Welcome – A letter from the Founder

My name is Max Ranzau. I founded RESguru.com as a technical blog at the end of 2008, dedicating my time and efforts towards creating better IT solutions through use of RES Software products in the enterprise. This site is the home of RCS – RESguru Consulting Services and is one of the primary go-to places for independent information, brain-share and tools for the workspace and automation engineers across the planet. I intend to keep it just that way.

If you are a new visitor, allow me a moment to welcome you properly, by immediately dispensing with the glossy marketeering and cut to the chase:

I am here to change Enterprise IT.

I dare to guess that plenty suit & tie jobs have said similar to you over the years. Nothing more or less, it’s the best one-liner by which it can be expressed what RCS does. Fact: it is exceptionally hard to explain what exactly and completely RES Software does in one sentence, without either becoming too vague or a long winded tale. Trust me on this, the good folks at RES Software have been grappling with this conundrum over the last 15 years: Having a stellar product suite, but no quick and singular way of explaining what it does!

I’m not going to pretend I’m driving around with the tomes of messaging wisdom* in my trunk. However, that is not going to prevent me from pitching in my two cents. As I see it, there are two main avenues of putting RES technology into context:

A) Presuming you’re technically oriented:

  • Get rid of complexity in policy management, point-solution utilities and scripting. You know as well as I, that enough of this, or by inheriting someone else’s hand-me-down environment, you’ll be up to your eyeballs figuring out what’s going on before you can make any changes.
  • Best profile+configuration management: Microsoft’s ways of handling configuration, both central (policies) and users (profiles) haven’t changed much in 20 years. The RES Suite will make profile management work smoothly for you.
  • Automation of complex script-less tasks across the entire IT estate, independently of domains. 150+ built in graphical tasks range from the simplest of deployment/configuration items to VDI, Mobile Device Management and Helpdesk, integrating with all the major vendors.
  • Workflows can be automated. The RES Suite will allow a company to define and execute workflows for almost anything that can be given to a user. It’s all about service. I usually tell my students that you can make workflows for giving employees their phones, forklifts or PhotoShop. It doesn’t matter as you model the business in the software, define who is qualified to automatically get or request what, assign any approvals to the workflow and then tie it all into the automation and configuration management where necessary. The real strength here is that all 3 products in the RES Suite talk together.
  • Documentation: As engineers, we just love cranking it out by the page, right? That was sarcasm! We love building great solutions but creating the associated paperwork afterwards is a hassle, even if it’s billable. For admins in terms of auditing, it’s the same challenge. The RES suite can do the documentation for you.

The RES Suite is like a well-organized Swiss Army knife, with 15.000+ blades. There are loads of other things the RES suite can do for you, and hopefully you’ll get a sense of this when you browse through the Tech Library of the RESguru site. There are over 100 (and counting) free practical how-to articles on how to solve common everyday problems with RES technology. Have a look at the intro page here for a proper introduction and tour around the site.

B) Presuming you are financially oriented:

  • 60% savings on current support/helpdesk/administrative load is not unheard of.
  • 90% savings on external consultants camping in your data-center for months at a time as your own staff becomes able to do most things faster on their own. These kinds of numbers have been reported by some of my clients.
  • 20% more users typically on a central environment – just by virtue of efficient management.
  • No doctors with flashlights were involved in obtaining the numbers above! These are based on real RES projects that I have worked over the last 15 years. Having said that, obviously your mileage may vary in accordance with what you are trying to solve.
  • Business Processes – any organization has them. If you ever move people around, hiring or firing, the IT folks are usually the last to know, resulting in a long time before new employees can do what they’re paid to or exposing the company to unnecessary risk, by not closing down access properly when someone leaves. Sometimes I encounter customers who have custom-built and rather byzantine systems in place, some may even be manual, tossing around emails or even paper forms for approvals. As long as nothing changes you can maintain status-quo, however when the business requirements change, that’s where your costs become evident.
  • Appsense. Have you been struggling with their products for too long not being able to get things to work for you as promised? Spent countless hours having consultants in and out the door on break/fix missions? It’s time to stop and look at a Real Enterprise Solution.
  • Agility: What can be stood up in a few days by an engineer proficient in RES tech, can in most cases match and trump what would take a team of engineers using classic tools and methodology several months to implement.

The above should provide you with a decent idea of what is within the realm of the possible in the RES universe. RES technology is not rocket science, it’s just good product design and common sense for the modern enterprise. Covering the entire RES Suite, RCS offers the following on all VDI platforms, TS/Citrix, Laptops, Mobile devices, Windows and Linux environments:

  • Consulting, advisory and managed service agreements for new and existing RES installations
  • Scoping and technical presales assistance to integrators
  • Design and technical architecture documentation
  • Implementations, remote and on-site.
  • Technical competitive analysis. Here is a couple of examples.
  • Training, Education and Workshops in all RES products both online and on-site. See this for details.

For information on services, rates, schedules and anything else, reach out via the contact page, or call +1 610 462 2200. I look forward to talking with you.

With best regards,

Max Ranzau

 

Authorizing in WM – How it SHOULD work

By Max Ranzau

 

From the My-Two-Cents Dept. Working with RES Workspace Manager for about 1½ decades, I’ve been witness to many improvements. While the products get better with each release, regardless of vendor it’s not always flowers and chocolate. By now, most seasoned Workspace Engineers familiar with the product know the difference between learning mode and blocking mode on the security subsystems. Dialing in the security for a new client/customer always takes a bit of time, as you’ll have to deal with the security baseline – and then authorizing the things that are unique for said customer environment. The work I always seem to find myself spending time on is hopping back and forth between Authorized Files and either the Managed Application node or the Read-Only Blanketing node.

The issue at hand is this: every time that one has dealt with a log entry by right-clicking on it, said log entries will still be in the log. It makes it a challenge to maintain an overview of what’s been dealt with and what hasn’t – especially if you are using wildcard rules to kill multiple log entries with one stone. It would be wonderful if this process could be managed better. I’ve gone through the necessary steps in a previous article here. To optimize this work, below are a few ideas off the top of my head on how this ideally should work:

  • The security logs should be reworked to show a “Processed” or “Authorized” flag. Think of it like the little red flag you can set on your emails and tasks in Outlook.
  • When authorizing a specific log entry, there should be check boxes in the authorization dialog box to “Mark affected log entries as authorized” and/or a “Delete affected entries in log file”. Workspace Manager can already filter views with the Attention flag etc. in Workspace Analysis, so it should be familiar territory, development wise.
  • In the Authorized file node there should be similar options to process all current log files through active authorizations so it becomes evident which things you haven’t dealt with yet.
  • Finally, it would be stellar to incorporate Patrick Grinsven’s excellent work on the DBlogCleaner tool (which is out in a new version, stay tuned)

Now, before some well-meaning person asks why I don’t put these ideas into UserVoice for voting etc, I will offer my thanks for the consideration, yet I am perfectly happy passing that baton with the associated credit to someone else. In other words, feel free to co-opt these ideas and make them your own.

 

Keeping Virtual Sandboxes under control

By Rob Aarts and Max Ranzau

Rob: After using VMware Thinapp in several projects I wanted to share some best practices. The first one is about a common mistake I see made on a regular basis. Applications with several entry points for executables are presented using Workspace Manager, using multiple managed applications. So far so good.

The problem arises when all entry points (from the same Thinapp capture) have their own Zero Profile setting pointing to the same Sandbox location. Are you still with me here? Let’s have a look at the example below:

Here’s a working example:

  • When a user launches Application 1, Zero Profile settings are loaded and written to the sandbox.
  • The user then launches Application 2 and Zero Profile settings are loaded and written to the same sandbox location.

What is likely to happen is that settings for Application 1 become corrupted, because its settings are being changed by another process while it’s running. I personally have seen some strange behavior from apps, which absolutely don’t like this messing around with their appdata behind the scenes. It doesn’t take a degree in rocket science to imagine what may happen when Application 3 is launched. It will just increase the likelihood of corruption.

The solution to avoid this mess is simple and was covered previously, although for natively installed applications only: Have a look at Max’s article RG056 in the tech library. Setting up a placeholder application as described in the article will allow you to configure individual apps to save the sandbox and direct the Zero Profile from Application 1, 2 and 3 to this placeholder App:


Max: Once you have this set-up, the next challenge is to make sure your User-Settings capture configurations are not overlapping. As of WM SR3 there is a setting for global User settings to grab a setting exclusively. This means that if say 3 different global user settings grab the same registry value you can check one of them as exclusive and only that UserSetting will store it. Unfortunately this approach doesn’t work well for Managed Application based user-settings, as the capture-exclusive feature isn’t available there (yet?). Anyhow, there is a workaround for this. Let’s say you start with creating a suite-settings placeholder app, like described above for Office:

  1. You create a new managed app
  2. Under user settings, you add all the capture templates for Word, Excel, Powerpoint etc. and you have a nice list like shown below
  3. Then everything is cool and ready to rumble, right?

Unfortunately that’s not quite the case, as the templates are likely to overlap. This is not the fault of the template designers, but a consequence of each template needing to be able to stand alone. This means we have a bit of cleaning up to do, but it’s quite easy. When you are on the User Settings|Capturing tab of the SuiteSettings app as shown above, do the following:

  1. Click the Show details checkbox at the bottom of the dialog box
  2. Now click on the data column header to sort on files and registry entries being captured
  3. Look for identical rows (highlight)

Note the line for the ‘Microsoft InfoPath Designer 2010’, which I have highlighted and disabled. I disabled it because that particular User Setting was already captured by the template called ‘Microsoft Infopath Filler 2010’ and as you may recall from our discussion above, we do not have the option to capture exclusively on Managed apps.

You disable an item by double-clicking on it. Don’t fall for the temptation of removing the checkbox you immediately see, as that will disable the entire template, in which you are only interested in disabling a certain file/reg grab. Instead go to the Capturing tab, then select the offending/duplicate entry, double click again and THEN remove the Enabled checkbox you see.

You can of course also delete the duplicate entries to tidy things up. In this case I kept them around for illustrative purposes. One thing I’d like to make you aware of: First, go to the global User Settings node, and at the bottom check both ‘Show details’ and ‘Show all User Settings’.

Notice that once you link up multiple applications to the same suite app, you will see multiple entries of the same user-setting. This is not a bug or an indication that something unnecessary is being captured. For example, look at the example above where about half way down you see about 7 references to %APPDATA%\Microsoft\Access and both Word, Excel etc are pointing to it. This does NOT mean the Word and Excel templates had duplicate entries. It’s simply because the combination of the two checkmarks shows the canonical list of all combinations of apps and user settings, thus the repeats. In short: They’re mostly harmless. Don’t panic!

We hope with this little away-mission into advanced WM User Settings management to have given you some new thoughts on how to both wrangle virtual applications as well as suite settings for multiple apps.

Rob & Max

 

Removing zombies from IT Store

By Max Ranzau

 

From the Hacking Dead dept. IT Store is a fine HR data processor and workflow engine, when you set it up to pull people and department data in from an authoritative data source. In a previous article I showed an example on how to do just that. However, when a person is marked as deleted in your datasource, IT Store doesn’t delete the user. They effectively are the living dead IT Store people, except in this case they won’t try to claim a license or your brains.

Deleting a user in IT Store has always been a two-stage affair. Initially when IT Store marks a person for deletion it uses the opportunity to scan for any and all delivered services. One should not tinker with this. However, once mentioned services have been properly returned, the user is then marked as [Ready for deletion]. But that’s all she wrote. Nothing more happens.

Effectively this means over time an organization with thousands of annual onboarding/offboardings (think educational institutions for example) will have a pileup of undead un-deleted people in IT Store. Sure, they’re obscured from view until you check the “Include people marked for deletion”. Your only current option is to manually go Michonne on them in the console yourself.

The design rationale is that since some HR systems don’t delete the employee when off-boarded, then neither should ITS. Here’s where I disagree. It makes sense for HR systems to keep a record of previous people for administrative reasons, but since ITS is the conduit into the rest of the IT infrastructure organization, there’s IMHO little point in keeping a record here once you’ve cleaned up everywhere else. After all, during off-boarding we’d probably be exporting the user’s mailbox and zip up his homedrive as we don’t want dead user remains floating around in the production environment.

At this stage there’s only one way to deal with this if you don’t want to manually flush users marked ready for deletion: Hack the IT Store database.

Like any other vendor, RES gets nervous tics and reaches for their crossbow, when you start messing with the brraaaiiins grey matter of the datastores, thus the usual warnings apply: If you do this, you’re on your own. See the MOAD for details.

That said, let’s look at the hack. It’s a simple SQL delete query. Presuming your datastore is running MSSQL, the SQL looks like this:

DELETE FROM [$[in.db.its.name]].[dbo].[OR_Objects]
WHERE [TYPE] = 1 and [RecordStatus] = 2

The $[in.db.its.name] above is an Automation Manager module parameter, containing the name of the ITS database. Running this query has the same effect as manually deleting all the users marked [Ready for deletion]. One SNAFU to be aware of is that the users will not be removed from the console before you exit and re-launch it. My guess is that the records are cached in RAM and are only updated when IT Store is doing its own operations.
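An added example, not part of the original post or RES's own tooling: the same delete wrapped in a transaction that first copies the affected rows to a backup table, so the purge can be reviewed or undone afterwards. The backup table name OR_Objects_PurgeBackup is hypothetical; the table, columns and filter values are the ones from the query above.

```sql
-- Added example (T-SQL). Assumes the same Automation Manager parameter
-- $[in.db.its.name] is substituted with the ITS database name before execution.
-- OR_Objects_PurgeBackup is a hypothetical name for the safety copy.
SET XACT_ABORT ON;   -- any runtime error rolls back the whole transaction
SET NOCOUNT ON;

-- Refuse to run if a backup from an earlier purge has not been reviewed and dropped.
IF OBJECT_ID(N'[$[in.db.its.name]].[dbo].[OR_Objects_PurgeBackup]') IS NOT NULL
BEGIN
    RAISERROR('OR_Objects_PurgeBackup already exists; review and drop it first.', 16, 1);
    RETURN;
END

DECLARE @copied INT, @deleted INT;

BEGIN TRANSACTION;

-- 1. Copy the rows about to be removed, locking them so the set cannot
--    change between the copy and the delete.
SELECT *
INTO   [$[in.db.its.name]].[dbo].[OR_Objects_PurgeBackup]
FROM   [$[in.db.its.name]].[dbo].[OR_Objects] WITH (UPDLOCK, HOLDLOCK)
WHERE  [TYPE] = 1 AND [RecordStatus] = 2;
SET @copied = @@ROWCOUNT;

-- 2. Delete exactly the same set (same filter as the original query).
DELETE FROM [$[in.db.its.name]].[dbo].[OR_Objects]
WHERE  [TYPE] = 1 AND [RecordStatus] = 2;
SET @deleted = @@ROWCOUNT;

-- 3. Commit only when the delete touched what was backed up.
IF @deleted = @copied
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Purged ' + CAST(@deleted AS VARCHAR(12)) + ' record(s); copy kept in OR_Objects_PurgeBackup.';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;   -- also discards the backup table created above
    PRINT 'Rolled back: copied ' + CAST(@copied AS VARCHAR(12))
        + ' but deleted ' + CAST(@deleted AS VARCHAR(12)) + '.';
END
```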

Putting this into Automation Manager, I came across a minor problem with the SQL statement execute task in Automation Manager. It looks like as of SR3 (7.0.3.0) the password field can’t be properly parameterized. Sure, you can right-click on the password field and insert a parameter, but next time you go back and edit the module, the password stops working. Until RES fixes this and puts in a proper credential-type field, you’re better off hardcoding the password.

If you’re still up for it, try out this buildingblock in your lab.

Migrating from a broken UEM product, part 1

From the REScue 911 Dept. Recently I was involved in a client project where they had a problem. And it was a big problem: Effectively they were using another profile management product which was malfunctioning. I’d prefer not to give the game away by naming the vendor. Not that I have any problem with verbally beating vendors over the head when they deserve it – this is out of courtesy to the client.

Suffice to say, the product in question employed by my client was practically holding the user’s profile settings hostage. Allow me to clarify: If your current UEM tool redirects a write to a proprietary format, you are putting all the user’s profile data into a basket you have no or little control over. Meaning: If you switch said UEM tool off, then all your user’s settings are stuck in said basket. The following article puts you on a path out of this situation.

 

Seamless switch from Policies to WM

From the The-GPO-has-you Dept. Recently, one of my clients was facing an interesting issue: They wanted to do a seamless switchover from an environment currently managed by Windows GPOs to a RES Workspace Manager environment. Essentially the job was to devise a method to make one system let go and have the other one take over at the same time. This example was built on a 2012R2 AD with a Win7 front-end.

This method revolves around using a simple AD group that serves a dual purpose. 1) When a user is put in the group, specified policies are denied and 2) Workspace Manager takes effect. The nice part of this approach is that it is fully reversible, just by removing the user from the group.

Setting up a Lab HR system for IT Store

From the Lab Essentials Dept. This article is to show you how you can stand up your very own open-source HR system and hook it up with RES IT Store. One of the things you may often hear about in regards to RES IT Store, is the ability to do employee on/offboarding. If you want to test this out for real, you probably won’t get access to a live HR system in production, thus I wrote this article.

 

Managing VMware AppVolumes with RES

From the Skunkworks Dept. This is an article I’ve been looking forward to writing for a while. I had the opportunity to look at AppVolumes when it was still pre-VMware Cloudvolumes, but as you know – timing is everything, so I decided to hang back until VMware released AppVolumes today! In this article I will share some thoughts on how the AppVolumes product can be augmented by RES technology to offer some very interesting options for integrators.

Inside Workspace Manager 2014 SR2

From the Nuts&Bolts Dept. November 2014 saw the release of Workspace Manager 2014 Service Release 2. You may have read the initial post over at RES, but as always here at RESguru.com we like to kick the tires and take it for a spin around the block. There are several items in this release that are important to know about and I’m going to highlight some and give you my view on them.

Updated WM Registry Guide

From the About-Damn-Time Dept. One of the most popular articles on RG is the Registry reference for RES Workspace Manager. Unfortunately it’s been sitting on the backburner for a while, but no more! As of this week’s release of Workspace Manager 2014 FR2, the guide has been updated with all published registry settings available from the base 2014 release notes and up to. If you come across missing or any other spooky settings, feel free to contribute in the comments section on the article.

 

Free RES Consultancy

Is your company a RES Software customer? Are you considering if you are getting enough out of your investment? Want to make sure you’re doing it right, and the products have been implemented as they should to suit your business needs? Have a great use-case but not sure how to best go about it?

Why not take advantage of the 15 years of RES experience through RCS and find out how you can extract even more value out of your RES software purchase? RESguru Consulting offers:

  • RES Environment health check
  • Tune-up / Optimizations sessions
  • Best practice audits and advisory
  • Design Q&A whiteboarding sessions
  • Technical Workshops

Reach out today to RESguru Consulting Services for a free 3-4 hour online consultation with no strings attached. Until December 31st 2014, RCS is running a global campaign for new and current RES customers. Only requirement is that you currently own RES licenses. No Software Assurance? Not a problem.

Call +1 610 462 2200 or contact m.ranzau@resguru.com to schedule your free consultation.