-down box the Windows edition that is being
installed, e.g. Windows Vista Enterprise. The listed editions have
been automatically detected from the installation CD/DVD.
Language
Select from the drop-down box the language. This language setting
will be applicable to the setup, the operating system to be installed,
the keyboard layout and the user locale. The listed languages have
been automatically detected from the installation CD/DVD.
Product Key
This field defines the preformatted input for the OS product key
(e.g.: ABCDE-FGHIJ-KLMNO-PQRST-UVWXY). Replace the
standard key already entered in this field with the key provided by
Microsoft on your installation DVD.
TCP/IP Parameters
Leave the preselected option Dynamic IP in this box, this will automatically assign the target device its new
IP address via DHCP.

To add target devices with static IP addressing see Option (e) now.

8 Then select the Unattended Information tab and fill in the fields for your organisation.

Screen Resolution
Select from the drop down list the appropriate screen resolution for
the monitor of the target device.
Colour Depth
Select from the drop down list the appropriate colour depth for the
monitor of the target device.
Refresh Rate
Select from the drop down list the appropriate refresh rate for the
monitor of the target device.
Resolution (DPI)
Select from the drop down list the appropriate DPI value for the
target device.
Organisation
Enter into this field the name of your company, e.g. Numara
Software. This is the value that will appear in the license window of
the operating system.
Workgroup
Enter into this field the name of the workgroup to which the newly installed device is to belong to, e.g.,
WORKGROUP. This field will be ignored if a domain is specified.
Administrator Login
Enter into this field the login name for the administrator that is to be created for the newly installed OS
with full administrator rights accorded for the new device. For Vista and later versions this field is prefixed
by Microsoft and modifications will be ignored.
Administrator Password
Enter into this field the corresponding password.
User Login
Enter into this field the login name with which the user is to log on to his device which provides him with
the required user rights. This field is only applicable to Vista and later.
User Password
Enter into this field the respective password to be used (Vista and later only).
Time Zone
Select from this drop down list the time zone which is to be applied to the new device, i.e. in which it is
located.
Full Name
Enter into this field the complete name of the user that is to use the new device, e.g. Jane Doe.
Domain
Enter into this field the name of the domain the new device should belong to, e.g. TESTLAB. Do not enter
anything into this field if you have provided Workgroup information, as this value will override it.
Domain Administrator Name
Enter into this field the login name of the domain administrator with which he may access the new device.
Domain Administrator Password
Enter into this field the corresponding password.
First Logon Command
This field lists the commands to be executed on the first logon, this may be a path to a batch file to execute,
e.g. E:\Apps.bat or cmd /c REGEDIT /S E:\Apps\patch.reg. This parameter is only applicable to XP.
9 Then click the OK button at the bottom of the window to confirm the data for the new target device and add it
to the target list.
10 Then click Next to go to the following wizard page.

Step 10: Disk Configuration


This wizard window allows you to define the configuration of the disk on which the operating system will be
installed. A number of predefined disk configurations are initially provided by Numara and one of these will be
used for this first example.
1 In the list of available disk configurations select the Disk with two partitions option.
2 This configuration will create two partitions of the hard disk, the first, the boot or active partition with 30 GB
and the second with the remaining space.

To create a new disk configuration see Option (h) now.

3 Then click Next to go to the following wizard page.

Step 11: Drivers


In this step of the OSD wizard the drivers required for the WinPE must be selected. For the deployment to work at
least one driver must be selected, i.e. the network driver, as well as the SATA driver if the target disk is a SATA
disk.
1 By default no drivers are predefined, therefore this list field is empty.
2 For this example we will first add an Ethernet network driver.

3 To do so click the Create Driver icon above the list field.


4 The Create a New Driver window appears on the screen.
5 Enter the following data into the respective fields:
Name
Enter a name for the new driver, for example WinPE
Ethernet Network Driver.
Driver Type
This drop down list defines if the driver is a network or a
SATA disk driver. A network driver is obligatory for each
deployment. All drivers must be Vista compliant drivers as
they are used by WinPE. Select the WinPE Network value
from the list.


Driver .inf File


Enter into this field the name and path of the .inf file of the
driver. This is the path on the local device, i.e. the OSD
Manager and to be entered as such with the drive letter as
well as the name of the file, e.g. D:/Drivers/TEXTORM/chipset/Vista32/Ethernet/nvfd6032.inf. You may also
indicate a path to a removable device, such as a DVD drive, as the driver files will be copied to a specific
directory in the Numara Deployment Manager.
1 To find the file in its directory structure click the Select button next to the field.
2 The Driver File from <Device> window appears on the screen.
3 It provides the directory structure of the currently selected OSD Manager.
4 Browse the directories to find the correct file, select it and then click the OK button to add it.
6 Once all parameters are defined they must be verified. Until the verification is executed and returns the
Status OK, the wizard cannot continue.
7 To verify click the Check Driver button to the right of the Status field.
8 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it and fill in the
remaining fields with the recovered information, such as the list of driver files.
9 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field
indicating where the parameter value is not correct.
10 Once the Status OK is returned click OK button to add the new driver to the list and return to the Drivers
window.
11 Now the driver appears in the list of available drivers.
12 Repeat steps 2 to 9 to add a SATA driver if you are using a SATA disk. Be aware that the SATA drivers must
also be Vista compliant.
13 Then in the Drivers window mark both check boxes next to the added drivers to indicate that they are to be
used.
14 Then click Next to go to the following wizard page.

Step 12: Project Build Date


In the last step of the operating system deployment wizard the schedule for the project build and its activation is
defined. Building the project means checking that all parameters and values of the project are correct and that all
required elements are available and in their correct location.

Be aware that only one project per OSD Manager at a time can be active. If you have more than one deployment
project you must schedule them in such a way that they are not launched at the same time and that the first
deployment has finished before the next one starts, i.e. that they are not active at the same time. It is however
possible to execute simultaneous deployments via different OSD Managers in different subnets. If you activate a
new project via this wizard any other project in the same subnet will automatically be deactivated.

As we want to activate and execute this first deployment right away leave all values as they are and click Finish to
launch the deployment.

Step 13: Project Monitoring


The project will now be built, i.e. all parameters are verified, the files are copied to the location required for the
remote installation, etc. You can follow the progress of the project in its console node, as the focus of the console
will automatically be moved to this object when the wizard is finished. In this view you can follow the different
stages of the build.
If any final status other than Build completed successfully. is displayed, the build failed and you need to
review the parameters of the project and possibly the source files.

Step 14: Deployment Execution


Once the build is successfully completed the files are put at the required location on the OSD Manager for
deployment. To now start the actual operating system deployment to the target device you must switch on the
device. It will boot on the PXE boot section and the operating system installation is executed.

Do not start the target devices before the project is finished and ready to launch the installation. If the target
devices are already running the PXE boot will not find the files for the installation and the deployment and
installation of the new OS on the target devices will not take place.

You can follow the progress of the installation by selecting the Assigned Objects->Target List->Vista Setup
Target List node in the left window pane. The right pane displays the target list members with their status
information.

7.1.3 WIM Image Capture


As the next example we will use the WIM Image Capture option of the wizard to create a new master WIM image
of the device on which we just installed the Vista operating system via the setup mode. This mode makes a
snapshot of an existing system on the active disk, usually C, and creates a WIM image of it, which may then be
deployed to new devices as we will do in the next example. To start this mode the OS Deployment
Wizard must be started again:
1 To launch the OS Deployment Wizard either select the Wizards->OS Deployment menu item or click the
respective icon ( ) in the icon bar.
2 The wizard appears on the screen with its first window in which the OSD Manager is selected.
3 We only have one OSD Manager which is already preselected.
4 Click Next to go to the following wizard page.


5 In this window the parameters of the OSD Manager must be defined.
6 However, we have already done this with the previous example, so you can just click Next to go to the
following wizard page.
Step 3: Deployment Type
In this third wizard window you must select which type of deployment is to be executed. For this example we will
select the WIM Image Capture option at the bottom. Then click Next to go to the following wizard page.

Step 4: Project Parameters


The capturing and creating of a WIM image which can then be deployed to other devices is also managed by the
NAMP object called project.
1 This window defines the parameters for the capture project, which are the following:

Name
Enter a self-explanatory name for the project into this field, for example Vista (64 bit) Capture.
Architecture
This field indicates the type of architecture for the OS deployment, i.e., the architecture of the WinPE image
launching the setup program. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows
installations. Select the 64 Bit option for the 64 bit Vista capture.

In case of a Sysprep capture select Shutdown from the Operation after Installation field.

Target Drive
Select from this field the drive letter of the drive holding the operating system installation of which the image
is to be created. In our example we will use the setup deployment we executed in the previous example, therefore
the respective drive is the preselected C drive.
2 Click Next to go to the following wizard page.

Step 5: Image
In this wizard window you must define the base parameters of the WIM image to create. If other images have
already been created they will be shown in this list and you may select such an existing image and modify and
overwrite it with the new image to create.
The wizard window is still empty as no images have yet been created. The option to create a new image (Create a
new OS image or setup) is selected by default, therefore click Next to go directly to the following wizard page to
define the parameters of the new image.

Step 6: Image Parameters


This window allows you to define the parameters for the WIM image.
1 The following parameters must be defined:

Name
Enter a descriptive name for the image in the Create a new OS image or setup field, for example Vista
Capture.
Type
This parameter defines the image type being used for the deployment. Select Windows Vista/Server
2008/7 Setup for our example.

In case of a Sysprep capture select Windows Vista/Server 2008/7 Sysprep WIM Image.

Location
Enter into this field the network path to the image folder where the image to create is to be stored, including
the name of the image, e.g. \\192.168.196.13\Build\WinVista.wim. This directory may be located on any device in your
network, as long as it can be accessed by the OSD Manager and the target device of which the image is created.
Connection Parameters
The login and password to be used by the deploying device to access the network location in read and write
mode.
1 To enter the login information click the Edit button next to the non-editable fields.
2 A Properties window appears on the screen in which you must enter the login name and corresponding
password in the respective fields and re-enter the password for confirmation.
The login name must have one of the following formats:
<domain name>\<user login>
<local host name>\<user login>
Be aware that . is not a valid domain in this case.
3 For security reasons the passwords will only be displayed in the form of asterisks.
4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now
be displayed in clear text format.
5 To confirm the credentials click the OK button at the bottom of the window.
6 The account will be added in the wizard window fields.
2 Once all parameters are defined they must be verified. Until the verification is executed and returns the
Status OK, the wizard cannot continue.
3 To verify click the Check Image button to the right of the Status field.
4 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it.
5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field
indicating where the parameter value is not correct.
6 Once the Status OK is returned click Next to go to the following wizard page.

Step 7: Target List


The next step in the OS capture procedure is to select the target. A capture target list may always only contain one
target device, i.e. the device of which the image is to be created. For our example we will use the device on which
the setup mode installed the Vista operating system in the previous example.
This may be done in a number of different ways. In our example here we will add the target as a single device. All
other possible ways will be explained in the options.
The option to create a new target list (Create a new target list) is selected by default, therefore click Next to go
directly to the following wizard page to define the members of the new target list.

Step 8: Target List Configuration


In this step of the wizard you must select the target device of which the image is to be created. Remember, this list
can only contain one single device.

To add the target device via a list see Option (a) now.

To add an existing device as the target see Option (b) now.

1 Enter the name Vista Capture Target List into the Create a new target list field on top of the empty list field.
2 Then select the Create Target icon ( ) on top of the empty list field.
3 The Create a New Target window appears on the screen with its General
Information tab.
4 Enter the following information into the respective fields for the device:
Name
Enter into this field the short name of the target device exactly as you
entered it for the setup, e.g., scotty.
Target
Leave the radio button selected as we are defining a single target and enter
the information for at least one of the three following fields, preferably the
MAC Address. If the device is already up and running the wizard will
recover information regarding the MAC address, based on the provided IP
address or DNS name.
MAC Address
Enter into this field the MAC address of the target device.
IP Address
Enter into this field the IP address of the target device.
DNS
Enter into this field the DNS information of the target device.
5 Then click the OK button at the bottom of the window to confirm the data for the target and add it to the target
list.
6 Then click Next to go to the following wizard page.

Step 9: Disk Configuration


This wizard window allows you to define the configuration of the disk of the image. When an image is captured of
an existing operating system installation the disk configuration is already defined. Therefore a specific image
capture disk configuration must be used, which is provided by Numara at installation time.
1 In the list of available disk configurations select the Unchanged disk for custom deployment option.
2 This configuration contains all information required for the image capture.

Be careful not to select a disk configuration that will format the drive or partition!

To create a new disk configuration see Option (h) now.


3 Then click Next to go to the following wizard page.

Step 10: Drivers


In this step of the OSD wizard the Vista compatible drivers required for the WinPE must be selected. For the
capture to work at least one driver must be selected, i.e. the network driver, as well as the SATA driver if the target
disk is a SATA disk. As we have already executed the Setup mode in which the two required drivers were defined
we will use these now for the current example.
1 The wizard window will show the two drivers already defined during the previous example.
2 Check both their boxes if you have a SATA drive, otherwise only the Ethernet driver.

3 Then click Next to go to the following wizard page.


Step 11: Project Build Date


In the last step of the operating system deployment wizard the schedule for the project build and its activation is
defined. Building the project means checking that all parameters and values of the project are correct and that
all required elements are available and in their correct location.

Be aware that only one project per OSD Manager at a time can be active. If you have more than one deployment
project you must schedule them in such a way that they are not launched at the same time and that the first
deployment has finished before the next one starts, i.e. that they are not active at the same time. It is however
possible to execute simultaneous deployments via different OSD Managers in different subnets. If you activate a
new project via this wizard any other project in the same subnet will automatically be deactivated.

As we want to activate and execute this first deployment right away leave all values as they are and click Finish to
launch the deployment.

In case of a Sysprep distribution, the target MUST be running before the project becomes active! Also, you must
manually launch the provided batch file \\<OSD Manager>\PXETFTP\SYSPREP\RUNSYSPREP.BAT, which will
sysprep the target and finally reboot it. The file must be executed as a privileged user (admin). If the file cannot be
found in this location the project is not activated or not set as a Sysprep image type.

Step 15: Project Monitoring


The project will now be built, i.e. all parameters are verified, to make sure the capture can be properly executed.
You can follow the progress of the project in its console node, as the focus of the console will automatically be
moved to this object when the wizard is finished. In this view you can follow the different stages of the build.
If any final status other than Build completed successfully. is displayed, the build failed and you need to
review the parameters of the project and possibly the state of the target device.

Step 16: Deployment Execution


Once the build is successfully completed the snapshot of the target device is started. You can follow the progress
of the image creation process by selecting the Assigned Objects->Target List->Vista Capture Target List node in
the left window pane. The right pane displays the target list member with its status information.

7.1.4 OS Deployment - WIM Image Mode


In this third example we will install a new device via the WIM Image Mode using the WIM image we captured in
the preceding example. The WIM Image Mode uses a snapshot of an operating system taken of an installed device
to install the same operating system on the target device or a sysprepped OS, able to be deployed on various
hardware types. The snapshot or image file contains all information required to install the new device. To start
this mode the OS Deployment Wizard must be started again:
1 To launch the OS Deployment Wizard either select the Wizards->OS Deployment menu item or click the
respective icon ( ) in the icon bar.
2 The wizard appears on the screen with its first window in which the OSD Manager is selected.
3 We only have one OSD Manager which is already preselected.
4 Click Next to go to the following wizard page.
5 In this window the parameters of the OSD Manager must be defined.
6 However, we have already done this with the previous example, so you can just click Next to go to the
following wizard page.
Step 3: Deployment Type
In this third wizard window you must select which type of deployment is to be executed. For this example we will
select the WIM Image Mode deployment option. Click Next to go to the following wizard page.

Step 4: Project Parameters


The deployment of a new operating system to a number of targets is managed in its entirety by a NAMP object
called project.
1 This next window defines the parameters for the deployment project, which are the following:

Name
Enter a self-explanatory name for the project into this field, for example Vista (64 bit) WIM Deployment.
Architecture
This field indicates the type of architecture for the OS deployment, i.e., the architecture of the WinPE image
launching the setup program. The possible options are 32 Bit for x86 and 64 Bit for amd64 Windows
installations. Leave the preselected option 64 Bit for the 64 bit Vista WIM deployment.
Target Drive
Select from this field the drive letter on which the operating system is to be installed, in our example we will
use the C drive, therefore select C from this field.
2 Click Next to go to the following wizard page.

Step 5: Image
This wizard window allows you to either select an existing or create a new operating system image which is to be
deployed by the WIM mode. Images exist for all types of deployment, but the list displayed in this window is
already filtered and will only show the images created for the respective selected deployment type, i.e. in this case
any existing WIM images.
The wizard window is still empty as no images have yet been created. The option to create a new image (Create a
new OS image or setup) is selected by default, therefore click Next to go directly to the following wizard page to
define the parameters of the new image.

Step 6: Image Parameters


This window allows you to define the parameters of the WIM image.
1 The following parameters must be defined:

Name
Enter a descriptive name for the image in the Create a new OS image or setup field, for example Vista WIM
Image.
Location
Enter into this field the network path to the folder where you stored the image file that we created in our previous
example, including the name of the image, e.g. \\192.168.196.13\Build\WinVista.wim. This directory may
be located on any device in your network, as long as it can be accessed by the OSD Manager and the target
devices; it is therefore recommended to put it on a device within the subnet.
Connection Parameters
The login and password to be used by the deploying device to access the network location in read and write
mode.
1 To enter the login information click the Edit button next to the non-editable fields.
2 A Properties window appears on the screen in which you must enter the login name and corresponding
password in the respective fields and re-enter the password for confirmation.
The login name must have one of the following formats:
<domain name>\<user login>
<local host name>\<user login>
Be aware that . is not a valid domain in this case.
3 For security reasons the passwords will only be displayed in the form of asterisks.
4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now
be displayed in clear text format.
5 To confirm the credentials click the OK button at the bottom of the window.
6 The account will be added in the wizard window fields.
2 Once all parameters are defined they must be verified. Until the verification is executed and returns the
Status OK, the wizard cannot continue.
3 To verify click the Check Image button to the right of the Status field.
4 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it.
5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field
indicating where the parameter value is not correct.
6 Once the Status OK is returned click Next to go to the following wizard page.

If you are using a WIM-Image with Sysprep support see Option (f) now.

Step 7: Target List


The next step in the OS deployment procedure is to select the deployment targets. Targets are not defined via
groups, as these may only contain devices with a NAMP agent installed; they are managed via target lists, which
may also contain devices without a NAMP agent. The individual targets are then added to these lists. This may be
done in a number of different ways. In our example here we will only have one target device which will be added
as a single device. All other possible ways will be explained in the options.
The option to create a new target list (Create a new target list) is selected by default, therefore click Next to go
directly to the following wizard page to define the members of the new target list.

Step 8: Target List Configuration


In this step of the wizard you must select the deployment targets which are collected in the target list.
1 Enter the name Vista WIM Image Target List into the field on top of the empty list field.
2 This deployment will only have one target device and we will add it as a new target.

To add target devices via lists see Option (a) now.

To add existing devices as targets see Option (b) now.

To add target devices via a PXE subnet see Option (d) now.

3 For this select the Create Target icon ( ) on top of the empty list field.
4 The Create a New Target window appears on the screen.
5 Enter the following information into the respective fields of the General
Information tab for the new device:
Name
Enter into this field the short name that the new device is to have, e.g.,
Device1. Be aware that the name of the new target may only have a
maximum of 15 characters and may only contain the following characters:
A-Z, a-z, 0-9, the underscore (_) and a dash (-).
Target
Leave the radio button selected as we are defining a single target and enter
the information for at least one of the three following fields. If the device is
already up and running the wizard will recover all remaining information
directly from the device and add it to the respective fields.
MAC Address
Enter into this field the current MAC address of the target device. This
is the most precise information to identify the device and should be preferred to the other two following
identification options.
IP Address
Enter into this field the current IP address of the target device. This option may be used if the MAC
address is unknown and the device is already running. In this case the respective target device will try to
find its MAC address and provide this information.
DNS
Enter into this field the current DNS information of the target device. This option may be used if the
MAC and IP addresses are unknown and the device is already running. In this case the respective target
device will try to find its IP address which in turn will then search for the MAC address and provide this
information.

If you are using a WIM-Image with Sysprep support see Option (g) now.

6 Then click the OK button at the bottom of the window to confirm the data for the new target device and add it
to the target list.
7 Then click Next to go to the following wizard page.
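
The target rules described in this step (name limits, at least one of MAC address, IP address or DNS, and the single-device limit for capture lists) can be checked on a prepared list before it is typed into the wizard. This is an added example, not part of the Numara product or manual; the function names, the dictionary layout, the sample entries and the case-insensitive duplicate check are assumptions.

```python
import ipaddress
import re

# Rule quoted in the manual: at most 15 characters from A-Z, a-z, 0-9, _ and -.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")

# Constructed sample entries (not taken from the manual).
SAMPLE_TARGETS = [
    {"name": "Device1", "mac": "00-1a-2b-3c-4d-5e"},        # valid
    {"name": "build server 01!", "ip": "192.168.196.20"},   # invalid name
    {"name": "Device2", "ip": "192.168.196.300"},           # invalid IP address
    {"name": "device1", "mac": "001A.2B3C.4D5E"},           # duplicates row 1
    {"name": "Device3"},                                    # no identifier given
]


def normalize_mac(mac):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not six hex bytes.

    Colon, dash and dot separators are accepted, so the common notations
    compare equal when looking for duplicates.
    """
    bare = re.sub(r"[:.-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", bare):
        return None
    bare = bare.upper()
    return ":".join(bare[i:i + 2] for i in range(0, 12, 2))


def check_target(entry):
    """Return the list of problems found in one target entry (a dict)."""
    problems = []
    name = entry.get("name", "")
    if not NAME_RE.fullmatch(name):
        problems.append(
            f"name {name!r} must be 1-15 characters from A-Z, a-z, 0-9, _ and -")
    mac = entry.get("mac", "").strip()
    ip = entry.get("ip", "").strip()
    dns = entry.get("dns", "").strip()
    if not (mac or ip or dns):
        problems.append("needs at least one of MAC address, IP address or DNS")
    if mac and normalize_mac(mac) is None:
        problems.append(f"MAC address {mac!r} is not six hexadecimal bytes")
    if ip:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"IP address {ip!r} is not valid")
    return problems


def check_target_list(entries, capture=False):
    """Check every entry plus list-level rules; return all problems found."""
    problems = []
    if capture and len(entries) != 1:
        problems.append(
            f"a capture target list holds exactly one device, found {len(entries)}")
    names, macs = {}, {}
    for row, entry in enumerate(entries, start=1):
        problems += [f"row {row}: {p}" for p in check_target(entry)]
        # Assumption: device names are compared without regard to case.
        key = entry.get("name", "").lower()
        if key and key in names:
            problems.append(f"row {row}: name duplicates row {names[key]}")
        names.setdefault(key, row)
        mac = normalize_mac(entry.get("mac", ""))
        if mac:
            if mac in macs:
                problems.append(f"row {row}: MAC address duplicates row {macs[mac]}")
            macs.setdefault(mac, row)
    return problems


if __name__ == "__main__":
    for problem in check_target_list(SAMPLE_TARGETS):
        print(problem)
```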

Step 9: Disk Configuration


This wizard window allows you to define the configuration of the disk on which the operating system will be
installed. A number of predefined disk configurations are initially provided by Numara and one of these will be
used for this first example.
1 In the list of available disk configurations select the Disk with two partitions option.
2 This configuration will create two partitions of the hard disk, the first, the boot or active partition with 30 GB
and the second with the remaining space.

To create a new disk configuration see Option (h) now.

3 Then click Next to go to the following wizard page.

Step 10: Drivers


In this step of the OSD wizard the Vista compatible drivers required for the WinPE must be selected. For the
deployment to work at least one driver must be selected, i.e. the network driver, as well as the SATA driver if the
target disk is a SATA disk. As we have already executed the Setup mode in which the two required drivers were
defined we will use these also now for the current example installation.
1 The wizard window will show the two drivers already defined for the previous examples.
2 Check both their boxes if you have a SATA drive, otherwise only select the Ethernet driver.
3 Then click Next to go to the following wizard page.

Step 11: Project Build Date


In the last step of the operating system deployment wizard the schedule for the project build and its activation is
defined. Building the project means checking that all parameters and values of the project are correct and that
all required elements are available and in their correct location.

Be aware that only one project per OSD Manager at a time can be active. If you have more than one deployment
project you must schedule them in such a way that they are not launched at the same time and that the first
deployment has finished before the next one starts, i.e. that they are not active at the same time. It is however
possible to execute simultaneous deployments via different OSD Managers in different subnets. If you activate a
new project via this wizard any other project in the same subnet will automatically be deactivated.

As we want to activate and execute this first deployment right away leave all values as they are and click Finish to
launch the deployment.

Step 12: Project Monitoring


The project will now be built, i.e. all parameters are verified, the files are copied to the location required for the
remote installation, etc. You can follow the progress of the project in its console node, as the focus of the console
will automatically be moved to this object when the wizard is finished. In this view you can follow the different
stages of the build.
If any final status other than Build completed successfully. is displayed, the build failed and you need to
review the parameters of the project and possibly the source files.

Step 13: Deployment Execution


Once the build is successfully completed the files are put at the required location on the OSD Manager for
deployment. To now start the actual operating system deployment to the target device you must switch on the
device. It will boot on the PXE boot section and the operating system installation is executed.

Do not start the target devices before the project is finished and ready to launch the installation. If the target
devices are already running the PXE boot will not find the files for the installation and the deployment
and installation of the new OS on the target devices will not take place.

You can follow the progress of the installation by selecting the Assigned Objects->Target List->Vista Image
Target List node in the left window pane. The right pane displays the target list members with their status
information.

A Sysprep installation is quite long (~1 hour, depending on the hardware) and requires several reboots.

7.1.5 OS Deployment - Custom Mode


As the last example we will install a new device via the Custom Mode. This mode allows you to use other
applications with which snapshots of existing installations may be created and then be ’duplicated’ on other
devices, such as for example ghost images. To start this mode the OS Deployment Wizard must be started again:
1 To launch the OS Deployment Wizard either select the Wizards->OS Deployment menu item or click the
respective icon ( ) in the icon bar.
2 The wizard appears on the screen with its first window in which the OSD Manager is selected.
3 We only have one OSD Manager which is already preselected.
4 Click Next to go to the following wizard page.
5 In this window the parameters of the OSD Manager must be defined.
6 However, we have already done this with the previous example, so you can just click Next to go to the
following wizard page.
Step 3: Deployment Type
In this third wizard window you must select which type of deployment is to be executed. For this example we will
select the Custom Mode. Then click Next to go to the following wizard page.

Step 4: Project Parameters


The deployment of a new operating system to a number of targets is managed in its entirety by a NAMP object
called project.
1 This window defines the parameters for the deployment project, which are the following:

Name
Enter a self-explanatory name for the project into this field, for example XP (64 bit) Custom Deployment.
Target Drive
This field is used to configure the MBR file and is therefore accessible. However, only modify the pre-entered
value if required.
2 Click Next to go to the following wizard page.

Step 5: Image
This wizard window allows you to either select an existing or create a new operating system image which is to be
deployed by the setup. Images exist for all types of deployment, but the list displayed in this window is already
filtered and will only show the images created for the respective selected deployment type.
The wizard window is still empty as no images have yet been created. The option to create a new image (Create a
new OS image or setup) is selected by default, therefore click Next to go directly to the following wizard page to
define the parameters of the new image.

Step 6: Image Parameters


This window allows you to define the parameters for the custom deployment image.
1 The following parameters must be defined:

Name
Enter a descriptive name for the image in the Create a new OS image or setup field, for example XP Custom
Mode Image.
Location
Enter into this field the network path to the folder where the custom image and the program are located, e.g.
\\192.168.196.13\ghosts64. This is the folder which contains the ghost executable file for the deployment
as well as the ghost image. This directory may be located on any device in your network, as long as it can be
accessed by the OSD Manager and the target devices.
Connection Parameters
The login and password to be used by the deploying device to access the network location in read and write
mode.
1 To enter the login information click the Edit button next to the non-editable fields.
2 A Properties window appears on the screen in which you must enter the login name and corresponding
password in the respective fields and re-enter the password for confirmation.
The login name must have one of the following formats:
<domain name>\<user login>
<local host name>\<user login>
3 For security reasons the passwords will only be displayed in the form of asterisks.
4 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now
be displayed in clear text format.
5 To confirm the credentials click the OK button at the bottom of the window.
6 The account will be added in the wizard window fields.
Custom Image Command Line
This field contains the command required to deploy the image, e.g.,
ghost32.exe -clone,mode=restore,src=W:\XP32.GHO,dst=1:0 -SURE for a ghost image, whereby W: is the mounted
share of the UNC OS location in the WinPE. An example when using imagex would be: imagex /apply
"W:\MyImageFile.wim" 1 C:.
2 Once all parameters are defined, they must be verified. Until the verification is executed
and returns the Status OK, the wizard cannot continue.
3 To verify click the Check Image button to the right of the Status field.
4 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it.
5 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field
indicating where the parameter value is not correct.
6 Once the Status OK is returned click Next to go to the following wizard page.

Step 7: Target List


The next step in the OS deployment procedure is to select the deployment targets. Targets are not defined via
groups, as these may only contain devices with a NAMP agent installed. Instead they are managed via target lists,
which may also contain devices without a NAMP agent. The individual targets are then added to these lists. This
may be done in a number of different ways. In our example here we will only have one target device, which will be
added as a single device. All other possible ways are explained in the options.
The option to create a new target list (Create a new target list) is selected by default, therefore click Next to go
directly to the following wizard page to define the members of the new target list.

Step 8: Target List Configuration


In this step of the wizard you must select the deployment targets which are collected in the target list.

1 Enter the name XP Custom Mode Target List into the Name field on top of the empty list field.
2 This deployment will only have one target device and we will add it as a new target.

To add target devices via lists see Option (a) now.

To add existing devices as targets see Option (b) now.


To add target devices via a PXE subnet see Option (d) now.

3 For this select the Create Target icon ( ) on top of the empty list field.
4 The Create a New Target window appears on the screen.
5 Enter the following information into the respective fields of the General
Information tab for the new device:
Name
Enter into this field the short name that the new device is to have, e.g.,
scotty. Be aware that the name of the new target may only have a maximum
of 15 characters and may only contain the following characters: A-Z, a-z,
0-9, the underscore (_) and a dash (-).
Target
Leave the radio button selected as we are defining a single target and enter
the information for at least one of the three following fields. If the device is
already up and running the wizard will recover information regarding the
MAC address, based on the provided IP address or DNS name.
MAC Address
Enter into this field the current MAC address of the target device. This is the most precise information to
identify the device and should be preferred to the other two following identification options.
IP Address
Enter into this field the current IP address of the target device. This option may be used if the MAC
address is unknown and device is already running. In this case the respective target device will try to
find its MAC address and provide this information.
DNS
Enter into this field the current DNS information of the target device. This option may be used if the
MAC and IP addresses are unknown and device is already running. In this case the respective target
device will try to find its IP address which in turn will then search for the MAC address and provide this
information.
6 Then click the OK button at the bottom of the window to confirm the data for the new target device and add it
to the target list.
7 Then click Next to go to the following wizard page.

Step 9: Disk Configuration


This wizard window allows you to define the configuration of the disk on which the operating system will be
installed. A number of predefined disk configurations are initially provided by Numara and one of these will be
used for this custom example.
1 In the list of available disk configurations select the Unchanged disk for custom deployment option.
2 This configuration contains all the required information for the standard ghost installation.

To create a new disk configuration see Option (h) now.


3 Then click Next to go to the following wizard page.

Step 10: Drivers


In this step of the OSD wizard the drivers required for the WinPE must be selected. For the deployment to work at
least one driver must be selected, i.e. the network driver, as well as the SATA driver if the target disk is a SATA
disk. As we have already executed the Setup mode in which the two required drivers were defined we will use
these now for the current example installation.
1 The wizard window will show the two drivers already defined for the setup example.
2 Check both their boxes if you have a SATA drive, otherwise only select the Ethernet driver.

3 Then click Next to go to the following wizard page.


Step 11: Project Build Date


In the last step of the operating system deployment wizard the schedule for the project build and its activation is
defined. Building the project means checking that all parameters and values of the project are correct and that
all required elements are available and in their correct location.

Be aware that only one project per OSD Manager at a time can be active. If you have more than one deployment
project you must schedule them in such a way that they are not launched at the same time and that the first
deployment has finished before the next one starts, i.e. that they are not active at the same time. It is however
possible to execute simultaneous deployments via different OSD Managers in different subnets. If you activate a
new project via this wizard any other project in the same subnet will automatically be deactivated.

As we want to activate and execute this first deployment right away leave all values as they are and click Finish to
launch the deployment.

Step 17: Project Monitoring


The project will now be built, i.e. all parameters are verified, the files are copied to the location required for the
remote installation, etc. You can follow the progress of the project in its console node, as the focus of the console
will automatically be moved to this object when the wizard is finished. In this view you can follow the different
stages of the build.
If any status other than the final status Build completed successfully. is displayed, the build has failed and you need
to review the parameters of the project and possibly the source files.

Step 18: Deployment Execution


Once the build is successfully completed the files are put at the required location on the OSD Manager for
deployment. To now start the actual operating system deployment to the target device you must switch on the
device. It will boot on the PXE boot section and the operating system installation is executed.

Do not start the target devices before the project is finished and ready to launch the installation. If the target
devices are already running before that point, the PXE boot will not find the files for the installation and the
deployment and installation of the new OS on the target devices will not take place.

You can follow the progress of the installation by selecting the Assigned Objects->Target List->XP Custom Mode
Target List node in the left window pane. The right pane displays the target list members with their status
information.

7.2 Options
The following section describes a number of options available for the different modes of operating
system deployment.
(a) Add Target from Lists
Devices may be added to the target list through a number of different ways. One is through different types of lists.
Be aware that you cannot add the master as a target device. To do so proceed as follows:
1 Select the Add Members from Lists icon ( ).
2 The Select Devices from the List window opens which provides you with the following methods to choose the
scan targets:
AutoDisc Object
AutoDisc Device
Network
CSV List
a AutoDisc Object
The AutoDiscovery module provides a list of all devices of any type found in the network, such as printers
or devices with and without the agent installed. This list is also available for the vulnerability scan
functionality to facilitate the selection of the scan targets. However, the list displayed in this case will only
show all clients of type device and only those with a status of Verified or Learned, which means that all
devices in this list have been verified for existence either by the local client or a neighbour client and exist
on the network. To add a device from the list of all autodiscovered devices known to the database proceed
as follows:
1 Select the AutoDisc Object tab ( ) in the left window bar.
2 The field Available Devices displays the list of all available devices. You will find more information on
the list of autodiscovered devices in chapter Autodiscovered Objects on page 209 in the Console manual.
3 Select the device/devices to be added as targets from the list and then click the Add button ( ) to move
the selected devices to the list of Selected Devices.
4 Click OK to confirm the selections and close the window.
b AutoDisc Device
The tab AutoDisc Device allows you to select
your target devices from a list of
autodiscovered devices by one specific
network device. Proceed as follows:
1 Select the AutoDisc Device tab ( ) in the
left window bar.
2 The Select a Device window opens on the
screen.
3 Select the device of which the
autodiscovered list is to be used from one of
the tabs of the Select a Device dialog box.
4 Click OK to confirm the selection and close
the window.
5 The Select Devices from the List dialog box
now only displays the devices that were
discovered by the selected network device.
6 Select the device/devices to be added as targets from this list and then click the Add button ( ) to move
the selected devices to the list of Selected Devices.
7 Click OK to confirm the selections and close the window.
c Network
You may add a device from the list of your Microsoft network neighbourhood. To do so proceed as follows:
1 Select the Network tab ( ) in the left window bar.
2 The field Available Devices displays now the Microsoft Windows Network Neighbourhood structure
on the screen.
3 Select the device/devices to be added to the list from one of its groups.
4 Click OK to confirm the addition and close the window.
d CSV List
To add a device to the scan from an existing .csv file proceed as follows:
1 Select the CSV List tab ( ) in the left window bar.
2 A window opens, in which you may choose the file containing the device list.
3 Click the Open button at the bottom of the window to open the list.
4 The field Available Devices displays now the list of all devices contained in the selected CSV list.
5 Check the box Header, if your CSV file has a title line which is to be removed.
6 Select the device to be added to the scan from the list in the window. You may also select all devices in
the list by using the Select All button.
7 Click OK to add the device and close the window.
3 Continue with the general procedure.
(b) Add Device
You may also add a device or all devices of a target list via the device selection window. This is the easiest way to
add devices to the target list if you install only devices that are already known to the NAMP database. Devices
without agents are not available in this window. To add devices proceed as follows:
1 Select the Add Device icon ( ).
2 The Select a Device window opens on the screen.
3 Select the device to be added from one of the tabs of the Select a Device dialog box.
4 Click OK to confirm the addition and close the window.
5 Continue with the general procedure.
(c) Create Target via PXE Subnet (Setup Mode)
You may also create new target devices by specifying a subnet in which they will be located. New targets created
in this way will be added to the OS Deployment database specifically for this deployment. To do so
proceed as follows:
1 Select the Create Target icon ( ).
2 The Create a New Target window opens on the screen with its three tabs, General Information, Parameters
and Unattended Information.
3 Enter the following required information for the target device in the General Information:
Name
Enter into this field the short network name that the new device is to have, e.g., scotty.
Description
This field is a free text field and may contain some descriptive text or necessary information about the
object.
Architecture
This field indicates the type of architecture to which the target list is applicable. The possible options
are 32 Bit for x86 and 64 Bit for amd64 Windows installations. This field is generally not accessible, as the
architecture is defined by the target list.
Enabled
This parameter defines if the target device is active, i.e. if it will
recuperate the image or setup file to install. By default this option is
set to Yes, enabled or active target. If a target device is disabled, it
must be activated manually via this option and then the project
must be rebuilt for this modification to become effective.
PXE Subnet Filter
This field displays the IP address for the subnet which contains the
target devices. A new field next to the Name field appears in the
window. You may enter into this field the way the device names
within a subnetwork are automatically incremented. The default
value here is 001, i.e. the name with the suffix 001, 002, etc., e.g.
HQ001, HQ002, ... HQ099.
PXE Subnet Filter
Enter into this field the IP address in its dotted notation for the
subnet which is to contain the target devices. The address may
be entered with the wildcard character asterisks (*):
192.168.1.*, 192.168.*.* or 192.*.*.*.
4 Then select the Parameters tab and fill in the fields for the target
operating system information.
Edition
Select from the drop-down box the Windows edition that is being installed, e.g. Windows Vista Enterprise.
The listed editions have been automatically detected from the installation CD/DVD.
Language
Select from the drop-down box the language. This language setting will be applicable to the setup, the
operating system to be installed, the keyboard layout and the user locale. The listed languages have been
automatically detected from the installation CD/DVD.
Product Key
This field defines the preformatted input for the OS product key (e.g.: ABCDE-FGHIJ-KLMNO-PQRST-
UVWXY). Replace the standard key already entered in this field with the key provided by Microsoft on your
installation DVD.
TCP/IP Parameters
The fields in this box allow you to define the parameters for static or dynamic IP address management:
Dynamic IP
Select this radio button to dynamically assign the IP addresses for the devices. This option is only
applicable to Setup projects. This is the default value.
Static IP
Select this radio button if the IP addresses are statically assigned to the devices. The following fields
must be defined for static IP addressing:
IP Address
Enter into this field the IP address which is to be attributed to the target device. This field is
mandatory.
Subnet Mask
Enter into this field the subnet mask for the target device. This field is mandatory.
Gateway
Enter into this field the IP address of the gateway of the target device. This field is mandatory.
Prefered DNS Server
Enter into this field the IP address of the preferred DNS server of the target device. This field is
mandatory.
Alternate DNS Server
Enter into this field the IP address of the alternate DNS server of the target device. This field is
optional.
Click the Default Values button below these fields to preenter the Subnet Mask, Gateway and Prefered DNS
Server fields with the default values.
5 Then select the Unattended Information tab and fill in the fields for your organisation.
Screen Resolution
This parameter defines the resolution in pixels of the target screen. The value in parenthesis behind the
value indicates for which screen size the respective resolution is generally used.
Colour Depth
This parameter defines the colour depth in bits per pixel of the target screen.
Refresh Rate
This parameter defines the refresh rate in Hertz of the target screen (e.g.: 85 for CRT, 60 for LCD).
Resolution (DPI)
This field displays the resolution in dpi that is to be used for the fonts displayed on the screen of the device
to be installed.
Organisation
This field displays the name of your organisation, e.g. Numara Software.
Workgroup
The network workgroup of the target devices, e.g. WORKGROUP. If you enter a value here and as well into
the Domain field later on, this value will be ignored.
Administrator Login
Enter into this field the login name which is to be created for the newly installed OS with the full
administrator rights accorded on the new device. For Vista and later versions this field will be greyed out, as
the login name is predefined by Microsoft and may not be modified.
Administrator Password
Enter into this field the corresponding password.
User Login
Enter into this field the login name with which the user is to log on to his device which provides him with
the required user rights. This parameter is only applicable to Vista.
User Password
Enter into this field the respective password to be used. This parameter is only applicable to Vista.
Time Zone
The timezone in which the target device is located.
Full Name
Enter into this field the complete name of the user that is to use the new device, e.g. Jane Doe.
Domain
Enter into this field the name of the domain the new device should belong to, e.g. TESTLAB. If you entered
a name for the workgroup above the domain value will prevail.
Domain Administrator Name
Enter into this field the login name of the domain administrator with which he may access the new device.
Domain Administrator Password
Enter into this field the corresponding password.
First Logon Command
This field lists the commands to be executed on the first logon, this may be a path to a batch file to execute,
e.g. E:\Apps.bat or cmd /c REGEDIT /S E:\Apps\patch.reg. This parameter is only applicable to XP.
6 Click the OK button at the bottom of the window to confirm the data for the new target list or click Cancel to
abandon without modifications and to close the window.
7 Continue with the general procedure.
(d) Create Target via PXE Subnet (Non-Setup Mode)
You may also create new target devices by specifying a subnet in which they will be located. New targets created
in this way will be added to the OS Deployment database specifically for this deployment. To do so
proceed as follows:
1 Select the Create Target icon ( ).
2 The Create a New Target window opens on the screen with its three tabs, General Information, Parameters
and Unattended Information.
3 Enter the following required information for the target device in the General Information:
Name
Enter into this field the short network name that the new device is to have, e.g., scotty.
Description
This field is a free text field and may contain some descriptive text or necessary information about the
object.
Architecture
This field indicates the type of architecture to which the target list is applicable. The possible options
are 32 Bit for x86 and 64 Bit for amd64 Windows installations. This field is generally not accessible, as the
architecture is defined by the target list.
Enabled
This parameter defines if the target device is active, i.e. if it will
recuperate the image or setup file to install. By default this option is
set to Yes, enabled or active target. If a target device is disabled, it
must be activated manually via this option and then the project
must be rebuilt for this modification to become effective.
PXE Subnet Filter
This field displays the IP address for the subnet which contains the
target devices. A new field next to the Name field appears in the
window. You may enter into this field the way the device names
within a subnetwork are automatically incremented. The default
value here is 001, i.e. the name with the suffix 001, 002, etc., e.g.
HQ001, HQ002, ... HQ099.
PXE Subnet Filter
Enter into this field the IP address in its dotted notation for the
subnet which is to contain the target devices. The address may
be entered with the wildcard character asterisks (*):
192.168.1.*, 192.168.*.* or 192.*.*.*.
4 Continue with the general procedure.
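The name rule from Step 8 (at most 15 characters; A-Z, a-z, 0-9, underscore and dash) and the PXE Subnet Filter wildcards from options (c) and (d) can be checked before the values are entered in the wizard. The following Python sketch is an added example, not part of the Numara product or this manual; the function names, the restriction of wildcards to trailing octets, the application of the name rule to generated names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re


def name_problems(name):
    """Return the rule violations for a target name (empty list = valid)."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > 15:
        problems.append(f"{len(name)} characters, maximum is 15")
    # Anything left after removing the allowed characters is a violation.
    bad = sorted(set(re.sub(r"[A-Za-z0-9_-]", "", name)))
    if bad:
        problems.append("characters not allowed: " + " ".join(repr(c) for c in bad))
    return problems


def parse_subnet_filter(text):
    """Turn a filter such as 192.168.*.* into an IPv4Network.

    Assumption: wildcards are accepted only as trailing octets, the only
    form the manual shows (192.168.1.*, 192.168.*.* and 192.*.*.*).
    """
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"{text!r}: expected four dot-separated octets")
    fixed = []
    for position, octet in enumerate(octets):
        if octet == "*":
            # Every octet after the first wildcard must be a wildcard too.
            if any(o != "*" for o in octets[position:]):
                raise ValueError(f"{text!r}: wildcard followed by a fixed octet")
            break
        if not (octet.isascii() and octet.isdigit()) or int(octet) > 255:
            raise ValueError(f"{text!r}: bad octet {octet!r}")
        fixed.append(int(octet))
    if not fixed:
        raise ValueError(f"{text!r}: the first octet must be fixed")
    padded = fixed + [0] * (4 - len(fixed))
    return ipaddress.ip_network("{}.{}.{}.{}/{}".format(*padded, 8 * len(fixed)))


def filter_matches(filter_text, ip_text):
    """True if the address falls inside the subnet described by the filter."""
    return ipaddress.ip_address(ip_text) in parse_subnet_filter(filter_text)


def generated_names(prefix, count, first_suffix="001"):
    """Names produced by incrementing the suffix: HQ001, HQ002, ...

    Assumptions: the zero-padded suffix width stays fixed, and the
    15-character name rule also applies to every generated name.
    """
    width = len(first_suffix)
    start = int(first_suffix)
    if start + count - 1 >= 10 ** width:
        raise ValueError(f"suffix width {width} cannot number {count} devices")
    names = [f"{prefix}{n:0{width}d}" for n in range(start, start + count)]
    for name in names:
        problems = name_problems(name)
        if problems:
            raise ValueError(f"{name}: {'; '.join(problems)}")
    return names


def review_plan(prefix, count, filter_text, known_ips):
    """Summarise what a subnet-based target definition would cover."""
    network = parse_subnet_filter(filter_text)
    return {
        "names": generated_names(prefix, count),
        "addresses_covered": network.num_addresses,
        "known_hosts_in_scope": [
            ip for ip in known_ips if ipaddress.ip_address(ip) in network
        ],
    }


if __name__ == "__main__":
    # Constructed sample inventory; the addresses are illustrative only.
    inventory = ["192.168.1.20", "192.168.196.13", "10.0.0.5"]
    for candidate in ("192.168.1.*", "192.168.*.*", "192.*.*.*"):
        print(candidate, review_plan("HQ", 3, candidate, inventory))
```

Comparing addresses_covered and known_hosts_in_scope for the three filter widths shows how many devices each wildcard level brings into the scope of a deployment.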
(e) Create Target in Static IP Mode
Target devices may also be created in static mode. To do so proceed as follows:
1 In the Parameters tab of the Create a New Target window make the following changes:
2 In the TCP/IP Parameters box select the Static IP radio button.
3 Then enter the following parameters:
IP Address
Enter into this field the IP address which is to be attributed to the
target device. This field is mandatory.
Subnet Mask
Enter into this field the subnet mask for the target device. This field
is mandatory.
Gateway
Enter into this field the IP address of the gateway of the target
device. This field is mandatory.
Prefered DNS Server
Enter into this field the IP address of the preferred DNS server of
the target device. This field is mandatory.
Alternate DNS Server
Enter into this field the IP address of the alternate DNS server of the
target device. This field is optional.
Click the Default Values button below these fields to preenter the
Subnet Mask, Gateway and Prefered DNS Server fields with the
default values.
4 Continue with the general procedure.
(f) Sysprep WIM Image Deployment - Additional Drivers
If you are executing a sysprep installation, an extra wizard window will be displayed in which additional drivers
required by the SysPrep installation must be defined.
In this step of the OSD wizard the drivers which will be used by the Windows Setup for installation must be
defined. This is the equivalent of manually inserting the driver floppy during the installation process. Here
you can define all drivers that may be needed by the deployment operating system to properly run. The drivers
must be defined here as well in their usual .inf format. If you are creating an XP setup and your targets use a
SATA disk, do not forget to add the required SATA driver here as well.
Proceed as follows:
1 Before Step 7: of the WIM Image Deployment wizard an Image Drivers window will appear on the screen to
define the additional drivers.
2 By default no drivers are predefined, therefore this list field is empty.
3 For this example we will first add an Ethernet network driver.

4 To do so click the Create Driver icon ( ) above the list field.


5 The Create a New Driver window appears on the screen.
6 Enter the following data into the respective fields:
Name
Enter a name for the new driver, for example Ethernet
Network Driver.
Driver Type
This drop down list defines the type of the driver, i.e. if it
is a network driver, a SATA disk driver, a keyboard driver,
etc. Select the Modem/Network Driver value from the
list.
Driver .inf File
Enter into this field the name and path of the .inf file of the
driver. This is the path on the local device, i.e. the OSD
Manager and to be entered as such with the drive letter as
well as the name of the file, e.g. D:/Drivers/TEXTORM/
chipset/Vista32/Ethernet/nvfd6032.inf. You may also
indicate a path to a removable device, such as a DVD
drive, as the driver files will be copied to a specific directory in the Numara Deployment Manager.
1 To find the file in its directory structure click the Select button next to the field.
2 The Driver File from <Device> window appears on the screen.
3 It provides the directory structure of the currently selected OSD Manager.
4 Browse the directories to find the correct file, select it and then click the OK button to add it.
7 Once all parameters are defined, they must be verified. Until the verification is executed
and returns the Status OK, the wizard cannot continue.
8 To verify click the Check Driver button to the right of the Status field.
9 AMP will now verify all entries of this page, i.e. the directory as well as the access rights to it and fill in the
remaining fields with the recovered information, such as the list of driver files.
10 If all values are correct the Status OK is returned, otherwise an error message is displayed in the Status field
indicating where the parameter value is not correct.
11 Once the Status OK is returned click the OK button to add the new driver to the list and return to the Image
Drivers window.
12 Now the driver appears in the list of available drivers.
13 Repeat steps 2 to 9 to add other drivers. The drivers defined here must be compliant with the image to be
deployed.
14 Then click Next to go to the following wizard page.
15 Continue with the general procedure.
(g) Sysprep WIM Image Deployment
A sysprep WIM image deployment requires the configuration of additional parameters. Proceed as follows:
1 At Point 4 (page 158) of Step 8: Target List Configuration of the WIM Image deployment, the parameters of two
more tabs must be defined:
2 Select the Parameters tab and fill in the fields for the target operating
system information.
Edition
Select from the drop-down box the Windows edition that is being
installed, e.g. Windows Vista Enterprise. The listed editions have
been automatically detected from the installation CD/DVD.
Language
Select from the drop-down box the language. This language setting
will be applicable to the setup, the operating system to be installed,
the keyboard layout and the user locale. The listed languages have
been automatically detected from the installation CD/DVD.
Product Key
This field defines the preformatted input for the OS product key
(e.g.: ABCDE-FGHIJ-KLMNO-PQRST-UVWXY). Replace the
standard key already entered in this field with the key provided by
Microsoft on your installation DVD.
3 Then select the Unattended Information tab and fill in the fields for
your organisation.
Screen Resolution
Select from the drop down list the appropriate screen resolution for the monitor of the target device.
Colour Depth
Select from the drop down list the appropriate colour depth for the monitor of the target device.
Refresh Rate
Select from the drop down list the appropriate refresh rate for the monitor of the target device.
Resolution (DPI)
Select from the drop down list the appropriate DPI value for the target device.
Organisation
Enter into this field the name of your company, e.g. Numara Software. This is the value that will appear in
the license window of the operating system.
Workgroup
Enter into this field the name of the workgroup to which the newly
installed device is to belong to, e.g., WORKGROUP. This field will be
ignored if a domain is specified.
Administrator Login
Enter into this field the login name which is to be created for the
newly installed OS with the full administrator rights accorded on
the new device. For Vista and later versions this field is prefixed by
Microsoft and modifications will be ignored. This login and
corresponding password must be the same as the administrator
login/password of the previously captured system.
Administrator Password
Enter into this field the corresponding password.
User Login
Enter into this field the login name with which the user is to log on
to his device which provides him with the required user rights.
This field is only applicable to Vista and later.
User Password
Enter into this field the respective password to be used (Vista and later only).
Time Zone
Select from this drop down list the time zone which is to be applied to the new device, i.e. in which it is
located.
Full Name
Enter into this field the complete name of the user that is to use the new device, e.g. Jane Doe.
Domain
Enter into this field the name of the domain the new device should belong to, e.g. TESTLAB. Do not enter
anything into this field if you have provided Workgroup information, as this value will override it.
Domain Administrator Name
Enter into this field the login name of the domain administrator with which he may access the new device.
Domain Administrator Password
Enter into this field the corresponding password.
First Logon Command
This field lists the commands to be executed on the first logon, this may be a path to a batch file to execute,
e.g. E:\Apps.bat or cmd /c REGEDIT /S E:\Apps\patch.reg. This parameter is only applicable to XP.
4 Then click the OK button at the bottom of the window to confirm the data for the new target device and add it
to the target list.
5 Then click Next to go to the following wizard page and continue with the general procedure.
(h) Create new Disk Configuration
If none of the predefined disk configurations answer the requirements of your distribution you may create a new
disk configuration. Creating new disk configurations consists of the following two steps:
1 Create new Disk Configuration
2 Create Partitions for the new configuration

Be aware that WinPE has a number of limitations as described on the Microsoft web site
(http://technet.microsoft.com/en-us/library/cc507857.aspx), such as the fact that drive letter assignments are NOT
persistent between sessions. This means that no matter which drive letter you assigned to a drive in the disk
configuration of an OS deployment, the drive letter assignments will be in the default order after WinPE is restarted.

Step 1: Create new Disk Configuration


Proceed as follows to create a new disk configuration in the OSD wizard for a distribution:
1 At Step 10: Disk Configuration of the wizard select the Create Disk Configuration icon ( ) above the list
window.
2 The Properties dialog box appears on the screen.
3 Enter the desired data into the respective fields.
Name
Enter a name for the new disk configuration, for example FullDisk_3Partitions.
Description
This field is a free text field and may contain some descriptive text or necessary information about the object.
Size
This value displays the total size of the respective hard disk in MB.
Delete Disk Partitions
This parameter defines if any partitions that already exist on the target device are deleted, possible values are
Yes and No.

This option should be used with caution, as any data on the disk will be lost irretrievably if selected, even if
you selected not to format the partition in the partition definition.

Disk Number
The physical disk number on the device, 0 indicating the first disk, 1 the second, etc.
Status
This field displays the current status of the selected disk configuration.
4 Before the disk configuration can be created, it must be verified that all entered data is correct.
5 To execute a check on the disk, click the Check Disk Status button next to the non-editable field. Be aware that
the disk creation cannot be confirmed until the disk verification has succeeded, i.e. the status value OK is
displayed.
6 Click the OK button at the bottom of the window to confirm the data for the new disk configuration and to
close the window.
7 The new configuration will be added to the list field.

Step 2: Create Partitions


Now that the disk is configured, the partitions that will be created on the remote target device during the
installation process must be defined.
1 Select the new disk configuration in the list field.
2 Select the Create Partition icon above the list field.
3 The Disk Partitions for <Disk Name> dialog box appears on the screen. It displays the list of all partitions
defined for the currently selected disk.
4 To add a new partition click the Create Partition icon above the list field.
5 The Create a new partition window appears on the screen.
6 Enter the desired data into the respective fields.
Name
Enter a name for the new partition.
Description
This field is a free text field and may contain some descriptive text or necessary information about the object.
Format
This parameter indicates the format of the partition. Possible values are NTFS, FAT-32 or Do Not Format; select the
latter if the disk is not to be formatted but is to use the current configuration, for example to keep another
partition type for Linux or to keep partitions with existing data.

These formatting options should be used with caution, as any data on the partition will be lost irretrievably if
one of these options is selected.

Type
This parameter defines the type of the partition, i.e. if it is a primary, extended or logical partition.

Extend
This parameter is of interest if the defined disk partitions do not completely use up the available disk space.
Possible values are Yes, extend partition, in which case the size fixed for the disk will be ignored and the
remaining disk space will be added to the respective partition, and No, do not extend the partition, in which case
the remaining disk space cannot be used. Only one partition per disk may be extended. As FAT-32 disks may not
be larger than 32 GB, extending one over this limit will generate an error.
Size
This value displays the total size of the respective disk partition in MB. FAT-32 disks may not be larger than 32
GB. The specified size is adjusted to the cylinder snap and may therefore be somewhat smaller or larger than
the defined value.
Label
The unique name of the partition (e.g. SYSTEM, DATA or BACKUP).
Drive Letter
The logical drive letter from C to Z assigned to the drive, each letter may only be assigned once. You may
assign the partition a specific drive letter, however, WinPE may change this after rebooting if it does not
coincide with its internal sorting logic.
Active Partition
This parameter defines whether a partition is active, i.e. whether it is potentially bootable. The operating system
that is to be booted must be installed on this partition. Only one partition may be active per disk.
Partition Number
The unique physical partition number on the disk the currently selected entry belongs to, 1 is the first
partition, 2 the second, etc.
7 Click the OK button at the bottom of the window to confirm the data for the new partition and to close the
window.
8 Repeat these steps until all partitions for the disk configuration are defined.
9 To change the order of the partitions you may move one up or down in the list.
10 Select the partition in the table in the right window pane.
11 Either choose the Edit->Move Down/Move Up menu item or click the respective icon in the icon bar
until the partition is at the desired position.
12 Click the OK button at the bottom of the window to confirm the data for the new disk partition and to close the
window.
13 Continue with Step 10: Disk Configuration of the main wizard procedure.
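
The field rules listed in Step 2 (one extending and one active partition per disk, unique drive letters from C to Z, the 32 GB FAT-32 limit) and the data-loss cautions can be checked against a planned layout before it is entered in the wizard. The following Python code is an added example, not Numara code; the class and function names, the reading of 32 GB as 32 * 1024 MB and the rule that partition sizes may not add up to more than the disk size are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

FAT32_MAX_MB = 32 * 1024   # assumption: the manual's 32 GB limit taken as 32 * 1024 MB
FORMATS = ("NTFS", "FAT-32", "Do Not Format")
TYPES = ("primary", "extended", "logical")


@dataclass
class Partition:
    number: int                         # Partition Number (1 = first partition)
    label: str                          # Label, e.g. SYSTEM, DATA or BACKUP
    fmt: str                            # Format
    ptype: str                          # Type
    size_mb: int                        # Size in MB
    extend: bool = False                # Extend: take the remaining disk space
    drive_letter: Optional[str] = None  # Drive Letter, C to Z
    active: bool = False                # Active Partition


@dataclass
class DiskConfig:
    name: str
    size_mb: int
    delete_partitions: bool = False     # Delete Disk Partitions
    partitions: List[Partition] = field(default_factory=list)


def _duplicates(values):
    """Return the sorted values that occur more than once."""
    seen, dups = set(), set()
    for value in values:
        (dups if value in seen else seen).add(value)
    return sorted(dups)


def check_disk_config(cfg):
    """Return (errors, data_loss_warnings) for one disk configuration."""
    errors, warnings = [], []
    parts = cfg.partitions
    free_mb = cfg.size_mb - sum(p.size_mb for p in parts)
    if free_mb < 0:
        # Assumption: defined partitions may not add up to more than the disk.
        errors.append(f"partitions exceed the disk size by {-free_mb} MB")

    for p in parts:
        if p.fmt not in FORMATS:
            errors.append(f"{p.label}: unknown format {p.fmt!r}")
        if p.ptype not in TYPES:
            errors.append(f"{p.label}: unknown type {p.ptype!r}")
        letter = p.drive_letter
        if letter is not None and not (len(letter) == 1 and "C" <= letter <= "Z"):
            errors.append(f"{p.label}: drive letter {letter!r} is outside C to Z")
        # A partition set to extend also receives the space left on the disk.
        effective_mb = p.size_mb + (max(free_mb, 0) if p.extend else 0)
        if p.fmt == "FAT-32" and effective_mb > FAT32_MAX_MB:
            errors.append(f"{p.label}: FAT-32 partition of {effective_mb} MB exceeds 32 GB")
        if p.fmt in ("NTFS", "FAT-32"):
            warnings.append(f"{p.label}: formatting as {p.fmt} erases existing data")

    for what, values in (
        ("partition number", [p.number for p in parts]),
        ("label", [p.label for p in parts]),
        ("drive letter", [p.drive_letter for p in parts if p.drive_letter]),
    ):
        for dup in _duplicates(values):
            errors.append(f"{what} {dup} is assigned more than once")
    if sum(p.extend for p in parts) > 1:
        errors.append("more than one partition is set to extend")
    if sum(p.active for p in parts) > 1:
        errors.append("more than one partition is marked active")
    if cfg.delete_partitions:
        warnings.append("Delete Disk Partitions is Yes: all existing data on the disk "
                        "is lost, including partitions set to Do Not Format")
    return errors, warnings


def sample_config():
    """Constructed example: a 100000 MB disk with three deliberate mistakes."""
    return DiskConfig("FullDisk_3Partitions", 100000, partitions=[
        Partition(1, "SYSTEM", "NTFS", "primary", 40000, drive_letter="C", active=True),
        Partition(2, "DATA", "FAT-32", "primary", 20000, extend=True, drive_letter="D"),
        Partition(3, "BACKUP", "Do Not Format", "primary", 10000,
                  drive_letter="D", active=True),
    ])


if __name__ == "__main__":
    errs, warns = check_disk_config(sample_config())
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

The constructed sample fails on three counts: the extending FAT-32 partition grows past 32 GB once the free space is added, drive letter D is used twice, and two partitions are marked active.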
(i) Add OSD Manager
To define a device as OSD Manager proceed as follows:
1 Choose the Add Device icon.
2 The Add an OSD Manager popup window will appear on the screen, displaying the list of all devices that may
be OSD Managers due to their operating system.
3 Select the device to be added from one of the list boxes.
4 Click OK to confirm and close the window.
5 The device will be added to the table of OSD Managers and its configuration parameters will be updated
accordingly.
6 Continue with Step 1: OSD Manager of the main procedure.
8
Software Distribution Step-by-Step
Using the Numara Deployment Manager you can control and manage software installations and distributions
across the entire network. The architecture offers a ’pull’ system, whereby the agents will collect (or pull) software
packages from the software depot, the master or a relay on the network and proceed to install and configure the
software on the clients.
As shown in the graphic below, the software distribution process consists of the following individual steps:
1 Download the installation file for the product to distribute from the Internet (1)
2 Create the package to distribute in the Package Factory and publish it to the master/relay (2, 3)
3 Assign the package to the target device and distribute (4, 5)
4 Install the package on the target and send the execution status to the master (6, 7).
[Figure: the software distribution process between Package Factory, Internet, Master and Target Client: (1) Installation Files, (2) Create package, (3) Publish package to Master, (4) Assign Target Device, (5) Pull package to Target Device, (6) Install package, (7) Send Status]

This chapter is divided into the following sections:


• Software Distribution Examples
• Software Distribution Reporting
• Software Distribution Options

Prerequisites
To execute the examples provided in this chapter we assume that:
• in your test environment you have at least one, preferably several devices on which Firefox and Orca are not
yet installed.
• your master has an Internet connection to download the setup files.
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the
NAMP console and its workings.

8.1 Software Distribution Examples


The software distribution process is illustrated in this chapter via two examples:
• Creation and distribution of Mozilla Firefox version 3 via a custom package.
• Distribution of the database editor Orca via an msi package. (If you are executing rpm distributions you may
also follow the general guidelines of this process as the two package types are very similar.)

To create rpm packages your package factory must run a Linux operating system. If you do not have a Linux
master, first see Option (i) on how to define another device as the Packager, which you will then need to use.

Distribution 1: Firefox Custom Package


The actual software distribution process is split into the following individual steps:
1 Download Firefox Setup-File from the Mozilla site.
2 Create Firefox Custom Package and Make It Available.
3 Assign and Distribute Package Immediately.
4 Monitor Distribution Progress and Results.
Step 1: Download Firefox Setup-File
The first step before a software package can be distributed is to download the original installation package of the
manufacturer, for our example the file Firefox Setup 3.0.7.exe for Mozilla Firefox version 3. To do so, proceed as
follows:
1 On the device you defined above as the Packager, download the new Firefox version from
http://www.mozilla.com/en-US/firefox/all.html.
2 Save the file Firefox Setup 3.0.7.exe on the local disk.

To see the command line options, open a cmd shell, go to the directory where you have saved the file, and execute
Firefox Setup 3.0.7.exe /help: the /quiet option can be used to install in silent mode, with no user
interaction.

Step 2: Create Firefox Custom Package and Make It Available


Now that the software to be installed is available locally, the distribution package can be created and then be
made available for the actual distribution:
1 Select the Wizards->Package Creation Wizard menu item.
2 The Package Creation Wizard appears on the screen and guides you through the individual steps required to
create a new custom package.

Step 2a: Package Factory


In the first window, Package Factory, you need to select the Package Factory on which the new package is to be
created as well as the type of the package to be created.
1 Select the one defined packager.

If you want to define another device as the Packager please see Option (i).

2 In the panel Package Type you must define which type of package is to be created via the wizard. Select the
Custom Package option.

3 Click Next to continue.

Step 2b: Custom Package


In the next wizard window, Custom Package, the new package must be configured. For this the following
parameters must be defined:
1 Enter the name for the new package into the respective field, for instance Firefox v3.0.7.

If you want to create the new package in a specific folder instead of under the packages top node see Option (k)
now.

If your antivirus software interferes heavily with .zip files, choose the .pkg Archive Type.

2 Click Next to continue.

Step 2c: Installation Options


This window provides two panes for configuration:

The Installation panel defines how the installation of the package is executed on the target(s).
1 In the Destination Path field enter the path in which you want the Firefox Setup 3.0.7.exe to be stored
temporarily, for instance c:/temp.
2 In the Run Command field enter c:/temp/Firefox Setup 3.0.7.exe /S.

The path in this field must match the destination path to which the executable file is copied and under which
it is stored in the package; therefore the Run Command field must contain c:/temp/Firefox Setup
3.0.7.exe /S. The /S option is optional and indicates a silent installation.

The Overwrite box defines which files the package may overwrite when installing on the target and which it may
not touch.
1 Check the Overwrite Non-system Files, Overwrite older file versions only and Overwrite read-only files
boxes.

2 Click Next to continue.

Step 2d: Add Files


To add the files to install to the custom package proceed as follows:
1 Select the Add File icon.
2 The Files from dialog box appears on the screen.
3 In the Add Files to Custom Package tab go to the drive and directory in which you stored the Firefox
installation file Firefox Setup 3.0.7.exe and select it.
4 Uncheck the option Enable Full Path.

This option allows you to control where the file will be put on the target devices.

5 Click OK to confirm and to close the window.


6 The Firefox installation file is added to the list window.

7 Click Next to continue.

Step 2e: Publication


Publishing a package signifies making it available for distribution within the network after creation or
modification. We will simply publish the package to the master, which is also the preselected option; therefore do
not make any changes in the window and click the Finish button to confirm all settings and finish this wizard.

Step 2f: Package Distribution


Once the package is created a popup window appears in which you may continue
directly with the distribution of the newly created package via the respective wizard.
Check the Deploy the Package radio button and click Yes to continue directly with
the distribution of the new package.

Step 3: Assign and Distribute Package Immediately


The distributable package is now available on the master ready to be assigned and distributed to the target
devices. Since we have chosen to continue directly with the distribution, the Package Distribution Wizard
appears on the screen.

Step 3a: Package


In the first window of the wizard you define which package to distribute as well as some distribution options. In
our case the package is already preselected, the one we just created.

If you want to schedule the distribution at a specific later time, uncheck the Default Schedule option, and
then see Option (a) when the Schedule wizard window appears.

If you want to advertise the distribution to users via the Application Kiosk refer to Option (h) now.

If you want to schedule the distribution with Wake-On-LAN enabled, uncheck the Default Schedule option
and then see Option (b) when the Schedule wizard window appears.

Make no changes and click the Next button to continue.

Step 3b: Assigned Devices


In this next window you need to define the targets of the package distribution. As we have not made any changes
in the previous window we will assign the package to a device group, one we created in a previous chapter called
All Client Devices without Firefox.
1 Select the Assign Device Group icon.
2 The Select a Device Group popup window will appear on the screen.
3 Select the device group All Client Devices without Firefox from the list box.
4 Click OK to confirm the assignment and close the window.
5 The device group will be added to the list field.

If you want to schedule the distribution at a specific later time see Option (a) now.

If you want to schedule the distribution with Wake-On-LAN enabled see Option (b) now.

6 Click the Finish button to confirm all settings and finish this wizard.

Step 3c: Distribution Activation


The last option provided by the wizard is to immediately activate the package and/or
go to the package. Check the Go to Package box to change the focus of the console
window to the package distribution view. Click Yes to confirm the activation.

If you want to distribute the software via multicast (limit the network bandwidth used during distribution) click No
here and refer to Option (c) now.
If you want to advertise the distribution to users via the Application Kiosk click No here and refer to Option (i)
now.
If you want to put more conditions in your distribution, for instance to be sure to distribute only to machines with
at least 256 Mb of RAM, click No here and see Option (d) now.
If you want to put more post-processing in your distribution, for instance leave to the user the possibility to reboot
immediately or later, click No here and refer to Option (g) now.

Step 4: Monitor Distribution Progress and Results


The focus of the console was moved to the Device Groups under the Assigned Objects node of the newly created
package. In the right window pane you can see the entry for the assigned group with its status Activated. To
follow the execution of the distribution through the status values it passes, select the All Client
Devices without Firefox subnode. In the table to the right you should see all members of the group with the
following successive status values:
• Assignment Sent
• Assigned
• Ready to run
• Executed

At any moment you can use the Refresh button in the toolbar.

The bottom right counter tells you the seconds before the status is refreshed automatically.

Distribution 2: Orca MSI Package


The actual software distribution process of distributing an msi package is split into the following individual steps:
1 Create MSI Package and Make It Available.
2 Assign and Distribute Package.
3 Monitor Distribution Progress and Results.

Prerequisites
In addition to the general prerequisites mentioned at the beginning of the chapter we also assume that:
• the msi file to install orca is stored on the master
• orca is not yet installed on the master
Step 1: Create MSI Package and Make It Available
The first step for the msi distribution is to create the package on the Packager and then make the package available
for the actual distribution:
1 Select the Wizards->Package Creation Wizard menu item.
2 The Package Creation Wizard appears on the screen and guides you through the individual steps required to
create a new MSI package.
Step 1a: Package Factory
In the first window, Package Factory, you need to select the Package Factory on which the new package is to be
created as well as the type of the package to be created.
1 We only have one packager defined therefore leave it selected.

If you want to define another device as the Packager please see Option (i).

2 In the panel Package Type you must define which type of package is to be created via the wizard. Select the
MSI Package option.
3 Click Next to continue.

Step 1b: MSI Package


In the next wizard window, MSI Package, the new package must be created. Created in this case means selecting
the downloaded msi file and specifying it as the msi package to handle. Proceed as follows:

1 Click the Select button to the right of the Name field.


2 The MSI Packages window will appear on the screen.
3 This dialog box provides you with a list of all available drives from which you
may select the MSI package.
4 To find the orca package browse down into the directory tree and select it.

If your antivirus software interferes heavily with .zip files, choose the .pkg Archive
Type.
If you want to create the new package in a specific folder instead of under
the MSI packager top node see Option (k) now.

5 Click the OK button to confirm.


6 The msi package will be automatically created with its name being Orca, as
taken from the msi file.

If you know that the msi package requires additional files for installation, check
the Additional Files box in the Options panel and see Option (j) when the
respective window appears.

7 Then click Next to continue.

Step 1c: Installation Options


The Installation options provide information on the execution of the installation of the package on the target(s).
Make the following changes:
1 In the User interface field select the option None instead of the preselected value. This will ensure that the
installation is executed in the background without disturbing the user.

2 Click Next to continue.

If you have checked the Additional Files box in the Options panel to add required files to the msi, the window
appears now on the screen. See Option (j) now for instructions.

Step 1d: Publication


Publishing a package signifies making it available for distribution within the network after creation or
modification. We will publish the package to the master, which is also the default. Click the Finish button to confirm
all settings and finish this wizard.

Step 1e: Package Distribution


Once the package is created a popup window appears in which you may continue
directly with the distribution of the newly created package via the respective wizard.
Click Yes to continue directly with the distribution of the new package.

Step 2: Assign and Distribute Package


The distributable package is now available on the master ready to be assigned and distributed to the target
devices. Since we have chosen to continue directly with the distribution, the Package Distribution Wizard
appears on the screen.

If you want to distribute the software via multicast (limit the network bandwidth used during distribution), refer to
Option (c) now.

Step 2a: Package


In the first window of the wizard you define which package to distribute as well as some distribution options. In
our case the package is already preselected, the one we just created.
1 In the Target Type drop-down box select the option Devices, as we want to distribute the software only to one
device, the master.
2 Click Next to continue.

If you want to schedule the distribution at a specific later time, uncheck the Default Schedule option, and then see
Option (a) when the Schedule wizard window appears.

If you want to advertise the distribution to users via the Application Kiosk click No here and refer to Option (h) now.

If you want to schedule the distribution with Wake-On-LAN enabled, uncheck the Default Schedule option and then see
Option (b) when the Schedule wizard window appears.

Step 2b: Assigned Devices


In this next window you need to define the targets of the package distribution. As we have selected Devices in the
preceding window, we can only add individual devices here.
1 Select the Assign Device icon.
2 The Select a Device popup window will appear on the screen.
3 Mark the device to which you want to distribute orca, e.g. the master, then click OK.
4 The device is added to the list in the wizard window.
5 Now click the Finish button to confirm the distribution.

If you want to schedule the distribution at a specific later time see Option (a) now.

If you want to schedule the distribution with Wake-On-LAN enabled see Option (b) now.

Step 2c: Distribution Activation


The last option provided by the wizard is to immediately activate the package and/or
go to the package. Check the Go to Package box to change the focus of the console
window to the package distribution view. Click Yes to confirm the activation.

If you want to distribute the software via multicast (limit the network bandwidth used during distribution) click No
here and refer to Option (c) now.
If you want to advertise the distribution to users via the Application Kiosk click No here and refer to Option (i)
now.
If you want to put more conditions in your distribution, for instance to be sure to distribute only to machines with
at least 256 Mb of RAM, click No here and see Option (d) now.
If you want to put more post-processing in your distribution, for instance leave to the user the possibility to reboot
immediately or later, click No here and refer to Option (g) now.

Step 3: Monitor Distribution Progress and Results


In the right window pane of the Devices node you can follow the execution of the distribution through the
status values it passes. You should see the following successive status values:
• Assignment Sent
• Assigned
• Ready to run
• Executed

At any moment you can use the Refresh button in the toolbar.

The bottom right counter tells you the seconds before the status is refreshed automatically.

8.2 Software Distribution Reporting


Up to now the event data regarding software distributions are only available locally on the agent. However, to be
able to generate reports on this topic and to view them in the console together with other data these events must
be specifically uploaded to the master and its database. Once data is available on software distributions on your
network, you may generate different reports to summarise the general situation or detail specific distributions.
This section will guide you through some of these possibilities. General information on reports can be
found in the Reporting chapter earlier in this manual.
Step 1: Upload Software Distribution Events to Master Database
The event data of all types of software distributions may be uploaded to the master database via an operational
rule:

By default these events are configured to be uploaded every 24 hours, i.e. at midnight. If the agent is not running
at this time the events will be uploaded at agent startup.

1 Go to the Operational Rules top node in the left window pane.


2 Click on the Create Operational Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Software Distribution Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the operational rule.
7 To configure all the steps it is to contain go to the next tab, the Steps tab.
8 Click the Add Step icon in the icon bar to add the first step.
9 The Select a Step popup window will appear on the screen.
10 It displays the list of available steps in its Available Steps box.

11 Double-click the Event Log Manager folder.


12 Select the step Upload Events and click the Add button.
13 The Properties dialog box appears on the screen.
14 From the Model Name dropdown list select the Software Installations value and leave all other fields as
they are.
15 Then click OK to confirm the parameters and OK again to confirm the new step.
16 The operational rule is now configured and must be assigned to the target, i.e. all devices, since we executed
software installations on the master as well as the clients.
17 Go to the Assigned Objects->Device Groups node in the left window pane under your newly created
operational rule.
18 Select the Assign Device Group icon in the icon bar.
19 A confirmation window appears on the screen. In this window you may define if the device group assignment
will be activated according to the default schedule defined in the User Preferences. Click Yes, to activate the
operational rule automatically.

20 The Select a Device Group popup window will appear on the screen.
21 Select the All Devices group from the list.

22 The group will be added to the table in the right pane with a status of Activated.
23 Go to the subnode All Devices and follow the execution of the operational rule for the individual group
members.

24 Once their status is Executed all data are uploaded.


25 To verify this go to the Events->Event Logs node of the All Devices group.
26 This node displays the list of all events registered by the event log models for the selected device group.
27 The software installation events are the default selection therefore click the Find button directly.
28 The table below will now display all software installation events that were uploaded and continue to be
uploaded.

29 Now all data are uploaded and ready and the report may be generated.

Step 2: Generate Reports


The Numara Asset Management Platform provides a number of predefined reports for the software distribution
with its out-of-the-box objects. They are all collected in the Distribution Statistics folder. Proceed as follows to
generate a report:
1 Open the Reports->Distribution Statistics folder in the left window pane.
2 Select a report, for example Monthly Software Distribution Statistics.
3 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
4 A confirmation window appears on the screen, click the OK button to confirm.
5 The report will be created immediately using the current data of the database.
6 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
7 A login window appears on the screen. Enter admin and no password.
8 A new browser window or tab opens and displays the report.
Report 1: Monthly Software Distribution Statistics
This report is composed of two vertical subreports, displaying a chart each, one for the Software Distribution
Count by Month and the second the Distributed Volume by Month.

Report 2: Software Distribution Results by Group


This report is also composed of two subreports, horizontally divided, the upper subreport displaying a pie chart
for the Overview over Software Distribution Results, i.e. it shows all different final status values for the
executed distributions. The second subreport displays in tabular format all device groups with their respective
distribution status.

Report 3: Software Distribution Results by Month


This report is also composed of two subreports, horizontally divided, the upper subreport displaying a pie chart
for the Overview over Software Distribution, i.e. it shows all different final status values for the executed
distributions. The second subreport displays in tabular format the different months with the number of times a
distribution finished with a specific status value.

Report 4: Software Distribution Results by Package


This report shows two charts next to each other, the pie chart showing the package repartition in percentage and
the bar chart the Distributed Volume by Package.

Report 5: Software Distribution Results by Type


This report shows two charts next to each other, the pie chart showing the package type repartition in percentage
and the bar chart the Distributed Volume by Package Type.

8.3 Software Distribution Options


The following paragraphs will provide you with a number of options that may be used to modify the software
distributions.

Almost all of these options use the Firefox custom package for their example as well as the hyperlink target; however, you
may use all these examples for the msi package as well, simply by replacing any reference to Firefox v3.0.7.cst with
orca.msi.

(a) Schedule a Software Distribution for a Given Time and Date


Software distributions can be quite heavy on the network and therefore it might be better to schedule it for a time
when general network load is low, such as the lunch break or at night.
Make the following changes in the Schedule window if you have unchecked the Default Schedule option in the
first window of the wizard:
1 The Schedule window appears on the screen displaying its first tab Assignment.
2 In the Assignment Date box check the Deferred to radio button and then select the desired date and time in
the list boxes to the right.

3 Now click the Finish button to confirm the distribution.


(b) Distribution with Wake-On-LAN enabled
Numara Deployment Manager allows you to use the Wake-On-LAN functionalities to make sure the software is
distributed to all assigned devices no matter their current state.
Make the following changes in the Schedule window if you have unchecked the Default Schedule option in the
first window of the wizard:
1 The Schedule window appears on the screen displaying its first tab Assignment.
2 Check the box Wake-up Devices, to enable the WOL option.

3 Now click the Finish button to confirm the distribution.



(c) Multicast Distribution (Distribute Using a Predefined Bandwidth)


Multicast delivery enables parallel software distribution to an unlimited number of client systems while
simultaneously reducing server and network resource requirements and bandwidth consumption for high-volume,
high-population software distribution. It enables software to be distributed to thousands of desktops in the
same time it takes to deliver software to a single desktop, while making optimal use of server and network
resources. The multicast principle is to send a file to a virtual multicast address advertised to all target clients,
each of which then receives the file. Contrary to unicast, the server sends the file only once. For more detailed
information on the multicast principle refer to chapter Multicast Software Delivery on page 197 in the Reference
manual.

Be aware that you need the special Multicast license if you want to execute software distributions via multicast. For trial
purposes this license is included in the temporary license.

A software distribution via multicast consists of the following steps:


1 Modify the multicast parameters on the relay if you have a specific configuration for which the default values
may not be used. The default values are specified for a speed of 128 KB/s which should work for all types of
networks. You will find a detailed explanation to all parameters in the Console manual under paragraph
General on page 291 of the File Store chapter.
2 Create a multicast transfer window and assign it to the multicast relay. Be aware that if a transfer window of
type multicast is assigned to a relay, this relay can only execute multicast software distributions, no unicast
distributions.
3 Assign the package to distribute via multicast to the targets.
To now distribute our Firefox software package to all clients without Firefox in the network, proceed as follows. We
will assume that the default parameters may be used with our network and thus require no specific configuration.
1 Go to the Transfer Windows node under the Global Settings top node.
2 Select the Edit->Create Transfer Window menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter the desired name, for instance Standard Multicast, select Multicast as the transfer channel and
KB/second from the Slot Type list.

5 Click the OK button to confirm these settings and to close the window.
6 Select the newly created window, e.g. Standard Multicast, in the left pane and select its Planning tab.
7 The right window pane displays an hour/day of the week grid. Mark the periods for which the bandwidth
restrictions are to apply by selecting the first slot, e.g., Monday 08:00 and move your mouse cursor to the last
slot, e.g. Friday 18:00, to restrict the bandwidth for all working days from 8am to 6pm.
8 Select the Edit->Define Time-slots menu item or click the respective icon ( ) in the icon bar.
9 The Define Transfer Window Time-Slots window appears on the screen.
10 Enter 128 (or any other desired value) and click OK to confirm.

11 Select the Assigned Objects->Devices node of the Standard Multicast.


12 Either choose the Edit->Assign Device menu item or click the respective icon ( ) in the icon bar.
13 A confirmation window appears on the screen, click OK.
14 The Select a Device Group popup window will appear on the screen.
15 Select the All button ( ) in the left window bar.
16 Select the device to which you want to apply bandwidth control, i.e. the relay, and click OK to confirm.
From now on, and in the time slot defined, no communication between the selected device and its parent (the
master or a relay) will ever exceed 128 KB/second, in both the ascending (inventories) and descending
(distributions) directions. You can now distribute the Firefox package without any risk of limiting the network
access to the end-user.
Now the required transfer window is defined and the distribution of Firefox may be continued:
1 Open the Packages->Firefox v3.0.7.cst->Assigned Objects->Device Groups node.
2 Select the All Client Devices without Firefox entry in the right window pane.
3 Select the Edit->Properties menu item or the respective icon ( ) in the icon bar.
4 The Scheduler window appears on the screen displaying its first tab Assignment.
5 Select the Validity tab.
6 In the Execution Date box either check Immediately to directly launch the installation or the Deferred to
radio button and then select the desired date and time in the list boxes to the right to start the installation at a
later time.
7 Go to the Assignment tab.
8 In the Assignment Date box select the option Immediately to directly activate the distribution.

9 Click the OK button to confirm the schedule.


10 The software distribution process via multicast to the clients is now started.
11 To verify that the distribution was correctly executed via multicast go to the All Client Devices without
Firefox subnode.
12 In the table to the right all member devices of the group are listed with their status values and other data.
13 Check the column Transport Mode.
14 As long as the software distribution has not executed it will display the value Unknown.
15 Once the distribution has started it will display Multicast, if the multicast distribution worked properly. If this is
not the case the software distribution will be executed in the regular way and this field will display Unicast.

(d) Distribute Only to Device with at Least 256 MB RAM


When a package is assigned for distribution, an operational (distribution) rule of the same name as the package
will automatically be created containing the necessary actions (steps) to execute the package installation on the
target device. This operational rule is editable, i.e. conditions may be added to it before the package installation,
such as making sure the package will only be installed on a device with XP SP2 as its operating system and at
least 256 MB RAM. Proceed as follows:
1 Select the Operational Rules top node in the left window pane.
2 The right window pane will display the list of existing operational rules and folders. Select the Firefox
v3.0.7.cst operational (distribution) rule.
3 Go to tab Steps in the right window pane.

4 Either choose the Edit->Add Step menu item or click the respective icon ( ) in the icon bar.
5 The Select a Step popup window will appear on the screen.
6 In the window list expand item Monitoring and select step Check Installed RAM.
7 Click the Add ( ) button.

8 In the appearing Properties window choose the option Stop on failed step for field Stop Condition and enter
256 in the RAM (MB) field.

9 Click OK to add the step to the list.


10 Click OK to confirm the step list.
11 In the table to the right select the line Check Installed RAM and then click the Edit->Move Up menu item or
click the respective icon ( ) in the icon bar once.
Now the required new step is added and at the right position: If a target device does not have at least 256 MB of
RAM, the distribution will not be executed. To continue the distribution of Firefox now do the following:
1 Open the Packages->Firefox v3.0.7.cst->Assigned Objects->Device Groups node.
2 Select the device group to which the package is assigned, All Client Devices without Firefox.
3 Select the Edit->Properties menu item or the respective icon ( ) in the icon bar.
4 The Scheduler window appears on the screen displaying its first tab Assignment.
5 Select the Validity tab.
6 In the Execution Date box either check Immediately to directly launch the installation or the Deferred to
radio button and then select the desired date and time in the list boxes to the right to start the installation at a
later time.
7 Go to the Assignment tab.
8 In the Assignment Date box select the option Immediately to directly activate the distribution.

9 Click the OK button to confirm the schedule.


10 However, as you can see under the Status column the rule Firefox v3.0.7.cst was not activated in the last step
of the distribution wizard, it must be done now. Select the rule in the table.
11 Select the Edit->Activate Operational Rule menu item or click the respective icon ( ) in the icon bar.
12 The rule will be activated immediately with the default schedule.
(e) Kill Firefox Before Starting the Distribution
If you are using this software distribution to upgrade existing Firefox versions it might be good to make sure that
any existing version of the Firefox browser is stopped on the target devices before starting the installation. To do
so proceed as follows:
1 Select the Operational Rules top node in the left window pane.
2 The right window pane will display the list of existing operational rules and folders. Select the Firefox
v3.0.7.cst operational (distribution) rule.
3 Go to tab Steps in the right window pane.
4 Either choose the Edit->Add Step menu item or click the respective icon ( ) in the icon bar.
5 The Select a Step popup window will appear on the screen.
6 In the window list expand item Process Management and select step End Processes.

7 Click the Add ( ) button.



8 In the appearing Properties window choose the option Stop on failed step for field Stop Condition and enter
firefox.exe in the Process Names field.

9 Click OK to add the step to the list.


10 Click OK to confirm the step list.
11 In the table to the right select the line End Processes and then click the Edit->Move Up menu item or click the
respective icon ( ) in the icon bar once.
Now the required new step is added and at the right position: If any version of Firefox is currently being executed
on a target device, it will be stopped before the installation process is started. Now, to continue the distribution do
the following:
1 Open the Packages->Firefox v3.0.7.cst->Assigned Objects->Device Groups node.
2 Select the device group to which the package is assigned, All Client Devices without Firefox.
3 Select the Edit->Properties menu item or the respective icon ( ) in the icon bar.
4 The Scheduler window appears on the screen displaying its first tab Assignment.
5 Select the Validity tab.
6 In the Execution Date box either check Immediately to directly launch the installation or the Deferred to
radio button and then select the desired date and time in the list boxes to the right to start the installation at a
later time.
7 Go to the Assignment tab.
8 In the Assignment Date box select the option Immediately to directly activate the distribution.

9 Click the OK button to confirm the schedule.


10 However, as you can see under the Status column the rule Firefox v3.0.7.cst was not activated in the last step
of the distribution wizard, it must be done now. Select the rule in the table.
11 Select the Edit->Activate Operational Rule menu item or click the respective icon ( ) in the icon bar.
12 The rule will be activated immediately with the default schedule.
(f) Reboot the Device at the End of the Distribution
Rebooting the device after the installation may be done in one of the following ways:

1 Add a new step ’restart’ to the distribution rule; for this execute the same operations as explained above under
Option (d): Distribute Only to Device with at Least 256 MB RAM or Option (e): Kill Firefox Before Starting the
Distribution.
2 Add a reboot step to the software distribution rule itself. The Reboot rule was already created under the
exercises in the operational rules chapter, thus we only need to add it here.
a Select the Reboot operational rule in the left window pane under the main Operational Rules node.
b Go to its Dependencies tab.
c Either choose the Edit->Add Dependency menu item or click the respective icon ( ) in the icon bar.
d The Select an Operational Rule dialog box opens on the screen.
e Open the Software Distribution folder and select the Firefox v3.0.7.cst operational rule.
f Click OK to confirm the dependency.
g Open Device Groups->All Client Devices without Firefox node.
h There open the Assigned Objects->Operational Rules node.
i The rule Firefox v3.0.7.cst is already assigned.
j Select the Edit->Assign Operational Rule menu item or click the respective icon ( ) in the icon bar.
k In the appearing confirmation window click Yes.
l The Assign an Operational Rule popup window will appear on the screen.
m Select the All button ( ) in the left window bar.
n Select the rule called Reboot and click OK.
o Click OK to confirm and close the window.
p However, as you can see under the Status column the rule Firefox v3.0.7.cst was not activated in the last
step of the distribution wizard, it must be done now. Select the rule in the table.
q Select the Edit->Activate Operational Rule menu item or click the respective icon ( ) in the icon bar.
r The rule will be activated immediately with the default schedule.
The distribution will now be performed, and at the end the device will be rebooted. If you would like to give the
user the choice if and when he wants to reboot, follow the instructions of the next option.
(g) Define the Device Reboot after Distribution as User Choice
There are two possibilities to do so:
1 We are going to:
a Create an operational rule for the Firefox distribution. Depending on where in the distribution process you
interrupt, this rule may already be created.
b Create a second operational rule to control the reboot process.
c Create a dependency between these 2 rules.
d Assign and activate the 2 rules.
2 There is also a faster method to do this:
a Create an operational Rule for the Firefox distribution. Depending on where in the distribution process you
interrupt, this rule may already be created.
b Add the steps to control reboot to this rule.
c Assign and activate this rule.
The drawback of this method is that if the user chooses not to reboot, the whole distribution result will be
reported as Failed, while in the first case, the distribution rule will be Executed (Ok) and the Reboot rule
will be Failed (normal as the user decided not to reboot).
Our example will use the first method with the Firefox distribution rule already created and assigned but not
activated. Thus we only need to create the second reboot rule.
1 Select the Operational Rules top node in the left window pane.
2 Select the Edit->Create Operational Rule menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Firefox Reboot with User Confirmation into the Name field and click OK to confirm.
5 Select the newly created rule Firefox Reboot with User Confirmation and go to the Steps tab.
6 Either choose the Edit->Add Step menu item or click the respective icon ( ) in the icon bar.

7 The Select a Step popup window will appear on the screen.


8 Expand the item User Message Box and select step User Acknowledgement via Message Box.
9 Click the Add ( ) button to confirm.
10 The Properties dialog box appears on the screen. Enter the following data in the respective fields:
Stop Condition: choose the option Stop on failed step
Message Title: Firefox Distribution
Message Text: Do you want to reboot now or later?
Validation Button Label: Now
Cancel Button Label: Later
Number of Retries: 20
Retry Interval: 5

11 Click OK to confirm and add the step to the list.


12 Expand the item Windows and select step Reboot.
13 Click the Add ( ) button to confirm.
14 The Properties dialog box appears on the screen.
15 Click the OK button to confirm and add this step.
16 Click the OK button to add the list of steps to the operational rule now.
17 Now go to the Dependencies tab.
18 Either choose the Edit->Add Dependency menu item or click the respective icon ( ) in the icon bar.
19 The Select an Operational Rule dialog box opens on the screen.
20 Open the Software Distribution folder and select the Firefox v3.0.7 operational rule.
21 Click OK to confirm the dependency.
22 Open Device Groups->All Client Devices without Firefox node.
23 There open the Assigned Objects->Operational Rules node.
24 The rule Firefox v3.0.7 is already assigned.
25 Select the Edit->Assign Operational Rule menu item or click the respective icon ( ) in the icon bar.
26 In the appearing confirmation window click Yes.
27 The Assign an Operational Rule popup window will appear on the screen.
28 Select the All button ( ) in the left window bar.
29 Select the rule Firefox Reboot with User Confirmation.cst and click OK.
30 Click OK to confirm and close the window.
31 However, as you can see under the Status column the rule Firefox v3.0.7.cst was not activated in the last step
of the distribution wizard, it must be done now. Select the rule in the table.
32 Select the Edit->Activate Operational Rule menu item or click the respective icon ( ) in the icon bar.
33 The rule will be activated immediately with the default schedule.
The distribution will now be performed, and at the end the user will have the choice whether to reboot or not. If the user
chooses not to, the popup window will come back 20 times at a 5-minute interval before the reboot is abandoned
and the rule is viewed as having failed in its execution.

(h) Advertise the Package to Users (Application Kiosk)


Advertising a package to users means that the package is assigned to specific devices. The user of the device is
thus informed that the package is available and it is then their choice if and when to install the application.
1 In the window of the wizard make the following changes:
2 In the drop-down Assignment Type select the option Advertise.
3 Then continue with the wizard in the main procedure.

Application Kiosk
To actually perform the distribution on a target proceed as follows:
1 Go to the target device (physically go there, you cannot do it from your desk via the console or the Agent
Interface if the target device is not the device you are currently working from).
2 Right-click the blue NAMP agent icon ( ) at the bottom-right of the Windows device. If the package has
already arrived on the target, the icon should be displayed with the package ( ).
3 Left-click on the Agent Interface menu item.
4 A browser window opens displaying the HCHL interface of the local agent.
5 Select the Application Kiosk tab.
6 Identify yourself with a local login in the appearing popup window.
7 You will now see a web page proposing the Firefox v3.0.7 package for installation.

8 To install the package mark the check box Select at the right end of the Firefox v3.0.7 package.

9 Click the Download & Execute button.


10 The package will now be installed.
11 You can follow the different stages of the installation in the console window. The Agent Interface only
shows the result in its Status column, once the installation is finished (Executed) or has failed
(Execution Failed).
(i) Define a Different Package Factory
Any device may be a Packager or Package Factory; it only has to be declared as such. This may either be done in the
properties of the device or in the Package Factory node. To add a device to the Package Factory as a Packager from
the Package Factory node proceed as follows:
1 Select the Add Device icon ( ) above the list field.
2 The Add a new Package Factory popup window will appear on the screen.
3 Select the All button ( ) in the left window bar.
4 Select the device to be added as a Package Factory from the list displaying all existing devices.
5 Click OK to confirm and close the window.
6 The device will be added to the table of Packagers and its configuration parameter will be updated accordingly.
7 When you select the device you will see all types of packagers which you can create on this device. The types
of packages depend on the operating system of the device, i.e. it is not possible to create rpm packages on a
Windows device.
(j) Add Additional Files
Sometimes it is necessary to add some more files to the MSI distribution packages. This may be done via the
Additional Files window of the wizard. To add more files proceed as follows:
1 Select the Add File icon ( ) on top of the table.
2 A dialog box with the name of the package appears on the screen providing the list of all available drives.
3 Find the storage location either on your hard drives or on the CD/DVD drive and select the additional files
required for installation, such as the sku026.cab and sku0a4.cab files, which are located on the same level as
the .msi file and are required for the installation.
4 Click the OK button at the bottom of the window to confirm the additions or Cancel to abort and close the
window.

5 Then click the Next button to continue with the Publication wizard window on page 191.
(k) Creating a Package in a Specific Folder
When creating a new package it may be directly created in a folder instead of under the package type's top node,
which is the default location. To do so proceed as follows:
1 To add it to another folder click the icon to the right of the Folder field (...).
2 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder
does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon ( ) below
the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window
to confirm the new package folder.
3 Select the target folder and click the OK button to confirm and to close the window and return to the original
window.
9 Resource Monitoring Step-by-Step
Resource Monitoring allows the administrator to monitor a number of system resources and their usage and
access on the managed remote devices. Resource monitoring can be very time and resource intensive on the
devices as well as on the network traffic. It is therefore recommended to limit the monitoring to a few clients
and to monitor only sensitive areas.

Be aware that the resource monitoring module is only applicable to Windows operating systems NT4 and later.

Prerequisites
To execute the examples provided in this chapter we assume that:
• at least one of the test devices is connected either locally or remotely to a printer.
• at least one of the test devices has Internet access and MS Internet Explorer installed.
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the
NAMP console and its workings.

9.1 Resource Monitoring Examples


This chapter will provide you with an example for each of the resources that may be monitored via the NAMP
agent:
• Printer
• File System
• Web History

9.1.1 Printer
Printer monitoring provides the administrator with information regarding the usage of the printer by all clients
and is effected via querying of the printer queues. Some documents, such as very small ones that may remain only
a very short time in the printer queue, may not appear in the list, especially if the defined query values are high.
Remote print monitoring should only be done by very few clients in the network, as this will generate heavy
traffic and may cause the printer to slow down considerably, as it is occupied most of its time answering remote
print monitoring queries instead of printing.
1 Configure Printer Monitoring
2 Locally Monitoring the Printer Activity
3 Printer Monitoring Results
4 Generate a Print Monitor Report
Step 1: Configure Printer Monitoring
The first step before the printing activities of a device may be monitored is to activate and configure the module
which, by default, is deactivated. Proceed as follows to do so:
212 - Numara Asset Management Platform - Monitoring

1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->Printer node.
2 The General tab displays the list of the configuration parameters of this module.
3 Highlight an entry in the table to the right.
4 Then either select the Edit->Properties menu item or the respective icon ( ) in the icon bar.
5 The Properties window appears on the screen.

6 Make the following modifications to the available parameters:


• Check the Enable printer monitoring parameter.
• If your master does not have a local printer connected, check the Enable remote printer monitoring box.
In this case you may also uncheck the Enable local printer monitoring box above.
• Modify the Printer discovery delay to 10 seconds. For a production environment you should not set
this value below 60 seconds, as this will generate a lot more network traffic. We will use a smaller value
here to see immediate results.
7 Then click OK to confirm and close the window.
8 Printer monitoring is now activated on the master.

Step 2: Locally Monitoring the Printer Activity


To be able to monitor this activity you need to print some documents on one or more printers, either local or
remote depending on your configuration above. Then proceed as follows to see the activity locally on the device:
1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->Printer node.
2 Then select the Events tab.
3 It displays the list of the documents printed by the device. Refresh ( ) the page if it is still empty.

4 The following information is displayed:


Event Date
The date and time at which the document arrived at the printer.
Printer Name
The network name of the printer.
User Name
The name of the user logged on to the client from which the print job was sent.
Document Name
The name of the document to be printed. This document may be listed with its full or short network path
which may also be truncated. Which option is used depends entirely on the application from which the
document was printed.
Page Count
The number of pages of the document which were to be printed. If the number is listed as Unknown or 0, this is
due to the way the application sends its data to the printer.

Step 3: Printer Monitoring Results


Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic
and to view them in the console together with other data these events must be specifically uploaded to the master
and its database. This is done via an operational rule:

By default these events are configured to be uploaded every 24 hours, i.e. at midnight. If the agent is not running
at this time the events will be uploaded at agent startup.

1 Go to the Operational Rules top node in the left window pane.


2 Click on the Create Operational Rule icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Resource Management Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the operational rule.
7 To configure all the steps it is to contain go to the next tab, the Steps tab.
8 Click the Add Step icon ( ) in the icon bar to add the first step.
9 The Select a Step popup window will appear on the screen.
10 It displays the list of available steps in its Available Steps box.

11 Double-click the Event Log Manager folder.


12 Select the step Upload Events and click the Add ( ) button.
13 The Properties dialog box appears on the screen.
14 From the Model Name dropdown list select the Printer Monitor value and leave all other fields as they are.
15 Then click OK to confirm the parameters and OK again to confirm the new step.
16 The operational rule is now configured and must be assigned to the target, i.e. the master.
17 Go to the Assigned Objects->Devices node in the left window pane under your newly created operational rule.
18 Select the Assign Device icon ( ) in the icon bar.
19 A confirmation window appears on the screen. In this window you may define if the device assignment will be
activated according to the default schedule defined in the User Preferences. Click Yes, to activate the
operational rule automatically.

If you want to schedule the rule to execute at regular intervals, click No, and then see Option (a).

20 The Select a Device popup window will appear on the screen.


21 Go to the All tab and select the master from the list.

22 The master will be added to the table in the right pane with a status of Assignment Waiting.
23 Follow the execution of the operational rule.

24 Once its status is Executed all data are uploaded.


25 To verify this go to the Events->Event Logs node of the master.
26 This node displays the list of all events registered by the event log models for the selected device or device
group.
27 To display the printer events instead of the default software distribution events select Printer Monitor from
the Model Name dropdown list.
28 Then click the Find button.
29 The table below will now display all events that were uploaded and continue to be uploaded. If you are
monitoring a network printer, you may find some more print jobs in this list than those you printed before.

30 Now all data are uploaded and ready and the report may be generated.

Step 4: Generate a Print Monitor Report


The easiest and clearest way to monitor the printer activity is via reporting. The out-of-the-box objects include a
report on printer monitoring which we will generate.
1 Go to the Reports node.
2 Select the Resource Monitoring folder and from its members the report called Printer Usage.
3 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.

4 A confirmation window appears on the screen.


5 Click Yes to immediately generate the report.
6 Then select the Edit->View Last Result menu option or the respective icon ( ) in the icon bar.
7 A browser window opens on the screen requesting identification to the agent.
8 Enter admin as the login with no password.
9 The newly generated report is displayed in the window.

10 Don't forget to return the Printer discovery delay value to 60 seconds after the exercise or switch the printer
monitor off again if you are not starting to monitor right away.

9.1.2 File System


File System monitoring provides the administrator with information regarding the usage of directories and files
on the local client. It is used to monitor the access of specific files, for example files which contain company
sensitive data, and when and by whom these files are modified. It is recommended to only monitor directories
which contain really sensitive data. Monitoring files that are modified very often, such as log files, may slow down
the client considerably and will cause very heavy traffic on the network connections, and thus even loss of data
may occur.
1 Configure File System Monitoring
2 Locally Monitor the File System Activity
3 File System Monitoring Results
4 Generate a File System Monitor Report
Step 1: Configure File System Monitoring
The first step before the file system activities on a device may be monitored is to activate and configure the
module which, by default, is deactivated. Proceed as follows to do so:
1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->File System node.
2 The General tab displays the list of the configuration parameters of this module.
3 Highlight an entry in the table to the right.
4 Then either select the Edit->Properties menu item or the respective icon ( ) in the icon bar.
5 The Properties window appears on the screen.

6 Make the following modifications to the available parameters:



• Check the Enable file system monitoring parameter.


• The Directories to monitor parameter specifies the comma separated list of monitored directories. We will
only monitor one directory in which we will make the modifications, therefore enter c:\temp into this
field.

Specified directories that do not exist on a device will be signalled in the log file. Note that it is not possible
to monitor root directories such as c:\ or directories on mounted network drives. Also it is not
recommended to select directories where many file changes take place, such as c:\Program Files. The
paths are not case sensitive.

• Check the Include sub-directories box to also monitor the subdirectories of the above listed directories.
• Check the Enable USB Drive Monitoring (Windows 2000 and later) box to also monitor the USB ports of
the master.
7 Then click OK to confirm and close the window.
8 File system monitoring is now activated on the master.
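
The restrictions on the Directories to monitor value described above can be checked before the value is entered in the console. The following Python script is an added example, not part of the Numara product or of this manual; the function names, the sample value and the list of mapped network drive letters are assumptions made for illustration.

```python
import ntpath

# Directory the manual names as a poor choice because of frequent file changes.
HIGH_CHURN_DIRS = (r"c:\program files",)

# Constructed sample value for the "Directories to monitor" field.
SAMPLE_VALUE = (r"c:\temp, C:\TEMP\, c:\, Z:\shared\hr, \\fileserver\finance\q3, "
                r"c:\temp\reports, C:\Program Files\App, d:\payroll")


def is_under(path, parent):
    """True if path equals parent or lies below it (both already normalized)."""
    return path == parent or path.startswith(parent + "\\")


def check_directories(value, include_subdirs=True, network_drives=()):
    """Classify each entry of a comma separated directory list.

    network_drives: drive letters known to be mapped network drives (assumption:
    the caller supplies them, e.g. ("Z:",)); UNC paths are always treated as network.
    Returns a list of (normalized_path, verdict, reason) tuples, where verdict is
    one of "ok", "warn", "skip" or "reject".
    """
    mapped = {d.lower().rstrip(":\\") for d in network_drives}
    seen, results = set(), []
    for raw in value.split(","):
        if not raw.strip():
            continue
        # Paths are not case sensitive, so compare them in lower case.
        path = ntpath.normpath(raw.strip()).lower()
        drive, tail = ntpath.splitdrive(path)
        if path in seen:
            verdict, reason = "skip", "duplicate entry"
        elif drive.startswith("\\\\") or drive.rstrip(":") in mapped:
            verdict, reason = "reject", "directory on a network drive"
        elif tail in ("", "\\"):
            verdict, reason = "reject", "root directory"
        elif any(is_under(path, h) for h in HIGH_CHURN_DIRS):
            verdict, reason = "warn", "many file changes expected"
        else:
            verdict, reason = "ok", ""
        seen.add(path)
        results.append([path, verdict, reason])

    if include_subdirs:
        # With "Include sub-directories" checked, a child of a listed directory
        # is already monitored through its parent.
        kept = [r[0] for r in results if r[1] in ("ok", "warn")]
        for r in results:
            if r[1] in ("ok", "warn") and any(
                    p != r[0] and is_under(r[0], p) for p in kept):
                r[1], r[2] = "skip", "covered by a monitored parent directory"
    return [tuple(r) for r in results]


def effective_value(results):
    """Comma separated list of the entries that remain to be monitored."""
    return ",".join(p for p, verdict, _ in results if verdict in ("ok", "warn"))


if __name__ == "__main__":
    checked = check_directories(SAMPLE_VALUE, network_drives=("Z:",))
    for path, verdict, reason in checked:
        print(f"{verdict:<7}{path}  {reason}")
    print("Value to enter:", effective_value(checked))
```

Whether a directory actually exists on a device cannot be checked this way; as noted above, missing directories are signalled in the agent's log file.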

Step 2: Locally Monitor the File System Activity


To be able to monitor this activity you need to create, edit or modify some folders/documents in the c:\temp
folder and on the USB ports.
• Create a new folder called test in there, then create a file called test.txt in this folder. Enter some text, save and
close it. Reopen the file, edit and save it again. Then delete first the file, then the directory.
• Connect a USB stick to one of the ports. Copy files from your hard disk to the key and vice versa.
Then proceed as follows to see the activity locally on the device:
1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->File System node.
2 Then select the Events tab.
3 It displays the list of all events logged by the device for the specified folders. Refresh ( ) the page if it is still
empty.
218 - Numara Asset Management Platform - Monitoring

4 The following information is displayed:


Event Date
The date and time at which the file/folder was accessed.
Connected User Name
The login name of the currently connected user which caused the event.
Modify Type
The type of the action that was executed on the file/folder, possible values are Creation, Deletion,
Modification or Renaming.
File Name
The name of the file which was accessed with its whole directory path.
New File Name
The new name if the file action was Renaming, otherwise the field is empty.

Step 3: File System Monitoring Results


Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic
and to view them in the console together with other data these events must be specifically uploaded to the master
and its database. This is done via an operational rule. In this case, however, we will not create a new one but
expand the rule we created for the printer monitoring upload:

By default these events are uploaded every 24 hours, i.e. at midnight.

1 Go to the Operational Rules->Upload Resource Management Events node in the left window pane.
2 Go to the Steps tab which already displays the step uploading the printer events.
3 Click the Add Step icon ( ) in the icon bar to add the first step.
4 The Select a Step popup window will appear on the screen.
5 It displays the list of available steps in its Available Steps box.
6 Double-click the Event Log Manager folder.
7 Select the step Upload Events again and click the Add ( ) button.
8 The Properties dialog box appears on the screen.
9 From the Model Name dropdown list select the File System Monitor value, which should be preselected
and leave all other fields as they are.
10 Then click OK to confirm the parameters and OK again to confirm the step modification.

11 The operational rule now contains the same step twice, each with a different parameter value.
12 As the operational rule was modified it must therefore be reassigned to the target, i.e. the master for its
modifications to become effective.
13 Go to the Assigned Objects->Devices node in the left window pane under the operational rule.
14 Select the Edit->Reassign Operational Rule menu item or the respective icon ( ) in the icon bar.
15 The reassignment process of the operational rule will be launched immediately and it will be executed
directly.
16 Once its status is Executed all data are uploaded.

17 To verify this go to the Events->Event Logs node of the master.


18 This node displays the list of all events registered by the event log models for the selected device or device
group.
19 To display the file system events instead of the default software distribution events select File System
Monitor from the Model Name dropdown list.
20 Then click the Find button.
21 The table below will now display all events that were uploaded and that continue to be uploaded.

22 Now all data are uploaded and ready and the report may be generated.

Step 4: Generate a File System Monitor Report


The easiest and clearest way to monitor the file system activity is via reporting. The out-of-the-box objects include
a report on printer monitoring which we will generate.
1 Go to the Reports node.
2 Select the Resource Monitoring folder and from its members the report called File System Usage.
3 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.

4 A confirmation window appears on the screen.


5 Click Yes to immediately generate the report.
6 Then select the Edit->View Last Result menu option or the respective icon ( ) in the icon bar.
7 A browser window opens on the screen requesting identification to the agent.
8 Enter admin as the login with no password.
9 The newly generated report is displayed in the window.

9.1.3 Web History


The Web History monitoring provides the administrator with information regarding the use of the Internet and
the web pages called by the remote client. Be aware that web monitoring is only applicable to the Microsoft
Internet Explorer version 5.0 and later.
1 Configure Web Usage Monitoring
2 Monitor the Web Activity
3 Web Monitoring Results
4 Generate a Web Monitoring Report
Step 1: Configure Web Usage Monitoring
The first step before the web usage activities of a device may be monitored is to activate and configure the module
which, by default, is deactivated. Proceed as follows to do so:
1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->Web History node.
2 The General tab displays the list of the configuration parameters of this module.
3 Highlight an entry in the table to the right.
4 Then either select the Edit->Properties menu item or the respective icon ( ) in the icon bar.
5 The Properties window appears on the screen.

6 Check the Enable web history monitoring parameter.



7 Then click OK to confirm and close the window.


8 Printer monitoring is now activated on the master.

Step 2: Monitor the Web Activity


To be able to monitor this activity you need to open Internet Explorer now and access some web pages. Then
proceed as follows to see the activity locally on the device:
1 Go to the Device Topology->Master->Agent Configuration->Module Configuration->Resource Monitoring->Web History node.
2 Then select the Events tab.
3 It displays the list of web sites that you just visited. Refresh ( ) the page if it is still empty.

4 The following information is displayed:


Event Date
The date and time at which the web site was accessed.
User Name
The name of the user which accessed the Internet, this may either be the SYSTEM, or the user currently logged
on to the device.
URL
The complete URL of the site that was accessed on the Internet.
URL Visit Count
The number of times the site was accessed.
Date
The date and time at which the site was last accessed.

Step 3: Web Monitoring Results


Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic
and to view them in the console together with other data these events must be specifically uploaded to the master
and its database. Again, we will expand the rule we created for the printer monitoring upload:

By default these events are uploaded every 24 hours, i.e. at midnight.

1 Go to the Operational Rules->Upload Resource Management Events node in the left window pane.
2 Go to the Steps tab which already displays the step uploading the printer events.
3 Click the Add Step icon ( ) in the icon bar to add the first step.
4 The Select a Step popup window will appear on the screen.
5 It displays the list of available steps in its Available Steps box.
6 Double-click the Event Log Manager folder.
7 Select the step Upload Events again and click the Add ( ) button.
8 The Properties dialog box appears on the screen.
9 From the Model Name dropdown list select the Web History Monitor value and leave all other fields as they
are.
10 Then click OK to confirm the parameters and OK again to confirm the step modification.
11 As the operational rule was modified it must therefore be reassigned again to the target, i.e. the master for its
modifications to become effective.
12 Go to the Assigned Objects->Devices node in the left window pane under the operational rule.
13 Select the Edit->Reassign Operational Rule menu item or the respective icon ( ) in the icon bar.
14 The reassignment process of the operational rule will be launched immediately.
15 Once its status is Executed all data are uploaded.
16 To verify this go to the Events->Event Logs node of the master.
17 This node displays the list of all events registered by the event log models for the selected device or device
group.
18 To display the web history events instead of the default software distribution events select Web History
Monitor from the Model Name dropdown list.
19 Then click the Find button.
20 The table below will now display all events that were uploaded and that continue to be uploaded.

21 Now all data are uploaded and ready and the report may be generated.

Step 4: Generate a Web Monitoring Report


The easiest and clearest way to monitor the web activity is via reporting. The out-of-the-box objects include a
report on web monitoring which we will generate.
1 Go to the Reports node.
2 Select the Resource Monitoring folder and from its members the report called Internet Usage.
3 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.

4 A confirmation window appears on the screen.


5 Click Yes to immediately generate the report.
6 Then select the Edit->View Last Result menu option or the respective icon ( ) in the icon bar.
7 A browser window opens on the screen requesting identification to the agent.
8 Enter admin as the login with no password.
9 The newly generated report is displayed in the window.

10 The second graphic displays the list of web pages accessed in the form of a bar chart with labels. Depending on the
length of the individual links the chart may be "moved" to the left, and thus be displayed incompletely. To
rectify this you may modify the settings of this chart:

11 Select the report in the left window pane and then go to its Subreports->Subreport 2 node.
12 There select the tab Format.
13 Select the line Chart Width and then the Edit->Properties menu item or the respective icon ( ) in the icon
bar.
14 The Properties window appears on the screen with the value for Chart Width preselected.
15 Enter a larger value, the default value is 400, try with double the size as is the case for the example image
above.

16 Then regenerate the report and display it again. Keep modifying this value until it is satisfactory.

9.2 Monitoring Options


The following paragraphs will provide you with a number of options that may be used to modify the resource
monitoring functionality.
(a) Assign the Event Upload Rule with a Specific Schedule
By default the events are uploaded by the local agents to the master database once a day at midnight or at agent
startup if the agent was not running at that time. The operational rule we created to have the events available
directly for reporting was only executed once. To have this rule execute every day at 7 am to have the newest data
ready for inspection or for a report generation proceed as follows:
1 At Point 19 (page 214) answer No.
2 After Step 3 point 6 proceed as follows:
3 Select the master in the table in the right window pane.
4 To define the schedule either double-click the table entry or select the Properties icon ( ) in the icon bar.
5 The Properties window will open on the screen.
6 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.
7 In the Execution Date box define when to run the inventory collection. In our example we will select the
Next Startup radio button to launch the inventory when the agent is started next.
8 Then go to the Termination box below, click the Run Forever radio button.
9 Now select the Frequency tab.
10 Leave the By Schedule radio button checked.
11 In the By Schedule select the Day of the Week radio button.
12 The options in the panel below are available now.
13 Uncheck the options for Saturday and Sunday.
14 In the Period drop-down field select the value Once Only.

15 In the field below select the time at which to execute the inventory collection, e.g., 07:00.
16 Click OK to confirm the new schedule and close the window.
17 The status will still display Update Paused, which means you need to activate the modified schedule.
18 Reselect the master in the table and then activate it by selecting the Activate Operational Rule icon ( ) in
the icon bar.
19 The status will change to Update Waiting and then pass through all other status values until it arrives at Updated, to
indicate that the rule was updated on the device and is ready for execution again.
(b) AMP Database Cleaning
By default the data for persistent events is stored for 1 year (365 days) in the master database. You may configure your
database to store the data for a different period of time or even to delete all currently existing entries. To do so
proceed as follows:
1 Open the Global Settings->System Variables node in the console.
2 Select the Event Management tab.
3 This tab defines the default settings for the event logging functions of your system.

4 Select an entry in the table to the right.


5 Then click the Edit->Properties menu item or the respective icon ( ) in the icon bar.
6 The Properties window appears on the screen to define the following parameters:
Maximum Events
This entry defines the maximum number of all events logged into the database. Once this number is reached
and a new event is generated, the new event will replace the ’oldest’ event currently logged in the database.
The default value for this number is 10000.

TTL Persistent Events


Defines the maximum time in days that persistent events stay logged in the database. The default value is 365
days. To clear the database and delete all logged events enter 0.
7 Click OK to confirm and close the window.
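
How the two parameters above interact, as an added sketch that is not part of the product or of the original manual: it applies the Maximum Events cap and the TTL to a constructed event stream and reports how much history survives per event log model. It assumes eviction is strictly oldest-first across all models and that the TTL is measured from the event date; the event rates and the date are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

DEFAULT_MAX_EVENTS = 10000  # default stated in the manual
DEFAULT_TTL_DAYS = 365      # default stated in the manual


def apply_retention(events, now, max_events=DEFAULT_MAX_EVENTS, ttl_days=DEFAULT_TTL_DAYS):
    """Return the events that survive, oldest first.

    events is a list of (timestamp, model_name) tuples.
    A TTL of 0 clears the log, as the manual states.
    """
    if ttl_days == 0:
        return []
    cutoff = now - timedelta(days=ttl_days)
    kept = sorted((e for e in events if e[0] >= cutoff), key=lambda e: e[0])
    # Once the cap is reached, each new event replaces the oldest one,
    # so only the newest max_events entries remain.
    return kept[max(0, len(kept) - max_events):]


def summarize(kept, now):
    """Return ({model: surviving event count}, whole days of history left)."""
    counts = Counter(model for _, model in kept)
    oldest = min((ts for ts, _ in kept), default=now)
    return dict(counts), (now - oldest).days


def constructed_events(now, days, per_day_by_model):
    """Constructed sample: evenly spaced events per model over the last `days` days."""
    events = []
    for model, per_day in per_day_by_model.items():
        step = timedelta(days=1) / per_day
        events.extend((now - i * step, model) for i in range(days * per_day))
    return events


# Constructed load: one busy monitored directory and two quieter models.
NOW = datetime(2010, 6, 1, 7, 0)
RATES = {"File System Monitor": 1800, "Web History Monitor": 180, "Printer Monitor": 20}

if __name__ == "__main__":
    events = constructed_events(NOW, 30, RATES)
    counts, window = summarize(apply_retention(events, NOW), NOW)
    print("surviving events per model:", counts)
    print("days of history with default settings:", window)
```

With these constructed rates the default cap, not the 365-day TTL, decides how far back the log reaches, and the quieter models lose their older events along with the busy one.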
(c) Cleaning the Local Database
The local agent database is cleaned via an operational rule which is to be sent to all devices whose database needs
cleaning. Proceed as follows:
This rule is created and assigned via the Operational Rule Creation and Operational Rule Distribution wizards.
1 Select the Wizards->Operational Rule Creation menu item or the respective icon ( ) in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1: Operational Rule
In this first step the operational rule to be created must be defined via its parameters.
1 Select the Operational Rules top node in the left window pane.
1 Enter Persistent Event Cleaning (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required
for this rule.

3 Click the Next button to continue.

Step 2: Steps
Operational rules are made up of steps which tell the agent on the target devices which actions to execute. In this
window we will select three times the same step. Each of these steps will delete all event entries in the local
database for its specified event log model:
1 Select the Add Step icon ( ) on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Event Log Manager and select the step Delete Events.

4 Click the Add ( ) button to confirm.


5 The Properties dialog box appears on the screen.
6 Leave all preselected options checked and then click OK to add the step to the list and close the window.
7 Select the step Delete Events again.
8 Click the Add ( ) button to confirm.
9 The Properties dialog box appears on the screen.
10 This time select the value Printer Monitor from the Model Name dropdown list.
11 Click OK to add the step to the list.
12 Select the step Delete Events again.
13 Click the Add ( ) button to confirm.
14 The Properties dialog box appears on the screen.
15 This time select the value Web History Monitor from the Model Name dropdown list.
16 Click OK again to confirm the list of steps for the operational rule and close the window.

17 Now the event deletion is specified for all three resource monitoring models.
18 Click the Finish button to confirm the settings of the new operational rule.
19 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.

Step 3: Operational Rule


In the first window of the Operational Rule Distribution Wizard you define which
rule to distribute as well as some distribution options:
1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 From the Target Type dropdown field select the option Devices, as we will distribute this rule only to the
master.
3 Leave all other options as they are.

4 Click Next to continue.

Step 4: Assigned Devices


The operational rule is now created and must be assigned to the devices on which to execute, in our example the
relay.
1 Click the Assigned Objects, then Devices node in the left window pane under your newly created operational
rule. The right window pane is empty since no devices have been assigned yet.
1 To do so select the Assign Device icon ( ) on top of the list field.
2 A confirmation window appears on the screen. Click Yes to automatically launch the rule.
3 The Select a Device popup window will appear on the screen.
4 Go to the All tab and select the relay.
5 Click OK to confirm and close the window.
6 The device will be added to the list in the table in the right pane with a status of Assignment Waiting,
indicating that the order for the device assignment was created and is waiting to execute.
7 Click Next to continue.

Step 5: Schedule
The schedule of operational rules is defined via the Scheduler window which has three tabs with different
scheduling options. We will execute the rule with the default schedule, therefore leave all preselections as they are
and click the Finish button.
1 Once the assignment is done the status will change to Ready to run, to indicate that now the scheduling of
the actual operational rule step is being executed.
2 The synchronisation between the master list and the list on the client is finished when the value in the Status
field has changed to Executed.
The last option provided by the wizard is to go directly to one of the objects,
i.e. the operational rule or the task, if one was created. For our example we
will directly activate the rule and change the focus to it, therefore check the
Go to Operational Rule box and click Yes, to directly activate the rule.
10 Application Management Step-by-Step
Application managing provides administrators with visibility on installed applications and links them to the
business cycle. It allows for the correlation of software inventory data between purchased software to installed
software and used software.
The main objects of Application Management are:
• Application Catalogue
The Application Catalogue is a container for all applications which are to be managed on the devices of your
infrastructure, that is to say they are to be either monitored for performance, restricted in their execution and/
or defined for selfhealing.
• Schedule Templates
A schedule template is a plan that defines the times via hourly time-slots at which the application usage
may be denied or allowed or monitored. As its name indicates this is a template and may be assigned to and
used by more than one application list.
• Application Lists
Application Lists are containers in which applications are collected that are managed in a specific way in your
network, e.g. applications of which the usage is monitored for licensing reasons, applications that may not be
executed on specific or all devices, etc. The following different types of application lists are available:
- monitoring applications, i.e. monitor when, where and for how long applications are executing,
- prohibiting applications, i.e. prohibit them from launching on specific devices and
- protecting applications, i.e. to provide applications with the possibility to heal themselves if they get
corrupted in any way.
This chapter is divided into the following sections:
• Managed Application Examples
• Application Management Reporting
• Application Management Options

Prerequisites
To execute the examples provided in this chapter we assume that:
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the
NAMP console and its workings to execute some of the options in the second part of the chapter.

10.1 Managed Application Examples


This chapter will guide you through a number of examples with different options for each of the
three types of managed applications. These examples will also introduce you to the different ways of creating these
managed applications, i.e. the manual creation as well as the creation via the wizard. However, before
applications may be monitored, prohibited or protected, they should be declared as managed applications by
being added to the Application Catalogue. This procedure is the same for all three types of management.

Step 1: Define an Application for Application Management


Applications may be defined as managed applications in a number of ways from different locations in the
console. For our first step we select the easiest method, i.e. adding the application from the Software Inventory to
the Application Catalogue.

For information on how to add a software from the Direct Access to the Application Catalogue see Option (a).

For information on how to add a software as a user defined application to the Application Catalogue node see
Option (c).
For information on how to add a software directly from a device or device group to the Application Catalogue
node see Option (d).
Only applications which contain all required information to be managed can be added. If an application listed in
the software inventory does not provide all necessary information, this option will not be available.

1 Go to the Device Topology node and find the device which contains all the software applications you want to
declare as defined applications, for example the master server.
2 Select the device’s Inventory->Software Inventory->Applications node.
3 Find in the table in the right window pane the software application to be managed, for example Adobe Reader,
and select it. Make sure not to select an application of type Add/Remove Program or MSI, these types may be
added to the application catalogue but they may not be managed as vital information is missing.

4 Then either select the Edit->Add as Managed Application menu item or the respective icon ( ) in the icon
bar.
5 A confirmation window appears on the screen.
6 In this window you may define the folder into which the application is to be added. By default it will be added
directly under the main Application Catalogue node as we will do now.

To add the application to another folder that may or may not yet exist see Option (f) now.

7 Click the OK button to confirm and to close the window.


Chapter 10 - Application Management Step-by-Step - 231

8 An Information window will now appear in which you may also directly add the selected application to an
existing application list. Click No to only add the application to the Application Catalogue as we have not yet
created an application list.
9 The selected application will directly be added to the list under the Application Management->Application
Catalogue node.
10 Go now to the Application Catalogue node and you will find an entry for Adobe Reader in the list. If this is not
the case yet refresh ( ) the view.

11 Repeat steps 3 and 4 for some more applications for the examples to follow, e.g. add Chilli Interpreter, and the
Pinball game to the list.

10.1.1 Application Lists


Application lists group a number of applications that are to be managed in a specific way on some or all devices in
your network. An application list may only manage its members in one specific way, i.e. its members may either
be monitored, prohibited or protected but not all at the same time.
The following paragraphs will provide one example each for all three different types of application management:
• Monitoring Adobe Reader
• Prohibit Pinball
• Protect Chilli Interpreter

Application 1: Monitoring Adobe Reader


A monitored application enables customers to query the actual usage of applications on the managed devices. In
this node you may define the applications which are to be monitored and on which clients in your network. The
actual monitoring will be done by the local agent according to the definitions set up in the respective Monitored
Application Model. The agent stores the logged data, the date and time the application was started and ended as
well as the duration of the usage, in the local database and uploads these periodically to the master database.
This part of the chapter guides you step-by-step through the procedure of creating the application list manually,
adding the Adobe Reader software as a member to be monitored and how to interpret the results.
Monitoring Adobe Reader consists of the following steps:

1 Define an Application for Application Management (as explained under chapter Step 1: above)
2 Create a Monitored Application List with Adobe Reader as a Member
3 Assign Adobe Reader to the Target Device
4 Monitor Adobe Reader Execution

Step 2: Create a Monitored Application List with Adobe Reader as a Member


To create an application list and add Adobe Reader as a member to be monitored proceed as follows:
5 Select the Application Lists node.
6 Select the Edit->Create Application List menu item or the respective icon ( ) in the icon bar.
7 The Properties dialog box appears on the screen.
8 Enter the name into the respective field, e.g. Monitoring Adobe Reader.
9 The required type of the application list, Monitored Application, is already preselected.
10 Click the OK button at the bottom of the window to confirm the data for the new application list.
11 Now double-click the newly created list and select the Applications tab in the right window pane.
12 Here we now need to add all the application(s) to be monitored. This may be done in a number of different ways,
but, as we have already added our application to the catalogue, we will add it here from the Application
Catalogue.

To add the application from the software inventory see Option (b) now.

To add the application as a user defined application see Option (c) now.

To add the application directly from a device or device group see Option (d) now.

13 Select the Edit->Add an Application from the Catalogue menu item or the respective icon ( ) in the icon
bar.
14 The Add an Application from the Catalogue dialog box appears on the screen providing the list of
applications.

15 Select the Adobe Reader in the list.


16 Click the OK button at the bottom of the window to confirm and to close the window.
17 Adobe Reader is now defined as an application which will be monitored.

Step 3: Assign Adobe Reader to the Target Device


For an application to be monitored, it must also be defined on which device it is to be monitored. To do so it must
be assigned to this device:
1 Click the Assigned Objects, then Devices node in the left window pane under the Monitoring Adobe Reader
entry. The right window pane is empty since no devices have been assigned yet.
2 To do so select the Assign Device icon ( ) in the icon bar.

3 A pop-up window appears on the screen in which you can define if the device assignment will be
automatically activated with the default schedule. If you select No here, the object must be specifically
activated afterwards, therefore click Yes.

If you select No here to not automatically activate the new application list, see Option (g) on how to activate
it later manually.

4 The Assign to Device popup window will appear on the screen.


5 Go to the All tab and select the master from the list.

6 The master will be added to the table in the right pane with a status of Assignment Waiting and change to
Assigned as soon as the local agent has received the assignment order.
7 From now on, every time Adobe Reader is used on the local device an event will be logged after the
application was closed or has been running for more than 24 hours.

To create and assign a monitoring schedule to the monitored application list see Option (h) now.

Step 4: Monitor Adobe Reader Execution


Numara Asset Management Platform provides two locations at which the actual monitoring of applications may
be done:
• under the Agent Configuration of the respective device,
• under the Event Logs subnode of the All Events node of the device, for our example the master.

To view the monitored application events under this node or in a report see paragraph Upload Application
Management Events to Master Database in the reporting section of this chapter.

To see how the monitoring works, open and close the Adobe Reader application a number of times before you
execute the following procedure. Leave the reader open at the end.
1 Open the Device Topology->master->Agent Configuration->Module Configuration->Managed Applications
node.

2 Select the List tab. It displays all applications that have been selected for managing on the local client,
monitored as well as prohibited applications. For the moment you will only see the Adobe Reader entry.

3 Now go to the Monitored Application Usage Details tab.


4 This table displays the details on the monitoring of Adobe Reader. You will see that there are as many entries
in the table as the number of times you have opened and closed the application. The last opening is not yet counted as
the application has neither been closed yet nor been open for more than 24 hours.

5 Close Acrobat now.


6 Refresh ( ) the view.
7 Another entry will have been added to the list.
8 In these entries you can see amongst others when the event regarding the monitored application was logged
(Event Date), when the application was launched (Start Time) and when it was closed (End Time) as well as
the total time the application was used (Duration), this value is provided in seconds, as well as the name of the
user who was connected at the time and his domain.

Application 2: Prohibit Pinball


A prohibited application list allows the administrator to disable the launching of specific applications on a
managed device using the criteria defined through the Prohibited Application Model. It allows the denial of certain
application launches, both on online as well as off-line devices. Renamed executables and applications will be
accurately identified regardless of whether they are run from remote shares and/or removable devices. The agent
stores data regarding these applications, the date and time the application was found starting, in the local database
and uploads these periodically to the master database. When a prohibited application is started at the remote
client, the NAMP agent will immediately stop its execution and may - depending on the module settings - display
a warning message window including the name and version of the application. If another application is stopped
while the message window is still present, the name and version of the newly stopped application will be added
to the existing window.
This part of the chapter guides you step-by-step through the procedure of defining an application, the Pinball
game, as an application prohibited from execution during working hours via the wizard and explains how to
interpret the results.
Prohibiting Pinball via the wizard consists of the following steps:

1 Define an Application for Application Management (as explained under Step 1 above)
2 Application Management Wizard
3 Monitor Pinball Execution

Step 2: Application Management Wizard


Prohibiting the execution of Pinball consists of several steps, which may all be executed directly within the
Application Management Wizard.
Proceed as follows:
1 Select the Application Lists node in the left window pane.
2 Select the Wizards->Application Management menu item or the respective icon in the icon bar.
3 The Application Management Wizard appears on the screen.
4 In this window you can see all steps of this wizard in the left window pane. The currently selected step is
highlighted in bold, and all steps which are not applicable to the selections are greyed out. For our example this
concerns the schedule steps: no schedule can be assigned to protected applications, as they are protected at all
times.

Step 2a: Application List


In this first wizard step the application list is created by defining the following parameters:
1 Enter the name into the respective field, e.g. Prohibiting Pinball.
2 From the dropdown list of the Type field select the Prohibited Application option.

To create the new application list in a specific folder see Option (f) now.

3 Click the Next button at the bottom of the window to continue with the next step.

Step 2b: Applications


In the Applications window you need to select all the application(s) to be protected. This may be done in a
number of different ways, but, as we have already added our application to the catalogue, we will add it here from
the Application Catalogue.

To add the application from the software inventory see Option (b) now.

To add the application as a user defined application see Option (c) now.

To add the application directly from a device or device group see Option (d) now.

1 Select the Edit->Add an Application from the Catalogue menu item or the respective icon in the icon bar.
2 The Add an Application from the Catalogue dialog box appears on the screen providing the list of
applications.

3 Select the Pinball application in the list displayed in the window.


4 Click the OK button at the bottom of the window to confirm and to close the window.

5 Pinball is now defined as an application which will be prohibited from execution and displayed as such in the
list field.
6 Click the Next button at the bottom of the window to continue with the next step.

Step 2c: Schedule Template


Numara Asset Management Platform allows you to define the times at which an application may be used or is
forbidden. This is done via a Schedule Template, a plan that defines the time slots in which the applications in
the assigned application list are managed according to their specified type. As the name indicates, this is a
template that, once created here, may be assigned to and used by more than one list. For our example we will
create a new template, as none exist yet. Proceed as explained below:
1 Check the Create a new schedule template option.
2 Click the Next button at the bottom of the window to continue.

Step 2d: Schedule Template Configuration


In this window the new schedule template must be configured:
1 Enter the name into the respective field, e.g. No Working Hours. For prohibited applications this name indicates
that they cannot be launched during working hours; for monitoring it would mean that no application
monitoring is done during working hours.

To create the new schedule template in a specific folder see Option (f) now.

2 The current planning displayed in the field below prohibits the execution at all times, indicated by red crosses
in all fields.
3 To allow the execution for non-working hours mark the fields Mon-Fri 5:00-7:59 by clicking the first field
(Mon 5:00) and dragging the mouse to the last field (Fri 7:00).

4 Then choose the Allow Time-slot icon to allow the application to execute in this time range.
5 The red x icon will change to the green check to indicate allow.
6 Repeat points 3 and 4 for the timeslots Mon-Fri 12:00-13:59 and Mon-Fri 18:00-20:59.
7 Click the Next button at the bottom of the window to continue.
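
The template configured in steps 1 to 6, modelled as the same grid of one-hour slots, shows which launch times end up allowed or blocked. This is an added example, not code from the product; the class and function names are hypothetical, and evaluating the schedule in the device's local time is an assumption.

```python
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


class ScheduleTemplate:
    """7 x 24 grid of one-hour slots, like the planning field in the wizard."""

    def __init__(self, name):
        self.name = name
        # A new template prohibits execution in every slot (all red crosses).
        self.allowed = [[False] * 24 for _ in DAYS]

    def allow(self, first_day, last_day, first_hour, last_hour):
        """Mark a rectangle of slots as allowed. Both ends are inclusive,
        so last_hour=7 covers 7:00-7:59, matching the drag to 'Fri 7:00'."""
        d0, d1 = DAYS.index(first_day), DAYS.index(last_day)
        if d0 > d1 or not 0 <= first_hour <= last_hour <= 23:
            raise ValueError("empty or out-of-range selection")
        for day in range(d0, d1 + 1):
            for hour in range(first_hour, last_hour + 1):
                self.allowed[day][hour] = True

    def is_allowed(self, when):
        """when: naive datetime in the device's local time (assumption)."""
        return self.allowed[when.weekday()][when.hour]

    def allowed_hours_per_week(self):
        return sum(sum(row) for row in self.allowed)

    def render(self):
        """Text version of the grid: '+' = allowed, 'x' = prohibited."""
        return "\n".join(
            day + " " + "".join("+" if slot else "x" for slot in row)
            for day, row in zip(DAYS, self.allowed)
        )


def no_working_hours():
    """The template built in steps 1 to 6 above."""
    template = ScheduleTemplate("No Working Hours")
    template.allow("Mon", "Fri", 5, 7)     # Mon-Fri 5:00-7:59
    template.allow("Mon", "Fri", 12, 13)   # Mon-Fri 12:00-13:59
    template.allow("Mon", "Fri", 18, 20)   # Mon-Fri 18:00-20:59
    return template


def launch_decision(template, when):
    """Outcome for a prohibited application list that uses this template."""
    return "allowed" if template.is_allowed(when) else "blocked"


if __name__ == "__main__":
    tpl = no_working_hours()
    print(tpl.render())
    # Constructed launch times (1 March 2010 is a Monday).
    for stamp in ["2010-03-01 07:59", "2010-03-01 08:00",
                  "2010-03-01 12:30", "2010-03-06 12:30"]:
        moment = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, launch_decision(tpl, moment))
```

Saturday and Sunday stay fully prohibited because only the Mon-Fri columns were marked, and a launch at 08:00 is blocked while one at 07:59 is not.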

Step 2e: Assigned Devices


For an application to be prohibited, the device on which it is to be prohibited must also be defined. This is done in
the last wizard window.
1 To do so select the Add Device icon on top of the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the master from the list.

4 Click OK to confirm and close the window.


5 The master will be added to the list of assigned devices in the list field.

Step 2f: Object Selection


The last option provided by the wizard is to go directly to the application list
and to activate it. For our example we will not change the focus but activate the
list. Therefore click Yes to immediately activate the application list.

If you select No here, see Option (g) to activate the prohibited application list later on.

The new prohibited application list is now added to the list of applications.

Step 3: Monitor Pinball Execution


Numara Asset Management Platform provides two locations at which the actual monitoring of prohibited
applications may be done:
• under the Agent Configuration of the respective device, or
• under the Event Logs subnode of the All Events node of the device, for our example the master.

To view the prohibited application events under this node or in a report see paragraph Upload Application
Management Events to Master Database in the reporting section of this chapter.

1 Open the Device Topology->master->Agent Configuration->Module Configuration->Managed Applications node.
2 Select the List tab. It displays all applications that have been selected for managing on the local client,
monitored as well as prohibited applications. Here you will now see the monitored application Adobe Reader
as well as the new prohibited Pinball. If this is not the case refresh the view.

3 Launch Pinball.
4 An Information window will appear on the screen telling you that Pinball was prohibited from execution.
Click Ok to close the message box.

If Pinball starts instead of the message being displayed, you may be in one of the timeframes in which
the execution is allowed, e.g. it might be lunch time.

5 Now go to the Prohibited Application Usage Details tab.


6 This table displays the details on the monitoring of Pinball execution.
7 Here you will see that there is an entry in the table. If this is not the case refresh the view.
8 Such an entry or event will be generated each time an attempt is made to start Pinball. In this entry you can
see, among other things, when the event regarding the prohibited application was logged (Event Date) and when
the application was launched (Detection Time), as well as the name of the user who was connected at the time
and his domain.

Application 3: Protect Chilli Interpreter


The Selfhealing feature of Numara Asset Management Platform is based on a list of selfhealing applications. Each
protected application has a definition that contains all the information necessary to protect that application, that
is, the list of files which are part of the application, the date and time each file was found to belong to the
application, and its size and checksum at that time. All this information is gathered by the local agent and
stored in its database. The agent then checks the file time and size at regular intervals, currently set to 5
minutes. If the time and/or size of the file has changed, the agent verifies the checksum. If all three values
have changed, the agent recovers a copy of the original file either from a backup located on the local device or
from a copy held by another agent with the same file protection scheme.

Make sure to deactivate the selfhealing option for any protected application before updating or upgrading it, as these
modifications will also be seen as ’destructive’. After you have made any necessary modifications to the software you can
reactivate the selfhealing process for the respective software again.
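
The check cycle described above (cheap time and size comparison first, checksum only when one of them differs, restore from a local backup), written out as an added example that is not the agent's own code. SHA-256 as the checksum, the function names, the `force_hash` option and restoring whenever the checksum no longer matches are assumptions of this sketch.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class Baseline:
    """What the definition records for one protected file."""
    path: str
    mtime_ns: int
    size: int
    checksum: str
    backup: str  # known-good copy on the local device


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def protect(path, backup_dir):
    """Record time, size and checksum and keep a backup copy."""
    backup = os.path.join(backup_dir, os.path.basename(path))
    shutil.copy2(path, backup)
    st = os.stat(path)
    return Baseline(path, st.st_mtime_ns, st.st_size, sha256_of(path), backup)


def _restore(baseline):
    # Never restore from a backup that itself no longer matches the baseline.
    if sha256_of(baseline.backup) != baseline.checksum:
        raise RuntimeError("backup copy does not match the baseline")
    shutil.copy2(baseline.backup, baseline.path)
    # Re-read the time so the next quick check starts from the restored file.
    baseline.mtime_ns = os.stat(baseline.path).st_mtime_ns
    return "restored"


def check(baseline, force_hash=False):
    """One check cycle. Returns 'ok', 'metadata-only' or 'restored'."""
    if not os.path.exists(baseline.path):
        return _restore(baseline)          # deleted file
    st = os.stat(baseline.path)
    changed = (st.st_mtime_ns != baseline.mtime_ns
               or st.st_size != baseline.size)
    # Quick path: no hashing while time and size are unchanged. A change that
    # leaves both intact is only seen when force_hash requests a full check.
    if not changed and not force_hash:
        return "ok"
    if sha256_of(baseline.path) == baseline.checksum:
        return "metadata-only" if changed else "ok"
    return _restore(baseline)


def demo():
    """Constructed scenario in a temporary directory; returns the outcomes."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        backup_dir = os.path.join(root, "backup")
        os.mkdir(bin_dir)
        os.mkdir(backup_dir)
        exe = os.path.join(bin_dir, "protected.exe")   # constructed stand-in
        with open(exe, "wb") as handle:
            handle.write(b"original build")
        baseline = protect(exe, backup_dir)
        results = [check(baseline)]                     # untouched
        os.remove(exe)
        results.append(check(baseline))                 # deleted
        with open(exe, "wb") as handle:
            handle.write(b"tampered build!!")           # size and time change
        results.append(check(baseline))
        later = baseline.mtime_ns + 10**9
        os.utime(exe, ns=(later, later))                # only the time changes
        results.append(check(baseline))
        with open(exe, "rb") as handle:
            intact = handle.read() == b"original build"
        return results, intact


if __name__ == "__main__":
    print(demo())
```

A legitimate update changes the checksum just as tampering does, which is why the note above asks for selfhealing to be deactivated before updating or upgrading a protected application.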

This part of the chapter guides you step-by-step through the procedure of defining an application, the Chilli
programming language, as a protected application via the wizard and how to interpret the results.
Protecting Chilli Interpreter consists of the following steps:
1 Define an Application for Application Management (as explained under Step 1 above)
2 Create a Protected Application List and Assign it to the Target via the Application Management Wizard
3 Monitor Chilli Interpreter Selfhealing

Step 2: Create a Protected Application List and Assign it to the Target via the Application Management Wizard
To create an application list and add Chilli Interpreter as a member to be protected, i.e. defined as selfhealing in
case of file corruption, proceed as follows:
1 Select the Application Lists node in the left window pane.
2 Select the Wizards->Application Management menu item or the respective icon in the icon bar.
3 The Application Management Wizard window appears on the screen with its first window, Application List.
4 In this window you can see all steps of this wizard in the left window pane. The currently selected step is
highlighted in bold, and all steps which are not applicable to the selections are greyed out. For our example this
concerns the schedule steps: no schedule can be assigned to protected applications, as they are protected at all
times.

Step 2a: Application List


1 Enter the name into the respective field, e.g. Protecting Chilli Interpreter.
2 From the dropdown list of the Type field select the Protected Application option.

3 Click the Next button at the bottom of the window to continue to the next window.

Step 2b: Applications


In the Applications window you need to select all the application(s) to be protected. This may be done in a
number of different ways, but, as we have already added our application to the catalogue, we will add it here from
the Application Catalogue.

To add the application from the software inventory see Option (b) now.

To add the application as a user defined application see Option (c) now.

To add the application directly from a device or device group see Option (d) now.

1 Select the Add an Application from the Catalogue icon above the list field.
2 The Add an Application from the Catalogue dialog box appears on the screen providing the list of
applications.
3 Select Chilli Interpreter.

4 Click the OK button at the bottom of the window to confirm the new protected application.
5 The application is now added to the list and appears in the list window.

You can see here that a number of attributes may be defined for protected applications. To do so, refer to
Option (i) now.

6 Click the Next button at the bottom of the window to continue.

Step 2c: Assigned Devices


For an application to be protected, the device on which it is to be protected must also be defined. To do so it must
be assigned to this device:
1 Select the Add Device icon on top of the list field.
2 Then click the OK button to confirm and close the window.
3 The master will be added to the table in the right pane.

4 All options of the protected application list are now defined, so click the Finish button to confirm.
5 The last option provided by the wizard is to directly activate the newly
created application list and to go directly to it. Click Yes to immediately
activate the application list without changing the focus.

Refer to Option (g) to only create the application list now and activate it
manually later.

Step 3: Monitor Chilli Interpreter Selfhealing


Numara Asset Management Platform provides two locations at which the actual monitoring of application
selfhealing may be viewed:
• under the Agent Configuration/Selfhealing of the respective device, or
• under the Event Logs subnode of the All Events node of the device, for our example the master.

To view the selfhealing events under this node or in a report see paragraph Upload Application
Management Events to Master Database in the reporting section of this chapter.

Once the selfhealing process is activated you may do the following to verify how it works:

Be aware that in most cases this only protects the directory in which the executable file of the software is found,
usually the \bin directory.

1 Open the Windows Explorer.


2 Go to the Chilli Interpreter installation directory and its bin folder (C:\Program Files\Numara
Software\Numara Asset Management Platform\Master\bin).
3 Select the chilli.exe file and delete it.
4 Now wait at least 30 seconds or press F5 or click the refresh button. 30 seconds is the default timer for the
selfhealing check.
5 The deleted file should be restored to the directory.
Selfhealing Events
1 Open the Device Topology->Master->Agent Configuration->Module Configuration->Selfhealing node.
2 Select the List tab. It displays all applications that have been selected for managing on the local client,
monitored as well as prohibited applications. Here you will now see the protected application Chilli
Interpreter. If this is not the case refresh the view.

3 Now go to the Protected Application Fix Details tab.


4 This table displays the details on the fixing of Chilli Interpreter.

5 Such an entry or event will be generated each time Chilli Interpreter is repaired. In this entry you can see,
among other things, when the event regarding the protected application was logged (Event Date), the date and
time at which the application was fixed (Fixing Time), which file was fixed (Fixed File), as well as the name of
the user who was connected at the time and his domain.

10.2 Application Management Reporting


Up to now the event data regarding application management are only available locally on the agent. However, to
be able to generate reports on this topic and to view them in the console together with other data, these events
must be specifically uploaded to the master and its database. Once data is available on application management,
you may generate different reports to summarise the general situation or detail specific events. The following
chapter will guide you through some of these possibilities. You will find the general information on reports in the
Reporting chapter earlier in this manual. You may also create your own style-based reports as explained in the
Report chapter earlier in this manual.
Step 1: Upload Application Management Events to Master Database
The event data of all types of application management may be uploaded to the master database via an operational
rule. The operational rule will contain three steps, i.e. one step per application event type to be uploaded.

By default these events are configured to be uploaded every 24 hours, i.e. at midnight. If the agent is not running
at this time the events will be uploaded at agent startup.

1 Go to the Operational Rules top node in the left window pane.


2 Click on the Create Operational Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Application Management Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the operational rule.
7 To configure the steps it is to contain, go to the next tab, the Steps tab.
8 Click the Add Step icon in the icon bar to add the first step.
9 The Select a Step popup window will appear on the screen.
10 It displays the list of available steps in its Available Steps box.

11 Double-click the Event Log Manager folder.


12 Select the step Upload Events and click the Add button.
13 The Properties dialog box appears on the screen.
14 From the Model Name dropdown list select the Monitored Applications value and leave all other fields as
they are.
15 Then click OK to confirm the parameters.
16 Reselect the step Upload Events and click the Add button.
17 The Properties dialog box appears on the screen.
18 From the Model Name dropdown list select the Protected Application value and leave all other fields as
they are.
19 Then click OK to confirm the parameters.
20 Reselect the step Upload Events again and click the Add button.
21 The Properties dialog box appears on the screen.
22 From the Model Name dropdown list select this time the Prohibited Application value.
23 Then click OK to confirm the parameters and OK again to confirm the new step.
24 The operational rule is now configured and must be assigned to the target, i.e. all devices, since we executed
software installations on the master as well as the clients.
25 Go to the Assigned Objects->Devices node in the left window pane under your newly created operational rule.
26 Select the Assign Device icon in the icon bar.
27 A confirmation window appears on the screen. In this window you may define whether the device group
assignment will be activated according to the default schedule defined in the User Preferences. Click Yes to
activate the operational rule automatically.

28 The Select a Device popup window will appear on the screen.


29 Select the All button to the left.
30 Select the master from the list.

31 The master will be added to the table in the right pane with a status of Assignment Waiting.
32 Once its status is Executed all data are uploaded.
33 To verify this go to the All Events->Event Logs node of the master.
34 This node displays the list of all events registered by the event log models for the selected device.
35 Select the Monitored Applications value from the dropdown list of the Model Name field.
36 Click the Find button.
37 The table below will now display all application management events of type monitoring that were uploaded.

38 Check the events for prohibited and protected applications as well.


39 Now all data are uploaded and ready and the report may be generated.

Step 2: Generate Reports


The Numara Asset Management Platform provides a number of predefined reports for the application
management with its out-of-the-box objects, style-based reports as well as template-based ones. They are all
collected in the Application Usage folder. Proceed as follows to generate a report:
Report 1: Prohibited Application Usage by Day of the Week
This report is a style-based report, already created via the out-of-the-box objects and ready to be generated.
Proceed as follows:
1 Open the Reports->Application Usage folder in the left window pane.
2 Select a report, for example Prohibited Application Usage by Day of the Week.
3 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
4 A confirmation window appears on the screen. Click the OK button to confirm.
5 The report will be created immediately using the current data of the database.
6 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
7 A login window appears on the screen. Enter admin and no password.
8 A new browser window or tab opens and displays the report.

This report has two subreports each displaying a bar chart, the first for the number of times an application was
started and the second for the average amount of time the application was running on the devices.

Report 2: Monitored Application Summary by Application Lists


One report per template-based report is also already created via the out-of-the-box objects, ready to be assigned to
a target and to be generated. Proceed as follows:
1 Open the Reports->Application Usage folder in the left window pane.
2 Select the report Monitored Application Summary by Application Lists.

To restrict the data processed for this report to a certain time range see Option (k) now.

3 Go to its Assigned Objects->Device Groups node.


4 Either choose the Edit->Assign Device Group menu item or click the respective icon in the icon bar.
5 The Assign to Device Group popup window will appear on the screen.
6 Select the All Devices group from the window.

7 Click OK to confirm the assignment and close the window.


8 The device group will be added to the table of assigned device groups.
9 Then go back to the Monitored Application Summary by Application Lists report node in the left window
pane.
10 Select the Edit->Generate Report menu item or the respective icon in the icon bar.
11 A confirmation window appears on the screen. Click the OK button to confirm.
12 The report will be created immediately using the current data of the database.
13 To view the report select the Edit->View Last Result menu item or the respective icon in the icon bar.
14 A login window appears on the screen. Enter admin and no password.
15 A new browser window or tab opens and displays the report.

10.3 Application Management Options


The following paragraphs will provide you with a number of options that may be used to modify the application
of managed software programs.
(a) Define Managed Applications from Direct Access
To define an application as user defined and make it available for application management proceed as follows. Be
aware that an application which does not provide all information required for a managed application cannot be
added as such; in this case the menu option will not be accessible.
1 Open the Device Topology->master->Direct Access->File System node.
2 In the right window pane go down into the hierarchy to the storage location of your software applications, in
general Program Files and go to the Adobe Adobe Reader installation directory and select the executable file
(AcroRd32.exe).

3 Select the Edit->Add User Defined Application menu item or the respective icon in the icon bar.
4 The Add User Defined Application dialog box appears on the screen.
5 It provides all the data it can find on the selected executable.

6 Click the OK button at the bottom of the window.


7 A confirmation window appears on the screen.
8 In this window you may define the folder into which the application is to be added. By default it will be added
directly under the main Application Catalogue node. To add it to another folder click the icon to the right of
the field (...). The Select Folder window appears on the screen displaying the folder hierarchy. If the desired
target folder does not yet exist you can also create new folders. To do so first select the parent folder of the new
one and then click the New Folder icon below the hierarchy. The Properties dialog box appears on
the screen. Enter the desired data into the respective fields and then click the OK button at the bottom of the
window to confirm the new application list folder. Select the target folder and click the OK button to confirm
and to close the window.
9 An Information window will now appear in which you may also directly add the selected application to an
existing application list. Click Yes to do so, No to only add the application to the Application Catalogue.
10 If you selected Yes the Assign an Application List dialog box appears on the screen providing the list of
existing application lists.
11 Select the desired application list from one of the lists available in the window.
12 Click the OK button at the bottom of the window to confirm.
13 If the application list is already assigned to a device or group, a Confirmation window appears in which you
may choose to directly reactivate the application list for its assigned objects.
14 The Adobe Reader application will now be automatically added to the list of applications.

(b) Add from Software Inventory


Applications may be added to the list of managed applications via the list of installed software generated by the
software inventory. Software applications which do not provide all information required for a managed
application will in this case not appear in the list here. To add an application to the list of managed applications
from the general software inventory list under the Application Management node proceed as follows:
1 Open the Application Management->Application Catalogue node in the left window pane.
2 Select the Edit->Add from Software Inventory menu item or the respective icon in the icon bar.
If you are in the wizard, proceed as follows:
2 Select the Add from Software Inventory icon on top of the list field.
The procedure then continues for both locations as follows:
3 The Add Applications from Software Inventory window appears on the screen. This window displays the
filtered list of applications found in the software inventory that may be used for the managing of applications,
i.e., those of type Application or Browser.
4 Find the Acrobat Distiller application, for example, and select it.

5 Click OK at the bottom of the window to directly add the selected software.
(c) Add User Defined Application
To add a user defined application to the list of managed applications from directly under the Application
Management node proceed as follows:
1 Open the Application Management->Application Catalogue node in the left window pane.
2 Select the Edit->Add User Defined Application menu item or the respective icon in the icon bar.
3 The Add User Defined Application dialog box appears on the screen.
4 Enter the following data into the respective fields:
Name: Adobe Reader 8
Version: 8.1.0.2007051100
File Name: AcroRd32.exe

Make very sure that you enter the name and version number exactly as they were found
under the Software Inventory, otherwise the application will be added to the list of
managed applications, but neither monitoring, prohibiting nor protecting it will
work.

5 Click the OK button at the bottom of the window to confirm the data for the new
managed application.

(d) Add Application from Device


To add an application via an executable file of a specific device proceed as described below. Be aware that an
application which does not provide all information required for a managed application cannot be added as such;
in this case the following menu option will not be accessible.
1 Select the Edit->Add Application from Device menu item or the respective icon in the icon bar.
If you are in the wizard, proceed as follows:
1 Select the Add from Software Inventory icon on top of the list field.
The procedure then continues for both locations as follows:
2 The Select a Device window opens on the screen.
3 Select from one of the proposed lists the device on which the desired executable file is located. Be aware that
you must provide access rights to this device if you have not yet done so via another of the console's
functionalities.
4 Click the OK button at the bottom of the window to confirm the device.
5 Now the Select Executable File window appears on the screen displaying the directory structure of the
selected device.
6 Find the executable file in the hierarchy and select it, then click the OK button.
7 The Add User Defined Application window appears on the screen.
8 It provides all the data it can find on the selected executable apart from a name, and provides the following
fields:
Name
Define a name for the new managed application, such as My Word Processing Application.
Version
The version number found for this application. If the field is empty the application has no version. You may
enter or modify the version number here, using the wildcard characters * and ? to include, for example, all
minor versions of a software, e.g. 7.* for all different flavours of version 7. If the field is empty the version
attribute is ignored and all versions of the executable are included.
File Name
The name of the executable file of the application. This value is not editable.
File Checksum
This field contains the checksum of the executable file. It may be removed to not limit the matching criteria
to a very specific file version.
File Size
Displays the size of the application. This value may also be removed to not limit the matching criteria to a
very specific file version.
9 Click the OK button at the bottom of the window to confirm.
10 If the selected application does not yet exist in the application catalogue, a confirmation window appears on
the screen, as the application will automatically be added to the catalogue as well.
11 In this window you may define the folder into which the application is to be added. By default it will be added
directly under the main Application Catalogue node. To add it to another folder click the icon to the right of
the field (...). The Select Folder window appears on the screen displaying the folder hierarchy. If the desired
target folder does not yet exist you can also create new folders. To do so first select the parent folder of the new
one and then click the New Folder icon below the hierarchy. The Properties dialog box appears on
the screen. Enter the desired data into the respective fields and then click the OK button at the bottom of the
window to confirm the new application list folder. Select the target folder and click the OK button to confirm
and to close the window.
12 If you are not in the wizard and the application list is already assigned to a device or group, another
Confirmation window appears in which you may choose to directly reactivate the application list for its
assigned objects.
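
How the fields described in step 8 combine into matching criteria, as an added example that is not the product's code: an empty version is ignored, * and ? act as wildcards, and a removed checksum or size no longer constrains the match. The class names, the constructed checksums and sizes, and the case-insensitive file name comparison are assumptions; the Adobe Reader name and version are the ones used in Option (c).

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ManagedApp:
    """The fields of the Add User Defined Application dialog."""
    name: str
    file_name: str
    version: str = ""               # "" = version attribute ignored
    checksum: Optional[str] = None  # None = field removed in the dialog
    size: Optional[int] = None      # None = field removed in the dialog


@dataclass(frozen=True)
class ObservedFile:
    """An executable seen on a device (sample values are constructed)."""
    file_name: str
    version: str
    checksum: str
    size: int


def version_regex(pattern):
    """Translate only * and ?, the two wildcards the field accepts."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts))


def first_mismatch(rule, exe):
    """Return the first criterion that fails, or None if the file matches."""
    # Case-insensitive file name comparison is an assumption of this sketch.
    if rule.file_name.lower() != exe.file_name.lower():
        return "file name"
    if rule.version and not version_regex(rule.version).fullmatch(exe.version):
        return "version"
    if rule.checksum is not None and rule.checksum != exe.checksum:
        return "checksum"
    if rule.size is not None and rule.size != exe.size:
        return "size"
    return None


def evaluate(rules, files):
    """Map each (rule label, file label) pair to its failing criterion."""
    return {(r, f): first_mismatch(rule, exe)
            for r, rule in rules.items() for f, exe in files.items()}


RULES = {
    # Checksum and size kept: pinned to one exact build (values constructed).
    "pinned": ManagedApp("Adobe Reader 8", "AcroRd32.exe",
                         "8.1.0.2007051100", checksum="0f3a9c21", size=345432),
    # Checksum and size removed, version widened with a wildcard.
    "all-8": ManagedApp("Adobe Reader 8", "AcroRd32.exe", "8.*"),
    # Version left empty: every version of the executable is included.
    "any": ManagedApp("Adobe Reader", "AcroRd32.exe"),
}

FILES = {  # constructed observations
    "reader-8.1.0": ObservedFile("AcroRd32.exe", "8.1.0.2007051100",
                                 "0f3a9c21", 345432),
    "reader-8.1.0-rebuilt": ObservedFile("acrord32.exe", "8.1.0.2007051100",
                                         "77be0042", 345432),
    "reader-7.0.9": ObservedFile("AcroRd32.exe", "7.0.9", "5d1e88f0", 301000),
    "other": ObservedFile("notepad.exe", "5.1", "a1b2c3d4", 69120),
}

if __name__ == "__main__":
    for pair, reason in sorted(evaluate(RULES, FILES).items()):
        print(pair, "match" if reason is None else "no match: " + reason)
```

Note that 7.* and 7* are different patterns: the first requires the dot, the second also matches a version such as 70.2.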

(e) Add an Application to an Application Catalogue Folder


When adding an application to an application catalogue folder from both the software inventory as well as the
direct access nodes, it is possible to directly put the new application in a specific folder. To do so proceed as
follows for both options:
1 After having selected and confirmed the application to add click the OK button at the bottom of the window.
2 A confirmation window appears on the screen.
3 In this window you may define the folder into which the application is to be added. By default it will be added
directly under the main Application Catalogue node. To add it to another folder click the icon to the right of
the field (...). The Select Folder window appears on the screen displaying the folder hierarchy. If the desired
target folder does not yet exist you can also create new folders. To do so first select the parent folder of the new
one and then click the New Folder icon below the hierarchy. The Properties dialog box appears on
the screen. Enter the desired data into the respective fields and then click the OK button at the bottom of the
window to confirm the new application list folder. Select the target folder and click the OK button to confirm
and to close the window.
4 An Information window will now appear in which you may also directly add the selected application to an
existing application list. Click Yes to do so, No to only add the application to the Application Catalogue.
5 If you selected Yes the Assign an Application List dialog box appears on the screen providing the list of
existing application lists.
6 Select the desired application list from one of the lists available in the window.
7 Click the OK button at the bottom of the window to confirm.
8 If the application list is already assigned to a device or group, a Confirmation window appears in which you
may choose to directly reactivate the application list for its assigned objects.
(f) Add an Object to a Folder
When adding/creating a new object it may be directly added/created to/in a folder, e.g., an application to an
application catalogue folder, an application list to an application list folder or a schedule template to a schedule
template folder. To do so proceed as follows:
1 In the window you may define the folder into which the object is to be added. By default it will be added
directly under the main Application Catalogue node.
2 To add it to another folder click the icon to the right of the field (...).
3 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder
does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon ( ) below
the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window
to confirm the new application list folder.
4 Select the target folder and click the OK button to confirm and to close the window and return to the original
window.
(g) Activate/Deactivate Application Lists
If the application list was not automatically activated during its assignment it must be done manually to start the
actual managing of the applications of the list. This applies to all three list types.
The assignment of application list and target, i.e., the assigned device or group may be done in the following
different locations, all of which are found under the respective Assigned Objects node:
• Application Lists of the assigned device
• Application Lists of the assigned device group
• Devices of the assigned application list
• Device Groups of the assigned application list
To activate the application list management proceed as follows:
Devices/Device Groups
1 Go to the Device/Device Group->Assigned Objects->Application Lists node in the left window pane.
2 Select the entry which is to be activated in the table in the right window pane.
Devices/Device Groups
1 Go to the Application list->Assigned Objects->Devices/Device Groups node in the left window pane.
2 Select the entry which is to be activated in the table in the right window pane.
The following steps of the procedure are applicable to both locations:
3 Select the Edit->Activate Application List menu item or the respective icon ( ) in the icon bar.
4 The application list will be immediately activated.
5 You can follow the activation process via the Status column of the table in the right window pane.
(h) Schedule Templates
Schedule templates are specific schedules which are defined to regulate the use of monitored and prohibited
applications. As the name template indicates, this is a plan which may be used for a number of applications
which have certain criteria of use in common, such as personal software, which, for example, may be forbidden
during regular working hours but allowed before and after, and during lunch time.
The Planning tab of these templates allows you to define time-slots for prohibited applications. The hourly slots are
represented in the visual form of a spreadsheet, and each slot shows whether the assigned prohibited
applications are allowed or denied at that time.
These templates may also be created and assigned manually instead of via the assistant as shown in the main
example. For this proceed as follows:
Step 1: Create a Schedule Template
To add a new schedule template to restrict the monitoring of the application list to the working hours proceed as
follows:
1 Select the Schedule Templates node in the left window pane of the prohibited application.
2 Select the Edit->Create Schedule Template menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Working Hours into the Name field.
5 Click the OK button.
6 Now select the new schedule in the left window pane and go to its Planning tab.
7 Drag your mouse from the Mon 7:00 field to the Fri 18:00 field.

8 Then click the Edit->Allow Time-slot menu item or icon ( ) to allow the application to execute in the selected
time range.

Step 2: Assign Schedule Template to Monitored Application List


For this example we will assume that the Adobe Reader execution is only to be monitored during working hours
instead of all the time, as is the default without schedule template:
1 Select the Application Lists node in the left window pane and the Monitoring Adobe Reader list that we
created in the example.
2 Then go to the Assigned Objects->Schedule Templates node in the left window pane.
3 Select the Edit->Assign Schedule Template menu item or the respective icon ( ) in the icon bar.
4 The Assign a Schedule Template dialog box appears on the screen providing the list of defined Schedule
templates.

5 Select the Working Hours template from the list field.


6 Click the OK button at the bottom of the window to confirm and to close the window.
7 A pop-up window appears on the screen in which you can define if the device assignment will be
automatically activated with the default schedule. If you select No here, the object must be specifically
activated afterwards.
8 Click Yes to confirm the activation.
9 The newly assigned schedule template is now assigned and displayed in the table to the right.

(i) Protected Application Parameters


Protected applications have a number of parameters that may be specifically defined for the individual applications.
Applications may also be protected without a local backup copy. This is worth considering for applications which are installed with
the same version on quite a large number of your devices, such as the NAMP agent.
To protect without a local backup copy proceed as follows:
1 In Step 2b: Point 5 (page 242) select the entry in the list field.
2 Select the Edit->Properties ( ) menu item or icon.
3 The Properties window appears on the screen providing the following options:
Local Backup Copy
Displays if a copy of the protected application is to be stored on the local device.
If you do not make local copies for a protected application for all devices, make sure that at least one device in
the neighbourhood of the backupless devices has such a backup copy, i.e. a neighbour device which can be
found in the backupless device’s autodiscovery list.

Protect Sub-directories
This value defines if the protection scheme includes the sub-directories of the application directory. This may
be applicable for larger applications having sub-directories which contain not only user-created data but also
application data, such as libraries or filters.
Include File Types
By default all files in the main directory as well as the sub-directories, if specified, are included. If you do not
want to include all files, enter into this field the list of file extensions which are to be included in the selfhealing
package. The list is comma separated and uses wildcard characters, such as *.exe,*.dll,*.bat, etc. If
you are limiting the files to be protected, they should not include any type of file that is user created, such as
*.doc,*.txt, etc., as newer files may be erased by older ones in case of a selfhealing operation. You may also
exclude these via the next parameter.
Exclude File Types
By default all file types are included for protection and selfhealing. In this field you may specify a list of file
types which are not to be protected and thus not included in the selfhealing package. The list is comma
separated and uses wildcard characters, such as *.txt,*.doc,*.tmp, etc. In this field you may exclude, for
example, any type of file that is user created, such as Word documents, Excel spreadsheets, etc., as newer files
may be erased by older ones in case of a selfhealing operation.

4 Click the OK button at the bottom of the window to confirm and to close the window.
5 Then continue with the wizard.
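The following added example (not part of the manual and not NAMP code) models how the Protect Sub-directories, Include File Types and Exclude File Types values decide which files land in the selfhealing package, and lists the user-created files that a restore could overwrite with an older copy. It assumes that patterns match file names case-insensitively and that the exclude list is applied after the include list; the directory listing, the function names and the USER_DATA_EXTS set are constructed for illustration.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Assumption for this example: extensions treated as user-created data.
# The manual names *.doc and *.txt and mentions Word and Excel files.
USER_DATA_EXTS = {".doc", ".txt", ".xls"}

# Constructed sample listing of a hypothetical application directory.
APP_DIR = PureWindowsPath(r"C:\Program Files\ExampleApp")
SAMPLE_FILES = [
    APP_DIR / "app.exe",
    APP_DIR / "core.dll",
    APP_DIR / "start.bat",
    APP_DIR / "notes.txt",
    APP_DIR / "filters" / "blur.dll",
    APP_DIR / "filters" / "readme.TXT",
    APP_DIR / "reports" / "q3.doc",
    APP_DIR / "cache" / "session.tmp",
]


def parse_patterns(field):
    """Split a comma-separated field such as '*.exe,*.dll' into patterns."""
    return [p.strip().lower() for p in field.split(",") if p.strip()]


def _matches(name, patterns):
    """True if the lower-cased file name matches any wildcard pattern."""
    return any(fnmatchcase(name, p) for p in patterns)


def select_protected(files, app_dir, include="", exclude="", subdirs=False):
    """Return (protected, at_risk) for the given parameter values.

    protected: files that would be part of the selfhealing package.
    at_risk:   protected files with a user-data extension, i.e. files a
               selfhealing restore could replace with an older copy.
    An empty include field means "all files", as the manual describes.
    """
    inc = parse_patterns(include)
    exc = parse_patterns(exclude)
    protected, at_risk = [], []
    for path in files:
        path = PureWindowsPath(path)
        try:
            rel = path.relative_to(app_dir)
        except ValueError:
            continue  # not inside the application directory
        if len(rel.parts) > 1 and not subdirs:
            continue  # sub-directory file, but sub-directories not protected
        name = path.name.lower()
        if inc and not _matches(name, inc):
            continue
        if exc and _matches(name, exc):
            continue
        protected.append(path)
        if path.suffix.lower() in USER_DATA_EXTS:
            at_risk.append(path)
    return protected, at_risk


if __name__ == "__main__":
    cases = [
        ("defaults", {}),
        ("sub-directories, no filters", {"subdirs": True}),
        ("include binaries only",
         {"subdirs": True, "include": "*.exe,*.dll,*.bat"}),
        ("exclude user data",
         {"subdirs": True, "exclude": "*.txt,*.doc,*.tmp"}),
    ]
    for label, kwargs in cases:
        protected, at_risk = select_protected(SAMPLE_FILES, APP_DIR, **kwargs)
        print(f"{label}: {len(protected)} protected, {len(at_risk)} at risk")
        for path in at_risk:
            print(f"  user data inside package: {path}")
```
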
(j) Defining the Integrity Check Interval
You may define at which interval the agent checks the integrity of the protected applications. This is done via a
parameter of the selfhealing module and the value will be applicable for all defined protected applications. The
default value for the integrity check is defined at 30 seconds. To now increase this value for example to 5 minutes
you have the following possibilities:
Modify the Parameter for a Single Device:
1 In the console
a Open the node Device Topology->Device->Agent Configuration->Module Configuration->Selfhealing.
b Select the entry in the table.
c Select the Properties icon ( ) in the displayed tab.
d The Properties window appears on the screen. Modify the parameter to 300 seconds.
e Then click the OK button to confirm the modification. The new parameter value will directly be taken into
account.
2 Via the Agent Interface
a Double-click the SysTray symbol to open the agent interface in a browser window.
b Then select the Identification button in the top right corner of the browser window and log on to the
interface with a local login with administrator permissions.
c The browser will now display the extended version of the agent interface.
d Select the tab Advanced and from its list in the left column the option Selfhealing.
e The browser window now displays the Selfhealing Module Parameters page.
f Click the Modify... button.
g The browser now displays a page in which the value of the parameter may be modified. Enter 300 instead
of the existing 30 seconds.
h Then click the Update button. The new parameter value will directly be taken into account.
3 In the Configuration file
a Go to directory <InstallationDirectory>/Client/config.
b Open the file SelfHealing.ini in a text editor.
c Modify the value of parameter CheckInterval from 30 to 300 seconds. The new parameter value will
directly be taken into account.
Modify the Parameter for Several Devices:
To modify the parameter value for several devices, we will first create an operational rule with the new value, and
then assign it to the target devices, either directly to the individual devices or via a device group, such as for
example group All Devices, to be executed. To do so proceed as follows:
1 Create an operational rule with step Selfhealing Module Setup. You define the value for this step to 300
seconds.
2 Assign the rule to device group All Devices and directly activate it.
3 Open the following console node on one of the target devices: Device Topology->Device->Assigned Objects->Assigned Operational Rules.
4 Once the status Executed is displayed for the assigned operational rule, the modification was done.
5 To verify this open node Agent Configuration->Module Configuration->Protected Applications of the device.
There you will now find the new value.
(k) Reporting on Specific Time Range
To only use the data of a specific time range for the report to be generated, proceed as follows:
1 At Report 2: Point 2 (page 248) of the general procedure select the Options tab of the report.
2 Since no options have yet been specified for this report the table in this view is still empty.
3 To add a time frame select the Edit->Properties ( ) menu item or icon.
4 The Properties window appears on the screen.
5 Check both boxes to activate the calendar fields.
6 Then open the calendar for each of the fields and select a start and an end date.
7 Click OK to confirm and close the window.
8 The time option is now active for the report.
9 Continue with the general procedure with Point 3 (page 248).
11 Power Management Step-by-Step
The new functionalities of the Numara Power Manager allow you to follow the overall energy usage of your
devices over specific periods of time, to calculate your energy costs and CO2 emissions as well as to measure the
progress regarding the application of energy consumption policies.

The Power Management functionality is NOT applicable to Linux, Mac OS and Solaris; it is only applicable to Windows,
version 2000 and later.

This chapter is divided into the following sections:


• Power Management Procedures
• Power Management Reporting
• Options

Prerequisites
To execute the examples provided in this chapter we assume that:
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the
NAMP console and its workings.

11.1 Power Management Procedures


The following paragraphs explain the different elements of power management and guide you through the
generation, monitoring and interpretation of the power management data. This is done via the following steps:
1 Configuring Devices for Power Management
2 Power Management Inventory
3 Event Monitoring
Step 1: Configuring Devices for Power Management
The Power Management module is loaded by default at installation time; now it only needs to be configured. We
will do so in this example via an operational rule using the wizards for all devices of your test environment:
1 Select the Wizards->Operational Rule Creation menu item or the respective icon ( ) in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard.
Step 1a: Definition
In this first step the operational rule to be created must be defined via its parameters.
1 Enter Power Management Configuration (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as neither packages will be distributed nor dependencies are required
for this rule.
3 Click the Next button to continue.


Step 1b: Steps
In this window we need to define the operations necessary to configure the power management which is done all
in one single step:
1 Select the Add Step icon ( ) on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Open the Agent Configuration folder and select the Power Management Module Setup step.
4 Click the Add ( ) button to confirm.
5 The Properties window appears on the screen.

6 Make the following modification to the available parameters:


• Check the Log Events option. This will make sure that the events generated for the power management are
logged in the local database.

This step configures the event generation for the module, as we have just done, as well as the default inventory
update and upload. By default it is generated and uploaded to the master database every 24 hours. If you want
to define a different schedule see Option (a).

7 Then click OK to add the step to the list and close the window.
8 Click OK again to confirm the list of steps for the operational rule and close the window.
9 Now click the Finish button to confirm the settings of the new operational rule.
10 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.
Step 1c: Operational Rule
In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as
some distribution options:
1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 Leave all other options as they are.

3 Click Next to continue.


Step 1d: Assigned Devices
The operational rule is now created and must be assigned to the devices on which to execute, in our example the
relay.
1 To do so select the Assign Device icon ( ) on top of the list field.
2 The Select a Device popup window will appear on the screen.
3 Go to the All tab and select the relay.
4 Click OK to confirm and close the window.


5 The device will be added to the list window.

6 Click Finish to confirm all choices and launch the assignment and configuration
process.
7 The last option provided by the wizard is to go directly to one of the objects, i.e.
the operational rule or the task, if one was created. For our example we will
directly activate the rule and change the focus to it; therefore check the Go to
Operational Rule box and click Yes to directly activate the rule.

Step 2: Power Management Inventory


Similar to the Patch Inventory the Power Management Inventory must be generated specifically. This is done via
an operational rule executed on your target devices. The first action to take is to create the operational rule, this
time manually.

Step 2a: Create Operational Rule


1 To do so select the Operational Rules top node in the left window pane.
2 Click the Edit->Create Operational Rule menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Power Management Inventory into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 Go to the Steps tab.
7 Click the Add Step icon ( ) in the icon bar.
8 The Select a Step popup window will appear on the screen.
9 Double-click the Inventory Management folder and select the Update Power Management Inventory step of
this group.
10 Click the Add button ( ) to add the step to the list of Selected Objects.
11 The Properties dialog box will appear on the screen displaying the parameters to be defined.
12 Check the remaining options: Upload after update, Force Upload, Bypass Transfer Window.

13 Then click OK to close the window.


14 Click OK to add the step to the operational rule and close the Select a Step popup window.
15 The operational rule is now configured.

Step 2b: Assign and Execute the Operational Rule Immediately


The operational rule is now created and must be assigned to the target devices; for our example here we will assign
it to the group All Devices again.
1 Return to the Power Management Inventory rule, click the Assigned Objects node and then the Device Groups
node.
2 To assign the group select the Assign Device Group icon ( ) in the icon bar.
3 A confirmation window appears on the screen. Click Yes, to activate the operational rule directly.

To schedule the inventory generation at regular intervals, click No and see Option (b) once the device group is
assigned.

4 The Assign to Device Group popup window will appear on the screen.
5 Select the All Devices group from the list.

6 Then click OK to add it and close the window.


7 If you answered Yes to Would you like to automatically activate...? (see point 3 above), the inventory process is
started directly!

Step 2c: Monitor Rule Execution Progress


In the right window pane of the Device Groups node you can follow the execution of the rule via the
different status values the process passes through for the individual devices. You should see the following successive status values if
everything went well:
• Assignment Waiting
• Assignment Sent
• Assigned
• Ready to run
• Executed
One of the following status values may be shown if the execution failed:
• Verification Failed - this status may appear if, for example, the operating system of the target is of an
unsupported type, e.g. Linux or Solaris.

At any moment you can use the Refresh button ( ) in the toolbar.

The bottom right counter tells you the seconds before the status is refreshed automatically.

Step 2d: Verify Power Management Inventory


Once the rule has successfully executed you can take a first look at the inventory on the first device.
1 Open node All Devices->Device->Inventory->Power Management Inventory.


2 This node displays its information in three different subnodes. We will for the moment only concern ourselves
with the Global Policies node.
3 This node displays the name of the currently activated power scheme and its parameter values.

To learn how to change the active power scheme see Option (e).

To learn how to create new power schemes or modify existing power schemes see Option (d).

Step 3: Event Monitoring


Events may be monitored locally and centrally once the data is uploaded to the NAMP database, and they may be
monitored individually for a single device or for all the members of the group.
• Local Event Monitoring
• Monitoring Events on the Master

Step 3a: Local Event Monitoring


You can monitor what is happening concerning power management locally on each of the devices of your group.
To cause some events to be generated you can for example modify your screen saver settings to a very short time
of inactivity, e.g. 1 minute. Wait until the screen saver comes on and then unlock your screen again as shown in
the screen shot of this example. You may also configure the device to go into Standby mode after 1 minute, wait
and then reactivate the device again.
1 Go to the All Devices->Device (Master?)->Agent Configuration->Power Management node.
2 Then select the Events tab.
3 It displays the list of events that occurred on the local device.
4 Refresh ( ) the page if it is still empty.
5 The following information is displayed:


Event Date
The date and time at which the power management action, the activation of the screensaver, was executed.
Type
This field displays the type of event that occurred, i.e., the screen saver was activated, the device was put in
hibernation, etc.

Step 3b: Monitoring Events on the Master


Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic
and to view them in the console together with other data these events must be specifically uploaded to the master
and its database. This is done via an operational rule:

By default these events are configured to be uploaded every 24 hours, i.e. at midnight. If the agent is not running
at this time the events will be uploaded at agent startup.

1 Go to the Operational Rules top node in the left window pane.


2 Click on the Create Operational Rule icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Power Management Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 To configure all the steps it is to contain go to the next tab, the Steps tab.
7 Click the Add Step icon ( ) in the icon bar to add the first step.
8 The Select a Step popup window will appear on the screen.
9 It displays the list of available steps in its Available Steps box.
10 Double-click the Event Log Manager folder.


11 Select the step Upload Events and click the Add ( ) button.
12 The Properties dialog box appears on the screen.
13 From the Model Name dropdown list select the Power Management value and leave all other fields as they
are.
14 Then click OK to confirm the parameters and OK again to confirm the new step.
15 The operational rule is now configured and must be assigned to the target, i.e. all devices in our test
environment.
16 Go to the Assigned Objects->Device Groups node in the left window pane under your newly created
operational rule.
17 Select the Assign Device Group icon ( ) in the icon bar.
18 A confirmation window appears on the screen. In this window you may define if the device assignment will be
activated according to the default schedule defined in the User Preferences. Click Yes, to activate the
operational rule automatically.

By default the events, if activated, will be uploaded to the master database once a day at midnight. If you need
a more frequent upload click No, and then see Option (c) once this step is finished.

19 The Assign to Device Group popup window will appear on the screen.
20 Select the group All Devices from the list.
21 The group will be added to the table in the right pane with a status of Activated.
22 Select the subnode All Devices and follow the execution of the operational rule for the group members.
23 Once its status is Executed all data are uploaded.
24 To verify this go to the Events->Event Logs node of the All Devices group.
25 This node displays the list of all events registered by the event log models for the selected device group.
26 To display the power management events instead of the default software distribution events select Power
Management from the Model Name dropdown list.
27 Then click the Find button.
28 The table below will now display all events that were uploaded and continue to be uploaded.

29 Now all data are uploaded and ready and reports may be generated.

11.2 Power Management Reporting


The easiest and clearest way to monitor the power management activity is via reporting. The NAMP console
provides a template-based report for this. However, contrary to other modules, there is only one template with a
number of different options to display the different aspects of the topic.
• All reports that can be generated with this template according to its different units and groupings can either be
shown as a summary for all devices or with the same details displayed for each device that is included in the
report.
• The report details may be grouped by Status, Weekly Hours, Day, Month, Week or Year
• The units according to which the data may be displayed are Percentage, Hours, Energy, Price and CO2
Emission.
• The reports may be generated for a specific period of time.
• As usual all these reports may be generated and displayed in HTML, PDF and XML format.
The following section provides some examples of these possibilities, mostly as a summary. You will find
detailed information on each of the possible contents in the Power Management Report Templates on page 47 of
the Power Management manual.
For our examples here we will only create one report which we will modify each time to see the different
possibilities. However, you may also create a new report for each example, but this will not be explained
specifically.
Report 1: Power Management Reporting - Summary
We will generate this report via the wizard, which is available from everywhere in the console.
1 Select the Wizards->Report Creation menu item or the respective icon ( ) in the icon bar.
2 The Report Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1: Report
The first window of the wizard, Report, appears on the screen. It defines the base information of the report:
1 Enter Summary as the name into the Name field.
2 Enter Power Management Summary as the name into the Report Title field.
3 In the Report Type field select Template-based from the dropdown list.
4 In the Report Template field select Power Management Status from the dropdown list.
5 Power management only provides one report which however provides you with several options.
6 Leave all other values as they are.

7 Click Next to continue.

Step 2: Options
In the Options window the criteria for the report are defined, e.g. if it is to be a summary, if it is generated for a
specific period of time, for a specific group, etc. For our example we will first generate the basic report, a status
summary. Therefore leave all values as they are and click Next to continue.

Step 3: Publication and Mail


This step allows you to make the generated reports accessible to other associates within your department or
company and/or to send it by mail to specific associates. For this example we will make this a public report and
send it to our own e-mail account in HTML format. To do so proceed as follows:
1 Enter a name, i.e. a title for the report, into the Name field, e.g., Power Management Summary.
2 Then check the Public Report box.

For more information regarding public reports on the Report Portal see Option (g) in the Reporting chapter.

3 Go down to the second panel and select the Add e-mail icon ( ).
4 The Define Mail dialog box appears on the screen. To specify the recipients as direct recipients, copy
recipients and blind copy recipients, you proceed in the same way.
To enter recipients click the To.../CC.../BCC... button and the Select an Address dialog box appears on the
screen.
• To select an administrator or administrator group from the list click the Select from List radio button and
then select the recipient(s) below. You may specify an administrator group as the recipient, in this case the
mail will be sent to all members of this group that have a valid e-mail address entered into their general
data tab.
• Or you may click the Select Manually radio button and enter any valid e-mail address into the field below.
You may also enter more than one address by separating these with a semi-colon, for example,
scotty@enterprise.com;kirk@enterprise.com.
5 Then enter Power Management Summary Report as the Subject of the mail.
6 Click OK to confirm the mail and add it to the list.
7 Click Next to go to the following wizard page.

Step 4: Assigned Objects


In this step of the wizard the objects on which the report is to be generated are to be defined. In our example we
will assign it to our group All Devices for which we generated the power management events. Proceed as follows:
1 Select the Assign Device Group icon ( ).
2 The Assign to Device Group popup window will appear on the screen.
3 Select the device group All Devices from the window.
4 Click OK to confirm the assignment and close the window.
5 The device group will be added to the table of assigned device groups.
6 Click Next to go to the following wizard page.

Step 5: Schedule
The last step in the wizard is the definition of its generation schedule. Our first report we will generate
immediately to be able to examine it right away:
1 Check the Immediately radio button in the Execution Date panel.
2 Then check the Immediately generate the report box at the bottom of the window.
3 Then click the Finish button to confirm the new report and generate it.

4 As usual a confirmation window appears which allows you to move the focus of the
console to the newly created report.
5 Click the Yes button to do so.

Step 6: Report Analysis


Once the report is created and generated it will be displayed in a browser window. To display it proceed as
follows:
1 The focus of the console was moved to the main view of the newly created report.
2 In this window select the Edit->View Last Result menu option or the respective icon ( ) in the icon bar.
3 A browser window opens on the screen requesting identification to the agent.


4 Enter admin as the login with no password.
5 The newly generated report is displayed in the window.

The first part of this summary, the introduction provides you with the following information, which will be the
same for all different types of reports we will generate:
• A general description of the contents of this report

• Time Range displays the timeframe for which the report was generated. If you have not selected a timeframe
as we did, the dates indicated are the date of the first uploaded event as the start date and the date of the last
uploaded event as the end date.
• Group by indicates the distribution of the charts, All in this case meaning that all devices are cumulated in
one single graph.
• Unit indicates in this case that the values provided in the graph are in percent.
• Number of devices displays the total number of members of the group that is assigned to the report.
• Number of devices used for reporting displays the number of devices that uploaded events usable for this
type of report. For the above shown example this indicates that only 2 out of the 8 group members show power
management actions.
The second part of this report is the summary of all data displayed in form of a pie chart with the colour
explanations below.
• The differently coloured pie parts represent the different types of events generated.
• The percentage indicates the representation in percent of the respective event (= power state of the device).
• The displayed graph shows that on those two devices someone was working only 2/3 of the time, for
almost 1/3 of the time the screen saver was running, and they were shut down for only 5% of the time.
• It also shows that at all times someone was logged on to both devices.
• In this graph it is not possible to see the active/inactive time distribution between the two devices; for this, a
report that distinguishes between the devices needs to be generated.
Report 2: Power Management Reporting - Usage per Device
To display the same report with details on each of the devices of the device group in addition to the group
summary modify the report as follows:
1 Select the report in the left window pane.

To learn more about the general options and possibilities of reports, refer to the general report chapter of this
manual or the Console manual.

2 In the right pane select the Options tab.


3 This tab displays the currently selected report options.
4 To modify these either double-click the table entry or select the Properties... icon in the icon bar.
5 The Properties window appears on the screen.
6 In this window now check the Details by Device option. This will display the same information individually
for each device of the assigned device group.

7 Then click OK to confirm and close the window.


8 The report is now reconfigured and must be regenerated.

9 Now select the Edit->Generate Report menu item or the respective icon in the icon bar.
10 The Select Generation Formats window appears on the screen. Click the OK button to confirm the preselected
choice.
11 The report is now generated.
12 Now go to the Report Results->All Devices node below the report.
13 In this view all generated reports are listed in their respective format with their generation status.
14 Once the status Available is displayed the report is ready for display.

15 Select the report entry in the table and click the Edit->View menu option or the respective icon in the
icon bar.
16 A new tab or window of the browser is opened displaying this new report.

This report now shows a graph for each device providing data for the report, in this case two. Compared to the
general summary generated before, the two graphs now display the activity/inactivity and usage of each of the
two devices.
Report 3: Power Management Reporting - Distribution by Weekly Hours
The created report may be modified to display more detailed aspects of the defined power management. Proceed
as follows:
1 Select the report in the left window pane.

To learn more about the general options and possibilities of reports, refer to the general report chapter of this
manual or the Console manual.

2 In the right pane select the Options tab.


3 This tab displays the currently selected report options.
4 To modify these either double-click the table entry or select the Properties... icon in the icon bar.
5 The Properties window appears on the screen.
6 Uncheck the Details by Device option.

If you leave the option checked the report will provide the same information but per device, i.e., all charts will
exist for each device.

7 In the Group by dropdown list select the value Weekly Hours.

8 Then click OK to confirm and close the window.


9 The report is now reconfigured and must be regenerated.
10 Now select the Edit->Generate Report menu item or the respective icon in the icon bar.
11 The Select Generation Formats window appears on the screen. Click the OK button to confirm the preselected
choice.
12 The report is now generated.
13 Click the Edit->View Last Result menu option or the respective icon in the icon bar.
14 The Select a Group window opens on the screen.
15 Click OK to confirm.
16 A new tab or window of the browser is opened displaying this new report.
17 This report is of course only really interesting if your test environment has already run for at least one week to
provide data for each day of the week. In our example the report will only show data for one day, but you will
still see how the report may look.

The report is divided into three different chart types:


1 The first pie chart displays the overall summary, the same as in the first report we generated.
2 The second part consists of a bar chart with one bar for each day of the week. The bars summarise the
power consumption, i.e. the power states of all devices per day.
3 The third part, displayed below, shows a bar chart for each day of the week and each hour of these days and
the energy states for these hours.

If you generated the report by device, the above explained parts will be repeated for each of the devices delivering
data, i.e. having uploaded events to the master database.

Report 4: Energy Costs by Weekly Hours


This report displays the energy costs for each of the hours of the week. To define this report proceed as follows:
1 Select the report in the left window pane.

To learn more about the general options and possibilities of reports, refer to the general report chapter of this
manual or the Console manual.

2 In the right pane select the Options tab.


3 This tab displays the currently selected report options.
4 To modify these either double-click the table entry or select the Properties... icon in the icon bar.
5 The Properties window appears on the screen.
6 Uncheck the Details by Device option.

If you leave the option checked the report will provide the same information but per device, i.e., all charts will
exist for each device.

7 In the Unit dropdown list select the value Price.


8 In the Device Consumption field enter the average consumption of a device. The average consumption for a
current device is between 300 and 500 watts depending on its equipment.
9 In the Kilowatt Hour Rate field enter the price you pay for a kilowatt hour. This rate varies depending on your
country, e.g. 0.11€ as an average value in France.
10 In the Currency field enter the currency in which the kilowatt hour rate above is entered, e.g. Euros or €. The
currency will be displayed in the report in the format you enter it here.

11 Then click OK to confirm and close the window.


12 The report is now reconfigured and must be regenerated.
13 Now select the Edit->Generate Report menu item or the respective icon in the icon bar.
14 The Select Generation Formats window appears on the screen. Click the OK button to confirm the preselected
choice.
15 The report is now generated.
16 Click the Edit->View Last Result menu option or the respective icon in the icon bar.
17 The Select a Group window opens on the screen.
18 Click OK to confirm.
19 A new tab or window of the browser is opened displaying this new report.
20 This report is of course only really interesting if your test environment has already run for at least one week to
provide data for each day of the week, as do the screenshots below to provide you with an idea on how this
may look.

The report is divided into three different chart types:


1 The first bar chart displays the overall cost summary per device state that occurred.
2 The second part consists of a bar chart with one bar for each day of the week. The bars summarise the
power costs per power state of all devices per day.

3 The third part, displayed below, shows a bar chart for each day of the week and each hour of these days and
the energy costs for these hours.

Report 5: CO2 Emissions by Week


This report displays the CO2 emissions per week. To define this report proceed as follows:
1 Select the report in the left window pane.

To learn more about the general options and possibilities of reports, refer to the general report chapter of this
manual or the Console manual.

2 In the right pane select the Options tab.


3 This tab displays the currently selected report options.
4 To modify these either double-click the table entry or select the Properties... icon in the icon bar.
5 The Properties window appears on the screen.
6 Uncheck the Details by Device option.

If you leave the option checked the report will provide the same information but per device, i.e., all charts will
exist for each device.

7 In the Unit dropdown list select the value CO2 Emission.



8 In the Group by dropdown list select the value Week.


9 Leave the value in the Device Consumption field.
10 In the CO2 Emission (g/kWh) field enter the amount of CO2 that is emitted into the atmosphere on average per
kWh. This value also varies by country: in France, for example, it is ~120 grams of CO2 per
kWh, while the European average is 340 grams.

11 Then click OK to confirm and close the window.


12 The report is now reconfigured and must be regenerated.
13 Now select the Edit->Generate Report menu item or the respective icon in the icon bar.
14 The Select Generation Formats window appears on the screen. Click the OK button to confirm the preselected
choice.
15 The report is now generated.
16 Click the Edit->View Last Result menu option or the respective icon in the icon bar.
17 The Select a Group window opens on the screen.
18 Click OK to confirm.
19 A new tab or window of the browser is opened displaying this new report.
20 This report is of course only really interesting if your test environment has already run for at least one week to
provide data for each day of the week, as do the screenshots below to provide you with an idea on how this
may look.
This report only has one chart, a bar chart that displays the weekly consumption per device status in their
different colours.

11.3 Options
The following paragraphs provide you with a number of options that may be used with power
management.
(a) Power Management Inventory Upload Schedule
To define the upload schedule of the Power Management Inventory you have two possibilities:
• Modify the default inventory parameters of the Power Management module
• Define a different schedule via an operational rule and assign it to the targets.
The following paragraph explains the first option, as creating a specific schedule has already been detailed in the
preceding chapters, e.g. in the options of the Configuration Management Step-by-Step chapter. We will change the
basic schedule for all devices, not only for one; therefore we will do this via the power management configuration
rule that we created before:
1 Open the Operational Rules top node in the left window pane.
2 Select the Power Management Configuration rule among its children.
3 Select the Steps tab in the right window pane.
4 Select the entry in the table to the right and double-click it.
5 The Properties window appears on the screen.
6 It displays the following parameters which are available for the inventory management:
Upload on Startup
This checkbox defines if the inventory is uploaded to the master after being updated the first time on agent
startup. It is recommended to activate this option to ensure that the inventory is updated at least at every
startup of the agent.
Differential Upload
This checkbox specifies whether the inventory is to be completely replaced with each upload when differences are
detected, or only updated with the delta, i.e., the modifications of the inventory. By default this value is checked to only
upload the delta.

Upload Interval
This value defines the upload period for the inventory in seconds. If it is set to 0, no uploads are configured by
the module, but they can still be managed through operational rules. The setting only configures the upload of
existing data; it does not include an update of the inventory. The default value is 86400 seconds or 24 hours.
Minimum Gap Between Two Uploads
This parameter defines the minimum time interval between inventory uploads in seconds. If the value is set to
0 this option is deactivated and there is no minimum interval.
7 Make the desired modifications, then click OK to confirm the modifications and again OK to confirm the step.
8 If modifications have been made to an operational rule it must be reassigned to its targets to notify the local
agents of these.
9 Therefore open the Assigned Objects->Device Groups node of the rule.
10 Select the entry in the table to the right.
11 Select the Edit->Reassign Operational Rule menu item or the respective icon in the icon bar.
12 The reassignment process of the operational rule will be launched.
13 You can follow its execution under the Devices node below.
14 Once the status Updated is displayed for all devices, the local agents are aware of the modifications and will
from now on manage the inventory upload according to this schedule.
(b) Regularly Generate (Update) the Inventory
When using the automatic activation a default schedule is assigned to the operational rule: immediate execution,
once. In our case we will define a schedule first and then the assignment must be activated.
For our example it may be useful to run the inventory rule at regular intervals, such as once a week to make sure
all devices are still on their assigned power schemes and the users have not modified these. To do so proceed as
follows:
1 After the device group has been assigned go to the Power Management Inventory->Assigned Objects->Device Groups node.
2 Select the All Devices entry in the table in the right window pane.
3 To define the schedule either double-click the table entry or select the Properties... icon in the icon bar.
4 The Properties window will open on the screen.
5 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.
6 In the Execution Date box define when to run the inventory collection. In our example we will select the
Next Startup radio button to launch the inventory when the agent is started next.
7 Then go to the Termination box below, click the Run Forever radio button.

8 Now select the Frequency tab.


9 Check the Day of the Week radio button.
10 The checkboxes for the individual weekdays become available; all of them are checked.

11 Uncheck all boxes apart from Sunday to make sure the devices start their work week with the right scheme.
12 In the Period drop-down field to the right select the value Once Only.

13 In the field below select the time at which to execute the inventory collection, e.g., 22:00. To modify the
minute value just click in the field with the selected value and change the value, e.g. to 22:30.
14 Click OK to confirm the new schedule and close the window.
15 The status currently displays Assignment Paused, which means you need to activate the new schedule.

If the rule was already executed before and the schedule modified afterwards the status will display Update
Paused.

16 Reselect the All Devices entry in the table and then activate it by selecting the Activate Operational Rule
icon in the icon bar.

If the rule was already executed it must now be reassigned instead of activated. In that case select the Reassign
Operational Rule icon.

17 A confirmation window appears on the screen. Click Yes.


18 The group status will change to Activated.
19 To follow the assignment of the group members select the All Devices subnode and follow the different status
values in the table to the right.
(c) Regularly Upload Events
By default the events are uploaded to the master database once every day at midnight. If the device is offline at
that time, the events are uploaded at agent startup. If this schedule does not fit your requirements you may
change it.
When using the automatic activation a default schedule is assigned to the operational rule: immediate execution,
once. For our example we will schedule the upload to take place every morning at 7, just in time for you to
generate a daily report about the activities of the last 24 hours.
1 If you have unchecked the Default Schedule option in the first window, the last step of the wizard will be the
Schedule window.
2 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.

3 Go to the Termination box below, click the Run Forever radio button.
4 Now select the Frequency tab.
5 Leave the By Schedule and the Run Every Day radio buttons checked.
6 In the Period drop-down field select the value Once Only.

7 In the field below select the time at which to execute the upload, e.g., 07:00. To modify the minute value just
click in the field with the selected value and change the value, e.g. to 07:30.
8 Click Finish to confirm the schedule and terminate the wizard.
9 Continue with the general procedure.
(d) Create/Modify Power Scheme
Creating new power schemes or modifying existing ones is done via an operational rule and its step. The step is the
same for both operations:
1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard.

Step 1: Definition
In this first step the operational rule to be created must be defined via its parameters.
1 Enter Change Power Scheme (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as no packages will be distributed and no dependencies are required
for this rule.
3 Click the Next button to continue.

Step 2: Steps
Only one step is required for this operation:
1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Power Management and select the step Create/Modify Power Scheme.
4 Click the Add button to confirm.
5 The Properties dialog box appears on the screen.
6 Enter a name for the new power scheme in the respective field.

If you are modifying an existing scheme make sure you enter the name of the scheme to be modified exactly as
it is saved in Windows. Otherwise a new one will be generated.

7 Check the box Active Power Scheme to make the new scheme the active scheme right away.
8 Enter the following values for testing purposes in the fields labelled with (AC). This signifies that the
parameter applies to devices with a constant power supply, such as a desktop or a laptop connected to
an electrical outlet:
Monitor Off: 1 Minute
Hard Disc Drive Off: 2 Minutes
System Suspend: 3 Minutes
Hibernate System: 5 Minutes
9 Leave all other values as they are.

10 Click OK to confirm the step.


11 Click OK again to confirm the list of steps for the operational rule and close the window.
12 Click Finish to confirm all choices and create the rule.

13 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.

Step 3: Operational Rule


In the first window of the Operational Rule Distribution Wizard you define which
rule to distribute as well as some distribution options.
1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 Leave all other options as they are.
3 Click Next to continue.

Step 4: Assigned Devices


The operational rule is now created and must be assigned to the devices on which it is to be executed. In our example we
will assign the new power scheme to the group Client Devices.
1 To do so select the Assign Device Group icon on top of the list field.
2 A confirmation window appears on the screen. Click Yes to automatically launch the rule.
3 The Select a Device Group popup window will appear on the screen.
4 Select the Client Devices group.
5 Click OK to confirm and close the window.
6 The device group will be added to the list.
7 Click Finish to terminate the wizard.
8 The last option of the wizard is, as usual, the choice to go directly to one of the
objects. Check the Go to Operational Rule box and click Yes to directly activate
the rule.

Step 5: Verify Power Scheme Application


Once the operational rule is executed on all devices you may verify that it works by leaving all your
client devices inactive. After 5 minutes all devices should be in hibernation.
You may also regenerate a new power inventory by reexecuting (reassigning) the respective operational rule to
display the active power scheme and its parameters.
(e) Change Active Power Scheme
The easiest way to change the active power scheme on a group of devices is again by operational rule:
1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard. Depending on the selections
made in the right window panes, some of these steps will become available/unavailable.
Step 1: Definition
In this first step the operational rule to be created must be defined via its parameters.
1 Enter Change Power Scheme (or any other desired name) into the Name field.
2 Leave all other parameters as they are, as no packages will be distributed and no dependencies are required
for this rule.
3 Click the Next button to continue.

Step 2: Steps
In this window we need to specify the scheme modification operation:
1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Open the Power Management folder and select the Define Power Scheme step.
4 Click the Add button to confirm.
5 The Properties window appears on the screen.

Enter the name of the scheme that is to become the active scheme into the Replacement Power Scheme field.
Make sure you enter it exactly as it is defined in Windows. You may find the exact name either in the console in
the previous inventory, or in the inventory's tab, or in the Power Scheme window of Windows.

6 Then click OK to confirm the parameters and OK again to confirm the new step.
7 Click OK again to confirm the list of steps for the operational rule and close the window.
8 Now click the Finish button to confirm the settings of the new operational rule.
9 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.

Step 3: Operational Rule


In the first window of the Operational Rule Distribution Wizard you define which
rule to distribute as well as some distribution options:
1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 Leave all other options as they are.
3 Click Next to continue.

Step 4: Assigned Devices


The operational rule is now created and must be assigned to the devices on which it is to be executed, in our example the
group Client Devices.
1 To do so select the Assign Device Group icon on top of the list field.
2 The Select a Device Group popup window will appear on the screen.
3 Select the Client Devices group.
4 Click OK to confirm and close the window.
5 The device group will be added to the list window.
6 Click Finish to confirm all choices and launch the assignment and configuration
process.
7 The last option provided by the wizard is again the choice to go directly to the
operational rule. Check the Go to Operational Rule box and click Yes, to directly
activate the rule.

Step 5: Verify Power Scheme Application


Once the operational rule is executed on all devices you may verify if it properly assigned the new scheme by
regenerating the power inventory again. Do so by reexecuting (reassigning) the respective operational rule.
12 Peripheral Device and Data Control - Step by Step
Windows Device Management in the Numara Asset Management Platform is concerned with peripheral devices
and allows you to control the usage of these as well as the connected movement of data, especially all data that
leaves the company. This is done by enabling or disabling specific peripheral devices in your network, e.g. USB
storage, printers, modems, etc.

The Windows Device Management functionality is, as its name indicates, only applicable to Windows, version 2000 and
later.
It is strongly recommended to create only one single rule per peripheral device class. Multiple rules may contradict
each other and thus result in the desired rules not being applied in the network. It is however possible to have different rules
for the different peripheral classes, e.g. one rule for all USB storage devices, one rule for all CD/DVD burners, another one
for all modems, etc.

This chapter is divided into the following sections:


• Device Management Procedures
• Options

Prerequisites
To execute the examples provided in this chapter we assume that:
• you have different USB storage devices available.
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the
NAMP console and its workings.

12.1 Device Management Procedures


The following paragraphs explain the different elements of Windows device management and guide you through
the generation, monitoring and interpretation of the generated events and data. This is done via the following
steps:
1 Configuring Windows Devices for Device Management.
2 Controlling the Data via USB Storage Devices.
3 Device Control Event Monitoring

12.1.1 Configuring Windows Devices for Device Management


The first step when managing the peripherals of Windows devices is to configure the local device management
module and make sure it is loaded on all Windows devices. This is composed of the following steps:
1 Load and Configure Device Management Module
2 Assign and Execute the Operational Rule
Step 1: Load and Configure Device Management Module
1 Select the Operational Rules top node in the left window pane.

2 Select the Edit->Create Operational Rule menu item or the respective icon in the icon bar.
3 The Properties dialog box appears on the screen.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option
(a) now.

4 Enter Device Management Configuration (or any other desired name) into the Name field and click OK to
confirm.
5 Select the newly created rule and go to the Steps tab.
6 Either choose the Edit->Add Step menu item or click the respective icon in the icon bar.
7 The Select a Step popup window will appear on the screen.
8 Expand the item Agent Configuration and select step Load/Unload Module.
9 Click the Add button.
10 The Properties dialog box appears on the screen.
11 From the dropdown list of the Module Names field select the Windows Device Management option.
12 Leave all other options as they are.
13 Click the OK button to confirm.
14 Now select the step Windows Device Management Module Setup.
15 Click the Add button.
16 The Properties dialog box appears on the screen.
17 Check the Log Events box.
18 Click the OK button to confirm.
19 Now click the OK button again to confirm the list of defined steps for the operational rule and to close the
window.

Step 2: Assign and Execute the Operational Rule


The operational rule is now created and must be assigned to the devices on which it is to be executed. In our example we
will select the group All Devices.
1 Click the Assigned Objects, then Device Groups node in the left window pane under your newly created
operational rule.
2 Select the Assign Device Group icon in the icon bar.
3 A confirmation window appears on the screen. Click Yes to automatically launch the rule.
4 The Select a Device Group popup window will appear on the screen.
5 Select the group All Devices.
6 The device group will be added to the table in the right pane with the status Activated.
7 Once the status of all its members, which you can see under the subnode All Devices, is displayed as Executed,
the devices are ready for device management.

12.1.2 Controlling the Data via USB Storage Devices


In this example we will create an operational rule which controls the USB storage devices. That means we will
define which storage units are allowed to connect to the network devices via USB and refuse all others. The rule
will therefore have the following steps:
• Reset Device Management Rule to make all previous USB storage device rules invalid.
• Create Device Management Rule allowing the respective device.
• Create Device Management Rule forbidding all other USB storage devices.
Step 1: Create USB Storage Device Control Rule
This rule is to allow the usage of one very specific USB storage device type that has been distributed to all
employees who are allowed to exchange and transfer data via USB storage devices. All other USB storage devices will be
forbidden.
1 Select the Wizards->Operational Rule Creation menu item or the respective icon in the icon bar.
2 The Operational Rule Creation Wizard appears on the screen.
3 The left pane of the wizard window displays all available steps of this wizard.

Step 1a: Operational Rule


In this first step the operational rule to be created must be defined via its parameters.
1 Enter USB Storage Device Control (or any other desired name) into the Name field.

If you want to create the new rule in a specific folder instead of under the operational rules top node see Option
(a) now.

2 Leave all other parameters as they are, as no packages will be distributed and no dependencies are required
for this rule.

3 Click the Next button to continue.


Step 1b: Steps
In this window we need to define the operations necessary to configure the device management which is done via
three separate steps:
1 Select the Add Step icon on top of the list field.
2 The Select a Step popup window will appear on the screen.
3 Expand the item Windows Device Management and select step Reset Device Management Rule.

A rule defining the management of a specific device class should always use the Reset Device Management Rule
as its first step. This is to make sure there are no other rules that are already assigned or used and that may
interfere with this new rule.

4 Click the Add button.


5 Leave all values as they are, as the USB Storage Devices is already preselected in the Class Type field.

6 Click the OK button to confirm and add this step to the list of Selected Objects.
7 Then select step Create Device Management Rule.
8 Click the Add ( ) button.
9 The Properties dialog box appears on the screen.
10 The USB Storage Devices option is already preselected.
11 Check the box Authorise. This will allow the usage of the USB storage defined below.
12 In the Filter Type field select the option Exact Match.
13 Into the field Device Description Filter enter the exact name of the USB storage to allow. If the name is not
correct, the storage will not be recognised when it is connected.

If you are not sure about the exact name see Option (c) now to find out.

To allow all USB keys of a specific manufacturer or type see Option (b) now.

14 Click the OK button to confirm and add this step to the list of Selected Objects.

15 Then select step Create Device Management Rule again.


16 Click the Add ( ) button.
17 The Properties dialog box appears on the screen.
18 The USB Storage Devices option is already preselected.
19 Leave the box Active unchecked. This will prohibit the usage of all other USB storages.
20 In the Filter Type field select the option Pattern.
21 Into the field Device Description Filter enter the asterisk wildcard character (*).
22 Click the OK button to confirm and add this step.

When creating a list of conditions always start with the most restrictive condition and work your way down to the
most general. A step prohibiting or allowing "the rest" or "all others" should always be the last in the rule.

23 Click OK again to confirm the list of steps for the operational rule and close the window.
24 Now click the Finish button to confirm the settings of the new operational rule.
25 A confirmation window appears on the screen which allows you to directly
continue with the Operational Rule Distribution Wizard. Click Yes to continue
directly with the distribution of the new rule.

Step 2: Assign the Operational Rule to the Targets


The assignment is directly continued from the creation process via the Operational Rule Distribution Wizard
that appears on the screen:
Step 2a: Operational Rule
In the first window of the Operational Rule Distribution Wizard you define which rule to distribute as well as
some distribution options:

1 The Name field is inaccessible as the operational rule to distribute is already preselected, i.e. the one we just
created.
2 Leave all other options as they are.

3 Click Next to continue.


Step 2b: Assigned Devices
The operational rule is now created and must be assigned to the devices on which to execute, in our example the
group All Devices.
1 To do so select the Assign Device Group icon ( ) on top of the list field.
2 The Assign to Device Group popup window will appear on the screen.
3 Select the group All Devices.
4 Click OK to confirm and close the window.
5 The device group will be added to the list window.

6 Click Finish to confirm all choices and launch the assignment and configuration
process.
7 The last option provided by the wizard is to go directly to one of the objects, i.e.
the operational rule or the task, if one was created. For our example we will
directly activate the rule and change the focus to it; therefore check the Go to
Operational Rule box and click Yes to directly activate the rule.
8 The device group will be added to the table in the right pane with a status
Activated.
9 To follow the assignment process select the All Devices subnode below and follow the status in the right
window pane for the group members.

12.1.3 Device Control Event Monitoring


Events may be monitored locally and centrally once the data is uploaded to the NAMP database, and they may be
monitored individually for a single device or for all the members of the group.
• Local Event Monitoring
• Monitoring the Results on the Master
Step 1: Local Event Monitoring
Once the status for the device group members displays Executed, the rule was received on the target and the
specified peripheral device control is activated. You can now monitor what is happening concerning device
management locally on each of the devices of your group. For this some device management activities need to be
carried out on one of the devices, i.e. the master.
Once some device management activities are carried out on one of the devices you can monitor these locally as
follows:
1 Open the node Device Topology->Master->Agent Configuration->Module Configuration->Windows Device
Management.
2 This node displays in its first tab the configuration parameter concerning the event logging which was
activated via the first operational rule.
3 Select the next tab, Rule List. Here you will find the list of all steps of the device rules that are assigned to the
currently selected device. In our example there is only one rule yet, consisting of two steps. The first step, the
rule reset step, will never appear in this list.
4 Now select the tab Events.
5 As we have activated event logging, every time a USB storage is connected to the device an event is logged in
this table.
6 Connect the USB storage device to the master that was admitted in the second step. Execute some operations
on it, copying, creating, deleting, etc.
7 Now connect another USB storage device to the master. The master will recognise the new hardware, it will be
displayed in the Windows Device Manager window but not in the Windows Explorer, as it is unusable.

Depending on the operating system of the master, an error message might appear in the SysTray that an error
occurred with the newly found device.
8 In addition an event is logged by the NAMP agent and displayed in the tab.

Step 2: Monitoring the Results on the Master


Up to now the event data are only available locally on the agent. However, to be able to print reports on this topic
and to view them in the console these events must be specifically uploaded to the master and its database. This is
done via an operational rule:

By default these events are configured to be uploaded every 24 hours, i.e. at midnight to the master database. If
the agent is not running at this time the events will be uploaded at agent startup. If this schedule does not
correspond to your requirements you may assign it a different schedule. You will find information on how to do
so in the Configuration Management chapter earlier in this manual.

1 Go to the Operational Rules top node in the left window pane.


2 Click on the Create Operational Rule icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Upload Resource Management Events into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the operational rule.
7 Go to the Steps tab.
8 Click the Add Step icon ( ) in the icon bar to add the first step.
9 The Select a Step popup window will appear on the screen.
10 It displays the list of available steps in its Available Steps box.

11 Double-click the Event Log Manager folder.


12 Select the step Upload Events and click the Add ( ) button.
13 The Properties dialog box appears on the screen.
14 From the Model Name dropdown list select the Windows Devices value and leave all other fields as they are.
15 Then click OK to confirm the parameters and OK again to confirm the new step.
16 The operational rule is now configured and must be assigned to the target, i.e. the group All Devices.
17 Go to the Assigned Objects->Device Groups node in the left window pane under your newly created
operational rule.
18 Select the Assign Device Group icon ( ) in the icon bar.
19 A confirmation window appears on the screen. Click Yes, to activate the operational rule automatically.

20 The Select a Device Group popup window will appear on the screen.
21 Select the group All Devices from the list.

22 Click OK to confirm the assignment.


23 Follow the execution of the operational rule under the assigned group.
24 Once the status is Executed for all members of the group, all data are uploaded.
25 To verify this go to the Events->Event Logs node of the master.
26 This node displays the list of all events registered by the event log models for the selected device group.

27 To display the device management events instead of the default software distribution events select Windows
Devices from the Model Name dropdown list.
28 Then click the Find button.
29 The table below will now display all events that were uploaded and continue to be uploaded.

30 Now all data are uploaded and ready and reports may be generated.
31 For more information on how to create and generate reports see chapter Reports Step-by-Step.

12.2 Options
The following paragraphs will provide you with a number of options that may be used to modify the operational
rule application.
(a) Creating a Rule in a Specific Folder
When creating a new operational rule it may be directly created in a folder instead of under the Operational Rules
top node, which is the default location. To do so proceed as follows:
1 To add it to another folder click the icon to the right of the Folder field (...).
2 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder
does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon ( ) below
the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window
to confirm the new application list folder.
3 Select the target folder and click the OK button to confirm and to close the window and return to the original
window.
(b) Allow all Devices of a Specific Manufacturer
Instead of limiting the usage to one specific USB key you may also limit the usage to all keys of a specific
manufacturer, for example to those that your company provided to all those employees needing to exchange data.
For this proceed as follows:
1 In the Properties dialog box enter the following values:
2 In the Filter Type field select the option Pattern.
3 Into the field Device Description Filter enter the part of the name that is common to all USB keys of the
manufacturer, preceded and/or followed if necessary by the asterisk (*) wildcard character, e.g. *Cruzer*.
This will allow all USB storage devices whose name includes Cruzer to be used on the managed devices.
4 Proceed with Point 14 (page 292) of the general procedure.

(c) Correct Device Name


When specifically allowing or forbidding the usage of a certain device peripheral the correct name under which
the device will be registered in the Device Manager must be used. You can find the correct name thus:
1 Connect the device peripheral in question to a device.
2 Open the Computer Management window.
3 Open the Computer Management (local)->System->Device Manager node in the left window pane.
4 In the right window pane the local device will now be displayed with all its parameters.
5 Open the node Disk Drives.
6 Under this node you should find all hard disks of the device as well as any removable peripheral devices.
7 Copy the name that you find here for the desired peripheral exactly to the field Device Description Filter of
the step.
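The ordering advice in Step 1b and the filter choices in Options (b) and (c), modelled as an added example (this is not NAMP code and not taken from the manual). It assumes that the first matching step decides, that * is the only wildcard, that matching is case-sensitive and that a device matching no step stays usable; the device descriptions are constructed, and the Reset Device Management Rule step is left out because it carries no filter.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleStep:
    """One 'Create Device Management Rule' step, reduced to the fields the manual sets."""
    filter_type: str         # "Exact Match" or "Pattern" (the Filter Type field)
    description_filter: str  # value of the Device Description Filter field
    authorise: bool          # True = device may be used, False = forbidden


def step_matches(step, description):
    """Assumption: case-sensitive comparison, '*' is the only wildcard."""
    if step.filter_type == "Exact Match":
        return description == step.description_filter
    if step.filter_type == "Pattern":
        regex = re.escape(step.description_filter).replace(r"\*", ".*")
        return re.fullmatch(regex, description) is not None
    raise ValueError(f"unknown filter type: {step.filter_type!r}")


def decide(steps, description):
    """Return (allowed, 1-based number of the deciding step, or None).

    Assumptions: the first matching step decides; a device that matches
    no step at all stays usable.
    """
    for number, step in enumerate(steps, start=1):
        if step_matches(step, description):
            return step.authorise, number
    return True, None


def lint(steps):
    """Flag steps that can never decide and a missing forbid-all last step."""
    findings = []
    for number, step in enumerate(steps, start=1):
        for earlier_number, earlier in enumerate(steps[:number - 1], start=1):
            catch_all = (earlier.filter_type == "Pattern"
                         and earlier.description_filter == "*")
            covers_exact = (step.filter_type == "Exact Match"
                            and step_matches(earlier, step.description_filter))
            if catch_all or covers_exact:
                findings.append(
                    f"step {number} can never decide: shadowed by step {earlier_number}")
                break
    last = steps[-1] if steps else None
    if not (last and last.filter_type == "Pattern"
            and last.description_filter == "*" and not last.authorise):
        findings.append("last step is not a forbid-all catch-all (Pattern '*')")
    return findings


# Constructed Device Manager names (Disk Drives node), for illustration only.
ISSUED = "Acme Cruzer USB Device"
OTHER = "Other Vendor Flash USB Device"
LOOKALIKE = "NoName Cruzer-style USB Device"

# Step 1b as documented: allow the issued key exactly, then forbid the rest.
AS_DOCUMENTED = [RuleStep("Exact Match", ISSUED, True),
                 RuleStep("Pattern", "*", False)]
# Same steps in the wrong order: the catch-all now decides for every device.
MISORDERED = list(reversed(AS_DOCUMENTED))
# Option (b): allow by name fragment instead of exact name.
VENDOR_PATTERN = [RuleStep("Pattern", "*Cruzer*", True),
                  RuleStep("Pattern", "*", False)]

if __name__ == "__main__":
    for label, steps in (("as documented", AS_DOCUMENTED),
                         ("misordered", MISORDERED),
                         ("vendor pattern", VENDOR_PATTERN)):
        print(label)
        for device in (ISSUED, OTHER, LOOKALIKE):
            allowed, number = decide(steps, device)
            print(f"  {device!r}: {'allowed' if allowed else 'forbidden'} by step {number}")
        for finding in lint(steps):
            print(f"  warning: {finding}")
```

Under these assumptions the *Cruzer* pattern admits every device whose description contains that string, which is why the Exact Match rule of Step 1b is the tighter of the two choices.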
13 Patch Management Step-by-Step
Today, network administrators everywhere are scrambling to secure their networks. One of the most potentially
destructive security threats is unpatched computers. Keeping security patches up to date is one of the most
effective solutions available. The Patch Management functionality of Numara Asset Management Platform, the
Numara Patch Manager, is completely automated to make patching painless: it scans, remediates and reports on
your whole network, all from the comfort of your own computer.
As shown in the graphic below, the patching process consists of the following individual steps:
1 Update the patch description file on the master and the clients
2 Create and execute the Patch Situation Analysis operational rule on the target device
3 Upload the patch inventory for the client population
4 Download missing patches from the Internet
5 Create the patch packages
6 Create the patch groups and have them send the missing patches to the target devices and install the patches.

[Figure: the patching process between the Internet, the Master (Patch Manager) and the Target Client, with the
numbered steps listed above: ConfigFiles / ConfigFiles.cst (1), Patch Situation (2), Patch Inventory (3),
Patches (4), Patch Packages (5), Patch Group (6).]

By default the devices in the network are configured in such a way that the master will automatically update its
patch description file every two days and the client agents will verify with the master at each startup if they are
up-to-date. In case they are not, the master will then directly provide them with the newest patch description file.
If these settings are not adapted to your needs, you will find the detailed procedure on how to modify these values
at the end of this chapter. Our example procedure in this chapter is based on the assumption that both master and
clients are up-to-date.
This chapter is divided into the following sections:
• Patching Your System
• Patch Reporting
• Patch Management Options
300 - Numara Patch Manager

Prerequisites
To execute the examples provided in this chapter we assume that:
• the Microsoft XML parser MSXML 3.0 is installed on all devices to be patched, i.e. on the master and
any other target devices. For Windows XP and later it is already preinstalled.
• the master has access to the Internet
• the master is the Patch Manager
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the AMP
console and its workings.

13.1 Patching Your System


Making sure your system is up-to-date concerning the available patches requires the following steps:
1 Update ConfigFiles on master and client
2 Create patch inventory operational rule
3 Assign operational rule to target
4 Monitor rule execution progress
5 Verify patch situation via the patch inventory
6 Execute Patch - Service Pack Distribution
7 Monitor Patch Application
8 Patch Reporting
In our main example in this chapter we will make sure that your master is correctly patched.

If the master device is installed on a Windows operating system it is by default also the Patch Manager; if the master is
installed on any other operating system no Patch Manager is defined by default. In this case you need to define a Patch
Manager as explained in Option (d) before starting on the procedure described below.

Step 1: Update ConfigFiles


Before any patch management should be undertaken make sure that the patch description group of files,
ConfigFiles, is of the latest version. If you have left the standard settings of the Patch Management module this
should be the case. However you may verify by proceeding as follows:
1 Open the Patch Management->Patch Manager->Patch Manager (master)->Configuration->Update node in
the left window pane.

If you want to define another device as the Patch Manager please see Option (d).

To configure the Patch Manager update process differently see Option (h).

If you do not have an Internet connection on the master and need to manually update the Patch Manager see Option
(i) now.

2 Select the ConfigFiles entry in the table in the right pane.


3 Select the Edit->Update ConfigFiles menu item or the respective icon ( ) in the icon bar.
4 A link with the web site will be established to download the newest version of the file.
5 The file is then parsed, the list of currently existing bulletins is extracted and put into the tables of the
respective nodes, and a custom package containing all the necessary information for the clients is created
and published to the master.
Chapter 13 - Patch Management Step-by-Step - 301

6 You can follow these steps via the Status column which will indicate the currently executing step.
7 Click the Refresh button ( ) repeatedly to see the status values changing, as this page does not refresh
automatically.
8 The update process is finished when the Status column displays the status Database Up To Date.
9 Once the package has arrived on the master it will be sent to all devices according to the settings in the
module.
10 If you have switched off this option you must manually create an operational rule and send the package to all
the targets for which the patch inventory is to be established.

Step 2: Create Patch Inventory Operational Rule


The next step of patch management is to verify the patch situation of the individual devices in your network by
establishing an inventory of the patches already installed on the device and those missing. This is done via an
operational rule executed on your target devices. The first action to take is to create the operational rule.
1 To do so select the Operational Rules top node in the left window pane.
2 Click the Edit->Create Operational Rule menu item or the respective icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Patch Situation into the Name field and then click the OK button.
5 The new operational rule is added to the list of members in the right pane. Double-click it.
6 Go to the Packages tab.
7 Either choose the Edit->Add Package menu item or click the respective icon ( ) in the icon bar.

Before the patch situation is evaluated on a client it is recommended to always make sure that the client has
the latest version of the ConfigFiles package installed. This group of files is the basis on which the patch
inventory is established. If you establish an inventory with an obsolete ConfigFiles you might miss newly
released important patches.

8 The Select a Package dialog box opens on the screen. It displays the list of available packages in its display
window.
9 Select the ConfigFiles.cst package and click OK to add it to the operational rule and close the window.

10 Go back to the Steps tab. You will see that two steps were automatically added to the rule.

When a package is added to an operational rule the necessary steps are automatically added to the rule as
well, i.e. a step to verify if the target has the right operating system on which the package is to be installed and
the step to install the package itself.

11 Select the Install Package step in the table.


12 Then click the Edit->Properties icon ( ) in the icon bar.
13 The Properties dialog box opens on the screen.
14 Select the option Stop on failed step for field Stop Condition.
15 Then click OK.
16 Now click the Add Step icon ( ) in the icon bar.
17 The Select a Step popup window will appear on the screen.
18 Double-click the Patch Management folder and select the Analyse Patch Situation step of this group.

19 Click the Add button ( ) to add the step to the list of Selected Objects.
20 The Properties dialog box will appear on the screen displaying the parameters to be defined.
21 Check the remaining options: Force Upload, Bypass Transfer Window.

22 Then click OK to close the window.


23 Click OK to add the step to the operational rule and close the Select a Step popup window.
24 The operational rule is now configured.

Step 3: Assign and Execute the Operational Rule Immediately


The operational rule is now created and must be assigned to the target devices; for our example here we will
assign it to the group All Devices.
25 To assign the group select the Assign Device Group icon ( ) in the icon bar.

26 A confirmation window appears on the screen. Click Yes, to activate the operational rule directly.

If you want to schedule the execution of this rule at regular intervals, click No and see Option (b).

27 The Assign to Device Group popup window will appear on the screen.
28 Select the All Devices group from the list.

29 Then click OK to add it and close the window.


30 The patch process is started directly!

Step 4: Monitor Rule Execution Progress


In the right window pane of the Device Groups->Assigned Objects node you can see the entry for the assigned
group with its status Activated. To follow the execution of the rule through the different status values the
process passes, select the All Client Devices without Firefox subnode. In the table to the right you should see
all members of the group with the following successive status values:
• Assignment Waiting
• Assignment Sent
• Assigned
• Ready to run
• Executed
One of the following status values may be shown if the execution failed:
• Verification Failed - this status may appear, if for example the operating system of the target is of an
unsupported type, e.g. Linux or Solaris.

For more locations where you can monitor the patch distribution and location refer to Option (e).

At any moment you can use the Refresh button ( ) in the toolbar.

The bottom right counter tells you the seconds before the status is refreshed automatically.

Step 5: Verify Patch Situation via the Patch Inventory


Once the rule has successfully executed you can verify in the inventory which patches need to be applied. To do
so proceed as follows:
1 Open node Device Topology->Relay->Inventory->Patch Inventory->Missing Patches.
2 Under this node all patch bulletins that are available for the master’s operating system but have not been
applied are displayed.

Step 6: Execute Patch - Service Pack Distribution


Once the patch inventory has identified the patches which are missing, they must be downloaded and applied.

Patch Management is generally done via the concept of patch groups. For more information on this please refer to
the Numara Patch Manager manual.

Patch management offers a wizard via which the patch situation of a device may be directly remedied. In our
example here we will use the Patch - Service Pack Distribution directly from the Patch Inventory/Missing Patches
node of our Master.

The patch wizard is directly accessible from the main menu and other locations in the console as well: from the
patch inventory of a device and a device group and as well from individual bulletins in the Patch Management
node. Depending on the location from which you launch the wizard its window content and the window order
might be different than the one explained below.

1 Select a missing bulletin for the master in the table of the node Device Topology->Master->Inventory->Patch
Inventory->Missing Patches.

Please do not choose an MS Office patch for this first patch process! These patches require quite some
additional information and configuring. You will find an example for an MS Office patch installation in the
options.
You can verify what type of patch it is by checking the respective entry in the Affected Product column.

2 Then select the Edit->Fix menu item ( ) in the menu bar.


3 If you have selected a patch that has been replaced by a more recent patch, the
Superseded Patches window appears on the screen. It lists all patches in the inventory which have more
recent versions. You can either continue, in which case the initial patch as well as the
superseding patch will be installed, or cancel and restart the fixing process by selecting the more
recent patch version.

Step 6a: Fix Selection


The patch wizard appears on the screen with its first window. Here you need to define which type of wizard you
want to use.
1 We will do the whole patching process, therefore check the option Download and Apply Patches.

2 Then click Next to continue.

Step 6b: Patch Manager


In the next step the Patch Manager must be selected. Click Next as we only have one patch manager which is
already preselected.

Step 6c: Patch Group


The following window is concerned with the patch groups. Patch application and installation in NAMP is
executed via the concept of patch groups. These contain all necessary information of the respective bulletins and
the patch executables. As no patch groups exist yet, the list in the window is empty and we must create
one. Leave the preselected option and click Next to continue.

Step 6d: Patch Group Configuration


In the next step the new patch group must be configured. To do so proceed as follows:
1 Enter a name into the Name field, e.g. Relay Patches.

To create the new patch group in a specific folder refer to Option (g) now.

2 Then click Next to continue.



Step 6e: Patch Languages


The following step specifies the language of the patch to apply. Check the language of the operating system of
your master, most probably English in our case. Click Next to continue.

Step 6f: Installation Parameters


In the next step of the wizard the patch group will be configured, i.e. the way the patches are installed. Make the
following choices in this window:

• In the Reboot Type box select the value Reboot after deployment. Be aware that if you do not reboot after
installation when a reboot is expected by one of the patches installed, this patch will still be seen as
missing even if you force a scan after install by the option below.

A reboot may not be necessary, but to be sure it is always recommended to do so anyway. If the reboot is
required by the patch and you have not selected this option, the patch will not be completely installed until
the device is rebooted. Also if no reboot is done, the patch inventory is not updated.

• Check the Force patch inventory scan after install and Force patch inventory upload after install boxes.
This will automatically reschedule the patch inventory generation, so you can verify if the patch was
properly installed.
• Under the Office Installation Parameters select No Office Patch Installation from the Office Install
Type drop-down list.

If you are applying and installing an MS Office patch please see Option (a) now.

Then click Next to continue.

Step 6g: Reboot Options


As we have selected to reboot the affected device after the patch installation we need to define the parameters for
the safe reboot in the next window.
1 Make the following additional choices and modifications:
• Check the fields Reboot after Disconnection and Cancel Reboot.
• Enter the value 1 in both fields Countdown Timer Incrementation Value and Initial Countdown Timer.
• Enter 3 into the Countdown Timer Maximum Extension field.

2 Then click Next.

Step 6h: Schedule


The last step of the wizard concerns the scheduling of the patch installation on the target. As we want to start the
patching process immediately, leave all values untouched and click Finish to confirm all defined options.

If you want to schedule the patching process at a specific later time see Option (c) now.

Step 6i: Activation


The last step is to directly activate the patch group and thus launch the patching process via the appearing
window. If you do not directly activate you must go to the respective patch group and manually activate it at the
desired time.
1 To go directly to the patch group selected or created in the wizard after the window has closed, check the
Go to Patch Group box. For our first test run we will check this box and click Yes to directly activate the
patch group.
2 The patch application will now be launched and the installation is started.
3 The focus of the console will switch to the Master Patches patch group under the Patch Management node.

Step 7: Monitor Patch Application


Patch installation may be monitored via a number of different views. But first you need to give the devices in your
group some time to receive the patches, install, reboot and execute a new patch inventory.

To receive more information on the different locations for monitoring the patch application refer to Option (e).

We are currently on the Relay Patches patch group under the Patch Management node from where we may
follow the execution of the actual patch installation with its different stages.
1 Go to the Downloading Patches tab.
2 As long as the patch is listed in this window it is not yet assigned to the patch group. Once it has finished
downloading it disappears here and is listed in the Patches tab.
3 Now go to the Assigned Objects->Devices node.
4 In the table to the right you will find the entry for the relay and you may follow the patching process in the
view's schedule Status column. The initial status is Affected and the final status should be Patch group
successfully installed, as shown in the graphic below.

5 Once this status appears we may go to the History tab of the Patch Inventory node of the master (Device
Topology->Master->Inventory->Patch Inventory). This tab displays a sort of a log of everything that
happened to the inventory entries. For the patch inventory this means, that once a patch has been fixed it will
move from the Missing Patches node to this tab.
6 If this view is still empty, this means that the patch inventory process is not yet finished. Keep refreshing
( ) the view.
7 Once the inventory is finished this view will display the entry we selected to be patched from the initial
inventory.

13.2 Patch Reporting


Once data on the patch situation on individual devices and the network in general is available it may be
summarised or detailed by reports. The NAMP console provides a number of report templates specifically for
patch management, which will be explained in the following paragraphs.
We will create and generate some examples of the available templates. Depending on the content these reports
may either be assigned to a device group or to a patch group. You may also create your own style-based reports as
explained in the Report chapter earlier in this manual. For a detailed explanation on all available templates refer
to chapter Numara Patch Manager Report Templates on page 159 of the Numara Patch Manager manual.
Report 1: Patch Deployment Status by Device
This report is already created via the out-of-the-box objects, ready to be assigned to a target and to be generated.
Proceed as follows:
1 Open the Patches folder under the Reports node in the left window pane and select the report Patch
Deployment Status by Device.
2 Go to its Assigned Objects->Device Groups node.
3 Either choose the Edit->Assign Device Group menu item or click the respective icon ( ) in the icon bar.
4 The Assign to Device Group popup window will appear on the screen.
5 Select the All Devices group from the window.

6 Click OK to confirm the assignment and close the window.


7 The device group will be added to the table of assigned device groups.
8 Then go back to the Patch Deployment Status by Device report node in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.

11 The report will be created immediately using the current data in the database concerning the assigned device
group.

The report result which is generated will be put in all the required places according to the report's settings. This
means it will be available under the Report Results node of the report, as well as under that of the device
group it is assigned to.

12 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
13 The generation of this type of report may take a little while, therefore reselect the icon until the report appears.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report.
This report displays an overview of the patch deployment situation per device of a device group including the
following information:

Report 2: Patch Management Executive Summary


The next report needs to be created first before it can be generated. Proceed as follows:
1 Select the Patch Management Executive Summary in the left window pane.
2 Go to its Assigned Objects->Patch Groups node.
3 Either choose the Edit->Assign Patch Group menu item or click the respective icon ( ) in the icon bar.
4 The Assign a Patch Group popup window will appear on the screen.
5 Select the patch group that you created in the wizard from the window.

6 Click OK to confirm the assignment and close the window.


7 The patch group will be added to the table of assigned patch groups.
8 Then go back to the Patch Management Executive Summary report in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.
11 The report will be created immediately using the current data in the database concerning the assigned patch
group.
12 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
13 Generating this type of report may take a little while; reselect the icon until the report appears.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report.

This report provides an overview of different aspects of a specific patch group in the form of a number of charts on
the following topics:
• Patch Severity Status
• Top 10 Vulnerable Devices
• Top 10 Missing Bulletins
• Top 10 Affected Product Families
• Top 10 Affected Products
Patch Severity Status
This first pie chart classifies the distributed patches according to their severity.

Top 10 Vulnerable Devices


This bar chart displays a list of the 10 group members on which the most vulnerabilities were found with their
respective count.

Top 10 Missing Bulletins


This bar chart displays the 10 bulletins which are missing most often on the group members and shows on how
many members each is missing.

Top 10 Affected Product Families


This pie chart shows the distribution of the 10 most affected product families among the group members.

Top 10 Affected Products


This pie chart shows the distribution of the 10 most affected products among the group members.

13.3 Patch Management Options


The following paragraphs will provide you with a number of options that may be used to modify the patching
processes.
(a) Install MS Office Patch
Microsoft Office patches require some very specific information to be entered in the patching wizard:

1 At Step 6: Point Step 6f: (page 308) select Full File Installation from the Office Install Type drop down
box.
2 The fields below the drop down list become available now.
3 Enter the following values:
Path
Enter into this field the location of the MS Office Installation CD. This may be a local path, e.g.
C:\patchex\MS\office\office2000 or it may be a network share, such as
192.155.1.24\CDSERVER\MSOFFICE2000.
User Name
If the CD location is on a device\share that requires identification you must enter here a user name with
which it may be accessed. Otherwise you can leave the field empty.
Password
If identification is required enter here the password for the login specified above.
Product Name
This field needs to contain the exact name of the product to patch. To find the correct name check the
respective entry in the Affected Product column of the patch inventory. Then click the Find button to the right
and the Product List window opens on the screen. In this window choose the product name as mentioned in
the Affected Product column. Click OK.

4 Then continue the process as described in the main procedure.


(b) Schedule the Patch Inventory Update Rule at Regular Intervals
When using the automatic activation a default schedule is assigned to the operational rule: immediate execution,
once. In our case we will define a schedule first and then the assignment must be activated.

Not automatically activating an assignment is of interest if a schedule other than the default schedule is to be
used, or if the operational rule is to be advertised rather than assigned to a specific device or user. Advertising in
this case means, that the operational rule will be available on the browser agent interface locally for further use.

For our example of the Inventory Management rule it may be useful to run this rule at regular intervals, such as
every day at start up, to have the most accurate view of the device’s situation. To do so proceed as follows:
1 At Step 3: Point 26 (page 303) answer No.
2 After Step 3: Point 29 (page 303) proceed as follows:
3 Select the master in the table in the right window pane.
4 To define the schedule either double-click the table entry or select the Properties icon ( ) in the icon bar.
5 The Properties window will open on the screen.
6 First go to the Validity tab. This tab allows you to define the activation of the execution and its termination.

7 In the Execution Date box define when to run the inventory collection. In our example we will select the
Next Startup radio button to launch the inventory when the agent is started next.
8 Then go to the Termination box below, click the Run Forever radio button.
9 Now select the Frequency tab.
10 In the Period drop down field leave the value Once Only.

11 In the field appearing below select the time at which to execute the inventory collection, e.g., 03:00. To
modify the minute value just click in the field with the selected value and change the value, e.g. to 03:30.

Inventory collection can be quite resource-consuming, so it is advisable to run these rules when the
network load is low, i.e. during the night, if the devices are not shut down.

12 Leave all other fields as they are.


13 Click OK to confirm the new schedule and close the window.
14 The status will still display Assignment Paused, which means you need to activate the modified schedule.
15 Reselect the Inventory Management rule in the table and then activate it by selecting the Activate
Operational Rule icon ( ) in the icon bar.
16 The status will change to Update Waiting.

(c) Schedule Patching Process at a Specific Time


To launch the patch assignment and/or installation and application not immediately as done in our main example
but at some other time proceed as follows:
1 At Step 6: Point (page 310) modify your choices in the wizard window.
a For example to still immediately execute the patch group on the targets but assign it at a less busy time,
such as lunch time mark the following:

Assigning a patch group signifies that the patch packages will be sent to all targets. If the patch group
contains several packages and maybe even large ones, it may be advisable to assign the group at a low
network time, such as lunch time, during the night or even weekends.

- In the Select Assignment Date box check the Deferred to radio button and select Today from the
drop-down field and then select 12:00 from the drop-down list in the at field.
- Leave the Immediately radio button selected in the Select Execution Date box.
b To assign the patch group during the night from Friday to Saturday and launch the installation at the next
agent start up make the following selections:
- In the Select Assignment Date box check the Deferred to radio button and select the date of the next
Saturday from the calendar that appears when you click the little down arrow of the field. Then select
03:00 from the drop-down list in the at field.
- In the Select Execution Date box select the Next Startup radio button.

2 Then click the Finish button and continue with the next point of Step 6: of the main procedure.
(d) Define a Different Patch Manager
To be able to manage patches a device must be a Patch Manager. Any device may be a Patch Manager; it only needs
to be defined as such. This may be done either in the properties of the device or in the Patch Management node. To
add a device to the Patch Management as a Patch Manager proceed as follows:
1 Select the Patch Management->Patch Manager node in the left window pane.
2 Then either choose the Edit->Add Device menu item or click the respective icon ( ) in the icon bar.
3 The Add a new Patch Manager popup window will appear on the screen.
4 Select the All button ( ) in the left window bar and select the new device which is to be a Patch Manager
from the list.

5 Then click OK to add it and close the window.


6 The device will be added to the table of Patch Managers and its configuration parameter will be updated
accordingly.

(e) Monitor Patch Application


Patch installation may be monitored via a number of different views. But first you need to give the devices in your
group some time to receive the patches, install, reboot and execute a new patch inventory. Monitoring may be
done via:
• The Assigned Operational Rules node of the device group or individual devices
• The Assigned Device Groups/Devices nodes of the patch group
• The Assigned Device Groups/Devices nodes of the packages contained in the patch group
Under these nodes you may follow the execution of the actual patch installation with its different stages in the
Status columns.

• The All Bulletins and Applied Bulletins tab of the respective bulletins
• The Affected Devices tab of the respective bulletins
• The Bulletins by Year and Bulletins by Product node

Under these tabs and node you may see the number of affected devices regarding the product family/patch
bulletin decrease as the patch installs on the targets and is thus no longer needed.

(f) Patch Inventory of a Device Group


Same as for individual devices, the patch inventory also exists for device groups. It is accessed via the same nodes
as for an individual device. In our primary example we already generated the inventory for the group called
Clients and Relays:
1 Select the Inventory->Patch Inventory->Missing Patches of the device group.
2 Under this node all patch bulletins that need to be applied to the currently selected device are displayed.

3 Then select the Missing Service Packs node.


4 The nodes of this view display all the service packs which are missing for at least one member device of the
selected device group.

(g) Creating a Patch Group in a specific Folder


When creating a new patch group it may be directly created in a folder instead of under the Patch Management
top node, which is the default location. To do so proceed as follows:
1 To add it to another folder click the icon to the right of the Folder field (...).
2 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder
does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon ( ) below
the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window
to confirm the new application list folder.
3 Select the target folder and click the OK button to confirm and to close the window and return to the original
window.
(h) Automatic ConfigFiles Update
The ConfigFiles patch description file is a group of files that contains all information against which the patch
situation of the local targets is compared. If this file is not up-to-date you may miss important new patches
required by your devices. Updating the file includes downloading it, parsing the file, and creating a new custom
package, ConfigFiles.cst, directly under the main Packages node. This package is required by the target clients
to know which security updates they need to install.
You may configure the Numara Patch Manager in such a way as to regularly and automatically update this file on
the master as well as the clients. This configuration is divided into the following operations:
Step 1: Patch Manager Configuration
The first step is to configure the master in such a way as to maintain its ConfigFiles file and the custom package
constantly up-to-date. To do so proceed as follows:
1 Go to the Agent Configuration->Module Configuration node on the master and select the Patch Management
node.
2 Fill in the following parameter:
Configuration Files Internet Download Delay
This value defines the delay in seconds at which the ConfigFiles will be automatically downloaded and
updated to a Patch Manager. This value is only applicable to the Patch Manager, for all other devices this value
should be set to 0 to deactivate the option. The ConfigFiles will only be downloaded if it is of a newer version
than the version currently available on the Patch Manager or if the Force Parse parameter is activated. The
default value is 0. Adapt this value to your requirements.

Step 2: Client Configuration


The next step is to define if and when the clients are to be automatically updated with the ConfigFiles package.
You may either modify these values individually per client or you may create an operational rule to do so:
1 The first step here is to create the target group for the operational rule. For this we create the query collecting
the targets. To do so go to the Queries node and create a new query.
2 Select the Edit->Create Query menu item or the respective icon ( ) in the icon bar.
3 Enter the desired data into the following two fields and leave all others untouched.
Name
Enter the name of the new query into this field, use Patch Targets for this case.
4 Go to the Criteria tab of the new query.
5 Currently the table is still empty. To define the criteria of the query choose the Edit->Add Criterion menu item
or click the respective icon ( ) in the icon bar.
6 The Select Criterion popup window will appear on the screen. It displays the list of available criteria.

7 Select the criterion Patch Manager and then check the Value box in the Criterion Description box.
8 Then click the Add ( ) button, to add the criterion to the list.
9 Now select the criterion Topology Type from the list and click the Search button in Criterion Description box.
10 The Search Criteria window appears on the screen. It displays all existing topology types.
11 Select the option Master and click OK.
12 The selected option will now be displayed in the Value field of the Criterion Description box.
13 Click the Add ( ) button, to add the criterion to the query.
14 Then click OK, to confirm the content of the new query and to close the window.
15 In the table in the right window pane you can now see all the defined criteria.
16 Activate the query.
17 Reselect the new query in the tree hierarchy in the left window pane.
18 Then either select the Edit->Create Device Group or select the respective icon ( ) in the toolbar.
19 If you go now to the Device Groups node you will find the new group called Patch Targets directly under it
with the population defined by the query.
20 Now the operational rule must be created. To do so go to the Operational Rules node in the left window pane.
21 Click on the Create Operational Rule icon ( ) in the icon bar. The Properties dialog box appears on the
screen.
22 Enter a descriptive name in the Name field, for example, ConfigFiles Update.
23 Go to the new rule’s Steps tab.
24 Click the Add Step icon ( ) in the icon bar. The Select a Step popup window will appear on the screen.

25 Select the Agent Configuration folder and select below the step called Patch Management Module Setup and
click the to-the-right button ( ).
26 The Properties window appears on the screen displaying all available parameters.
27 Modify the following values to your requirements:
Update Configuration Files at Startup
This parameter defines whether the local agent verifies with the master at agent startup that its ConfigFiles
are up-to-date and, if they are not, receives them. By default this option is set to Yes, verify and update.
Interval Before Patch Inventory Update
This value defines the delay in seconds to wait for a possible update to arrive before any operations, such as
a patch inventory or a patch installation, are executed. The default value is 300 seconds or 5 minutes.
28 Click the OK button to confirm the modifications.
29 Then assign the operational rule to the group Patch Targets via the Device Groups under the Assigned Objects
node.
30 Once the operational rule is executed on all devices the new settings will become valid.
(i) Manual ConfigFiles Update
The ConfigFiles patch description file is a group of files that contains all information against which the patch
situation of the local targets is compared. If this file is not up-to-date you may miss important new patches
required by your devices. Updating the file includes downloading it, parsing the file, and creating a new custom
package, ConfigFiles.cst, directly under the main Packages node. This package is required by the target clients
to know which security updates they need to install.
If your Patch Manager does not have a permanent Internet connection it cannot use the automatic update
procedure detailed in the previous paragraph; instead it must be updated manually at regular intervals. To be able
to update, at least one device within your network must have at least a temporary Internet connection to download
the newest ConfigFiles update file with which to bring your Patch Manager and all clients up-to-date. To manually
update proceed as follows:
Step 1: Patch Manager Configuration
The first step is to configure the Patch Manager so that it allows for the manual update procedure. To do so proceed
as follows:
1 Go to the Patch Management -><Patch Manager> ->Configuration ->Update node.
2 Select the Edit->Properties menu item or the respective icon ( ) in the icon bar.
3 The Properties window appears on the screen.
4 Select the Local Update radio button in the Update Type box.
5 Click OK to confirm the modification and to close the window.

Step 2: Manually Download ConfigFiles


Now the ConfigFiles need to be downloaded from the Internet and saved on the Patch Manager device:
1 On the Patch Manager device verify that the following directory exists, if this is not the case create it:
<InstallDirectory>\data\PatchManagementPremium\update
2 Now you need to download the following files from the Shavlik web site and save them in the directory listed
above:
http://xml.shavlik.com/data/hfnetchk5.cab
http://xml.shavlik.com/data/hfnetchk6b.cab
http://xml.shavlik.com/data/PD5.cab
http://xml.shavlik.com/data/CL5.cab

Step 3: Update Patch Manager


Now that the new versions of the ConfigFiles are locally available, the Patch Manager must be updated:
1 Go again to the Patch Management -><Patch Manager> ->Configuration ->Update node.
2 Select the Edit->Update ConfigFiles menu item or the respective icon ( ) in the icon bar.
3 The update process will now search for the new ConfigFiles in the local update directory. It will then parse these
files, extract the list of currently existing bulletins, put it into the tables of the respective nodes and
create a custom package containing all the necessary information for the clients, which will be published to the
master.

4 You can follow these steps via the Status column which will indicate the currently executing step.
5 Click the Refresh button ( ) repeatedly to see the status values changing, as this page does not refresh
automatically.
6 The update process is finished when the Status column displays the status Database Up To Date.
7 Once the package has arrived on the master it will be sent to all devices according to the settings in the
module.
8 If you have switched off this option you must manually create an operational rule and send the package to all
the targets for which the patch inventory is to be established as explained in the option above.
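
The manual procedure above carries four files, fetched over plain HTTP on another device, into the Patch Manager's update directory, so it is worth confirming before Step 3 that every file arrived complete and unchanged. The following Python code is an added example, not part of the Numara product or its manual: it records SHA-256 digests on the downloading device and re-checks them on the Patch Manager. The function names and the manifest file name are assumptions of this example, and the truncation check relies on the standard cabinet header layout.

```python
import hashlib
import json
import struct
import tempfile
from pathlib import Path

# File names taken from the four download URLs listed in Step 2.
EXPECTED_FILES = ("hfnetchk5.cab", "hfnetchk6b.cab", "PD5.cab", "CL5.cab")
# Hypothetical manifest name chosen for this example; it is not a NAMP file.
MANIFEST_NAME = "configfiles.manifest.json"


def inspect_cab(path):
    """Return (sha256_hex, problem); problem is None for a complete cabinet."""
    data = Path(path).read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    if len(data) < 12 or data[:4] != b"MSCF":
        return digest, "not a cabinet file (no MSCF signature)"
    # Cabinet header: signature(4) reserved(4) cbCabinet(4, little-endian).
    # cbCabinet is the cabinet size, so a shorter file is a cut-off download.
    (declared,) = struct.unpack_from("<I", data, 8)
    if len(data) < declared:
        return digest, f"truncated: header declares {declared} bytes, file has {len(data)}"
    return digest, None


def write_manifest(download_dir):
    """On the Internet-connected device: hash the four downloads."""
    download_dir = Path(download_dir)
    manifest = {}
    for name in EXPECTED_FILES:
        path = download_dir / name
        if not path.is_file():
            raise FileNotFoundError(f"{name} is missing from {download_dir}")
        digest, problem = inspect_cab(path)
        if problem:
            raise ValueError(f"{name}: {problem}")
        manifest[name] = digest
    # Carry the manifest to the Patch Manager separately from the files,
    # so that one altered medium cannot change both.
    (download_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_update_dir(update_dir, manifest):
    """On the Patch Manager, before Update ConfigFiles: list every problem."""
    update_dir = Path(update_dir)
    problems = []
    for name in EXPECTED_FILES:
        path = update_dir / name
        if not path.is_file():
            problems.append(f"{name}: missing")
            continue
        digest, problem = inspect_cab(path)
        if problem:
            problems.append(f"{name}: {problem}")
        elif manifest.get(name) != digest:
            problems.append(f"{name}: SHA-256 differs from the manifest")
    return problems


def make_sample_cab(payload):
    """Constructed stand-in for a cabinet: valid header prefix plus payload."""
    total = 12 + len(payload)
    return b"MSCF" + b"\x00" * 4 + struct.pack("<I", total) + payload


if __name__ == "__main__":
    # Constructed demonstration with sample data, so it runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        download, update = Path(tmp, "download"), Path(tmp, "update")
        download.mkdir()
        update.mkdir()
        for name in EXPECTED_FILES:
            (download / name).write_bytes(make_sample_cab(name.encode() * 50))
        manifest = write_manifest(download)
        for name in EXPECTED_FILES:
            (update / name).write_bytes((download / name).read_bytes())
        print("clean copy:", verify_update_dir(update, manifest))
        # Simulate a transfer that cut off the end of one file.
        cut = (update / "PD5.cab").read_bytes()[:-20]
        (update / "PD5.cab").write_bytes(cut)
        print("after truncation:", verify_update_dir(update, manifest))
```

On the Patch Manager, pass the `<InstallDirectory>\data\PatchManagementPremium\update` directory from Step 2 to `verify_update_dir` and continue with Step 3 only when it returns an empty list.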
14 Vulnerability Management Step-by-Step
Faced with the exponential growth in the number of security vulnerabilities, and the increasing complexity of
information systems, an automatic analytical solution is essential for effective operational risk management. The
Numara Vulnerability Manager is a non-intrusive vulnerability scanner that is able to scan all devices with an IP
address. It then uploads all collected information to the database and makes it available via the NAMP console.
As shown in the graphic below, the vulnerability process consists of the following individual steps:
1 Update the master and scanner with the latest vulnerability version via the VM Updater
2 Create and launch scan on target and upload the collected information to the database and display in the
inventory and vulnerability groups
3 Create the vulnerability groups
4 Fix vulnerabilities via existing patches or other fixes:
a Download available patches
b Apply patches to the targets

[Figure: vulnerability management process. Components: Internet, VM Updater, Master, Scanner, Target Client. Labelled steps: 1 Update, 2a Device Scan, 2b Scan Inventory, 3 Vulnerability Group, 4a Update Patches, 4b Patches.]

Vulnerability scans may be executed on any device; it is not necessary that the scanned device has the NAMP
agent installed.

To be able to remedy the vulnerability situation by installing patches, as explained in the second part of this
chapter, you also need the Numara Patch Management license. For trial purposes this license is included in the temporary
license.

This chapter is divided into the following sections:


• Making Your System Secure
• Vulnerability Reporting
• Vulnerability Management Options

Prerequisites
To execute the examples provided in this chapter we assume that:

• you have the Patch Management license as well as the Vulnerability Management license. The PM license
is required for resolving vulnerabilities for which the fix is provided by a Microsoft bulletin,
• the operating system of the scanner device is
- Windows 2000 (minimum Service Pack 4), Windows XP, Windows 2003, Windows Vista, Windows 2008 or
- Linux RHEL 3, 4 and 5, SUSE 10, CentOS 4.3, Debian 4.0 or later versions,
• the master/scanner has an internet connection,
• the master/scanner is connected via Ethernet; it MUST NOT use a wireless connection,
• a browser is installed on your master,
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the
NAMP console and its workings,
• you have also already familiarised yourself with the Numara Patch Management in the preceding chapter as
this is an integral part of vulnerability remediation.

14.1 Making Your System Secure


In our base example we will scan a number of devices with the NAMP agent installed and repair one of these XP
clients installed in our network. Contrary to the patch management we are not scanning our master, as this is not
possible - the master is currently our scanner and the scanner cannot scan itself.
1 Update Vulnerability Database on the master and scanner
2 Create scan via the Vulnerability Scan wizard
3 Monitor scan progress
4 Verify vulnerability situation via the vulnerability inventory
5 Fix a Microsoft vulnerability
6 Monitor vulnerability/patch application

14.1.1 Update Master and Scanner with latest Vulnerability Version


The first step when scanning your network is to configure the update process and launch it. It is important that
the base for the vulnerability testing is always as up-to-date as possible, otherwise the scan might not find the
newest known vulnerabilities, which may be critical to your environment.

The master is by default defined as a scanner. Refer to Option (h) to define another device as the scanner.

This step may be automated via the configuration options. For information on how to do so proceed to Option (k).

To update the master and scanner proceed as follows:


1 Open the Vulnerability Management->Configuration->Update node in the left window pane.
2 The Status tab in the right window pane displays in its columns Status and Version that the master and
scanner are not up to date, indicated by the status To Be Checked and an empty version number field.
3 Also the scanners listed in the bottom half of the window will show a yellow flag with status Requested, to
indicate that they are not up to date.

4 Select an entry and then choose the Edit->Check for Update menu item or the respective icon ( ) in the icon
bar.
5 The field Update Status will now indicate if the vulnerability base files need updating (status Out of Date)
and the field Available Version displays the number of the currently latest version of the respective file.
6 Now select the Edit->Update Now menu item or the respective icon ( ) in the icon bar.
7 A link with the Update Server will be established to download the newest available version.
8 When the status displays Up to Date and the overall status displays a green flag, all necessary information
has been retrieved by the master and downloaded to all defined scanners.

14.1.2 Create a Vulnerability Scan


Now that all information required to execute a scan has arrived on the scanner, the scanning operation of a device
may be launched. This is done via the Vulnerability Detection wizard.

Numara Vulnerability Manager has several wizards, which are available from a number of locations. The
Vulnerability Detection wizard, for example, is accessible everywhere from the Wizards menu, but also from the
Assigned Scans node under the scanner.

1 From anywhere in the console select the Wizards->Vulnerability Detection ( ) menu item.
2 The wizard appears on the screen with its first window.
Step 1: Vulnerability Detection Wizard
In the first window the scanner must be selected. In our case we have only one scanner defined which is
preselected in this window. Therefore just click Next.

Step 2: Scan
In the second wizard window you can give a unique descriptive name to the scan. To do so enter Test Scan into
the Name field in the Scan box.

To create the new scan in a specific folder refer to Option (j) now.

Click Next.

Step 3: Scan Configuration Selection


The Scan Configuration Selection window appears on the screen. In this window you may either select an
already existing scan configuration or specify to create a new one. As there are currently no configurations
defined yet, leave the selection as it is and click Next to continue with the definition of the configuration.

Step 4: Scan Configuration


Next the new scan configuration must be defined in the Scan Configuration box:

1 Enter a name into the Name field: Test Scan.

To create the new scan configuration in a specific folder refer to Option (j) now.

2 Click Next.

Step 5: Protocols and Phases


This step defines the protocols to verify and the phases to execute. Specifying a set of credentials is not strictly
required; however, doing so is recommended for an authenticated scan and will also provide more extensive results.
1 Select the SMB protocol and click the Add Credentials button to the right.
2 The Credentials box is displayed in the wizard window.
3 To add a new user identification click the Add button at the bottom.
4 A Properties window appears on the screen.
5 Enter the login name, corresponding password in the respective fields and re-enter the password for
confirmation.
6 To view the passwords you may also uncheck the Hide Passwords checkbox. Both password fields will now be
displayed in clear text format.
7 To confirm the new user account click the OK button at the bottom of the window.
8 The account will be added to the list in the right window part.
9 The default settings in this window are specified to execute a complete vulnerability assessment scan.
Therefore leave all options as they are in the Phases box below.
10 Click Next.

Step 6: Port List


The next step defines which ports are to be scanned. A number of predefined port lists are delivered with the
software and installed by default, we may therefore use one of those.

To create a new port list refer to Option (i) now.

1 Select the Use existing port list radio button.


2 The list below displaying all existing port lists becomes available.
3 As we are only scanning one device we may select the option Ports referenced by Numara Software for TCP.
You may select to check for TCP and UDP ports, however, UDP port checking takes a relatively long time.
Click the TCP checkbox next to the field in the first line then click Next.

Step 7: Target List


In the next window, the list of targets that are to be scanned is defined. Here you may specify whether an existing
target list is to be used or a new one should be created. As there are currently no target lists defined, leave the
preselected value and click Next to continue with the target list configuration.

Step 8: Target List Configuration


This step defines the target device to scan. First enter a name again, e.g. Test Scan Targets. To select the target
devices there are several methods available. As we are scanning devices which have the NAMP agent installed we
will use the general device selection method.

To scan a device or devices on which no NAMP agent is installed yet, refer to Option (b) now.

To create the new target list in a specific folder refer to Option (j) now.

1 Therefore select the Add Existing Device menu item or the respective icon ( ).
2 The Select a Device window opens which provides you with the different methods to choose the target device.
3 Select the All button ( ) in the left window bar.

4 The box now displays the list of all devices which are currently part of your Numara network. Select the
device to be scanned, e.g., the relay, and click OK to add it to the target list.
5 Click Next to go to the next step.

Step 9: Schedule
The next step is concerned with the scheduling of the scan. Leave the window as it is and click Finish to confirm all
scan definitions.

To schedule the scan at regular intervals refer to Option (g) now.

1 A confirmation window appears on the screen.


2 Check the Go to Scan box to move the focus of the console to the scan you just created for monitoring its
progress and click Yes to confirm the immediate activation of the scan.
3 The focus of the console is moved to the newly created scan.

14.1.3 Monitor the Scan Process


The scanning process is now under way and may be monitored under the Scanners node.
1 Select the Vulnerability Management->Scanners->Master->Assigned Scans node.
2 In the table to the right you will find the entry of the scan we just created via the wizard.
3 Select the Scan Information tab.
4 You can follow the execution process of this scan via the Status column, which starts with Assignment
Waiting. Then it will go through all the respective stages and will display Executed once the scan of the
target device is finished.

5 Once the scan status is Execution Scheduled you may also double-click the scan entry and then select its
Sessions tab, in which you may see some more information regarding the scan details.

In this view you can see the following information regarding the executing scan:
Target
The fields of this column display the names of the device targets. There will be an entry for each target of each
currently executing scan, no matter its status.
Status
These fields display the status of the respective target. For more information on the possible states refer to
chapter Status Reference of the Numara® Asset Management Platform Reference.
Stage
This field indicates which phase of the scan tests the session is currently executing. Depending on this value
other values of this table are filled in.
Information
The number of information items the scan has retrieved. This number starts increasing as soon as the phase
Initialisation has finished.
Pending Actions
This is the number of actions which are waiting to execute. An action may be pending because it has not yet
received information it requires, such as for example the host name which is delivered by the preceding
action, or because the maximum number of simultaneously executing actions is currently reached.
Executing Actions
This is the number of currently running scanning actions.
Vulnerabilities
This number displays the number of vulnerabilities the scan finds. It will only start increasing once the
execution stage has arrived at Vulnerability Detection.
Start Time
The date and time at which the scanning session was started on the target client.
End Time
The date and time at which the session finished.
Duration
The total time the session needed to execute in the regular time format hh:mm:ss.

14.1.4 Verify Vulnerability Situation via the Vulnerability Inventory


Once the scan is finished the results found by the scan must be interpreted before taking measures to button up
the security holes. There are several locations to verify the situation of a device, a group of devices or even your
whole network. For our first example we will do so via the Vulnerability Inventory of one of the scanned devices.

The Vulnerability situation may also be investigated via the vulnerability inventory of a device group, the
Vulnerability Groups node of the Numara Vulnerability Manager and the Last Results node under the Assigned
Scans. See Option (d) for more details.

1 Open the node Device Topology->...-><Device>->Inventory->Vulnerability Inventory->Vulnerabilities.



2 Under this node all vulnerabilities that were found for the device are listed.
3 For more information on the presented information refer to the Numara Vulnerability Manager manual.

14.1.5 Fix Vulnerabilities


Vulnerability fixing in NAMP is done via the Fix Vulnerability wizard, which is available from all locations at
which the vulnerability situation of an object is detailed. For our first example here we will fix a Microsoft
vulnerability that has a bulletin available.

Available Microsoft Patches are listed in the Vendor ID column and have the format MS<Year>-<BulletinNumber>.
Do NOT use a patch applicable to MS Office; these require specific parameters which are explained under Option
(a) of the Patch Step-by-Step chapter. You can see if a patch is applicable to MS Office in the Title of the
vulnerability.

To fix a vulnerability without an available Bulletin or Vendor ID refer to Option (c) now.

To fix a vulnerability from the inventory node of a device proceed as follows:

Vulnerabilities may also be fixed via the Vulnerability Groups node of the Numara Vulnerability Manager. See
Option (e) for more details.

1 In the table of the Vulnerabilities node select a vulnerability for which a Microsoft bulletin is available in the
table in the right window pane.

2 Select the Edit->Fix Vulnerability menu item or the respective icon ( ) in the icon bar.
3 The Fix Vulnerability Wizard opens on the screen.
Step 1: Fix Selection
In the first window of the wizard you define how you want to fix the selected vulnerabilities. Check the
Download and Apply Patches option.

Contrary to the Vulnerability Detection wizard, this wizard does not have the vulnerability-red side bar. This is
because the actual vulnerability remediation is executed by the patching process and therefore by the patch
wizard, which is PM-blue.
For more information on the Download Patches wizard refer to chapter Patch Management step-by-step where
the wizard is explained in detail.

If you have selected a patch that has been replaced by a more recent patch, the Superseded Patches window
appears on the screen. It lists all patches in the inventory which have more recent versions. You can either
continue, in which case the initial patch as well as the superseding patch will be installed, or cancel and
restart the fixing process by selecting the more recent patch version.

Step 2: Patch Manager


The first window of the actual patching wizard is the Patch Manager window. In this step you select the Patch
Manager which is to manage the patching process for the selected patches. If you have not yet done the optional
exercises of the patch management chapter this window will only display the predefined and selected master,
otherwise you will find your list of patch managers here. Select the master.

Click Next to go to the next window.

Step 3: Patch Group


In this step the patch group must be defined via which the patching of the target devices is to be done. For our
example we will create a new patch group. Leave the preselected option and click Next to continue.

Step 4: Patch Group Configuration


In the next step the new patch group must be configured. To do so proceed as follows:
1 Enter the name Vulnerability Patch Group (Test Scan) in the Name field.

To create the new patch group in a specific folder refer to Option (j) now.

2 Then click Next to continue.

Step 5: Patch Parameters


In the next window the Patch Parameters are defined. Leave all values as they are.

Step 6: Patch Languages


The following window defines the languages in which the patch is to be downloaded and applied. This language
choice depends on the language of your operating system: if it is English or any language not available in the
displayed list, check the box next to English; otherwise select the language of your OS.

Then click Next.

Step 7: Patch Installation Parameters


The next wizard window is concerned with the Patch Installation Parameters.
1 Make the following choices in this window:
• In the Reboot Type box select the value Reboot after deployment. Be aware that if you do not reboot after
installation when a reboot is expected by one of the patches installed, this patch will still be seen as
missing even if you force a scan after install by the option below.
• Check the Force patch inventory scan after install and Force patch inventory upload after install boxes.
This will automatically reschedule the patch inventory generation, so you can verify if the patch was
properly installed.
• Under the Office Installation Parameters select No Office Patch Installation from the Office Install
Type drop-down list.

2 Then click Next.

Step 8: Reboot Options


As we have selected to reboot the affected device after the patch installation we need to define the parameters for
the safe reboot in the next window.
1 Make the following additional choices and modifications:
• Check the fields Reboot after Disconnection and Cancel Reboot.
• Enter the value 1 in both fields Countdown Timer Incrementation Value and Initial Countdown Timer.
• Enter 3 into the Countdown Timer Maximum Extension field.
This value defines the maximum interval by which the countdown timer may be extended. If, for example, the initial
value is 2 minutes, the user may extend it by 2 minutes each time, and this value is set to 5 minutes,
the user may extend the countdown only once: 2 min initial + 2*2 min extension makes 6 minutes, which is higher
than the defined 5 minutes. The default value of this option is 5 minutes.

2 Then click Next.

Step 9: Schedule
The final window of the wizard concerns the scheduling of the assignment and execution of the patch
application. Leave all values as they are and click the Finish button to confirm all choices.

Step 10: Confirmation


The last option provided by the vulnerability fixing wizard is to directly activate the
patch group and thus launch the patching process. If you do not directly activate it you
must go to the respective patch group and manually activate it at the desired time.
For our first test run we will check the option Go to Patch Group and click Yes to
directly activate the patch group and start the patch installation procedure.

14.1.6 Monitor Vulnerability/Patch Application


Patch installation for vulnerabilities may be monitored via a number of different views. But first you need to give
the device some time to receive the patch, install and reboot. For our example here we will be monitoring the
installation via the patch group.
Since we have checked the option Go to Patch Group our focus in the console is now under the Patch
Management node at the Vulnerability Patch Group (Test Scan) from where we may follow the execution of the
actual patch installation with its different stages in the Status columns.
1 Go to the Assigned Objects->Devices node.
2 In the table to the right you will find the entry for the master and you may follow the patching process in the
view’s Status column. The initial status, as with all operational rules, is Assignment Waiting, and the final
stage should be, as shown in the graphic below, Patch group successfully installed.

3 Once this status appears we may go to the History tab of the Patch Inventory node of the device. This tab
displays a sort of a log of everything that happened to the inventory entries. For the patch inventory this
means, that once a patch has been fixed it will move from the Patch Management node to this tab.
4 If this view is still empty, this means that the patch inventoring process is not yet finished. Keep refreshing
( ) the view.

If the remedied bulletin does not appear in this tab, the reason may be that the patch inventory process,
contrary to the vulnerability scan, did not find this patch missing. In that case it was not included in the patch
inventory and cannot be displayed as removed now, because it was never listed as missing.

5 Once the inventory is finished this view will display the entry we selected to be patched from the initial
inventory.

The remedied situation is also visible under the Vulnerability Inventory node of the device.
1 To display the remedied situation you first need to rerun the scan, as this is - contrary to the patch
management - not automatically re-launched by option.
2 To do so go to the Vulnerability Management->Scanners-><Scanner>->Assigned Scans node.
3 Select the Test Scan entry in the table to the right.
4 Select the Edit->Reassign Scan menu item or the respective icon ( ) in the icon bar.
5 The status of the scan will turn to Reassignment Waiting to indicate that the scan is now being reassigned
and it will execute according to the defined schedule.
6 Continue with Step 3 to monitor the scanning process again.
7 Once the scan is finished and has uploaded its information go to Vulnerability Inventory->Vulnerabilities
node of the device.
8 There check the inventory listed. You will NOT find the installed patch in this list anymore.

14.1.7 Vulnerability Reporting


Once data on the vulnerability situation on individual devices and the network in general is available it may be
summarised or detailed by reports. The NAMP console provides a number of report templates specifically for
vulnerability management, which will be explained in the following paragraphs.
We will create and generate some examples of the available templates. You may also create your own style-based
reports as explained in the Report chapter earlier in this manual. For a detailed explanation on all available
templates refer to chapter Numara Vulnerability Manager Report Templates on page 223 of the Numara
Vulnerability Manager manual.
Report 1: Situation by Vulnerability
The first report was already created in the Reports chapter, it only remains to be generated. Proceed as follows:
1 Open the main Reports node in the left pane and select the Situation by Vulnerability report below.
2 Go to its Assigned Objects->Vulnerability Groups node.
3 Either choose the Edit->Assign Vulnerability Group menu item or click the respective icon ( ) in the icon
bar.
4 The Assign a Vulnerability Group popup window will appear on the screen.
5 Select the Test Scan group from the window.

6 Click OK to confirm the assignment and close the window.


7 The vulnerability group will be added to the table of assigned vulnerability groups.
8 Then go back to the Situation by Vulnerability report in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.
11 The report will be created immediately using the current data in the database concerning the assigned
vulnerability group.

The report result which is generated will be put in all the required places according to the reports settings. This
means it will be available under the Report Results node of the report, as well as under that of the
vulnerability group it is assigned to.

12 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
13 The generation of this type of report may take a little while; therefore reselect the icon until the report appears.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report. This report displays the situation of a part of
your network by vulnerability. The target group for the vulnerability analysis was defined via the target list,
which also defines the members of the vulnerability group.
This report displays all vulnerabilities by vulnerability group. It is divided into the following parts:
Group Details
This first section displays the settings and parameter values defined for the vulnerability group.

Device List
This section is represented in form of a table which lists all devices that are part of the respective vulnerability
group.

Vulnerability List
This section displays the list of vulnerabilities found on at least one target of the respective vulnerability group
with some additional information on the vulnerability.

Details regarding the identified vulnerabilities


This last part of the report displays two tables for each vulnerability found on the device. The information
displayed in these tables is the same as in the advisories of the respective vulnerability.

16
These reports may be generated at regular intervals to provide thus an overview of the general development of
your network. See Option (d) of the Reports chapter.

Report 2: Display by Device


This report is also already created via the out-of-the-box objects, ready to be assigned to a target and to be
generated. Proceed as follows:
1 Open the Vulnerability folder under the Reports node in the left window pane and select the report Display by
Device.
2 Go to its Assigned Objects->Vulnerability Groups node.
3 Either choose the Edit->Assign Vulnerability Group menu item or click the respective icon ( ) in the icon
bar.
4 The Assign a Vulnerability Group popup window will appear on the screen.
5 Select the Test Scan group from the window.

6 Click OK to confirm the assignment and close the window.


7 The vulnerability group will be added to the table of assigned vulnerability groups.
8 Then go back to the Display by Device report in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.
11 The report will be created immediately using the current data in the database concerning the assigned
vulnerability group.
12 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
13 The generation of this type of report may take a little while; therefore reselect the icon until the report appears.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report. This report displays the situation of a part of
your network by vulnerability. The target group for the vulnerability analysis was defined via the target list,
which also defines the members of the vulnerability group.

This report shows a technical summary by device and allows you to quickly see all information of all devices that
are member of our test scan vulnerability group.
Device List
This section is represented in form of a table which lists all devices that are part of the respective vulnerability
group.

Device Details
This second part provides more detailed information on the devices via the following different tables per device:
• Device Details - this table shows all the general information on the device itself, regarding its
vulnerability situation and group membership.
• Open Ports - this table lists all the ports which were found open on the device with some additional
information on the ports.
• List of Identified Vulnerabilities - this third table displays the list of vulnerabilities that were found on the
device with some additional information on these.
• List of all Possible Vulnerabilities - this last table provides the list of vulnerabilities which were found on the
device but may actually not be vulnerabilities.

Details regarding the identified vulnerabilities


This last part of the report displays two tables for each vulnerability found on the device. The information
displayed in these tables is the same as in the advisories of the respective vulnerability.

14.2 Vulnerability Management Options


The following paragraphs will provide you with a number of options that may be used to modify the vulnerability
and patching processes.
(a) Add Target Devices without NAMP Agent to Scan
If you have already created your scan and would now like to add another device to the scan’s target list before
rescheduling proceed as follows:
1 Open the node Vulnerability Management->Configuration->Targets->Test Scan Targets.
2 Go to its Members tab.
3 Select the Edit->Add Members menu item or the respective ( ) icon.
4 The Add an Address Range window opens on the screen.
5 Enter the IP address of a device without a NAMP agent installed into the field.
6 Click OK to add the device to the target list.
7 Now that the target list has been updated the scan must be reassigned to apply the modifications to the
assigned scan.
8 Go to the Vulnerability Management->Scanners-><Scanner>->Assigned Scans->Test Scan node.
9 Select the Assigned Schedule tab in the right window pane.

10 Select the scan entry in the view.


11 Select the Edit->Reassign Scan menu item or the respective icon ( ) in the icon bar.
12 The status of the scan will turn to Reassignment Waiting to indicate that the scan is now being reassigned
and it will execute according to the defined schedule.
13 Continue with Point 14.1.3 (page 334) to monitor the scanning process again.
(b) Verifying and Patching Systems without the NAMP Agent Installed
The Numara Vulnerability Scanner may scan all devices of your network, including those that do not have a NAMP
agent installed, in the same way as any device with a NAMP agent:
1 At Point 14.1.2 (page 327) Step 8: (page 332), select the Add Members ( ) icon in the Target List
Configuration window of the wizard.
2 The Add an Address Range window opens on the screen.
3 Enter the IP address of a device without a NAMP agent installed into the field.
4 Click OK to add the device to the target list.
5 Continue with Point 14.1.2 (page 327) Step 9: (page 333) of the main procedure.
The inventory and fixing process, however, is different for these devices: it is only possible via Vulnerability
Groups. For this refer to Option (e).
(c) Fix Vulnerability without Vendor ID
There are a number of different possibilities on how to fix vulnerabilities, such as patch bulletins for Microsoft
vulnerabilities, manual solutions that need to be applied directly at the respective device, such as the
modification of login and password, etc.
To fix the vulnerabilities for which no Microsoft Vendor ID or bulletin exists you have two choices:
• Send an e-mail to the team member in charge of resolving such vulnerabilities
• Create a task for this team member in the NAMP console.
1 At Point 14.1.5 (page 336) select a vulnerability without Vendor ID.
2 To fix the problem select the Fix Vulnerability icon ( ).
3 This will call the Fix Vulnerability wizard on the screen.
4 In this case the wizard will offer you only one window in which you need to choose
• to either send an e-mail to the team member concerned with the vulnerability fixing process to inform them
of the new vulnerability that was found,
• or to create a task in the console for the same purpose.
Be aware that for either of these options the mail system information must be set up in the console, as
explained in paragraph User Preferences on page 17 in the preceding chapter First Steps in the Console.
4a To send the mail leave the preselected option and enter the following data:
To
Enter into this field the e-mail address of the respective personnel.
Subject
Modify the subject text to “Vulnerability Test Fixing”. It is not needed to specifically add the vulnerability
number, etc., as the mail that is sent will contain all information available on the vulnerability(ies).
Priority
In this drop-down box you may select the priority of the vulnerability and its resolution, possible values are
Minimal, Medium and High. This is not the priority of the e-mail as used in the regular e-mail
applications.
Expected Resolution Date
In this window you may select a deadline until which you expect the vulnerability to be resolved.
Additional Comments
Enter into this free text field any additional comments to the recipients for the e-mail, for example any
additional details of the vulnerabilities to be solved or how you want them solved.
Click the Finish button to send the e-mail.

4b To create a task for the vulnerability proceed as follows:


1 Select the Create Task radio button.
2 The window content changes to display the fields required for the task.
3 Enter Vulnerability Test into the Name field.
4 Enter some free text describing the situation into the Description field.
5 Leave all other fields as they are.
6 Click the Finish button to create the task. An e-mail will also automatically be sent to the e-mail account
you entered into the administrator properties.
For more detailed information on the Tasks please refer to the Tasks manual.

(d) Verifying the Vulnerability Situation


In addition to the Vulnerability Inventory of a device the current situation may also be viewed at the following
other locations in the console:
• Last Results node under the Assigned Scans node, where the scan execution is detailed.
• Vulnerability Inventory of a device group
• Vulnerability Groups node
Last Results of Assigned Scans
Once a scan has finished its execution on a device the Last Results node below the executing scan will display
this device. The node has two tabs: the Online Targets tab displays all devices which could be contacted and on
which the scan was executed; the Offline Targets tab displays the list of scan targets that were unreachable and
thus could not be scanned. No devices for which the scan is still executing are displayed.
Under the Last Results node a node is displayed for each scanned device that has several tabs which show
different types of information on the device and the vulnerabilities found on it.

Vulnerability Inventory of a Device Group


The vulnerabilities found for the members of a group are displayed under the respective node of the device group:
Inventory->Vulnerability Inventory->Vulnerabilities. This inventory will not display any details on the
vulnerabilities found on the devices, it will only display a list of vulnerability attributes such as vulnerabilities
sorted by ID, by CVSS, etc., and the respective count for the group.

Vulnerability Groups
Vulnerability groups are the objects in the Numara Vulnerability Manager via which the security situation on the
target devices is resolved. From here you have an overview over the general security situation of a specific part of
your environment, you may follow how its security status evolves via graphics in the console and via reports
specifically generated for them. And you may launch the fixing process for the group’s vulnerabilities. Here we
will create a group for the devices we have scanned:
1 Open the Vulnerability Management->Vulnerability Groups node.
2 To create the new group select the Edit->Create Vulnerability Group or select the respective icon ( ) in the
toolbar.
3 The Properties popup window will appear on the screen.
4 Enter Test Scan as its name into the name field.
5 Click OK to confirm and close the window.
6 The new group will automatically be created and be displayed in the right window pane.
7 Select it. You can see that this node offers quite a number of different nodes and tabs, however in this example
we will only use its Options tab and All Vulnerabilities node. For more information on all other available
information refer to the Vulnerability Manual.
8 Go to the Options tab.

9 In the Options tab you configure which part of your network you want to access and visualise via this group.
10 In the CVSS box check all boxes.
11 In the Target Lists box select the Add Target List icon ( ).
12 The Assign a Target List window opens on the screen.
13 From the Available Objects list displayed in the window select the Test Scan Targets list.
14 Then click the OK button at the bottom of the window to confirm and close the window.
15 Then click the Save icon ( ) to save these group settings.
16 Now go to the All Vulnerabilities node.

17 It displays the list of all vulnerabilities found on all devices of the target list.

(e) Remediation via Vulnerability Groups


In the main procedure the vulnerability situation was investigated and resolved via the scanned device’s
inventory. The same procedure applies to resolving the situation of device groups via the group’s inventory.
Another possibility to take care of the security situation is via the concept of vulnerability groups. Contrary to
device groups, vulnerability groups may contain devices on which no NAMP agent is installed, thus their
situation may be viewed and resolved as well.
A vulnerability group provides you with an overview over the general security situation of a specific part of your
environment, you may follow how its security status evolves via graphics in the console and via reports
specifically generated for them. Here we will create a group for the devices we have scanned:
1 Open the Vulnerability Management->Vulnerability Groups node.
2 To create the new group select the Edit->Create Vulnerability Group or select the respective icon ( ) in the
toolbar.
3 The Properties popup window will appear on the screen.
4 Enter Test Scan as its name into the name field.
5 Click OK to confirm and close the window.
6 The new group will automatically be created and be displayed in the right window pane.
7 Select it. You can see that this node offers quite a number of different nodes and tabs, however in this example
we will only use its Options tab and All Vulnerabilities node. For more information on all other available
information refer to the Vulnerability Manual.
8 Go to the Options tab.

9 In the Options tab you configure which part of your network you want to access and visualise via this group.
10 In the CVSS box check all boxes.
11 In the Target Lists box select the Add Target List icon ( ).
12 The Assign a Target List window opens on the screen.
13 From the Available Objects list displayed in the window select the Test Scan Targets list.
14 Then click the OK button at the bottom of the window to confirm and close the window.
15 Then click the Save icon ( ) to save these group settings.
16 Now go to the All Vulnerabilities node.

17 It displays the list of all vulnerabilities found on all devices of the target list.
1 Select the All Vulnerabilities node under the newly created Test Scan vulnerability group.
2 From here you may proceed to fix a vulnerability that has a Microsoft bulletin as described in the general
procedure from Point 14.1.5 (page 336) onwards.
3 To fix a vulnerability without Vendor ID follow the instructions of Option (c).
4 To remedy the situation on a device without a NAMP agent see Option (f).
(f) Remedy Vulnerabilities on Device without NAMP Agent
As we have already seen, the vulnerability inventory for devices without a NAMP agent is included in the
vulnerability group the respective device is a member of. To fix a vulnerability for such a device you have the
following choices:
1 Send an e-mail to the member(s) of your team responsible for the devices without agent to inform them of the
vulnerability that needs fixing. The operations necessary for this are the same as explained under Option (c).
2 Create a task for the vulnerability in the console. The operations necessary for this are the same as explained
under Option (c).
3 Install the agent on the device and re-execute the general procedure for this device.
(g) Schedule the Scan at Regular Intervals
For our example of the scan it may be useful to run it at regular intervals, such as every day, to have the most
accurate view of the device’s situation and of how the vulnerability resolving process advances. To do so proceed as
follows:
1 At Point 14.1.2 (page 327) Step 9: (page 333) make the following selections in the Execution Mode wizard
window:
• In the Termination box select the Run Forever radio button.
2 Click Next.
3 In the Schedule wizard window make the following selections:
• Select the Run Every Day radio button. More options will become accessible in the window.
• In the Period field select the value Once Only from the drop-down box.
• In the field at define the time of the day at which to run the scan, for example during lunch time at 12:30.
• The months to run are already all pre-checked so leave them unchanged.
4 Click Finish and continue with Point 14.1.2 (page 327) Step 9: (page 333) of the general procedure.

Scanning might be quite resource consuming, thus it is recommended to run the scan when the network load is
low, i.e. during the night, if the devices are not shut down, or at lunch time.

(h) Define a Different Scanner


To be able to scan for vulnerabilities a device must be a Scanner. Any device may be a Scanner, it only must be
defined as such. This may either be done in the properties of the device or in the Vulnerability Management
node. To add a device to the Vulnerability Management as a Scanner proceed as follows:
1 Select the Vulnerability Management node in the left window pane.
2 If you have a limited scanner license you may have to remove the existing scanner before you may add another
one. If this is not the case continue directly with point 7.
3 To remove a scanner select it in the table of the right window pane.
4 Then select the Edit->Remove Device menu item or click the respective icon in the icon bar.
5 A confirmation window appears on the screen. Click Yes to confirm.
6 The scanner will be removed from the list of scanning devices.
7 To add a new scanner now either choose the Edit->Add Device menu item or click the respective icon in
the icon bar.

If you only have an evaluation license, only one scanner can be defined. To define another device as a scanner
for this example you must therefore first remove the existing scanner.

8 The Add a Scanner popup window will appear on the screen.


9 Select the All button in the left window bar and select the new device which is to be a Scanner from the
list. This list only shows those devices whose operating system allows them to be a scanner.

10 Then click OK to add it and close the window.


11 The device will be added to the list of Scanners and its configuration parameters will be updated accordingly.

(i) Create a New Port List


If none of the predefined lists fulfil your requirements you may add your own lists of ports to be scanned. To add
a new custom port list proceed as follows:
1 Select the Port Lists node in the left window pane.
2 Select the Edit->Create Port List menu item or the respective icon in the icon bar.
3 The Properties popup window will appear on the screen.
4 Enter the name for the new list into the Name field.
5 Then enter the port numbers to be scanned through this list into the Port Range field. A port list is defined by
using a semicolon (;) as the separator and a dash (-) as the operator defining port ranges. For example,
1;4-7;10 specifies ports 1 and 10 and the ports from 4 to 7 inclusive.
6 Click the OK button at the bottom to save the new list.
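As an added illustration (not part of the original manual or of the product's code), the following Python sketch parses the Port Range notation described in step 5, validates it and merges overlapping ranges. The 1-65535 bounds, the tolerance of spaces around entries and the rejection of reversed ranges are assumptions; the manual does not state how the console handles these cases.

```python
MIN_PORT, MAX_PORT = 1, 65535  # assumed valid range for scanned ports


class PortListError(ValueError):
    """Raised for a malformed port list string."""


def _port(text, item):
    """Convert one port number, rejecting signs, blanks and non-digits."""
    text = text.strip()
    if not (text.isascii() and text.isdigit()):
        raise PortListError(f"not a port number: {text!r} in entry {item!r}")
    port = int(text)
    if not MIN_PORT <= port <= MAX_PORT:
        raise PortListError(f"port {port} outside {MIN_PORT}-{MAX_PORT}")
    return port


def parse_port_list(spec):
    """Parse "1;4-7;10" into sorted, merged, inclusive (low, high) tuples."""
    ranges = []
    for item in spec.split(";"):          # semicolon separates entries
        low_text, dash, high_text = item.partition("-")  # dash marks a range
        low = _port(low_text, item)
        high = _port(high_text, item) if dash else low
        if low > high:
            raise PortListError(f"reversed range {item.strip()!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        last_low, last_high = merged[-1]
        if low <= last_high + 1:          # overlapping or adjacent: extend
            merged[-1] = (last_low, max(last_high, high))
        else:
            merged.append((low, high))
    return merged


def format_port_list(ranges):
    """Render merged ranges back into the semicolon/dash notation."""
    return ";".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def port_count(ranges):
    """Number of individual ports the list will make the scanner probe."""
    return sum(hi - lo + 1 for lo, hi in ranges)


def is_scanned(ranges, port):
    """True if the given port is covered by the list."""
    return any(lo <= port <= hi for lo, hi in ranges)
```

Normalising a list this way before entering it makes duplicated or overlapping entries visible and shows how many ports each scan will actually touch.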
(j) Add a new Object directly to a Folder
When adding or creating a new object, it may be placed directly in a folder, e.g., a scan configuration in a
scan configuration folder, a port list in a port list folder, etc. To do so proceed as follows:
1 In the window you may define the folder into which the object is to be added. By default it will be added
directly under the respective object's top node, e.g., the Port Lists node under the Configuration node.
2 To add it to another folder click the icon to the right of the field (...).
3 The Select Folder window appears on the screen displaying the folder hierarchy. If the desired target folder
does not yet exist you can also create a new folder.
a To do so first select the parent folder of the new one and then click the New Folder icon below
the hierarchy.
b The Properties dialog box appears on the screen.
c Enter the desired data into the respective fields and then click the OK button at the bottom of the window
to confirm the new folder.
4 Select the target folder and click the OK button to confirm and to close the window and return to the original
window.
(k) Define Automatic Vulnerability Update
By default, when you install the software, the vulnerability update is not set to run automatically before you
schedule a scan. You may change these base settings to make sure your system is always as up to date as possible
and your IT is in the most secure state. To automate the update process proceed as follows:

Make sure that the parameter UpgradeWinPcap, located in the Numara Vulnerability Manager configuration file
VulnerabilityManager.ini, is activated (set to true). If this is not the case the manual vulnerability update
cannot be completely executed. By default this parameter is activated.

1 Open the Vulnerability Management->Configuration->Update node in the left window pane and go to tab
Options.
2 Select one of the lines and then select the Edit->Properties menu item or the icon in the icon bar.
3 The Properties window appears on the screen. You have the following options you may define regarding the
automatic update.
Automatic Verification
This value defines if VM will automatically check for available updates. By default this option is deactivated.
Check the box to activate the auto-update. The master will then check with the VM Update service if an update
is available.
Verification Frequency
The value in this field defines the interval in seconds at which the automatic verification process, if selected,
is executed. The default value is 3600 seconds or every hour. You may modify this value to your own
requirements. However, it is not recommended to go below one hour, so as not to overload the network.
Automatic Installation
This option must be activated if the update process is to be completely automatic. If it is not selected, the
scanner will receive all updated files and store them, but it will not install the respective files, i.e. it will not be
up-to-date.

Internet Update
This option defines if the master is to check via Internet with the VM Updater of the Numara site if updated
files are available. This option is activated by default.
Local Update
If this option is activated the master checks locally, i.e. on its disk if it can find an update to install. This option
is activated by default. This option is applicable if the master server does not have a permanent Internet
connection. In this case you must check via another device with an Internet connection with the VM Updater
if a new update is available, download the update and store it locally on the master.
User
The user login to access the VM update service. The default login VMUPDATE is already filled in.
Password
The password corresponding to the above displayed user name. For security reasons the password is displayed
in the form of asterisks (*). This field is filled in by default with the corresponding password.

4 Click OK to confirm and close the window.


5 The automatic update is now configured and will be executed for the first time immediately and then at the
specified frequencies until you change them again.
(l) Manual Vulnerability Update
If the master does not have a permanent Internet connection it cannot use the automatic update procedure
detailed in the previous paragraph; instead it must be updated manually at regular intervals. For this, at least
one device within your network must have at least a temporary Internet connection to download the newest
vulnerability update file with which to bring your master and all scanners up-to-date. To manually update
proceed as follows:

Make sure that the parameter UpgradeWinPcap, located in the Numara Vulnerability Manager configuration file
VulnerabilityManager.ini, is activated (set to true). If this is not the case the manual vulnerability update
cannot be completely executed. By default this parameter is activated.

1 Open a browser window on a device with an Internet connection and enter the following link:
https://vmupdater.numarasoftware.com/vmupdate/v3/
2 Click the local option of the provided directories.
3 Enter the login name and password to access the requested page. This information was sent to you in an e-mail
from Numara Support.
4 A new page opens with only one link, the vmupdate_<update date>.upd file.

5 Download the file.


6 Then put the file in the following directory on the master:
<Installation Directory>\Master\upgrade\vulnerabilitymanager
If the directory vulnerabilitymanager does not yet exist create it.
7 Now open a NAMP console.
8 Go to the Vulnerability Management->Configuration->Update node and select the Options tab.

9 Select a line in the table in the right window pane and then the Edit->Properties menu option or the
corresponding icon in the icon bar.
10 The Properties popup window will appear on the screen.
11 Check the option Local Update.
12 If the scanners are to be updated automatically after the master update also check the option Automatic
Installation. If this option is not checked, the scanners will receive the update information and file, but they
will not update and install; this must then be executed manually.
13 Click OK to confirm the modifications and close the window.
14 Then select the Status tab.
15 This window shows the current status of the vulnerability module, i.e. if all required components are
up-to-date or if they require updating.
16 To update the master click the Edit->Update Now menu option or the corresponding icon in the icon bar.
17 A confirmation window appears on the screen.
18 Click OK to continue.
19 You can now follow the update progress in this window via the Status column, which is updated every 30
seconds and displays the different stages of the update process of all vulnerability components.
20 Once the master is updated the scanners will also be updated if you activated the Automatic Installation
option.
21 You can follow the update process of the scanner in the bottom box of the same view where the information
will also be displayed in the respective Status column.
22 Once the value Up to Date is displayed in all Status fields for the components as well as all defined
scanners the update process is completed.
15 Device Compliance Step-by-Step
Device compliance in the Numara Asset Management Platform is executed via the concept of compliance rules of
the Numara Compliance Manager. Compliance rules are made up of a series of criteria that correspond to the
conditions of your compliance policies. Compliance rules may contain only one very specific criterion or a
number of different criteria collected in groups that are put into a certain relation to each other.
However, before any device can be verified for its compliance the base data for compliance verification, i.e. the
inventories collecting this information, must be available.
This chapter is divided into the following sections:
• Compliance Rule Examples
• Compliance Reporting
• Rule Options

Prerequisites
We assume that:
• a browser is installed on your master.
• you have done the exercises in the chapters of Section I and are familiar with the general concepts of the
NAMP console and its workings.
• you have already done the exercises in the preceding chapters on Patch Management and Vulnerability
Management. As mentioned above the device compliance is based on the data available in the database, which
must have been collected by the respective inventories, before any evaluation may take place.

15.1 Compliance Rule Examples


The following paragraphs provide you with a number of sample compliance rules to execute in your network. As
already mentioned for most of these rules the respective inventories must already exist and we assume that this is
the case, i.e., has been done via the examples in the preceding chapters. If the database does not have the
respective values you may not be able to do some of the following exercises as the options will not be available in
the selection windows.
The compliance rule process consists of the following individual steps:
1 Collect the different types of inventory on the target devices.
2 Create the compliance rule with its criteria and relation.
3 Assign the rule to the targets for compliance evaluation.
4 Evaluate the compliance results on the compliance dashboard.
Specifically we will create the following compliance rules in this section:
1 Firewall Rule: This compliance rule checks if a device has a firewall installed that is active.
2 Patch and Vulnerability Inventory Rule: This compliance rule checks if a device has up-to-date patch and
vulnerability inventories.
3 Antivirus Software Rule: This rule verifies if an antivirus software is installed. It does not have to be one
specific application but must be one out of a list of 3 possible software applications.
4 Critical Patches Rule: This compliance rule will check if the devices listed for compliance verification have
all critical patches installed.
5 NAMP Client Installation Directory Rule: This rule checks that the Numara Asset Management Platform
software is actually installed in its default directory.

Rule 1: Firewall
This compliance rule will verify if the target device has a firewall installed that is active.
A compliance rule defines the criteria to which the target population has to correspond to be considered
compliant. These criteria are collected in groups, the criteria groups, which may contain any number of criteria.
This rule will only have one criteria group containing only one criterion.
Step 1: Create Compliance Rule
To create this compliance rule proceed as follows:
1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter Firewall into the Name field and then click the OK button.
5 The new compliance rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the compliance rule.
7 To add the compliance criteria select the Criteria tab to the right.
8 Currently the table is still empty.
9 To define the criteria choose the Edit->Add Criteria Group menu item or click the respective icon in the
icon bar.
10 The Criteria Group popup window will appear on the screen.
11 It provides access to the list of available criteria in the Criteria Group Definition box. The first line of this box
indicates the index number of the criteria group which is about to be defined, i.e. Criteria Group 1 in our case,
as we are only creating the first for this rule.
12 Enter Firewall into the Name field.
13 From the Class drop-down list select the Security Inventory option.

If the Security Inventory entry is not available you have not executed the respective example in the operational
rules chapter. To complete this example go to Rule 1: Inventory Management (page 50) and then complete this
example.

14 Then select the table from which the criteria are to be chosen from the Table field; in
our case this is the value Installed Firewalls.
15 The Available Criteria box below now displays all criteria available for the selected
class and table. Select the criterion Enabled.
16 Leave the preselected operator Equal to in the Operator drop-down box.
17 Click the Find button next to the Value field.
18 The Search Criteria window opens.
19 Click the Find button next to the Value field again.
20 The Results field now displays the possible values, TRUE and FALSE. Select the TRUE
value and click the OK button to close the window.
21 Then click the Add button to add the defined criterion to the Selected Criteria box.
22 Then click the OK button to add the criteria group to the compliance rule.
23 Above the table you can also see, that the Status field still displays the value inactive. All compliance rules
are inactive when they are created.
24 To activate the compliance rule select the green coloured option active instead of the currently displayed red
option inactive in the Status drop-down field.

Step 2: Assign the Compliance Rule to the Master and Evaluate


The compliance rule is now created and active and must be assigned to the devices which are to be verified for
compliance, in our example the master. Once the assignment is done, the rule will immediately verify if the
device is compliant to the specified criteria and display the result right away in the table.

To assign the compliance rule to a device group see Option (a) (page 384).

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created compliance
rule. The right window pane is empty since no devices have been assigned yet.
2 To assign a device select the Assign Device icon in the icon bar.
3 The Assign to Device popup window will appear on the screen.
4 Go to the All tab and select the master from the list.
5 The master will be added to the table in the right pane with the immediately calculated compliance result.
6 If the grey question mark icon remains in the table, click the Refresh icon to update the display.

Step 3: Analyse Result - Compliance Dashboard


You can analyse the details of the compliance results right away in this window. They are available via the
Properties window of the respective device. To view the result proceed as follows:

For results regarding an assigned device group see Option (d) (page 387).

1 Select the device in the right window pane.


2 Then either choose the Edit->Properties menu item or click the respective icon in the icon bar.
3 The Compliance Results window opens on the screen providing
compliance information on the device.
4 The symbol next to the device name indicates whether the device
complied with the requested criteria group: a green check mark if this
is the case, a red x if it is not.
5 The line below displays the operating system and the installed
service pack of the device.
6 The field Criteria Groups Causing Non-compliance lets you display
only those groups containing the criteria which cause the
non-compliance of the device. If the device is compliant this option
is not displayed.
7 The table Criteria Groups displays the following details:
Index
This field displays the index value for the defined criteria group.
Results
These fields indicate if the device complied to the respective
criteria group. Be aware, that a group may be evaluated as
compliant even if the overall compliance is negative or vice versa if the relation equation has the NOT
operator as the final operator.
Name
The fields of this column display the custom defined names of the criteria groups specified for this
compliance rule.
Table
The fields of this column display the names of the database table from which the criteria were chosen for
the criteria group.
8 The field Group Relation below displays the group relation as it was defined when the evaluation took place
for which the result is displayed in this window.
9 The Description box shows the details on the criteria defined for the selected criteria group in the table above.
10 Click OK to close the window.

Rule 2: Patch and Vulnerability Inventory


This compliance rule will verify if the target device has up-to-date patch and vulnerability inventories, i.e. both
are not older than two weeks.
A compliance rule defines the criteria to which the target population has to correspond to be considered
compliant. These criteria are collected in groups, the criteria groups, which may contain any number of criteria.
The rule also specifies in which relation the individual criteria groups stand to each other for compliance
evaluation. This rule will have two criteria groups with two criteria each that are related via the AND operator.
Step 1: Create Compliance Rule
To create this compliance rule proceed as follows:
1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon in the icon bar.
3 Enter Patch and Vulnerability Inventory into the Name field and then click the OK button.
4 The new compliance rule is added to the list of members in the right pane. Double-click it.
5 To add the compliance criteria select the Criteria tab to the right and select the Edit->Add Criteria Group
menu item or click the respective icon in the icon bar.
6 The Criteria Group popup window will appear on the screen.

7 Enter Patch Inventory into the Name field.


8 In the Class drop-down list leave the Basic option.
9 Then select the Inventory Update table from the Table field.
10 The Available Criteria box below now displays all criteria available for this table. Select
the criterion Inventory Type.
11 Leave the preselected operator Equal to in the Operator drop-down box.
12 Click the Find button next to the Value field.
13 The Search Criteria window opens.
14 It displays the possible values, i.e. the list of all inventory types. Select the Patch
Inventory option and then click the OK button to close the window.

If the Patch Inventory entry is not available you have not executed the respective
example in the operational rules chapter. To complete this example go to Rule 1:
Inventory Management (page 50) and then complete this example.

15 Then click the Add button to add the defined criterion to the Selected Criteria box.

Be aware, that within a criteria group only criteria of the same class and table may be created. To add criteria of
another class and/or table you must create another criteria group, put the desired criteria in and create the
necessary relation via the Group Relation box.

16 As a second criterion we will add a date criterion: The last inventory update must have taken place no more
than two weeks ago.
17 For this select the Update Date attribute in the Available Criteria box.
18 Leave the operator Greater than or equal in the Operator drop-down box.
19 To enter the dynamic time value of two weeks select the newly appeared Timeframe radio button.
20 Enter then the desired time value into the field next to it, i.e. -2 and select the corresponding unit from the
drop down list to the right, week.

You could also enter the same information with the following criteria values: Select the Less than or
equal Operator together with the time value of 2.

21 Then click the Add button to add the defined criterion to the Selected Criteria box.
22 The criteria group now has two criteria, i.e. to fulfil the requirements of this group, a device must have a patch
inventory executed and its last update date may not be older than the specified value.

All criteria within a criteria group are connected via the AND operator. To connect criteria with another
operator they must be put into different criteria groups and then be related via the group relation
equation.

23 Then click the OK button to add the criteria group to the compliance rule.
24 To now add the second criteria group for the vulnerability inventory select again the Edit->Add Criteria
Group menu item or the respective icon.
25 Enter Vulnerability Inventory into the Name field.
26 From the Class drop-down list select the Basic option.
27 Then select the value Inventory Update from the Table field.
28 Select the criterion Inventory Type from the Available Criteria box.
29 Leave the preselected operator Equal to in the Operator drop-down box.
30 Click the Find button next to the Value field.
31 The Search Criteria window opens.
32 It displays all inventories. Select the Vulnerability Inventory and click the OK button to close the window.

If the Vulnerability Inventory entry is not available you have not executed the respective example in the
vulnerability management chapter. To complete this example go to the respective chapter and Create a
Vulnerability Scan (page 327) and then complete this example.

33 Then click the Add button to add the criterion to the Selected Criteria box.
34 Then, same as above, select the Update Date attribute in the Available Criteria box.
35 Select the operator Greater than or equal in the Operator drop-down box.
36 To enter the dynamic time value of two weeks select the newly appeared Timeframe radio button.
37 Enter then the desired time value into the field next to it, i.e. -2 and select the corresponding unit from the
drop down list to the right, week.
38 Then click the Add button to add the defined criterion to the Selected Criteria box.
39 Then click the OK button.
40 The second criteria group is now also added to the compliance rule.
41 In the Group Relation box below you will now find the two groups - listed by their respective index values -
automatically related via the AND operator. This is due to the fact, that we have left the default operator above
the list field for the criteria groups with its standard value. We will leave the pre-entered syntax as it is, as our
devices are to comply to all criteria at the same time.

To create a less strict compliance rule in which the targets must only comply to one or the other of the
defined criteria groups, see Option (f) (page 388).

42 Next to this field above you can also see, that the Status field still displays the value inactive. All compliance
rules are inactive when they are created.
43 To be able to activate a compliance rule with more than one criteria group, the syntax of its group relation
equation must be verified to make sure that it is correct. To do so select the Edit->Verify Relation
menu item or click the respective icon in the icon bar.
44 The syntax entered into the Group Relation field will be verified immediately.
45 If it contains an error, a message box is displayed with an indication as to the error. If the syntax is correct, the
status bar at the bottom of the console window will display Done. This is the case here.
46 Now to activate the compliance rule select the green coloured option active instead of the currently
displayed red option inactive in the Status drop-down field.

Step 2: Assign the Compliance Rule to the Master and Evaluate


The compliance rule is now created and active and must be assigned to the devices which are to be verified for
compliance, in our example the master. Once the assignment is done, the rule will immediately verify if the
device is compliant to the specified criteria and display the result right away in the table.

To assign the compliance rule to a device group see Option (a) (page 384).

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created compliance
rule. The right window pane is empty since no devices have been assigned yet.
2 To assign a device select the Assign Device icon in the icon bar.
3 The Assign to Device popup window will appear on the screen.
4 Go to the All tab and select the master from the list.
5 The master will be added to the table in the right pane with the immediately calculated compliance result.
6 If the grey question mark icon remains in the table, click the Refresh icon to update the display.

Step 3: Analyse Result - Compliance Dashboard


You can analyse the details of the compliance results right away in this window. They are available via the Properties
window of the respective device. To view the result proceed as follows:

For results regarding an assigned device group see Option (d) (page 387).

1 Select the device in the right window pane.


2 Then either choose the Edit->Properties menu item or click the
respective icon in the icon bar.
3 The Compliance Results window opens on the screen providing
compliance information on the device.
4 The symbol next to the device name indicates via a green check mark that the device
complied with the requested criteria group.
5 The line below displays the operating system and the installed service
pack of the device.
6 The field Criteria Groups Causing Non-compliance will not be
displayed in this case, as there is no non-compliant criterion.
7 The table Criteria Groups displays the following details:
Index
This field displays the index value for the defined criteria group.
Results
These fields indicate if the device complied to the respective criteria
group. Be aware, that a group may be evaluated as compliant even if
the overall compliance is negative or vice versa if the relation
equation has the NOT operator as the final operator.
Name
The fields of this column display the custom defined names of the
criteria groups specified for this compliance rule.
Table
The fields of this column display the names of the database table from which the criteria were chosen for
the criteria group.
8 The field Group Relation below displays the group relation as it was defined when the evaluation took place
for which the result is displayed in this window.
9 The Description box shows the details on the criteria defined for the selected criteria group in the table above.
10 Click OK to close the window.

Rule 3: Antivirus Software


This compliance rule will verify if the target device has an antivirus software installed. It does not have to be a
specific software but must be one out of the three which are allowed by the company policy. This rule will have
three different groups, one for each of the possible antivirus software applications with one criterion each.
Step 1: Create Compliance Rule
To create this compliance rule proceed as follows:
1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon in the icon bar.
3 Enter Antivirus Software into the Name field and then click the OK button.
4 The new compliance rule is added to the list of members in the right pane. Double-click it.
5 To add the compliance criteria select the Criteria tab to the right.
6 Currently the table is still empty.
7 Here we will create one criteria group per allowed antivirus software. And as the devices do not have to fulfil
all of the three criteria groups but only one of them we will first modify the default operator:
8 From the drop-down field Default Operator select the OR option.
9 Now, to define the criteria groups and their criteria choose the Edit->Add Criteria Group menu item or click
the respective icon in the icon bar.
10 The Criteria Group popup window will appear on the screen.
11 The first allowed antivirus software in our example is Norton, therefore enter Norton Antivirus into the Name
field.
12 From the Class drop-down list select the Software Inventory option.
13 This class only has one table, Installed Software, that is already preselected.
14 Select the criterion Name from the Available Criteria box below.
15 Leave the preselected Equal to operator in the Operator drop-down box.
16 Click the Find button next to the Value field.
17 The Search Criteria window opens.
18 Select the Contains operator from the drop-down field. If you know the exact name as it
is stored in the software inventory, you can leave the Equal to operator.
19 Enter part of the name into the Value field, i.e. Norton, otherwise you will get the
complete list of installed software applications in your network.
20 Click the Find button next to the Value field again.
21 The Results field now displays the list of software applications found in the database
that correspond to your value entry. Select the Norton entry and click the OK button to
close the window.
22 Then click the Add button to add the defined criterion to the Selected Criteria box.
23 Click OK to add the criteria group to the compliance rule.
24 To now add the second and third criteria group for the McAfee and Trendmicro Antivirus
software programs repeat steps 9 to 23 by entering the respective values.

To add more criteria to the specified criteria groups see Option (c) (page 386).

25 In the Group Relation box below you will now find the three groups - listed by their respective index values -
automatically related via the OR operator, as this was chosen for the default operator. We will leave the
pre-entered syntax as it is, as our devices must only comply with one of the three listed criteria. However, the device
will also be compliant if more than one of the required antivirus applications are installed.

See Option (g) (page 389) to create a group relation under which a device is compliant only if exactly ONE of the
listed antivirus applications is installed.

26 Now verify the group relation by selecting the Edit->Verify Relation menu item or the respective icon in
the icon bar.
27 The syntax entered into the Group Relation field will be verified immediately and the status bar at the bottom
of the console window should display Done.
28 Activate the compliance rule by selecting the green coloured option active instead of the currently displayed
red option inactive in the Status drop-down field.

Step 2: Assign the Compliance Rule to the Master and Evaluate


The compliance rule is now created and active and must be assigned to the devices which are to be verified for
compliance, in our example the master. Once the assignment is done, the rule will immediately verify whether the
device is compliant with the specified criteria and display the result right away in the table.

To assign the compliance rule to a device group see Option (a) (page 384).

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created compliance
rule. The right window pane is empty since no devices have been assigned yet.
2 To assign a device, select the Assign Device icon ( ) in the icon bar.
3 The Assign to Device popup window will appear on the screen.
4 Go to the All tab and select the master from the list.
5 The master will be added to the table in the right pane with the immediately calculated compliance result.
6 If the grey question mark icon remains in the table, click the Refresh icon ( ) to update the display.

Step 3: Analyse Result - Compliance Dashboard


You can analyse the details of the compliance results right away in this
window; they are available via the Properties window of the respective
device. To view the result proceed as follows:

For results regarding an assigned device group see Option (d) (page
387).

1 Select the device in the right window pane.


2 Then either choose the Edit->Properties menu item or click the
respective icon ( ) in the icon bar.
3 The Compliance Results window opens on the screen providing
compliance information on the device.
4 In the screenshot to the right you can see that the example device is
compliant: it complies with one of the requested criteria groups, as it has
the Norton Antivirus software installed.
5 Click OK to close the window.

Rule 4: Critical Patches


This compliance rule will check if the devices listed for compliance
verification have critical patches installed. This compliance rule again has only one group with one criterion.
Step 1: Create Compliance Rule
To create this compliance rule proceed as follows:
1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon ( ) in the icon bar.
3 Enter Critical Patches into the Name field and then click the OK button.
4 The new compliance rule is added to the list of members in the right pane. Double-click it.
5 To add the compliance criteria select the Criteria tab to the right and select the Edit->Add Criteria Group
menu item or click the respective icon ( ) in the icon bar.
6 The Criteria Group popup window will appear on the screen.

7 Enter Critical Patches into the Name field.


8 In the Class drop-down list select the Patch Inventory option.

If the Patch Inventory entry is not available you have not executed the respective example in the operational
rules chapter. To complete this example go to Rule 1: Inventory Management (page 50) and then complete
this example.

9 Leave the preselected Missing Patches table.


10 Select the criterion Severity from the Available Criteria box below.
11 Leave the preselected operator Equal to in the Operator drop-down box.
12 Click the Find button ( ) next to the Value field.
13 The Search Criteria window opens.
14 It displays the possible values, i.e. the list of all grades of severity. Select the Critical
option and then click the OK button to close the window.
15 The selected option now appears in the Value field to the left.
16 Then click the Add button ( ) to add the defined criterion to the Selected Criteria box.
17 Click OK to add the criteria group to the rule.

This criterion will check the patches for all available applications and operating
systems. To limit this to the Windows operating systems see Option (h) (page 389).
To limit this to Microsoft patches including those which are important see Option (h)
(page 389).

18 In the Group Relation box below 1 is entered, the index value for the specified group. To
check now that all critical patches are installed, we must make sure that the inventory of missing patches does
NOT contain any patches with this severity, therefore the following relation equation must be entered:
NOT 1
19 Now verify the group relation by selecting the Edit->Verify Relation menu item or the respective icon ( ) in
the icon bar.
20 The syntax entered into the Group Relation field will be verified immediately and the status bar at the bottom
of the console window should display Done.
21 Activate the compliance rule by selecting the green coloured option active instead of the currently displayed
red option inactive in the Status drop-down field.

Step 2: Assign the Compliance Rule to the Master and Evaluate


The compliance rule is now created and active and must be assigned to the devices which are to be verified for
compliance, in our example the master. Once the assignment is done, the rule will immediately verify whether the
device is compliant with the specified criteria and display the result right away in the table.

To assign the compliance rule to a device group see Option (a) (page 384).

1 Click the Assigned Objects, then Devices node in the left window pane under your newly created compliance
rule. The right window pane is empty since no devices have been assigned yet.
2 To assign a device, select the Assign Device icon ( ) in the icon bar.
3 The Assign to Device popup window will appear on the screen.

4 Go to the All tab and select the master from the list.
5 The master will be added to the table in the right pane with the immediately calculated compliance result.
6 If the grey question mark icon remains in the table, click the Refresh icon ( ) to update the display.

Step 3: Analyse Result - Compliance Dashboard


You can analyse the details of the compliance results right away in this
window; they are available via the Properties window of the respective
device. To view the result proceed as follows:

For results regarding an assigned device group see Option (d) (page
387).

1 Select the device in the right window pane.


2 Then either choose the Edit->Properties menu item or click the
respective icon ( ) in the icon bar.
3 The Compliance Results window opens on the screen providing
compliance information on the device.
4 In the screenshot to the right you can see that the example device is not
compliant, indicated by the large red X.
5 However, in the criteria groups box below, the one criteria group itself
is marked as compliant. This group looks for critical patches in the
missing patch inventory and the device has at least one.
The non-compliance in this case is caused by the relation shown in the
Group Relation box below, which is defined as NOT 1. This means that
if group 1 is compliant, the overall result is NOT compliant; if group 1
were not compliant, the overall result would be evaluated as compliant.
6 Click OK to close the window.

Rule 5: NAMP Client Installation Directory


This compliance rule checks that the NAMP client is installed in its default directory and it also finds all devices
from which the software was removed.
This rule will use a constant instead of entering a value or selecting it from the lists provided by the search
functionality. This rule will have two criteria groups.
Step 1: Create Compliance Constant
Compliance constants can be used in criteria as placeholders for values. The constants defined here may be used
in any compliance rule to be defined. To create the constant that represents the Numara Asset Management
Platform installation directory proceed as follows:
1 Select the Configuration node and its Constants tab.
2 Select the Edit->Create Constant menu item or select the respective icon ( ) in the toolbar.

3 The Properties dialog box appears on the screen.


4 Enter the following data into the respective fields.
Name
Enter PATH NAMP Client as the constant name.
Type
Select the String value from the dropdown list as the constant's type.
Value
Enter C:\Program Files\Numara Software\Numara AMP as the value that the constant represents.
5 Click the OK button at the bottom of the window to confirm the data for the new constant or click Cancel to
abandon without modifications and to close the window.
6 The constant is now added to the table in the right window pane.

Step 2: Create Compliance Rule


The next step is to create the compliance rule:
1 Select the Compliance Management top node in the left window pane.
2 Click on the Create Compliance Rule icon ( ) in the icon bar.
3 The Properties dialog box appears on the screen.
4 Enter NAMP Client Installation Directory into the Name field and then click the OK button.
5 The new compliance rule is added to the list of members in the right pane. Double-click it.
6 In the now displayed General tab you can review the basic information of the compliance rule.
7 To add the compliance criteria select the Criteria tab to the right.
8 Currently the table is still empty.
9 As the first step change the Default Operator to OR, as this rule is to find those devices on which the client is
installed in a wrong directory OR not installed at all. If we leave the operator at AND, both conditions have to
be true which is not possible.
10 To define the criteria choose the Edit->Add Criteria Group menu item or click the respective icon ( ) in the
icon bar.
11 The Criteria Group popup window will appear on the screen.
12 Enter Client Path into the Name field. This group will find all devices on which the client is installed in the
specified directory.
13 From the Class drop-down list select the Software Inventory option.

14 Then select the table from which the criterion is to be chosen from the
Table field, i.e. in our case this is the value Installed Software.
15 The Available Criteria box below now displays all criteria available for
the selected class and table. Select the criterion Installation Directory.
16 Leave the preselected operator Equal to in the Operator drop-down
box.
17 Click the Constant button ( ) next to the Value field.
18 The Constants window opens displaying all defined constants.
19 Select the PATH NAMP Client value and click the OK button to close
the window.
20 Then click the Add button ( ) to add the defined criterion to the
Selected Criteria box.

21 Now select the criterion Name from the list of Available Criteria.
22 Click the Find button ( ) next to the Value field.
23 The Search Criteria window opens.
24 Select the value Starts with from the Operator dropdown list and enter n into the Value field.
25 Click the Find button ( ) next to the Value field.
26 The Results field now displays the possible values, i.e. the list of all installed software applications that start
with the letter "n". Select the Numara Asset Management Platform Agent option and then click the OK
button to close the window.
27 The selected option now appears in the Value field to the left.
28 Then click the Add button ( ) to add the defined criterion to the Selected Criteria box.
29 Click OK to add the criteria group to the rule.
30 Then click the OK button to add the criteria group to the compliance rule.
31 To add a second criteria group that will find all devices on which the NAMP Client is installed click the Edit-
>Add Criteria Group menu item or icon ( ) again.
32 The Criteria Group popup window will appear on the screen.
33 Enter Client Installed into the Name field. This group will find all devices on which the client is installed in
the specified directory.
34 From the Class drop-down list select the Software Inventory option.
35 Then select the table from which the criterion is to be chosen from the Table field, i.e. in our case this is the
value Installed Software.
36 The Available Criteria box below now displays all criteria available for the selected class and table.
37 Select the criterion Name from the list of Available Criteria.
38 Click the Find button ( ) next to the Value field.
39 The Search Criteria window opens.

40 Select the value Starts with from the Operator dropdown list and enter n into the Value field.
41 Click the Find button ( ) next to the Value field.
42 The Results field displays the same list again, select the Numara Asset Management Platform Agent option
again and then click the OK button to close the window.
43 The selected option now appears in the Value field to the left.
44 Then click the Add button ( ) to add the defined criterion to the Selected Criteria box.
45 Click OK to add the criteria group to the rule.
46 The table to the right now displays both criteria groups.
47 To activate the compliance rule select the green coloured option active instead of the currently displayed red
option inactive in the Status drop-down field.

Step 3: Assign the Compliance Rule to a Group and Evaluate


The compliance rule is now created and active and must be assigned to the devices which are to be verified for
compliance, in our example the group Clients and Relays. We cannot use the group All Devices as this one
includes the master, which, of course, does not have the NAMP client installed and therefore would always make
the group non-compliant. Once the group assignment is done, the rule will immediately verify whether the devices are
compliant with the specified criteria and display the result right away in the table.
1 Click the Assigned Objects, then Device Groups node in the left window pane under your newly created
compliance rule. The right window pane is empty since no devices have been assigned yet.
2 To assign a device group, select the Assign Device Group icon ( ) in the icon bar.
3 The Assign to Device Group popup window will appear on the screen.
4 Select the group Clients and Relays from the list.

5 The Clients and Relays group will be added to the table in the right pane with the immediately calculated
compliance result.

6 Double-click the group to display the members in the table.


7 If the grey question mark icons remain in the table, click the Refresh icon ( ) to update the display.
8 This view shows all member devices with their individual evaluation result.

9 Now select the Results tab.


10 This displays the overall result of the group in the form of a pie chart.

15.1 Compliance Reporting


Once data on the compliance situation on individual devices and the network in general is available it may be
summarised or detailed by reports. The NAMP console provides a number of report templates specifically for
compliance management, which will be explained in the following paragraphs.
We will create and generate some examples of the available templates. You may also create your own style-based
reports as explained in the Report chapter earlier in this manual. For a detailed explanation on all available
templates refer to chapter Compliance Report Templates on page 55 of the Device Compliance manual.
Report 1: Executive Compliance Summary
This report is already created via the out-of-the-box objects, ready to be assigned to a target and to be generated.
Proceed as follows:
1 Open the Compliance folder under the Reports node in the left window pane and select the report Executive
Compliance Summary.
2 Go to its Assigned Objects->Compliance Rules node.

3 Either choose the Edit->Assign Compliance Rule menu item or click the respective icon ( ) in the icon bar.
4 The Assign a Compliance Rule popup window will appear on the screen.
5 Select the Patch and Vulnerability Inventory rule from the window.

6 Click OK to confirm the assignment and close the window.


7 The compliance rule will be added to the table of assigned compliance rules.
8 Then go back to the Executive Compliance Summary report node in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.

This window allows you to select the format in which the report will be generated. By default this is HTML.
Here you may choose to generate the report in PDF and/or XML, in addition to or instead of HTML, by checking the respective boxes.

11 The report will be created immediately using the current data in the database concerning the assigned
compliance rule.

The report result which is generated will be put in all the required places according to the reports settings. This
means it will be available under the Report Results node of the report, as well as under that of the compliance
rule it is assigned to.

12 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
13 The generation of this type of report may take a little while; therefore reselect the icon until the report appears.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report.
This report displays the compliance rule executive summary.
• Overall Information
• Compliance Rule Summary
Overall Information
The table regarding the overall information displays the contents of the compliance rule by criteria group, i.e. it
lists the criteria groups and their relation as well as their criteria and all their connected data and the number of
devices that are assigned to the rule.

Compliance Rule Summary


The summary is presented in form of a pie chart displaying the overall compliance situation of all evaluated
devices via its red, green, blue and grey parts.

Report 2: Compliance by Device


This report is also already created via the predefined out-of-the-box objects and only requires generation:
1 Select the Compliance by Device in the left window pane.
2 Go to its Assigned Objects->Compliance Rules node.
3 Either choose the Edit->Assign Compliance Rule menu item or click the respective icon ( ) in the icon bar.
4 The Assign a Compliance Rule popup window will appear on the screen.
5 Select the Patch and Vulnerability Inventory rule from the window.
6 Click OK to confirm the assignment and close the window.

7 The compliance rule will be added to the table of assigned compliance rules.
8 Then go back to the Compliance by Device report in the left window pane.
9 Select the Edit->Generate Report menu item or the respective icon ( ) in the icon bar.
10 A confirmation window appears on the screen, click the OK button to confirm.
11 The report will be created immediately using the current data in the database concerning the assigned
compliance rule.
12 To view the report select the Edit->View Last Result menu item or the respective icon ( ) in the icon bar.
13 The generation of this type of report may take a little while; therefore reselect the icon until the report appears.
14 Enter your login again in the window that appears.
15 A new browser window or tab opens and displays the report.
This report displays the criteria compliance for each device.
• Overall Information
• Devices
Overall Information
The table regarding the overall information displays the contents of the compliance rule by criteria group, i.e. it
lists the criteria groups and their relation as well as their criteria and all their connected data.

Devices
This part shows the compliance situation per device via a table providing more information on the individual
device.

15.2 Rule Options


The following paragraphs will provide you with a number of options that may be used to modify the compliance
rule application.
(a) Assign a Compliance Rule to a Device Group
Instead of assigning a compliance rule to an individual or a number of individual devices for compliance
evaluation you may assign it to a group, preferably dynamic.

Dynamic groups are maintained either via a directory server or a query and their members are updated regularly.
For more information refer to chapter Queries and Device Groups Step-by-Step earlier in this manual. You will
also find the guidelines there on how to create the group we will be using for the rule assignment in this example.
Assigning an operational rule such as the inventory collection will ensure that all devices fulfilling specified
requirements will apply this rule, without you having to specifically tell them to do so.

Proceed as follows to assign the Critical Patches rule (Rule 4) to a group containing All Devices of your network:
1 At Step 2: open the node Compliance Rules->Critical Patches->Assigned Objects->Device Groups.
2 Select the Edit->Assign Device Group menu item or click the respective icon ( ) in the icon bar.
3 The Assign to Device Group popup window appears on the screen.
4 Select the All Devices group from the list in the Available Objects box.

5 Click OK to confirm and close the window.


6 In the right window pane you can now see the device group to which the rule was assigned.

7 If you double-click the group entry it will open in the left window pane and display the list of all devices
which are a member of the selected group and their compliance status.

(b) Create Device Groups based on a Compliance Rule


You can create dynamic device groups based on the results of a compliance rule:
• a device group collecting all devices assigned to the compliance rule that are compliant,
• a device group collecting all devices assigned to the compliance rule that are not compliant,
• a device group collecting all devices assigned to the compliance rule that could not be evaluated, as the
required data is missing in the database.

Once such a group is created its members are updated each time the compliance rule is evaluated. All the possible
groups listed above are created in the same way as described below in the example for a device group with
compliant devices:
1 Go to the Compliance Management top node in the console.
2 Select the compliance rule for which you want to create a new device group in the right window pane.
3 Either select the Edit->Create Device Group - Compliant menu item or select the respective icon ( ) in the toolbar.
4 The new group will be automatically created directly under the main Device Groups node with the same name
as that of the compliance rule followed by the suffix (Compliant) to be able to distinguish it, if a non
compliant and/or not evaluated group is created as well. The non compliant group will have the suffix (Not
Compliant) and the group for which the evaluation was impossible (Evaluation Impossible).
5 Now go to the main Device Groups node.
6 You will find the newly created group directly under the main node.
7 If the compliance rule is renamed, the device group will automatically also be renamed.
8 You may rename the device group if necessary and as long as you do not unassign the group from the
compliance rule the group membership will still be updated with each rule evaluation. However, if the
compliance rule is renamed, the new custom defined device group name remains.
(c) Add More Criteria to a Compliance Rule
Once a compliance rule is created and the devices were evaluated you might find that it is missing some criteria
or might be made more efficient using some more or others. When modifying a rule the following steps need to be
executed:
1 Modify the contents of the Antivirus Software rule (Rule 3).
2 Re-evaluate the rule for the assigned target.
Step 1: Modify the Contents of the Antivirus Software Rule
For our example we will modify the Antivirus Software rule by adding a specific version number to each of the
antivirus applications:
To do so proceed as follows:
1 Open the node Compliance Rules->Antivirus Software and go to the Criteria tab.
2 In the right window pane you can see all the criteria groups which are currently defined for this rule.

3 Select the first criteria group in the table, i.e. the Norton Antivirus group.
4 Now select the Edit->Properties icon ( ).

5 The Criteria Group popup window will appear on the screen containing the
already defined criterion in the list field to the right.
6 The Name and Class fields are already
preselected and may not be changed, as
within a criteria group only criteria of one
table may be selected.
7 Select the criterion Version from the
Available Criteria box.
8 Leave the preselected Equal to operator
in the Operator drop-down box.
9 Below in the Value field enter the required
version number or search for it and add it
via the Search Criteria window.
10 Then click the Add button ( ) to add the
defined criterion to the Selected Criteria box.
11 Now click the OK button to close the window and confirm the modifications to the criteria group of the
compliance rule.
12 Now select the next criteria group in the table and repeat steps 4 to 11 for both other groups.

Step 2: Re-evaluate Targets


Whenever a compliance rule was modified in any way, i.e. its contents have changed, the targets assigned to the
rule must be re-evaluated. To do so proceed as follows:
1 Click the Assigned Objects, then Devices node in the left window pane under the Antivirus Software rule.
2 Select the already assigned master in the table.
3 Then click the Evaluate icon ( ) in the icon bar.
4 The selected device will immediately be re-evaluated with the newly defined criteria and the result be
displayed in this view.
(d) Device Group Results
Device group results are best viewed in the Results tab of the compliance rule. It displays the result of the
compliance test of all assigned objects, i.e. devices and/or groups in form of a pie chart with some additional
information. The pie chart is displayed in red, green, blue and grey, green representing all devices which are
compliant, red all non-compliant devices, blue all devices that could not be evaluated due to missing data and
grey those that have not yet been evaluated.

Number of devices
This field displays the total number of devices assigned to the rule.
Compliant
The percentage value of all assigned devices which are compliant.
Not Compliant
The percentage value of all assigned devices which are not compliant.
Evaluation Impossible
The percentage value of all assigned devices which could not be evaluated, as the required data are not yet
available in the database. This applies only to inventories which are not yet generated. Inventories that are
empty, such as patch or vulnerability, because the device has no patches missing and no existing
vulnerabilities, will be evaluated compliant or not compliant.
Not Evaluated
This value displays the number of devices as a percentage value that were not yet evaluated on their
compliance.
Last Evaluation Date
This field displays the date and time of the last evaluation of the compliance rule.
This same view is also available if only an individual device is evaluated, however, the graphic in this case is not
really interesting.
(e) Evaluate
It is possible at any time to launch a manual reevaluation of the complete population assigned to a compliance
rule. To do so proceed as follows:
1 Either choose the Edit->Evaluate menu item or click the respective icon ( ) in the icon bar.
2 The scores will now be reevaluated for all assigned devices and the display will be updated.
(f) OR Operator
To define a group relation under which a device is compliant if it fulfils one out of the two criteria groups,
enter the following equation in the Group Relation field:
1 OR 2
In this example this indicates that a device on which the inventory of missing patches was executed no longer
than two weeks ago is compliant even if no vulnerability scan was ever executed on it or vice versa.

(g) Exclusive OR
To define a group relation that defines that a device is compliant if it has one, but ONLY one of the listed software
applications installed enter the following equation in the Group Relation field:
(1 OR 2 OR 3) AND ((1 AND NOT 2 AND NOT 3) OR (2 AND NOT 1 AND NOT 3) OR (3 AND NOT 1 AND NOT 2))
If this group relation equation is used for the example then any device on which none of the listed 3 antivirus
applications is installed is not compliant, even if it has another antivirus installed, such as AVG. Neither are
devices compliant, which have more than one antivirus of the 3 listed applications installed, e.g. a device on
which McAfee and Trendmicro are installed is not compliant, however a device on which Trendmicro and AVG
are installed is compliant, as AVG is not part of the requirements.
(h) Critical Patches for Windows
To limit the verification of Rule 4: to all Windows operating systems another criterion must be added to the rule
and its existing criteria group.
1 Before Point 17 (page 375) the following second criterion must be added to the group:
2 In the Available Criteria box select the criterion Product Family.
3 Select the operator Contains in the Operator drop-down box.
4 Enter the value Windows into the Value field. Thus the rule will verify only those patches that concern any
type of Windows operating system.
5 Then click the Add button ( ) to add the defined criterion to the Selected Criteria box.
6 Continue with step 17.
(i) Critical and Important Patches for IE
To limit the verification of Rule 4: to the Microsoft Internet Explorer and also add the important patches as a
requirement some more criteria groups must be added to the rule.
1 After Point 17 (page 375) the following criteria groups must be added to the rule:
2 Another group of the same type must be created for the severity Important.
3 Select the Edit->Add Criteria Group menu item or click the respective icon ( ) in the icon bar.
4 The Criteria Group popup window will appear again on the screen.
5 Enter Important Patches into the Name field.
6 In the Class drop-down list select the Patch Inventory option.
7 Select the criterion Severity.
8 Leave the preselected operator Equal to in the Operator drop-down box.
9 Click the Find button ( ) next to the Value field.
10 The Search Criteria window opens.
11 The Results field now displays the possible values, i.e. the list of all grades of severity. Select the Important
option and then click the OK button to close the window.
12 Then click the Add button ( ) to add the defined criterion to the Selected Criteria box.
13 Click OK to add the criteria group to the rule.
14 To add the criterion for the Internet Explorer select the Edit->Add Criteria Group menu item or click the
respective icon ( ) in the icon bar.
15 The Criteria Group popup window will appear again on the screen.
16 Enter Internet Explorer into the Name field.
17 In the Class drop-down list select the Patch Inventory option.
18 Then in the Available Criteria box select the criterion Product Family.
19 Click the Find button ( ) next to the Value field.
20 The Search Criteria window opens.
21 Click the Find button ( ) next to the Value field again.
22 The Results field now displays the possible product families. Select the Internet Explorer option and then
click the OK button to close the window.
23 Then click the Add button ( ) to add the defined criterion to the Selected Criteria box.
24 Click OK to add the criteria group to the rule.

25 Now in the Group Relation box enter the following equation:
NOT ((1 AND 3) AND (2 AND 3))
1 being the critical patches, 2 the important ones and 3 Internet Explorer.
26 Continue with step 17.
16 Setting Up Security
Security in the Numara Asset Management Platform must be set up on two different levels: on the clients and on
the console.

16.1 Capabilities and Access Rights


The security of the console is enforced through the administrators and administrator groups registered in the
Numara Asset Management Platform database.
Each administrator and administrator group has a CCL (Capability Control List) which dictates what it can do.
The administrators and administrator groups nodes and their capability definitions specify the access to the
console in general, i.e. who may interrogate or manipulate the database and its contents.
The access of administrators to objects is restricted by an ACL (Access Control List) with the following access types: READ, WRITE and ASSIGN. The Security Profile node or the Security tab defines these access rights for specific objects.
When you log on to the console for the first time and go to the Administrators node under the Global Settings
node you will find two administrators have already been created:
admin
The admin user is equipped with all permissions and capabilities, i.e. it has full access rights on all objects in the database. It may not be deleted; its password may be modified, but not its capabilities. It may also be regarded as the superadministrator.
system
The system user is the login used by the master server itself for all database actions which it executes
automatically, such as those of the data mover or autodiscovery module. None of its settings may be modified.
The icon of this administrator is greyed out to indicate that the account is not activated.

16.2 Security Considerations


Before you start to create administrators and groups, you should sketch your system and the people administrating it, and establish a list of all tasks to be executed and by whom. This defines which administrators and groups to create and which capabilities and access rights to assign to them.
Considerations to be taken into account when defining the access rights to the objects for each administrator are the following:
1 Capabilities:
• Which object types is the administrator or group concerned with?
• Which other objects are implicated through the original object? For example, when you create or modify queries, do you also need to be able to see the queries' object type?
• What operations is the administrator or group to execute on the object type: only see it, or be able to do something with it, such as creating new objects of this type, modifying existing ones or deleting them, being able to assign them to objects of other types, etc.?
2 Access Rights:
• Which top nodes does the administrator need access to? Is it easier to provide access via a group and then populate it accordingly?
• For which object types is it necessary to create queries to make sure any newly created objects of the type will be accessible by administrators through the dynamic objects?
• To which other object types do you need at least read access, e.g.,
  - for reports you need at least read access to some queries, devices and device groups,
  - for operational rules and packages you need read access to some device groups and devices.
• No general security is specified for the following main nodes: Administrators, Administrator Groups and Directory Servers; the security is specified via their members. All these nodes are located under the Global Settings.

16.3 Basic Operation Principles


The following list shows which capability and access types are needed for which basic operation. The capabilities and access rights listed are the minimum requirements to execute these operations; the administrator may of course have more extensive permissions. For example, where Write Deny is specified, this means that no write access is necessary to execute the operation, although the administrator may be assigned write access to these objects anyway.
Groups are divided into two types: those with and those without the Populate capability. User and device groups have the additional capability Populate. The capabilities for administrator groups are the same as for administrators, thus they do not have the Populate capability. Vulnerability groups do not have this capability either; they collect their members according to specific criteria. Administrator and vulnerability groups are treated not as groups but as folders; to learn about their basic operating principles, see the explanations concerning folders in the following paragraphs.
Also be aware that, to be able to assign or modify access rights for other administrators, you must also be assigned the capability Manage Security.
Create/Delete an Object in a Folder
When you want to create an object within a folder or delete one from a folder you need the following capabilities
and access rights:
• View and manage capabilities of the object type,
• Write access on the object under which the new one is created.
By default the administrator creating the new object has read/write/assign access on this new object.
Example:
To create a new operational rule under a folder called My Operational Rules or to delete it you need:
Capabilities
• View Operational Rules
• Manage Operational Rules
Access Rights
• Read Allow, Write Deny on the Operational Rules top node,
• Read Allow and Write Allow on the folder My Operational Rules.
Create/Delete an Object in/from a Group
To create an object within a group or to delete it from there you need the following capabilities and access rights:
• View and populate capabilities on the group.
• Write access on the object itself and its parent.
Example:
To delete a device called MyDevice from the group called AllMyDevices you need:
Capabilities
• View Devices and Device Groups
• Manage Devices
• Populate Device Groups
Access Rights
• Read Allow, Write Deny on the Device Groups top node,
• Read Allow and Write Allow on the group AllMyDevices and the device called MyDevice.
Modify an Object
To modify the attributes of an object you need the following capabilities and access rights:
• View and manage capabilities of the object type,
• Read and write access on the object.
Export an Object
To export an object from the console you need the following capabilities and access rights:
• View capability of the object type,
• Read access on the object to be exported.
Import an Object
When you want to import an object you need the following capabilities and access rights:
• View and manage capabilities of the object type,
• Write access on the object under which the new one is imported (created).
By default the administrator importing the object has read/write/assign access on this new object.
Manage Access Rights (Security) of an Object
To be able to modify the security profile of an object you need the following capabilities and access rights:
• View and manage Security Profile capabilities,
• View capability on administrators,
• View capability on the object type,
• Write access on the object for which the access rights are to be modified.
Example:
To modify the access rights administrator France has on a specific device, the MasterServer, you need the
following permissions:
Capabilities
• View and manage Security Profile capabilities,
• View capability on administrators,
• View capability on devices.
Access Rights
• Read Allow, Write Deny on the Device Groups top node,
• Read Allow and Write Allow on the device MasterServer.
Add an Object to/Remove an Object from a Folder
To add an object to or remove an object from a folder you need the following capabilities and access rights:
• View and manage capabilities on the object type,
• Read and write access on the parent object to/from which the child object is to be added/removed and Read
access on the child.
Example:
To add a query, AllDevices, to an existing folder, General Queries, you need:
Capabilities
• View Queries
• Manage Queries
Access Rights
• Read Allow, Write Deny on the Queries top node,
• Read Allow and Write Allow on the folder General Queries and Read Allow on the query AllDevices.
Add an Object to/Remove an Object from a Group


To add an object to or remove it from a group you need the following capabilities and access rights:
• View and populate capabilities on the group (parent object type), and view capability on the member (child
object type),
• Read and write access on the group (parent object) to/from which the member (child object) is to be added, and
read access on the child.
Example:
To add a device, MyDevice, to an existing device group, MyGroup, you need:
Capabilities
• View Device Groups
• Populate Device Groups
• View Devices
Access Rights
• Read Allow, Write Deny on the Device Groups top node,
• Read Allow and Write Allow on the device group MyGroup,
• and Read Allow on the device MyDevice.
Cut and Paste an Object
The cut and paste operation on an object is divided into two different actions: the cut action and the paste action,
as cut objects, depending on their type, may be pasted under more than one parent object.
• View and manage or populate (for device and user groups) capabilities on the object type
• Read and write access on the old and new parent object, read access on the object to be cut and pasted.
Example:
In this example we will cut the My Operational Rule object from its current parent, the My Operational Rules
folder and paste it under a new folder called Test Rules.
Capabilities
• View Operational Rules
• Manage Operational Rules
Access Rights
• Read Allow, Write Deny on the Operational Rules top node,
• Read Allow and Write Allow on the objects Test Rules and My Operational Rules,
• as well as Read Allow on the My Operational Rule object.
Copy and Paste an Object (Duplication)
Similar to the cut and paste operation, the copy and paste operation is also split into two operations. Only administrators, devices, users and device and user groups can be copied from one location to another (be duplicated), as they can be members of more than one group. You may also duplicate members of folders, but in this case the pasted member must be given a new name.
• View and manage or populate (for device and user groups) capabilities of the object type,
• Read and write access on both the old and the new parent, and read access on the object to be copied.
A duplicating operation on an object requires exactly the same permissions regarding capabilities and access rights as the copy and paste operation.
Example:
For the following example we want to copy a device, which belongs to a group called HQ Devices to another group
called Servers.
Capabilities
• View Device Groups
• Populate Device Groups
• View Devices
Access Rights
• Read Allow, Write Deny on the Device Groups top node,
• Read and Write Allow on the group HQ Devices as well as Read and Write Allow on the group Servers.
• Read Allow on the device.
Synchronise with a Directory Server
All groups, including the administrator groups, may be synchronised with a directory server in NAMP. For this the administrator needs the following capabilities and access rights:
• View, manage and populate capabilities on device/user groups (parent), or view and manage capabilities on
administrators (parent),
• View capability on devices/users,
• View and manage capability on directory servers (child)
• Read and Write access on the device/user group (parent), or Read and Assign access on the administrator group
(parent)
• Read access on the administrators/devices/users and
• Read and Write access on the directory server (child), if it populates a device or user group or Read and Assign
access, if it populates an administrator group.
Example 1:
For the following example we synchronise our new device group called MyNewGroup, with an existing directory
server, for example called AllLabClients.
Capabilities
• View Device Groups
• Manage Device Groups
• Populate Device Groups
• View Devices
• View Directory Servers
• Manage Directory Servers
Access Rights
• Read Allow, Write Deny on the Device Groups top node,
• Read and Write Allow on the device group MyNewGroup,
• Read and Write Allow on the directory server AllLabClients,
• Read Allow on (some) clients of the directory server.
The Manage capability and Write access to the group are necessary, as the group name changes to the name of the
directory server group as soon as it is synchronised with the server. The Manage capability for the devices is not
required, as it is the system which will create the new objects that are added to the group. Therefore you will also
not be able to see these new group members, if you do not have at least Read access to the children of the
synchronised group.
Example 2:
For the following example we synchronise an administrator group called MyNewAdmins, with an existing
directory server, for example called AllLabAdmins.
Capabilities
• View Administrators
• Manage Administrators
• View Directory Servers
• Manage Directory Servers
Access Rights
• Read and Write Allow on the administrator group MyNewAdmins,
• Read and Write Allow on the directory server AllLabAdmins,
• Read Allow on (some) administrators of the directory server.
The Manage capability and Write access to the group are necessary, as the group name changes to the name of the directory server group as soon as it is synchronised with the server.
Assign/Unassign an Object to/from Another Object


When assigning/unassigning an object to/from an object of another type, two basic concepts must be
distinguished:
• Assign an object to/unassign an object from a group (that causes the contents of the group to change)
• Assign an object to/unassign an object from another object (without content modification)
1 Assign an Object to/Unassign an Object from a Group:
To assign/unassign an object to a group that modifies its content (queries, directory servers and compliance rules) you need the following capabilities and access rights. Be aware that administrator groups are handled, as usual, like folders (see below), not like groups.
• View and populate capabilities for the group (parent),
  - if the directory server is also to be synchronised, not only assigned, you also need the manage capability,
• View capability on the object to be assigned (child),
• Read and write access on the parent and read access on the child.
Example:
To assign a query, AllServers, to the device group AllServersFrance you need the following permissions:
Capabilities
  - View and populate device groups
  - View queries
Access Rights
  - Read Allow, Write Deny on the Device Groups top node,
  - Read Allow and Write Allow on the group AllServersFrance,
  - and Read Allow on the query AllServers.
2 Assign/Unassign an Object to another Object
To assign/unassign an object to/from another object, such as operational rules, packages, transfer windows, etc., you need the following capabilities and access rights:
• View and assign capabilities on the target object (parent),
• View and assign capabilities on the object to be assigned (child),
• Read access on the parent and read and assign access on the child.
Example:
To assign a transfer window, HighSpeedDownstream, to a device, ServerFrance, you need the following permissions:
Capabilities
  - View and assign transfer windows and devices
Access Rights
  - Read Allow, Write Deny on the Transfer Windows top node,
  - Read Allow and Assign Allow on the device ServerFrance and Read Allow on the transfer window HighSpeedDownstream.
The following table recapitulates the required capabilities and access rights to manage assignments between the
different non-modifying database objects with the understanding that the view capability as well as read access is
always required on both the parent and child object:

Parent | Child | Child Capabilities | Parent Access | Child Access
Compliance Rule | Report | Assign Report | Assign | Read
Device | Compliance Rule | Assign Compliance Rule | Assign | Read
Device | Inventory Filter | Assign Filters | Assign | Read
Device | Managed Application | Manage Managed Applications | Assign | Read
Device | Monitored Object | Assign Monitored Objects | Assign | Read
Device | Operational Rule | Assign Operational Rules | Assign | Read
Device | Package | Assign Packages | Assign | Read
Device | Patch Group | Assign Patch Groups | Assign | Read
Device | Rollout | Assign Rollout | Assign | Read
Device | Task | Assign Task | Assign | Read
Device | Transfer Window | Assign Transfer Windows | Assign | Read
Device Group * | Compliance Rule * | Assign Compliance Rule | Assign | Read
Device Group | Inventory Filter | Assign Filters | Assign | Read
Device Group | Managed Application | Manage Managed Applications | Assign | Read
Device Group | Monitored Object | Assign Monitored Objects | Assign | Read
Device Group | Operational Rule | Assign Operational Rules | Assign | Read
Device Group | Package | Assign Packages | Assign | Read
Device Group | Patch Group | Assign Patch Groups | Assign | Read
Device Group | Report | Assign Reports | Assign | Read
Device Group | Rollout | Assign Rollout | Assign | Read
Device Group | Task | Assign Task | Assign | Read
Device Group | Transfer Window | Assign Transfer Windows | Assign | Read
Operational Rule | Monitored Object | Manage Monitored Objects | Assign | Read
Operational Rule | Task | Assign Task | Assign | Read
Package | Operational Rule | Manage Operational Rules | Write | Write
Patch Group | Package | Manage Patch Groups | Write | Write
Patch Group | Task | Assign Task | Assign | Read
Port List | Scan | Assign Scan | Assign | Read
Prohibited Applications | Schedule Template | Manage Scheduled Templates | Assign | Read
Push Rollout | Task | Assign Task | Assign | Read
Query | Sub-Report | Manage Reports | Write | Write
Rollout | User Account | Populate Rollout | Assign | Read
Scan | Task | Assign Task | Assign | Read
Scan Configuration | Scan | Assign Scan | Assign | Read
Scanner | Scan | Assign Scan | Assign | Read
Target List | Scan | Assign Scan | Assign | Read
User | Operational Rule | Manage Operational Rules | Assign | Read
User Group | Operational Rule | Manage Operational Rules | Assign | Read
Vulnerabilities | Task | Assign Task | Assign | Read
Vulnerability Group | Report | Assign Reports | Assign | Read
* The assignment of a compliance rule to a device group in this case is used by the compliance rule to check
the group members for their compliance.
The following table recapitulates the required capabilities and access rights to manage assignments between the
different database objects concerning their population. Same as with the table above, the view capability as well
as read access is always required on both the parent and child object:

Parent | Child | Parent Capabilities | Parent Access | Child Access
Administrator Group | Directory Server | Manage Administrators | Write | Read
Device Group * | Compliance Rule * | Populate Device Groups | Write | Read
Device Group | Directory Server | Populate Device Groups | Write | Read
Device Group | Query | Populate Device Groups | Write | Read
User Group | Directory Server | Populate User Groups | Write | Read
User Group | Query | Populate User Groups | Write | Read
* The assignment of a compliance rule to a device group here actually populates the device group with the
result of its compliance check, i.e. the group will contain all compliant devices, all non-compliant devices or
those which could not be evaluated.
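The minimum requirements of section 16.3 can be expressed as a small checker that reports what an administrator is still missing for an operation. This is an added example, not part of the manual or the product: the Admin data model, the function names and the rule that a missing ACL entry counts as Deny are assumptions; capability names follow the wording of the manual's examples and tables.

```python
from dataclasses import dataclass, field

READ, WRITE, ASSIGN = "Read", "Write", "Assign"  # the three ACL access types


@dataclass
class Admin:
    """Constructed model of one administrator: capability list plus ACL entries."""
    name: str
    capabilities: set = field(default_factory=set)
    acl: dict = field(default_factory=dict)  # object name -> access types set to Allow


def gaps(admin, capabilities, access):
    """Return every unmet minimum requirement; an empty list means 'permitted'."""
    out = [f"capability {c}" for c in sorted(capabilities)
           if c not in admin.capabilities]
    for obj, needed in access.items():
        allowed = admin.acl.get(obj, set())  # assumption: no entry means Deny
        out += [f"{a} on {obj}" for a in needed if a not in allowed]
    return out


def create_in_folder(admin, type_plural, top_node, folder):
    """Create/delete an object in a folder: view + manage, write on the folder."""
    return gaps(admin,
                {f"View {type_plural}", f"Manage {type_plural}"},
                {top_node: [READ], folder: [READ, WRITE]})


def add_device_to_group(admin, group, device):
    """Add a device to a device group: view + populate on the group type."""
    return gaps(admin,
                {"View Device Groups", "Populate Device Groups", "View Devices"},
                {"Device Groups": [READ], group: [READ, WRITE], device: [READ]})


# Three rows of the non-modifying assignment table:
# (parent type, child type) -> (view capabilities, child capability,
#                               parent access, child access)
ASSIGN_RULES = {
    ("Device", "Transfer Window"): (
        {"View Devices", "View Transfer Windows"},
        "Assign Transfer Windows", ASSIGN, READ),
    ("Device", "Package"): (
        {"View Devices", "View Packages"}, "Assign Packages", ASSIGN, READ),
    ("Package", "Operational Rule"): (
        {"View Packages", "View Operational Rules"},
        "Manage Operational Rules", WRITE, WRITE),
}


def assign(admin, parent_type, child_type, parent, child):
    """Assign a child object to a parent object without changing its content."""
    views, child_cap, parent_acc, child_acc = ASSIGN_RULES[(parent_type, child_type)]
    # Read access is always required on both objects, on top of the table entry.
    return gaps(admin, views | {child_cap},
                {parent: sorted({READ, parent_acc}),
                 child: sorted({READ, child_acc})})


# Constructed administrator: may populate device groups, but has no Assign
# access on the device ServerFrance.
france = Admin(
    name="France",
    capabilities={"View Device Groups", "Populate Device Groups", "View Devices",
                  "View Transfer Windows", "Assign Transfer Windows"},
    acl={"Device Groups": {READ}, "MyGroup": {READ, WRITE}, "MyDevice": {READ},
         "ServerFrance": {READ}, "HighSpeedDownstream": {READ}},
)

if __name__ == "__main__":
    print(add_device_to_group(france, "MyGroup", "MyDevice"))
    print(assign(france, "Device", "Transfer Window",
                 "ServerFrance", "HighSpeedDownstream"))
    print(create_in_folder(france, "Operational Rules",
                           "Operational Rules", "My Operational Rules"))
```

An empty list means the operation meets the documented minimum; any entry names the capability or access right to grant, which keeps grants limited to what the operation needs.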

16.4 Specific Cases


While for most objects of the NAMP database security on the capabilities and access levels can be defined in the
same way, there are some exceptions to the rule, which are detailed as follows.
• Administrator Capabilities
• Devices and Device Groups
• Modifying Administrator Rights
• Device Topology
• Vulnerability Management

16.4.1 Administrator Capabilities


The administrators, their groups and their capabilities have specific requirements regarding their security settings
for both the capabilities as well as in the definition of their access.
Capabilities
The capabilities defined for operations on administrators, administrator groups and capabilities are the same. This means that there is no distinction between working on an individual administrator and working with a group. It also includes working on the capabilities through their specific node. For example, if an administrator is assigned the capability to manage administrators, he will also be able to create administrator groups, modify or delete these groups, and modify their capabilities through the Modify Capabilities tab or through the Capabilities node.
Access Rights
As you can see on the console, neither the Administrators nor the Administrator Groups node has a Security tab. Access rights must therefore be defined individually through the Security Profile node or the Security tab of the respective administrator or administrator group.

16.4.2 Devices and Device Groups


Devices and device groups are a specific case, as devices cannot be seen or accessed in any way if the corresponding permissions (capabilities and access rights) have not been granted on the device groups they are a member of.
Capabilities
Contrary to the administrators and their groups, devices and device groups have separate capabilities which must be assigned. Assigning the capabilities for device groups follows the general rules, but if devices are to be viewed/managed as well, you need to specify these capabilities separately. Device groups also have an extra capability, Populate, which must be defined when the content of the group is concerned, such as when you manually add or remove a device from a group or when the group is to be dynamically managed through a query or a directory server.
Access Rights
Devices may be accessed under two different nodes: the Device Topology and the Device Groups nodes. How to
define the access to the devices in the Device Topology is explained in the following paragraph, and may be
sufficient for a specific type of administrator. However, in other cases, it may be useful for administrators to be
able to access their devices via the Device Groups node. For this to be possible, you need to assign at least read
access to the Device Groups top node as well as any other device group (including its hierarchy structure to
access the respective group) the administrator needs to access.
16.4.3 Modifying Administrator Rights


When a new administrator is created in the database, he is automatically added to his own Security tab with the
following access rights defined: Read Allow and Write Deny. Through this the newly created administrator is able
to see himself in the console and to check his capabilities, for example, but he cannot make modifications to any
of his settings.
When an administrator is to modify access rights to a specific object he must have the following capabilities and rights:
Capabilities
• View Administrators
• View Security
• Manage Security
• View Object Type
• Manage Object Type
Access Rights
• Read and write access on the object itself.
It is strongly recommended NOT to give general administrators the ability to modify their own security settings; only the superadministrator should have this option. If administrators can modify their own settings, they may gain access to objects to which they should not have access.
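The recommendation above can be checked against an export of administrators and administrator groups. The following audit is an added example, not part of the manual or the product: the record layout, the sample data and the union of direct and group capabilities are assumptions, and "Object Type" is read here as the Administrators type because the object in question is the administrator himself.

```python
# Capabilities section 16.4.3 lists for modifying access rights, with
# "Object Type" taken to be Administrators (assumption of this example).
REQUIRED_CAPS = {"View Administrators", "Manage Administrators",
                 "View Security", "Manage Security"}

# A new administrator is created with Read Allow, Write Deny on himself.
DEFAULT_SELF_ACL = {"Read"}


def effective_capabilities(admin, groups):
    """Direct capabilities plus those inherited from every group (assumed union)."""
    caps = set(admin.get("capabilities", ()))
    for group in admin.get("groups", ()):
        caps |= set(groups.get(group, ()))
    return caps


def audit(admins, groups, superadmins=("admin",)):
    """Map each administrator who can edit his own security settings to the
    sources of his Manage Security capability, to show where to remove it."""
    findings = {}
    for a in admins:
        if a["name"] in superadmins:
            continue
        caps = effective_capabilities(a, groups)
        self_acl = set(a.get("self_acl", DEFAULT_SELF_ACL))
        if REQUIRED_CAPS <= caps and {"Read", "Write"} <= self_acl:
            sources = sorted(g for g in a.get("groups", ())
                             if "Manage Security" in groups.get(g, ()))
            if "Manage Security" in a.get("capabilities", ()):
                sources.insert(0, "(direct)")
            findings[a["name"]] = sources
    return findings


# Constructed sample data.
GROUPS = {
    "UserAdmins": {"View Devices", "Manage Devices", "View Queries"},
    "SecurityOps": set(REQUIRED_CAPS),
}
ADMINS = [
    {"name": "admin", "capabilities": REQUIRED_CAPS, "self_acl": {"Read", "Write"}},
    {"name": "france", "groups": ["UserAdmins"]},
    {"name": "paul", "groups": ["SecurityOps"], "self_acl": {"Read", "Write"}},
    {"name": "lea", "groups": ["SecurityOps"]},           # Write Deny on herself
    {"name": "ines", "capabilities": REQUIRED_CAPS, "self_acl": {"Read", "Write"}},
]

if __name__ == "__main__":
    for name, sources in sorted(audit(ADMINS, GROUPS).items()):
        print(f"{name}: can modify own security settings via {', '.join(sources)}")
```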

16.4.4 Device Topology


The Device Topology node is not an object in the database and as such does not have a specific Security tab
defining its accessibility and it cannot be included in the Security Profile either. It will thus always be part of the
directory tree of every administrator, even if some of them cannot see anything under the top node. To view
devices under this node:
• The administrator must have at least the View Devices capability.
• The administrator must have at least read access to the devices. Be aware that he needs read access to the
complete hierarchy to these devices, i.e. to the master as well as all the relay hierarchy under which the
devices are located.
To provide your administrator with read access to all devices in the system in the Device Topology node, the
following steps must be executed:
1 Create a query searching for all devices.
2 Create a security access via a Security Profile for the administrator.
1. Creating Query
For the first step, how to create a query, please see the respective earlier chapters in this manual. The query
AllDevices was imported with the Out-of-the-Box objects.
2. Defining the Security Access
The action which remains to be done is to create the appropriate access rights for the administrator to be able to
see them in the topology.
1 Connect to the console as the superadministrator Admin.
2 Go to the administrator's node and select its Security Profile node. The Capabilities tab will be displayed.
3 Select a row in the table and then the Edit->Properties menu item or the respective icon in the icon bar.
4 The Properties dialog box will appear on the screen.
5 Check at least the View capability for devices, then click the OK button to confirm.
6 Then select the Dynamic Objects tab.
7 Select the Edit->Add Query menu item or the respective icon in the icon bar.
8 The Select Dynamic Objects dialog box will appear on the screen, displaying all queries.
9 Select again the AllDevices query from the list.
10 In the Properties dialog box leave the Allow radio button for Read, Write and Assign Access checked. Remember that here you are not assigning access to the query itself, but to its result, i.e. the devices it will collect.
11 Click OK to add the object and close the dialog box.
3. Verifying the Assignments and Access Rights


Now to check if everything works as intended proceed as follows:
1 Log off the console.
2 Re-logon to the console as the new administrator.
3 When the console opens on your screen, you should see at least the following top nodes, depending on which capabilities you assigned additionally:
• Search
• Global Settings
• Device Topology
4 Now select the Device Topology node.
5 In its Members tab you will find the same list of devices as in the group.
6 If you select the Graph tab, you will see all your devices in the form of a graph.
Having executed all these operations your administrator can see all managed devices in your system. However,
this complete view may be limited by removing access to all devices which he is not supposed to see. This can be
done via the query through more restrictive criteria.
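Because read access is needed on the complete hierarchy, a more restrictive query can hide more devices than intended: leaving out a relay hides every device below it. The following sketch is an added example, not part of the manual or the product; the topology, the device names and both function names are constructed for illustration.

```python
def visible_devices(parent_of, readable, has_view_devices=True):
    """Devices an administrator sees under Device Topology.

    parent_of -- device name -> parent relay (the master maps to None)
    readable  -- devices with Read Allow, e.g. the result of the query added
                 on the Dynamic Objects tab
    """
    if not has_view_devices:          # the View Devices capability is mandatory
        return set()
    verdict = {}

    def chain_readable(node, trail=()):
        if node is None:              # walked past the master: chain is readable
            return True
        if node in verdict:
            return verdict[node]
        if node in trail or node not in parent_of:
            return False              # loop or dangling parent: fail closed
        verdict[node] = (node in readable
                         and chain_readable(parent_of[node], trail + (node,)))
        return verdict[node]

    return {d for d in parent_of if chain_readable(d)}


def blocked_by(parent_of, readable):
    """For each readable device that stays hidden, name the nearest ancestor
    without read access (the entry to add to the query or the ACL)."""
    result = {}
    for device in readable:
        node, seen = parent_of.get(device), {device}
        while node is not None and node not in seen:
            if node not in readable:
                result[device] = node
                break
            seen.add(node)
            node = parent_of.get(node)
    return result


# Constructed topology: one master, two relays, three workstations.
TOPOLOGY = {
    "master": None,
    "relay-paris": "master",
    "relay-lyon": "master",
    "pc-01": "relay-paris",
    "pc-02": "relay-paris",
    "pc-03": "relay-lyon",
}
# Constructed result of a restricted query that leaves out relay-lyon.
QUERY_RESTRICTED = {"master", "relay-paris", "pc-01", "pc-02", "pc-03"}

if __name__ == "__main__":
    print(sorted(visible_devices(TOPOLOGY, set(TOPOLOGY))))
    print(sorted(visible_devices(TOPOLOGY, QUERY_RESTRICTED)))
    print(blocked_by(TOPOLOGY, QUERY_RESTRICTED))
```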

16.4.5 Vulnerability Management


The Vulnerability Management presents the following specific situations:
Wizards
To be able to launch the scanning wizard an administrator needs to have the VM view capabilities on scan configurations, target lists and devices as well as the manage and assign capability on scan configurations.
The wizard may either use existing objects or create new ones. Be aware that to create new objects you need the manage capability for the top node of the respective object or at least one of its folders. By default, objects created with the wizard will be located directly under the object's top node. If you do not have access to this node, the new object will be created in the first folder for which you do have access rights. Otherwise, i.e. if you do not have access to any of the objects of the type, the object created via the wizard will be stored under the Lost and Found node.
Scan Targets
Target lists in VM may consist of devices known to the database, thus with defined security, and devices without a NAMP agent. Once a scan is executed on a target list, the vulnerability inventory will be available via the console, and the administrator who created the scan may see the inventory for all the devices to which he was not expressly forbidden access. As yet unknown devices without a NAMP agent will now be added to the database with the status 'scanned' and no security defined, and any administrator with read access on the respective target list, and thus the target devices, can view the scan results.
Scanners
To define a device as a scanner or remove it from this functionality, the Manage capability as well as Write access rights on the respective device are required.
As scans are assigned to their scanner and not to a top node of this type, removing a device as a scanner also removes all scans assigned to this scanner. The administrator therefore must also have the capability Scan - Manage, as well as Write access rights to all scans and folders defined under the respective scanner.

16.5 Scenarios
This section provides a number of example security scenarios, describing the environment in which each is set up, what exactly happens when access is attempted, and what needs to be defined to ensure the scenario works as intended.
We propose that you create these profiles not for individual administrators but for administrator groups; this makes it easier to add new administrators with the same profile and to make sure there is always at least one administrator with the specific profile. The administrator in these cases will be created with no capabilities and no access rights; all of these will be given to him via the groups he is a member of.
We also assume that the Out-of-the-box objects have been imported, as they contain a number of very useful settings which we refer to in the following scenarios.
• New Administrator with System Logon
• User Administrator
• Read-Only Administrator
• Installer
• Reporting
• Scan Administrator
• Vulnerability Manager
• Compliance Analyst
• Compliance Manager

16.5.1 New Administrator with System Logon


The following scenario describes what happens when an administrator tries to log on to the console:
• that has never before tried to log on,
• that is not yet created in the NAMP database as an administrator but
• who has a valid local system logon.
For this to work, you must however have activated the option to create new administrators via their system logon.
To make sure this option is activated proceed as follows, as by default it is deactivated:
1 Go to the Global Settings->System Variables and its Security tab.
2 Select the entry in the right window pane.
3 Then select the Edit->Properties menu item or the respective icon in the icon bar.
4 The Properties dialog box will appear on the screen.
5 Check the box in the window and then click the OK button to confirm.
6 The required option is now activated.

As the user is not registered in the database, he can only use his local system logon to log on to the Numara Asset
Management Platform Console. The following happens:
1 The user logs on with his system logon and password.
2 Basic authentication is executed via the HttpProtocolHandler:
a The HTTP protocol handler verifies with the Host Access module if the requesting client is authorised to
connect to the master server. If no modifications have been made in the Host Access module since startup
the requesting client is authorised.
b Then the HTTP protocol handler verifies with the User Access module if the supplied login and password
are authorised. When checking the table of configured users the handler will find an equivalent as system
and authorise the login.
c Then the vision64database module will verify with the database if an administrator user exists for this login/password pair, which is not the case. As the login was authorised beforehand, the database module will create a new user with the provided login and password in the access list. However, no capabilities and access rights are assigned at creation time.
d Now the console window will appear on the screen with a connection to the requested master server, but the displayed contents are very limited:
  - He will only be able to see the following top nodes: Search, Global Settings, Device Topology and Events. However, he will not be able to view any devices in the Device Topology nor will he be able to execute operations on Global Settings subnodes.
  - As he has no capabilities assigned either, he will not be able to execute any operations on the visible nodes and objects in the console.
This scenario will only work if the default system administrator creation is activated, which is not the case by
default. To activate it, proceed as follows:
1 Log on to the console with the predefined admin login.
2 Then go to the Global Settings and the System Variables node.
3 Select the Security tab.
4 Mark the value in the right window pane.
5 Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 Check the Create Default System Administrator box.
8 Then click OK to confirm and close the window.

16.5.2 User Administrator


The user administrator scenario describes the security settings to be defined for administrators who have
far-reaching rights, similar to the system administrator, i.e., they may access all objects and types apart from the
actual system settings.
1 Log on to the console with a superadministrator or the admin login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called UserAdmins.
4 Select the Security Profile node below and, in the Capabilities tab, proceed as follows:
a Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
b The Properties popup window will appear on the screen.
c In the Modify Capabilities tab select ALL capabilities and then deselect the following:
• Both Administrator capabilities
• Both System Variables capabilities
• Both Security Profile capabilities
• Both License capabilities
d Then click OK to confirm and close the window.
5 Then go to the Static Objects tab and via the Properties popup window select all Top Nodes to be added to the
static objects with Read, Write and Assign rights Allowed.
6 In the Dynamic Objects tab add all queries which can be found under the folder Numara Asset Management
Platform Database apart from the All Administrators and All Administrator Groups queries with Read, Write
and Assign rights Allowed via the Properties popup window. These queries ensure that the administrator
will have access to all objects of any type that will be created in the future by any other administrator.
Remarks regarding this configuration:
• We consider administrators and administrator groups part of the system management and therefore have
excluded them from the field of activity of the user administrator.

16.5.3 Read-Only Administrator


The Read-Only administrator is roughly the equivalent of the user administrator without the permission for
modification. This type of administrator may be useful for the head of the IT department, who needs an
overview of the whole system and what goes on in it without active intervention.
1 Log on to the console with a superadministrator or the admin login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called ReadOnly.
4 Select the Security Profile node below and, in the Capabilities tab, proceed as follows:
a Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
b The Properties popup window will appear on the screen.
c In the Modify Capabilities tab select ALL View capabilities apart from the following:
• View Administrator
• View System Variables
• View Security Profile
• View License
d Then click OK to confirm and close the window.
5 Then go to the Static Objects tab and via the Properties popup window select all Top Nodes to be added to the
static objects with Read right Allowed, and Write and Assign rights Denied.
6 In the Dynamic Objects tab add all queries which can be found under the folder Numara Asset Management
Platform Database apart from the All Administrators and All Administrator Groups queries with Read right
Allowed, and Write and Assign rights Denied via the Properties popup window. These queries ensure that
the administrator will be able to see all objects of any type that will be created in the future by any other
administrator.
Remarks regarding this configuration:
• We consider administrators and administrator groups part of the system management and therefore have
excluded them from the field of activity of the read-only administrator.
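
One way to check a UserAdmins or ReadOnly group against the rules given in 16.5.2 and 16.5.3, as an added example that is not Numara code. The dict layout, the `audit_profile` function and the sample profiles are assumptions made for this example, since the page describes no export format for security profiles.

```python
# Areas the page withholds from the UserAdmins and ReadOnly groups.
SYSTEM_AREAS = {"Administrator", "System Variables", "Security Profile", "License"}
# Queries the page excludes from the Dynamic Objects tab of both groups.
SYSTEM_QUERIES = {"All Administrators", "All Administrator Groups"}


def audit_profile(profile, read_only=False):
    """Return a sorted list of findings for one security profile."""
    findings = []
    for verb, area in profile["capabilities"]:
        if area in SYSTEM_AREAS:
            findings.append(f"capability '{verb} {area}' reaches system management")
        elif read_only and verb != "View":
            findings.append(f"capability '{verb} {area}' is not view-only")
    for tab in ("static", "dynamic"):
        for obj, rights in profile[tab].items():
            if obj in SYSTEM_QUERIES:
                findings.append(f"{tab} object '{obj}' exposes administrator objects")
            if read_only:
                for right in ("write", "assign"):
                    # Assumption: a missing entry counts as "not denied".
                    if rights.get(right) != "deny":
                        findings.append(f"{tab} object '{obj}': {right} is not denied")
    return sorted(findings)


# Constructed sample data (hypothetical layout, not a product export).
RO = {"read": "allow", "write": "deny", "assign": "deny"}
READ_ONLY_OK = {
    "capabilities": {("View", "Devices"), ("View", "Report")},
    "static": {"Device Groups": dict(RO), "Reports": dict(RO)},
    "dynamic": {"All Devices": dict(RO), "All Reports": dict(RO)},
}
READ_ONLY_DRIFTED = {
    "capabilities": {("View", "Devices"), ("Manage", "Devices"),
                     ("View", "Security Profile")},
    "static": {"Device Groups": {"read": "allow", "write": "allow", "assign": "deny"}},
    "dynamic": {"All Administrators": dict(RO)},
}

if __name__ == "__main__":
    for name, prof in (("ok", READ_ONLY_OK), ("drifted", READ_ONLY_DRIFTED)):
        print(name, audit_profile(prof, read_only=True))
```

Run with `read_only=False` to apply only the system-management exclusions that the UserAdmins group shares with the ReadOnly group.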

16.5.4 Installer
This scenario describes the security settings to be defined for an administrator who only executes agent rollouts
across the network.
1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Installer.
4 Select the Security Profile node below and in the Capabilities tab.
a Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
b The Properties popup window will appear on the screen.
c In the Modify Capabilities tab select the following capabilities:
• All Rollout capabilities
• All Device capabilities
• View and Manage Device Group capabilities - no Populate capability
d Then click OK to confirm and close the window.
5 Then go to the Static Objects tab and via the Properties popup window add the following static objects:
• Device Groups top node with Read and Assign Access: Allow and Write Access: Deny
• Rollouts top node with Read, Write and Assign Access: Allow
6 In the Dynamic Objects tab add the following dynamic objects via the Properties popup window:
• The following queries to be found in the Numara Asset Management Platform Database folder:
- All Devices and All Device Groups queries with Read Access: Allow and Write and Assign Access: Deny
- All Rollout Folders and All Rollouts queries with Read, Write and Assign Access: Allow.

16.5.5 Reporting
This type of administrator profile is created for users who only create reports, but reports regarding any object in
the database.
1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Reporting.
4 Select the Security Profile node below and in the Capabilities tab.
a Then either select the Edit->Properties menu item or click the respective icon in the icon bar.
b The Properties popup window will appear on the screen.
c In the Modify Capabilities tab select ALL View capabilities apart from the following:
• View System Variables
• View Security Profile
• View Agent Configuration
• View Direct Access
• View Remote Control
d Then in addition check the following capabilities:
• Manage Query
• Manage and Assign Report
e Then click OK to confirm and close the window.
5 Then go to the Static Objects tab and add the following top nodes with the following access rights via the
Properties popup window:
• Device Groups top node with Read and Assign Access: Allow and Write Access: Deny
• Queries and Reports top nodes with Read, Write and Assign Access: Allow
6 In the Dynamic Objects tab add via the Properties popup window all queries of the Numara Asset
Management Platform Database folder with access rights Read Access: Allow and Write and Assign Access:
Deny apart from the following which will also be added but with different access types:
• All Devices, All Device Groups and All Vulnerability Groups queries with Read and Assign Access: Allow
and Write Access: Deny
• All Query Folders and All Queries, as well as All Report Folders and All Reports queries with Read, Write and
Assign Access: Allow.
A few points regarding this configuration:
• If you have different report creation profiles you may restrict the view to the objects the profiles need to
create reports for. However, make sure you provide them with the same access as above to queries and device
groups, as reports are based on either one of these object types. If you do not provide access to the device
groups, no reports that are assigned to a device group, rather than based on a query, can be generated.

16.5.6 Scan Administrator


This type of administrator profile is created for administrators who only create and execute scans. However this
also implies creating/managing the target lists, scan configurations as well as port lists.
1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Scan Administrator.
4 Select the Security Profile node below.
5 In the Capabilities tab select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 In the Modify Capabilities tab select the following capabilities:
• View Devices
• View Vulnerability Management
• Manage Port Lists
• Manage & Assign Scan Configurations
• Manage Target Lists
• Manage, Assign and Schedule Scans
8 Then click OK to confirm and close the window.
9 Now go to the Static Objects tab and add via the Properties popup window the following top nodes with the
following access rights:
• Port Lists, Scan Configurations and Targets top nodes with Read, Write and Assign Access: Allow
10 If the administrators are to be able to not only create their own new scans with all connected other objects but
also use those that are created by other administrators you may add the access to these via the Dynamic
Objects tab via the Properties popup window:
• add all queries concerning scans, scan configurations, as well as port and target lists with access rights
Read and Assign Access: Allow and Write Access: Deny.

16.5.7 Vulnerability Manager


This type of administrator profile is created for administrators who analyse the scan results and actively remedy
the current situation on the targets.
1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Vulnerability Manager.
4 Select the Security Profile node below.
5 In the Capabilities tab select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 In the Modify Capabilities tab select the following capabilities:
• View & Assign Devices
• View Inventory
• View Packages
• View & Schedule Operational Rules
• View, Manage, Assign & Configure Patch Groups
• View, Manage & Configure Vulnerability Management
• View & Manage Vulnerability Groups
• View & Manage Target Lists
8 Then click OK to confirm and close the window.
9 Now go to the Static Objects tab and add the following top nodes with the following access rights via the
Properties popup window:
• Operational Rules and Packages top node with Read and Assign Access: Allow and Write Access: Deny
• Patch Management and Vulnerability Groups top nodes with Read, Write and Assign Access: Allow
10 If the administrators are to be able to not only create their own new vulnerability remediation actions with all
connected other objects but also use those that are created by other administrators you may add the access to
these via the Dynamic Objects tab via the Properties popup window:
• All Scanned Devices and All Scans queries with Read Access: Allow and Write and Assign Access: Deny
• All Patch Groups, All Packages, All Operational Rules and All Vulnerability Groups queries with Read, Write
and Assign Access: Allow.
A few points regarding this configuration:
• This profile consists mainly of patch management capabilities as the major part of actively remedying
vulnerabilities is executed via the patch objects and wizard.

16.5.8 Compliance Analyst


This type of administrator profile is created for administrators who analyse all devices of the infrastructure for
compliance.
1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Compliance Analyst.
4 Select the Security Profile node below.
5 In the Capabilities tab select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 In the Modify Capabilities tab select the following minimum capabilities:
• View & Manage Devices
• View & Manage Device Groups
• View, Manage, Assign & Configure Compliance Rules
8 Then click OK to confirm and close the window.
9 Now go to the Static Objects tab and add the following top nodes with the following access rights via the
Properties popup window:
• Device Groups top node with Read and Assign Access: Allow and Write Access: Deny
• Compliance Management top node with Read, Write and Assign Access: Allow
10 Then click OK to confirm and close the window.

16.5.9 Compliance Manager


This type of administrator profile is created for administrators who ensure the compliance of the complete
infrastructure, i.e. they do not only analyse the current situation of the IT park concerning its compliance but take
action to keep it compliant.
1 Log on to the console with a superadministrator login.
2 Then go to the Global Settings and the Administrator Groups node.
3 Create a new group called Compliance Manager.
4 Select the Security Profile node below.
5 In the Capabilities tab select the Edit->Properties menu item or click the respective icon in the icon bar.
6 The Properties popup window will appear on the screen.
7 In the Modify Capabilities tab select the following minimum capabilities:
• View & Manage Devices
• View & Manage Device Groups
• View, Manage, Assign & Configure Compliance Rules
8 The following is a list of possible capabilities that may be assigned to the administrator, depending on
the compliance targets:
• View & Manage Inventory - to provide access to all inventory criteria
• View & Assign Packages - if compliance includes specific installed packages as criteria
• View & Schedule Operational Rules - if compliance includes specific assigned operational rules as criteria
• View, Manage, Assign & Configure Patch Groups - if compliance includes specific installed patches as
criteria
9 Then click OK to confirm and close the window.
10 Now go to the Static Objects tab and add the following top nodes with the following access rights depending
on the capabilities you added in the previous tab via the Properties popup window:
• Compliance Management, Operational Rules, Packages and Patch Management top node with Read,
Write and Assign Access: Allow
• Device Groups top node with Read and Assign Access: Allow and Write Access: Deny
11 The definitions in the Dynamic Objects tab of the Security Profile node also depend on the selections made
in the Capabilities tab:
• All Patch Groups, All Packages and All Operational Rules queries with Read, Write and Assign Access:
Allow.

Corporate Headquarters
2202, North Westshore Boulevard, Suite 650
Tampa, Florida 33609, USA
p:813.227.4500 f: 813.227.4501

Regional Headquarters
2025 Lincoln Highway
Edison, NJ 080018, USA
p:732.287.2100 f: 732.287.4929

European Headquarters
Davidson House
Forbury Square
Reading, RG1 3EU, UK

NumaraSoftware.com

©2009 Numara Software, Inc. All rights reserved. Numara and the Numara Software logo are
registered trademarks of Numara Software, Inc.
