
UserManual - Bconnect API


User Manual

Technical Documentation on Operating the baramundi Management Suite

IT management — simply clever


Legal Note

The information in this manual has been prepared with the greatest care. However, errors
cannot be completely excluded. baramundi software AG therefore accepts no legal responsibility
or liability for any remaining errors and their consequences.
All trade names are used without any guarantee of their freedom of use and may be registered
trademarks. baramundi relies mainly on the spelling used by the developer. The manual and all its
parts are protected by copyright. All rights are reserved including the duplication, translation, microfilming
and storage and processing in electronic systems.

Please send your comments and questions to us at:


baramundi software AG
Beim Glaspalast 1
86153 Augsburg (Germany)

Tel: +49 (821) 5 67 08–0


Fax: +49 (821) 5 67 08–19
Email: [email protected]

Copyright:
© 2017 baramundi software AG
baramundi Management Suite 2017 R1

Registered Office and Court:


District Court of Augsburg HRB № 2064
The registered office of the stock corporation is Augsburg.

Board of Management and Supervisory Board:


Dipl.-Ing. (FH) Uwe Beikirch (Board of Management)
Dipl.-Kfm. Karl Scheid (Board of Management)
Dr. Dirk Haft (Chairman of the Supervisory Board)

Texts, Typesetting and Page Layout:


Dipl.-Kfm. Tobias Berndt, M.B.A. (Technical Editor)
Preliminary Remarks

User and Software: a successful and proven relationship, but also a troubled partnership
of convenience which is put to the test daily!
Indeed, distributing, installing, updating and maintaining software in a business environment
is often perceived as a necessary evil, because these unproductive «preliminaries» to
operational readiness use up resources such as working time, production resources and
sometimes even outside expertise; in other words, they cost money. It was precisely the
desire to minimize the costs involved in software preparation that was the motivation and
reason behind the development of baramundi Management Suite, which is now in version
2017 R1 and has become the unified endpoint management solution that you trust, for which
we are very grateful.
The intention of this document is to give you a sound basis of knowledge about the
modules of the baramundi Management Suite (bMS) and its features. It presents a set of
best practices and methods to help you get started with or upgrade to version 2017 R1.
Numerous figures and examples are also provided to help you deploy bMS in your company
infrastructure in a structured and efficient way. This manual guides you through the Suite’s
features.
These days, time is always a critical factor, and it makes no allowance for copy deadlines.
Our developers are also always working to improve baramundi Management Suite and keep
it at the cutting edge of technology. So if you find something that is out of date, please
contact our service department, who can provide you with the very latest information.
If you are missing any content or you have questions, comments or suggestions that you
would like to send us, we would be happy to hear from you. Our contact details can be found
at the end of this manual. We hope you find this manual useful and that it will help you to get
up and running as quickly as possible. We also wish you fruitful results from working with our
Management Suite.

With kind regards, YOUR


baramundi software AG
About Us
baramundi software AG provides companies and organizations with efficient, secure, and
cross-platform management of workstation environments. Over 2000 customers of all sizes
and from every sector around the world benefit from the independent German manufacturer’s
many years of experience and outstanding products. These are compiled into an
integrated, future-orientated approach in baramundi Management Suite: client management,
mobile device management, and endpoint security are provided via a shared interface, using
a single database, and according to global standards.
baramundi Management Suite optimizes IT management processes by automating
routine tasks and providing an extensive overview of the status of the network and clients. It
relieves the pressure on IT administrators and ensures that, wherever they are, users always
have the necessary rights and applications on all platforms and form factors, whether on PCs,
Macs, notebooks or mobile devices.
baramundi software AG is headquartered in Augsburg. The products and services of
the company, which was founded in 2000, are fully Made in Germany. baramundi successfully
works with partner companies around the world in sales, consultancy, and user support.

About this Manual


This manual is divided similarly to the Management Suite’s structure:
The text begins with an Introduction to the system architecture of bMS.
It also contains instructions on how to install the Suite and a Getting Started section on how
to start using the Management Suite. This section also offers some examples of the main
administration tasks involved in a server structure: target system capture, hardware inventory
and software deployment.
Before describing the individual modules, this chapter presents the tools and functions
you need to work with baramundi Management Suite: the baramundi Management Center,
the Suite’s user interface, and:
Jobs, where all the «jobs» used to run actions in the Management Suite are created.
Environments, for structuring and managing target systems.
The next chapters present the modules of baramundi Management Suite:
Software For software deployment, with explanations on using Managed Software and
baramundi’s scripting tool Automate.
Operating Systems For installing operating systems, with an introduction to OS Cloning, an
alternative OS installation concept.
Inventory For taking hardware and software inventories, with texts on our inventory tool Assets
as well as on Application Usage Tracking (AUT), a tracking tool for analysing software usage.
Compliance The observance of guidelines of certain regulations to keep your IT secure.
Patches For automatic deployment of security updates, and
Extensions For functionalities of the Management Suite which are used in all modules:
• Mobile Device Profiles

• Licence Management

• Reserved Licenses

• Reporting

• Recovery

• Import/Export

The last chapters document the numerous management options offered by the bMS:
Configuration The settings to run the Management Suite in an adequate way, and
Suite Help A kind of first aid catalogue for handling error situations.

Typographical Conventions
The manual uses the following text styles:
• Sans Serif for headings in the various chapter levels,

• Italics for names, foreign words and general emphasis,

• SMALL CAPS for abbreviations and acronyms,

• Non-Proportional for occasional quotations of source text and user input.

baramundi Management Suite structures (node paths) are identified graphically,
for example: Configuration > Server > PXE Support for the PXE settings in the subnode Server of the
Configuration module. File paths are labelled with the usual directory icon, for instance:
C:\Directory\file.abc.

The «i» icon (a Note) marks further notes and instructions. These are more or less tricks and tips
for using parts of the Management Suite more efficiently.

A stop sign (a Warning) symbolizes places in the text which indicate possible problems with using bMS.
Reading these passages is very helpful to avoid common pitfalls.

A Security warning is a text you should take very seriously. Read these texts in any case;
your system and data security could depend on it!

| 3
Useful Keystrokes
The baramundi Management Center offers a number of keystrokes for more comfortable
operation:

Ctrl + F              Opens the quick search
Ctrl + Shift ⇑ + F    Opens the search dialog
Ctrl + W              Closes the current tab
Ctrl + Shift ⇑ + T    Opens a previously closed tab (up to 10)

baramundi User Forum

Let us introduce our user forum here already: it has meanwhile become a very big and useful
collection of knowledge around the baramundi Management Suite. You will find answers to so many
questions there that you should not ignore this source of knowledge.
Our own experts visit the forum regularly, too. Meet the colleagues from our
development, support and quality departments there, as well as lots of other users.

1 Introduction to the Suite
In this Chapter:
Installation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Software for the baramundi Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Supported Operating Systems for use as End Devices . . . . . . . . . . . . . . . . . . . . . . . . . 6
Installation of the Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Preparation for Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Windows AIK/WinPE-Bootimage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Deploy Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
VM Ware Player . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Activating PXE Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Registering End Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Installing Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Registering Previously Installed Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Hardware Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Deploy Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Update Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Before we explain the installation process and give a quick introduction in the concise
Getting Started section later in this chapter, we would first like to familiarize you with the
installation requirements of the system.

Installation Requirements
• Modern processor with a minimum of 4 cores
• Minimum 8 GB main memory; 16 GB recommended
• 1 GBit network card
• A minimum screen resolution of 1280 × 800 (for baramundi Management Center)

Software for the baramundi Management Server


• Minimum 5 GB disk space for the bMS installation and adequate space for the operating
systems (4 GB per OS), patches (> 150 GB) and applications (> 10 GB) to be distributed
• Windows Server 2008 R2 SP1, 2012 and 2012 R2, 2016 (64-Bit) in German or English
with Windows PowerShell and Microsoft .NET Framework 4.6*

* On servers with the .NET Framework integrated, make sure that the ASP feature is activated.
• Microsoft SQL Server 2014, 2012 SP1, 2008 R2 SP2 or 2008 SP3 (mixed mode), or Oracle, at
least Version 11g R2 or 12c R1, each with the current Service Pack, as well as 5–10 GB
disk space for the baramundi database
• Using an Express version of the MS SQL Server products (ISO images with MSSQL Server) is
possible. However, for 300+ devices we recommend using a regular SQL Server.

Warning: Work with a current operating system and the latest patches, especially with regard to the
ciphers you are using*. Ciphers can be a source of security problems! You can avoid such risks
by updating your operating system and patches regularly and maintaining your cipher list†.
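
As an added example (not from the manual), the following PowerShell script audits the Schannel configuration that the bMS server’s HTTPS endpoints inherit, listing the server-side protocol state and any enabled cipher suites that match a weak-suite pattern. It assumes Windows Server 2016 or later (the built-in TLS module supplies Get-TlsCipherSuite), an elevated session, and that the list of weak patterns is our own choice.

```powershell
# Added example, not part of the baramundi manual: audit the Schannel
# configuration that the bMS server's HTTPS endpoints (WCF / http.sys) inherit.
# Assumptions: Windows Server 2016 or later (Get-TlsCipherSuite comes with the
# built-in TLS module) and an elevated PowerShell session.

# Name fragments of cipher suites that should no longer be offered
# (our own selection: RC4, 3DES/DES, NULL encryption, export grades, MD5 MACs).
$weakPatterns = @('RC4', '3DES', 'DES_CBC', 'NULL', 'EXPORT', 'MD5')

function Get-WeakTlsCipherSuite {
    # Returns the currently enabled suites whose name matches a weak pattern.
    Get-TlsCipherSuite | Where-Object {
        $suiteName = $_.Name
        @($weakPatterns | Where-Object { $suiteName -match $_ }).Count -gt 0
    } | Select-Object Name, Cipher, Hash, Exchange
}

function Get-SchannelProtocolState {
    # Schannel reads server-side protocol enablement from the registry.
    # A missing key or value means "operating system default".
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key   = Join-Path $base "$proto\Server"
        $state = 'OS default'
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $state = if ($item.Enabled -eq 0) { 'disabled' } else { 'enabled' }
            }
        }
        [pscustomobject]@{ Protocol = $proto; ServerSide = $state }
    }
}

# Report the protocol state first, then any weak suites still enabled.
Get-SchannelProtocolState | Format-Table -AutoSize

$weak = Get-WeakTlsCipherSuite
if ($weak) {
    'Weak cipher suites still offered by Schannel:'
    $weak | Format-Table -AutoSize
    # Remediation after review, e.g.: Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_RC4_128_SHA'
} else {
    'No weak cipher suites are enabled.'
}
```

Disabling a protocol or suite on the server also affects the managed devices that must negotiate with it (older clients from the supported list may not speak TLS 1.2), so check the client side before changing the protocol keys.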

Network
• TCP/IP network (functional name resolution recommended)
• A DHCP server without specific boot options, if PXE boot is required
• The devices’ firewalls and ports must be unlocked

Name           Port    Protocol   Executable File
bMA (32-bit)   10087   UDP        %programfiles%\baramundi\BMA\bma.exe
bMA (64-bit)   10087   UDP        %programfiles(x86)%\baramundi\BMA\bma.exe

Table 1.1.: Native Firewall/Port Setting
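
As an added example (not from the manual), this PowerShell script shows how to “unlock” the agent port from Table 1.1 on a managed device without opening it to the whole network: it reports existing inbound rules that allow UDP 10087 from any address and creates a rule restricted to bma.exe and to the management server. It assumes Windows 8 / Server 2012 or later (NetSecurity module), an elevated session, the 32-bit agent path from the table, and the hypothetical server address 10.0.0.10.

```powershell
# Added example, not part of the baramundi manual: scope the bMA port from
# Table 1.1 to the agent executable and the management server instead of
# opening UDP 10087 to every remote address.
# Assumptions: NetSecurity module (Windows 8 / Server 2012 or later), elevated
# session, 32-bit agent path as in Table 1.1, hypothetical server 10.0.0.10.
$bmsServer = '10.0.0.10'
$bmaPort   = 10087
$bmaPath   = Join-Path $env:ProgramFiles 'baramundi\BMA\bma.exe'
$ruleName  = 'baramundi bMA (UDP 10087, from bMS server only)'

function Get-BmaRuleOpenToAny {
    # Enabled inbound allow rules for UDP 10087 whose remote scope is 'Any'.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $addrs = $_ | Get-NetFirewallAddressFilter
        $ports.Protocol -eq 'UDP' -and
        (@($ports.LocalPort) -contains "$bmaPort") -and
        (@($addrs.RemoteAddress) -contains 'Any')
    }
}

function New-BmaScopedRule {
    # Creates the narrow rule if it does not exist yet and returns the rule object.
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort $bmaPort -Program $bmaPath `
        -RemoteAddress $bmsServer -Profile Domain, Private
}

$tooWide = Get-BmaRuleOpenToAny
if ($tooWide) {
    'Inbound rules that open UDP 10087 to any remote address (review these):'
    $tooWide | Select-Object DisplayName, Profile, Enabled | Format-Table -AutoSize
}
New-BmaScopedRule | Select-Object DisplayName, Direction, Action, Enabled
```

On 64-bit devices use the second path from Table 1.1; rolling the rule out via Group Policy keeps it consistent across all managed devices.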

Supported Operating Systems for use as End Devices


Workstation Operating Systems Windows XP SP3, Windows Vista, Windows 7, Windows 8(.1) and
Windows 10 as 32-Bit or 64-Bit variants of the professional editions; macOS 10.7 and later
Server Operating Systems Meaning server operating systems to be managed as clients by the
baramundi Management Suite: Windows Server 2003 (min. SP2), 2008, 2008 R2, 2012
and 2012 R2, 2016 in both 32-Bit and 64-Bit variants with the latest service packs are
supported.
Mobile Operating Systems Apple’s iOS 7 and later, Google’s Android 2.3 and later, Windows Phone
8.1 and Windows 10 Mobile

Security warning: Parallel operation with other server applications. Operating the baramundi Management
Suite together with other server applications on one server is possible. However, problems can
occur for certain resources. Please note the port settings documented in our communication
schemes. These ports must not be used by other applications. Under some circumstances
a bMS adjustment may be possible, but it would need to be carefully checked. Furthermore,
there is a possibility of unauthorized access to sensitive bMS data (e.g. server-saved scripts) through
vulnerabilities of third-party software in parallel operation.

* Ciphers: device and server communicate via HTTPS. On the server side, WCF and
http.sys are used (Microsoft Schannel). Your operating system specifies which ciphers
are prioritized and used.
† See page 303

Installation of the Suite


Our baramundi Management Suite can be installed quickly by simply accepting and clicking
through the options presented. Nevertheless, the relevant steps are briefly described below.
Installation is essentially carried out in three phases, namely:
1. Preparation for installation (Windows Tools)
2. Installation of the Management Suite
3. Database-related installation steps

This is because certain Windows components (such as .NET, MSXML) and a database system
are required in order to be able to work with Management Suite.

Preparation for Installation


In order to use baramundi Management Suite, certain Windows components are needed, so it
must be checked whether these components are already installed.

Database Server
If you do not want to rely on an existing database server for the operation of the baramundi
Management Suite, an appropriate product should be installed and configured. For starters, a
SQL Server Express will also be sufficient in smaller environments (up to 300 devices). It
can be downloaded from Microsoft. A collection of sources can always be found in our
baramundi user forum*.

Note: Please consider that when using a Microsoft SQL Server we currently recommend using
mixed authentication. Access by the bMS server services thus takes place via a database user. Such
a user must have dbcreator rights.

.NET
If .NET is not present, a message is displayed. .NET is available on the installation DVD. If the
message shows up, just confirm with a click on Yes and the .NET Framework will be installed.
After the installation your system has to be restarted.
Once all the necessary Windows components are available and installed, start the bMS
Setup again. The bMS setup wizard displays some information to confirm.

* https://forum.baramundi.de/index.php?forums/60

Management User Accounts


To manage Windows devices, several user accounts are necessary. You will need these accounts
to execute administrative tasks automatically. They are:

Administration User. This user is used for tasks executed directly on the server, such as:
• the automated bMA installation on Windows devices (MSW and patches on the primary
DIP$, Compliance rule set to the configured* storage location, import of files in the
FileImport directory of the server)
• creating new and deleting existing computer accounts in operating system installations
• (if configured) import of computer accounts, organization units, users and user groups
from an AD into the bMS

Installation User. This user is used to execute Server Side Actions within jobs for any device
type. That includes DIP access and access to other network resources.
This account must not use a roaming profile as a domain user. We recommend always using
this user with local user rights. Otherwise, problems with the Crypto API used by bMA
could occur.

Local Installation User. There is no need to create this user manually; it is created by the
agent on Windows systems and is named baraInstLocal. It is used to execute job steps of the
Software, Patches and Inventory (only for user-defined inventory templates) modules.
• Executes Deploy, Patch and Inventory jobs on Windows devices (but does not access
the network), if configured

Network User. This user is used to access network resources during job execution.
If the specified user is not a member of the domain administrators group, the database
manager returns an appropriate message. If, however, you have granted the rights described above, this
is not a problem. The user is also used to log in to bBT DIPs if you use baramundi Transfer and
DIP sync.

* to be configured under Compliance/Settings



Installation
The bMS installation itself* is done in a few steps. First, you have to accept our licence
agreement. As Setup Type select Complete and confirm the installation request. After a click on
Install, the bMS installation begins.
You will be prompted as to whether or not you would like to start the Database Manager.
If you do, the installation switches seamlessly to the database setup.

Database Setup

Figure 1.1.: Create Database; Figure 1.2.: Create Database

To start the Database Manager setup process, select the appropriate dialog: Create New
Database. In this dialog, you first need to select the database system.
You can select between a Microsoft SQL or an Oracle Server. In the second dropdown
menu, enter the database server (YOURSERVERNAME\SQLEXPRESS) on which the database should
be created. By default, the Login ID for the SQL Express Server supplied is sa and the Password is
baramundi-2008. Under Database, enter a name for the database.
In the next dialog, entries are required for Database Medium and Log Medium. These
paths can essentially be freely selected, but the directories must already exist.

Database Medium:
C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA

Log Medium:
C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\LOG

* All further information refers to the standard bMS setup.



After entering your company’s name, the subsequent dialogs are self-explanatory and can
simply be clicked through; the default option selections should normally be accepted. A simple
click on Next within the License Information dialog activates a 30-day bMS full version. If you
already have a license, please enter your license key here. Click through the dialog Internet
Connectivity. Under Domain Configuration you can specify an administration, network and
installation user for the first domain*.
Under Global Unlock Password, enter a password. Click through the following dialogs and confirm:
• bMS Configuration

• Application Usage Tracking AUT

• Setup Download Jobs

• Setup DIP

• Configure Patch Management

• Setup Maintenance Tasks

• Configure Other Options

• Activate Database

• Create Database

To create the database, click on Finish in the last dialog to close the Database Manager. Then
close the bMS setup. Now baramundi Management Suite is ready to be used.

Warning: Database Backups. The bMS database contains almost all critical information needed to run the
Management Suite. Your database itself is therefore the most critical component in the event
of a system crash. Be certain to run automated and regular backups of your database. Keep
also in mind that this data needs to be carefully protected and unauthorized access needs to
be prevented. Anyone who gains access to it is in principle able to extract the authentication
information of the management user accounts!
Security warning: Shares are created during the database installation. By default, each and everyone
has access to those shares. This is not necessary. You can restrict access by doing the
following.
bMS$: Besides administrative users, only the bServer user (usually LocalSystem) needs access
to this share. Make sure that the service user always has access. Administrators should also
have access according to their tasks.
DIP$: All installation users must have read and write permission to access a DIP. Users
who want to create new source files in the DIP need write permission. On the first, the primary
DIP, the bServer user needs write permission to save automatically downloaded files (e.g. Managed
Software) there.
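
As an added example (not from the manual), the following PowerShell script applies the share restrictions described above: it removes the default Everyone entry from bMS$ and DIP$ and grants only the principals the text names. It assumes the shares are on the local bMS server, that the bServer service runs as LocalSystem, that the installation user is the hypothetical domain account CONTOSO\svc-barainst, and the SmbShare module (Windows Server 2012 or later) in an elevated session.

```powershell
# Added example, not part of the baramundi manual: tighten the share permissions
# on bMS$ and DIP$ instead of leaving the default "Everyone" access in place.
# Assumptions (adjust to your environment): shares are on the local bMS server,
# the bServer service runs as LocalSystem, the installation user is the
# hypothetical account CONTOSO\svc-barainst. Requires the SmbShare module
# (Windows Server 2012 or later) in an elevated session.

$installUsers = @('CONTOSO\svc-barainst')   # installation user(s), hypothetical
$bServerUser  = 'NT AUTHORITY\SYSTEM'       # bServer service account (LocalSystem)
$adminGroup   = 'BUILTIN\Administrators'

function Remove-EveryoneAccess {
    param([Parameter(Mandatory)][string]$ShareName)
    # Only revoke if the wide-open entry is actually present.
    $everyone = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq 'Everyone' }
    if ($everyone) {
        Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force | Out-Null
    }
}

# bMS$: service account and administrators only.
Remove-EveryoneAccess -ShareName 'bMS$'
Grant-SmbShareAccess -Name 'bMS$' -AccountName $bServerUser -AccessRight Full -Force | Out-Null
Grant-SmbShareAccess -Name 'bMS$' -AccountName $adminGroup  -AccessRight Full -Force | Out-Null

# DIP$: installation users need read and write (Change); on the primary DIP the
# bServer user also needs write access for automatically downloaded files.
Remove-EveryoneAccess -ShareName 'DIP$'
foreach ($user in $installUsers) {
    Grant-SmbShareAccess -Name 'DIP$' -AccountName $user -AccessRight Change -Force | Out-Null
}
Grant-SmbShareAccess -Name 'DIP$' -AccountName $bServerUser -AccessRight Change -Force | Out-Null
Grant-SmbShareAccess -Name 'DIP$' -AccountName $adminGroup  -AccessRight Full   -Force | Out-Null

# Verify: no Everyone entry remains and only the expected principals are listed.
foreach ($share in 'bMS$', 'DIP$') {
    "Share permissions for $share :"
    Get-SmbShareAccess -Name $share |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize
}
```

Share permissions combine with the NTFS permissions of the underlying directories (the more restrictive wins), so check those ACLs as well.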

For a more detailed look into the database setup subject, we recommend our database
reference†, which you can find in our internet customer forum.

* If it is a group system, only an entry for the server system itself is created.
† https://forum.baramundi.de/index.php?threads/5569



Getting Started
To gather a first impression of the Management Suite, a few small jobs can now be carried out.
At the first bMS start, under State > Server State switch from Maintenance Mode to Operate Mode.
To follow the examples below, some preparation has to be done.

Security warning: Using bMS in combination with other third-party products on the same server should not
cause issues. However, some applications could limit performance and/or pose a security
risk to the bMS installation. Where possible, productive operation should take place on a
standalone server system.

Windows AIK/WinPE-Bootimage
The Windows Assessment and Deployment Kit (Windows ADK) is a collection of tools that you
can use to customize, assess, and deploy Windows operating systems to new computers.
1. Load the installation sources for Windows ADK*
2. Start the executable files for your system.

Note: It is quite possible that you cannot start the WAIK setup from the installation medium. In this case
copy the files locally to your server and start again.

Accept the licensing terms and click through all the dialogs using the Next button. Finally
click on Finish to complete the installation. Now a boot image is needed. The most comfortable
way to create a boot image is using baramundi’s Boot Media Wizard.
3. Start the Boot Media Wizard via Configuration > Tools > Boot Media Wizard

Click through all the other dialogs using the Next buttons. As soon as the boot image has been
created successfully, Finish the wizard.

Deploy Windows
As part of this Getting Started, the distribution of an operating system will be shown
already. For demonstration purposes you do not have to have a Windows source. A 90-day
test version of Windows is available on the internet for free.
1. Download the current Windows Enterprise Evaluation† as 32-bit version
2. Unpack the ZIP file of the operating system into a directory

* You will find a collection of relevant third-party products in our baramundi user forum:
https://forum.baramundi.de/index.php?forums/60.
† https://www.microsoft.com/de-de/evalcenter/



VM Ware Player
We are using a virtual VM Ware machine as the end device in our example.
1. Download VM Ware Player from the internet: http://www.vmware.com/products/player/playerpro-evaluation.html
2. Install VM Ware Player (simply click through with Next)
3. Once the installation is done, initiate a reboot if necessary

We want to build a new virtual machine. An already configured one can be found here:
https://download.baramundi.de/bms/Gettingstarted/bMS-Demo-Win7.zip; in this case continue
at Registering End Devices.
4. Open VM Ware Player
5. Give a valid email address
6. Select Create a New Virtual Machine.

Usually, a virtual machine should get an operating system immediately. But that is what we
want to do later on, as an exercise. Therefore:
7. Select I will install the operating system later.
8. Select under Guest Operating System the item Microsoft Windows
9. and under Version choose the most current Windows.

Just confirm/finish the virtual machine configuration. Do not start your virtual machine yet.
10. Select Edit virtual machine settings.
11. Select Network Adapter under the Hardware tab
12. and under Network connection select Bridged.

Only in the operating mode Bridged can a virtual machine be connected to the bMS server’s PXE
module. Now that the preparation is complete, we can start a few exercises demonstrating some
frequently used bMS features.

Activating PXE Support


Later on, within the introduction examples, a Windows device will be registered via PXE. The
baramundi Management Server contains an integrated PXE server to do this. However, this
PXE server must be activated first.

Note: Within a network segment, only one PXE source should be active!
1. Start the baramundi Management Center.
2. Open the Configuration module tab.
3. Select the Server view and therein edit the PXE Support.
4. Check the PXE server active and TFTP server active options and restart the baramundi Server.

Figure 1.3.: Boot Sequence; Figure 1.4.: Registering Menu

Registering End Devices


Note: Please verify the status of the baramundi Management Server service. It has to be running to
allow the following steps to work. Execute net start barasrv to start the service.

What we currently have is a computer not yet known to our Management Suite.

Registering Manually
To make our virtual machine able to boot via Windows PE, its boot order has to be adjusted.
So we have to go into the BIOS setup and change the boot sequence.
Note: You can switch from working on your desktop to the virtual machine by a simple click within the
virtual machine’s screen. To get back to your desktop, press the key combination Ctrl + Alt.

1. Start your virtual computer with Play virtual machine
2. Then press F2 to get into the BIOS setup
3. Select under Boot the item Network boot and move that line up so that it is at the top of the
boot sequence
4. Confirm and close these settings by pressing F10

Note: Alternatively, you could press Esc (cf. Fig. 1.3)! The boot sequence will then be valid for the
current session only.

Now your virtual machine will boot again and the menu baramundi PXE Bootclient appears:
5. Press F8 within the next five seconds* and the PXE boot menu opens

* Otherwise turn off the machine via «Virtual Machine/Power/Power off» and start again.



6. Select Register manually (WinPE)* (Fig. 1.4)

Windows PE will load.

7. Click through the dialogs until Register Information
8. Give your virtual machine a Name
9. Click Next to proceed through the menu dialog
10. Confirm the notification of the missing job

As you can see, at this point the installation dialog forces you to select a job. We want to
execute jobs anyway. Therefore, just leave the VM Ware end device tab open; we will take care of
it later on. Your virtual machine is now registered and visible in the baramundi Management
Center. Now take a look at the node Environment > Logical Groups. Your newly registered end device is
already there and able to execute jobs.

Installing Operating Systems


Our virtual machine has no operating system yet. This exercise will show you how an OS can
be distributed to the virtual machine.

Getting a new OS into the Suite

To distribute operating systems at all, they must be available within the bMC first. Therefore,
we want to have our previously downloaded Windows test version within our baramundi
Management Center.
1. Select in the bMC Operating Systems and New/Operating System
2. Stay with the default setting native
3. Give the path to the unpacked OS sources
4. Select the associated unattended file
5. Click through the following dialogs with Next
6. Close the dialog with Finish

Once you have finished the whole procedure, a new bMC node below Operating Systems
will be created, called Microsoft Windows. Now you are ready to distribute this OS.

Deploy Operating Systems


The following sections will focus on how to install an OS on a target system.
1. Select Jobs and New/Job for Windows Devices

* This option is available only for systems whose MAC address is not known in the DB.



2. Give the job a Name, e.g. Install Windows
3. Now select the job step Deploy operating system
4. Click through the following dialogs and finally on Finish

The newly created job can be found below the node Windows Jobs.
5. Select the just created job and click on Assign
6. Enter the name of your test system (top-right) and confirm
7. Click on Next and check your selection
8. Close the job assignment with Finish

The job is now ready for execution. You can watch it via the Jobs and Environment nodes.

VM Ware Player Your virtual machine is still waiting for a job. Just confirm the displayed message
and select Back. The job then starts by itself.

Registering Previously Installed Devices


Having discussed how to register unknown computers, we will now see how to register
devices which are already part of our system. To do this, open the right-mouse context menu
for Environment > Logical Group and select New/Windows Device. This time, we want to select Without
Hardware Profile. Under Display Name, enter the computer to be registered (this is also used
as the Host Name) and confirm your entries. The computer is then listed under the Environment
> Logical Group node.

Figure 1.5.: New Job; Figure 1.6.: Job Step


Hardware Inventory
Next we want to collect detailed hardware information. As mentioned previously, most
actions within baramundi Management Suite are executed using a job, that is, a specific task
that is transferred to the system. And this is how it works:
1. Select New/Job for Windows Devices from the Jobs module and give your new job a Name
(here: «Hardware Inventory»),
2. Then select the job step Perform Inventory
3. In the next dialog, select Standard Hardware Template.
4. Click through to the last dialog to finalize the job with Finish.

The job has been created and can be found under the Jobs node. The job must now be
assigned to the appropriate device via the Assign action in the job’s context menu. On the
end device you will find the Assign Jobs action within the action bar or context menu.
You can watch bMS at work. To do so, go to the logical group within the Environment module
and select your system under the Content tab. The detailed list (right hand) shows you
the current job state under Last five executed jobs. You will get more information if you open
the object in its own view, reachable via double-click or a click on the Open action.
Under the Assignments tab, all assigned jobs are listed. If you select a job, the detail list (right) will
inform you about the single job steps and their conditions. Once the job has been successfully
completed (the progress bar changes from blue In Progress to green OK), the hardware data
that has been determined is available under the name of the executed inventory in the …
Hardware/WMI node.

Deploy Software
In this section, we will of course also show you how to perform a basic software installation. To demonstrate an automatic update of already installed software, we first install an older version of Notepad++.

Copying Installation Files to DIP


Before software can be distributed, it must be available to the system.
1. Download an older Notepad++ version*
2. Store the downloaded data in the C:\dip$\Apl directory of your local DIP
3. To get the software into the bMC: Go to the Software node, click New, use the baramundi Application Wizard and select the downloaded data from your DIP.

* https://notepad-plus-plus.org/download/v7.3.1.html



4. Select Direct enter command line in the next dialog.
5. Add the /S (silent) parameter to the command line.
6. Enter vendor and software name and confirm the following dialogs to finish.

The Notepad++ application is now part of your database; the installation sources are available on your DIP.

Creating and Assigning a Software Deployment Job


Now, an appropriate job should be created and assigned to a target system.
1. Select Jobs and New/Job for Windows Device
2. Give the job a unique name
3. Select the first job step Install software
4. Select the relevant software
5. Complete the job

The job for deploying Notepad++ is now available under the Jobs node. At this point, the distribution job can be assigned via the Assign action to a device or a group of devices under Environment, so it can be executed.

Update Software
It is quite possible that the version of the Notepad++ editor from the last example will already be outdated by the time you read this. So, it might be a good idea to update this editor for testing purposes.
Please note: an automatic update is only possible for MSW within one product line.
First, our system must know that we want to update the Notepad++ editor:
1. In the bMC, open the Software module and select Managed Software/Products/Notepad++.
2. Select Notepad++ Team Notepad++ 7.x-x86-us there and choose Edit in its context menu.
3. In the dialog that opens, select the Managed Software tab and set Default Release to Released for Test.
4. Check Apply release settings immediately to child elements and confirm with OK.

The server will now download the installation sources for Notepad++. You can watch this in the start menu under Server Status. When the download has finished, the next step is the update itself. We are going to create a job:
1. Open the Jobs module and select New/Job for Windows Device.
2. Give your job a unique name, e.g. MSW Software Update.



3. Select the Update Managed Software job step.
4. Under Actions set Inventory and Update and as Release Level set Released for Test.
5. In case you have already released other products but this job should only allow the Notepad++ update, please use filters. Otherwise this can be ignored.
6. Finish the job.

Now assign the job to an end device. You can watch the execution under Assignments in Jobs or within the object view of the end device.



2
Jobs
In this Chapter:
Jobs for Windows Devices (p. 20)
Jobs for Mobile or macOS Devices (p. 22)
Mobile Devices (p. 22)
macOS Devices (p. 23)
Cross Platform Jobs (p. 24)
An Example (p. 24)
Structure of the Job Node (p. 28)
Job Settings and Results (p. 29)
Scheduling (p. 29)
User Interactions (p. 30)
Client/Server Interaction (p. 31)
Job Results (p. 32)
An Example (p. 33)
User-Related Job Execution (p. 35)
Theory (p. 35)
Practice (p. 39)
Automatic Job Assignment/Job Conditions (p. 41)
baramundi Kiosk (p. 42)
Kiosk OS Installation (p. 43)

As mentioned previously, most actions within baramundi Management Suite are executed using jobs. For this reason, the Jobs view can be seen as your executive control center, as it is via this node that you manage your jobs. A job consists of at least one job step, for example an operating system installation or creation of an inventory. A job may also comprise several steps. The composition of these job steps may vary greatly and can be individually adapted for specific tasks. The following sections describe how to create, execute, manage and automate jobs.
To select clients and devices of a certain platform quickly, filters have been integrated in the corresponding views. These filters use the following icons:

PCs (clients, running under Windows operation systems)

Macs (clients, running under Apple’s macOS)

Mobile Devices (iOS, Android, Windows Phone)

To select a platform, just click on the corresponding icon. Multiple selection is possible; a double-click on an icon will activate the corresponding platform and deactivate the rest.
Figure 2.1.: Job Management

Jobs for Windows Devices


Jobs are executed in four simple phases:
• The server indicates to the device that jobs are available.

• The device then signals to the server that it is ready to execute them.

• The server transfers the job(s) to the device, one at a time.

• The device informs the server that it has executed/rejected the job sequence.

Figure 2.2.: Workflow of Windows Jobs (Server (bMS) with MOC and DB; Device (bMA))
(1) Server reports: job(s) available
(2) Device reports: ready to execute jobs
(3) Job transferred: Server to Device
(4) Result communicated: Device to Server

Please note: Before jobs can be transferred by the server to the target systems, a few preparations usually need to be made. For example, software to be distributed must be available on the DIP.

A line separates the job steps in the upper area, which can be executed as often as desired,
from those in the lower area, which take some time.
The following tasks can be performed on Windows systems using jobs:
Install Software This job step installs software on target systems.
Uninstall Application To uninstall an application, an uninstall job can also be created directly for all applications for which an uninstall mechanism has been defined. The select button opens a new window where you can select the applications you would like to uninstall.
Perform Inventory This creates jobs for taking an inventory of the hardware and software on target computers.
Deploy Microsoft Patches This job step is used to determine and, if necessary, update the patch status of target systems.
Update Managed Software Job step to take an inventory of and update Managed Software. In addition, the release level for installations is set here.
Create Personal Backup Based on the backup templates, the data backup is also available as a separate job step. Just as with the creation of the image, it is necessary to specify the path for the backup from the perspective of the device. Make sure that the destination is accessible. You can select the different backups that are to be performed from the list of defined backup templates.
Create Image Backup To create an image, make sure that the destination where the backup data is to be stored can be accessed from the system you want to back up.
Deploy Energy Policy Deploys a previously defined energy policy to save energy costs.
Run Server Side Action Runs the job on the server instead of on a target system.
Run Compliance Scan This job step is used to examine the degree of vulnerability of computer systems on the one hand, and compliance with security guidelines for mobile devices on the other.
Manage Virtual Machine A module to manage virtual environments based on VMware vCenter.
Perform Network Scan This job step executes a scan within certain IP ranges to detect network devices. The result will be shown as an IP Map.
Deploy Operating System Select the OS you would like to install as well as the options for how the partitioning should be handled. Then you can select the image that is to be booted.
Wipe Hard Disc baramundi Wipe Disk has been developed as a tool for completely erasing data from a computer, for example if it is to be scrapped. Specify which hard disk is to be wiped and select the mode to be used:
• Write same pattern
• Write alternating pattern 00/FF
• Write random data
• US DoD 5220-22.M/US DoD 5220-22.M (short)
• Peter Gutmann
• RCMP TSSIT OPS-II
• German VSITR standard
• Bruce Schneier

You can log wiping processes. To do so, specify a UNC path for the log files.
Create Master Image of an Operating System Via this job step it is possible to create a so-called clone image from a master device. With this clone image, new systems can be installed by giving them the same configuration as the master device.
Restore Data from Personal Backup When restoring data, it is possible to select the directory for the data backup. In addition, selecting the option Restore data from Personal Backup allows you to set in a subsequent prompt which of the backed-up files you would like to restore.
Restore Partition from Image When restoring an image, the path to the location of the image must be specified from the perspective of the device and must be accessible. Configure the options as desired and then select the boot environment you would like to use.
Execute Software in Windows PE This job step executes an installation command in Windows PE.
Boot PXE Image This job step gives you the option of booting an image. This can be useful, for instance, when a BIOS update has to be performed. Using this job step, any image that you have created can be booted. If Windows is running on the target system at the same time the job is executing, a system restart can be initiated by the server via an option. In this case, a forced shutdown will be executed.
Note: It can happen that not all job steps of a job are executed, e.g. because of different platform definitions. You can ignore such job steps for further executions by selecting the Skip Jobstep option in the context menu of that particular job step within the information area (right side).

Jobs for Mobile or macOS Devices


Because the job handling of mobile or macOS Devices is quite similar, both systems will be
described in the text below. The differences will be pointed out if necessary.

Mobile Devices
Jobs for mobile devices differ in some respects from their counterparts for Windows PCs:
1. The server notifies the push service and asks to be contacted by the target device
2. The target device is informed of the connection request at the earliest opportunity
3. The target connects to the server
4. The server transmits the job information
5. The target executes the job and notifies the server of the result

Via jobs, the following actions can be executed:
Install App Installs an application on a mobile device
Uninstall App Uninstalls an application from a mobile device
Configure App Configures an iOS app; alternatively, an already pre-configured app can be deployed to devices*
Remove App Configuration Removes a previously created iOS device configuration
Install Profile Installs a collection of device settings on a mobile device
Uninstall Profile Uninstalls a collection of device settings from an iOS device
Perform Hardware Inventory Reads out hardware data of a mobile device
Perform Software Inventory Reads out data on the installed software of a mobile device
Lock Device Locks a mobile device; after the lock code is entered, it can be used again
Unlock Device Unlocks a mobile device temporarily
Wipe Device Deletes personal data/settings of a mobile device and resets it to default settings
Server Side Action Executes a bDS on the server for an end device

Take into consideration: To wipe data, the target device has to be switched on and must be connected to an internet-connected network.

Update OS Tells you that there is a newer OS version available and/or installs the new OS (DEP-managed iOS devices (iOS 9) in supervised mode only)

macOS Devices
Because of the similarity in the management of iOS and macOS devices, the job handling is quite similar, too. Both systems have the same inventory commands, for example. Therefore, already existing inventory jobs can be assigned directly to both the iOS and the macOS platform. Currently, the following job activities can be performed:
Hardware/Software Inventory Collecting, saving and analysing software and device information within the bMS.
Execute a Script This job step executes shell scripts on a target system. To do so, the bMS server establishes an SSH connection to the target system.
Server Side Action As for all the other device types, you have the possibility to execute bDS scripts for a target system.

The jobs will be handled as usual: For example on the device under Environment with a click on
Assign Job within the action bar or in the context menu.

* see page 107

Cross Platform Jobs
It is possible to edit jobs with job steps for several platforms: for Macs, iPhones/iPads, Android or Windows Phone devices. The idea behind this is that you do not have to edit several jobs for several platforms, but one job with several job steps for different platforms.
Let's imagine a job to deploy two apps: the first one (step 1) a Windows Phone app and the second (step 2) an Android app. This job is assigned to a group of mobile devices: an iOS, a Windows Phone and an Android device. As a result, nothing will be installed on the iOS device; an error message will be displayed, telling you that the selected device type is not compatible. For the Windows Phone and the Android device, the incompatible job step will be skipped and the other one will be executed. So, in case at least one of the job steps can be executed, the job itself will be displayed as OK. If none of the steps can be executed, an Error will be shown. To summarize such jobs:
What if there are some job steps which cannot be executed? Such job steps will be skipped.
Where can I see which steps were executed and which ones were skipped? With a click on the corresponding job you will see the job details on the right-hand side within the bMC. Under Steps, information about the job steps is given.
How are skipped job steps labeled? Skipped job steps are marked by a gray stop sign. Below it, you can open a short description of why the step could not be executed.

An Example
Let's illustrate Mac jobs with a little example of a software inventory for a macOS device: We want to create and assign a new job. Afterwards the job results will be shown and analysed.

Create a Job. First, create a new job for a macOS device:


1. Under Jobs, select New/Job for mobile or macOS Device.
2. Give the job a Job Name and a short description within the comment field (Fig. 2.3).
3. Select Add Step (Fig. 2.4) and in there Perform Software Inventory.
4. Click on Save and the job will be created. (Once you have saved the job, leave the object tab open.)

Assign Job. From this view you can assign the job directly to a certain macOS device.
1. Select the Assign Device button in the tree structure or within the action bar.
2. On the left, select the macOS device you want and click the right arrow symbol.
3. Confirm your settings with Next and Finish.

Figure 2.3.: Describe Job Step

Figure 2.4.: Add Job Step

Figure 2.5.: Select Device

Figure 2.6.: Job Results

Evaluate results. Depending on your setting for Also show system apps, either only non-system apps or all apps including system apps will be listed.
Under Inventory Software macOS Devices you will find a cumulative list of apps found for this platform. From this view you can also open the object tabs of single apps.

Working with Scripts


The job steps Perform Hardware Inventory and Perform Software Inventory are more or less self-explanatory. The script-related job steps, however, are examined in more detail below.

Server Side Action. Via this job step you can run bDS scripts (Fig. 2.7) on the target device. Via Select bDS you can load a script from the BMS$\Scripts\ServerSide directory; the script must be stored there, no other location is possible. If you want to edit the script before running it on your target device, a click on Edit bDS will open the baramundi Automation Studio to do so.
Select a Security Context (LocalSystem/InstallUser) and an appropriate time limit (in minutes) after which the script will stop trying to run on the target device, then confirm the settings with Save.

Figure 2.7.: Server Side Action

Figure 2.8.: Execute Script

Execute Script. This job step will execute shell scripts (Fig. 2.8) on the target device. Such scripts must be saved under BMS$\Scripts\Mac. Only from there can you Select a script. You can Edit such a script or create a New one. With a click on these buttons, an editor associated with the .sh file extension will open. Within a script, you can use bMS standard variables. The execution of a script is limited by a Timeout you can select; the default value is 15 minutes. After this duration, the job step will be stopped. Selected timeouts should be appropriate to the job activities. The job step can copy additional Files required for execution via SCP by clicking Add Item. The location of such data should be the primary DIP. The result of a script execution is usually validated via a return code. Valid return codes can be given as a list, separated by semicolons. Instead or in addition, you can check for the existence of files and directories. Multiple inputs have to be separated by semicolons.
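As an added illustration (not part of this manual and not baramundi's own code), the following Python mirrors the two success checks described for this job step: a semicolon-separated list of valid return codes and a semicolon-separated list of files or directories that must exist on the target. Treating return code 0 as success when no list is configured, and the sample marker file, are assumptions.

```python
import os
import tempfile
from typing import List, Tuple


def parse_list(field: str) -> List[str]:
    """Split a semicolon-separated dialog field into its items, ignoring blanks."""
    return [item.strip() for item in field.split(";") if item.strip()]


def evaluate_script_result(return_code: int,
                           valid_return_codes: str = "",
                           required_paths: str = "") -> Tuple[bool, List[str]]:
    """Apply the two result checks the Execute Script job step offers.

    - valid_return_codes: semicolon-separated list, e.g. "0;3010"; the script's
      return code must be one of them. With an empty field, 0 alone counts as
      success (assumption; the manual only says a return code is "usually" used).
    - required_paths: semicolon-separated files/directories that must exist.
    Returns (ok, problems); the problems list explains why a step fails.
    """
    problems: List[str] = []
    code_items = parse_list(valid_return_codes)
    try:
        allowed = {int(item) for item in code_items} if code_items else {0}
    except ValueError:
        # A malformed list can never be satisfied; report it instead of passing.
        return False, [f"return code list {valid_return_codes!r} is not numeric"]
    if return_code not in allowed:
        problems.append(f"return code {return_code} not in {sorted(allowed)}")
    for path in parse_list(required_paths):
        if not os.path.exists(path):
            problems.append(f"required path does not exist: {path}")
    return (not problems), problems


def demo() -> List[bool]:
    """Run the checks against a constructed temporary directory (sample data)."""
    with tempfile.TemporaryDirectory() as workdir:
        marker = os.path.join(workdir, "install.done")
        with open(marker, "w", encoding="utf-8") as fh:
            fh.write("ok\n")  # constructed marker file a script might leave behind
        results = [
            evaluate_script_result(0)[0],                       # code 0, no lists
            evaluate_script_result(3010, "0;3010", marker)[0],  # listed code, file present
            evaluate_script_result(1, "0;3010", marker)[0],     # code not in list
            evaluate_script_result(0, "0", f"{marker};{os.path.join(workdir, 'missing')}")[0],
        ]
    return results


if __name__ == "__main__":
    print(demo())
```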

Structure of the Job Node


To keep different tasks well organized, it is useful to manage the jobs within a structure. It
is advisable to create a structure that separates the main tasks of inventory creation, patch
distribution and software distribution, for example.

You can set up, change or add to a structure by renaming, deleting, or adding folders. It is also possible to add sub-folders. To do so, use the New/Folder action.

Job Settings and Results


Jobs can be run via various procedures:
• Jobs have been manually assigned to devices or device groups in the bMC
• Jobs have been requested from the device via baramundi Kiosk
• Jobs have been automatically assigned: manually defined conditions are fulfilled
• Jobs are run for specific users: the job is executed when the user logs on

Scheduling
In day-to-day practice, there are often tasks that require jobs to be executed cyclically on the
target systems, such as patch distributions or the taking of inventories. For these types of
tasks you can also execute jobs according to a schedule. This allows installations to be carried
out during low-traffic times, for example.

Jobs for Windows Devices


This configuration can either be performed by deactivating the express mode (only for Windows jobs; bMD jobs always have access to all job options) when you create the job or by editing the properties of existing jobs. You can access the properties pages from both the context menu and the task area once you have selected a job. Under Edit in the context menu of a job, you will find the validity and interval options on the General tab.
Under Validity, you can define the periods in which the job should be run. In this way, you can define a start and end date or the times when the job is to run.
Unrestricted The job is always valid.
All days equally The job runs every day at a certain predefined time.
Set Weekday and Weekend Days It is possible to set jobs for weekdays and weekends separately.
Set Individually Times are set separately for each weekday.
Figure 2.9.: Job Validity

The yellow sliders (Fig. 2.9) indicate the valid time period. You can modify the start and end time by grabbing the upper or lower edge, holding down the mouse button and dragging the slider up or down. You can set additional sliders by clicking the mouse button and dragging over an unoccupied area. The times of day defined in this way only apply to the range defined under Validity. There is also the option of defining intervals for a job. For example, you can configure a job to repeat four times, on Wednesdays and Fridays at 8 pm. Choose:
• Specific weekdays
• The 1st of every month
• The 15th of every month
• Every x-th minute/hour/day

With the Unlimited option, the job will be repeated according to the configuration determined.

Jobs for Mobile or macOS Devices


To get a job for mobile or macOS devices repeated, activate the option Repeated Execution in Settings/Overview. Then select the desired interval and enter after how many hours, days or weeks the job should be performed again.

User Interactions
Here you can allow the user to defer or reject a job execution. You can also configure custom notifications and the keyboard and mouse locking.
The Job Info Window determines in which way a user will be informed about a pending job execution: Always show, Never show or Only show when rebooting. There is also Determine automatically to select. In that case, a user will be informed if the job or job step configuration will result in an interruption of the user's work, e.g. if a reboot has to be done.
Under User, set the degree of influence a user has on the job execution:
can not influence User has no influence on job execution.
can delay the job Job execution can be delayed, but only until user logout, reboot of the device or expiration of the time limits; a delayed job blocks following jobs.
can deny or delay the job Job execution can be delayed (see above) or denied and thereby cancelled.
has to confirm job Job only starts at user confirmation or after expiration of the time limit; a delayed job blocks no following jobs.
Figure 2.10.: User Interactions

Via the delay and execution time settings, you can control the time at which a job will be executed. Besides that, the dialog offers a reminder function to remind users to execute jobs. You can also determine whether keyboard and mouse are to be locked during job execution. If the Show custom tray information option is activated, a custom notification may be added to the job info window. Basic HTML tags may be used for formatting.

Client/Server Interaction
For any Windows jobs, you can specify in the job options how they should be executed. You
can also determine the job type, set up log-offs and define what should happen after a job
has been successfully executed (Fig. 2.11).
Active (Server contacts clients) If the target system can be reached and is running, the server ad-
dresses and executes the job on the client.
Active with WakeOnLan If the target system is not running, the server sends a wake-up signal to the
target system in order to initiate an operating system startup.
Passive (Server waits for client to contact) The server does not attempt to reach the client, but waits for
contact to be made.
Active to Online Clients (Recommended) If the last announce signal arrived at the server within twice the announce time (see Configuration Server Base Settings under the Communication tab; default setting 30 minutes), it assumes that the client is online.
At Shutdown (Server contacts clients) Jobs will be executed while a client is shutting down. All target systems will be contacted by the server.

The following restrictions apply to shutdown job types: (a) Within the application properties, the Visible Execution option must not be set to Desktop Required. (b) When working with UAC, shutdown job types can be used with the LocalSystem Security Context only.

At shutdown (only on online clients) Jobs will be executed while a client is shutting down. Only those target systems for which the server has a valid announce will be contacted.

If a user is logged onto a target system, you can define how this situation is handled in the Extended tab (Fig. 2.12).
Log off before job starts Open programs with unsaved data lead to job termination.
Enforce Logoff All processes will be ended. The user has no possibility to save open documents.

Figure 2.11.: Shutdown Jobs Figure 2.12.: Template Selection

Log off as late as possible Relevant for jobs with several job steps. A logoff takes place as soon as a job step makes it necessary.

In addition, you can use the following options to define what happens once the job has been
successfully completed on the target system: No additional action (default), Active screen saver
(requires at least Windows 2000), Shutdown system, Powerdown system when WakeOnLan was
used or restart the system. If you would like to remove the job from the job definition after it
has been run, you can do this by activating the option Remove jobtarget from job on success.

Job Results
To select a certain group of jobs, just click on the corresponding icon. Multiple selection is possible; a double-click on an icon will activate the corresponding jobs and deactivate the rest. The state of jobs can be seen in the module nodes Jobs and Environment. There, all assignments of each group (folder for Jobs, Logical group for target systems) are shown in summary. If you only want to take a closer look at certain jobs or the jobs of a particular target, open the desired object. In the action bar/context menu you will find the information sought in the Assignments/Device node.

Figure 2.13.: Selection

To run certain jobs on certain devices, you can save such devices here via Save as Static Group. The Set Jobtarget OK option also deserves a closer look. Using this function, it is possible to mark jobs as correct even if they did not run properly. This might be useful, for example, if jobs with errors have been manually corrected by the administrator.

The job states have the following meanings:
(%-Progress) File is downloading
Boot-Client Job is waiting for Windows PE
Connecting Job is establishing a connection to the bMA
Error Job ran into an error
OK Job finished successfully
Precondition Job does not meet its precondition
Queue Job has been queued
Reboot Job will reboot the client after execution
Reschedule Job rescheduled after success
Reschedule Job rescheduled after error
Running Job is currently executing
Scheduled Job has been planned
Shutdown Job will shut down the client after execution
Time Slot Job is to run at a defined time
User Action Job is waiting for user input
User Action Job is waiting for user confirmation
Waiting for Device Job is waiting for a device/internet connection
Warning Job step ran into an error, job continues / job cancelled by user

An Example
The following section briefly demonstrates how job management works using an example.
For this, an application, the editor Notepad++, is distributed to a target system.

Copy Installation Files to DIP


To distribute software using baramundi, it must first be made available to DIP. Download the
editor from the Internet* and copy the application into the appropriate DIP directory.

* http://notepad-plus-plus.org/download

Create the Application

Now Notepad++ must be created in the Software module. Select Software Application and New/Application and in the dialog that opens (Fig. 2.14) select the option Use baramundi Application Automation Wizard. Then enter the path (Fig. 2.15) to the editor in the DIP directory. Within the Command Line dialog, enter /S for a silent installation. The process then runs invisibly, without any prompts to be answered by the user.
Click through the subsequent dialogs and then click Finish. Notepad++ then appears in Software Application and is ready for distribution.

Figure 2.14.: Wizard Selection Figure 2.15.: Path Selection

Create a Software Distribution Job


Once the software is available to the system, you can create an appropriate job to distribute
the editor.
1. Select Jobs and New/Job for Windows Device.
2. Give the job a name and accept the rest of the settings.
3. Now select the first option (Fig. 2.16) Install software.
4. In the selection menu, select the required application (Fig. 2.17).
5. Click Finish to complete the job creation.

The job is now in the Jobs node, ready to be edited, deleted or assigned to target systems.

Assign a Job to One or More Target Systems


The job is now ready to be transferred to target systems. This can be done either by selecting
the Assign—Devices item from the context menu or by dragging and dropping it to the

Figure 2.16.: Jobstep Selection Figure 2.17.: Application Selection

device or device group. It is also possible to assign the job via the Assign Job action. Once
you confirm the prompt, the job is executed.

User-Related Job Execution


The benefits of user-related job execution are clear: Actions are not limited to one specific computer; they can also be set up for one particular user who is logged onto the computer. This means that the job is carried out when a specific user (or member of a user group) logs on, or during operation if the user in question is logged onto the device.

Theory
When software is distributed, there are several possible scenarios: A newly hired designer from the editorial office does not have a computer yet. In this case, the system administrator no longer has to appear on site: The employee receives a new computer, logs on and is then automatically equipped with the software he needs. Or: To supplement the script of a product document, the designer, let's call him Thadeus Punkt (we'll come back to him), is carrying out research for his company in the development department.
If he logs onto a computer in the development department, «his» programs and settings will be available to him. In order to distribute software in a user-specific way, the employees concerned with distribution jobs must first be entered into the system. Among other information, user data can be found in Active Directory (AD). This means the user data should be taken from the AD from now on. A synchronisation job is set up for this. This information must be entered into the context menu dialog under Configuration Active Directory Synchronisation and then New/User Synchronisation Job.

Name Give the job a meaningful name.
Source The data source can be selected using the browse button (Fig. 2.18).
Interval This is where you can set an interval for refreshing user data: either as a time, e.g. 18.30, or a day Monday to Sunday. You can combine entries using / and ; Example: 15:00/Mon; 18:00/Tue for Mondays at 3 pm and Tuesdays at 6 pm.
Skip empty organizational units If you enable this option, empty organizational units will be ignored during synchronisation.
Ignore Error Does not stop synchronisation due to errors.

Once you have finished and clicked Ok to confirm your entries, the job you created is stored
under Configuration AD Synchronisation. From there you can either select Execute Now from
the job context menu or wait for the interval you have just set before synchronisation starts.
The users and groups are then entered under Environment Users and Groups. Once this data
has been accepted, jobs can be carried out in a user-related manner.

Under Active Directory Users & Groups you can find a structured copy of your AD: all
synchronised users and groups are placed in the same organisational units as in your AD.
Figure 2.18.: User Synchronisation

Job Assignment
In principle, jobs can be assigned to a user either within the job itself or at the corresponding
user or user group. Users and groups are arranged according to the AD structure, for example:
1. Users
2. Security Groups
3. Organizational Units

A user can be a member of one or more security groups, and a security group can in turn be a
member of other security groups, so the structure allows for complex constructs. Jobs can be
allocated in two ways: they can be assigned under Environment Users & Groups, where the
Assigned Jobs view shows all jobs that have been assigned.
It is also possible to set up user-related execution in the job itself: highlight the job with the
mouse and select Assign user from the context menu. In the dialog that appears, enter the user
or the rights group and confirm by clicking Next.
Dynamically loaded users: If synchronised groups contain members that are not yet known,
the system loads these automatically and saves them under this node.

Job Execution
The targets of user-related jobs (users or rights groups) are taken from the AD and the jobs
are assigned to them, but nothing has been executed yet. Execution takes place automatically
when the software is distributed: either once the respective user logs on, or relatively promptly
after assignment if the user is already logged on.

User Settings. User settings are settings that are provided for the user(s) of distribution jobs:
text messages, desktop icons, loading certain templates into the programs to be distributed,
and much more. Such scripts are created in baramundi Automation Studio, a development
application included in the delivery of the bMS.
Since user-related job execution applies first of all to software distribution, the user settings
are also provided together with the software to be installed, for example configured under
Software Applications in the application properties, in the Installation tab of the relevant
application. In the scroll field at the bottom of this tab, enter the path and filename of the
script under User Settings/baramundi Deploy Script (Fig. 2.19) and click Ok.
To take the user settings into account for a specific user during user-related job execution,
enable the Execute user settings user-related option in the job context menu under
Properties/General. Otherwise the user settings apply to any user, i.e. any user who logs onto
this device is assigned these user settings.

Figure 2.19.: User Settings
Figure 2.20.: Job Execution

Limiting Job Execution. To control the execution of user-related jobs, settings can be configured
on the device on which they are executed. In the Properties context menu of the device under
Environment Logical Group, the Job Execution tab contains a drop-down menu entitled
User-related jobs with three settings:
Execute Always: Regardless of who is logged onto this device, the job is always executed.
Think of workstations in places like call centers or insurance companies etc., which have a
new user every day.
Execute Never: The opposite of the first setting, e.g. for a computer used for one specific task
such as the presentation PC in a meeting room.
Execute Only for Registered User: Only jobs assigned to the user who is set as the registered
user of this system are executed (default).

But who is the registered user, and how and where is he registered? Stay in the same dialog,
i.e. the device properties under Environment Logical Group, go to the General tab and then to
Registered User. By default, the first person to log onto the device is set as the registered user
(setting: Use next logged on user as registered user). Once that has happened, the setting
switches to Enter registered user manually. You can also select one of the two extremes,
Don't use registered user or Always use current logged on user as registered user: in the first
case there is no registered user; in the second case whoever logs onto the device is the
registered user.
The baramundi Management Suite offers a dedicated tab for the features of user-related job
execution: History. This tab is intended for the system administrator to control and evaluate
user settings. The History tab is available at device level as well as for users under
Environment Users and Groups. In all views it shows the status of the user settings provided.
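The interaction between the device's User-related jobs setting and its Registered User mode is easiest to see when the rules are written down. The following is an added illustration, not baramundi code: the setting names follow the manual, while the classes, the job_runs() rule and the sample devices are constructed; it assumes that a user-related job only ever runs for a user it is assigned to, with the device settings deciding whether that user's logon counts.

```python
"""Decision model for user-related job execution as described above.

Added illustration, not baramundi code. Setting names follow the manual; the
classes, the job_runs() rule and the sample devices are constructed. Assumption:
a user-related job only runs for a user it is assigned to, and the device
settings decide whether that user's logon counts.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class UserRelatedJobs(Enum):
    """Device setting "User-related jobs" on the Job Execution tab."""
    EXECUTE_ALWAYS = "Execute Always"
    EXECUTE_NEVER = "Execute Never"
    ONLY_REGISTERED_USER = "Execute Only for Registered User"   # default


class RegisteredUserMode(Enum):
    """Device setting "Registered User" on the General tab."""
    USE_NEXT_LOGGED_ON = "Use next logged on user as registered user"  # default
    ENTER_MANUALLY = "Enter registered user manually"
    DONT_USE = "Don't use registered user"
    ALWAYS_CURRENT = "Always use current logged on user as registered user"


@dataclass
class Device:
    name: str
    job_mode: UserRelatedJobs = UserRelatedJobs.ONLY_REGISTERED_USER
    reg_mode: RegisteredUserMode = RegisteredUserMode.USE_NEXT_LOGGED_ON
    registered_user: Optional[str] = None

    def logon(self, user: str) -> None:
        """Update the registered user according to the device's Registered User mode."""
        if self.reg_mode is RegisteredUserMode.USE_NEXT_LOGGED_ON:
            # The first logon fixes the registered user; afterwards the setting
            # switches to manual maintenance, as the manual describes.
            self.registered_user = user
            self.reg_mode = RegisteredUserMode.ENTER_MANUALLY
        elif self.reg_mode is RegisteredUserMode.ALWAYS_CURRENT:
            self.registered_user = user        # whoever logs on is the registered user
        elif self.reg_mode is RegisteredUserMode.DONT_USE:
            self.registered_user = None        # there is no registered user
        # ENTER_MANUALLY: the administrator's entry is left untouched.


@dataclass
class UserJob:
    name: str
    assigned_to: Set[str]   # users (or resolved group members) the job is assigned to


def job_runs(device: Device, job: UserJob, logged_on_user: str) -> bool:
    """Return True if the job is executed for the user logging onto the device."""
    if logged_on_user not in job.assigned_to:
        return False
    if device.job_mode is UserRelatedJobs.EXECUTE_ALWAYS:
        return True
    if device.job_mode is UserRelatedJobs.EXECUTE_NEVER:
        return False
    # Execute Only for Registered User (default)
    return device.registered_user == logged_on_user


def demo() -> dict:
    """Walk the constructed sample devices through a logon and record the outcome."""
    job = UserJob("Acrobat Reader with desktop icon", {"tpunkt"})
    out = {}

    pc = Device("DESIGN-PC-01")                  # default settings
    pc.logon("tpunkt")                           # first logon: tpunkt becomes registered user
    out["default_owner"] = job_runs(pc, job, "tpunkt")
    pc.logon("guest")                            # later logons do not change it
    out["default_guest"] = job_runs(pc, job, "guest")
    out["default_owner_kept"] = pc.registered_user == "tpunkt"

    meeting = Device("MEETING-PC", job_mode=UserRelatedJobs.EXECUTE_NEVER)
    meeting.logon("tpunkt")
    out["never"] = job_runs(meeting, job, "tpunkt")

    # Hot desk: "Always use current logged on user" plus the default job mode
    # behaves like "Execute Always" for assigned users.
    desk = Device("CALLCENTER-PC", reg_mode=RegisteredUserMode.ALWAYS_CURRENT)
    desk.logon("tpunkt")
    out["hot_desk"] = job_runs(desk, job, "tpunkt")

    shared = Device("SHARED-PC", reg_mode=RegisteredUserMode.DONT_USE)
    shared.logon("tpunkt")
    out["no_registered_user"] = job_runs(shared, job, "tpunkt")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```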

Erroneous UbDS. This is where the system records all failed user settings. The job is shown in
this tab so that you can trace at any time which job the failed user settings belong to. It can
happen that a job has been executed without any problems, but the user settings then fail,
especially when the user concerned logs onto his system again after job execution. The system
records the job, user, application and fault status with the date and time of the failure. In the
view, the failed user settings can be edited: you can either accept these errors via Set jobtarget
Ok in the menu (e.g. because they are insignificant) or restart them via Resume Jobtargets.

The user settings must be configured before the job is executed. If the application has already
been used without any user settings, the software needs to be distributed again if the user
settings are changed later.

History Tab at Device and User Level. In the user and device views under Environment, in
addition to the failed script runs, a history of the jobs run for users or on devices is kept,
arranged to suit the respective view. To understand the views, the following questions may help:
User: Which job has been executed for this user on which device?
Device: Which job has been executed for which user on this device?
An administrator can thus gain a clear overview at any time of which users initiated which jobs
on which computer. If, for example, a department reports that a software application has not yet
been installed together with the associated user settings, a few mouse clicks show the possible
causes, and corrections can be made where necessary.

Practice
The following example illustrates all of the above: Thadeus Punkt, mentioned at the start, is a
designer in the technical editorial department of your company. The aim is to install Acrobat
Reader on his machine as soon as he logs on on his first day of work and to provide him with a
shortcut icon to it on his desktop, i.e. to distribute software and user settings.

Preparation. The new designer and his department should already have been created under
Environment Users and Groups by the AD synchronisation job according to its interval settings
(an interval should be set, although the Interval field may of course have been left blank). In
our example, however, we assume that creative work is separated from productive work to such
an extent that it uses a separate domain, testlan.net.
1. Open the synchronisation job dialog under Configuration AD Synchronization and New/User
Synchronisation Job.

The name should simply be testlan.net. Under Source, browse to the LDAP path of the domain
you want. This domain should refresh every day at 6 pm: so the setting should be 18:00.
Leave the Skip empty organizational units option enabled so that empty organizational units
are not included in the synchronisation.
2. Configure your settings and confirm them by clicking Ok.

The testlan.net synchronisation job is now ready to run under Configuration AD Synchronization .
3. Highlight the job and select Execute now from the context menu.

Once the job has completed successfully, the new domain testlan.net is available under
Environment Users and Groups for further processing. It includes the area
Documentation/Editors/Thadeus Punkt, the designer from our example.

Execution. Now that the user is entered in the system, software can be assigned to him directly
in a user-related manner. A corresponding job must exist. The application, Acrobat Reader, is
already available in the Software module; its user settings just need to be completed by adding
the desktop icon, and user-related job execution must be enabled on the job.
4. In the application (Acrobat Reader in this case), go to Software Applications, open Edit and
select User Settings in the bottom part of the Installation tab. Under baramundi Deploy
Script, enter the path to the user settings and confirm by clicking Ok.

These user settings are configured with the application for every user that logs onto
Mr. Punkt’s computer. To set up the icon only on our designer’s desktop, it has to be specified
at the job itself.
5. Create a software distribution job that installs Adobe Reader.
6. Edit the job and enable the Execute user settings user related option in the General tab.

This job must then be assigned to Thadeus Punkt. This should be done directly at the user
level in this example.
7. Highlight the user you want under
Environment Users and Groups and Documentation/Thadeus Punkt.
8. Select Assign Job from the action bar.
9. Enable the job you want by checking the box and click Ok to confirm your settings.
10. Finally, Mr. Punkt has to be set as the Registered user, which is done in the device
properties under the General tab.

This means that the next time the designer logs on, Adobe Reader will be installed and the
corresponding icon will also be available on his desktop.

Results. Activities relating to this user can be seen in the user view. If you highlight Thadeus
Punkt, his status in the Active Directory, the jobs assigned to him, the failed user settings
and a chronicle of all user related jobs are displayed in the Active Directory, Assigned Jobs and
History tabs.

If, for the sake of our example, we assume that the deploy script for the desktop icon failed: the
job itself completes successfully, but the user settings do not. In such a case the History tab,
here for user Thadeus Punkt, shows that the deploy script has returned an error. You now have
the option of accepting this error simply by clicking Set OK, whereupon the error message
disappears, or you can select Resume Jobtargets to assign the user settings to this user again.

Automatic Job Assignment/Job Conditions

It is possible to assign jobs automatically. Setting up automatic assignment is similar to defining
criteria for the conditions and is carried out on the Automatic Assignment tab. The job is then
assigned to all target systems that meet the conditions.
To automate jobs, stipulate conditions in the Automatic Assignment tab of the job properties.
You can add, link or delete these conditions using the select button. Start from the default entry
* = *: select the first asterisk to choose a category, click on the equals sign to select the logical
operator, and select the asterisk at the end to open a freely editable text field for the value of
the condition. Once this is complete, automatically assigned jobs are executed on target systems
that meet the selected condition, without any explicit assignment to a target system.

Figure 2.21.: Automatic Job Assignment

Job Conditions
The Conditions tab is almost the opposite of the tab for automatically assigning jobs. It defines
criteria, in the same way as under Automatic Assignment, that must be met in order for the job
to start. After a job is initialised, the server first checks whether any of these conditions are not
met. If so, a note appears.

baramundi Kiosk
baramundi Kiosk gives users the option to quickly and easily request jobs themselves. For
Windows devices, the administrator can also define beforehand which jobs can be requested
from which systems or groups of systems.

Please note: The installed version is in German by default. However, English templates can be
found in the baramundi web forum (https://forum.baramundi.de) under the
baramundi software Kiosk – englisch thread.

A web server is integrated into the bMS for the Kiosk. The Kiosk is deactivated by default. If you
want to use the Kiosk, activate it under Configuration Server Webserver (Fig. 2.22). It is then
possible, for example, to provide jobs from a central location. The address of the Kiosk is:
http://<baramundiManagementServer>:10080
baramundi Kiosk has been developed as an HTML application. The benefits are clear: on the
one hand, the device does not require any additional components in order to use baramundi
Kiosk; on the other hand, baramundi Kiosk can be integrated into the corporate design of your
company.
Jobs that you have created can be released for all groups and computers. These settings are
configured in the root group under Environment Logical Group.
On the Requestable Jobs tab in the properties (Edit entry in the context menu) of logical groups
(Fig. 2.23) and computers, you can manually specify which jobs are made available in
baramundi Kiosk. Entries made for groups are inherited by subordinate groups and computers
and cannot be deactivated. Using the Add and Remove buttons, you define which jobs should
be made available. The Kiosk is password protected by default (Name: baramundi; Password:
kiosk); these documented defaults should be changed before the Kiosk is made available to
users. When you call up the webserver properties, you can set the parameters for baramundi
Kiosk there. On computers, you can double-click the baramundi icon to call up the Kiosk.
Clicking Switch to job selection takes you to the job selection window.
Check the boxes for the jobs you would like to install and click Check and start selected jobs.
The system then checks whether an installation is permitted for your system based on the
options configured for the application. Next you see an overview of the jobs that will be
executed on your system. If you now click Start, the listed jobs are executed on your computer.
Depending on how the job is defined, the user sees a window providing information about the
job.

Figure 2.22.: Activate Kiosk
Figure 2.23.: Kiosk Job Release

Kiosk OS Installation
Under Requestable Jobs you can also release operating system deployment jobs. Such jobs are
not shown within the baramundi Kiosk. Instead, you select OS jobs in the Windows PE Boot
Client. To do so, you have to make sure that OS installations are allowed in the device
properties.
Please note: There is no authentication in Windows PE. It therefore cannot be ensured that
these critical jobs are carried out by authorised staff only. Moreover, the assignment of OS
installation jobs temporarily switches off client certificate identification. This leaves managed
devices open to attack.

3 Environment
In this Chapter:
Logical Group 45
Dynamic Groups 46
  Creating Dynamic Groups 46
Other Environments 49
  Users & Groups 49
  Static Groups 49
Environment Tools 49
  Monitoring—Information at a Glance 49
  baramundi Remote Control 50
System Registration 52
  Registration of Windows Devices 52
  Registration of Mobile and macOS Devices 53
IT Map 61
baramundi Virtual 62
  Prerequisites 62
  Creating New Virtual Environments 63
  Inventories 64
  Virtual Machines Provisioning 65
  Virtual Machine Jobs 67

In a similar way to structuring and configuring your jobs under Jobs, you can also manage the
Environment of your target systems. Grouping devices lightens the load on system
administration. To select clients and devices of a certain platform quickly, filters have been
integrated into the corresponding views. These filters use the following names, colors and icons:

PCs (clients running Windows operating systems)
Macs (clients running Apple's macOS)
iOS Devices (Apple's mobile devices)
Android Devices (mobile devices running Google's Android)
Windows Phone Devices (mobile devices running Microsoft's operating system)
Network Devices (SNMP devices in a network)

To select a platform, just click on the corresponding icon. Multiple selection is possible; a
double-click on an icon activates the corresponding platform and deactivates the rest.
Figure 3.1.: Logical Group

Logical Group
Settings are inherited by sub groups and the target systems they contain (from top to bot-
tom). For example, if a path to the DIP is specified in the General tab of the properties for the
Logical Group node, the device groups and devices underneath also access this DIP, unless
another DIP path is explicitly specified in the sub groups.

The values entered in the Variables tab are an exception to the inheritance rule. Entries made
here are only inherited by the target systems contained in this group, not by its sub-groups.

As the DIP to be used has already been specified in the parent group, it does not need to be
specified for the sub-group unless a different setting is to be used. The corresponding list field
remains empty.
One of the most important functions of logical groups should be emphasised here already:
Auto Installation. Via the job list of the same name in the properties (Edit context menu) of a
logical group, you can define a standard installation for Windows systems. If you add, for
example, an operating system to the list, each target system that runs an OS installation job
inherits this list of jobs. The only exception: no other OS jobs may have been assigned to the
target directly beforehand. In this way an administrator prevents errors and saves time. The
job list is itself inherited down through the hierarchy and can be extended, interrupted or
newly defined at any level. An example should help to illustrate this:
1. Make sure you have an OS installation job and a few application installations available
2. Create a test group within the Logical Group
3. Edit this group: add the jobs you made available to the list you will find under the
Autoinstallation tab
4. Create a new device within your test group
5. Allow an OS installation and set a boot environment for the OS to be installed
6. Execute a PXE start with your test system

Once all steps have been completed correctly, your system connects to the bMS server. The
server notes that the target has permission for an OS installation and inherits the standard
configuration attached to the group. And there is no longer any need to assign jobs manually.

Dynamic Groups
Dynamic groups are groupings of target systems according to certain criteria, such as hard-
ware properties, installed software, and so on. You can use dynamic groups to bundle to-
gether target systems without having to remove them from the logical groups. This could be
useful, for example, if you want to distribute a software component to all systems which are
running a server operating system.

Creating Dynamic Groups


You can create dynamic groups by selecting the relevant entry from the context menu (right
click) of the Dynamic groups node or from the action bar. As in the Jobs module tab, you can
also use folders to organise your structure more clearly.
Compared with Jobs, the Environment Logical Group differs in one point in particular: within a
logical group it is possible to manage Windows and mobile devices together, i.e. you can put
Windows systems and smartphones together in one organisational unit.
Criteria are assigned in the same way as in the Automatic Assignment or Conditions tabs of the
jobs. Target systems that meet the defined criteria are automatically included in the dynamic
group. Dynamic groups are therefore a kind of hit list for a search query, and jobs can be
assigned to them.

Figure 3.2.: Dynamic Groups

An Example
Creating dynamic groups is not a completely self-explanatory process, so the following example
may help.
Let's say you are a system administrator and you want to know on which devices of the
Augsburg unit of your company (Konzern Europa AG = logical group) two office systems
(Microsoft Office, MSO, and OpenOffice, OOo) are running. What needs to be done? A new
dynamic group has to be created:
1. Click Dynamic Groups and New/Dynamic Group
2. Under Name give your group a name (here Double-Office-Search)

With a click on the browse button (Criteria) you can add a new condition. A default entry
(* = *) is displayed for defining conditions. First, the number of devices should be restricted by
location: in the condition menus you will find Groups/Logical Groups, where any existing
logical group can be given; for our example, this is the path to choose.
3. Click on the left asterisk and select the logical group in question (Groups/Logical Group/…)

With this selection, our search is restricted to Augsburg devices. Now we have to create
another condition to find the devices with two office systems installed. That is two conditions:
(1) Microsoft Office (MSO) and (2) OpenOffice (OOo). What we therefore need is a new
complex condition.
4. Once again, click the left asterisk and select Add a new complex condition

Four settings can be selected here. With our «Two Office Search» in mind, these are:
• All conditions (Logical AND): OOo and MSO,
• One condition (Logical OR): (a) OOo, (b) MSO, (c) OOo and MSO,
• One condition not (Logical NOT OR): (a) OOo, (b) MSO,
• No condition (Logical NOT AND): neither OOo nor MSO.

We want to know which devices are equipped with both Microsoft Office and OpenOffice. What
we need is therefore an AND condition, ergo:
5. Leave the setting as it is: All Conditions

Our complex condition is to be defined as Software/… = …/Office-System.

6. Select Add New Condition and Software/Application/Microsoft/Office 2007
7. Once again, Add New Condition and then (in this example) Software/Application/Sun/OpenOffice,
and confirm these settings with OK

Now all conditions are set and the new dynamic group is saved. To remove one of the office
systems, an administrator can create a suitable job for that dynamic group. Clicking a dynamic
group opens a view of that group. It consists of the Content (all grouped devices), the
Assignments (jobs assigned to the grouped devices), the Software and the Patch State of the
grouped devices.

Figure 3.3.: Empty Group Definition
Figure 3.4.: Exemplary Group Definition
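The criteria mechanism is shared by the Automatic Assignment and Conditions tabs described in the Jobs chapter and by dynamic groups, so one added example (not baramundi code) covers both: it evaluates a tree of the manual's * = * triples and the four complex-condition types over a constructed inventory, reproducing the Double-Office-Search above and showing what the other three combinators select. The category paths, the operator set and the device records are assumptions made for the illustration.

```python
"""Evaluator for the criteria used in Automatic Assignment, Conditions and dynamic groups.

Added example, not baramundi code. The condition tree mirrors the manual's
"* = *" triples and the four complex-condition types; category names, the
operator set and the inventory records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

DeviceRecord = Dict[str, object]    # constructed inventory record: category -> value(s)

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "contains": lambda a, b: b in a,
    "startswith": lambda a, b: a.startswith(b),
}


@dataclass
class Condition:
    """A simple "<category> <operator> <value>" triple, e.g. Software/Application = ..."""
    category: str
    operator: str
    value: str

    def matches(self, device: DeviceRecord) -> bool:
        # A category may hold one value (a group path) or many (installed software);
        # the condition holds if any stored value satisfies it.
        raw = device.get(self.category, [])
        values = raw if isinstance(raw, list) else [raw]
        op = OPERATORS[self.operator]
        return any(op(str(v), self.value) for v in values)


@dataclass
class ComplexCondition:
    """The four combinators offered by "Add a new complex condition"."""
    mode: str   # "ALL", "ONE", "ONE_NOT", "NONE"
    children: List[Union[Condition, "ComplexCondition"]] = field(default_factory=list)

    def matches(self, device: DeviceRecord) -> bool:
        hits = [c.matches(device) for c in self.children]
        if self.mode == "ALL":        # All conditions: every child holds
            return all(hits)
        if self.mode == "ONE":        # One condition: at least one child holds
            return any(hits)
        if self.mode == "ONE_NOT":    # One condition not: at least one child fails
            return not all(hits)
        if self.mode == "NONE":       # No condition: no child holds
            return not any(hits)
        raise ValueError(f"unknown complex condition mode {self.mode!r}")


def dynamic_group(devices: List[DeviceRecord], root: ComplexCondition) -> List[str]:
    """Return the names of all devices that fall into the group defined by `root`."""
    return sorted(str(d["Name"]) for d in devices if root.matches(d))


AUGSBURG = "Konzern Europa AG/Augsburg"
MSO = "Microsoft/Office 2007"
OOO = "Sun/OpenOffice"

# Constructed sample inventory; not real data.
INVENTORY: List[DeviceRecord] = [
    {"Name": "AUG-DOC-01", "Groups/Logical Group": AUGSBURG, "Software/Application": [MSO, OOO]},
    {"Name": "AUG-DOC-02", "Groups/Logical Group": AUGSBURG, "Software/Application": [MSO]},
    {"Name": "AUG-LAB-01", "Groups/Logical Group": AUGSBURG, "Software/Application": []},
    {"Name": "MUC-DEV-01", "Groups/Logical Group": "Konzern Europa AG/München",
     "Software/Application": [MSO, OOO]},
]


def office_search(mode: str) -> List[str]:
    """Augsburg devices combined with the two office conditions under the given combinator."""
    root = ComplexCondition("ALL", [
        Condition("Groups/Logical Group", "=", AUGSBURG),
        ComplexCondition(mode, [
            Condition("Software/Application", "=", MSO),
            Condition("Software/Application", "=", OOO),
        ]),
    ])
    return dynamic_group(INVENTORY, root)


if __name__ == "__main__":
    print("Double-Office-Search:", office_search("ALL"))      # ['AUG-DOC-01']
    print("at least one office:", office_search("ONE"))       # ['AUG-DOC-01', 'AUG-DOC-02']
    print("missing an office:", office_search("ONE_NOT"))     # ['AUG-DOC-02', 'AUG-LAB-01']
    print("no office at all:", office_search("NONE"))         # ['AUG-LAB-01']
```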

Other Environments
As well as the main nodes we have covered, other environments are also relevant.

Users & Groups


Following synchronisation of the user data (Configuration AD Synchronisation), the data is
available here for user-related job execution.

In the Users & Groups view, you can search either by organisational unit or by the users they
contain. To go to the user data, simply click on the appropriate organisational unit.

Static Groups
Via static groups, target systems can be grouped in any way you like. As with dynamic groups,
each system can be a member of any number of static groups. While criterion-based grouping
is only possible for Windows devices, both Windows devices and mobile devices can be
members of static groups, so mixed groups are possible. Static groups support users in
different ways: as work lists, for assigning jobs, for getting a cumulative overview of installed
and inventoried software via the Software view, or for checking patch conditions.

Environment Tools
Finally, we would like to explain a few working methods that should help you with your work
in the Environment node.

Monitoring—Information at a Glance
The more complex your infrastructure, the more important it is to maintain an overview of the
processes occurring in your environment. For this reason, a number of views have been
integrated at all the important locations in the user interface to give you a quick and
comprehensive overview. In the object tab you can access the Monitoring, Statistics and Failed
tabs for the selected node. They are available in job folders and their sub-folders as well as in
all logical groups.
The color coding and detailed information about the statuses of the assigned jobs can be found
in the Statistics tab. The Monitoring tab gives you an overview of the status of all jobs currently
waiting, running and ended. The Failed tab lists all jobs below the selected node in which errors
have occurred.

baramundi Remote Control


baramundi Remote Control is an easy way to connect to the user interface of a remote
computer for administrative or support purposes.
In developing baramundi Remote Control, special attention was given to protecting the privacy
of users. First, each external access to a device has to be permitted by the user; access without
the user's permission is only possible by entering the password of the currently logged on user.
Moreover, a note with the name and (optionally) picture of the connecting user is displayed
permanently during the remote session. The user can hide this message for a maximum of 30
seconds to work with something it covers; afterwards it is displayed again. This user protection
concept is supplemented by an effective rights management: administrators who wish to
connect to a device need a special right to do so, and without that right no remote connection
can be established. You can start baramundi Remote Control directly from the Management
Center. Please note that you need an extra license to work with the remote control tool.

License/Rights Management. Once you have obtained a baramundi Remote Control license, add
the license key under Configuration Server Licenses. Only after the license key is registered
does the Remote Desktop action become visible in the Action bar under Extras of a Windows
device. To use baramundi Remote Control you also need a special right: edit the properties of a
logical group or a Windows device and, in the Rights tab under Special, choose Remote Control.
Make sure that all desired security profiles are granted this permission.

It doesn't work? You may have to uncheck the Inherit rights box before editing.

Figure 3.5.: Licenses


Establishing a Connection. When all preparations have been made, a connection can be
established: select a device in the Environment node and click Remote Desktop in the Actions
menu; an access request is sent to that device. Once connected, you are restricted to watching
the user's activities. To take control of the input devices, click the Keyboard & Mouse button in
your bRemoteViewer. Taking control of the input devices is logged. In fact, all remote activities
are logged: firstly in the agent log, secondly in the server log. There, the connect and disconnect
events are recorded together with the corresponding user and host names. Several remote
sessions can be opened via bRemoteViewer; each session is displayed in a tab within the viewer.
If you do not want your user name to appear in the access request display, this name (and
picture) can easily be changed by editing your display data under Personal preferences
properties: go to the General tab and enter other information.

Figure 3.6.: Remote Request
Figure 3.7.: Remote Control

Windows PE via Remote Control. It is also possible to control Windows PE boot processes via
baramundi Remote Control. Some preparatory steps are necessary:
• Start the Boot Media Wizard
• Choose WinPE
• Make sure that the Activate baramundi Remote Control option is activated
• Finish your image as always

So, first the option Activate baramundi Remote Control under Configuration Tools Boot Media
Wizard must be chosen. For Windows PE boot connections in particular, you have to use the
Connect to PE Client button within the baramundi Remote Viewer. Once you have clicked that
button, the connection dialog requires the device's IP address. If the device has already
connected to the bMS service, the IP address is filled in automatically; otherwise you have to
know it. Once a connection is established, you can control the Windows PE boot procedure of
the device. A useful side effect of Remote Control: almost any device that offers VNC, such as a
Mac or Linux system, can be served in the same way.

System Registration
From the perspective of baramundi Management Suite, each system that is to be managed
using baramundi is a device, regardless of whether the target system is a workstation, server
operating system or smartphone. For the sake of simplicity, they will all be referred to here as
«target systems». In order to manage the target systems in your infrastructure, they must first
be registered in baramundi. There are standard procedures for doing this.

Registration of Windows Devices


Once you have named your Windows target system, the minimum requirements are already
met. The host name and the display name should be the same. For OS installation jobs it is
additionally useful to have the MAC address of the connected LAN adapter saved as the primary
MAC in the Network tab. Once all settings are made, close the dialog with OK. Now you can
assign jobs to your targets.

OS Installation Release: Deleting, formatting and partitioning a device's hard disk requires an
explicit release. For this, check the Allow Operating System Installation option in the properties
of your target system under the General tab. Without this option, any OS installation job will fail.

3. Environment | 52
Active Directory Import
Import Windows based target systems from your Active Directory. To do this, first create a
logical group; it will later be the root node of your synchronised AD structure. Then you need
a job for machine synchronisation: create it under Configuration/AD Synchronization, give the
job a name and set the OU root for the synchronisation. The job searches all organizational
units below that root recursively for computer accounts; each account found is written into a
logical group. You can set an interval if you want the synchronisation to run regularly.

Note that each system registered in baramundi counts as a device, irrespective of whether
the baramundi Management Agent has been installed on it or not. Because the modules of the
baramundi Management Suite are licensed for a specific number of devices, each registered
system affects the license count within the baramundi Management Suite. If you would like to
remove unnecessary systems from the Management Suite, simply delete the corresponding
entry; the associated license is then released again.

Registering Systems Manually


For mobile devices, registration has to be done manually. In some circumstances a Windows
device has to be registered manually, too. The first steps are identical:
1. Select the logical group in which the new target system should be registered
2. Select New from the action bar and the kind of device, Windows Device or Mobile Device
3. Enter the name of the target system

From here on, the procedure differs depending on the platform used.

Automatic bMA Installation. Once you have registered all of your Windows devices, you can start
assigning jobs to them. As soon as the server establishes a connection to the target system, it
notices that no agent is installed. The agent installation starts automatically if the file, print
and default administrative (Admin$) shares are active.

Registration of Mobile and macOS Devices


The registration procedure for mobile devices and Macs is quite similar because both need a
two-stage registration: first you register the device within the bMC, then you register the
device on the server (enrollment token). These codes are valid for two days (set under
Configuration/Mobile Devices); the registration must be finished within this period. The
differences between the platforms are mentioned below.

iOS Devices
To get iOS devices managed by the baramundi Management Suite, give the device a unique
name and proceed as follows:
1. Enter the information about the Owner* here
2. Choose the appropriate Platform (here Apple iOS)
3. In case the user shall register the device† himself or herself, check the Email option
4. Save your settings
5. Your device is registered now; the registration URL will be shown as text and QR code

Leave this dialog open or copy the enrollment code: there is no way to get the code again
after closing this dialog. The registration is not yet finalized, however. The following steps
need to be done directly on your mobile device.
1. Start up the mobile device
2. Connect to the Internet
3. Install the baramundi Mobile Agent from the App Store
4. Start the agent and begin registering
5. Register the agent on the Management Server
a) Enter the code
b) Scan the QR code
c) Open the link from the email
6. Your browser opens and displays the management profile
7. Install the profile

* Provided that an AD user information synchronisation was performed properly before, user
names and email addresses will be shown while entering the first letters.
† You’ll find customizable email templates here: …/baramundi/Management Server/MailTemplates

Figure 3.8.: Activate
Figure 3.9.: Install
Figure 3.10.: Confirm

After a successful installation the state within the Management Center changes to Managed.
You can now assign jobs to your device.

Device Enrollment Program. You can register iOS devices very comfortably using Apple’s Device
Enrollment Program* (DEP). Newly bought devices are registered automatically within the
Management Suite via their order or serial number. When a user takes such a device into
operation and the start procedure has finished, it is manageable by the bMS, too. To use the
DEP service, the following conditions must be fulfilled:
1. iOS devices must be bought from Apple (from 2011 on) or from an authorized dealer
participating in the DEP
2. bMD users must create an account for their company at deploy.apple.com (an already
existing VPP account can also be used)
a) You must create some administrators
b) The bMS installation must be connected with a virtual MDM server (see page 228)
3. You should edit the DEP settings under Configuration/Enrollment Profile.
From then on new devices can be added to the virtual server and are imported automatically
into the bMS. As soon as such a device is taken into operation it registers with the server.
During that process the user has to authenticate with a valid username and password†. The
device should now be ready to be managed. Administrators can configure their enrollment
profiles so that a reset forces a new registration with the bMS server (see page 222).
To gain the full bMS functionality the baramundi Mobile Agent for iOS is required. Use a
bMS job to deploy it. The user has to start it once to complete the agent’s registration;
again, username and password are necessary to complete the process.

* For information see https://www.apple.com/education/docs/DEP_Guide.pdf
† This behavior is configurable. You may also use a one-time key for registration; see
page 228.

Android Devices
To register Android devices, proceed as follows:
1. Select the preferred logical group and, from the action bar, New/Mobile Device
2. Give your new device a Name
3. Choose the appropriate Platform (here Android)
4. For an email enrollment of the registration information*, check the Email option
5. Save your settings
6. For direct registration a QR code will be shown, which is attached to the email, too

Figure 3.11.: Register
Figure 3.12.: Activate
Figure 3.13.: Result

After saving your settings, the device will be visible within the bMC, but it cannot be
managed yet (see Condition state). The following steps need to be done on your mobile device.
1. Start up the mobile device
2. Connect to the Internet
3. Install the baramundi Mobile Agent from the Play Store
APK files can also be copied directly to an SD card, so the installation can be done from there.
4. Open the app
5. Activate the device administrator
6. Register the baramundi Agent with the Management Server
a) Enter the code manually
b) Scan the QR code with the integrated scanner
c) Follow the email link

* You’ll find customizable email templates here: …/baramundi/Management Server/MailTemplates

After that procedure your Android device is ready to be managed. If errors occur during the
enrollment process, the reasons can be found in the baramundi Management Agent log.

Windows Phone Devices


To enroll Windows Phone based devices, an Active Directory synchronisation has to be done
first, because a valid AD user is needed for the assignment. Again, we start by registering the
mobile device within the Management Center.
1. Select the logical group in which the new target system should be registered
2. Select New and the kind of device, either Windows Device or Mobile Device
3. Enter the name of the target system
4. In case the user shall register the device himself or herself*, check the Email option
5. Save your settings

If you want to continue the registration immediately, leave the dialog open to scan the QR
code or to write down the registration data. To finish, register the company app first:
1. Within the device settings, select company apps (WP8), workplace (WP8.1) or, for Windows 10
Mobile, Settings/Accounts/Work access/Enroll in to device management
2. Here, select add account (Fig. 3.16)
3. Enter the Email address* of the previously given device owner (AD user)
4. Enter the name† of the bMS server or, if used, of the gateway
5. Enter the Password of the AD user and select sign in (Fig. 3.14)

* You’ll find customizable email templates here: …/baramundi/Management Server/MailTemplates

Figure 3.14.: Login
Figure 3.15.: Activate
Figure 3.16.: Menu

Additional input fields will be displayed. The name of the bMS server‡ (…/IP/URL) has to be
entered under Server; no further details are needed. If you now sign in again, the process
can complete. To finish this part of the registration, the device needs to contact the server.
This happens automatically within the next 60 minutes; if you want to trigger the connection,
tap the synchronisation button under Workplace/baramundi Mobile Devices. The device status in
the bMC switches to Managed. Now continue with installing the baramundi Mobile Agent from
the Windows Store.
6. When ready, start the baramundi Mobile Agent
7. Enter the registration information
a) Enter the code manually
b) Scan the QR code with the integrated scanner
8. Finally, Activate (Fig. 3.15) your device

A successful enrollment is indicated by a message within the app and within the Management
Center.

* If the AD object does not supply an Email address you may use this alternate syntax:
DOMAIN\[email protected]
† Please pay attention to the correct spelling. It must match the spelling in the SSL certificate
of the remote station.
‡ You’ll find this information within the Add dialog of your mobile device.

macOS Devices
Communication between macOS devices and a bMS server is protected by an SSL/TLS
certificate. Such a certificate is bound to a certain name, usually the primary fully qualified
domain name of the bMS server (e.g. MyServer.domain.local). You must give the correct name
for registration purposes to establish a successful connection, so check this name first. To do
so, open the Configuration/Mobile Devices module view. Here you’ll find the name the certificate
has been issued to under bMS Server within the Server SSL Certificate. Use the name given as CN.

Management Center Settings. You can register a new device by selecting New/Mac OS X Device in
the action bar under Environment/Logical Groups.
In the registration dialog you have to choose a Display Name. All other properties are
optional or filled with default settings. If you give a User Name, the display name is set
automatically to Device of <User Name>. You are free to enter the Host Name; if you do not, it
is also set automatically at the end of the registration process. If you activate the option
Send Email for Enrolment, the installation package as well as the server and registration code
are sent to the Email address below. With this information*, a user can do all the settings on
the device later on.
Make sure the Check the Compliance State option stays activated (default) if you want this
device to be compliance checked with our Compliance Management tool.
When you press the Save button, the registration code for the later device registration is
displayed. Write the code down or copy it to the clipboard via the symbol on the right hand
side of the screen.
If you do not note or save the registration code, you will have to repeat the procedure via the
context entry Extras/Re-enroll. This registration code remains valid for 48 hours by default;
you can set another validity under Configuration/Mobile Devices.

After another click on Exit your settings are applied and you can see the new macOS device
within the bMC. However, its symbol is greyed out because you have to continue the
registration process on the macOS device to get the device activated.
For customers with further security requirements we offer a second macOS package:
bma-authsrv.pkg (you’ll find it on the bMS ISO under …\baramundi\MacInstaller). It checks the
SSL server certificate of the bMS server before registering. For this to succeed, that certificate
has to come from a trusted certificate authority: either use a public certificate or register the
CA within the keychain administration of the managed device. If you want to use that
alternative package, replace the original file in the bMS installation folder under …\Client\Mac.

* You’ll find customizable email templates here: …/baramundi/Management Server/MailTemplates

Figure 3.17.: bMC Settings for macOS Device Integration

Registration Settings on the macOS Device. On the device itself you have to install bMA.pkg to
get your Mac registered. This file as well as the registration code are sent to you via the
registration mail if you activated this option in the bMS macOS device registration settings
before. Another source is the server’s installation folder; the package can be copied from
smb://<YourServer>/bms$/Client/Mac onto your device.
Double click bMA.pkg and perform the installation. One of the installation steps is the
Activation dialog; enter the previously saved registration code there.

Figure 3.18.: Device Settings for macOS Device Integration

Once the installation procedure has finished, an installation user is created on your macOS
device. Within the bMC the device state changes from Unmanaged to Managed and the
symbol becomes coloured.

Device Re-Enrollment
To re-enroll an already registered device, deactivate the device manually (Extras/Deactivate)
and then re-enroll it (Extras/Re-Enroll).

Deactivate/Remove Devices
Mobile devices that are no longer needed can be deactivated or deleted. In either case,
deactivated or deleted devices have to be enrolled again before they can be used again.
Deleted devices are removed completely, whereas deactivated devices keep their database
information but cannot execute jobs any longer.
To clear all bMD entries on the mobile device itself, the profile has to be removed and the
agent has to be uninstalled. Deleting the profile of an iOS device means that all deployed
apps, settings, WiFi connections and so on are deleted.
If you wish to delete the Android agent, you must deactivate the device administrator first.
As long as the administrator stays active, it prevents all attempts to remove the agent
application. Under Windows Phone, besides uninstalling the agent, you have to delete the
company app account, too.

IT Map

Figure 3.19.: IT Map

One result of network scans* is the IT Map. The map shows the devices detected in a network
scan in a star or tree structure view.

baramundi Virtual
With baramundi Virtual, the Management Suite offers you a module based on VMware vCenter/VMware
vSphere hypervisors to manage virtual environments and fulfil the following tasks:
• Inventory of the VMware environment

• Creation of new virtual machines via VMware vCenter templates

• Start, stop, restart, shutdown and reset of virtual machines

It links already managed virtual machines to their corresponding hypervisors and therefore
shows you the context of your IT structure as a whole.
Managing free ESXi servers: baramundi Virtual can also be used to inventory ESXi servers
running under a free license. VMware PowerCLI can only be used with servers that have a valid
vSphere API license, so you cannot execute other job steps for these systems.

Prerequisites
Before you start managing virtual systems, some prerequisites on the bMS server have to be
considered:
VMware PowerCLI Version 6.5 Release 1 (or higher). The bMS uses PowerShell cmdlets to execute
jobs on vCenter environments or vSphere hypervisors. These cmdlets are part of the
VMware PowerCLI API. You can download the installation package from the MyVMware
portal; the required VMware Remote Console plugin for IE and Firefox is installed along
with it. You just need to install vSphere PowerCLI from the list of available features and
can ignore all other components (see figure 3.20).
PowerShell 4.0. baramundi Virtual needs PowerShell version 4.0 at least. Make sure it is
available on the bMS server.
Windows Management Framework. This component installs a current PowerShell. Install at least
version 4.0 on Windows Server 2008 R2 and Windows Server 2012.
A valid user is needed for a managed environment: in order to manage the hypervisor
environment you need the credentials of a user account of that environment. For active
access, the user must have administrative rights. Keep in mind that you need the vSphere API
VMware license feature for all actions except inventories.

* see page 149

Figure 3.20.: Feature Selection for VMware PowerCLI

Creating New Virtual Environments

You can find virtual environments within the Environments module tab under the Hypervisor node.
To create a new environment, select New in the context menu or action bar and then VMware
vCenter/vSphere Server. A new object tab opens for the required inputs, at least:
• Display Name

• Server Name/IP Address

• Port (Standard 443)

• User Name

• Password

Hypervisor Properties
In the Hypervisor object’s edit mode you can specify the time interval at which an inventory
should be executed; you can define a value in hours, days or weeks here. You can also reduce
the number of inventories running at the same time, which avoids overload problems if you
have to manage several environments; to do this, open the Configuration module tab and select
the Virtualization node.
Back in the Hypervisor tab, you can define whether or not the bMS should try to link
inventoried virtual machines to already existing Windows or macOS devices.

Inventories
By default, all managed virtual environments are inventoried once a day* by the bMS, but
you can initiate additional inventories at any time via the context menu or action bar. Inventory
data contain information about host systems and virtual machines.
In addition to hosts, datastores and resource pools, you’ll see the available data centers,
clusters and datastore clusters of vCenter environments. Moreover, created VM templates and
OS customization specifications are listed. The bMS uses the inventoried data listed above
to create virtual machines.
You’ll find the virtual machine data of a hypervisor in the Virtual Machines node of the
hypervisor’s object tab. This view contains, among other things, the current operational state
and the available resources. You can open a single virtual machine in an object tab at any
time; that tab gives you more detailed information, for example the snapshots of the virtual
machine.

* This value can be changed within the properties at any time.

vSphere servers that are part of a vCenter environment cannot be managed directly by the
bMS. Performing an inventory on such a hypervisor results in the following error message:
This server is currently being managed by the VMware vCenter Server with the
IP address XX.XX.XX.XX. Please add the VMware vCenter Server instead of the
single host.

Assigning Devices
The bMS always tries to link inventoried virtual machines to the devices that are already
managed by the bMS (Windows and macOS). This is required to execute job steps via a
device’s hypervisor. If enabled in the properties of a hypervisor in the bMS, a link is set
automatically according to the following rules:
Step 1: Compare MAC Addresses. This step compares the MAC addresses of every virtual machine’s
network adapters to the MAC addresses of the Windows and macOS devices managed in the
bMS and searches for the virtual machines with the largest number of matching MAC
addresses. The bMS continues with step 2 for all virtual machines that have the largest
number of matches for a device. Virtual machines without any match are not assigned.
Step 2: Compare Host Name. The second step compares the host name (identified via the DNS name)
of the virtual machines with the host name (Windows) or DNS name (macOS) of the devices.
If a match is found, the bMS continues with step 3. The step terminates without assignment if:
• the host or DNS name of the device doesn’t match the DNS name of the VM, or
• the virtual machine has no identifiable DNS name.
Exception: a virtual machine without an identifiable DNS name can be assigned unambiguously
to one device on the basis of the largest number of matching MAC addresses from step 1.
Step 3: Check for Existing Assignments. The last step checks for existing assignments to a device,
e.g. from a manual assignment.
• If no assignment exists, the virtual machine is assigned to the device determined in
steps 1 and 2.
• If an assignment already exists, the virtual machine is not assigned to a device,
regardless of the outcome of steps 1 and 2.
If an automatic assignment is not possible, you can select the device manually from the object
tab of a virtual machine. Already assigned devices can no longer be auto-linked to another
virtual machine. To link a machine manually again, the existing link must be removed first;
multiple links are not possible. You can remove an existing link from the object tab at any time.
Automatic linking of virtual machines to devices can be deactivated in the hypervisor’s edit
mode. The bMS still makes suggestions for corresponding devices in that case, but they need
manual confirmation.
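The three linking rules above, worked through as an added example. This is not baramundi’s own code: the record types, field names and the sample inventory are constructed for the illustration, and the rules are implemented exactly as the text states them (largest MAC match, then host name, then the existing-assignment check, with a VM linkable to at most one device).

```python
"""Automatic linking of inventoried virtual machines to managed devices.

Added example that models the three-step rule described above; it is not
baramundi's own code. The record types, field names and the sample inventory
are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str                        # display name in the bMC
    host_name: str                   # Windows host name or macOS DNS name
    macs: List[str]                  # MAC addresses known for the device
    linked_vm: Optional[str] = None  # existing assignment, e.g. set manually


@dataclass
class VirtualMachine:
    name: str
    macs: List[str]                  # one MAC address per virtual network adapter
    dns_name: Optional[str] = None   # DNS name of the guest, None if not identifiable


def norm_mac(mac: str) -> str:
    """Treat 00-0C-29-AA-BB-01 and 00:0c:29:aa:bb:01 as the same address."""
    return mac.replace("-", ":").replace(".", ":").lower()


def step1_mac_candidates(device: Device, vms: List[VirtualMachine]) -> List[VirtualMachine]:
    """Step 1: the VMs sharing the largest number of MAC addresses with the device."""
    device_macs = {norm_mac(m) for m in device.macs}
    scores = {vm.name: len(device_macs & {norm_mac(m) for m in vm.macs}) for vm in vms}
    best = max(scores.values(), default=0)
    if best == 0:
        return []                    # no matching adapter at all: no assignment
    return [vm for vm in vms if scores[vm.name] == best]


def step2_host_name(device: Device, candidates: List[VirtualMachine]) -> Optional[VirtualMachine]:
    """Step 2: the VM's DNS name must equal the device's host/DNS name.

    Exception from the text: a VM without identifiable DNS name is accepted when
    it is the single, unambiguous MAC match from step 1."""
    if len(candidates) == 1 and candidates[0].dns_name is None:
        return candidates[0]
    for vm in candidates:
        if vm.dns_name and vm.dns_name.lower() == device.host_name.lower():
            return vm
    return None


def step3_existing_assignment(device: Device, vm: VirtualMachine) -> Optional[str]:
    """Step 3: an existing assignment (e.g. a manual one) is never overwritten."""
    return None if device.linked_vm is not None else vm.name


def link_device(device: Device, vms: List[VirtualMachine]) -> Optional[str]:
    """Run the three steps for one device; returns the VM name to link, or None."""
    candidates = step1_mac_candidates(device, vms)
    if not candidates:
        return None
    vm = step2_host_name(device, candidates)
    return None if vm is None else step3_existing_assignment(device, vm)


def auto_link(devices: List[Device], vms: List[VirtualMachine]) -> Dict[str, str]:
    """Link every device; a VM can belong to at most one device (no multiple links)."""
    taken = {d.linked_vm for d in devices if d.linked_vm}
    links: Dict[str, str] = {}
    for device in devices:
        free = [vm for vm in vms if vm.name not in taken]
        vm_name = link_device(device, free)
        if vm_name:
            links[device.name] = vm_name
            taken.add(vm_name)
    return links


def sample_inventory():
    """Constructed sample data covering the match, exception, mismatch and manual-link cases."""
    devices = [
        Device("PC-01", "pc-01", ["00:0C:29:AA:BB:01"]),
        Device("PC-02", "pc-02", ["00:0C:29:AA:BB:02"]),
        Device("PC-03", "pc-03", ["00:0C:29:AA:BB:03"]),
        Device("PC-04", "pc-04", ["00:0C:29:AA:BB:04"], linked_vm="vm-manual"),
    ]
    vms = [
        VirtualMachine("vm-pc01", ["00-0c-29-aa-bb-01"], "PC-01"),   # MAC and name match
        VirtualMachine("vm-nodns", ["00-0c-29-aa-bb-02"]),           # no DNS name, single MAC match
        VirtualMachine("vm-other", ["00-0c-29-aa-bb-03"], "pc-99"),  # MAC match, name mismatch
        VirtualMachine("vm-pc04", ["00-0c-29-aa-bb-04"], "pc-04"),   # device already linked manually
    ]
    return devices, vms


if __name__ == "__main__":
    print(auto_link(*sample_inventory()))   # {'PC-01': 'vm-pc01', 'PC-02': 'vm-nodns'}
```

The ambiguous case, two virtual machines with the same best MAC score and no DNS name, yields no assignment, which is the outcome the wording of step 2 requires; only a single unambiguous MAC match is accepted without a name.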

Virtual Machines Provisioning

You can create new virtual machines via a job with the Manage virtual machine job step. It
allows different management actions like Provision virtual machine with profile. Before you
can use such jobs*, you have to create at least one VM Provisioning Profile.

* for Windows devices/VMware vCenter server only

Creating VM Provisioning Profiles

A VM provisioning profile defines how and where a virtual machine is created. New profiles can
be created or managed at any time under the Extensions/VM provisioning profiles node. To do
so, enter the following values:
VMware vCenter. Select an already created vCenter system in the bMS in which the new virtual
machine will be created later on.
OS customization specification. Select a set of specifications for the profile’s virtual machines.
All known OS customization specifications of the chosen VMware vCenter system are
selectable. This parameter is optional.
Datacenter. Select the datacenter in which the new virtual machine should be created. All known
datacenters of the chosen VMware vCenter system are selectable.
VM Template. Select the template from which the new virtual machine should be created. All
known VM templates of the chosen datacenter are selectable.
Folder. Select the folder in which the new virtual machine should be saved. All known folders
of the chosen VMware vCenter system are selectable. This parameter is optional.
Cluster/Host/Resourcepool. Select the cluster, server host or resource pool on which the new
virtual machine should be created. All known clusters, server hosts or resource pools of the
chosen datacenter are selectable.
Datastore/Datastore cluster. Select the datastore or datastore cluster in which the files of the
virtual machine should be saved. All known datastores or datastore clusters of the chosen
Cluster/Host/Resourcepool are selectable.

Creating Jobs
Once you have created VM Provisioning Profiles, you can use the Manage virtual machine job
step to create new virtual machines. To do so, select the Manage virtual machine job step
within the job step configuration. Then select the VM Provisioning Profile you want to use;
you can add further job steps to install software on the virtual machine etc.
The job can now be assigned to Windows devices, and a new virtual machine will be created
and configured. This job step is executed only if the Windows device has been newly created
in the bMC. If a Windows device has already had contact with the bMS, or if a virtual machine
has already been assigned to this device, the job step is skipped and marked.
If the VM provisioning profile contains an OS customization specification, the newly created
virtual machine is started during job step execution. In that case the job step ends when the
OS customization specification has been completely applied.

Figure 3.21.: Creating a VM Provisioning Profile

Virtual Machine Jobs

You can control virtual Windows devices via a job if the hypervisor of such devices is managed
by baramundi Virtual. The following actions are possible:

Turn on virtual machine. Switches on a virtual machine. If the machine is already running, the
job completes successfully. A suspended virtual machine can be switched off.

Turn off virtual machine. Switches off a virtual machine. If the machine is already switched off,
the job completes successfully. A suspended virtual machine can be switched on.

Reset virtual machine. Restarts a virtual machine; the current session is interrupted by the
restart. When the job step starts, the machine is switched on if it is not running. For a
paused virtual machine, the job step gives an error.

Shut down guest. Sends a shutdown signal to the guest OS via VMware Tools. If no VMware Tools
are running on the guest, an error message is displayed. If the machine is already switched
off, the job completes successfully. For a suspended guest, the job step gives an error.

Restart guest. Sends a restart signal to the guest OS via VMware Tools. If no VMware Tools are
running on the guest, an error is given. The virtual machine is switched on when it is running.
For a suspended guest, the job step gives an error.

4
Software
In this Chapter:
Basic Working Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
baramundi Background Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Execute Server Side Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Distributing Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Copying Installation Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Installing Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Microsoft Installer (MSI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Managed Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Approvals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Inventories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Automate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Basic Information about Automation Studio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Creating Deploy Scripts/Adding New Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
GUI-Actions/Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Debugger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Another Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Working with Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Applications for Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Load Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Edit Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Create Install/Uninstall Jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Getting Applications Via VPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
App-Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

With the software module you can easily and reliably install/uninstall software and take care
of administrative tasks.

Basic Working Procedure


First, copy the original setup files from the disk to the DIP (1). They are then created as an
application on the Management Server (2), either automatically (baramundi Application Wizard)
or manually, and as a result they are also listed in the bMC under Software/Applications. Once
this has been done, the respective distribution job can be created (3) and executed on a target
system (4). The device retrieves the installation files to be executed from the DIP (5), installs
the software and reports the job progress to the server (6).

[Figure 4.1 shows the flow described above: CD (1) → DIP; Application (2) and Job (3) on the
SERVER (bMS); Job (4) → DEVICE (bMA); DEVICE (5) ← DIP; DEVICE (6) → SERVER (bMS)]

Figure 4.1.: Software Procedure

baramundi Background Transfer


• Runs installation sources from DIP directly,
• Copies installation sources from DIP,
• Downloads installation sources using baramundi Background Transfer (bBT).

To use bBT you have to install baraDIP on a DIP, first (see page 248 for details).

Usage
Mobile users in particular are often not online long enough to download data in one go, or
they have a poor connection. To solve such problems, baramundi Background Transfer makes it
possible to download data from the DIP step by step.
1. There has to be a bBT-DIP (bbt:http://SERVERNAME:10083) for the target systems. This is
set up by editing the network properties under Configuration/IP Networks or, alternatively,
via Environment/Logical Groups. The bBT-DIP, separated by a semicolon, has to be listed
right beside the UNC-DIP under DIPs.
2. Within the application properties, the option Support bBT has to be activated in the tabs
Installation and Deinstallation (Fig. 4.2).
3. Within the job properties under General, the default setting Enable baramundi Background
Transfer must be kept (Fig. 4.3).
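To check the DIPs value of step 1 before rolling it out to many networks, here is an added parser for that list format. It is not baramundi code: the bbt: prefix and the port 10083 come from the example above, while the field names, the sample UNC path and the rule that a bBT-DIP must carry an explicit http port are this example’s own assumptions.

```python
"""Parser and checks for the DIPs list of an IP network or logical group.

Added example, not baramundi code. The text gives the list as the UNC-DIP
followed, separated by a semicolon, by the bBT-DIP "bbt:http://SERVERNAME:10083".
Field names, the sample values and the explicit-port rule are assumptions of
this example.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

BBT_PREFIX = "bbt:"


@dataclass
class DipEntry:
    raw: str
    kind: str        # "unc" or "bbt"
    host: str
    port: int = 0    # bbt entries only


def parse_dip_list(dips: str) -> List[DipEntry]:
    """Split the DIPs field and classify every entry; raises ValueError on malformed entries."""
    entries: List[DipEntry] = []
    for item in (part.strip() for part in dips.split(";")):
        if not item:
            continue                                  # tolerate a trailing semicolon
        if item.lower().startswith(BBT_PREFIX):
            url = urlsplit(item[len(BBT_PREFIX):])
            # assumption: a bBT-DIP is http with an explicit port, as in the example above
            if url.scheme != "http" or not url.hostname or url.port is None:
                raise ValueError(f"malformed bBT-DIP (expected bbt:http://host:port): {item!r}")
            entries.append(DipEntry(item, "bbt", url.hostname, url.port))
        elif item.startswith("\\\\") and len(item) > 2:
            host = item[2:].split("\\", 1)[0]         # \\host\share\path -> host
            if not host:
                raise ValueError(f"malformed UNC-DIP: {item!r}")
            entries.append(DipEntry(item, "unc", host))
        else:
            raise ValueError(f"unknown DIP entry: {item!r}")
    return entries


def bbt_ready(dips: str) -> bool:
    """True when both a UNC-DIP and a bBT-DIP are present (step 1 above)."""
    kinds = {e.kind for e in parse_dip_list(dips)}
    return {"unc", "bbt"} <= kinds


if __name__ == "__main__":
    sample = r"\\bms01\bms$\DIP;bbt:http://bms01:10083"   # constructed sample value
    for entry in parse_dip_list(sample):
        print(entry)
    print(bbt_ready(sample))
```

A list that carries only the UNC-DIP parses fine but is reported as not bBT-ready, which is the case in which step 1 has been skipped and the Support bBT option of step 2 has no effect.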

4. Software | 69
Figure 4.2.: Application Properties
Figure 4.3.: Job Properties

Execute Server Side Action

For actions that shall be executed on the bMS server on behalf of a target system, there is
the job step Execute server side action. With this job step you can, for example, manage a Linux
device on which no baramundi Management Agent can be installed.
Server side actions are controlled by baramundi Deploy Scripts, which have to be stored within
the \\{SERVER}\bms$\Scripts\Serverside directory.

Please consider: read and write permissions for this folder give the user the possibility to do
almost whatever she/he wants on your server. Therefore, you definitely should restrict those
rights! Please also take into consideration that there is no sub-directory support: scripts
located in sub-directories lead to erroneous job executions.

Under baramundi Deploy Script, choose the script you wish to execute via the select button*.
The edit button right beside it opens the script with baramundi Automation Studio.
Leave the Security context at its default, Configured install user, which means the user
account designated for the target machine. The LocalSystem (service) alternative is a server
service, probably with limited network resources. However, LocalSystem (service) is the only
option to start administrative processes on the server while avoiding the UAC.

* Without read rights for this folder, you cannot use this dialog. If you know the name of the
file, you can enter the script’s name directly.

Figure 4.4.: Job Step
Figure 4.5.: Settings

Script abortion after is a timeout in minutes after which the script execution is aborted in any case. This prevents corrupt scripts from running on the server for an indefinite period of time. In such a case, only the affected job step is aborted, not necessarily the job itself. To avoid overloading your server with scripts executing at the same time, their number is limited to 25. The execution of each additional server side action waits until the first 25 scripts have finished.
Scripts, as well as variables, are saved into a temporary directory that is deleted from the server automatically after a job has ended. Therefore, use relative paths only for created files that are no longer needed after a job is done. For permanent data storage on the server, use absolute paths. To prevent a job from stopping with an error after the first failed attempt to reach the target, use the End Script action and give a Magic String in the Return text to reschedule its execution.

Figure 4.6.: Magic String

• Select the End script action within the baramundi Automation Studio
• Choose the End with success entry under Mode
• The Return Text is #DELAYJOB# (Magic String), plus an additional text if you want
• Click OK

Now the job will be repeated according to the settings in Configuration Server Job Execution, in the General register under Delay interval if job can't be executed (Minutes). If, for example, an interval of 60 minutes has been set, the server will try hourly to deliver* this job to the server.
An overview of currently running and waiting server side actions is shown by the Server Status within the start menu. There you will find the Server-Side Action Executor module as part of the bMS-NET service of your server.

Distributing Software
In order to set up applications on the baramundi Server, these must be copied to the DIP first. In addition, it is necessary to create an application in the bMS. Only software found there can be distributed.

Copying Installation Files

The DIP (Distribution Installation Point) is a directory where the installation files of all applications to be installed can be found; this is the primary DIP. Under Configuration Server Basic Settings you will see the share on your network: look at the General tab, Primary DIP field. Save all files needed for installation there.

Installing Applications
If the installation data of the programs intended for distribution is in the DIP, then the respect-
ive applications can be installed in the Management Suite.

Automatic Application Integration. The baramundi Application Wizard was developed to make it as easy as possible to integrate new applications. This wizard supports the most common install engines, e.g. MSI, Installshield, NSIS, Wise, Innosetup and SFX Installer, and also provides for the installation of baramundi Deploy scripts. In the case of Installshield and Innosetup, the associated response files are created during integration. For MSI and the other install engines, you can choose from the most common command line parameters. The Application Wizard starts via Software Applications and New/Application. If new software should be integrated automatically, select Use baramundi Application Wizard in the first dialog. Then, enter the path to the application (Fig. 4.7) that should be installed. If the required installation files are provided, the setup is detected in the next dialog (Fig. 4.8) and the corresponding method for automation is offered.
* Editor's note: This is, if you like, the opposite extreme of «Error, because job cannot be delivered», namely «No error, instead an endless re-scheduling».

Figure 4.7.: Application Selection
Figure 4.8.: Automation Method

Then follow the program guide (an example of automatic application integration is provided at the end of this section).

Manual Application Integration. In addition to automatic software integration, applications can also be integrated manually. There are two options for this: Manual integration with wizard support and Manual integration without wizard support. While the latter only offers a dialog in which all details are entered, manual integration with wizard support automatically enters the required details when a specific application is selected.

Dependencies
Sometimes, an application can only be used if another piece of software is present. For example, paint.NET needs the .NET Framework; without it, the program does not start. Such dependencies can be handled within the Properties menu of applications, under the Dependencies tab. Alternatively, dependencies can be used to uninstall a certain application prior to the installation, or to end a job with an error depending on whether an application is present on the device or not. Use the Add button and select a software by clicking on it. Then, within the Type column, choose one of the possible options.

Figure 4.9.: Dependencies

Install before, if required: Based on inventory or deploy data, it is determined whether the required applications are present on the target system. If such required software is missing, the running job is completed with those programs first.
Always install after: The running job is completed with the required software in any case, at the end of the process. That means the needed software is installed automatically even if it is already part of the target system; bMS reinstalls the required software. Only when the option Reinstall Allowed (Installation tab) is not set (it is by default) is the job cancelled with an error message.
Always install before: The running job is completed with the required software in any case, at the beginning of the process. That means the needed software is installed automatically even if it is already part of the target system; bMS reinstalls the required software. Only when the option Reinstall Allowed (Installation tab) is not set (it is by default) is the job cancelled with an error message.
Uninstall before: Based on inventory or deploy data, it is determined whether the required applications are present on the target system. If so, such programs are uninstalled. If not, the dependency is deemed to be solved.
Error, if not installed: Based on inventory or deploy data, it is determined whether the required applications are present on the target system. If such required software is missing, the running job is cancelled with an error message.
Error, if installed: Based on inventory or deploy data, it is determined whether the required applications are present on the target system. If such required software is installed, the running job is cancelled with an error message.
Targets of dependencies can be the following objects:
• Applications
• Managed software products
• Managed software product lines
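To make the six dependency types concrete, here is an added example (not baramundi code) that plans the ordered steps of a job from an application's dependencies and a constructed inventory, including the Reinstall Allowed edge case. The data model, the function names and the inventory are assumptions made for this illustration.

```python
"""Job planning from application dependencies (added example, not baramundi code).

Models the six dependency types described above: the inventory set plays the
role of the inventory/deploy data used to decide whether a required
application is already on the target system.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Set


class DependencyType(Enum):
    INSTALL_BEFORE_IF_REQUIRED = "Install before, if required"
    ALWAYS_INSTALL_AFTER = "Always install after"
    ALWAYS_INSTALL_BEFORE = "Always install before"
    UNINSTALL_BEFORE = "Uninstall before"
    ERROR_IF_NOT_INSTALLED = "Error, if not installed"
    ERROR_IF_INSTALLED = "Error, if installed"


@dataclass(frozen=True)
class Dependency:
    target: str                      # application the job's application depends on
    kind: DependencyType
    reinstall_allowed: bool = True   # the target's "Reinstall Allowed" option (on by default)


class DependencyError(Exception):
    """Raised when a dependency rule cancels the job with an error message."""


def plan_job(application: str, dependencies: Iterable[Dependency],
             installed: Set[str]) -> List[str]:
    """Return the ordered steps the job runs, or raise DependencyError."""
    before: List[str] = []
    after: List[str] = []
    for dep in dependencies:
        present = dep.target in installed
        if dep.kind is DependencyType.INSTALL_BEFORE_IF_REQUIRED:
            if not present:
                before.append(f"install {dep.target}")
        elif dep.kind in (DependencyType.ALWAYS_INSTALL_BEFORE,
                          DependencyType.ALWAYS_INSTALL_AFTER):
            # Installed in any case: an existing installation is reinstalled,
            # which is only allowed when the target has "Reinstall Allowed" set.
            if present and not dep.reinstall_allowed:
                raise DependencyError(
                    f"{dep.target} is installed but reinstall is not allowed")
            bucket = before if dep.kind is DependencyType.ALWAYS_INSTALL_BEFORE else after
            bucket.append(f"install {dep.target}")
        elif dep.kind is DependencyType.UNINSTALL_BEFORE:
            if present:  # if absent, the dependency counts as solved
                before.append(f"uninstall {dep.target}")
        elif dep.kind is DependencyType.ERROR_IF_NOT_INSTALLED:
            if not present:
                raise DependencyError(f"{dep.target} is required but not installed")
        elif dep.kind is DependencyType.ERROR_IF_INSTALLED:
            if present:
                raise DependencyError(f"{dep.target} is installed but must not be")
    return before + [f"install {application}"] + after


# Constructed sample: paint.NET depends on the .NET Framework (the page's own example).
PAINT_NET_DEPS = [Dependency(".NET Framework", DependencyType.INSTALL_BEFORE_IF_REQUIRED)]

if __name__ == "__main__":
    print(plan_job("paint.NET", PAINT_NET_DEPS, {"Notepad++"}))
    print(plan_job("paint.NET", PAINT_NET_DEPS, {".NET Framework"}))
```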

Creating Bundles
Even if not technically necessary, it is sometimes advantageous to compile several applications into packages called Bundles, because this keeps things clearly arranged. The applications for the bundle must be created first.
A new bundle can be created via Software and the New Bundles with this Application action. First, name the new software bundle in the General tab (Fig. 4.10). If you want to uninstall software via bundles, you need to enable the Deinstallation Bundle option. Normally, software dependencies are taken into account for these bundles. If that is not wanted, enable the Ignore Dependencies option.
Specify which applications should be a component of the bundle in the Software tab (see Fig. 4.11). The relevant applications can be selected using the Add button. It is possible to delete applications from a bundle using the Remove button.

Figure 4.10.: Bundle Name
Figure 4.11.: Application Selection
Software bundles can be installed or uninstalled via Jobs after they have been created,
just like normal applications.

An Example
Software integration via the baramundi Application Wizard will be explained in more detail in
the following. Here, Adobe Reader will be integrated into bMS.

Microsoft Installer (MSI)


1. Open the Wizard by going to Software and New/Application
2. Select Use baramundi Application Wizard

The installation files for Adobe Reader are provided in the DVD source 3rd-Party Adobe as Setup.exe and as AcroRead.msi. The latter is used in our example (see Fig. 4.13). The installation mechanism is detected automatically from the metadata of the file, so the recommended automation method can be accepted.

Figure 4.12.: Method Selection
Figure 4.13.: Application Selection

Figure 4.14.: Automation
Figure 4.15.: Windows Installer

3. Select the setting Create windows installer command line.


4. Accept the settings in the Windows installer action step.

About the settings: There are four options available under Installation mode. Install and Uninstall install or uninstall the respective application on the device. It is possible to repair a malfunctioning installation using Repair. With the Advertise option the application is only installed on the target system when necessary: the start menu entries or desktop icons are provided on the device, but the program only installs when it is used for the first time (similar to the language packs from Microsoft Word). If the application needs to be accessible to every user of the target system, keep the Install for all users option enabled.
Under User Interface, specify whether or not dialogs will be displayed during installation.

The installation runs entirely without user interaction if No User Interface (/qn) (default setting) is selected, whereas Complete User Interface (/qf) leaves the installation entirely to the user.
If you select the last field, Transform, this allows access to mst files (Microsoft Setup Transform), which are used to make changes to default installations. For Office bundles, for example, it would be conceivable to exclude certain components from the installation.
5. Specify the parameters for logging.
6. Specify the msi properties.

With the Activate logging option, settings can be made that are saved in a text file during setup. MSI properties are values defined by the manufacturer that can be set here.
7. Check the source of your entries in the Command line.
8. Describe the application project.

The entries made are stored in the command line as a command that is then transferred to
target systems. The command can be checked here. The dialog for the application description
can be freely edited and is then accepted.
9. Confirm path selection.
10. Enable the option to display the application properties.

After a prompt about the installation path—normally, the first path named is selected—you
can still decide whether the application properties should be displayed for possible further
editing after you have finished the application project.
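The settings of steps 3 to 8 map onto standard msiexec switches. As an added example (not baramundi code), this Python function assembles that command line from the wizard's options, including the checks a practitioner would want before it is stored in an application (public MSI properties must be uppercase, transforms must be .mst files). The package name, paths and the EULA_ACCEPT property are constructed samples; that the wizard's logging option corresponds to /l*v is an assumption.

```python
"""Assemble an msiexec command line from the Windows Installer settings of the
application wizard (added example, not baramundi code). The switches /i, /x, /f,
/j, /qn, /qf, /l*v and the ALLUSERS and TRANSFORMS properties are standard
Windows Installer syntax; the mapping from wizard options is an assumption."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class InstallMode(Enum):
    INSTALL = "/i"
    UNINSTALL = "/x"
    REPAIR = "/f"
    ADVERTISE = "/j"       # completed with "m" (all users) or "u" (current user)


class UserInterface(Enum):
    NO_UI = "/qn"          # default: no user interaction at all
    COMPLETE = "/qf"       # full UI, installation driven by the user


@dataclass
class MsiSettings:
    package: str
    mode: InstallMode = InstallMode.INSTALL
    all_users: bool = True                 # "Install for all users"
    ui: UserInterface = UserInterface.NO_UI
    transform: Optional[str] = None        # .mst file from the Transform field
    log_file: Optional[str] = None         # "Activate logging": verbose log to a text file
    properties: Dict[str, str] = field(default_factory=dict)  # MSI properties dialog


def _quote(arg: str) -> str:
    """Quote an argument for cmd/msiexec when it contains whitespace."""
    return f'"{arg}"' if any(c.isspace() for c in arg) else arg


def build_command_line(s: MsiSettings) -> str:
    """Return the msiexec command line that the wizard would store."""
    if not s.package.lower().endswith(".msi"):
        raise ValueError("package must be an .msi file")
    if s.transform and not s.transform.lower().endswith(".mst"):
        raise ValueError("transform must be an .mst file")
    parts = ["msiexec.exe"]
    if s.mode is InstallMode.ADVERTISE:
        parts.append(s.mode.value + ("m" if s.all_users else "u"))
    else:
        parts.append(s.mode.value)
    parts += [_quote(s.package), s.ui.value]
    if s.log_file:
        parts += ["/l*v", _quote(s.log_file)]
    props: Dict[str, str] = {}
    if s.mode is InstallMode.INSTALL and s.all_users:
        props["ALLUSERS"] = "1"
    if s.transform:
        props["TRANSFORMS"] = s.transform
    props.update(s.properties)
    for name, value in props.items():
        # Only public properties (all-uppercase names) can be set on the command line.
        if name != name.upper():
            raise ValueError(f"property {name!r} is not a public (uppercase) MSI property")
        parts.append(f"{name}={_quote(value)}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values: package from the example above, paths and property invented.
    sample = MsiSettings("AcroRead.msi", log_file=r"C:\Temp\acro.log",
                         properties={"EULA_ACCEPT": "YES"})
    print(build_command_line(sample))
```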

Figure 4.16.: Logging
Figure 4.17.: MSI Properties

Figure 4.18.: Command Line
Figure 4.19.: Description

Managed Software
Updating standard applications makes sense: updates provide new features and quite often they close security issues. To relieve your administration from regular research and preparation jobs, baramundi offers a service to do it for you: Managed Software. The whole procedure of looking for updates, scripting them and deploying such applications is prepared by us:
• Research for new updates,
• Providing scripts for automation,
• Grouping of target systems within the bMS,
• Deploying those products.

Note: For certain products, mostly due to licence conditions, you have to provide the sources of an MSW product yourself.

Now release the provided products. To use this service, you need a license. For test purposes, it is possible to use the MSW service with baramundi products without a license.

Note: Out-of-date product lines (no longer developed by the vendor) are labelled as Outdated.

Approvals
Approvals can be made for versions and pre-set products and product lines. To do so, select
an exemplary version of a product and click on the Edit button within the action bar. The
Properties dialog opens, offering you the following options:
Released This version is released for all devices.

Figure 4.20.: Managed Software on the Group

Released for Test: This version is released for tests only. You can designate devices as test systems by assigning them to a job with a Managed Software update job step.
Released: productive systems
Released for test: testing systems
Not Released: A deployment is not allowed.
As far as the settings above have been made for products and product lines, they apply to future versions only. The activated Apply release settings immediately to child elements option inherits the approvals to all versions of a product or product line.

Inventories
First, you need to know whether, and which versions of, Managed Software is already running on your target systems. Via the Update Managed Software job step it is possible to check which version of which product is installed on your systems. To do this, create a new job: Jobs and New/Job for Windows Devices with the Update Managed Software job step. Under Actions you can select one of the following alternatives: Inventory Only, Inventory and Update, Update without Inventory. For an initial registration, Inventory Only should be your choice. The result will be shown under … Managed Software. Several states are possible:

Figure 4.21.: Managed Software on the Product

State    Product   Line   Version   Last Release
green    +         +      +         +
yellow   +         +      +         –
red      +         +      +         –
grey     +         +      –         –

Table 4.1.: Installation state

(Green bar) The currently used version is supported by Managed Software (product name, product line and product version are known) and released.
(Yellow bar) The currently used software is supported by Managed Software (product name, product line and product version are known), but is released for tests only.
(Red bar) Product line and version are detected; the version is known, but it is not the last released one.
(Grey bar) The currently used software is not supported by Managed Software (product name, product line and product version are unknown); the version is either outdated or too new. These installations can be uninstalled or updated by Managed Software.
For a global analysis of the collected data use the Cumulation tab in the Managed Software/Products node. First, activate the statistical data view by clicking on the diagram symbol in the Installation Status column. Data will be shown on three levels.

Notepad++ Product (name)
Notepad++ 6.x x86 Product line (major version, architecture, language)
Notepad++ 6.1 x86 Version

Results of Managed Software updates are displayed in other locations, too, e.g. within the device view, or are shown as a cumulated list on groups, products, lines and versions. Within the product and line views it is possible to filter by current, outdated and unknown versions.

Updating
Again, via Update managed Software job step, you are now able to update your target systems.
That’s the same procedure described above: Create the job step and select Inventory and
update or Update without inventory from the actions drop down menu.

An Example
To illustrate the whole thing, consider an example: assume a network of three devices. On a certain day, a Managed Software license is available to deploy standard applications automatically. The company wants to manage (among others) Adobe Reader and Notepad++. In the Software Managed Software view, all products are shown that are prepared for deployment by baramundi. Newly provided products are labelled with a little yellow bulb.

Managing Releases
First, you have to decide which of the provided products should be released for further deployment. In the case of Adobe Reader, the company always wants the newest version. For Notepad++, let's assume they want the German version for the x86 architecture (product line), but they do not trust the current version: instead of using the newest version, they want to stay with the stable previous version. How can this situation be handled?
1. Under Software Managed Software Products, expand the product by clicking the arrow icon and select the version you want.
2. Click on Edit in the action bar.
3. In the dialog that opens, select the release entry in the Managed Software tab under Release.
4. Repeat the same procedure for Adobe Reader and Notepad++.

Note: Let's assume the Adobe Reader 11.0.1 version should be released. As soon as you release Adobe Reader (AR) 11.0.1, version 11.0.0 will be released as well, being a prerequisite for its installation. Managed Software considers dependencies and releases such dependent products automatically.

Figure 4.22.: Release Information Adobe Reader

Software Inventory
First, a Managed Software inventory has to be initiated, as usual via a proper job.
1. Open and name a new job: Jobs and New/Job for Windows Devices.
2. Select the job step Update Managed Software.
3. In the dialog under Actions choose Inventory only.
4. Confirm this job and assign it to your device.

As a result, displayed under Software Managed Software, you'll see the state of the installed Managed Software on the clients. As shown in the figure above, product entries are found for Adobe Reader (first row).
Under Installation State (first bar), 60 percent is displayed green and another 40 percent red. What can we conclude from this?
Consider the product line rows: all installations relate to a single product line. Within it, a distribution of 60 percent green and 40 percent red is shown. That means that only one of the three network devices runs an up-to-date Adobe Reader version; on the others, another Adobe Reader version, either older or newer than the current one, has been installed.

Note: When another version (smaller font size) is shown below the used version (labelled red), that will be the current released one. When another version (smaller font size) is shown below the used version, a newer version than the used one is available.

Figure 4.23.: Inventory Result

Update Software
Once we know there are outdated Adobe Reader versions installed, these versions should be updated.
1. Open and name a new job.
2. Select the job step Update Managed Software.
3. In the dialog under Actions choose Inventory and Update.
4. Finish the job and assign it to the devices.

All out-of-date installations of Adobe Reader have now been updated. Configure the update job for regular execution (interval) to keep your environment updated automatically.

Automate
baramundi provides the development environment Automation Studio for automating software installations. The Automation Studio is part of the Software module and provides baramundi Deploy Scripts (filename.bds) for deploy jobs.

Install Engine. A baramundi Deploy Script (bDS) is executed instead of a setup. The purpose of such a bDS-controlled installation is:
• Additional adjustment before, during and/or after installation.
• The automation of user data during installation.

User-related Deploy Scripts (Usersettings). One of these scripts is copied to a target system and runs for one specific user or for multiple users when they first log on.
The baramundi Automation Studio is easy to use, adjusts quickly to the user's needs and is a very powerful development environment for automating installations.

Figure 4.24.: baramundi Automation Studio

Basic Information about Automation Studio
Note: When using the operating systems Windows Vista (Server 2008) and later you will need local administrator rights, especially for GUI automations. Otherwise, it will not be possible to access the program window.

The baramundi Automation Studio interface, the development environment for creating Deploy Scripts, is divided into five areas. At the top, the row with ribbons is used to control the features in Automation Studio and is made up of three areas:
Clipboard: Simple editing functions: paste, cut, copy.
Actions: Provides all features for script editing.
  New Action: Pastes an action into the script.
  Edit: Opens an action edit dialog.
  Delete: Deletes an action from the script.
  Comment Out: Script entries can be commented out or reactivated.
  Conditions: Sets and removes conditions.
  Arrow Keys: Script actions can be moved up/down, or indented (e.g. for subroutines) and outdented, using the arrows.
Execute: Debugger functions.
  Debug (F5): Executes the script action «monitored» in the development environment and thus enables:
  • A response to errors
  • Interactive adjustment of actions
  • Pausing of the script
  • Access to and modification of variables
  • A program and/or script process change
  Stop: Stops the running debugging action.
  Pause: Pauses the running debugging action.
  Single Step: Runs the script step by step.
  Set Start Position: Determines which action is executed first.
  Toggle Breakpoint: Sets or removes a script position at which a debug run pauses.

Figure 4.25.: Ribbon Area (on the top)

  Execute (Ctrl+F5): The script is not monitored when executing.

Note: There is a small arrow symbol in the lower right corner of the Actions area in the ribbon menu. Clicking on it hides the left action menu and thereby enlarges the script window for clearer script processing.

On the left side is the list of actions:
• Favorites (simply copy in actions)
• User Interaction
• Variables
• File Operations
• Registry
• User Management
• Network Functions
• Service Control
• System Functions
• Program Flow
• GUI Automation

Figure 4.26.: Actions

Individual GUI actions are listed in the main window—the script window—in order to test and
edit program steps. All actions can be created, moved and/or deleted there.
To the right, the variables window—where variable values are displayed. Two views are
provided, one for baramundi variables, another one for runtime variables.
Runtime Variables Variables generated by the script during execution
baramundi Variables baramundi variables: internal variables, e.g. bMS path

There are also two views provided below: the Error list, for displaying syntax errors and the
Output, in which individual action steps are logged.

Adjusting the Interface


The Automation Studio display elements can be easily adjusted to the individual needs of
the user in the menu located at the top on the right. It is possible to display or hide all work
windows in the Window menu item. The variable view can be disabled and enabled again if
needed. The status bar at the bottom of the studio can also be enabled and disabled.
The variables window can be positioned to suit the user’s preferences. All you need to do is
move it with the mouse. In order to «dock» the window on the bottom or right side: Slide the
mouse directly over the marks when positioning and a shadow indicates the position.

Figure 4.27.: Script and Variables Window

There are different interface styles available for the Automation Studio: Office 2007 Blue, Office 2007 Black, Visual Studio and Office XP. Changes can be reset to their original state via the Undo Changes menu item*.

Note: Keyboard shortcuts can be adjusted via the Automation Studio title bar drop-down menu under More Commands.

Creating Deploy Scripts/Adding New Actions


After a new Deploy script has been created or an existing script has been opened (via the
function bar top left), the respective actions (left, from the action menu) must be moved to
specific positions in the script window either via drag & drop or double-click. This opens a
dialog in which the information for the respective program step is entered. After checking
and confirming the dialog, the created actions are in the main window and can be tested,
moved or deleted there.

* This also resets any changed keyboard shortcuts!

Script Control (Program Flow)
All actions that serve the script process are compiled in the Program Flow area in the Actions
menu (left). Well-structured scripts can be created very clearly in connection with the arrow
functions in the ribbon bar.
Comment Similar to programming, comments can be added to the script in order to quickly
document script content. A comment has absolutely no influence on the script run; it
only acts as a script explanation.

Figure 4.28.: Program Flow/Comment

Jump Label A jump label defines a specific point in the script that can be reached during a run, even outside of the normal order.

Figure 4.29.: Program Flow/Jump Label

Go to Label This action makes the script jump to a pre-defined jump label in order to continue execution there.

Figure 4.30.: Program Flow/Go to Jump Label

Subroutines: Subroutines are program steps that are needed repeatedly. They are set up once and can be called again afterwards. If a subroutine is inserted in the script and commands are indented via the arrow keys in the ribbon menu, all actions indented there are included in the subroutine. The subroutine ends with the next outdent.

Figure 4.31.: Program Flow/Subroutine

Call Subroutine Accesses a pre-defined subroutine.

Figure 4.32.: Program Flow/Call Subroutine

End Script Ends script processing—in most cases because of a pre-defined condition. It can also
be differentiated whether the script is stopped with an error or with a success message.
Alternatively without status, a script can be ended by using a return code.

Figure 4.33.: Program Flow/End Script

Conditional Action Execution

Figure 4.34.: Conditions

Execution of most actions can be tied to conditions. To do so, double-click the Condition column of the action line. A condition is built from two operands that are connected via a logical operator.

Conditional Groups: Via conditional groups you can tie a condition to several actions. They are available within the action menu; the control of conditional groups is similar to the control of standard conditions.

GUI Actions/Analyzer
In order to create scripts for the automation of installations, the interface action is accessed from the Actions menu (GUI Automation). When Empty Action is selected, the steps needed to describe the actions must be entered, whereas Record Mode is an easy way for the user to start an installation and record the individual steps required. The Deploy script created can then be saved and used for subsequent installations.

Figure 4.35.: GUI action

Note: If you have to work regularly with interface actions, record mode can be started by pressing the F2 key. The Automation Studio window must be open for this.

Localization and Identification of Elements


The issue of localizing/identifying program elements with the analyzer can be compared, in an abstract way, to a car journey in a foreign city using a navigation system. We are going to compare a trip to Vienna with GUI automation on the interface of the Calculator, the little calculator program in Windows operating systems.
When traveling to Vienna, a tourist would definitely go to the city center, because he or
she really wants to see St. Stephen’s Cathedral, St. Rupert’s Church or «Maria am Gestade»
(St. Mary on the Strand). His navigation system will first search the entire city—i.e. Vienna—
and then narrow down the search.
The Automation Studio analyzer acts in a very similar way: Let’s look at the Calculator under
Start—Programs—Accessories. Similar to a navigation system that first finds the city, the
analyzer first detects the entirety, whether this is a program, a dialog or something similar. In
our case, the software itself, i.e. the Calculator—the outer borders if you like—the application
window.

The application window (TopWindow) is the highest selection hierarchy.

Figure 4.37.: The Application Window
Figure 4.36.: The City of Vienna

Our tourist must get to Vienna downtown to start the sightseeing tour in the first district.
In the Calculator the calculation 1 + 1 = 2 needs to be automated. Navigation must also take
place in a smaller unit, a sub-window in the main window: There is a generic control here—so
actually like the first district in Vienna, because the actual destinations can be found in this
control, key 1 and the equals sign.

The sub-window is higher than the elements in the selection hierarchy.

After the navigational system has identified the first district, it easily leads our tourist to the «Steffl» and other places of interest. The analyzer in the Automation Studio works very similarly: if the mouse pointer is in the sub-window, the elements are quickly localized, even number keys and the =/- key.

Figure 4.38.: The First District of Vienna
Figure 4.39.: The Sub Window
Figure 4.40.: The «Steffl»
Figure 4.41.: The Element

The element is ultimately the actual target.

Therefore, in the same way as a navigational system recommends a suitable route to the destination, the element detected under the mouse pointer is also only a recommendation by the analyzer. It is to be checked and adjusted if necessary before transfer into the script.

A Bit of Theory
After the quick explanation of the basic procedure using the Vienna example, here are a few «official» comments on the subject.
baramundi Automate uses a dual concept for element identification that is necessary for the automation of software installations: the Windows Application Programming Interface (WinAPI) and Microsoft Active Accessibility (MSAA).

WinAPI: This is the programming interface that allows programmers to develop software for Windows operating systems. The classes used by Automate normally determine the dialog elements. The TopWindows and Controls (control elements, black frames) are always determined by WinAPI classes or via WinAPI methods.

MSAA: This is an interface developed by Microsoft via which the program information of an element can be accessed. Communication with standard user interfaces is possible via MSAA in order to establish access to their interface elements, i.e. in order to identify, read out and, if necessary, integrate such elements.

Element Analysis. During the analysis of elements (Bottom-to-Top Analysis), the control element
is determined first and then the MSAA object that is under the mouse pointer. The path from
the MSAA object to the control element found is presented in the analyzer under MSAA Object.
Finally, the system analyzes the path to the application window, starting from the control
element toward the top through the window structure. The path determined thereby is listed
under Control Element in the analyzer.
Differentiation/identification takes place according to element names, their paths
and attributes (size, color, position, etc.). A Type is specified for the determined criteria and
suggested in the action dialog. Mapping is done preferentially to a normal control element
type, to the one that is most likely to appear. If the required element cannot be mapped via
its signature to one of the basic types, only then will the MSAA Control be selected as a Type
(an initial attempt at mapping to basic types is sensible because the basic types offer more
precise and varied actions than with a (generic) MSAA object).

Element Identification. In order to identify and retrieve an element in the script run, this process
is carried out in the reverse order (Top-to-Bottom Analysis): from all available application
windows, select the one that first meets the entered/determined search criteria. Then the
whole application window control element structure is searched until the control element
specified is found. If this search does not yield any results, the next suitable application
window is searched.
If an (optional) MSAA object is defined in the search criteria, the MSAA object located
there is determined based on the localized control element.

Simulating User Entries

Start Record mode to record an installation using the analyzer (start a GUI action by double-clicking on GUI Automation/GUI Action in the Actions menu*). The installation is then executed. In order to select a standard action, place the mouse pointer on the element you want; a frame appears. All information for the selected element is displayed at the same time in the right analyzer window.
If the mouse pointer is on the required element, right-click on it to open the GUI Action dialog (Fig. 4.42). You can now check to what extent the information matches the required element. If necessary, changes can be made here. The options under Type and Target are specifically for changing or substantiating search entries.

* For users who find the interface actions excessive: when the Automation Studio window is open, try using the F2 key to get to your destination faster.

Figure 4.42.: Record GUI Action
Figure 4.43.: Search Criteria
Type This is where you set how the element should be handled. The available action is also defined here.
Target Opens the dialog for search criteria definition.
Action This is the action that should be executed on the element.
Action Settings This specifies the selected action.
Timeout This is the time limit after which the action stops if the target has not been found.
Ignore Error Script is continued despite error (equivalent to the action in the script).

The Search Criteria dialog (Fig. 4.43) is of particular importance because this is where you can
refine the criteria for search objects. It is possible to substantiate object selection in three
clear categories (four with MSAA objects)—for example, for multiple objects available for
selection at the same level.
The selected action can first be tested via the green arrow key in the dialog; this executes
the respective action. Click Ok to confirm your entries. This closes the dialog and the action is
entered as a Deploy script step.
Play: This tests the action
Play&OK: This tests the action and applies it to the script
OK: This writes the action into the script without testing
Cancel: This cancels the action

Output/Error List. There is an output window in the lower section of Automation Studio. This displays the Output of the script process. Double-click on an entry to navigate to the action quickly.
The Error list displays errors before the script is executed, but also while it is being executed. The Error list provides information if variables have not been defined, etc.

Record Mode
The mouse can be moved over a window dialog while Record mode is running so that the user can see all of the windows and control elements contained therein, i.e. every function available to a user for installation. Frames are multi-colored:
• Application window (TopWindow) – the object itself (determined via WinAPI)
• Control – black frame (via WinAPI)
• MSAA-Object – red frame (via MSAA)

All values determined in Record mode are displayed in the Analyzer window on the right. The information is sorted from top to bottom according to the order mentioned above: basic information about a found element is listed under General; Application Window shows the TopWindow settings; Control (WinAPI) (black frame) shows the values for the basic element, and MSAA Object (Red Frame) lists the values for the MSAA elements.

Figure 4.44.: Analyzer Window

Under Options, you can select whether or not the Automation Studio window should be minimized during recording.
The Analyzer window status line at the bottom shows information on the coordinates of the current mouse pointer position. It differentiates between Desktop coordinates (absolute for the object) and Control coordinates (relative to the object). Moreover, it shows the pixel color value of what is located under the mouse pointer.

The Analyzer can be paused by pressing the shortcut Ctrl + L in Record mode, in order to be able to use the mouse «normally». Pressing Ctrl + L again ends the pause and enables element selection via right mouse click.

An Example
We would like to use a short example to illustrate this. In this example, the installation of the
Notepad++ editor needs to be automated. Let’s say the installation program that is to be
used to record the individual installation steps is already provided in a known folder on the
computer.

Figure 4.45.: Launch Process

1. Double-click Launch Process in the Actions menu.

The script must first know how and where the program can be started so that installation can
be automated.
2. Enter the path to Notepad++ and disable the Wait for completion option.
3. Confirm your entries.
4. Execute the script to start the setup.
5. Start Record mode.

The script window will not be displayed because you are within the Record Mode.
6. Right-click the button needed for installation in the respective dialogs and confirm the
action by clicking Play & Ok, and then close Windows Analyzer.

Debugger
The debugger is a highlight of the Automation Studio. You can use it to check deploy scripts
for correctness via the Execute group ribbon symbols. For example, in order to test the Note-
pad installation script, click on the Debug icon in the Execute ribbon menu. The debugger
then begins monitoring all action steps during execution.
The next icon Stop is used to stop the debug run. Stop in this context means: the debug
procedure stops and it is no longer possible to make any additional interventions in the script.
Press the Pause icon to interrupt the run. This pause only stops script processing; it is still
possible to make changes and corrections. When you press Single step, the run does not
proceed automatically from top to bottom, instead it happens in steps—and more precisely
on the current action, i.e. the respective start position.
Use Set Start Position to select the action in the script at which the run should start; with Toggle Breakpoint, it is possible to stop the script from executing at a specific action.
Enabling the checkboxes to the right of the program steps prevents the run from breaking when an incorrect action is executed. The run is not interrupted at a point marked in this way; instead, it continues with the next action. The three bugs in the ribbon bar provide fast control of script runs:

Stop: Script processing is aborted.

Pause: Stops script run at the current point.

Single Step: Allows a script to be run on a step-by-step basis.

In addition, individual areas of the script can be excluded from or skipped by a run through Comment out, in order to test specific script sections, for example. Through the Set Start Position ribbon function it is possible to identify actions where a run should be started or continued; Toggle Breakpoint does the opposite: it defines actions in the script where the run can be interrupted.
7. Now debug the script you just created.

Error Handling
If an error appears in a script, the error dialog provides the following options:
• Abort script execution: Script execution is stopped; further interventions are not possible.
• Pause script execution: Script execution is paused, but not aborted, i.e. errors can be corrected in order to debug the script again.
• Ignore error and continue script execution: An attempt is made to continue script execution without paying attention to the faulty action.

Variables Simulation
If a variable has to be simulated while debugging, three sources are available:
1. The scripting environment detects some variables dynamically, e.g. the hostname (client) and the current storage location of the script environment (bMSPath).
2. An already existing install.ini is loaded to make the content of its [BMSVARS] section available. If there is no install.ini yet, it is created by the agents during software installation. Since bMS 2015 R2, user-defined variables have been saved encrypted in the install.ini; within the file, the value is displayed as ***. Via the bDS script properties, you can specify an individual INI file to load instead. If there is no install.ini, Automate gives an error message.
3. The project variables within the script properties are only loaded for a debug run; they do not have any effect on regular job executions. Project variables overwrite values of variables with the same name from other sources.

When a debug run starts, you will see all currently valid variables on the right-hand side of the Automation Studio under bMS Variables. There, variable values can be edited while the debug run is paused.

Another Example
The standard font should be changed in the Notepad editor and actually «remote controlled»,
with the help of variables. The main role here goes to the Record mode. In order to be able to
record actions, the program must first be started.
1. Double-click the Launch Process entry under System Functions.
2. Enter the file notepad.exe under Command.
3. Select Start normally in Start behavior.
4. Disable the Wait for completion option.

First script line:

Start external process [notepad.exe]

Editor starts. The additional steps can now be determined via Record mode.
5. Start Record mode.
6. Select the Format menu item via a left mouse click.

Figure 4.46.: Start Notepad

Figure 4.47.: Font Menu

7. Choose Font with a right mouse click.


8. Check and confirm the action dialog with Play/OK.

On [Menu] with target [Untitled - Notepad] execute GUI action [Select menu entry «Font…»

This opens the font menu and allows you to select an alternative font (Font/Font style/Font
size): here, Courier New, in standard style with size 10 (pixel), i.e. three actions are required—
for type, style and size.
9. Right-click on Courier New under Font and then click Play & Ok.

You will probably be prompted to substantiate your selection during this step because other elements are included on the same selection level. In this case, confirm the message and click the selector button under Target. In the Search Criteria dialog that opens, refine your selection (the Resource ID is a good choice) so that the element selection is unambiguous.

Figure 4.48.: Prompt for Selection Substantiation

Figure 4.49.: Change Font to «Courier New»

10. Right-click on Courier New under Font and then click Play & Ok.
11. Right-click on Standard under Font style and then click Play & Ok.
12. Right-click on 10 under Font size and then click Play & Ok.
13. Right-click on Ok and then click Play & Ok.

Figure 4.50.: End Notepad

Figure 4.51.: Finished Script

And that results in the following script lines:

On [Combo box] with target [Font] execute GUI action [Select entry «Courier New»
On [Combo box] with target [Font] execute GUI action [Select entry «Standard»
On [Combo box] with target [Font] execute GUI action [Select entry «10»
On [Button] with target [Font\OK] execute GUI action [Press button]

14. Left-click on File, right-click on Exit.


15. Press Play & Ok and stop recording.

On [Menu] with target [Untitled - Notepad] execute GUI action [Select menu entry «Exit»

16. Debug the script by clicking the Debug ribbon.

Working with Variables

Variables are always used when specific information is required whose value can differ from device to device, e.g. the computer name. Other areas of application are numerical expressions (e.g. counters) and the analysis of transfer and return values, i.e. in general situations where a variable acts as a kind of placeholder.
The variables accessible in Automation Studio are classified as:
• bMS Variables – internal baramundi variables
– Project Variables: Set by the user for simulation purposes, i.e. variables that only apply to work in Automation Studio
– Install.ini: Variables loaded from the Install.ini at start
– System Variables: Variables set by the runtime that are always provided.
• Runtime Variables – variables generated by the script during execution

Passwords in Scripts. Please be very cautious about using passwords within scripts. bDS scripts can be opened with an editor at any time, so users who have access to the DIP could gain unauthorized possession of credentials.
To reduce this danger, you can use database-stored variables. In this case, sensitive information is additionally protected by restricting database access.
At runtime, of course, there is still the possibility of unauthorized data queries. When working with scripts, you will never avoid this risk completely. However, in the bMS you have the option of executing sensitive actions as server-side actions on the bMS server. The runtime information then no longer exists on the target system itself.

bMS variables created for job/device administration can also be used in Deploy scripts.

Project variables can usually be overwritten by runtime variables. Project variables that cannot be overwritten are: BMAPath, OSType, Domain, Architecture, Arch!

The actions to handle variables can be found in the Variables section of the Actions menu:
• Set variable: Defines a variable

• Determine variable: Calculates a variable value

To illustrate this, we will use a short example that probably will not offer much practical
benefit, but does provide a concrete view into the world of variables.

Example: Uninstall Software (if present)

The following script should first check whether a specific software application (Notepad++) is present on a target system, in order to uninstall it if necessary. This is to be done using a variable (Notepad++). In the first step, a variable must be set up that determines whether or not the software being searched for is present.
1. Double-click on Determine variable in the Actions menu.
2. Name the variable Notepad++ under Variable Name in the dialog.
3. Enter Installed Software Infos as Source.
4. The Parameter is the software being searched for: Notepad++.

Figure 4.52.: Determine Variable

After you have confirmed your entries, the script receives the first line:

Determine variable [Notepad++] from [Installed software infos]: Notepad++

You can easily check the value of the variable by running this first line as a single step and displaying the Notepad++ values in the Runtime variables view on the right: the variable value is FOUND.
If this is the case, the software application has been found and should be uninstalled; if not, the script should end with a «software not found» message. Such a condition can be added from the context menu (Set Condition) of a script step. First, we define the first of the two states:
1. Select the End Script action from the Program Flow menu via double-click.
2. Enter a Return Text for the case that the software you wish to delete does not exist, e.g. Notepad++ has not been installed.

Figure 4.53.: End Script

After you have confirmed your entries, the script receives the second line:

End script with Error and message [Notepad++ has not been installed]

The script shall be ended only in case the software you wish to delete is not installed. There-
fore, a condition is to be set:
1. Select in the context menu of the script step Set Condition.
2. Formulate the condition: {Notepad++} = NOTFOUND

Figure 4.54.: Set First Condition

After you have confirmed your entries, the script receives the first condition line:

{NOTEPAD++} matches (with wildcards) NOTFOUND

If the software is installed on the system, it should be deleted. Again, we begin with the action (uninstall the software) and formulate the needed condition afterwards.
1. Select the Launch Process action under System Functions.
2. Within the dialog, enter the console command that deletes the software.

Figure 4.55.: Launch Process

After you have confirmed your entries, the script receives the third line:

Start External Prozess [{NOTEPAD++.UninstallString} /S]

Here, the software has to be installed, i.e. the variable has to be FOUND.
1. Select in the context menu of the script step Set Condition.
2. Formulate the condition: {Notepad++} = FOUND

Figure 4.56.: Set First Condition

After you have confirmed your entries, the script receives the second condition line:

{NOTEPAD++} matches (with wildcards) FOUND

Your script is now finished and ready for «testing». But please be aware: the Debug functionality really executes the script. That means your Notepad++ editor will be gone after debugging.

Figure 4.57.: The Complete Script
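The FOUND/NOTFOUND check and the conditional uninstall that the script above builds step by step, written out as an added PowerShell example so the same logic can be tested outside Automation Studio. This is not baramundi code: it assumes that the Installed Software Infos source corresponds to the Windows Uninstall registry keys and that the software's UninstallString accepts /S, and it defaults to a dry run (-WhatIf) so that debugging it does not actually remove the editor.

```powershell
# Added example (not part of the baramundi manual or product): reproduces the
# bDS script's logic in PowerShell.
# Assumption: "Installed Software Infos" is approximated by reading the
# Uninstall registry keys (64-bit and 32-bit views).

function Get-InstalledSoftwareInfo {
    [CmdletBinding()]
    param(
        # Display name to look for, e.g. "Notepad++" (matched as a prefix,
        # mirroring the wildcard match in the manual's condition line).
        [Parameter(Mandatory)] [string] $Name
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    $match = $uninstallKeys |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem $_ } |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -like "$Name*" } |
        Select-Object -First 1

    # Shape the result like the bDS variable: {NOTEPAD++} is FOUND or NOTFOUND,
    # and {NOTEPAD++.UninstallString} carries the uninstaller command line.
    if ($null -eq $match) {
        return [pscustomobject]@{ Status = 'NOTFOUND'; DisplayName = $null; UninstallString = $null }
    }
    [pscustomobject]@{
        Status          = 'FOUND'
        DisplayName     = $match.DisplayName
        UninstallString = $match.UninstallString
    }
}

function Uninstall-SoftwareIfPresent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Silent switch appended to the UninstallString; /S is what the manual
        # uses for Notepad++ (assumption: the uninstaller in question accepts it).
        [string] $SilentSwitch = '/S'
    )

    $info = Get-InstalledSoftwareInfo -Name $Name

    # Equivalent of: End script with Error and message [...] when {NAME} = NOTFOUND
    if ($info.Status -eq 'NOTFOUND') {
        Write-Error "$Name has not been installed"
        return 1
    }

    # Equivalent of: Start External Process [{NAME.UninstallString} /S] when {NAME} = FOUND
    $cmdLine = "$($info.UninstallString) $SilentSwitch"
    if ($PSCmdlet.ShouldProcess($info.DisplayName, "Run uninstaller: $cmdLine")) {
        # cmd.exe handles the quoting that UninstallString values typically carry.
        $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', $cmdLine -Wait -PassThru
        return $proc.ExitCode
    }
    return 0
}

# Dry run first (the manual warns that debugging the bDS script really uninstalls):
Uninstall-SoftwareIfPresent -Name 'Notepad++' -WhatIf
# Real run (removes the software):
# Uninstall-SoftwareIfPresent -Name 'Notepad++'
```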

Applications for Mobile Devices
Under Software Apps, software for mobile devices can be imported or created for later deployment to mobile devices.

Load Applications
Before you can deploy applications to mobile devices, you need to have some. That means the ipa files (iOS), apk files (Android) and xap files (Windows Phone) must be available. In all cases, you have to download the apps you want to deploy from the Internet: either via iTunes (Apple), from the Play Store (Android) or from the Windows Phone Store.
You will then find such ipa files in the …/iTunes/iTunes Media/Mobile Applications folder. If you use local IPA sources, please bear in mind to use the same Apple ID within iTunes as you do on your mobile devices.
To save Android apk files, please use an appropriate application (e.g. AppSaver). With such a tool it is possible to save the apk files of already installed apps to your SD card and to copy them from there into a storage folder.

Figure 4.58.: Applications

Import. To make apps available for your mobile devices via the Import App(s) function, they must first be available to bMS. Therefore, place them in the defined app path.
1. Select Software Apps and New/App.
2. Apps in the app path that are not yet known to the database are automatically pre-selected. Confirm your selection with Import.
3. Mark an imported app.
4. Select Create Deploy Job.

You will find the newly created deploy job within the Jobs node. From there, the app can be assigned for deployment.

Manually. Via the Add app function, an app can be created manually. The information necessary for doing so should be provided by the app developer.
It is absolutely essential to give a package name (case sensitive). Giving a store ID makes it possible for iOS to install an app from the App Store without a source.

Edit Apps
With the Edit action, the name of applications can be adjusted.

Configure iOS App

To configure an iOS app, or to deploy already configured iOS apps to devices, use the Configure app job or the corresponding settings in the Install app job. Using the manufacturer's information, you can edit the configuration data for the corresponding app here.

Figure 4.59.: Add Apps
Figure 4.60.: Import Apps

Since it can be quite an arduous procedure to obtain all the information for an app to be configured and to enter all of it error-free, the AppConfig.org Community was founded to make this more comfortable: apps registered there have configuration schemas. Using these schemas provides an easy-to-use, option-controlled way to configure apps. Configuration data from https://www.appconfig.org is available by default via the AppConfig Schemas download job. Manually, you can import configuration schema data via Import configuration file. However, schemas must conform to the schema standard of AppConfig.org, and the user must have Modify rights to the app. Without these schemas, apps must be edited by hand in the edit window as XML code (schema standard). Notwithstanding which way of configuration will be chosen, baramundi variables*.
If the App Configuration option is not activated, all configuration settings will be reset. Use the job step Remove App Configuration to remove previously given configuration data.

Figure 4.61.: Edit Apps

Figure 4.62.: Installation Job

Create Install/Uninstall Jobs

With these two actions, you create jobs that install or uninstall apps. Select the applications and click on the appropriate action. The job is created directly under Jobs and opened in an object tab for editing. Here, you can specify the name and adjust the parameters of the job as needed, for example to put the app in the kiosk of the baramundi Mobile Agent*.
Uninstalling apps differs depending on the platform.
Apple iOS Allows apps to be uninstalled, but user apps cannot be uninstalled.
Android Asks the user for confirmation before uninstalling apps.
Windows Phone Does not allow apps to be uninstalled by MDM systems, except for Enterprise Apps (from version 8.1 on).

Getting Applications Via VPP

The Volume Purchase Program for iOS offers companies the possibility to obtain licenses in advance, usually in large quantities. With this kind of VPP you have full control over the company-wide license management: you can get licenses from Apple and install or uninstall (take back) licenses. Appropriately configured, no further user interactions should be necessary. You will find information here: http://images.apple.com/business/doc/vpp_business_guide.pdf. You can register under http://apple.com/business/vpp.

* see p. 294
* not for iOS devices

VPP Managed Distributions Device Assignment

For this VPP model, Apple gives you a so-called token (one time*) to authenticate to the server. You can get all licenses via this token. To do so, import the token under Configuration Mobile Devices within the Apple Volume Purchase Program (VPP) area by clicking the Import Token link. After a successful import of the token, the apps for which licenses were procured are checked periodically by the server at Apple.
You can import the token for one MDM solution only. Therefore, a token can also only be used for one MDM solution. If you obtain all licenses after a token import, already existing connections will be removed and those licenses will be taken back.

Once you have bought licenses via VPP Managed Distributions, you will find them under Software Apps. There you may want to create directories to put «VPP apps» in, so that you can find them again easily. To identify VPP apps within the general folder, just add the VPP Redemption Codes and VPP Managed Distributions columns to the view. You can do that by right-clicking into the table head (context menu) and selecting Add/Remove Columns.
Communication between Apple's web server and bMS is limited to the necessary license information.

If you have so-called Redemption Codes left (VPP apps still licensed via Excel file information), Apple will convert such licenses into the newer VPP Managed Distributions Device Assignment format. You can also still use such apps within the bMC under Software Apps via the Import VPP Redemption Codes action.

An Example
In this example an editor shall be provided for Apple iOS and Android. We start with iOS:
1. Select New/App within the Actions area.
2. The platform in this case is Apple iOS.
3. Use the Search function to look for an app within the Apple App Store.
4. We are looking for, and will find, the iEditor.
5. Select Add app.

* This token becomes invalid after 12 months of usage.

A link to the iEditor sources is set within the baramundi database; the editor can now be deployed. Under Android, applications are added as follows:
1. Install the app from the Play Store on your device.
2. Export the app as an APK, e.g. with AppSaver.
3. Copy the file into the Android app path (…/MobileDeviceData/Android/App).
4. Select the node Software Apps.
5. There, choose New/App and Android as the platform.
6. Click on Import and select the new app from the Add from package file dialog.
7. Confirm your selection with Next.

The application is registered in the database and can now be deployed to mobile devices.

App-Management
It is possible to prevent or allow certain apps from being installed or executed by using a so-called blacklist or whitelist: whitelisted apps are allowed to be installed and executed (apps not listed are not); blacklisted apps are not allowed to be installed or executed (apps not listed are).

Black-/Whitelisting is currently available for Android*, iOS† and Windows Phone‡.

* with Samsung KNOX 2.1; to prevent installation and execution on Android devices, KNOX SDK 5.0 is needed. That means: if a blacklisted app is already running on a device, you need KNOX SDK 5.0 to prevent this app from executing via a blacklist. With Samsung KNOX 2.1 you cannot; instead, you have to delete this app first.
† from version 9.3 and supervised only
‡ with Windows Phone 8.1

Figure 4.63.: Overview
Figure 4.64.: Apps

You can create blacklists and whitelists under the Software App-Management node from the action bar or within the context menu via New/Blacklist or New/Whitelist. Under Overview, give a Name and a short Description of the list. Under Apps, select the apps to be listed; afterwards you can Save your list.
A blacklist or whitelist can include system apps. Windows Phone allows certain system-relevant apps to be executed automatically, without considering any blacklists. The baramundi Mobile Agent cannot be blacklisted; it is removed from blacklists automatically. If it is not included in a whitelist, the baramundi Mobile Agent is added there automatically as well.
App Management Lists can be deployed via mobile device profiles to compatible devices (see page 192). To do that, use the Blacklist or Whitelist profile items. Please consider: at a given point in time, either a whitelist or a blacklist can be valid for a given device. Depending on the type, however, you can assign several lists.

For compliance rules: apps that cannot be executed are classified as not installed. That means an existing app blocked by a blacklist or whitelist is not a rule violation for an unwanted app. The same applies vice versa.

5
Operating Systems
In this Chapter:
Basic Procedure ... 113
OS Install Preparation ... 114
Creating Boot Image ... 114
Setting Up Operating System ... 116
Deploy Operating Systems ... 117
Job Preparation ... 117
Job Creation and Execution ... 118
OS-Cloning ... 120
Create Master-Images ... 120
Deploy Master-Images ... 121
Driver Integration ... 122
Automatic Driver Integration ... 122
Manual Driver Integration ... 123
Components ... 123
Hardware Profiles ... 124
Purpose of Hardware Profiles ... 124
Good and Poor Hardware Profiles ... 125
Creating a Hardware Profile ... 126
Partitioning Hard Disks ... 127
An Example ... 128
In-Place-Upgrade ... 130
Restrictions/Requirements ... 130
How to Use In-Place Upgrades ... 131

The Operating Systems module enables the fully automatic, fast and reliable installation of operating systems. Devices can be partitioned, formatted, natively installed and configured in just one pass. The operating system and all necessary applications are also installed. Operating Systems uses the native installation engine provided by Microsoft.
OS-Cloning provides an alternative approach to deploying operating systems. You will find more information about OS-Cloning further on in this chapter.

Basic Procedure
Operating system installation with baramundi OS Install essentially takes place according to the Preboot eXecution Environment (PXE) procedure, a method that enables network-based booting of computers. That means PXE-capable PCs can be booted over the network from a remote server instead of from a local drive.
Figure 5.1.: OS Install Procedure (diagram: SERVER (bMS) and DEVICE (bMA) exchanging PXE (1, 2) and TFTP (3) messages; Bootimage PE built from WAIK/ADK; steps (4) and (5) on the device)

The process of distributing an OS proceeds as follows: in order to boot over the network, the respective device sends a broadcast over the network and searches for a PXE boot server (1). This server responds (2) and provides the device with the TFTP server for downloading the PE boot image (3). The boot loader is then loaded into the device's system memory and executed (4). Finally, the device is ready to receive and process jobs (5):
• Partitioning and formatting of the hard drive
• Copy Windows Setup
• Restart the computer; continue the Windows installation.

OS Install Preparation
The use of baramundi Operating Systems is tied to specific requirements:
• The operating system to be distributed must already be created in bMC

• A boot image must be provided

• The target system must support PXE

Creating Boot Image


A boot image of this kind is to be created only once and it can be reused by the same server
for future operating system installations.

WAIK/ADK. The installation of the Windows Automated Installation Kit (WAIK) or the Windows Assessment and Deployment Kit (Windows ADK) is required for creating the PE boot image. You can download Microsoft's WAIK* from the Microsoft Download Center. Copy all sources locally and start the installation via StartCD.exe.

Which of the Microsoft toolkits you need depends on the hardware in use. Systems with a BIOS, or those operated in legacy BIOS mode, need WinPE 3.0 for network boot; this image is generated on the basis of WAIK. For systems that already run fully under UEFI, a newer PE version is required; for such systems an ADK must be available on the system on which you are working with the Boot Media Wizard. A parallel installation of both programs is possible.

Boot Media Wizard. A PE image can be created with the Boot Media Wizard. The wizard can be
found in the Management Center under Configuration/Tools.
The boot medium type must be selected in the first dialog (here Windows PE Network
Boot Image), followed by the selection of the respective server. In the third dialog, Windows
PE settings, the paths to Windows AIK/ADK, to boot.wim and to the boot environment are
entered (usually they are detected automatically). In addition, the Architecture (32/64-bit)
and the firmware type (BIOS/UEFI) must be selected. A dialog for driver selection follows.
For BIOS targets WinPE version 3.0 is used, which expects drivers for Windows 7; for UEFI
targets WinPE 5 is usually used, which expects drivers for Windows 8.1. After the dialog has
been completed, the boot image is created and is available for future operating system
installations.

If you load a Windows PE boot environment on a Windows device, no special authentication is
necessary to get access to the system's local hard drive. A third party can gain access to
local user data and system files this way. Therefore, a boot environment has to be set via
baramundi Management Center, either automatically by assigning a job or manually from the
Windows device properties.

* https://www.microsoft.com/en-us/download

Figure 5.2.: Type Selection Figure 5.3.: Server Selection

Setting Up Operating System


The operating system to be distributed (with all rights) is provided and can already be stored
on the DIP (this is also possible later). From there, it is adopted by baramundi and distributed.
A wizard for creating a new operating system opens via Operating Systems/Operating Systems
and New/Operating System. Enter the type of integration in the first dialog (Fig. 5.4); Native
is the correct method for operating systems. Enter the path to the operating system source in the
next dialog (Fig. 5.5) for operating system analysis and integration. A CD/DVD can also be
entered as a source here; in this case, the wizard copies the data onto the DIP upon request. A
template for the Unattend.xml will be suggested for an automatic installation.
If you want to use your own settings, copy the suggested template and edit the copy with
the System Image Manager for your Windows version (or newer). Do not edit the original
standard template. Enter the license key and the number of licenses to be used here.
Subsequently, it is possible to select in the settings (Fig. 5.7) whether or not the operating
system should be copied to the DIP, as long as a CD/DVD source is selected. The new OS should
now be ready for distribution.

Figure 5.4.: Integration Method Figure 5.5.: Directory Selection

Figure 5.6.: Response File Figure 5.7.: DIP Copy

Deploy Operating Systems


If all preparations have been completed, the operating systems integrated under
Operating Systems/Operating Systems can be distributed.

Job Preparation
• Activate PXE support (server; active by default).
• Activate TFTP support (server).
• Allow operating system installation (device).
• Activate boot environment (device).

Figure 5.8.: Server Settings Figure 5.9.: Device Settings



These requirements are enabled for the server (Fig. 5.8) under Configuration/Server/PXE Support
by checking the PXE server active box and the TFTP Server Active box, and for the device
(Fig. 5.9) in the device properties on the General tab by activating the Allow Operating
System installation option and setting the Boot environment (in addition to selecting
WinPE).

Job Creation and Execution


First, the job is set up via Jobs/New/Job for Windows Devices. After naming the job, select
Install Operating System as the job step. Then enter the operating system to be distributed.
In addition, three options are available, for example to disable the OS Install feature on
the device afterwards.

Figure 5.10.: Job Step Selection Figure 5.11.: OS Selection/Partitioning

Figure 5.12.: Network Boot Activation Figure 5.13.: Job Completion



The management of systems with UEFI firmware requires some adjustments: there is no
version of Windows PE that runs on both UEFI and BIOS systems. For this reason, we recommend
using the BIOS compatibility mode wherever possible. If this is not possible for individual
devices, you can create matching Windows PE boot images with the Boot Media Wizard. This
requires an additional Windows ADK installation. Create separate jobs for operating system
installation which use the corresponding UEFI boot environments. Please also note that
UEFI systems do not allow cross-platform deployment: always install an OS matching your
processor architecture.
Finally, the network boot must be activated in addition to the respective boot environ-
ment. The job only needs to be completed and is then available under the Jobs node. Now
assign a device, or optionally a device group, to the job; job execution follows after a
security prompt.

Once a Windows installation has completed successfully, the setup changes the boot order and
deactivates the network start. You can prevent this behavior by activating the Leave network
boot as first boot option (only UEFI) option within the Deploy Operating System job step.

Hardware Profiles for UEFI Devices


For an OS installation on a UEFI firmware device in native operation mode, a special
hardware profile is needed. We are going to create such a profile now.
We assume that all devices of the same model will usually be operated in BIOS compat-
ibility mode. Therefore, we want to exclude the profile to be created from automatic
detection.
1. Create a hardware profile and give it a proper name
2. Set the Ignore this profile when autodetecting the hardware profile option in the general
profile properties
3. Add a hard disk component
4. Edit the hard disk properties in the hardware profile:
• Configure a partition for 100 percent of capacity

• Set the Partitioning Scheme to GPT

• Activate Create UEFI Service Partition

Now, you can assign this hardware profile to a corresponding test device and check it with an
OS installation. Select a Windows version which supports UEFI.



Figure 5.14.: Job Step Figure 5.15.: Job Options

OS-Cloning
OS-Cloning is, like a native OS installation, used to set up new devices. Unlike a standard OS
installation, an already installed and configured device is taken as a reference system, a
so-called master. All its settings, software and so on are packed into an image which in turn
can be deployed to any other system. Cloning is especially useful if new devices should have a
certain software equipment and configuration right at the start of their operation. In such a
case, only one device has to be set up and its configuration can be cloned to any number of
other devices.
The steps are pretty much the same as for a native OS installation job. For general advice,
please refer to the sections above.

Create Master-Images
Once, you have configured a master system with all the desired components ready to be
cloned to other devices, you’ll need a master image.

Please note: OS-Cloning is not a data backup tool! It is rather a tool to install new devices of
identical hardware with a pre-defined configuration.

Creating a master image is handled by a job. This job is then used to get the master image
out of the master device. The proper job step to create a master image is Create master
image of an operating system. In the next dialog, under Image File, you can choose a location
for the master image to be created.
Create Clone OS automatically creates an operating system under Operating Systems/Operating
Systems; activating the option Extended title extends the name of the operating system to be
created with the name of the master device and the current date. Under Target folder a certain
(previously added) destination, a sub-folder of Operating Systems/Operating Systems, can be
given to put the file in. Once the job is created, it is shown under the Jobs node. Once a
device is properly configured to serve as a master device, this job can be applied to that
device.

Please make sure that the option Allow operating system installation is checked within the
master's Properties under the General tab.

Applying that job on the master device starts the Sysprep program (Microsoft), which
prepares a system for imaging. In doing so, all kinds of individual settings (PC name, SID
and so on) are removed! If the job has finished successfully, the just built master image
is saved under Operating Systems/Operating Systems. You can distinguish clone images from
operating systems by their different icons. The clone image is now ready to be deployed.

Licensing: Please make sure to add a license key to the created operating system.
If external images are to be integrated in the bMC, a wizard, available under
Operating Systems/Operating Systems and New/Operating System, will help. Just choose the option
Cloning in the upcoming dialog. In the next dialog give the path to the clone image. All
remaining settings are then taken over. After finishing the procedure, your external images
are available under Operating Systems/Operating Systems.

Deploy Master-Images
Once a master image (a file with a .bim extension) is available, any number of devices can be
cloned with it.

In this context, it should be noted that the master machine, once treated with Sysprep, is
no longer operational. It might be a good idea to clone the master device, too.

Deploying a master image is pretty much the same as deploying operating systems the native
way, so it is business as usual: First, a job is created via Jobs and New/Job for Windows Devices.
After naming the job, choose the job step Deploy Operating System. In the following dialog the
Installation selection should be Operating system from image file.
Under Image a clone image can be chosen. Moreover, a software and/or hardware inventory
can be initiated by checking the option SW Inventory and/or HW Inventory. Finally, in the
next dialog you can choose a fitting boot image.



Figure 5.16.: Deploy OS Figure 5.17.: Boot Image

Driver Integration
Normally, computer components are automatically added to the database via a hardware
scan when the device is created. Occasionally, special hardware components of a target
system are not supported by the operating system to be distributed. In such cases, their driver
has to be created in the bMS by an administrator before the operating system installation.
The missing drivers are then added to the driver data recognized by the operating system
and transferred to the respective device via the Setup.

Automatic Driver Integration


The easiest way to integrate drivers is the baramundi Driver Wizard, to be found under
Operating Systems/Driver and Automatic Driver Integration.

All drivers must be provided with an inf file so that the baramundi Driver Wizard can recognize
them, integrate them during the OS installation and allocate the components.

First, enter the directory in which the driver data can be found in the first dialog field
(Fig. 5.18). After the path has been entered, the driver can be selected specifically for a
certain component via the selection button. Optionally, it can be decided whether all drivers
or only the drivers relevant for the managed components should be listed. If the driver data
is not yet on the DIP, it can be copied there by enabling the final option, Copy drivers file
to DIP structure. The drivers that are necessary for the desired components are listed in
the Driver Selection (Fig. 5.19); the relevant drivers must be selected. Confirm the selection
in the next dialog; the driver is then listed under Operating Systems/Driver. A detailed
description of a driver integration can be found in the appendix.



Figure 5.18.: Directory Description Figure 5.19.: Driver Selection

Manual Driver Integration


In addition to automatic driver integration, manual driver integration is also possible under
Operating Systems/Driver. The following settings are possible:
Integrate driver by selecting file The inf file path can be entered directly, remaining settings are then
automatically adopted.
Windows driver This option allows for the manual processing of all driver information.
Textmode driver (txtsetup.oem) Occasionally, drivers are already needed during an installation. The
textmode drivers configurable here are used for this.
Folder To manage driver data clearly, you can create directories listed below the driver node.

Components
Supported components (such as PCI, USB, ACPI, HDAUDIO) are automatically detected in WinPE
by the baramundi Management Agent and are available after an OS installation in the
Inventory/Components view within the object tab of a Windows device.
If there are no components, e.g. hardware that communicates with the computer via
the USB port (like USB sound cards or laptop fingerprint readers), it might be useful to create
components manually. The question is whether or not the OS provides a driver for the
device. If so, there is no need to integrate it into the bMS. Creating a component is possible
via OS Install/Components/New. First, select which component type (hard disks, network cards,
graphics cards, monitors, other components) it concerns.

As a rule, you work with other components here, since the other types are normally
detected automatically by the device scan.



The Manufacturer, Model and Device ID of the respective component must be entered in the
dialog field on the General tab. The first two can be freely edited; the Device ID can, as a
rule, be left empty unless the component has a device ID. On the Driver tab, the respective
(previously integrated) driver must be entered for such a device via the Add button.

When creating a component, pay attention on the Driver tab to the operating system the
driver is provided for, listed in the OS column under Driver Assignment. If you want to
install an operating system that does not support this driver, i.e. is not listed under OS (you
are installing Windows 7, but only Windows XP and Windows 2003 are listed under OS), the
OS Install job fails.

After the components have been completed, they are available under Operating Systems/Components.
From there, components can be allocated to individual devices. The components are then
integrated under Hardware Profiles for device groups, and this is exactly what it concerns in
most cases.

Hardware Profiles
Hardware profiles are manually created schemes of specific hardware components that, being
required periodically, are always accessible and enable:
• Automated installation of model-specific applications

• Fast partitioning of hard disks

• Non-automatically recognized drivers to be assigned

Purpose of Hardware Profiles


The main purpose of a hardware profile is to manage model specifics automatically.

Normal Case. When a computer is created, a current list of installed components is created via
a device scan; this list can be seen per computer in the Logical Group of the Windows Devices
node under Inventory/Components. The recognized components with the respective
(provided) drivers are assigned via the default hardware profile Full Autodetect.

Special Case. Whenever a model needs an installation of applications, drivers &c., a hardware
profile can take care of it.

Normally, this results in the following procedure: First, the missing components are added
with their driver information under Operating Systems/Components. Then, the required
components are provided during the creation of a new hardware profile. The respective
hardware profile is assigned when the device is created. As far as the components of the
device model have been added as well, the bMS server can also detect the correct profile by
itself.

Component       Match points   HW-Profile A   HW-Profile B   HW-Profile C
Network Card    5              Realtek        Realtek        -
Graphics Card   5              Matrox         Matrox         -
Sound Card      5              -              Asus           -
USB Add-On      5              Digitus        Digitus        -
ISDN Card       5              AVM            -              -
Fingerprint     0              IBM            IBM            IBM

Table 5.1.: Example of Hardware Profile Detection

Good and Poor Hardware Profiles


A good hardware profile takes two aspects into account:
1. A sufficient degree of automation, and
2. Consideration of components that are not automatically detected.

Since components are detected automatically, one might think a hardware profile is only
relevant for components which are not created automatically by the device scan. But when
working with multiple hardware profiles, a matching system ensures a correct assignment.
Match points are calculated exclusively via components recognized by the device detection.
An example for better understanding: Let us say there are two hardware profiles with the
components and match points (5) shown in Table 5.1.
Both hardware profiles A and B are therefore created. Now, a computer with the following
equipment is created: network card (Realtek), graphics card (Matrox), sound card (Asus),
USB add-on (Digitus) and fingerprint reader (IBM).
Which hardware profile is this computer assigned? Hardware profile B takes effect
via the total of the match points: It receives 5 points for every component, i.e. 20 points
(because the fingerprint reader is not included in the match point calculation), whereas
hardware profile A only results in 15 points. In addition, the computer is missing a component
of profile A, the ISDN card, and that rules out its assignment! This results in the following rules:
• Only components count for match points.

• The computer must have all components of the profile.

• The profile can feature all of the computer components.

In the example, the missing component thus already rules out the assignment of hardware
profile A. If the computer had an ISDN card, the assignment would take place via the higher
number of match points.
Profile C, which only has the component that is not detected automatically by the device
scan, cannot be matched because it has no match point score.
It is therefore not only smart but necessary to include in a hardware profile not only the
components that were not found by the device detection but also the components detected
automatically (via the device scan), in order to reach the highest possible level of
automation. Otherwise, automatic assignment cannot take place.
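The matching rules above, worked through in code. This is an added example and not baramundi code; it assumes that match points are attached to component types as in Table 5.1, that a profile is ruled out as soon as the device lacks one of its components, that a score of 0 never leads to an assignment (the fallback is then the default profile Full Autodetect), and that a profile can carry the Ignore this profile during automatic profile detection flag. The profile names, vendor strings and the device are the constructed sample data of the manual's example.

```python
"""Hardware profile auto-detection as the manual describes it (added example,
not baramundi code). Assumptions: match points belong to component types
(Table 5.1), a component worth 0 points never contributes, and a profile can
be flagged to be skipped during auto-detection."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Match points per component type, constructed from Table 5.1.
MATCH_POINTS: Dict[str, int] = {
    "Network Card": 5, "Graphics Card": 5, "Sound Card": 5,
    "USB Add-On": 5, "ISDN Card": 5, "Fingerprint": 0,
}


@dataclass
class HardwareProfile:
    name: str
    components: Dict[str, str]          # component type -> vendor/model
    ignore_on_autodetect: bool = False  # "Ignore this profile ..." option


def score_profile(profile: HardwareProfile,
                  device: Dict[str, str]) -> Optional[int]:
    """Return the profile's match score for a device, or None if ruled out.

    Rule: the device must carry every component of the profile (same type
    and model). The profile may contain fewer components than the device.
    Only components with match points count towards the score.
    """
    for ctype, model in profile.components.items():
        if device.get(ctype) != model:
            return None
    return sum(MATCH_POINTS.get(ctype, 0) for ctype in profile.components)


def detect_profile(profiles: List[HardwareProfile],
                   device: Dict[str, str]) -> Optional[str]:
    """Pick the admissible profile with the highest score.

    Profiles flagged to be ignored are skipped, as are profiles with a
    score of 0 (a profile made only of 0-point components, like profile C,
    offers nothing to match on). None means: fall back to Full Autodetect.
    """
    best_name, best_score = None, 0
    for profile in profiles:
        if profile.ignore_on_autodetect:
            continue
        score = score_profile(profile, device)
        if score is None or score == 0:
            continue
        if score > best_score:
            best_name, best_score = profile.name, score
    return best_name


# Profiles A, B and C from Table 5.1 (constructed sample data).
PROFILE_A = HardwareProfile("HW-Profile A", {
    "Network Card": "Realtek", "Graphics Card": "Matrox",
    "USB Add-On": "Digitus", "ISDN Card": "AVM", "Fingerprint": "IBM"})
PROFILE_B = HardwareProfile("HW-Profile B", {
    "Network Card": "Realtek", "Graphics Card": "Matrox",
    "Sound Card": "Asus", "USB Add-On": "Digitus", "Fingerprint": "IBM"})
PROFILE_C = HardwareProfile("HW-Profile C", {"Fingerprint": "IBM"})

# The computer from the manual's example (constructed).
EXAMPLE_DEVICE = {
    "Network Card": "Realtek", "Graphics Card": "Matrox",
    "Sound Card": "Asus", "USB Add-On": "Digitus", "Fingerprint": "IBM",
}

if __name__ == "__main__":
    for p in (PROFILE_A, PROFILE_B, PROFILE_C):
        print(p.name, score_profile(p, EXAMPLE_DEVICE))
    print("assigned:", detect_profile([PROFILE_A, PROFILE_B, PROFILE_C],
                                      EXAMPLE_DEVICE))
```

Running it reproduces the manual's outcome: profile A is ruled out by the missing ISDN card, profile B scores 20 and is assigned, profile C scores 0 and is never assigned. Flagging profile B with the ignore option leaves no admissible profile, which is the situation in which the default profile applies.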

Creating a Hardware Profile


For example, 11 new devices of the same type are to be created and equipped with the
respective hardware profile. All computers have a component, a USB sound card, that is
not recognized by the device detection. Some alternative hardware profiles have already been
created.

Preparation. First, one of the new devices is created; the components found via the device scan
are then managed both on the device itself and under Operating Systems/Components.
The drivers required for the components can be selected and integrated via automatic
driver integration (Operating Systems/Driver and Automatic Driver Integration). These can
be found under OS Install/Driver. Components and drivers that are not provided automatically
by the device detection, like the USB sound card here, must be added to the system manually.

Profile Processing. There are several ways to create a new hardware profile. We recommend the
easy way of copy & paste into the new hardware profile.
1. Access the dialog via Operating Systems Hardware Profiles and New
2. Enter a name in the General tab
3. Close the dialog
4. Highlight the component on the device and drag and drop it into the profile

It should be noted during component selection that the hard drive is not part of the
selection*. Otherwise, the copy & paste function is blocked.

Components can also be added/deleted via the dialog and also in the Components tab via the
Add or Remove buttons.
There are two other options to take into consideration in the lower section of the General
tab: Enter domains after operating system installation, for the very improbable case that there
is no network connection to the domain controller during the operating system installation
and the domain should only be joined after the installation. The second option is Ignore this
profile during automatic profile detection, which ensures that a suitable hardware profile is
ignored despite having the highest match points. If there are reasons not to use specific
profiles, they do not have to be deleted; enable this option instead.

* This must be manually added to the profile if needed (e.g. hard disk partitioning).

Profile Assignment. During automatic device creation, the devices are assigned the most suitable
hardware profile, in the case above the profile created previously.
If target systems are created manually in the Management Center, they can be assigned to
the previously created hardware profile via the context menu of the respective logical group
node (New/Windows Device).

Partitioning Hard Disks


It is also possible to set up specific partitioning of hard disks via hardware profiles. Create a
suitable profile or add a hard disk to a profile created via copy & paste (properties).
The drive can now be partitioned in the hard disk properties. The size can be specified
as a value in MB or in percent. Please note that percentages are always interpreted relative
to the remaining capacity. If you want to set up e.g. half of a drive for the system partition
and the other half for data, you need to set the first partition to 50 percent while the
second one uses 100 percent (of the remaining drive space). If you instead set the data
partition to only 50 percent, it would only utilize 25 percent of the drive's capacity.
The options Drive Letter and Cluster Size offer an automatic selection of proper values.
These should be given precedence in case no specific setting is required. Set all other
partition options as required. The property page also offers partition alignment. This is
intended for use with e.g. SSD drives; it prevents performance loss due to mismatching
cluster and sector borders. If Windows drive encryption BitLocker is to be used, you may
create the boot partition simply by checking the box labelled Create Bitlocker partition.
Make sure to set the Target partition property of your operating system objects to
InstallToAvailablePartition!

Figure 5.20.: Partitioning

If no hard disk component is contained in a hardware profile, a single partition using
100 percent of the capacity of the first drive is created automatically during an OS
installation.

After the settings have been completed, partitioning takes place during the operating system
installation. In addition, for an OS Install job you need to go to the Deploy Operating System
dialog and select According Configuration Client/Hardware Profile under Partitioning (Fig. 5.11).
Although a hardware profile can be used without containing any hardware components at
all, to deliver certain parameters to the operating system setup, we advise adding at least
a hard disk, gaining the ability to partition such machines.
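The sizing rule for percentages from the partitioning section, generalized to any number of partitions and to fixed MB sizes such as a BitLocker boot partition. This is an added example and not baramundi code; it assumes that partitions are allocated in the listed order, that a percentage refers to the capacity still unallocated, and that an MB value is absolute. The 200 GB drive and the 350 MB BitLocker partition are constructed sample values, not figures from the manual.

```python
"""Partition sizing as the hardware-profile hard disk dialog interprets it
(added example, not baramundi code). Assumption: a percentage is relative to
the capacity still unallocated, an MB value is absolute, and partitions are
allocated in the given order."""
from typing import List, Tuple

Spec = Tuple[str, int, str]      # (label, value, unit) with unit "MB" or "%"


def plan_partitions(capacity_mb: int, specs: List[Spec]) -> List[Tuple[str, int]]:
    """Return (label, size_mb) for each spec, allocated in order.

    Percentages are taken from the remaining capacity, which is why
    50 % followed by 50 % yields 50 % + 25 % of the drive, while
    50 % followed by 100 % fills it. Raises ValueError when a partition
    does not fit into what is left.
    """
    remaining = capacity_mb
    result: List[Tuple[str, int]] = []
    for label, value, unit in specs:
        if unit == "%":
            if not 0 < value <= 100:
                raise ValueError(f"{label}: percentage must be in (0, 100]")
            size = remaining * value // 100
        elif unit == "MB":
            size = value
        else:
            raise ValueError(f"{label}: unknown unit {unit!r}")
        if size > remaining:
            raise ValueError(f"{label}: {size} MB requested, {remaining} MB left")
        result.append((label, size))
        remaining -= size
    return result


def unallocated_mb(capacity_mb: int, specs: List[Spec]) -> int:
    """How much of the drive a layout leaves unused."""
    return capacity_mb - sum(size for _, size in plan_partitions(capacity_mb, specs))


DRIVE_MB = 200_000  # constructed 200 GB sample drive

# The manual's two cases: system 50 % / data 100 % of the rest ...
GOOD_LAYOUT: List[Spec] = [("System", 50, "%"), ("Data", 100, "%")]
# ... versus system 50 % / data 50 %, which leaves a quarter unused.
POOR_LAYOUT: List[Spec] = [("System", 50, "%"), ("Data", 50, "%")]
# A fixed-size BitLocker boot partition in front of the system partition
# (350 MB is a constructed sample value).
BITLOCKER_LAYOUT: List[Spec] = [("BitLocker", 350, "MB"),
                                ("System", 50, "%"), ("Data", 100, "%")]

if __name__ == "__main__":
    for name, layout in (("good", GOOD_LAYOUT), ("poor", POOR_LAYOUT),
                         ("bitlocker", BITLOCKER_LAYOUT)):
        print(name, plan_partitions(DRIVE_MB, layout),
              "unused:", unallocated_mb(DRIVE_MB, layout))
```

The poor layout leaves 50 GB of the sample drive unallocated, exactly the 25 percent the text warns about; the good layout and the BitLocker layout use the whole drive.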

An Example
To illustrate this, an operating system (Windows 7) is to be installed on a group of devices
in the following. The target systems need to be created first and provided with a hardware
profile. Partitioning of the hard disk drive should be considered as well, in such a way that
two areas of equal size become available. This is with a new server in mind, i.e. a server where
the boot image still needs to be set up.

Setting up Boot Image. First, set up* the Windows Automated Installation Kit (WAIK) on the server.
WAIK can be downloaded directly from the Microsoft webpage. You will find a link within the
download area of the baramundi forum and in the StartCD.exe of our installation medium.
After WAIK is installed on the server, the PE image can be set up. Use the baramundi Boot
Media Wizard for this.
1. Start the Boot Media Wizard from the start menu.
2. Select Windows PE Network Boot Image (see page 115).
3. Enter the bMS server here (baramundi Server).
4. Adopt the settings referred to in the next dialog.
5. You can add drivers in the next dialog.

Operating System Setup. After the PE image has been created, the operating system can be set up. A
(Windows) operating system must be available for this.
1. Select OS Install/Operating Systems/New
2. Select the integration method Native in the first dialog
3. Enter the path to the operating system source under Source
4. Enter the path to the response file under Unattended file (chosen by default)
5. Give the path to store the sources on the DIP. This path will be created by the wizard
later on.
6. Enter the license key under License
7. Enter the number of allowed installations for that particular key under Coun.
8. Now let the wizard copy the files to the DIP.

* We assume a system with BIOS or Legacy-BIOS mode here.

After the dialog has been completed, the operating system is located in the bMC under
Operating Systems/Operating Systems and is available for use in jobs.

Creating an OS Job. Preparations have now been completed; a job is to be created for distrib-
uting operating systems. Ensure that:
• PXE support is enabled under Configuration/Server.
• The respective target systems allow an operating system installation.

If the above is ensured, a new job is created.
1. Select Jobs and New/Job for Windows
2. Select the job step Install Operating System
3. Select your settings for the Operating System and for Partitioning

Under Operating system, select the native operating system to be distributed, which in
our case is Windows 7 (DE).

Creating a Hardware Profile. Now, in order to store the components in a hardware profile, a device
must first execute a Windows PE job, usually an OS install job.
1. Create a new hardware profile under Operating Systems/Hardware Profiles.
2. Open Inventory/Components within the device's object tab.
3. Highlight all components except the hard drive.
4. Copy your selection and paste it into your profile.

All components detected by the device scan are now part of the profile.

Partitioning Hard Disks. Finally, a hard disk drive must be added to the hardware profile and
partitioned.
1. Open your hardware profile properties dialog.
2. Select Add in the Components tab.
3. Select and apply hard disk drive.
4. Close the properties dialog and double-click on the new drive to partition it.

Creating Devices. There are two ways to create a new target system in the bMC: automatically or
manually.



Manual: To access the respective dialog go to Environment/Logical Group and New/Windows
Device (with Hardware Profile) and select the suitable hardware profile. When creating devices
manually, you need to know the MAC address (Network) and the host name (General) and
enter them in the dialog in order to make a clear device assignment. Devices created this
way can then be grouped as desired.

Automatic: To register a lot of devices at once, you can use Register MAC address automat-
ically under Configuration/Server/PXE Support at Unknown Clients. After a server restart, the
PXE module of the bMS server will register any device with an unknown MAC address that is
looking for a boot source. Such devices are registered within the logical group root. You can
change name and group afterwards.

Executing Jobs. After all new devices have been registered, named and grouped, jobs can be
assigned to them (in our case, first an operating system installation).
1. Create a new job
2. Select the job step Install Operating System
3. In the next dialog select the operating system you want.
4. Under Partitioning select According Configuration Client/Hardware Profile/Hardware
Profile
5. Finalize the job

The job must be assigned to devices via Assign/Devices and is then executed as soon as the
devices boot from the network.

In-Place-Upgrade
In-place upgrades make it possible to automatically update a Windows OS without rein-
stalling the whole system. The new system is installed on top of the old one; all user settings
and files as well as installed programs remain unchanged*.

Restrictions/Requirements
In order to use in-place upgrades, there are some restrictions to be considered:
• In-place upgrades are only available with Windows 7, 8, 8.1, 10.

• No edition change is possible («Enterprise»/«Professional» + Evaluation/N-Edition;
32/64 bit &c.).

• Language settings of original and update must be the same.

• The original OS must already have a valid Windows 10 license or receive a new license
with the update.

In addition, please note the following:

• There must be a native Windows 10 OS object* created in the bMS.

• It is recommended to give the license key.

* A full data backup is always recommended.

How to Use In-Place Upgrades


You can deploy in-place upgrades natively via the bMS job step Deploy operating system. To do so,
proceed as follows:
1. In the Jobs node, select New/Job for Windows devices.
2. Give the new job a name; Next.
3. Select the Deploy operating system job step.
4. Under Installation select the In-Place Upgrade entry.
5. Select the respective OS object.

You can add other job steps.

Licensing
The bMS license management behaves slightly differently in this special case than for an OS
installation. Licenses assigned to a device within the database stay connected because the
data medium is not formatted.
If you have activated license management on the OS object used for the upgrade, a license
is reserved for the Windows device and assigned after the upgrade. The license of the system
to be upgraded remains unaffected by this. If a software detection rule has been connected
to the system to be upgraded, this connection is deleted automatically with the next software
inventory, and the license is released again, too.
License management of the OS object used does not need to be activated. However, to
prevent problems we recommend entering your company's volume license key.

* see «Setting up Operating System» on page 116



6
Inventory
In this Chapter:
Hardware Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Inventory Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
WMI Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
File Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Software Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Software Inventory Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Software Detection Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Creating a Shortcut . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Inventoried Apps for Mobile Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Inventoried Apps for macOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Defining Asset Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Moving, Copying and Referencing Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Asset Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
baramundi Energy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Data Acquisition and Energy-Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Energy Saving Device Behaviour . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Takeover by the Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Energy Management Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Application Usage Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
baramundi AUT Mode of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
baramundi AUT in Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
AUT Device Controlling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

An inventory (Latin invenire: to find something) is used to record stocks. What in a commercial
company means counting, weighing and measuring the entire stock is simply called
«Inventory» at baramundi and can be performed in just a few steps, and it serves the same
purpose: in our case, recording the hardware and software data of your IT landscape.
On the following pages you will learn how to perform a hardware and software inventory
on your target systems. After that, the bMS functions for managing assets are presented.
Finally, this chapter discusses the baramundi AUT module for assessing the use of
applications.

Hardware Inventory
The hardware inventory forms the basis for managing PC systems and is one of the core
modules of the baramundi Management Suite.
Inventory Templates
A hardware inventory with the Standard Hardware Template reads the BIOS of your system
via the Desktop Management Interface (DMI). The data is taken directly from the component
manufacturers' chip sets.
1. In Jobs select New/Job for Windows Devices
2. Name the job and double-click Perform Inventory
3. Select Standard Hardware Inventory
4. Confirm and close the dialog

Once the job is completed, you will find the collected data in the object view of your Windows
device under … Inventory/Inventories/Hardware/WMI.
It is also possible to create your own template.
To do this, select the Inventory/Inventory Templates node, navigate to New in the task area and
select Hardware Inventory Template. To avoid possible problems, the parameters of the
hardware scan can be adjusted on the Options tab.
The SpeedStep Support option allows SpeedStep-capable CPUs from Intel to be identified.
This includes mobile versions of Pentium III and Pentium M processors, as well as Pentium 4
and Pentium D processors. This lets you determine whether SpeedStep is present and which
mode is in use for the CPU (Battery-optimized/Full Power). Activating this option may cause
some desktop computers to crash; it is therefore recommended to use this option carefully.
SMBus is a standardized protocol for querying system data. For older computers, the query
may not return any data.

Figure 6.1.: Templates

This makes it possible to assess in advance to what extent an operating system change will
work based on the hardware requirements, whether sufficient hard drive space is available for
a new application, whether there is enough system memory, or whether a processor is too
slow, et cetera. A hardware inventory takes less than 30 seconds per device. Since it is
performed in the background, the user is normally not disturbed while the inventory is being
carried out.

WMI Inventory
Information about the hardware of a Windows device can also be obtained from the OS
itself. Windows offers interfaces for querying such hardware data.
WMI (Windows Management Instrumentation) was originally released by Microsoft as
part of Windows NT Service Pack 4. It is the central management service for the Microsoft
Windows operating system and, as a permanent component of current Windows platforms, it
now serves as a system interface through which various data can be accessed.
The bMS allows you to perform an inventory of hardware and software data on a target
system via the WMI interface. The data accessed there may, however, differ from the standard
hardware inventory; some differences in scope and depth of detail may be found.
WMI provides a wide variety of data queries. This data includes everything from BIOS

Figure 6.2.: Naming
Figure 6.3.: Template Selection
Figure 6.4.: Class Selection
Figure 6.5.: Class Attributes
Figure 6.6.: Additional Properties
Figure 6.7.: Completion

entries to registry keys through user-defined settings. This allows you to determine which
data is requested at the WMI interface. To do this, you modify an existing WMI inventory
template or create a new template. To create a new template, select the Inventory/Inventory
Templates node.
Create a new WMI template via New/WMI Inventory Template. After naming the new
template on the General tab, the Classes tab provides a wizard for adding a WMI query by
clicking New. If you wish to use a reference PC, you will need to define the PC and an
authorized user. These instructions only cover basic techniques, so we will not use a
reference PC here. Click Next (Fig. 6.2). You can now decide whether to query a predefined
class or to define a free query via WQL (WMI Query Language). For this, select the WMI Class
(Fig. 6.3) and make the desired entry in the Group menu (Fig. 6.4); activate classes (Fig. 6.5).
You can adjust individual values and define conditions.
It is also possible to define additional properties, e.g. a time limit within which a return value
must be received, or abort on error (Fig. 6.6). The query created can be tested; the result is
shown in the result area (Fig. 6.7). Test the query on reference systems first*.
Now create an inventory job under Jobs and assign it to one or more test systems.
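The same two kinds of query the template wizard offers (a predefined class and a free WQL query with a condition), together with the time limit and abort-on-error properties, can be tried outside the bMS first. This is an added PowerShell example, not code from the baramundi manual; the parameter names, the chosen classes and the 30-second default are assumptions for illustration.

```powershell
# Added example (not part of the baramundi manual): run a predefined-class query and a
# free WQL query the way a WMI inventory template would, so the query can be tested on a
# reference PC before it is put into a template. All parameter names are assumptions.
param(
    [string]$ReferencePc = $env:COMPUTERNAME,  # "reference PC" from the wizard
    [pscredential]$Credential = $null,        # "authorized user" from the wizard
    [int]$TimeoutSec = 30                     # "time limit" additional property
)

# Build a CIM session: local when no credential is given, remote otherwise.
$sessionArgs = @{ ComputerName = $ReferencePc; OperationTimeoutSec = $TimeoutSec }
if ($Credential) { $sessionArgs.Credential = $Credential }
$session = New-CimSession @sessionArgs -ErrorAction Stop

try {
    # 1) Predefined class, as selected under "WMI Class": a few attributes of Win32_BIOS.
    $bios = Get-CimInstance -CimSession $session -ClassName Win32_BIOS -ErrorAction Stop |
        Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate, SerialNumber

    # 2) Free WQL query with a condition: local fixed disks only (DriveType = 3), i.e. the
    #    query that answers "is there enough disk space for a new application?".
    $wql = "SELECT DeviceID, Size, FreeSpace FROM Win32_LogicalDisk WHERE DriveType = 3"
    $disks = Get-CimInstance -CimSession $session -Query $wql -ErrorAction Stop |
        Select-Object DeviceID,
            @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } },
            @{ n = 'FreeGB'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } }

    # "Abort on error": -ErrorAction Stop turns any WMI failure into an exception that is
    # caught below, instead of silently returning a partial data set.
    [pscustomobject]@{ Bios = $bios; Disks = $disks } | Format-List
}
catch {
    Write-Error "WMI query against $ReferencePc failed: $($_.Exception.Message)"
}
finally {
    Remove-CimSession -CimSession $session
}
```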

If you do not require wizard support, you can also click Expert New to create the template. In
this case, only a single dialog opens where all tasks can be stored.

The result of an inventory can be found in the device view under … Inventory/Inventories/Hardware/WMI
in the object view of a Windows device. Here you can also delete unneeded data sets on
request. The bMS also deletes inventory records automatically: a nightly maintenance task
deletes all but the last two data sets of an inventory type (Hardware, WMI, or User Defined).
This behavior can be customized through the database maintenance tasks as required.

* Additional information on WMI can be found on the Microsoft website:
http://technet.microsoft.com/de-de/library/cc787057.aspx.

File Inventory
The bMS offers the possibility to take an inventory by directly accessing the files of a system.
The corresponding template can be found in the node … Templates under New/Template for
File Inventory in the context menu or the action bar.
During a file inventory, a large amount of data can be collected very quickly, which may come
at the expense of your system performance.

Software Inventory
bMS Inventory enables exact registration of the software installed on the target systems. In
doing so, programs are also detected that were not distributed via baramundi Software.

Software Inventory Templates


Inventory registers software based on registry information. If needed, new software detection
rules are created and used automatically. Rules give you the opportunity to adjust the display
names of detected software or to detect complex software products later on. If you add a
Perform inventory job step, you will be asked for a software inventory template. For software
inventory, select Software Inventory (Default).

Inventoried Registry Keys


To detect software on a Windows device, the part of the registry is read in which applications
usually register themselves for uninstall purposes. Thus, the result of a regular software
inventory job corresponds to the data in the Control Panel view Programs and Features. The
name of the key is HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall and, for
32-bit software on 64-bit systems, HKLM\Software\Wow6432Node\Microsoft\Windows\
CurrentVersion\Uninstall.
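Reading the two keys named above directly shows the raw data an inventory works from and lets you compare it with the Programs and Features list and with the inventory result in the bMS. This is an added PowerShell example, not code from the baramundi manual; the function name and the selected columns are assumptions.

```powershell
# Added example (not part of the baramundi manual): enumerate the uninstall registry keys
# that a software inventory reads, for 64-bit and (via Wow6432Node) 32-bit applications.
function Get-UninstallEntries {
    [CmdletBinding()]
    param()

    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }   # Wow6432Node is absent on 32-bit Windows
        $arch = if ($key -like '*Wow6432Node*') { 'x86' } else { 'x64' }

        Get-ChildItem -Path $key | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # Entries without a DisplayName are components or patches that Programs and
            # Features hides; they are part of the raw data a detection rule has to cope with.
            if (-not $p.DisplayName) { return }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Publisher       = $p.Publisher
                InstallDate     = $p.InstallDate
                Architecture    = $arch
                SystemComponent = [bool]$p.SystemComponent   # 1 = hidden in Programs and Features
                KeyName         = $_.PSChildName             # subkey name the raw data is stored under
            }
        }
    }
}

# Sort like the Programs and Features list and show the result.
Get-UninstallEntries | Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, Publisher, Architecture -AutoSize
```

A product that registers several subkeys (one per component) appears several times here; those are the entries that consolidated detection rules combine into one.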

An Example (Software Inventory)


In the following example we create a job for a software inventory, assign the inventory to a
device and check the results in the baramundi Management Center.
1. Open the module tab Jobs and there your folder under the Jobs node
2. Select New/Jobs for Windows Devices from the context menu
3. Give it a unique name.
4. Add the Perform inventory job step
5. Select the Software Template (Default) template
6. Finish job creation
7. From the object tab that opens, click Assign in the action bar and assign the job to a
test device
8. Wait until the job has ended
9. Open the object tab of your test device. Select the Inventory/Software view. There you will
see the detected software.

Software Inventory Results Software inventory results are displayed globally as well as in group
and device views. A global overview of inventoried/installed software can be found in the
Inventory module tab under Software/Windows Devices. There you can see which software is
known within your environment and on which devices it was found.
A similar view is available in logical and dynamic groups. These views are helpful if you
want to know the number of installations of a certain application at a certain location.
Besides the views already mentioned, you will also see software detection rules created by
an inventory. Moreover, you can see all collected raw data, e.g. to:

• Create rules manually
• Find errors
• Extend rules

Raw data of a single system is shown in the object tab under Inventory/Inventories/Registry
or in the Inventory module tab.

Software Detection Rules


baramundi Inventory uses software detection rules to detect which software products are
installed on inventoried devices. To do so, the detected raw data is compared with the existing
rule set. All rules that successfully match the raw data are linked with the device. If no
matching data set is found, the server creates and links a new rule.
Manually, you will have to deal with two kinds of software detection rules:
Linking Rules In most environments, software is not deployed exclusively by the baramundi
Management Suite. Therefore, you should link software detection rules to a deployable
application in the bMS. All installations of an application found by Inventory are then
linked directly to that object. You will have an overview of all installations, manual and
automatic. You will not only have a reference point for further maintenance activities
but also a standard licence calculation basis. Moreover, in case of a manual uninstall
action, Inventory will take care of deleting files and releasing licenses.
Consolidate Rules On Windows devices, complex software products often register themselves
several times. As an administrator, you may not care about this. Therefore, you can
consolidate rules to cover complex products with just one rule.

Categories for New Rules


Categories are useful for arranging detection rules, applications, Managed Software and
operating systems. All rules newly created by the server remain uncategorized and are
displayed as Not categorized. Consider assigning your own category when you create
application objects or detection rules. You will then easily recognize rules created by
Inventory, and it will be clear which software in your environment has been found recently.
This assumes that rules are assigned to categories.
Inventory data can easily be exported to an Excel sheet if required.

Creating a Shortcut
If a first-time inventory has been taken after software was previously deployed, there will be
double entries for the same software in your Software tab. This is because Inventory and
Software module data are displayed separately if they are not linked, which may affect
clarity, for example.
Select the rule entry for the application you want to link. Then select the Assign software
action from the context menu or action bar. To this end, you simply need to click the chain
symbol to the right of the rule entry. A dialog opens where the associated application can be
selected. Once you have confirmed your selection, the corresponding application is displayed
instead of the rule. This shortcut only needs to be created once per application. Note that a
rule can only ever be allocated to one application! You can also assign a rule directly under
Software/Applications via its properties.
You can edit the rules directly under the Software Detection Rules node. Using the Insert
into this Rule action, you can merge several selected rules into a single one. To this end, select
the corresponding rules and move them to the rule that is to remain unchanged.
Whether or not merged rules can be used, you can check by running a software inventory.
You can also check the last raw data against the rule set of a certain device. To do so, select
Apply software detection rules in the Extras context menu of a Windows device. Then check
the Software view. You should only see the consolidated entry.
Not matching attributes: If you accidentally merge attributes of different products into one
rule, this rule may no longer be usable on a device. In such a case, the server automatically
creates new rules for the data that cannot be assigned. You can minimize this risk when
merging rules: copy the wanted attributes directly from the raw data view of a Windows
device (Inventory/Inventories/Registry). This data can be put into the main rule under
Inventory/Software detection rules. Then you must delete obsolete detection rules manually.

Inventoried Apps for Mobile Devices


The inventory of mobile devices is initially performed analogously to that of Windows devices.
Create a job under Jobs and add the job step Perform Software Inventory. Assign the job to
the mobile devices whose software status is to be determined.

Software inventories should be performed regularly. They provide important information for
system management and, especially in conjunction with the compliance functionality of
baramundi Mobile Devices, are an important source of information. Such jobs should be
configured for repeated execution.

An overview of the apps found by an inventory is given in the Inventory/Software/Mobile
Devices node. Unlike the overview of installed software on an Android device, system
applications are not shown here. You can create an uninstall job* for each app displayed here.

* You can uninstall enterprise apps only from Windows Phone version 8.1.

Figure 6.8.: Inventory Results macOS Devices

Inventoried Apps for macOS Devices
Here we are dealing with pure inventory objects which have no direct job relations. Therefore,
there is no possibility in this view to create uninstall jobs or references to install or uninstall
jobs.

Assets
Asset systems are used to manage assets. In an IT environment, the focus is on:
• the type of assets,
• maintenance contracts of assets,
• sites of assets,

when it comes to accounting for financial interests. This basically concerns the management
and «locating» of hardware in an IT landscape. baramundi Assets offers some of the
functions of such a system.
The asset functions can be used to manage devices. You can assign properties to printers,
scanners, overhead projectors, etc. and assign them to specific devices or device groups.
This enables system administration to quickly locate devices. A stock function allows you to
determine which of these devices are being used and which are not assigned to a user.
Finally, you can also view acquisition and operating costs via Assets.

Figure 6.9.: Inventory/Assets

Defining Asset Types


Depending on the properties of the device being managed, you must first create a
corresponding asset type. Typical devices are already defined, such as:
• Overhead Projector

• Digital Camera

• Printer

• External Hard Drive

• Key Card

• Monitor

• Multifunctional Device MUFU

• Scanner

• Smartcard Reader

• Switch (Router)/Active Network Component

All of these types are assigned characteristic properties—visible when you select an asset
type—that describe the device. If another asset type is required, select Inventory Asset Types and
New/Asset Type and enter the information on the new device type in the dialog that opens.
Enter a name on the General tab (Fig. 6.10). You can also select a respective icon*. Details
on the vendor, costs and the like (Fig. 6.11) can be stored on the Defaults tab; technical
information entries are added in the properties of the corresponding asset type. These
properties can be edited in the asset type context menu under New/Properties. You can store
details on the device in this dialog, using a corresponding property type. Several properties
can be set for one device.

Creating Assets
Assets can be assigned to specific devices or Logical Groups. If they are not assigned, the
respective device is transferred to the Asset Stock.

* The image must be saved as an .ico file.

Creating Assets on the Device
To assign an asset (device) to a device or Logical Group, open the view of that device. Select
the Inventory/Asset view and click New/Asset in the context menu.
The asset type must then be entered in the first dialog (Fig. 6.12); further details on the
asset and its costs, in addition to the name (mandatory), can be added in the following dialogs.
Once all tasks are completed and confirmed (the asset property dialog opens), the new device
is listed under the respective device in the Environment/Logical Group node.

Asset Stock
baramundi Assets also has a stock function. All devices that are not assigned to any owner
are listed under Inventory/Asset Stock. Asset folders are only visible within the tree structure
on the left. This has two effects:

Creating Assets in the Inventory Assets can be created in the asset stock. In this case, these
assets are not yet assigned to a device, but cannot be overlooked by system administration
because they are recorded in the stock. The procedure is the same as above.

Automatic Additions to Stock on Device Deletion All assets assigned to Windows devices and
groups are automatically transferred to the stock after the target system has been deleted, so
that devices do not remain unused after deletion of a target system and are not omitted from
asset organization. In this sense, system administration cannot ignore such devices even when
a target system is deleted.

Figure 6.10.: Asset Type (General)
Figure 6.11.: Standard Values
Figure 6.12.: New Asset: Type
Figure 6.13.: New Asset: Parameter

Figure 6.14.: Asset Stock

Moving, Copying and Referencing Assets
If asset types are defined and assets are created, they can be moved with cut & paste. It is
therefore very easy to move assets from one device to another. As a result, the corresponding
asset is removed from the original device and added to the new device.
Assets can also be copied. A program dialog asks: Do you want to copy the selected asset or
insert it as a reference? The difference between reference and copy is, in this case, the
difference between «the same» and «identical». A referenced asset is the same device: an
employee from sales can reference a printer (e.g. brand Lennon 65) in the development
department on his device; this is the same printer, i.e. the one in the development
department. The printouts will then have to be collected from there.
A copy, however, is an identical device: i.e. another Lennon 65. This (identical) second
device is located in sales, though. The advantage of a copy is only to save typing time,
because all the values of the first device can be adopted by the second. A referenced asset
does not have a property entry in its context menu; instead, it is called Navigate to Actual
Asset, i.e. it leads to the property dialog of the non-referenced device.

In this respect, an asset cannot be referenced to the same owner. In this case, the asset is
automatically copied; no query takes place. References in the stock are also unreliable.

Asset Views
The respective views (Fig. 6.14) are available in the Management Center for the purpose of
clear asset management. All available asset types, assets and inventories can be easily viewed
and managed in them. The number of assets and how many of them are in the stock or in
use can be viewed, as well as acquisition and operating costs, in the asset overview. The
asset types listed are collapsible. Below them are the individual devices. The name and the
current location (stock or device allocation) as well as the asset owner are displayed. By
clicking on the owner, the system jumps to the corresponding device and displays its asset list
with the devices contained in it. This is also collapsible and, expanded, provides information
on device properties and references. The asset nodes of Windows devices and groups under
Environment and the asset view under the Inventory node are available for asset processing.

baramundi Energy Management


By using baramundi Energy Management, device energy consumption can be recorded and
compared; energy costs can be saved by decreasing energy use at times when the hardware
does not need full power.

Figure 6.15.: Asset Type (Standard)
Figure 6.16.: Asset (Individual)

In order to use baramundi Energy Management, a license must be acquired.

Data Acquisition and Energy-Assets


Data acquisition for energy saving purposes is done automatically once the Energy
Management licence has been activated. As soon as a device's Management Agent has
registered with the server, data is transmitted. The baramundi Agent collects the operating
times during which a device is:
• On

• Off

• Standby

The calculation of energy consumed (kWh) is based on average consumption values. Those
values are managed in so-called energy management assets.

Such automatically created assets cannot be moved, copied or referenced.


When a device first supplies energy management data to the server, such assets are created
for PC systems and connected monitors (labelled with the name of the respective model).
For the first asset of a model, an asset type is created, too. All these objects inherit the
standard consumption values given by baramundi. We recommend updating these standard
values to the actual energy consumption values to ensure a realistic calculation. To do so, go
to the Inventory/Asset Types node. There are two folders: Monitors and Systems. There you
will find the automatically created asset types. Information about energy consumption is
available in the asset type properties.

Figure 6.17.: Pricing
Figure 6.18.: Energy Profile
Should the energy consumption of a single target system differ from others of the same
model, individual consumption values can be set. This can be done by opening the asset
properties under the Power Consumption tab and removing the Default tick. Then you can
enter another, more specific value.
All required energy data is provided in the device's view under the Energy Consumption
tab. The previous steps were only about measuring energy data. To achieve improved energy
management results, energy profiles have to be created first. Such profiles then have to be
assigned to energy policies.

Energy Saving Device Behaviour


To decrease a device's energy consumption, so-called energy profiles are needed. Those
profiles are later built into an energy policy. Such a policy can be deployed to devices, where
it helps to effectively increase the units' energy efficiency.
To give the whole idea a monetary base, the current price of electricity can be set under
Inventory/Energy Management and Properties on the General tab.

Figure 6.19.: Energy Policies
Figure 6.20.: Energy Policies 2

Energy profile. An energy profile is an object which (if used) sets the system's idle timeouts
before certain energy saving measures are activated, such as switching off screens or hard
drives, or going to standby mode. Moreover, such a profile even differentiates whether a
system is running on battery power or on mains power. Under Inventory/Energy
Management/Energy Profiles and New you can set operation and idle times for hardware
components. Use the Windows energy options of your OS or User Defined settings for the
Power Switch, Energy-Saving Button and When Closing Lid to make sure your settings do not
get overwritten.

Energy policies. Energy policies consist of several energy profiles and define when which
energy profile has to be used. Different profiles can be called for three conditions:
• User is logged in

• User is logged off

• Desktop is locked

How the device shall react to changes of energy policies can be controlled, too:
• Allow change of energy profile by user

• Suppress change of energy profile by user

Such a behavior controls whether or not a user can change energy profiles and use them
afterwards. If the behavior Suppress change of energy profile by user is chosen, the energy
policy uses energy profiles quite strictly. That means: the baramundi Agent regularly checks
whether or not the profiles are used correctly. Otherwise, in the Allow change of energy
profile by user case, you may use another energy profile at any time.

Figure 6.21.: Job Step
Figure 6.22.: Job Step 2

Takeover by the Device


To assign energy settings to a target system, a job is needed. Via the job step Deploy Energy
Policy (Fig. 6.21) an energy policy can be assigned to a device (Fig. 6.22). A user can choose
between already defined energy policies or the Windows Energy Profile. Selecting this profile
deletes the installed bdAG energy policy and all energy settings are set to the previously used
values. Once the job is done, the device adapts its energy consumption.

Energy Management Views


Target system and Group View. Information about the monitored device is available in the
device view's energy node. Energy consumption is shown as a weekly bar chart. Moreover, an
estimated value of consumption per annum is given.

Figure 6.23.: Energy Consumption/Device

All consumption values are broken down into three possible target system conditions:
• Operating (blue)
• Standby (green)

• Switched off (dark green)

Within the pie-chart, the Runtimes of the Client are shown as:
• Operation days more than 12 hours (red)

• Operation days 8 hours to 12 hours (yellow)

• Operation days less than 8 hours (green)

Under Consumption, the energy consumption costs are estimated. Within a logical group, a
cumulative display with the same information as in the device's view is offered. Here, single
assets are listed with their consumption data.

Switch on/off Energy Management Within the client's properties (Data acquisition tab), you can
switch off energy management by unchecking the Data acquisition active option under
Energy data acquisition. This option is checked by default.

SNMP
The SNMP scanner scans a specific IP range for SNMP devices (e.g. printers, switches, routers)
and shows them on an IT map under Environment/IT Map. To perform a network scan, proceed
as follows:
1. Download the corresponding detection rules.
The detection rule set is provided as a download job and regularly updated. This predefined
standard detection rule set serves for the general detection of SNMP device types (printers,
switches, routers, etc.) and for reading data. These rules cannot be changed. However, you
have the option to add rules as desired. Device detection in the rules and retrieving values of
an SNMP device can be supported by scripts (PowerShell).

2. Create an SNMP profile.
Profiles must be defined for scanning under Inventory/SNMP Profiles. In these profiles the
name and at least one IP range to be scanned must be specified. For each IP range, the SNMP
access parameters, i.e. version and community (so-called credentials), have to be configured,
up to version 3. In addition, select the location of newly detected network devices in the
logical groups.

3. Create a Perform Network Scan job.
For the scan, use Jobs/New/Job for Windows device and then the Perform Network Scan job
step to create the job. In this job step, select the profile to be scanned. The job can only be
run on Windows devices on which the network scanner is installed. The network scanner can
be installed and updated via MSW and is provided on our installation medium.

4. When the job has run successfully, go to the Environment node.

After the scan, you will find the detected network devices in the Logical Groups node. For
devices that were already present before the scan, the collected information is updated. For
Windows and macOS devices, SNMP data can be found in the device views under …
Inventory/SNMP. The IT map itself can be found under Environment/IT Map (see page 61).

Application Usage Tracking


baramundi AUT allows you to generate statistics regarding the use of software in a business.
This enables the system administration to precisely localize potential savings concerning
software that is either not used or not used often and therefore avoid unnecessary license
costs or provide more consistent use.
Moreover, conclusions can be made on the use of comparable applications—e.g. differ-
ent word processing programs. Cost savings can be made using the analysis of such data.
Such usage tracking systems are suspected, sometimes rightfully so, of breaching companies'
data protection guidelines. These concerns were taken into account in the development of
baramundi; as a result, our module records periods, but not points in time. That means that
the exact time or the exact number of uses of a software application by a single user are not
considered; it is the period between the first and last use of the respective application that is
analyzed. The intention of baramundi AUT is the exact measurement of the utilization ratio
of licensed software in order to reduce IT operating expenses. AUT is deactivated by default
and not visible as a module in the suite. It can be used only after licensing. A 30-day trial
license is a component of the bMS software package.

baramundi AUT Mode of Operation


We do not record when or how often software is opened for data protection reasons, only the
date of the first and last use. The following applies:
Unknown A program is given the status Unknown (the rate of utilization is not determined) if a
target system has not been active for 30 days or the program is not used for up to five
days after installation.

Recently used The software receives this status if it was used over the past 30 days.
Not recently used Software is labeled as occasionally used after more than 30, but fewer than 90
days since it was last used.
Unused Software is considered unused since it has not been used in the last 90 days or has not
been accessed for five or more days.
Any time the device logs onto the server, it delivers a list of the applications to be analyzed.
The device thereby checks every minute whether one of these applications is being executed.
Data logged by the device is saved encrypted (plain text is not possible). AUT data (first and
last use) is transferred with the small baramundi Agent inventory that is executed on every
connection. If AUT data is still not provided, the Last Use field remains empty.

baramundi AUT in Use


To log software usage with AUT, the Enable application usage tracking option must be
activated on the AUT tab of the software properties (Fig. 6.25). The agent then checks whether
the program in question is currently being used on the target system. The software is identified
by the executable programs it consists of, which must be stated in this dialog. To specify the
analysis criteria, use the Add buttons. Here (Fig. 6.26), in addition to the path to the program
itself, further criteria can be added to make the analysis unambiguous.

Figure 6.24.: baramundi AUT

Figure 6.25.: Software Properties/AUT
Figure 6.26.: AUT Criteria

Once all settings are complete, the results of an AUT analysis can be used in several places in
the baramundi Management Console.

AUT on a Device. The AUT status of the applications on a target system can be viewed on the
device (Environment) in the Inventory/Software view.

Wildcards are supported here, as in other locations in the program.

AUT on an Application. The evaluation of AUT data can be viewed graphically on the corresponding
application, i.e. for the devices that have this software installed. Two statistics are available on
the Use tab. The Overview view provides a pie chart of all devices, divided according to their
respective usage status.
The Trend view on the right shows how many target systems have worked with this particular
AUT-checked software over a given period. It is possible to filter by usage status*. The default is
Not Used, because this state is normally the most interesting.

* The filter settings do not affect the diagrams, however.

Figure 6.27.: bMC/Inventory/Application Usage

AUT Global Overview


A global overview (Fig. 6.28) of application usage is provided by the respective nodes under
Inventory. Here the administrator is given an accumulated AUT view of all relevant applications
and their usage. All AUT-enabled applications are listed by name. The important information in
this context is on how many devices the respective software is Installed and on how many
devices it is Unused. Combined with the Acquirement Cost Entries (EUR) from the software
properties dialog, this determines the Potential Savings as the product of the individual license
cost and the number of devices that do not use the corresponding software. The number of
devices is displayed as percentages under Overview. The display shows whether the analyzed
application has been recently used (green), not recently used (yellow), is unused (red) or has
not delivered any data (gray).
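The status thresholds from the section baramundi AUT Mode of Operation and the Installed / Unused / Potential Savings figures of this global overview, worked through in PowerShell as an added example. This is not baramundi code: the record fields (LastContact, Installed, LastUse), the function names and the six sample devices are constructed for the illustration, and the Installed count is simply the number of records, i.e. the devices that have the software installed.

```powershell
# Added example, not baramundi code: reproduces the AUT status thresholds from
# "baramundi AUT Mode of Operation" and the Installed / Unused / Potential Savings
# figures of the global overview, over constructed inventory records.
# Record fields (LastContact, Installed, LastUse) are assumed names, not bMS ones.

function Get-AutStatus {
    param(
        [Parameter(Mandatory)][datetime]$Now,
        [Parameter(Mandatory)]$Record      # object with LastContact, Installed, LastUse
    )
    # Device has not been active for 30 days: utilization is not determined.
    if (($Now - [datetime]$Record.LastContact).TotalDays -ge 30) { return 'Unknown' }

    if ($null -eq $Record.LastUse) {
        # Never started: fewer than five days since installation is too early to judge.
        if (($Now - [datetime]$Record.Installed).TotalDays -lt 5) { return 'Unknown' }
        return 'Unused'
    }

    $idleDays = ($Now - [datetime]$Record.LastUse).TotalDays
    if ($idleDays -lt 30) { return 'Recently used' }       # used within the past 30 days
    if ($idleDays -lt 90) { return 'Not recently used' }   # more than 30, fewer than 90 days
    return 'Unused'                                        # 90 days or more
}

function Get-AutOverview {
    param(
        [Parameter(Mandatory)][datetime]$Now,
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][decimal]$LicenseCostEur   # Acquirement Cost Entries (EUR)
    )
    $statuses = foreach ($r in $Records) { Get-AutStatus -Now $Now -Record $r }
    $count = @{}
    foreach ($s in 'Recently used', 'Not recently used', 'Unused', 'Unknown') {
        $count[$s] = @($statuses | Where-Object { $_ -eq $s }).Count
    }
    $installed = $Records.Count
    [pscustomobject]@{
        Installed        = $installed
        RecentlyUsed     = $count['Recently used']
        NotRecentlyUsed  = $count['Not recently used']
        Unused           = $count['Unused']
        NoData           = $count['Unknown']
        UnusedPercent    = [math]::Round(100 * $count['Unused'] / $installed, 1)
        # Potential Savings = individual license cost x devices not using the software
        PotentialSavings = $count['Unused'] * $LicenseCostEur
    }
}

# Constructed sample: six devices with one AUT-tracked application, evaluated as of 2017-06-01.
$now = [datetime]'2017-06-01'
$sample = @(
    [pscustomobject]@{ Device='PC-01'; LastContact=[datetime]'2017-05-31'; Installed=[datetime]'2017-01-10'; LastUse=[datetime]'2017-05-20' }  # used 12 days ago
    [pscustomobject]@{ Device='PC-02'; LastContact=[datetime]'2017-05-30'; Installed=[datetime]'2017-01-10'; LastUse=[datetime]'2017-04-01' }  # used 61 days ago
    [pscustomobject]@{ Device='PC-03'; LastContact=[datetime]'2017-05-30'; Installed=[datetime]'2017-01-10'; LastUse=[datetime]'2017-02-01' }  # used 120 days ago
    [pscustomobject]@{ Device='PC-04'; LastContact=[datetime]'2017-05-29'; Installed=[datetime]'2017-05-29'; LastUse=$null }                    # installed 3 days ago, never used
    [pscustomobject]@{ Device='PC-05'; LastContact=[datetime]'2017-04-01'; Installed=[datetime]'2017-01-10'; LastUse=[datetime]'2017-03-30' }  # no device contact for 61 days
    [pscustomobject]@{ Device='PC-06'; LastContact=[datetime]'2017-05-31'; Installed=[datetime]'2017-03-01'; LastUse=$null }                    # installed 92 days ago, never used
)

Get-AutOverview -Now $now -Records $sample -LicenseCostEur 120 | Format-List
```

Running the block prints one overview object for the sample. The boundary days (exactly 30 or exactly 90 days idle) are not pinned down by the manual, so the functions treat them as the next less favourable status; adjust the comparisons if your own reading differs.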

AUT Device Controlling


As soon as application tracking is activated for a software product, AUT records it on all devices
for which tracking is enabled. Two questions therefore remain: what happens when a new
device is recorded, and what happens when specific devices are to be excluded from
application tracking?

Figure 6.28.: bMC/Software/Applications/Application—Use

Figure 6.29.: Configuration/AUT
Figure 6.30.: Device Properties/AUT

Pre-setting AUT
In order to activate baramundi AUT on all new devices, you need to set the corresponding
option (Fig. 6.29) under Inventory/Settings and Properties/Activate Application Tracking. This
activates application tracking for all target systems newly adopted into the system. This
setting can also be selected when creating new databases.

Excluding Individual Devices from AUT


Sometimes application tracking should not be executed on specific devices, e.g. sales
representatives’ laptops, customer systems or management computers. In such cases,
application tracking can be switched off directly in the device properties on the AUT tab via the
Disable Application Tracking option (Fig. 6.30). To delete previously collected AUT data, click
the Reset Acquired Data button.
The idea behind baramundi AUT is to minimize software licensing costs by measuring the use
of the corresponding applications on the devices. The required data evaluation is carried out
in such a way that few conclusions can be drawn about an individual user’s usage pattern.

7
Compliance
In this Chapter:
baramundi Compliance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Compliance for Windows Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Manage Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Compliance Practice: Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Compliance of Mobile and macOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Observing rules, guidelines or specific regulations is called «Compliance». Compliance
management could therefore be described as policy control. The Compliance module tab
includes both baramundi Compliance Management for Windows systems and compliance for
mobile devices and macOS systems. Any such device could have vulnerabilities that can be
attacked.

baramundi Compliance Management


Today’s IT environments are complex and heterogeneous. Every day, companies large and
small use a variety of software products, each of them with potential security issues that can
be used for attacks. The security of IT operations and operational data is a big challenge for
administrators. The baramundi Compliance Management module supports users by providing
an overview of the security condition of their network at any time.
The module provides a vulnerability scanner* as well as a Windows OS configuration
checker†. Among other things, registry values, file versions and properties are verified. This
ensures, for example, that installed patches are really still in effect after software updates
and other changes.
Using baramundi Compliance Management you have all critical data in a single place. You
will see where vulnerabilities are, as well as a standardized evaluation of their severity. Each
vulnerability entry also gives a number of references to external sources. You will also see all
unwanted Windows OS configurations, with further information about the background and,
if known, approaches to solving the issue. That may be a patch or an updated version of the
product. If you have Managed Software or Patch Management licensed, you can take care of
even more security.
As the administrator of a regular IT environment, you should be aware that 100 percent
regulatory compliance will be difficult to achieve. For numerous product CVEs there are no
updates that remedy them. In other cases, vendors recommend ceasing to use critical
features, which is not an option for some users. So it is possible that baramundi Compliance
Management shows some vulnerabilities that cannot be solved in the short term. Knowing
about these problems, however, allows administrators, in our view, to assess hazardous
situations better.

* in accordance with the «Common Vulnerabilities and Exposures» (CVE)
† in accordance with the standards of the «National Institute of Standards and Technology» (NIST)

A compliance scan may come to different results than a Patch Management scan. Patch
Management relies on data from Windows functions: once a Microsoft update is installed, it
stays valid, even if changes are later made to system files and settings. A compliance audit,
on the other hand, evaluates much more information, such as file and registry data. Errors in
compliance rules cannot be excluded. Testing in individual cases is advisable.

Where vulnerabilities have been localized, what is to be done? Here are a couple of general tips:
• Follow, as far as possible, the solution suggestions of your vendor and deploy, as far as
available, the necessary updates. MSW and Patch Management customers can of course
use those modules. Otherwise, updates can be automated via Deploy, too.
• If a vulnerability was caused by an OEM component, the corresponding product can be
identified via its paths and files using the diagnostic information. Check whether updates
are available and, if so, deploy them.

Compliance for Windows Devices


No executable job steps. In the state at delivery, all configuration rules are still deactivated.
Before the first scan, activate the rules first:
1. Select the Compliance/Windows Devices/Scan Profiles node
2. Double-click the scan profile you wish to use (the rule view opens)
3. Select all rules you wish to activate (the Enabled column still shows No)
4. Select Activate Rule in the context menu or in the action bar
The configuration rule set should not be used in its entirety, but always activated in small
blocks. This makes it possible to analyze the reported vulnerabilities and to develop guidelines
for further usage accordingly. Applying the whole regulatory framework at once could disturb
operations and would certainly result in far too many reported vulnerabilities.

The Compliance/Windows Devices module node provides an overview of the current state of
the last checked systems at any time. The overview shows the most important information in
different diagrams.

Figure 7.1.: Compliance Management for Windows Devices

Under Evaluated Scan Profiles you get an overview of the scans over all scanned systems in
strip charts.
The ring diagram Vulnerability of the Windows Devices shows the vulnerability of the managed
Windows systems: the percentage of systems with no, low, medium and highest threat. The
proportion of systems with no current data is visible, too.
The view Top 5 Violated Configuration Rules shows the five most violated Windows
configuration rules, each listed with the number of systems affected and the severity of the
infraction.
The view Top 5 Vulnerable Devices lists the five systems with the vulnerabilities of the currently
highest degree of danger. These are particularly exposed to attacks.
The view Top 5 Systems by Count of Vulnerabilities shows the five systems with the highest
number of vulnerabilities. These are particularly threatened. In addition, a particularly high
number of found vulnerabilities could be a sign of problems in update management.
The view Top 5 Vulnerable Products lists those software products with the most and most
serious vulnerabilities. The products are shown by name together with their degrees of
seriousness. Most of the displayed information links directly to views that provide additional
information, so you can go directly to the description of a vulnerability by clicking on a CVE
title. The Top 5 views use the same colour code that you see in the legend of the ring diagram
Vulnerability of the Windows Systems.

Manage Rules
Under the Compliance/Windows Devices/Manage rules node, you can define and manage scan
profiles, which are bundles of rules, and the rules themselves.

Scan Profiles
This node includes all profiles to detect security vulnerabilities and configuration issues on
Windows systems. A profile can be opened in an object tab and edited there.
Under the …/Scan profiles node you can Open profiles in this view via their context menu or via
the action bar. These profiles are then opened in their own view, showing all the rules they
contain. A single rule can be activated or deactivated (a deactivated rule is not considered in the
scan). Configuration rules can additionally be edited according to their policies.
The baramundi Management Server updates the security rule databases. For this, a download
job is created and configured for execution. The data is imported by the bMS server service
and can then be seen in the Compliance tab under Windows Devices/Scan Profiles and Rules.

Creating Scan Profiles. From user-defined rules you can create any scan profile; under
Compliance/Windows Devices/Manage rules/Scan profiles, profiles can be seen, changed and created.
A click on New—Custom scan profile opens a dialog to create a new scan profile. Give the new
profile a Name here. There is also a Comment field to describe the new scan profile.
Rules can only be assigned to the profile under …/Content/Custom rules after the settings of the
new scan profile have been saved. Once you have saved the profile, rules can be added by
clicking on the Assign rule action. A dialog appears: move all rules you wish to add to the
profile into the right-hand box.
Before you can use a scan profile, it has to be published via the Publish action. This action
exports the scan profile to \\MyServer\bms$\Client\Compliance*, from where the agent loads
the rules.

* The standard path, but you can change it under Compliance/Settings.

Publishing Updates: If you change profiles, their rules or scripts, you must publish that profile
again. Profile or rule changes are detected automatically; bMC shows a yellow warning sign
when this happens.
Changes to bDS files, however, happen without any warning. Unless you publish again, all devices
continue to use the last published profile version.

Figure 7.2.: Scan Profiles

Custom Rules
Corporate IT environments are usually subject to a set of rules, from device types and firmware
settings to software configurations. Defining such rules is one thing; baramundi Compliance
also gives you the possibility to monitor their observance. To achieve this, you can create rules
as bDS scripts that check whether or not the current settings conform to the defined rules.
Such rules can be put together into individual scan profiles to monitor devices.

Creating Rules. First, you need to define the rules, of course. Once you have all rules defined, a
baramundi Deploy Script* (bDS) has to be created for each and every rule, which monitors that
rule. To do so, you can use registry values, file contents or the output of command line tools.
The crucial factor is in any case the return value of the script. Use the End Script action in the
End with return code mode to set one of the following values:
0 The result of the inspection is positive; the system is rule-compliant.
1 The result of the inspection is negative; the system is not rule-compliant.
-1 The inspection has been canceled; an error occurred.

* See section «Automate» on page 84 for more scripting details.

All user-defined compliance rule scripts are located on the bMS server in the directory
\\MyServer\bms$\Scripts\CustomRules.
Once a script has been created and sufficiently tested, you can create a new rule. To do this,
go to Compliance/Windows Devices/Manage rules/Custom rules and click the New—Custom rule
action in the action bar or context menu. This creates a new rule object, in which some settings
have to be made.
The Rule ID you are asked to give must be unique within the bMS environment. To guarantee
readable identifiers in the long term, you should define a naming convention. If there are
already IDs from existing rules, just take them over. Another convention could consist of the
company name, a rule category (accounts, services, rights etc.) and a unique name or number.
The Title should be chosen clear and unique as well. Under Script you give the path to the bDS
you want to use to check devices against the rule.
Besides those required properties, there are more settings: depending on your internal
evaluation, you can give a rule violation a certain severity. Under Details you can give
information about the checked products, a rule category (which you will later see in a column),
the platforms to be checked, a description of the rule and hints for solving violations.

Showing Scan Results


When you have executed scan profiles on devices via the Execute Compliance Scan job step,
the scan results are shown in several bMC areas.
A first overview is given by the Compliance/Windows Devices/Configuration/Custom view: the
results of all rules on all devices.
Besides that, results can be seen directly in the object tab of a logical group in the
Configuration/Windows Devices/Configuration/Custom node. At the root group level of the
logical group you see the same data as in the Compliance view. Below this top level, only the
results of Windows devices are shown.
Finally, the scan results of individual systems can be checked in the object view of the Windows
device under the Configuration/Windows Devices/Configuration/Custom node.

Vulnerabilities
Detected vulnerabilities of Windows devices can be found under …/Vulnerabilities/Detected.

Detected Vulnerabilities
In tabular form, you will find an overview of known vulnerabilities together with additional
information such as name, severity or affected products. On the right you see descriptions of
the vulnerability, the affected products and operating system versions, possible attack vectors
as well as references to external sources.
Via the context menu/action bar function Add exclusion you can leave this rule out of the
result calculation and therefore out of the result view. You specify the rule exclusion in the
dialog that follows your selection.

Figure 7.3.: Rules

Figure 7.4.: Add Exclusion

Exclusions

The …/Vulnerabilities/Exclusions view on logical groups shows, activates and deactivates all
exclusions for the devices and groups below. So you can see (and delete) all valid exclusions
within the Logical Group node.
A «complete» exception permanently excludes a vulnerability from the evaluation, no matter
under which conditions the vulnerability was found. With a «conditional» exception, the found
files serve as the condition for the exemption. Through such an exception, vulnerabilities are
also excluded from the evaluation, but only as long as the conditions are fulfilled. If a scan
result no longer meets the conditions, e.g. new files are found in other directories, the
exception is evaluated as «partial» and the vulnerability is reported again.
The comment is obligatory; you can save the exception only after you have edited this field.
All exclusions are shown under …/Vulnerabilities/Exclusions. Exclusions for groups can be
removed for sub-groups. However, you cannot define a new exclusion below such a sub-group.

To define exclusions, the security profile of a user must have Modify rights to that object.

Configurations
All configuration violations found are displayed in this node, together with additional
information about the results. Configuration violations can be deleted within these views.

Figure 7.5.: Configurations

Compliance Practice: Windows


The determination of the compliance status is, as is typical for baramundi, done by means of a
job. Execution can take a few minutes to complete. To create a scan job, proceed as follows:

Perform a Scan

1. Create a new job in the Jobs module
2. Enter a unique name
3. Add the job step Execute Compliance Scan
4. Select the profile baramundi Windows Vulnerability Scan and finish the job
5. Assign one or more target systems to the job
6. The scan results can be viewed at the target’s Compliance node

A job should be configured for interval execution to make sure it is executed repeatedly.
Make rules available locally: Before a target system begins the vulnerability scan, it must
always update its local rules. By default it takes the updates from the bMS server. In multi-site
environments, this can cause undesired transfer volume on WAN links. Hence, for such
environments we recommend storing the rule set on the DIP instead of the central bMS server.
To do this, change the setting for the Compliance Base Folder under Settings in the Compliance
tab.

Automatic Resolve of a Vulnerability


Take for example a cyclically running job to check system security. This job uses the baramundi
Windows Vulnerability Scan profile. After the weekly check routine has finished, you realize
there is a vulnerable version of a Java Runtime Environment.
Let us assume that you do not have a Managed Software license. Then you will have to
download and automate a current Java version manually and create an installation job.
Moreover, you need an automatic assignment to get the job assigned to all devices on which
the vulnerability scan finds the vulnerability. To do so you need the corresponding CVE-ID. An
automated assignment looks like this:

Execute job when all of its conditions are met:
Vulnerabilities.CVE Id = CVE-2015-1234

As soon as the vulnerability CVE-2015-1234 is found, the bMS server automatically assigns the
job to install the current Java Runtime. The only restriction is that this job must not yet be
assigned to the target.
However, you should not use this job permanently. At the latest with the very next Java Runtime
version, this job needs to be adapted or substituted. Otherwise you risk the system security
again due to an outdated software version.

Device Compliance State


If a target system has performed a compliance scan, the results can be seen in the object view
of the corresponding device.
The …/Overview node shows data for rapid classification. The Risk Level gives the highest
severity of the vulnerabilities found. Top 5 Vulnerabilities lists the CVE IDs of the five most
serious weaknesses. Under Top 5 Vulnerable Products you see the top five software
applications with the most vulnerabilities. The strip diagrams of Tested Scan Profiles give a
quantitative overview of scan rules and their results. The Scan State node shows a statistic over
scans and their results: not only the type of scan or the scan date, but also details of the scan
results. A list of vulnerable software applications found is in the Vulnerable Products node. A
complete overview of all Vulnerabilities found is in the same node. Here you also get numerous
details: CVE-IDs, descriptions of possible attacks and solutions. Under Configurations you find
similar information about the configuration violations found. Since this information is not only
of interest for a single system, the same surveys can be found within the logical groups. Here
you can see the results of all scan profiles for each device. This view is also useful for
identifying outdated results by the provided time stamps.

Figure 7.6.: Compliance State of a Device

An Example
In your company, automatic login with a domain user account has become widespread simply
because it is easier. This practice presents a risk of misuse. Therefore, a new guideline was
established to stop it. As an administrator, you have to create a script to prevent automatic
login on all devices. Once the script has been executed on all corporate systems, a user-defined
rule should from now on check whether automatic logon has been switched on again. What is
to be done?

Script First, you need a script to achieve this:

1. Start baramundi Automation Studio with an empty script.
2. Add a Set x64 mode action and select Activate explicit x64 mode.
3. Add a Determine variable action with the name AutoLogonPW. As source use Registry.
Set the Registry parameter to HKEY_LOCAL_MACHINE, Key to SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and Value to DefaultPassword.
4. Add an End script action. Set Mode to End with return code. Set Return code to 1.
5. Add an End script condition (context menu). Set Operand 1 to {AutoLogonPW}. Select
Does not match (with wildcards) as Relational operator. Set Operand 2 to NOTFOUND.
6. Add another End script action. Set Mode to End with return code. Set Return code to 0.
7. Save the script under: \\MyServer\bms$\Scripts\CustomRules\CheckAutoLogon.bds

Figure 7.7.: Script
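The same check as an added PowerShell example, so the logic of the bDS steps above can be read and tried in one place. It is not a bDS script and not baramundi’s own code: it reads the Winlogon key from step 3 and follows the custom-rule return-code contract from the section Creating Rules (0 compliant, 1 violated, -1 error). It goes slightly beyond the bDS version by also testing the AutoAdminLogon value, so that an automatic logon whose password is stored outside the registry is still reported; treating that as a violation, the function name, and the way you would run the script from a bDS wrapper are assumptions.

```powershell
# Added example, not baramundi code: PowerShell counterpart of CheckAutoLogon.bds.
# Return-code contract of a custom compliance rule (section "Creating Rules"):
#   0 = compliant, 1 = rule violated, -1 = inspection canceled / error.
# Run from 64-bit PowerShell so the native registry view is read (the bDS
# equivalent is the "Set x64 mode" action in step 2).

# Key from step 3 of the bDS script.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-AutoLogonRule {
    param([string]$KeyPath = $WinlogonKey)
    try {
        if (-not (Test-Path -Path $KeyPath)) {
            Write-Warning "Winlogon key not found: $KeyPath"
            return -1                                   # cannot inspect -> error
        }
        $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

        # Same test as the bDS rule: a DefaultPassword value exists (bDS: {AutoLogonPW}
        # does not match NOTFOUND). A plaintext logon password in the registry is
        # readable by every local user and must not stay there.
        $hasPassword = $null -ne $props.PSObject.Properties['DefaultPassword'] -and
                       -not [string]::IsNullOrEmpty($props.DefaultPassword)

        # Extension over the bDS version (assumption: also a violation):
        # AutoAdminLogon = "1" enables automatic logon even when the password is
        # kept outside the registry, e.g. in an LSA secret.
        $autoLogonOn = $null -ne $props.PSObject.Properties['AutoAdminLogon'] -and
                       [string]$props.AutoAdminLogon -eq '1'

        if ($hasPassword -or $autoLogonOn) {
            # Report the fact only; never write the password value to a log.
            Write-Host "Violation: DefaultPassword present = $hasPassword, AutoAdminLogon enabled = $autoLogonOn"
            return 1
        }
        Write-Host 'Compliant: no automatic logon configured'
        return 0
    }
    catch {
        Write-Warning "Inspection failed: $($_.Exception.Message)"
        return -1
    }
}

# The exit code carries the result, e.g. for a bDS wrapper that evaluates it, or when
# started as: powershell.exe -NoProfile -File CheckAutoLogon.ps1 ; echo $LASTEXITCODE
$result = Test-AutoLogonRule
exit $result
```

Messages go to the host and warning streams on purpose: anything written to the output stream inside the function would be returned together with the numeric code and break the single-value contract. Because the page states that custom rules are bDS scripts, the PowerShell file would still need a bDS rule script that runs it and maps the exit code to the End with return code action; that wrapper is not shown here.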

Rule Now that you have your bDS check script, a user-defined rule has to be created:
1. Open Compliance/Windows Devices/Manage rules/Custom rules.
2. Select the New—Custom rule action
3. Give a Rule ID, e.g. Accounts.AutomaticLogin
4. Give a Title, e.g. Deactivate Automatic Login
5. Select the Script you have just created. According to the example above:
\\MyServer\bms$\Scripts\CustomRules\CheckAutoLogon.bds
6. Set Severity to High

Figure 7.8.: Rule

Figure 7.9.: Profile

Profile Now a scan profile has to be created to which the rule just generated is assigned:
1. Open Compliance/Windows Devices/Manage rules/Scan profiles.
2. Select New—Custom scan profile from the action bar.
3. Give a Name, e.g. Deactivate automatic login
4. Under Comment you can describe your profile, e.g. Profile detects automatic logins
on devices.
5. Save the new profile.
6. Under Compliance/Windows Devices/Manage rules/Scan profiles, double-click the new
profile to get into the detail view.
7. Now select the Assign rules action.
8. On the right side of the dialog that appears, select the rule just created,
Accounts.AutomaticLogin, and push the right arrow button to move it to the right side of the
view. Then click Assign.
9. Again select Compliance/Windows Devices/Manage rules/Scan profiles and right-click your
new profile. In the context menu select Publish.

You can now deploy the new scan profile via jobs to detect devices with an automatic login.

Compliance of Mobile and macOS Devices


Under the Compliance module node, rules are defined and checked by compliance scans.
Should mobile or macOS devices violate one of these rules, they appear graphically within the
view, so that a possible violation of rules can be detected quickly.

Rules
To establish compliance management, rules must be declared. Such rules are created,
managed and verified under Compliance/Mobile Devices and macOS/Rules. Within the Rules view
you can:
• New/Rule (adds a new rule)
• Edit (opens the rule’s properties for changes)
• Delete (permanently removes a rule)
• Activate Rule (puts a deactivated rule into action again)
• Disable Rule (puts a rule out of operation without removing it)
• Check Selected Rule(s) (manually checks one rule for violations)
• Check All Rules (manually checks all rules for violations)

Create a Rule
To create a rule, select the New/Rule action and a rule type.
Apps The rule type Apps consists of Unwanted app, Required app and Version check. Unwanted or
required apps can be selected via a store search or from a list of known apps. Optionally, a
minimum version (from version) and/or a maximum version (up to version; not available for
Windows Phone) can be defined.
Jailbreak* Once the security system of a device has been broken, there is a higher risk of data
loss. Therefore, a rule† can be created that informs the administrator about this fact (a
baramundi Management Agent must be running on iOS devices to use this function).
OS Here, you can permit different OS versions.
Inventory Inventory data should be up to date, because such data is the basis of other compliance
rules. Inventory rules define a maximum age in days or weeks for hardware and software data.
A similar definition can be made (not for macOS devices) for the Last contact to the device.
* for iOS and Android only
† To detect such conditions, a baramundi Agent is necessary for iOS devices.

Figure 7.10.: Compliance of Mobile Devices

Figure 7.11.: Rules of Mobile Devices

For all rule types: To finish a rule, conditions (e.g. platform, manufacturer, model, category,
owner) can be given or omitted. If there are several conditions (rows), at least one of them must
be true. Alternatively, you can select that the rule will only be used if none of the conditions
apply. Finally, some information has to be given for the violation case. For more information
see the next section.

Violations
When creating a new rule, information on violations is finally necessary. Violations of rules are
measured by their severity; the severity is defined in the last New/Rule dialog:
• Light Violation
• Medium Violation
• Severe Violation

The classification can have an effect on job execution. For example, jobs can be executed with
light or medium rule violations, while jobs cannot be executed with severe violations. To disable
an existing rule without deleting it, the validation option active can be unchecked. Moreover, a
rule violation can assign job(s) automatically. To do so, just click Add job and select one or more
from the list of already created jobs. A description is generated automatically; it can be
changed as needed. The end user should be informed why a policy violation exists. All
baramundi Mobile Agents offer a view of the current rule violations, which gives the user an
overview of the current problems of his mobile device. The description should guide him to
correct a rule violation.
To observe rule violations, the Management Center offers (1) a graphical view under
Compliance/Mobile Devices/Dashboard as well as (2) a tabular view within the …/Violations node.
Even if it is difficult, if not impossible, to avoid rule violations on mobile devices, you can at
least localize them via baramundi compliance management. Each rule violation is recorded
with the date and time of its creation and correction, for later reference. It is possible to ignore
an active violation. Such an ignored violation is not shown on the dashboard. Ignoring can be
undone at any time. Jobs can be assigned, for example to update inventory data, so that a
missing app can be installed immediately.

Figure 7.12.: Rule Types
Figure 7.13.: Rule Types
Figure 7.14.: Rules
Figure 7.15.: Rules 2
Figure 7.16.: Rules Violations
Figure 7.17.: Violations

8
Patches
In this Chapter:
Upgrade Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Combinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Integrated Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Basic Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Manage Bulletins & Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Distributing Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Controlling the Windows Update Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
WSUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Online Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Example: Perform an Online Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Microsoft regularly updates its products. In order to operate a secure and stable IT environment, administrators should bring their systems to the latest version at least once a month. Often, just a few days after a security gap is announced, so-called exploits are in circulation that use these gaps to obtain user data or to cause damage. For this reason, the appearance of security-relevant patches rated «critical» by Microsoft requires an immediate reaction from your company.
Based on the technology of our baramundi Management Suite, we have created an easily operated tool for patch management. It gives your patch policy more flexibility and an overview of your computers’ patch status, which means a significant increase in the security of your entire network.

Upgrade Paths
The baramundi Management Suite offers two ways to update managed target systems. Customers can choose between a fully integrated solution and a bMS-controlled use of the Microsoft channels. The integrated variant offers target systems the entire scope of the Microsoft security patches as well as numerous service packs, security rollups and similar cumulative updates*. Sources are provided exclusively by the bMS DIPs. This, of course, provides all comfort features like DIPSync and bBT. Alternatively, the Windows Update Agent (WUA) can be controlled with a bMS job by the baramundi Update Agent (bMA).

* The extent of the available update is based on the catalog published by Microsoft with
the wsusscn2.cab.
Figure 8.1.: baramundi Patches

Depending on the configuration, sources can then be loaded from a local WSUS or directly from the Internet*. In this way, besides security updates, functional and third-party updates (e.g. Skype) are also available.

Combinations
Updating a system using the WUA extends the administrator’s room for maneuver. It should not be overlooked that a combined approach of both patch management technologies can be quite useful. Only the integrated solution benefits from the full scope of the bMS functionalities. These include baramundi Background Transfer, DIPSync and detailed state information, which shorten the duration of a job and simplify source management. They provide detailed information about the state of a managed system. In this way, a combination leads to more effective management.

* Please note that each device downloads the sources individually. That may lead to a high volume of data transfer.

Additional Usage
You want to rely on proven processes and operate your existing AD/WSUS infrastructure unchanged? Even then baramundi Patch Management can provide a valuable supplement: With the WUA control, you can always deploy certain updates to certain targets. The job control always provides an overview of all update processes.

Required Software: Numerous products require certain system updates for their correct function. These are linked, automatically or manually, to the corresponding application. Alternatively, the WUA can also be used job-controlled here.

Integrated Patches
baramundi software AG usually publishes the patches a short time after Microsoft does. Our catalog includes all Microsoft products and languages available as offline security updates*. Publications outside the regular cycle are also provided in a timely manner. The baramundi Management Server downloads the catalog of available updates from our download servers. The source files for the actual updates are available directly from Microsoft. If the servers do not have direct Internet access, a proxy service can be specified (Configuration/Server/Downloader).
Before publication:
• Patch functionality is checked,
• Defective patches are blocked and
• Patch descriptions are adjusted.

The basic procedure for a patch update is briefly illustrated above. As mentioned: Microsoft provides the published patches for offline processing (wsusscn2.cab). This file is converted to an XML file called BPMdata.xml and is processed as follows:
The server downloads both files from baramundi’s website. Patch information is imported into the database. The installation sources are downloaded, according to the configured release method, and copied to the DIP together with BPMdata.xml. Wsusscn2.cab is used on the target system to check which patches are missing or need to be updated.
For this, the device updates its local copy of Wsusscn2.cab from the baramundi Management Server during a patch job. After a patch scan, an XML file is created on the device and sent to the server. The FileConnector module imports this file for each device and writes the corresponding information into the database. All patches required by the target system that have been released in the database are distributed. Releases are given either automatically or manually.

* Based on the Windows Update Offline Catalog, which is also used by the Microsoft Baseline Security Analyzer.

Figure 8.2.: Patches Working Procedure (diagram: baramundi and Microsoft download servers behind the firewall deliver wsusscn2.cab, BPMdata.xml and the patches and updates to the bMS SERVER and DIP, which in turn supply the managed DEVICEs)

Basic Settings
Several preparations must be made to distribute patches. The necessary download jobs are already created via the default settings. Specifically, these are the downloads for the files Wsusscn2.cab and BPMdata.xml. The jobs can be found under Configuration Download Jobs (see fig. 8.3).

wsusscn2.cab
URL: https://patchmgmt.bms-downloads.de/wsusscn2.cab
Local name: {bpmFolder}/wsusscn2.cab

BPMdata.xml
URL: http://patchmgmt.bms-downloads.de/bpmdata3_signed.zip
Local name: {BMSPath}/FileImport/bpmdata3.zip*

* The files are transferred compressed.

Figure 8.3.: Download Jobs

Download jobs can be planned for downloads at specified intervals or performed immediately using the context menu of a download job. The execution interval is set in the properties of the download job. Settings are made in the Interval list field—the entry 5:00 in Figure 8.4 stands for daily at 5:00 am.
In the State column, you can see whether a download was successful; an error message appears if problems arise. After the download, BPMData3.zip is automatically unzipped (BPMData.xml) and imported into the baramundi database by the FileConnector module. The progress of this import is displayed in percentages under Configuration Server Module State. Although the Wsusscn2.cab file is downloaded from www.baramundi.de, it is the original Microsoft file. You can check this via the file properties on the Digital signatures tab. We only buffer this file because Microsoft often makes changes to Wsusscn2.cab outside the normal patch cycles.

Figure 8.4.: Download Job
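The following PowerShell script is an added example and not part of the manual: it verifies that a buffered wsusscn2.cab carries a valid Authenticode signature from Microsoft, as the Digital signatures check above describes, and then performs the kind of offline scan against the catalog that the patch scan job relies on (see the working procedure earlier in this chapter), using the public Windows Update Agent COM API. The path C:\Temp\wsusscn2.cab is an assumption.

```powershell
# Added example (not part of the baramundi manual): verify that a buffered
# wsusscn2.cab is the genuine Microsoft-signed catalog, then use it for an
# offline scan with the Windows Update Agent, as the patch scan job does.
# Assumptions: $CabPath points at the copied catalog; run in an elevated
# PowerShell on the target system.
param(
    [string]$CabPath = 'C:\Temp\wsusscn2.cab'   # assumed local copy of the catalog
)

# 1. Authenticode check: the file must carry a valid signature whose signer
#    is Microsoft, regardless of which server it was downloaded from.
$sig = Get-AuthenticodeSignature -FilePath $CabPath
if ($sig.Status -ne 'Valid') {
    throw "wsusscn2.cab signature is not valid (status: $($sig.Status)); do not scan with it."
}
$subject = $sig.SignerCertificate.Subject
if ($subject -notmatch 'O=Microsoft Corporation') {
    throw "wsusscn2.cab is signed, but not by Microsoft: $subject"
}
Write-Host "Catalog signed by: $subject (thumbprint $($sig.SignerCertificate.Thumbprint))"

# 2. Offline scan: register the cab as a scan package service and search it
#    for updates that are applicable to this system but not installed.
$session        = New-Object -ComObject Microsoft.Update.Session
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$offlineService = $serviceManager.AddScanPackageService('Offline Sync Service', $CabPath, 1)

$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3                     # ssOthers: use the service set below
$searcher.ServiceID = [string]$offlineService.ServiceID
$searcher.IncludePotentiallySupersededUpdates = $true
$result = $searcher.Search('IsInstalled=0')

# 3. Report what the scan found, the same information the agent's scan result
#    carries to the server; nothing is installed here.
Write-Host ("{0} applicable update(s) missing:" -f $result.Updates.Count)
foreach ($u in $result.Updates) {
    $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    '{0,-14} {1,-10} {2}' -f $kbs, $u.MsrcSeverity, $u.Title
}
```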

Patches Configuration

The basic configuration of Patches is performed here. The following functions are available via the context menu Properties.

General. All scan and folder settings are entered here.

Scan Command: (Fig. 8.5) is the command that initiates a patch scan. This line should generally be left unchanged.
Patch Base Folder: The UNC path where the file wsusscn2.cab can be found. In case of doubt, this line should be left unchanged*.
Set Default Values: Resets both lines to their default values.

Languages. The languages to be made available for Patch Management can be selected here (Fig. 8.6). The downloadable patches are relatively large, so your selection should only include languages that are actually necessary within the infrastructure (normally the country’s language and English).

* Normally this means a very clear structure in terms of only one possible location. Otherwise, it would be better to enter the DIP instead of the baramundi Server.

Figure 8.5.: PatchMGT: General
Figure 8.6.: PatchMGT: Language
• The bulletin descriptions are available in German and English.
• Checked boxes indicate which languages will be downloaded. The selected languages will be downloaded based on the settings in the configured releases.

English as a super-language: In Patches, English applies not only to all updates localized in English itself, but also to all multilingual packages. It must therefore always remain active!

Products. In this tab (Fig. 8.7) you can define product-related settings and patch downloads. A distinction has to be made between manual and automatic releases: If Manual release is activated, every patch or bulletin must be released by the user manually. An Automatic release does not necessarily mean an immediate update on all affected systems. Installations are performed only by a patch update job. If preferred, a filter can be set at the job level for a multi-stage installation, to hold back patches that have already been released. For more details on bulletin filters see «Distributing Patches». In addition, you can decide whether the patch files are to be downloaded On Availability or On Demand. In the second case, a patch is downloaded only when a device is determined to be missing it during a scan and has transferred the result to the bMS. We recommend downloading on availability.

Figure 8.7.: Products Figure 8.8.: User Criticalities

• Release Mode:
Automatic Patches for the product are released automatically.
Manual Patches for the product need to be released manually.

• Download Mode:
On Availability Patches are downloaded as soon as they are released.
On Demand Patches for this product are downloaded after release, once a patch scan determines that a patch is missing.
Manual The patch download must take place manually.

User Criticalities. Here you can create your own criticalities for the individual classification of bulletins and baselines. By default, this tab (Fig. 8.8) includes the criticalities that correspond to the Microsoft categories. Should more criticalities be needed, entries can be added.

Priorities. Used to group target systems into baselines. The Default priority is available.

SLAs. The priorities and criticalities are used to generate a table that shows the SLAs (Fig. 8.10). The number in each cell defines the maximum permissible number of days before a patch of the specified criticality has to be applied to a group of systems in a class. With baselines (defined by the administrator), reports can be made on compliance with the installation times defined by the SLAs.

Figure 8.9.: Priorities Figure 8.10.: SLAs

Figure 8.11.: Patches

Figure 8.12.: Patch List

• Priorities are shown in columns.
• User criticalities are shown in rows.
• The value in a cell represents the maximum permissible number of days within which a patch has to be applied. If this period expires, all relevant patches are marked as overdue (red label).

Manage Bulletins & Patches


The term «bulletin» is used by Microsoft to refer to an entry in the patch database. A bulletin generally relates to several products, which are then provided with different patches. After the BPMData.xml file has been imported successfully, all available bulletins can be found in the bMC under Patches Bulletins & Patches.
After BPMData.xml is updated or a bulletin is changed, you will need to refresh the display via the update button in the update bar. The view on the Patches node provides an overview of the release and download state of the patches. Data are grouped by year. Clicking on a year takes you to a detailed view for that year (Fig. 8.12). Here you can change the release state of entire bulletins. Select the check box of the desired bulletins, and select one of the actions to grant or revoke a release. Click on the arrow symbol (Fig. 8.13) to obtain information about each bulletin. Again, it is possible to assign or revoke approvals manually. However, only patches can be selected in this view. To edit bulletins, close the detailed view by clicking the arrow icon again.

Figure 8.13.: Patch Description

Table View
In the node Bulletins & patches you will find a complete tabular overview of all bulletins known in the database. In principle, the same activities are provided as in the previously described Patches node view.
In addition, however, you can lock bulletins or create uninstall applications in this list. To lock a bulletin, select the devices for which a lock entry is to be generated. As long as the entry exists, the installation of all associated patches is ignored. You will find an overview of the current locks under Blocked bulletins. Here, the entries can also be deleted.
Creating an uninstall application places an application object under Software/Windows Applications whose uninstall information instructs the baramundi Windows Update Manager to remove a specific bulletin from the system. Since not all Microsoft updates are removable, the action can fail in individual cases.

Distributing Patches
Patch jobs are—as usual—saved in the Job area. Select the job step Deploy Microsoft Patches (Fig. 8.15).

We recommend creating one job for scanning and another job for installing the necessary patches. This way you receive a device state message without interrupting the respective user.

Figure 8.14.: Job Name Figure 8.15.: Patch Job Step

Figure 8.16.: Scan Only Figure 8.17.: Scan and Deploy

In the next dialog, ensure that the action Scan only is selected (Fig. 8.16). In the Scan context
dropdown menu, you can select Configured install user or Local system. We recommend the
use of Local system. Finally, the defined patch scan job will be summarized in a text message.

Figure 8.18.: Bulletin Filter

A second job can be used to install patches onto target systems. You will need to run a patch scan on the target system first. Missing patches are then reported to the baramundi Management Server. The released patches are then installed, based on the applicable settings. A final reboot is performed, and a new patch scan is started.
Select Scan and deploy (see Fig. 8.17) under this patch job’s Options. In the following dialog the bulletin filter can be activated. Without a filter, a patch job installs all released patches that a target system reports as missing and that are not exclusive. The bulletin filter can be used to prevent automatically released patches from being distributed immediately, as is usual in multi-level patch deliveries. In addition, the bulletin filter must be used to distribute so-called exclusive bulletins. These are updates that require an immediate reboot and thus cannot be installed together with other patches. In most cases service packs are exclusive. Deploy them either as a separate job or by giving the recurring update job additional steps.

An Example
This example shows only a patch update with a subsequent patch installation.

Updating Patch Data

Download jobs for Wsusscn2.cab as well as BPMData3.zip are already preinstalled under Configuration/Download Jobs. A corresponding patch update interval is also included in the settings. In that respect, this parameter does not need additional administration unless the interval is to be changed. For the example, this file update is carried out manually:
1. Select Download Jobs.
2. Select Execute now in the context menu of PatchMgmt BPMData3.zip.
3. Select Execute now in the context menu of PatchMgmt Wsusscn2.cab.

You can monitor the execution of download jobs under Server State. The Downloader displays the download (depending on the set intervals); the FileConnector signals the import of BPMData.xml into the database.

Releasing Patches
Here you can manually change the released/unreleased state of bulletins and patches.
1. Select the Patches Bulletins & Patches node.
2. First select the corresponding year and
3. then the bulletins.
4. Select them and release via the Release button.

Figure 8.19.: Releasing Patches

The Release Level can be read in the column on the Patches node. Releases that have already been distributed can also be revoked via Unrelease Bulletin in the action bar.

Downloading Patches (Microsoft)

The first downloads are usually carried out after release. However, Patches also provides alternatives.
1. Select the settings in the Patches tab and open the node properties. Within the Products tab, the download behavior is adjustable. There are three alternatives to choose from under Download Mode: The option On Availability ensures that the patch is downloaded as soon as it is released by Microsoft, regardless of whether the patch is actually needed or not. Selecting On Demand initiates a download only if the patch is reported as needed by at least one system. By selecting Don’t Download, the identified patch is not downloaded. This setting is only recommended in environments where the bMS server does not have direct Internet access. Instead, a second bMS server with an Internet connection is installed for this purpose, and the sources are copied from there to the internal DIP.
2. Make your selection according to the download states.
3. Confirm your selection with OK.

Figure 8.20.: Download Job

Installing Patches
The download status can be examined in the Overview node. To do this, select the relevant class group of the desired bulletin and open the expanded view of the test bulletin. The DL column in the table of contained patch files gives information about the download status. Whether the download is still pending can be followed in the Patches module tab.
Subsequently, the required patches must be installed on the respective target systems. This normally takes place via jobs:
1. Create a new job: Jobs/New—Job for Windows Device.
2. Name the job and select Deploy Microsoft Patches.
3. Select the Scan and deploy entry under Actions and baramundi Patches as the update source.
4. Leave the bulletin filter settings empty.
5. Complete the job.
6. Assign the job to a device.

Controlling the Windows Update Agent

Many companies already use Windows Server Update Services (WSUS) to maintain their Microsoft products. In general, group policies control the installations. For many users, however, this method lacks control and transparency over the actual execution, requirements that a bMS job satisfies more effectively. A job controls the timing and sequence of updates. The bMS ensures trouble-free operation, even if several tasks are triggered simultaneously. The target system draws its sources from the WSUS infrastructure, as before. On request, a target can be updated online (Windows/Microsoft Update).

Conditions
To install updates via the Windows Update Agent, either a working installation of Windows Server Update Services must be present, or the target systems must have direct Windows Update access. All target systems must have a valid configuration of the local Windows Update Agent*. We recommend creating an appropriate group policy for this purpose. Two settings are relevant:
1. Automatic updates are disabled; Setting: Computer Policy/Policies/Administrative Templates/Windows Components/Windows Update/Automatic Updates Value: Disabled
2. The URL of the respective WSUS server (if available); Setting: Computer Policy/Policies/Administrative Templates/Windows Components/Windows Update/Internal Microsoft Update Path Value: Activated – HTTP://<YOURSERVER>:<PORT>

baramundi Background Transfer (bBT) cannot be used if WSUS is in operation.

WSUS
The entire configuration—releasing and downloading patches—is done via the WSUS management tools. Some of the job step’s filter options are invalid, since the adopted WSUS policies take precedence. Sources needed within the environment must be provided via local replica servers.

Online Update
To update Microsoft products directly from the Internet, target systems only need to be allowed to access the relevant websites. However, it should be considered that a high volume of data transfer can occur this way, because each system downloads its sources individually.

The connection between the client and the WSUS should be https instead of http, to prevent manipulation of the system updates in transit.
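As an added example (not from the manual), this PowerShell function audits the local Windows Update Agent policy on a target system against the two conditions above and the https recommendation; it reads only the registry values written by the Windows Update group policies and changes nothing.

```powershell
# Added example (not part of the baramundi manual): read-only audit of the local
# Windows Update Agent policy against the conditions listed above. The registry
# paths are the ones the Windows Update group policies write to.
function Test-WuaPolicy {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    $findings = New-Object 'System.Collections.Generic.List[string]'

    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # Condition 1: "Configure Automatic Updates" must be Disabled (NoAutoUpdate = 1),
    # so that the bMS job, not the agent's own schedule, controls timing and sequence.
    if ($null -eq $au -or $au.NoAutoUpdate -ne 1) {
        $findings.Add('Automatic Updates are not disabled (NoAutoUpdate <> 1); the WUA may install on its own schedule.')
    }

    # Condition 2: if a WSUS server is configured, the agent must be told to use it
    # (UseWUServer = 1), and the URL should be https so that update metadata cannot
    # be tampered with on the way to the client.
    if ($wu -and $wu.WUServer) {
        if ($au.UseWUServer -ne 1) {
            $findings.Add("WUServer is set ($($wu.WUServer)) but UseWUServer <> 1; the agent will ignore it.")
        }
        try   { $uri = [uri]$wu.WUServer } catch { $uri = $null }
        if ($null -eq $uri -or $uri.Scheme -ne 'https') {
            $findings.Add("WSUS URL '$($wu.WUServer)' is not https; prefer https:// for the intranet update service location.")
        }
    } else {
        # No WSUS configured: the target then needs direct Windows Update access
        # for an online update (see the Online Update section).
        $findings.Add('No WUServer configured: the target needs direct Windows Update access for online updates.')
    }

    [pscustomobject]@{
        NoAutoUpdate = $au.NoAutoUpdate
        UseWUServer  = $au.UseWUServer
        WUServer     = $wu.WUServer
        Findings     = $findings
    }
}

$report = Test-WuaPolicy
$report | Format-List
if ($report.Findings.Count -eq 0) {
    'WUA policy meets the conditions for a bMS-controlled update.'
}
```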

The End User License Agreement for installing updates is accepted automatically.

Example: Perform an Online Update

The steps necessary for an update via Windows Update are described below. The test system used in step 8 must meet the above conditions for an online update.
1. Create a new job.
2. Assign an appropriate name.
3. Add the Deploy Microsoft Patches job step.
4. Select the update source Windows Update Online – Windows Updates only.
5. Select the update type Important Updates.
6. Select Update, Definition Updates, Important Updates and Security Updates.
7. In the Job steps dialog, change the error behavior to Ignore errors and continue job.
8. Finish, assign the job to a test system and check the result.

* Troubleshooting: Please check whether local updates are available for installation. If not, check the local configuration.

Error behavior for update jobs: If an error occurs during job execution, the agent aborts the update. For this kind of job we recommend setting the error behavior Ignore errors and continue job. This is possible both in the job creation wizard and by subsequent editing.

Configuration
The dialog Select update allows a whole range of settings to customize the update, if required.

Types of Updates. Select whether only important updates, critical and recommended updates, or optional updates should be installed. Optional updates must always be used with exclusions. Accessing a WSUS does not affect this setting.

Classification. Specify which types of updates you want to install.

Define Products: Installs updates exclusively for the products named here. Please pay attention to the correct spelling of the localized product names, for example «Sprachpaket» or «Language Pack». The use of wildcards (*, ?) is permitted. Multiple entries are separated by commas.

Additional Updates: Forces the installation of the patches specified here by KB number, provided they are reported as missing. The settings for Types of Updates, Classification and Products are ignored for them. Multiple entries are separated by commas.

Exclude Products: Installs updates for all products except those named here. Please pay attention to the correct spelling of the product descriptions. Multiple entries are separated by commas.

Exclude Updates: Disallows the installation of specific patches, regardless of all other settings in the dialog. This also overrides the setting Additional Updates. Multiple entries are separated by commas.

Installation Context
For installation, job creation offers two different options: By default, LocalSystem is used to perform the update. In this context, however, not all installations can be carried out. Drivers or other updates that need interaction by a user must be deployed as the installing user. There are things to consider in this context, too: installation on shutdown is only supported as LocalSystem.

Restart Behavior
The installation of patches often requires a restart of Windows. As part of a job for deploying Microsoft patches, the baramundi Management Agent controls restarting. Unless reboots were suppressed in the job, the agent performs them as needed. As many updates as possible are cumulated. Only when no further patches can be installed, or an exclusive update (for example, a service pack) is pending, does the agent restart the system. The actual number of required system startups always depends on the elements to be installed.
To avoid disruptions, a reboot may be suppressed in the Deploy Microsoft patches dialog. Since this may cause inconsistencies in the operating system, we do not recommend activating this option by default. Try to let necessary reboots run as directly as possible. Jobs offer a variety of settings that assist you with this. Some examples are mentioned below.
• Target systems can be woken via WakeOnLAN at night for installation and shut down again afterwards.
• Jobs can be prepared for execution on shutdown (either generally or when instructed by the user). Make sure to use Local System as the update context. A restart needs to be suppressed here, as the executing system is being shut down.
• A job can allow users to defer a pending reboot.

9
Extensions
In this Chapter:
Mobile Devices Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Configure End Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
VM Provisioning Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Licence Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Special Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Management View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Reserved Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Crystal Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
amando Miss Marple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Personal Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Import/Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Personal Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

The extension module is a kind of tool box, containing general functions to get the baramundi Management Suite running.

Mobile Devices Profiles

The baramundi Management Suite allows users of baramundi Mobile Devices to configure their managed end devices with profiles. A profile is a data object which contains one or more device settings. Currently, bMD profiles support the iOS, Android and Windows Phone platforms. Profiles can be installed and uninstalled via a job at any time.

Configure End Devices

bMD profiles allow universal configurations. You only have to configure a profile for a WLAN access once, even if it has to work for different target platforms. That is because the bMS server creates the platform-specific code only upon delivery to the target. Functions that exist on a single platform only can be used as a supplement.
Figure 9.1.: Create a Profile

The most important features of bMD profiles are:

• Universal profiles mean: Configure once, deploy as often as you want.
• iOS, Android, Samsung Knox* and Windows Phone complement the universal settings with individual function features.
• Native IPCU profiles (iPhone Configuration Utility) can be imported and deployed.

Create a Profile

Mobile device profiles can be found in the Extensions node. From this view, you can always create new profiles. For this purpose, click on New Profile in the action bar below the tabs. This opens a new view called New Profile. You have to give some information before the actual configuration can be made. In the profile’s overview you must specify a name and an identifier. The name and the identifier must be unique. Therefore, it is recommended to define a namespace for identification; software development offers some examples. A namespace for profiles in our company might be de.baramundi.security.code.short. A description can be added, additionally.

* An Android extension with extended management features on Samsung devices with Android 4.0 with KNOX support.

Figure 9.2.: Configure a Profile

Then profile blocks have to be added and configured. Finally, save your profile via the Save button at the bottom right. If you try to close an unsaved profile, a message appears.

Configurable Settings
bMD profiles divide settings into building blocks. Depending on the options, a block can be included in a profile once or added multiple times. The following blocks can be selected:
Restrictions This block contains settings for system functions, such as turning off a camera. This block contains no universal settings. A restrictions block can be added just once.
Security Policies This block contains password protection settings for mobile devices. Here—among others—standards for strong passwords can be set, as well as time frames for automatic screen locks. A security policy block can be added to a profile just once.
Blacklist With a blacklist you can prevent apps from being installed/executed under iOS*, Android† and Windows Phone‡. A blacklist has similar effects on Android and Windows Phone devices.
Whitelist With a whitelist you can allow apps to be installed/executed under iOS*, Android† and Windows Phone‡.
* from version 9.3 and supervised only
† with Samsung KNOX 2.1; see also page 111
‡ with Windows Phone 8.1; see also page 111
Other Settings These settings contain options to manage a mobile device itself.
Webclip With webclips you can link web apps or websites to user-defined icons on iOS home screens.
Exchange Account With this configuration block, the information necessary to configure a profile for Microsoft Exchange e-mail is created. It is recommended to use variables*.
WiFi Access data for WLAN networks can be deployed by a WiFi configuration block. This block type can be added multiple times to a profile.
VPN This module contains all necessary settings to configure VPN connections. The universal settings apply to iOS and Android devices with Samsung Safe only. A VPN block can be added multiple times to a profile.
APN Mobile devices need Access Point Names (APN) to connect to a mobile data network. This profile module saves the configuration of a provider for a public or private APN.
SCEP This configuration defines which SCEP interface† should be used by a device to establish a connection for requesting a new certificate for an Exchange account.
Certificate Via this profile item you can deploy certificates directly to mobile devices.
You can deploy signed profiles if an official code signing certificate is available under Configuration Mobile Devices (see page 225). You can buy such certificates from several providers, e.g. VeriSign. Because iOS devices trust the root certificates of such companies, a profile signed and deployed by the bMS will be trusted, too.

Deploy IPCU profiles. Clicking New Profile opens a drop-down menu that contains the action
Import iOS Profile. Then select the Mobile Config file you want via the browse dialog. To use
variables in your IPCU profiles, make sure to export them unsigned.
If you import an IPCU profile that contains a SCEP configuration block, that block is rebuilt
so that all device requests are sent to the bMS server first. This works for unsigned profiles
only; signing a profile therefore prevents this substitution.
During an import, the bMC looks for a matching SCEP instance in the bMS configuration. If it
finds one, it inserts the bMS server instead of the actual endpoint. Access then does not go
directly to the PKI but is passed through the bMS server. This ensures that only requests from
bMS managed devices reach the PKI. The PKI can then be configured so that it no longer
communicates with any other IPs.

* The variables used within Exchange profiles are based on AD synchronization data. It
is therefore assumed that a synchronization with AD is in place and that managed devices are
assigned to an AD user. Otherwise, the Exchange account setup will fail!
† Network Device Enrollment Service

Managing Mobile Device Profiles
You will find an overview of all known profiles in the Extensions tab under Mobile Devices/
Profiles. Besides the profile's name and identifier, the table shows the following data:
Signed iOS profiles created with the IPCU can be signed and then exported. In that case the
properties are shown here.
Type Profiles are assigned either to the Configuration type or to the Security type. Security profiles
are subsequently created by the IPCU.
Editable Profiles created in the baramundi Management Center are editable at any time. Imported
iOS profiles must be edited via the IPCU. Once your changes have been made, the profile
must be imported again.
Used Shows in how many jobs the profile has been used.

Jobs for installing and uninstalling mobile device profiles can be created directly from the
profile management. Select the desired profile and then Create Install Job in the action bar.
The action for creating an uninstall job can be found in the drop-down menu.

Example: A Security Profile

1. Open the Extensions view.
2. Click on the Mobile Devices Profiles node and there on the New Profile button.
3. Give your profile a unique name.
4. Give your profile a unique identifier.
5. Click on Add.
6. Select the Security policies type.
a) Set a minimum password length of five characters.
b) The password quality should be numeric.
c) Leave Password Validity blank.
d) The Password History should have five entries.
e) The Display Timeout is 90 seconds until activation.
f) Ten Password Retries before Wipe should be allowed before the device is reset.
7. Click on Save.
8. Create a job to install the profile. Assign the job to a test device.

Profile Consistency
Since only iOS provides integrated profile management, only these profiles remain consistent.
On this platform, installed profiles can always be inventoried or uninstalled. On all other
platforms, profiles can only be simulated. For installation and removal, the settings contained
in the profile are applied and rolled back. An inventory of installed profiles is not possible. A
configured data block is always applied in full. Therefore, always configure these blocks
completely.
For Android and Windows Phone there are no profiles under the Profiles installed node. However,
you can find your active device configuration settings in the Inventory/Device inventory
node of your end device.

An example explains this in more detail: you create and deploy a profile that forces users to
use a password with a certain minimum length. Then you create a second profile that only
sets requirements for the password quality under Android. A device on which the second
profile is deployed loses the configured minimum length for passwords.
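The following is an added example (not baramundi code) that models the rule just described: on the simulated platforms a configuration block is applied as a whole, so a later profile that touches the same block replaces it rather than merging with it. The helper reports which settings a device would lose when a planned set of profiles is applied in order, and shows the merged profile an administrator should deploy instead. Block and setting names are constructed for the example and are not the product's identifiers.

```python
"""Added example (not baramundi code): model full-block replacement of
profile settings on non-iOS platforms and detect lost settings.
"""

from copy import deepcopy

# A profile is a mapping block-name -> {setting: value}. Constructed data
# mirroring the manual's example: one profile sets the minimum length,
# a second one only sets the password quality.
PROFILE_MIN_LENGTH = {"security_policies": {"min_password_length": 5}}
PROFILE_QUALITY = {"security_policies": {"password_quality": "numeric"}}


def apply_profile(state, profile):
    """Apply a profile: every block it contains replaces the block as a whole."""
    new_state = deepcopy(state)
    for block, settings in profile.items():
        new_state[block] = dict(settings)   # full replacement, no merge
    return new_state


def lost_settings(profiles):
    """Apply the profiles in order and list the (block, setting) pairs that
    were set by some profile but are absent from the final device state."""
    state = {}
    ever_set = set()
    for profile in profiles:
        for block, settings in profile.items():
            ever_set.update((block, key) for key in settings)
        state = apply_profile(state, profile)
    present = {(block, key) for block, settings in state.items() for key in settings}
    return sorted(ever_set - present)


def merged_profile(profiles):
    """One profile whose blocks carry every setting of the input profiles,
    so that full-block replacement loses nothing."""
    merged = {}
    for profile in profiles:
        for block, settings in profile.items():
            merged.setdefault(block, {}).update(settings)
    return merged


if __name__ == "__main__":
    # Second profile wipes the minimum length configured by the first one.
    print(lost_settings([PROFILE_MIN_LENGTH, PROFILE_QUALITY]))
    # Deploying the merged profile keeps both settings.
    print(lost_settings([merged_profile([PROFILE_MIN_LENGTH, PROFILE_QUALITY])]))
```

Run `lost_settings` over the profiles you intend to install on one device, in installation order; any entry it returns is a setting the device will no longer enforce after the last profile.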

VM Provisioning Profiles
New VM provisioning profiles can be created here*. These profiles are used to create a new
virtual machine within a VMware vCenter.

Figure 9.3.: Special Rights

Licence Management
Within the bMS there are several objects able to use user-defined licences:
• Applications
• Operating Systems
• Managed Software
Special Rights
All users with Modify rights (see Fig. 9.3) on a certain object are allowed to manage its licences.
However, such a right gives access to other properties, too. Therefore, giving Modify rights
to technically unqualified personnel requires a constant critical eye on what they do (a
thoughtless or incorrect change could lead, for example, to applications that can no longer be
installed or uninstalled). The Manage Licences right offers a solution: via this right, only
new licences can be registered or existing ones edited or deleted.

* see page 65

Figure 9.4.: Example Profile

Management View
There is a special root node in the Extensions view to simplify licence maintenance: Licence
Management. All objects with activated licence management can be viewed there. The
properties of these objects are restricted to their licence properties, so that only the licence
properties can be opened. Via the context menu a user can switch to the main object in order
to see all properties.

Reserved Licenses
For all jobs in which an application with active license management is to be distributed, a
license is reserved from the license pool during execution of the job. The license can be
viewed in this list. This prevents a single license from being used for multiple job targets*
simultaneously. In addition, this prevents inconsistencies in the license count.
After the job has completed successfully, the license is removed from this list and assigned
to a target system. If the job is not completed successfully, the reservation entry remains
in the database and the license is not available for further use.
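As an added example (not baramundi code), the following minimal model reproduces the reservation life cycle described above: a license is reserved when a job target starts, converted to an assignment when the job succeeds, and left in place when it fails. The `stale_reservations` check lists exactly the entries the manual warns about, reservations of failed job targets that keep a license unavailable until they are cleared. Application, job and device names are constructed for the example.

```python
"""Added example (not baramundi code): license reservation pool with a
consistency invariant and a check for reservations left by failed jobs.
"""


class LicensePool:
    def __init__(self, application, total):
        self.application = application
        self.total = total
        self.reserved = {}     # job_target -> "running" or "failed"
        self.assigned = set()  # device names that hold a license

    def available(self):
        """Licenses neither reserved nor assigned."""
        return self.total - len(self.reserved) - len(self.assigned)

    def reserve(self, job_target):
        """Reserve one license when a job target starts executing.
        Returns False when the pool is exhausted."""
        if job_target in self.reserved:
            raise ValueError(f"{job_target} already holds a reservation")
        if self.available() <= 0:
            return False
        self.reserved[job_target] = "running"
        return True

    def complete(self, job_target, device, success):
        """Finish a job target: success moves the reservation to the device,
        failure leaves the reservation entry in place (license stays blocked)."""
        if job_target not in self.reserved:
            raise KeyError(job_target)
        if success:
            del self.reserved[job_target]
            self.assigned.add(device)
        else:
            self.reserved[job_target] = "failed"

    def stale_reservations(self):
        """Reservations left behind by job targets that did not succeed."""
        return sorted(t for t, s in self.reserved.items() if s == "failed")

    def consistent(self):
        """Invariant: reserved plus assigned never exceeds the pool size."""
        return len(self.reserved) + len(self.assigned) <= self.total


def demo():
    """Constructed walk-through: two licenses, three job targets."""
    pool = LicensePool("ExampleApp", total=2)
    pool.reserve("job1@pc-a")
    pool.reserve("job1@pc-b")
    third = pool.reserve("job1@pc-c")            # pool exhausted -> False
    pool.complete("job1@pc-a", "pc-a", success=True)
    pool.complete("job1@pc-b", "pc-b", success=False)
    return pool, third


if __name__ == "__main__":
    pool, third = demo()
    print("third reservation granted:", third)
    print("available:", pool.available(), "stale:", pool.stale_reservations())
```

In the walk-through the failed target on `pc-b` keeps one of the two licenses reserved, so `available()` stays at zero even though only one device actually holds a license; that is the situation to look for in the Reserved Licenses list after failed deployments.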

Reporting
In the Extensions/Reporting node, the baramundi Management Suite allows you to create
comprehensive reports about the status of your network. The included reports offer
information about hardware, software and the compliance of managed end devices.

* A job target refers to the assignment of a job to a single device.

Figure 9.5.: Reporting
Crystal Reports
Crystal Reports is SAP software for creating reports. To display reports, you will find the Crystal
Reports Viewer on our installation medium. It is possible to create your own reports. However,
to do so you need a full version of Crystal Reports.

amando Miss Marple
Reports of the Software Asset Management (SAM) solution Miss Marple by amando software
GmbH are displayed—after configuration*—within the bMS. These reports are based on
MS SQL Server Reporting Services.

Figure 9.6.: amando Miss Marple Reports

You will see the reports under Extensions/Reporting/amando Miss Marple only if amando Miss
Marple has been configured; otherwise this node is not visible.
To display reports (grid and tab), the bMC connects directly to the SQL reporting server. Hence
the reporting server must be reachable from the bMC.

* see page 243
Recovery
Recovery is a solution used to back up and recover practically any workstation environment at
any location. Whether the data loss is the result of accidental operating errors by the user
or of system failures, you will save valuable time in the complex troubleshooting process.
Currently, Recovery comprises both the Disaster Recovery and the Personal Backup concepts.

Disaster Recovery
Disaster Recovery serves to restore a Windows partition after an emergency (such as a corrup-
ted file system or a defective hard disk). The baramundi … Recovery module is able to create
an exact copy of selected volumes. System backup is completed based on occupied sectors. It
can run in the background while the user continues working at his/her workstation.
The backup data can be compressed and stored on a network or at the local computer.
Reinstallation is completed centrally, with all system settings and necessary applications.

Working Procedure

Figure 9.7.: Recovery: Backup Personal files (diagram: the bMS sends the job (1) to the bMA, which reads the HDD (2) and writes the bdi file to the DIP (3))

Figure 9.8.: Recovery: Data Recovery (diagram: the bMS starts the boot client via PXE (1), the bdi file is read from the DIP (2) and written to the HDD (3))

The backup of drives with Disaster Recovery takes place as follows:
The server (bMS) instructs the target system (bMA) to (1) export the data of a hard disk
and to (2) save them on the DIP as a file (3).
Backups are performed as a job step by bMS/bMA. The job step backs up a volume (i.e., a
partition). Multiple volumes can be backed up by performing several subsequent job steps (in
different files). Data recovery functions in reverse:
The device is started via PXE from the server (1), because we have to assume that no
bootable operating system is present. This retrieves the data backup file from DIP (2) via a job
and restores it to the target system (3).

Disk Backup
Create a job and select the Create image backup job step (Fig. 9.9). First, enter the drive to back
up (Fig. 9.10). If the priority is set to Low, the backup can take place during operation.
The path is set up according to the {DIP}\Backup\{Client}\{Client}.bim pattern.
Change the file name if you want to back up several volumes of a device; add the drive letter, for
example. The Date variable can also be used. It is important that the file location is accessible
from the perspective of the device and that the server name can be resolved. You also have
the option of using a local drive if a second partition or a second disk is present on the system.

Figure 9.9.: Job Steps Figure 9.10.: Settings

Restoring Disks
Create a job and select the Restore drive from image job step. Enter the location of the image,
as seen from the perspective of the device (Fig. 9.11). When backing up, information about
the backed-up partition is included in the copy. If you would like to use another partition,
this can be specified. Disks are counted from zero upwards, partitions start with one.

Figure 9.11.: Restore Partition Figure 9.12.: Boot Image
Partition Harddisc Creates a partition based on the hardware profile assigned to the device.
Partitioning for a system restore is typically only required if the disk was replaced.
Partitioning will be done using the configured settings—caution should be exercised
here—and may delete all data on the disk.
Write Master Boot Record (MBR) The Master Boot Record can be overwritten with a standard Master
Boot Record.
Restore Signature The signature of the operating system is restored based on the backup data. This
is required for restoring Windows Vista or later.
Set the standard entry in the Windows boot configuration Corrects boot loader errors after restoring to a
hard disk with a different configuration (e.g. partition alignment).
Verify if image exists before execution
The following settings are provided in the next dialog, Boot image:
Activate Network Boot By selecting Activate Network Boot, the PXE Boot option is automatically
activated in the properties of an assigned target system.
Environment Windows PE-based boot environments are available under Configuration/Boot Environments.
Server Initiates Reboot If the target system is in use, a system reboot will be initiated by the server.

Disk data is saved and restored in bim files (baramundi Imaging). These bim files are normally
stored on the DIP in the directories given in the backup/recovery dialogs. The variable
LatestDate takes care of multiple backups, so that the current version is restored.
Restoring is always performed in a Windows PE boot client (even if the restored partition is not a
system partition). For this reason, some points must be considered:
• For local images saved on the client, not all variable substitutions will work (such as
LatestDate).
• The partition on which the restore is performed must be at least as large as the partition
that was used for the backup. If the target partition is larger, the file system is expanded
subsequently.
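The following is an added example (not baramundi code) covering the path pattern from the Disk Backup section and the LatestDate variable just described. It substitutes `{DIP}` and `{Client}` as the manual's pattern shows, writes the run date into a backup path, and for a restore chooses the newest image in the backup folder. The exact spelling of the date variables (`{Date}`, `{LatestDate}`), the `YYYY-MM-DD` date format and the UNC share name are assumptions of the example; the directory listing is a constructed in-memory dictionary, so the code runs offline. A local path yields no listing, which mirrors the caveat that LatestDate cannot be substituted for local images.

```python
"""Added example (not baramundi code): resolve {DIP}\\Backup\\{Client}\\...
backup path patterns and pick the newest image for a restore.
"""

import re
from datetime import date

VAR = re.compile(r"\{(\w+)\}")

# Pattern forms assumed for the example (the manual shows {DIP}, {Client}).
BACKUP_PATTERN = r"{DIP}\Backup\{Client}\{Client}_{Date}.bim"
RESTORE_PATTERN = r"{DIP}\Backup\{Client}\{Client}_{LatestDate}.bim"


def expand(pattern, variables):
    """Replace every {Name} whose value is known; unknown names stay as-is."""
    return VAR.sub(lambda m: str(variables.get(m.group(1), m.group(0))), pattern)


def backup_path(pattern, dip, client, when):
    """Path for a new backup: {Date} is the day the job runs (ISO format)."""
    return expand(pattern, {"DIP": dip, "Client": client, "Date": when.isoformat()})


def restore_path(pattern, dip, client, list_dir):
    """Path for a restore: {LatestDate} is taken from the newest matching
    image in the backup folder. list_dir(folder) returns file names, or None
    when the folder cannot be listed from the boot client (local image)."""
    partial = expand(pattern, {"DIP": dip, "Client": client})
    if "{LatestDate}" not in partial:
        return partial
    folder, _, name = partial.rpartition("\\")
    names = list_dir(folder)
    if names is None:
        return None   # LatestDate cannot be substituted here
    probe = re.escape(name).replace(re.escape("{LatestDate}"), r"(\d{4}-\d{2}-\d{2})")
    dates = [m.group(1) for f in names for m in [re.fullmatch(probe, f)] if m]
    if not dates:
        return None   # no image of this client in the folder
    return partial.replace("{LatestDate}", max(dates))  # ISO dates sort lexically


# Constructed listing of a DIP share: two images of one client plus a stray file.
SAMPLE_DIP = {
    r"\\dip01\DIP$\Backup\PC-0815": [
        "PC-0815_2017-03-01.bim", "PC-0815_2017-03-15.bim", "notes.txt"],
}


def sample_list_dir(folder):
    """Listing over the constructed share; local drives are not reachable."""
    if not folder.startswith("\\\\"):
        return None
    return SAMPLE_DIP.get(folder, [])


def demo():
    """Backup path for today's run, restore path from the DIP, restore path
    from a local drive (None, because LatestDate cannot be resolved)."""
    return (
        backup_path(BACKUP_PATTERN, r"\\dip01\DIP$", "PC-0815", date(2017, 3, 15)),
        restore_path(RESTORE_PATTERN, r"\\dip01\DIP$", "PC-0815", sample_list_dir),
        restore_path(RESTORE_PATTERN, "D:", "PC-0815", sample_list_dir),
    )


if __name__ == "__main__":
    for p in demo():
        print(p)
```

When planning a restore from a local second partition, treat a `None` result as the signal to enter the image name explicitly instead of relying on LatestDate.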

To view or copy files of a backup image, you can use the baramundi ImageMount tool instead
of creating a job for it. It is part of our installation DVD under baramundi/baramundi Image
Mount. Once this tool is installed, you will find it within the baramundi menu under Tools.

Personal Backup
Personal Backup works mainly like Recovery, with one difference: files and registry contents
are backed up via Personal Backup, but no drives.

Working Procedure

Figure 9.13.: Personal Backup: Backup personal files (diagram: the bMS sends the job (1) to the bMA, which collects files, registry entries &c. (2) and writes the zip file to the DIP (3))

Since a system is backed up with all data and restored via Disaster Recovery, Personal Backup is
limited to user-specific data.
The server (bMS) instructs the device (bMA) to (1) export the directory data and to (2)
save it on the DIP after compression (3). Backups are performed as a job step by the bMA. Data
recovery functions in reverse:
Via a job the server instructs the device (1) to restore the data, and the device (2) obtains the
data backup file from the DIP (3) to this end.

Requirements and Limitations

The baramundi Personal Backup software is primarily intended for backing up user settings and
user data, to be restored with either an identical application installation or a similar new
installation of the same application version.

Figure 9.14.: Recovery: Data recovery (diagram: the bMS sends the job (1) to the bMA, the zip file is read from the DIP (2) and restored to files, registry entries &c. (3))

• Normally, migration to a newer application version is not possible—but this depends
on the application to back up. If you are not sure about this, please contact the vendor.
• Migration between different users is not possible with Personal Backup.
• Personal Backup lets you back up and restore a defined set of files and/or registry
entries. The amount of data to back up is therefore manageable. Personal Backup is
not intended for backing up large amounts of data. If the uncompressed data volume
is more than 2 GB, problems may occur when restoring the saved data.

Personal Backup Templates

Backups of user-specific settings and files are based on Personal Backup templates, which
define what is to be backed up. Due to the various possibilities and requirements of different
applications, we recommend creating and using several backup templates. A selection of
predefined backup templates is included with the software. These templates can be seen
under the Recovery/Personal Backup Templates node in the Extensions view. You can also
create new Personal Backup templates and add them to the system at any time (Fig. 9.15).
To create a new Personal Backup template, select the New/Backup Template item in the
action bar of the Personal Backup Template node. Enter a suitable Name for the new template
on the General tab and insert a description in the Comment field.
The other tabs, Files and Registry, contain a list of file templates as well as registry keys
and values. When entering files, ? and * can be used as wildcards in directories and file
names. Environment variables are to be used in the format %<Variable name>%, e.g.
%ProgramFiles%\baramundi*. These are resolved for the baramundi Management Agent
service* except for the variables AppData and UserProfile. This means that Temp is generally
resolved to C:\Windows\Temp and not to %userprofile%\AppData\Local\Temp. When
performing a backup, the program differentiates between general data and user-specific
data. Everything that is actually contained (not resolved) in the directories %AppData% or
%UserProfile% is considered user-specific.

* It is SYSTEM, since this normally runs as a system service.

Figure 9.15.: Personal Backup Templates

Figure 9.16.: Backup Template Figure 9.17.: Backup Template 2

Figure 9.18.: Backup Personal Files Figure 9.19.: Perform Personal Backup


A template can be applied recursively via the Include Subdirectories option. Templates can
be created that are to be included in a backup or excluded from the backup. The program first
creates a list of files that meet the inclusion criteria. The files that meet the exclusion
criteria are then removed. The Include/Exclude buttons add the selected file template to
the list—Include: the file template is to be backed up; Exclude: the file template should not
be backed up. A green checkmark next to the list entry means that the files matched by this
file template will be included in a backup. A red X means that the files matched by the file
template will be excluded from the backup. If registry paths are to be backed up, you can make
a selection—as with files—using the button with the ellipsis. Click Include to add the path to
the list. During a backup job, one or more backup templates and a save location are selected.
For a restore job, the backup set to be restored is specified. You can also determine whether
all files should be restored to their most current version or whether specific selections should
be made. For a specific selection, you need to select a specific backup set (for a specific
computer/user). From this set you can then optionally select individual data.
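The following added example (not baramundi code) evaluates a Personal Backup template the way the two preceding paragraphs describe it: `?` and `*` are wildcards within one directory level, `%Name%` variables are resolved as the SYSTEM account sees them except for AppData and UserProfile, which stay literal and mark an entry as user-specific, the include list is built first and exclude entries are then removed, and Include Subdirectories lets a pattern match below its folder. The file list, the environment values, the per-user layout `%AppData%` = `<profile>\AppData\Roaming` and the template entries are constructed for the example.

```python
"""Added example (not baramundi code): apply include/exclude file templates
with SYSTEM-resolved environment variables and per-user expansion.
"""

import re

# Environment as the agent's SYSTEM service sees it (constructed values).
SYSTEM_ENV = {"ProgramFiles": r"C:\Program Files", "Temp": r"C:\Windows\Temp"}
KEEP_LITERAL = {"appdata", "userprofile"}   # never resolved for SYSTEM
ENV_VAR = re.compile(r"%([^%]+)%")


def resolve_env(path, env=SYSTEM_ENV):
    """Expand %Name% except AppData/UserProfile, which stay literal."""
    def sub(m):
        name = m.group(1)
        return m.group(0) if name.lower() in KEEP_LITERAL else env.get(name, m.group(0))
    return ENV_VAR.sub(sub, path)


def is_user_specific(path):
    """User-specific means the literal %AppData% or %UserProfile% is still present."""
    return any(v in path.lower() for v in ("%appdata%", "%userprofile%"))


def glob_regex(text):
    """Translate a file template into a regex; * and ? never cross a backslash."""
    return "".join(r"[^\\]*" if c == "*" else r"[^\\]" if c == "?" else re.escape(c)
                   for c in text)


def matches(pattern, path, recursive):
    """Case-insensitive match; with Include Subdirectories the file may sit
    anywhere below the pattern's directory."""
    pattern, path = pattern.lower(), path.lower()
    folder, _, name = pattern.rpartition("\\")
    regex = glob_regex(folder) + (r"(\\[^\\]+)*" if recursive else "") + r"\\" + glob_regex(name)
    return re.fullmatch(regex, path) is not None


def candidates(pattern, user_profiles):
    """Concrete patterns one template entry stands for: a general entry is
    itself, a user-specific entry is expanded once per user profile."""
    resolved = resolve_env(pattern)
    if not is_user_specific(resolved):
        return [resolved]
    low = resolved.lower()
    return [low.replace("%userprofile%", p).replace("%appdata%", p + r"\AppData\Roaming")
            for p in user_profiles]


def select_files(entries, files, user_profiles):
    """entries: (pattern, include, recursive). Includes are collected first,
    then every file hit by an exclude entry is removed."""
    def hits(pattern, recursive):
        return {f for f in files
                for c in candidates(pattern, user_profiles) if matches(c, f, recursive)}
    chosen = set()
    for pattern, include, recursive in entries:
        if include:
            chosen |= hits(pattern, recursive)
    for pattern, include, recursive in entries:
        if not include:
            chosen -= hits(pattern, recursive)
    return sorted(chosen)


# Constructed file system and user profiles.
FILES = [
    r"C:\Windows\Temp\cache.tmp",
    r"C:\Users\alice\AppData\Roaming\ExampleApp\settings.ini",
    r"C:\Users\alice\AppData\Roaming\ExampleApp\logs\trace.log",
    r"C:\Users\bob\AppData\Roaming\ExampleApp\settings.ini",
    r"C:\Program Files\ExampleApp\app.exe",
]
USER_PROFILES = [r"C:\Users\alice", r"C:\Users\bob"]

# Hypothetical template: application settings per user, without log files,
# plus the SYSTEM-resolved Temp folder (non-recursive).
TEMPLATE = [
    (r"%AppData%\ExampleApp\*", True, True),       # include, recursive
    (r"%AppData%\ExampleApp\*.log", False, True),  # exclude, recursive
    (r"%Temp%\*", True, False),                    # include, this folder only
]

if __name__ == "__main__":
    for f in select_files(TEMPLATE, FILES, USER_PROFILES):
        print(f)
```

Because the exclude pass runs after the include pass, the order of entries in the template does not matter; what matters is that an exclude entry removes files from every include entry, which is the behaviour to keep in mind when a broad exclude such as `*.log` is meant for one application only.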

Backing up Data
To back up personal data, create a job with a matching name. Select the job step Execute
Backup (Fig. 9.18). Enter a backup location that can be accessed by the device. A high priority
may load the system to such an extent that an active user cannot work normally. Therefore,
the default setting should be kept. You can also specify whether the system should only
perform an Incremental backup (Fig. 9.19)—only files with a set archive bit are backed up—and
whether the Reset archive bit function should be executed during the backup.

Figure 9.20.: Data Recovery Figure 9.21.: Data Recovery 2

Restoring Backups
Create a new job. Select the job step Restore data from Personal Backup (Fig. 9.20) and enter the
path and name of the image file. Select a target folder for the restored data. If you would
like to restore the data to their original storage location, leave this entry (Restore to
Folder) empty. If files are already present at the target location, you can specify what the system
should do (Overwrite Older, Overwrite Always, Never Overwrite). For existing registry keys, you
can Merge with Saved Values, Completely Overwrite, or Never Overwrite.
The lower dialog offers three options: Restore the latest version of each file for all users
ensures just that. Select files to restore manually: here the backup set is selected and
imported. The backup catalogue must exist on the primary DIP to do so. A list of all values
allows you to select which entries should be taken into consideration. Rebuild Catalog: catalog
files can be recreated here.

Settings
No data are displayed under the Settings node. The context menu of the node gives you
access to the basic Personal Backup settings. The Backup set Folder is the UNC path to be used for
saving backups. You can also use bMS variables in the path name. Password for Backups: if
necessary, protects backups from unauthorized access with a password (at least 16 characters
long). Blacklisted User: if you do not want to create backups of settings and files for certain
user profiles, such as the administrators, you can enter domains and users that should not be
backed up.

An Example
The baramundi Personal Backup method is explained below via a short, private example.
Imagine that your hard disk holds two very rare versions of «Love Me Tender» that the King
sang for your mother personally on a tape, back in the days in Bad Nauheim—priceless, and
therefore worthy of being backed up! The digitized recordings lovemetender1.mp3 and
lovemetender2.mp3 are located in the Elvis directory and should be backed up (your Labrador
ate the original tape two years ago). Now, the rare items should be backed up and recovered.
This takes place on the same disk, which actually is not secure enough for operational
requirements.

Preparations. Create three directories: one for the music (both files are stored in this directory),
one for the backup and one for data recovery.

Create Backup Template. First, a respective backup template must be created, since only a single
directory should be backed up:
1. Select the New action in the action bar under Recovery/Personal Backup/Backup Template
in the Extensions view.
2. Name the template on the General tab.
3. Select the path to the Music folder on the Files tab.
4. Press Include to load the entry
5. and close the dialog.

Thus, the new template is available under Extensions/Recovery/Backup Templates.

Backup Personal Files. Now, a compressed backup file should be created:

1. Create a job with the job step Backup Personal Files.
2. Select the path to the Backup directory under Backup Set.
3. Select a template in the lower dialog area and complete the job.
4. Assign the job to the respective target system.

The result is that your Backup directory now contains an xml file as well as a zip file with the
backup data. Let's perform a proper test: now delete the music folder!

Recovering Data. The data that has been deleted should now be recovered from the backup file
just created:
1. Create a job with the job step Restore data from Personal Backup.
2. Select the path to the Backup directory under Backup Set.
3. Select the path to the Recovery directory under Restore to folder.
4. Complete the job and assign the job to the respective target system.

After the job has been completed successfully, the priceless data is once again available in the
Recovery directory. So, love us tender …

Import/Export
Under the Extensions/Import/Export node you can exchange data between bMS installations of the
same version. Except for software detection rules, one or more objects can be copied and pasted
into an export container. Such a container (bDX file) can be opened with the bMC of another bMS
system to import the container content. The file contains object information as well as DIP
sources. A container can include:
• Software
• Windows Jobs
• Hardware Profiles
• Components
• SW Inventory Templates
• Drivers
• Dynamic Groups
• Compliance Rules
• Operating Systems
• SNMPProfile/NetworkScan
• SW Bundles (via Job)
• Boot Environments (via Job)
• Variables (via Job)
• MSW (MSW projects must be available on the source and target system, and the package
download must be done)

If an object is added to a container, all of its links (jobs, apps, rules) are automatically added as
well. Dependencies are resolved hierarchically: a job takes everything that is contained
within the job (except for a job with unsupported job steps); if only an application has been
added, everything that belongs to this application is taken, &c.
For all non-restricted container elements (Software to NetworkScan in the list above)
you will find entries in the action bar for adding elements to the container.

The bMC only allows the import of bDX files created with the same bMS version.

Figure 9.22.: BDX Container

An Example
Suppose you are managing the IT of two companies, one in Munich and the other in
Hamburg. Now a job that has been run successfully in Munich needs to be made available to
the administrator in Hamburg so that it can be run there too.

Export
(Munich) First, the job and the corresponding application must be loaded into an export
container: … Import/Export and New/bDX Container.
1. Configure a deploy job for a software (for example Notepad++).
2. Add this job to the container.
3. The export mechanism automatically detects which objects should be exported and
offers—e.g. if an application is going to be exported—further options such as license export,
variables export &c.
4. Export the container. This automatically exports all the objects needed for the job.
5. Enter the save path and save the job and application as bdx.

This converts the exchange data into the compressed bdx file format.
Import
(Hamburg) In Hamburg, the storage location is accessed and the bdx file is loaded for import.
1. Select … Import/Export and New/Open bDX container.
2. Highlight the appropriate bdx file and confirm your selection (the file will then be
located under … Import/Export with a brown package icon).
3. Select the container to be imported.
4. Click Import in the action bar.

Data exchange between different bMS versions is not supported.

Personal Preferences
The basic settings of the current user can be adjusted in the Properties of the Personal
preferences. In particular, on the General tab the user can enable editing of jobs that are already
active. This bypasses the restriction that prevents users from continuing to edit jobs that have
already been distributed to devices. However, this could prove problematic if a job affects
several target systems: some of these devices would then run a different job from the rest.
System transparency would be called into question if this were the case, so you should
exercise caution here! In the lower region of the dialog, a directory can be chosen as
Default Job Folder. This is the storage location for new, wizard-created jobs.
The second tab, Custom Commands, extends the GUI with new commands. These can be
any commands the command line has to offer.

10
Configuration
In this Chapter:
Server Management, p. 214
    Base Settings, p. 215
    Licenses, p. 216
    Executing Jobs, p. 218
    Webserver, p. 218
    Downloader, p. 219
    PXE Support, p. 219
Mobile Devices, p. 222
    Certificates, p. 223
    OS Configurations, p. 224
    E-Mail, p. 231
    Gateway, p. 232
    Security Settings, p. 235
Enrollment Profile, p. 235
Interfaces, p. 236
Certificate Management, p. 236
    Certificates, p. 237
    Certification Authorities, p. 238
Domain Configuration, p. 240
Virtualization, p. 242
amando Miss Marple, p. 243
    Configuration, p. 243
    Installation, p. 244
Security Management, p. 244
    Security Profiles, p. 245
    Windows Users and Groups, p. 245
    An Example, p. 247
IP Networks, p. 247
DIP Management, p. 248
    Install and Configure baraDIP, p. 248
    Creating DIPs, p. 250
Active Directory Synchronization, p. 253
    User Synchronization, p. 253
    Machine Synchronization, p. 254
Lock Manager, p. 257
Event Viewer, p. 257
Variables, p. 257
Boot Environments, p. 258
Database Maintenance Jobs, p. 259
Download Jobs, p. 260
Audit Log, p. 261

This chapter is dedicated to the management of the bMS and mainly follows the content
of the Configuration node in the Management Center. The settings in the dialogs are described
in proportion to how commonly they are used. First of all, the server settings are explained
and then the important settings in the nodes below.
Maintenance Mode Via maintenance mode you use the bMS via the bMC without activating the
operational bMS parts. This makes it possible—e.g. after an update—to configure new
settings without risking adverse effects on any existing systems. How to switch to that mode:
• Go to the status page Server status and, within the scroll menu of a server, click the
Restart in maintenance mode entry.
• It can occur automatically if the database manager has changed the database configuration.
• Switch at bMS start from the bMC login page.
• Maintenance mode can be switched on/off via a registry value.

If the bServer was restarted in maintenance mode, it will restart in maintenance mode again.

Server Management
The Server node includes all settings relevant for operating baramundi Management Server
itself or directly related to the system infrastructure.

Figure 10.1.: baramundi Server Settings

10. Configuration | 214


Base Settings
(Fig. 10.2) First, the base settings are briefly presented and explained. These have to be set
in the Base settings dialog.
Role The first server to be installed is configured as the master server; additional servers are
configured as PXE relays.
Binary Path Enter the path to the baramundi Server program files or the server share here.
Shutdown Timeout When the bMS is stopped, it shuts down every module. Each module is given
the shutdown time set here to shut itself down. If this time is exceeded, baramundi
Server actively closes the module without giving it any more time.
Primary DIP You can have a directory or file searched at various places (button with ellipsis). If
the variable {DIP} is included in the defined path, it is replaced by the value given
here prior to searching. After the search, the variable is put back.
Domain Model Windows 2000 or above (Active Directory) or NT 4.0 LAN Manager.
Database Connections Number of permitted database connections.

Read permissions for access and directory authorization for the bMS$ share should be given to
every user.

Figure 10.2.: General
Figure 10.3.: Device Identification



Device Identification
(Fig. 10.3) The bMS usually identifies Windows devices via unique device certificates. These
certificates are created at the first start of the baramundi Agent, encrypted and saved in
the %ProgramData%\baramundi directory; this requires a connection between agent and
server. On PXE contact or via the baramundi Kiosk, the server must identify a device by other
criteria. Several characteristics can be used for device identification; usually the hostname or
the MAC address is used. The other options are reserved for special cases.
Hostname Device hostname
MAC Device MAC address
LA Logical MAC address of the device
IP Device IP address
FQDN Fully Qualified Domain Name

You can exclude MAC or IP addresses from identification. This can be necessary if devices are
incorrectly identified, for example in the presence of virtual machines or VPN interfaces. Such
interfaces generally take their IP or MAC addresses from a single shared pool, so changes or
duplicate entries can cause job execution errors. Device identification must therefore ignore
these ranges. You can use * as a wildcard: 192.168.* ignores all IP addresses from 192.168.0.1
to 192.168.255.254.

Communication
(Fig. 10.4) The server configuration settings on this tab let you define the communication
path for the boot device, the TCP/IP ports and timeouts for the boot device and the Management
Agent connection, as well as the installation type of the baramundi Management Agent for
Windows devices.

Management Agent
(Fig. 10.5) Here you define the source path for installing the baramundi Management Agent,
its files and its menu settings on a network device.

Licenses
bMS licenses are entered under Licenses (Fig. 10.6). Should an existing license need to be
replaced, e.g. because it has expired or is a demo license, proceed as follows:
1. Select the license to be removed, then click Remove.
2. Confirm this action when prompted.
3. Close the license window by clicking Ok.



Figure 10.4.: Communication
Figure 10.5.: Management Agent
Figure 10.6.: Licenses
Figure 10.7.: Job Execution



Figure 10.8.: Webserver
Figure 10.9.: PXE-Support

4. Open the license window again and enter your license number.

To order additional licenses, we need to know (a) the company named on the license and
(b) the name of the computer on which the baramundi Server is installed. Enter the name of your
company and the activation code to unlock your bMS license on the Global Variables tab. Be
certain to type your entries exactly as shown in your license confirmation. This information
must also be provided at the end of the respective service period.

Executing Jobs
On the General tab (Fig. 10.7), define the basic parameters for executing jobs.

Webserver
For the integration of the baramundi Kiosk, a webserver module (Fig. 10.8) is built into
the baramundi Server. Determine which webserver services are to be made available. A
web browser is required to use the baramundi Kiosk. The address of the Software Kiosk is
http://<baramundiManagementServer>:<Port>, for example http://barasrv:10080.



Downloader
The Downloader downloads files from the Internet or from other sources. It is used for
• downloading bpmData.zip and Wsusscn2.cab for the Patches module,
• downloading the current device definitions,
• communication with the Google push services.

If necessary, a proxy server with authentication can be configured for the Downloader module.
In this case, activate the checkbox and enter the required data. The port is mandatory, for
example: proxy.baramundi.net:8089

PXE Support
PXE (Preboot Execution Environment) is a procedure* that enables a computer to boot from
the network. The PXE extension (Fig. 10.9) of DHCP allows operating systems to be installed from
a remote server onto the local hard disk of a network device. PXE uses the TCP/IP and
TFTP protocols as well as the DHCP service to send boot information to systems that can be
booted over the network. The following settings apply to PXE support in the bMS.

PXE is an extension of the DHCP protocol, which comes with no authentication at all. There
is therefore no way to make sure that data is exchanged only between a legitimate device
and the legitimate PXE server, in either direction. If an attacker has access to an internal
network in which devices are installed via PXE, several attack scenarios are conceivable.
To reduce this risk, OS installations should only be done within secure networks. Alternatively,
you can create WinPE images as an ISO (via the Boot Media Wizard). Such images can be
written to optical or USB media and used to boot a system.

General Tab
Server access via PXE is naturally not possible if no server is active. Therefore ensure
that the base settings for PXE support are activated on the General tab.

After the blacklist settings on the Access tab have been checked, the settings under General
are checked as well. The values stored here must therefore not contradict those set under
Access. If they nevertheless do, a request allowed by the Access tab can still be rejected by the
General tab (see Operating under the General and Access Tabs below).

PXE Server Active Check this box if you want baramundi Server to process incoming PXE requests.

* For more detailed technical information regarding PXE, please refer to the document
«Preboot Execution Environment (PXE) Specification», Version 2.1, Intel Corporation,
September 20, 1999 (http://pix.net/software/pxeboot/archive/pxespec.pdf)



Mode The baramundi Management Server PXE module processes all relevant PXE tasks itself.
Shared (port 4011 only): The baramundi Management Server PXE module is operated
in conjunction with a DHCP server on which the extended PXE option 67 (boot file name) is
defined.
Bootstrap Loader If you select <internal>, the network card's bootstrap loader is used. Alternatively,
you can use the BSTRAP.0 file provided in the TFTP directory.
Boot Prompt Duration (sec.) When the network boot process is initiated, the F8 key can
be used to call up a boot prompt on the requesting system. If the key is not pressed, the
default selection starts after the time set here.
Server Discovery Specifies the method used to determine the PXE server address.
Unknown Devices Determines how requests originating from MAC addresses that are not
present in the baramundi repository are processed.
Ignore Interfaces A semicolon-delimited list of local server IP addresses on which PXE queries
are not answered. By default, the server responds on all interfaces.
Boot Counting Active If this option is activated, the target system's boot counter is increased by 1
every time a PXE boot is performed.
TFTP Server Active Check this box if you want the baramundi Deploy Server to process incoming TFTP
requests.
TFTP Root Folder Complete path of the directory from which the boot files are served to the devices.

VLAN Configuration. The bMS PXE module listens for network boot requests from Windows devices,
quite similar to a DHCP server. Such requests are sent as broadcasts. When a server receives
a request, it sends valid start information back to the device. However, broadcasts do not
cross segment boundaries in segmented (VLAN) networks. You can have them forwarded to
specific devices by using so-called IP helpers; this is what allows a single DHCP server to
provide all devices of one location with IP addresses.

Integration of baramundi PXE: To make sure that all devices get their network boot information
from the bMS,
• the bMS server must have an IP helper entry, or
• a baramundi PXE Relay has to be installed* on the DHCP server.

Alternate Bootloader: Should the integration of a baramundi PXE server described above
not work, you can provide a boot loader via DHCP options. In the Bootloader tab, you
can select a UEFI bootloader. Detailed information can be found in our online reference at
https://forum.baramundi.de/index.php?threads/5339.

* for Windows server only



Access Tab
There are two options here for limiting access: the definition of a blacklist, i.e. all listed MAC
addresses are ignored and those not listed are allowed to pass, or the definition of a
so-called whitelist, i.e. exclusively the listed MAC addresses are accepted and all others are ignored.
Let us assume that you want to list MAC addresses, for example in a whitelist or a blacklist.

Blacklisting & Whitelisting. Click one of the two icons on the left side and the cursor jumps into the
list field. Enter your MAC addresses. You can omit the usual separators: type the 12 hex
characters in succession; clicking in the list field formats the values accordingly. Click Apply to
save the MAC addresses.
The meaning of the list depends on the option selected: Allow all MAC addresses access
means the list is a blacklist, since all addresses can pass except the ones listed here.
Conversely, Deny all MAC addresses access means the list is a whitelist, since only the listed
addresses are allowed to pass. Denied MAC addresses are simply ignored; only a note about
the failed attempt is written to the baramundi Management Suite log.
MAC addresses often carry a manufacturer-specific prefix. The address 00:07:E9:xx:xx:xx used in
the figure, for example, identifies Intel. To cover such patterns without much typing, so-called
wildcards are useful. Two powerful ones can be used when filling in lists: the star * for any
sequence of characters and the question mark ? for exactly one character. If you would like
to blacklist all MAC addresses of this manufacturer in our example, the single list entry
00:07:E9* does this and has exactly the same effect as the entry above.
List entries can of course be changed or deleted. Deletion is done via the small icon with the
cross (even faster with the Delete key); to change an entry, simply double-click it.

Operating under the General and Access Tabs: How are the criteria set under the General and
Access tabs interconnected? It is important to know that the entries on the Access tab are
evaluated first. The request is then evaluated against the General tab. Both checks must pass:
the system treats the two as logically AND-linked. An example:

Case 1. On the Access tab, Deny all MAC addresses access is activated, and the MAC address
of the accessing computer is whitelisted. On the General tab, Unknown clients—ignore request
applies.
Result: The Access tab allows the request, but the General tab rejects the MAC address as
unknown, so no access. What happens in the reverse case?

Case 2. On the Access tab, Allow all MAC addresses access applies, but the MAC address of the
accessing computer is blacklisted; on the General tab, Unknown clients—Register automatically
applies.
Result: The MAC address is already rejected in the first instance, the Access tab. Whether
or not the second instance, the General tab, would accept the request is irrelevant: the PXE
request is ignored.
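The two-stage decision above (Access tab first, then the General tab's Unknown devices setting) and the * / ? wildcard syntax used both in these lists and in the Device Identification ignore list can be modelled in a few lines. The following is an added example written for this edition; it is not baramundi code, and the function names, the returned decision strings and the sample MAC addresses are assumptions made here:

```python
import re

# Wildcard syntax as described for the lists: * matches any sequence of
# characters, ? matches exactly one character, everything else is literal.
def wildcard_to_regex(pattern: str) -> re.Pattern:
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def normalize(value: str) -> str:
    """Bring MAC addresses (and MAC patterns) into the 12-hex-character form the
    list editor uses; IP addresses and IP patterns such as 192.168.* stay as they are."""
    if re.fullmatch(r"[0-9.*?]+", value):
        return value                                        # IP address or IP pattern
    return re.sub(r"[^0-9A-Fa-f*?]", "", value).upper()    # MAC: drop ':' and '-'


def matches_any(value: str, patterns) -> bool:
    norm = normalize(value)
    return any(wildcard_to_regex(normalize(p)).match(norm) for p in patterns)


def should_ignore_address(addr: str, ignore_patterns) -> bool:
    """Device Identification: addresses matching the ignore list (e.g. a VPN or
    VM address range) are not used to identify a device."""
    return matches_any(addr, ignore_patterns)


def pxe_decision(mac: str, access_mode: str, access_list, unknown_policy: str,
                 known_macs) -> str:
    """Decide what happens to a PXE request (assumed decision strings).

    access_mode   : "allow_all" (the list is a blacklist) or
                    "deny_all"  (the list is a whitelist)
    unknown_policy: "ignore" or "register" (General tab, Unknown devices)
    known_macs    : MAC addresses already present in the repository
    """
    listed = matches_any(mac, access_list)
    # 1. The Access tab is evaluated first; a rejection here is final.
    if access_mode == "allow_all" and listed:
        return "ignored: blacklisted"
    if access_mode == "deny_all" and not listed:
        return "ignored: not whitelisted"
    # 2. Only now does the General tab's unknown-device policy matter.
    if normalize(mac) in {normalize(k) for k in known_macs}:
        return "served: known device"
    if unknown_policy == "register":
        return "served: registered automatically"
    return "ignored: unknown device"


if __name__ == "__main__":
    # Case 1 from the text: whitelisted but unknown, unknown devices are ignored
    print(pxe_decision("00-07-E9-12-34-56", "deny_all", ["0007E9123456"], "ignore", []))
    # Case 2 from the text: blacklisted via OUI pattern, auto-registration is irrelevant
    print(pxe_decision("00:07:E9:12:34:56", "allow_all", ["00:07:E9*"], "register", []))
```

The order of the two checks is the whole point: a whitelist entry on the Access tab never overrides an Unknown devices: ignore setting, and a blacklist hit is final regardless of the General tab.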

Bootloader
In the Bootloader tab you can finally select the boot loader for UEFI devices: either the Microsoft
PE Loader (default) or the baramundi UEFI Boot Loader for DHCP-based configurations. You can
also activate an alternate boot loader for BIOS systems (see page 220).

Mobile Devices
Before you can start managing mobile devices via the bMS, you have to set some basic parameters
under Configuration > Mobile Devices.
Before you start, you should set an individual, strong database encryption password. This is the
best protection against unauthorised access to the certificates stored there. Otherwise, so-called

Figure 10.10.: Configuration/Mobile Devices

man-in-the-middle attacks against managed devices and the baramundi Management Server
could be carried out by attackers.
Please also consider: keep the password in a safe place to which unauthorised persons have no
access. If your password is lost, all managed devices will have to be enrolled again.

Certificates
Mobile Devices issues an individual certificate to each managed device during enrollment,
so that the device can later be clearly identified. This requires a root certification authority,
which is why the bMS issues its own CA certificate at first start. That certificate shows
bMD Certificate Authority as subject and issuer.

SSL Certificate
Communication between managed devices and the server is secured by SSL/TLS encryption. You
can secure such connections either via a bMS-generated SSL server certificate or via a third-party
certificate.
baramundi SSL Server Certificate If no certificate is bound on the configured port yet and the use of
a third-party certificate is not configured, a new self-signed certificate is created at
server start. It is imported into the certificate store and bound to the primary FQDN of
the local system. If that FQDN cannot be resolved by the end devices, you can configure
an alternative FQDN on the configuration page. At the next server start a certificate for
it is created and bound.
Third Party SSL Certificate To use a third-party certificate, import its root certificate:
1. Check the Use third party SSL certificate option.
2. Open the import dialog with a click on the icon on the right.

You get the root certificate from your third-party certificate authority. You can also have the
baramundi Management Server's identity verified before enrollment even starts: check the
Activate verification of the server identity on the first connection option. The device then
validates the server by its certificate fingerprint.

If a third-party certificate is to be used, it must be imported via the import function on the
Server SSL certificate field for pure server operation. When operating with a baramundi
Gateway, it must be set in the Gateway SSL certificate field in the baramundi Gateway
section. The subject name of the certificate must be the hostname of the configured device*.
The option works with mobile agents as of version 14.2.x; older mobile agents cannot make
use of it.

* certificates will be supported



Parallel operation with other applications: The bMD default port for HTTPS (443) can be
changed if other applications on the same server require it. The change has to be made in
the config files of the baramundi Management Server.net service and, if present, of the
baramundi Management Gateway. When binding third-party SSL server certificates, you also
have to adjust the port.

SSL Communication
When a standard SSL connection is established, the server usually sends the mobile device a list
of so-called «Trusted Root Certification Authorities». Because of a bug in all Windows Server
versions* up to and including 2008 R2, that list is truncated once it reaches a certain length,
and even a standard installation can exceed that length. The bug can therefore lead to connection
errors between server and mobile device.
To work around the problem, sending the list of Trusted Root Certification Authorities can
be suppressed completely. To do so, set (and if necessary create) the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL,
value "SendTrustedIssuerList" (REG_DWORD) = 0
We recommend this workaround. Verify that it has no negative impact on third-party applications.

OS Configurations
Mobile Device Management requires some platform-specific settings. Android and iOS, for
example, offer so-called push services to contact devices; to use them, the server needs the
appropriate certificates.
Set Encryption Password: This switch enables strong encryption of the certificate information
within the database. After a database restore, the password has to be re-entered via the Restore
Encryption Password switch before the configuration can be read again.
For a new database encryption password, the bMS automatically generates a new key (28
characters in dot-separated blocks of four). The password can be copied to the clipboard via
the copy icon (on the right). Save that password from the clipboard to an editor or, better, to
a password manager, because as soon as you click OK the clipboard is cleared; the next dialog
will ask you to enter that password to confirm all changes. If you cannot, you have to cancel
the procedure and start again.

Apple iOS
Here you configure all settings needed to manage iOS devices. This includes a directory for
local app sources and the Apple Push Certificate.

* The same problem is described for Microsoft Exchange at
http://support.microsoft.com/kb/2464556/en-us



App Depot Path. Enter here the path to the directory in which you keep all your app sources
(ipa files), for example C:\MobileDeviceData\iOS\App.

Apple Push Certificate. To get a certificate, follow these steps:

1. Create a new certificate request with a click on Create APN CSR.
2. Save the created bCert file.
3. Send this file to: [email protected]

Your file will be signed by baramundi (as MDM vendor) and sent back to you. The signed
file (.bin) is used for the further steps on Apple's website. For these you need an Apple ID
(if you already have one, continue at step 6):
4. Browse to https://appleid.apple.com
5. Fill out the fields and confirm your account details.
6. Browse to https://identity.apple.com/pushcert and
7. log on to the website.
8. Click Create a Certificate.
9. Accept the «Terms of Use» and
10. upload your baramundi-signed .bin file to the Apple server.
11. Then download* the certificate.
12. Import the .pem file via Import APN certificate under Apple Push Certificate.
13. Save your settings and restart the bServer.

Via the arrow buttons, an APN certificate can be exported for backup purposes (recommended).
It can be re-imported via the browse button.

Profile Signing Certificate. Here you can import a code signing certificate with which all iOS
profiles are signed. A device then no longer warns that a valid signature is missing.
Such a certificate must be bought from an official certificate authority.

* You can download the file again from this site at any time.

Figure 10.11.: Apple iOS



Renew APN Certificate. An Apple Push Certificate is valid for 12 months by default. Before the
end of that period, the certificate has to be renewed. Your bMC will warn you 60 days
before expiry. Should the certificate expire, all managed devices have to be re-enrolled!
1. Within the bMC, create a new certificate request by clicking Create APN CSR.
2. Save the created bCert file.
3. Send the saved file to: [email protected]
4. Via email, you will get a signed .bin file back. This is the certificate request signed by
baramundi (as «Mobile Device Management Vendor»).
5. Browse to https://identity.apple.com/pushcert and log in with your Apple ID.

The soon-expiring certificate should be visible here. It must be the same Apple ID with which
the APN certificate was originally created.
6. Click Renew.
7. Upload the .bin file sent by baramundi. Apple's website will stop afterwards; click
Cancel to leave the page.
8. The certificate (.pem) is now downloadable (via the Download button).
9. Import the .pem file within the bMC via Import APN Certificate.
10. Restart the bMS service.
11. Click Save to write the renewed certificate into the database.

During the renewal, baramundi Mobile Devices continues to operate with the old certificate. The
functions of the module can continue to be used without restriction.

Apple Volume Purchase Program (VPP)

With Apple's VPP, companies can order apps in large quantities and deploy them to their users.
To use VPP, you have to make some preparations.

VPP Managed Distribution is supported starting from iOS 9. To identify the platform, a
hardware inventory has to be done first.

Import Token. In order to participate in VPP, your company must be registered at deploy.apple.com.
During registration, several administrators can be created. These admins are permitted to log
in to Apple's ordering services and to the VPP store (vpp.itunes.apple.com). On that site, a
so-called token has to be downloaded.



Figure 10.12.: VPP Settings

Figure 10.13.: VPP Selection Dialog



1. In the bMC select Configuration > Mobile Devices and, within the Apple Volume Purchase
Program (VPP) area, the Import Token link.
2. Click Select folder for new VPP apps to choose the location where your VPP apps are saved.
3. Save your settings.

In the Software > Apps node you can create your own folders for your VPP apps.
You will find all the ordered VPP apps in the Software > Apps node, or in the folders you
created yourself.

Apple Device Enrollment Program

To use Apple's DEP*, the service has to be configured: (1) connect your real server with the
virtual one of your DEP account, (2) update your device state and (3) configure the settings for
user-based enrollment of your DEP devices.

First, you must create a DEP server. Otherwise, you cannot use this service.

Create a Virtual Server. Via a token, connect the server to your DEP account. It will then be
available under Configuration > Enrollment Profile for configuration purposes.
1. Under Server Token select Generate Public Key.
2. Save this file (the Import Token link becomes active).
3. Log in to your DEP account†
a) Within your account, click the Device Enrollment Program link.
b) There, select Manage Server.
c) Select Add MDM Server.

* See page 55
† https://www.apple.com/education/docs/DEP_Guide.pdf

Figure 10.14.: Apple DEP



d) Name the server.
e) Upload the previously generated public key.
f) Click Your Server Token* (this downloads a .p7m file).
4. Back in the bMC, click Import Token and select the just downloaded .p7m file.

Now the standard profile for DEP devices is available under Configuration > Enrollment Profile.

Update Devices. The view of DEP-registered devices is updated automatically every five
minutes. To update the view in between, use the Update Devices link.

Initial Settings. Here you can already set the logical group of new devices, the user
authentication and the bMD agent preallocation of DEP-registered devices.

Google Android
The basic settings for managing Android devices include, in addition to a directory for
local app sources, the authentication information for the Google push services. This
information is not mandatory: the baramundi Mobile Agent establishes a connection to the
server on its own within a configured interval.

App Depot Path. Enter the path to your local Android app directory, the folder in which you
put all app sources (apk files): e.g. C:\MobileDeviceData\Android\App. The directory must
already exist.

Firebase Cloud Messaging (FCM). To execute jobs on Android devices, push messages are sent via
the Firebase† web service. To be able to use this service, credentials are required.

The baramundi Mobile Agent for Android is able to establish push and pull connections. The
agent polls for requests regularly and establishes a Management Server connection
automatically. This also lets you manage mobile devices purely internally.

* Note the validity date above
† A Google subsidiary

Figure 10.15.: Google Android



You need a separate Google account to create a Firebase Cloud Messaging project. This
provides the access data for Firebase Cloud Messaging (FCM). Proceed as follows:
1. Open https://firebase.google.com/.
2. Log on with your Google account.
3. Click Go to console.
4. If you did not have an FCM project for your Google account before, create a new
project here.
5. Give a name and the country in which you operate your bMS service.
6. Within the console, click the gear symbol to open the settings. Select Project settings
from the drop-down menu.
7. Switch to Cloud Messaging.
8. Write down the Server key and Sender ID values (Fig. 10.16).
9. Enter these values in the bMC under Configuration > Mobile Devices in the Google Android section.
10. Restart the bServer service to apply the new values.

Figure 10.16.: Firebase Settings

If a proxy has already been configured for the Downloader, the bMS automatically uses it
for the connection to the push service as well.

Windows Phone
To manage a Windows Phone device via the bMS, it has to be assigned to an existing Active
Directory user. This first requires a synchronization of the data from the AD. The basic settings
for Windows Phone include the source path for local app sources, the polling interval and
the information for deploying self-developed apps.



Figure 10.17.: Microsoft Windows Phone

Under App Depot, enter the path to your directory for local app sources (.xap), by default
C:\MobileDeviceData\WP8\App. Communication between the baramundi Management Server
(or the native company agent) and the Mobile Agent takes place exclusively via connections that
the device establishes at regular intervals. The polling interval is entered in the corresponding field.

Deploy Self Developed Apps. Activate the Using Enterprise kiosk option to distribute self-developed
apps. In this case, the values Application Enrollment Token and Publisher Id must be specified in
addition. To get your AET data, import your .aet file.
If you have no AE token of your own, or if you do not deploy your own enterprise apps, you
can import the AE token provided in our baramundi forum to obtain an extended software
inventory on WP 8.1 devices*.

* no longer valid for W10 Mobile

E-Mail
To enroll users via email, your email settings have to be entered here. First, activate the email
option by clicking Enable Email. Enter the address of your company's SMTP Server in the next
field. If you want to use a secure connection, check Use SSL Encryption. Finally, enter the
Sender Address, User Name and Password. Once you have finished your email settings, you can
Check Configuration; you will receive a message at the given address.
Within the installation directory of the bMS server under …\MailTemplates you will find
(adjustable) templates for sending enrollment mails.

Figure 10.18.: Email

Gateway
To manage mobile and Windows devices connected via the Internet, a dedicated server acting as
gateway* is necessary. A bMS server accessible from outside is an attractive target for cyber
criminals; the gateway's purpose is to keep your internal infrastructure secure. Once a gateway
is implemented, all connections between mobile devices and the bMS are established via
this system. Therefore, access must be ensured in both directions, internally and externally.
The server on which the baramundi Gateway service runs should be located in a separate DMZ.
It should not be a member of an internal domain, either.
If you decide to use a gateway for mobile devices already managed via the bMS, all these devices
must be enrolled again!

* To run gateway operations, Microsoft .NET 4.6 must be installed.

Figure 10.19.: Gateway



Within the gateway configuration, you will find the Enrollment via Gateway option. Its
disadvantage is the risk that the enrollment interface for mobile devices is no longer available
only to internal users but to anyone. Anyone can try, with guessed tokens, to enroll with the
server and obtain a client certificate.
If you have ongoing security concerns, simply do not use this option and enroll new devices in
the internal network only.
If you do want to use gateway enrollment for new devices, we recommend activating the
Activate verification of the server identity on the first connection option. If active,
the server stores the certificate fingerprint along with the enrollment code in the QR code.
The mobile device verifies the fingerprint before enrolling with a management server. If the
fingerprints do not match, the user is prompted to confirm or deny trust in the server
(pinning).
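What the device does with the fingerprint carried in the QR code can be illustrated with a short script. This is an added example for this edition, not baramundi Mobile Agent code: the JSON layout of the enrollment payload, the use of SHA-256 over the DER-encoded certificate, the example server address and the stand-in certificate bytes are all assumptions made here.

```python
import hashlib
import hmac
import json
from typing import Callable

# Constructed stand-ins for DER-encoded server certificates. A real agent would
# take the bytes from the TLS handshake; any byte string serves for the demo.
SERVER_CERT_DER = b"constructed stand-in: legitimate management server certificate"
ROGUE_CERT_DER = b"constructed stand-in: certificate of a man-in-the-middle"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form most tools show."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_enrollment_payload(server_url: str, enrollment_code: str,
                             pin_server: bool) -> str:
    """Assumed QR-code content: server address, enrollment code and, only when
    the verification option is active, the server certificate's fingerprint."""
    payload = {"server": server_url, "code": enrollment_code}
    if pin_server:
        payload["fingerprint"] = fingerprint(SERVER_CERT_DER)
    return json.dumps(payload)


def verify_server(payload_json: str, presented_cert_der: bytes,
                  ask_user: Callable[[str, str], bool]) -> bool:
    """Device-side check before enrollment; True means enrollment may proceed.

    Without a pinned fingerprint the first connection trusts whatever
    certificate is presented (the weaker mode). With a pin, a mismatch is only
    accepted if the user explicitly confirms it, as the prompt described above.
    """
    payload = json.loads(payload_json)
    pinned = payload.get("fingerprint")
    if not pinned:
        return True
    actual = fingerprint(presented_cert_der)
    # constant-time comparison on the normalised hex strings
    if hmac.compare_digest(pinned.replace(":", "").upper(),
                           actual.replace(":", "")):
        return True
    return ask_user(pinned, actual)


def deny(expected: str, got: str) -> bool:
    """User-prompt stand-in that refuses an unexpected server certificate."""
    print(f"fingerprint mismatch: expected {expected}, got {got}")
    return False


if __name__ == "__main__":
    qr = build_enrollment_payload("https://mdm.example.net:443", "ABCD-1234", pin_server=True)
    print(verify_server(qr, SERVER_CERT_DER, deny))   # legitimate server: True
    print(verify_server(qr, ROGUE_CERT_DER, deny))    # interposed certificate: False
```

The pin only helps if the QR code itself reaches the user over a trusted channel (in the internal network or by mail to a known address): an attacker who can hand out his own QR code can also put his own fingerprint into it.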

Configuration
To operate a gateway, you have to configure baramundi Gateway in the bMS server and to
set up a gateway on a separate Windows server. Proceed as follows:

The following settings have an immediate effect on your system.

1. In the Configuration module, open the Mobile Devices view.
2. When using third-party certificates, activate Use third party SSL certificate at the top
under bMD Server.
3. Under Gateway set Gateway mode to baramundi Gateway.
4. Under Gateway hostname enter the name at which the gateway/firewall will be reachable
from the managed devices.
5. Under Internet DIP server (URL) enter the URL* of the DIP server whose baraDIP will be used
for data transfers by the gateway.
If you do not use an externally created SSL certificate for your gateway, the Gateway SSL
certificate entry is filled in by the system automatically and the field stays inactive.
If you want to use an SSL certificate of a public or company-internal CA, import it via the Import
button. The gateway client certificate is created by the bMD root CA.
6. Activate the Gateway commissioning option; this generates the Gateway enrollment token
you will have to enter in the gateway settings later on. Hence:
7. Write down the generated Gateway enrollment token.
8. Save your configuration and restart the server service. Restarting the server service
activates the enrollment interface for the gateway.
The bMS server configuration is completed. Next, we need access to the Windows server
which will provide the gateway service.

* e.g. http://MeinServer.domain.local:<port>



Installation
1. Install baramundi Gateway*.
2. Start Gateway Enrollment Wizard, as suggested by the setup.
3. Give a name for the bMS servers, a port for SSL accesses and the previously generated
one-time-token.
4. Ensure whether the wizard displays SSL certificate data of the server; in that case, the
server identity could not be checked, automatically. If the settings are correct, confirm.
Check the bMD certificates data. If correct, confirm.
5. Wait until the wizard has been completed registration.
6. Start again bServer and logon again. This bServer restart will shut down the enrollment
interface to operate the gateway for security purposes.

bMC will tell you whether or not registration was successful: Look to Gateway enrollment state
within the gateway configuration view. There, you should see Successfully enrolled. If so, the
gateway is ready to work. Make sure that your system will be available on port 443.
Router/Firewall: To operate CEM effectively, you should make sure the bMA can reach the i
gateway via port-forewarding on port 443. That’s why this port will be unblocked most
probably for outgoing data traffic within external networks (hotels, home offices).

Enrollment via Gateway. In general, we recommend performing enrollments via your internal network
only. Nevertheless, it is possible to enroll via the Internet by enabling the Enable
Gateway Enrollment option.
If you enable Enrollment via Gateway retrospectively, the bServer service must first be
restarted and then the Gateway must be re-enrolled.

The gateway must be restarted if:

• the server port changes after commissioning
• the hostname of the gateway changes

A new enrollment of end devices is always necessary if the basic communication address
that an end device communicates with changes after the enrollment. That is the case† if:
• the port of the external interface with which devices communicate changes
• you change from a baramundi certificate to a certificate of another root CA‡
• the host name or web address with which a device communicates changes
• the hostname in the certificate no longer matches the name under which the server
logs in to the device

* you'll find the sources on the bMS ISOs: …\baramundi\bMD-Gateway\Setup.exe


† it doesn't matter whether gateway or server mode
‡ e.g. self-signed baramundi to third-party provider or the other way round



Figure 10.20.: MDM Security Settings

Security Settings
At the bottom of the view you'll find buttons to validate some core data of your mobile
device configuration. Via Verify Values you can check some gateway settings. There are three
possible results: Successful (no need for action), Warning (indirect need for action) and
Error (direct need for action).

Enrollment Profile
This node contains a DEP profile. Such a DEP profile can define the behavior of a DEP-registered
device. To set values switch to Edit Mode; to only display your settings switch Edit Mode off.

Before you edit Suppressed dialogs during device activation, keep in mind that the dialogs
tagged here will not appear when a user switches on the device for the first time; instead
the default values of the device apply. If you, for example, suppress the location services
dialog, some apps will not work on any device. Moreover, not all settings can subsequently be
configured via mobile device profiles (see p. 192)!



Figure 10.21.: DEP Profile

You can neither create DEP profiles* nor delete a profile here.

Interfaces
Within the Interfaces node, you'll see the connection data of bConnect, an interface for external
access to bMS functions, and of bKioskConnector, an interface to the Windows 8.1/10 Kiosk
app. Press the Edit button to get into the Interfaces object tab, where you can activate the
interfaces, select the port to communicate on and, for the bKioskConnector, the kind of authentication.

Certificate Management
Within the Certificate Management node you can import certificates into the bMS. Such
certificates can later be deployed via a profile and referenced from other bMS configurations.
This helps to reduce errors when transferring certificate data.

* How to do that you'll find on page 228.



Certificates
Here you can:
• Import server and CA certificates

• Deploy server and CA certificates via Mobile Devices profiles

• Select CA certificates directly while creating a SCEP certificate authority

So you don't have to transfer certificate authorities and SHA1 hashes manually.
When importing certificates, only the public part of a certificate is saved. By default
the system uses the filename (without the file extension) as display name.
You can import .cer, .crt, .pfx and .p12 files.
You can only export the public part of a certificate. If you import a certificate that is already stored
in the database (same public key), all data in the database will be updated. This is how a stored
certificate can be updated after a certificate renewal.

A user needs Edit rights for this, because an already existing object is modified.
Keep in mind: A tiny typo could mean that a service or a function simply does not work, or
that a complex troubleshooting process will be required!

Figure 10.22.: Certificates
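The rules above (public part only, display name taken from the file name, re-import with the same public key updates the existing entry, SHA1 fingerprint as later needed for the SCEP CA settings) as an added Python example. This is not baramundi code: it is a self-contained illustration that walks the DER structure of an X.509 certificate to locate subjectPublicKeyInfo and keys the store entry by its hash, so a renewed certificate for the same key replaces the old entry while a different key creates a new one. It handles .cer/.crt in PEM or DER form only; .pfx/.p12 are PKCS#12 containers and are not parsed here. The CertificateStore class, build_test_cert and the file names are assumptions; build_test_cert produces a constructed, unsigned stand-in with the X.509 field layout, not a real certificate.

```python
import base64
import hashlib
import re
from pathlib import PurePath


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos].
    Returns (tag, value_start, value_end); value_end is also where the next TLV begins."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def der_tlv(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    size = len(body)
    if size < 0x80:
        return bytes([tag, size]) + body
    length_octets = size.to_bytes((size.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + body


def pem_to_der(data):
    """Accept a PEM-armoured (.cer/.crt) or raw DER certificate and return DER bytes."""
    match = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    return data


def der_to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def sha1_fingerprint(der):
    """SHA-1 over the whole DER certificate, colon-separated like the Windows certificate viewer."""
    return ":".join(f"{byte:02X}" for byte in hashlib.sha1(der).digest())


def subject_public_key_info(der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and return that TLV."""
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(der, cert_body)             # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                                  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return der[pos:end]


class CertificateStore:
    """Assumed model of the manual's rules: public part only, display name defaults to the
    file name without extension, re-import with the same public key updates the entry."""

    def __init__(self):
        self.entries = {}                               # key id -> entry

    def import_file(self, filename, data, display_name=None):
        der = pem_to_der(data)
        key_id = hashlib.sha1(subject_public_key_info(der)).hexdigest()
        updated = key_id in self.entries
        self.entries[key_id] = {
            "display_name": display_name or PurePath(filename).stem,
            "fingerprint": sha1_fingerprint(der),
            "der": der,                                 # never a private key
        }
        return key_id, updated


def build_test_cert(serial, public_key_bits):
    """CONSTRUCTED stand-in: X.509 v3 field layout with an RSA OID, unsigned, with empty
    issuer/subject/validity. Not a real certificate; it only exercises the parser."""
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
    algorithm = der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))
    spki = der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + public_key_bits))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))      # [0] version v3
                  + der_tlv(0x02, bytes([serial]))           # serialNumber (< 128)
                  + der_tlv(0x30, b"") + der_tlv(0x30, b"")  # signature, issuer
                  + der_tlv(0x30, b"") + der_tlv(0x30, b"")  # validity, subject
                  + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

The point of keying on subjectPublicKeyInfo rather than on the whole certificate is the update rule in the text: a renewed certificate has a new serial, validity and signature, so its fingerprint changes, but the public key and therefore the store entry stay the same. The fingerprint is still kept per entry, because that is the value a SCEP CA configuration asks for.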



Deploy Certificates to Mobile Devices
Mobile devices sometimes use services that secure their communication or authenticate the
device via certificates. In such cases, mobile devices warn users if the issuing CA is unknown.
Via a profile item you can prevent such warnings by making those CAs (or the server
and device certificates) trusted. Imported certificates can therefore be deployed under
Extensions Profiles for Mobile Devices by selecting New/Profile and the profile item Certificate.
To deploy certificates, follow this short procedure:
1. Import the certificate to be deployed
2. Create a profile for mobile devices
3. Add the profile item Certificate
4. Select the imported certificate
5. Create a job and deploy the certificate to mobile devices

Certification Authorities
You can issue certificates to mobile devices automatically, to authenticate them against company
services (e.g. Exchange). To do so, a certification authority known to baramundi must exist
beforehand. To issue certificates, this CA must use the Simple Certificate Enrollment Protocol

Figure 10.23.: Certification Authorities



(SCEP). Currently, Microsoft's Network Device Enrollment Service (NDES) is supported. You'll find
information about this service on the Internet at:
1. https://technet.microsoft.com/en-us/library/hh831498.aspx
2. http://social.technet.microsoft.com/wiki/contents/articles/9063.network-
device-enrollment-service-ndes-in-active-directory-certificate-services-ad-
cs.aspx

Please note that the NDES registry value UseSinglePassword* has to be activated for bMS
usage. The main key created for NDES authentication has to be entered as registration key for
the CA (PSK).

Restrict NDES Access: If you only issue certificates via bMS, you can restrict NDES access in
IIS to certain IP addresses. Define the IP address of your bMS server as allowed; this blocks all
calls from unauthorized systems. Because UseSinglePassword reuses one challenge password for
every request, limiting which hosts can reach the NDES endpoints is the main control against
misuse of that password.

Custom Defined Encryption. On request, the default password for encryption in the database
can be replaced by a self-chosen password. To do this, use the button Set encryption password
at the bottom of the node Configuration Mobile Devices. In case of a database restore this
password must be re-entered via Restore encryption password. Otherwise the encrypted
information can no longer be accessed.

General Settings
To create a root certification, you have to set some general information first:
Name bMS display name of the root certification
Certificate Selection of imported certificates
Import Certificate import
Identity of the root certification Unique ID of the root certification on the SCEP server
Fingerprint (SHA1) of certification authority SHA1 fingerprint identity of the certification authority (CA);
here you'll be asked for the SHA1 fingerprint shown in the CA†.

SCEP Settings
Here, new SCEP services‡ can be registered and managed:
SCEP Url Address at which the service is available; several identities can be linked to one address.
Registration Key (PSK) Main key for issuing certificates at the root certification
Validity of the baramundi token (bOTT) in min. Maximum time within which a certificate may be requested after a job has started

* which you'll find via the keyword «Reusing a password for multiple devices» in the
second link given above
† only needed for Windows Phone 8.1
‡ Information about IPCU import of SCEP configuration blocks you'll find on page 195.



Direct Communication with SCEP Server Tells the device to connect to the SCEP service directly.
The bOTT token is then not needed. In this mode, the SCEP service must be reachable by
all devices directly!

Renewing certificates via SCEP is not supported.

Domain Configuration
Install, network and administrative users for the domains to be managed are configured here. A
different install user can be created for each domain. The administrative user
installs the baramundi Management Agent; the install user, in contrast, is used to execute
jobs. The install user requires administrative rights on the target system; the administrative
user requires administrative rights in the domain.

Figure 10.24.: Domain Configuration



General

New domains can be created via the New/Domain context menu under Configuration Domains. First,
the Name of the domain (Fig. 10.24) has to be entered. The wildcards * and ? are
permitted in order to match multiple names.
Type determines the type of domain. The Any Type setting also applies here. This special
type allows a domain to be assigned without specifying a type. By default, this domain
setting is marked with a * (however, permanent use is not recommended). The administrator
account for the domain (Administrator), its password (Admin Password), the account for the
install user (Install User) and its password (InstallUser Password) are entered under Access accounts.
Click Check accounts to ensure that the account information is correct. The account and
corresponding password will be checked. The check does not determine whether the group
or account has sufficient rights. If name resolution for an external domain is not properly
configured, the query may return an error.

Management User Accounts


To manage Windows devices, several user accounts are necessary. You'll need those accounts
to execute administrative tasks automatically. They are:

Administration User.
• Installs agents on Windows devices
• Saves the downloaded files of download jobs:
– MSW and patches on the primary DIP$
– compliance rule sets to the configured storage location
– updated files for database import into the FileImport directory of the server
• Creates computer accounts (OS-Install)
• Reads baramundi Deploy scripts on the primary DIP to prepare bMS jobs
• Executes AD syncs

Installation User. This user is used to execute jobs with server-side actions (SSA) within a user
context.
• Executes jobs with server-side actions
– executes such jobs on the server
– accesses the DIP$ for the SSA
– is used for Windows device access on the client while executing the SSA step



Local Installation User. There is no need to create this user manually; it is created by the
agent on Windows systems. This user is named baraInstLocal.
• Executes Deploy, Patch and Inventory jobs on Windows devices (but without network
access), if configured

Network User. This user is used to access network resources during job execution.
• Is used for every bMA network access if the execution context LocalSystem, Local
Install User or Install User has been selected (also applies to accesses to DIP$ and BMS$)
• bMA authentication to the baraDIP for bBT transmissions (for all execution contexts)
• Is used for DIP synchronization

If the specified user is not a member of the domain administrator group, the database manager
returns an appropriate message. If, however, you have granted the rights listed above, this is not a
problem. For some job steps, you'll need write rights on the DIP. These are:
• Create Master Image of an Operating System
• Wipe Hard Disk
• Execute Backup
• Create Image Backup

Moreover, the job steps Install Software and Deinstall Application can write to the DIP too,
depending on user-defined commands and scripts. Unless absolutely necessary, you should
not grant write rights, for security reasons: an account that can write to the DIP can modify
the installation sources that every managed client executes.

Actions
The Windows search service (Fig. 10.24) can be used to identify new workstations and servers.
New systems can be added automatically to a defined logical group. The option Immediately
Install Agent installs the baramundi Management Agent onto a system immediately after the
system is detected.
After a version update, the agent version will not be updated until the first job is
executed. Use separate accounts for the administrative and the install user. Please ensure that the
administrative user account is activated, and that it has the AD right to create and delete
computer accounts within the computer container.

Virtualization
Configure basic settings for virtual environments, here. This requires a restart of the modules
Virtualization Inventory and Virtualization Server-Side Action Executor.



Hypervisor inventory (Number of max. parallel inventories) Maximum number of parallel hypervisor inventories;
minimum: 1. Additional hypervisor inventories are added to the queue.
Jobs (Number of max. parallel jobs) Maximum number of parallel jobs of job type Manage virtual
machine; minimum: 1. Additional jobs are added to the queue.

amando Miss Marple


Miss Marple is a SAM solution by amando software GmbH. To display reports of an already
existing Miss Marple installation, configure the connection data under Configuration amando Miss Marple.
Afterwards, you can view the reports in Extensions Reporting amando Miss Marple.

Configuration
1. Under Configuration amando Miss Marple click Edit in the action bar.
2. To connect to the SQL Reporting Server, the Web Service URL must be entered. If the
configured port differs from the default (443), the port must be included in the URL.
3. Under Username and Password enter your access data.

Figure 10.25.: amando Miss Marple Configuration



4. The report directory is selected automatically depending on the bMC language.
On German systems, reports are loaded from the report directory for German
reports. The relative path to this directory needs to be entered into Path to German
Reports.
5. In all other cases, the bMC lists all reports of the directory for English reports. The
relative path needs to be entered into Path to English Reports*.

For security reasons, only HTTPS is supported for communication with the reporting server.
Additionally, the reporting server must offer authentication via Negotiate. Both of these
requirements need to be configured on the SQL Reporting server.

To establish an HTTPS connection successfully, the server certificate must be available in
the Windows certificate store. Please note: The bMC, and not the server, establishes the
connection to the MS SQL Reporting Server†.

The configured user must have read access to the report directories and the contained reports.

Installation
ReportViewer Runtime 2015 and System Types for SQL Server 2014 must be installed on the
system the bMC is running on. These components can optionally be installed by the Management
Suite setup. If you don't install these components, you'll get an error message when opening
amando reports.

SQL Server Reporting Services 2008 is supported by amando Miss Marple, but not compatible
with baramundi. SQL Server Reporting Services 2008 R2 and higher are supported by
the Management Suite.

baramundi supports SQL Reporting Server only in native mode, not in SharePoint mode.

You’ll find more Information about using amando Miss Marple reports in chapter «Extensions»
on page 200.

Security Management
Security management can be found under Configuration Security Management. Here, new security
profiles can be created and assigned to Windows users and groups.

* Known amando restriction: Although the content of these reports will be in English, the
report names will remain in German.
† certificate storage of that device bMC is running on.



Security Profiles
A global basic rule first determines the authorized users. From these, specific security
profiles can be derived that assign security-relevant restrictions to specific users.
Via Security Management Security Profile in the New/Security Profile context menu you can select the
respective areas that should not be available after system start. Suite areas that are not
activated in this setting are not even displayed for that user in the baramundi Management
Center. After these settings have been confirmed, the new security profile is created under
the node of the same name and can be assigned to users.

Windows Users and Groups

In the Security Management/Users and Groups node you can assign security profiles to users and groups
from the Active Directory as well as to local accounts. The New context menu offers the
choice between Windows User or Group and User or Group (direct entry). In the first case,
known groups or users can be searched.
Via the Object types button (Fig. 10.26) you can determine whether the rights distribution
concerns users, groups or both. The paths where the respective people are located and where
specific rights should apply can also be entered. Specific names are entered in the lower list
field, and Check Names tells you whether they exist: If the name is known, it is supplemented
with the search path; if a name is not found, a New entry prompt appears. You can refine your
entry via the Advanced button. With direct entry it is possible to transfer a group or user name
directly to the system via a list field. Users are assigned a Security profile (Fig. 10.27), or
multiple profiles, under Configuration Security Management User and Groups via the Properties context menu.

Figure 10.26.: User

Setting Authorizations
After you have defined security profiles, basic rules, which are visible as elements of the bMS
tree structure, can be granted and/or revoked for the remaining areas or objects:
Full (full) Full rights, no limitations,
Re (read) Reading rights,
Mo (modify) Modification rights,
Del (delete) Deletion rights.



Figure 10.27.: Security Profile Figure 10.28.: Rights

If a user has been assigned multiple security profiles, the maximum authorization applies,
in the same way as user rights are handled in Windows.
The first right, Full, allows not only reading, modification and deletion, but also changing the
right itself! Re+Mo+Del together are therefore not the same as Full.

Select Properties in the context menu of the respective node and open the Rights tab.
Security profiles can be added and removed in this dialog via the Add and Remove buttons,
and the option fields grant or deny the reading, modification and deletion rights described
above. You can also prevent sub nodes (OrgUnit) or sub objects (Subobject) from being
created by deactivating the respective options under Special. In all nodes in which sub nodes
can be created, the authorization scheme of the parent node can be adopted via the Inherit
rights option and then edited (Fig. 10.28).
If a profile has been created and allocated to the respective users, delete the star user.
This is a default profile that grants rights to every user. As long as the star profile is
kept, your changes cannot become effective. Delete it simply via the delete key.
Before deleting the star user, however, ensure that you have entered an administrator, who is
allowed to do anything, under Security profiles in the Database Manager. The Database Manager
is an administration tool that should only be available to administrators.

Alternatively, to delete a profile, click it and select Delete in the context menu. After the bMS
prompt has been confirmed, the profile is permanently deleted. Your security settings come into
effect after the server restarts via the context entry Start Server of the topmost bMS node.



An Example
We would like to clarify the bMS security settings with an example. Let us assume you would like
to restrict the Inventory module area for data protection reasons. Let us also assume all of
your colleagues should have full access to the Suite, except for Inventory: They should only be
able to see the settings, but not modify them.
Security Profile According to the above assumption, a security profile must be created in which
the Inventory module is blocked from general editing. After profile creation, Inventory is not
displayed as an entry in the baramundi Management Center at all.
1. Open the dialog for creating a new security profile.
2. Name the profile: No inventory.
3. Deactivate the Inventory option.
Assigning Groups The security profile just created still has to be allocated to a user group.
4. Select the context menu entry New/Windows User or Group under Configuration
Security Management User and Groups.
5. In the dialog, classify and name (Withoutinv) the respective group/user that
should be excluded from using the inventory.
6. Select the item Properties in the context menu of the group created (Withoutinv).
Mark the No inventory option there.
Managing Rights The Management node still has to be restricted in such a way that the group has
only reading rights on the node. Then restart the bMS Server.
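The rights semantics of this section and of the example above (maximum authorization across several profiles, Full versus Re+Mo+Del, inherited rights on sub nodes, and the star user that grants everyone rights until it is deleted) as an added Python model. This is not the bMS implementation; the SecurityTree class, the node paths and the profile names are assumptions. It exists to make the consequences visible, for instance that a user who holds both a Full profile and the No inventory profile still ends up with Full on Inventory, and that the restriction has no effect at all while the star user is present.

```python
STAR = "*"   # the default principal the manual calls the "star user"

# which single right satisfies which action; only Full may change the ACL itself
RIGHT_FOR_ACTION = {"read": "Re", "modify": "Mo", "delete": "Del", "change_rights": "Full"}


def merge_rights(*grants):
    """Several profiles on one user: the maximum authorization applies (set union)."""
    merged = set()
    for rights in grants:
        merged |= set(rights)
    return merged


def allows(rights, action):
    """Full implies every action, including editing the rights themselves;
    Re+Mo+Del together still do not allow change_rights."""
    if "Full" in rights:
        return True
    return RIGHT_FOR_ACTION[action] in rights


class SecurityTree:
    """Assumed model: nodes are '/'-separated paths. A node without its own ACL inherits the
    nearest ancestor's ("Inherit rights"); the STAR principal applies to every user."""

    def __init__(self):
        self.acl = {}                      # path -> {principal: set(rights)}

    def set_acl(self, path, acl):
        self.acl[path] = {principal: set(rights) for principal, rights in acl.items()}

    def clear_acl(self, path):
        """Drop a node's own entries so that it inherits again."""
        self.acl.pop(path, None)

    def acl_for(self, path):
        node = path
        while node:
            if node in self.acl:
                return self.acl[node]
            node = node.rpartition("/")[0]
        return {}

    def remove_principal(self, principal):
        """E.g. delete the star user once real profiles are in place."""
        for acl in self.acl.values():
            acl.pop(principal, None)

    def effective(self, path, profiles):
        """Rights of a user holding the given profiles on the given node."""
        acl = self.acl_for(path)
        return merge_rights(*(acl.get(p, ()) for p in (*profiles, STAR)))

    def visible(self, path, profiles):
        """Areas on which the user holds no right at all are not displayed in the bMC."""
        return bool(self.effective(path, profiles))
```

The model deliberately has no deny entries, because the text describes rights that are granted and merged upward; the only way to take a right away from a user is to make sure no profile assigned to that user, and no default principal, grants it on that node.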

IP Networks
If your network includes multiple IP networks, it may be helpful to use multiple DIP servers
to reduce the network load on WAN connections, which generally have lower bandwidth. In
addition to Name, the unique identification of the new network, the UNC paths to multiple
DIP servers can be stored under DIPS. The DIP servers are separated by semicolons. If
this field is empty, the DIP server of the associated logical group will be used. If the GroupDIPs
variable is entered, the system will attempt to contact the DIP server of the logical group if the
DIP server entered here is unavailable.
Job execution itself is controlled via three options:
• Always allow job execution

• Always deny job execution

• Check network bandwidth for job execution

If you choose the last option, a Network bandwidth has to be given. Moreover, remote
computers can be reached via a Wake-on-LAN relay.



Figure 10.29.: IP-Network Figure 10.30.: Boot Environment

DIP Management
To provide all the applications which are to be deployed via the baramundi Management Suite,
installation sources are stored on so-called DIP servers (Distribution Installation Points).
To make sure the provided software is up to date, each target DIP server has to be
synchronized with a source DIP server regularly. Any number of source DIPs is possible and
they can be synchronized automatically. The last one however, the so-called «Master», has to be
maintained by an administrator manually.

Install and Configure baraDIP

In order to use baramundi DIPSync, the baraDIP service module has to be installed on each DIP
server. Thus, the first step towards DIP synchronization is the baraDIP installation. You can do this
manually or simply by using a bMS job.
In general, baraDIP installation/configuration is done in a few steps:
Installation To provide the bBT installation sources, just execute the baramundi baraDIP
setup.exe on the installation medium. Select your Language and accept the license
agreement. Then click through the dialogs via Next to the configuration section.
Configuration Usually, the information about the ports and DIP can be accepted. Enter the bMS
server name and the name of the network user plus password and confirm. Please
note: The dialog accepts only lower case letters! This prevents web server
login problems later on.
Encryption The baraDIP can communicate with DIPs via HTTP or HTTPS (recommended/default).
Various scenarios are possible.

HTTP/HTTPS Settings
To encrypt all connections of a DIP, baraDIP uses HTTPS. Whichever way you choose, whether
you set up a new system (NEW) or update an existing one (UPDATE), with unencrypted
(HTTP) or encrypted (HTTPS) data transfer, one of the following procedures should be selected:

NEW, HTTP
1. Under baramundi baraDIP execute setup.exe.
2. Open the configuration tool (baraDIPConfig) in a console (cmd) with the
/Communication=HTTP parameter and complete your configuration settings.

NEW, HTTPS
1. Under baramundi baraDIP execute setup.exe.
2. Open the configuration tool (baraDIPConfig) and complete your configuration settings.
3. In Configuration DIP Management DIP Server select a DIP and click Switch to HTTPS in the
context menu (or in the action bar).

UPDATE, HTTP
1. Under baramundi baraDIP execute setup.exe.

UPDATE, HTTPS
1. Under baramundi baraDIP execute setup.exe.
2. In Configuration DIP Management DIP Server select a DIP and click Switch to HTTPS in the
context menu (or in the action bar).

If you have already set up an HTTPS connection manually, select the procedure UPDATE/HTTPS.
If you should have reasons to switch from an existing HTTPS connection back to HTTP:
1. Open the configuration tool (baraDIPConfig) in a console (cmd) with the /Communication=HTTP
parameter and leave your configuration settings untouched.
2. Restart baraDIP.
3. Deactivate the Use HTTPS option in the DIP properties dialog (Edit).

The baraDIP installation is also available via Managed Software. HTTP and HTTPS settings can
be edited easily using the configurable Parameters under Software Managed Software baramundi Management Suite
baraDIP — Edit — Configurable Parameters. For further information on this topic, please take a
look at the corresponding guide in the baramundi Forum.



Creating DIPs
Once the baraDIP service is running on all DIPs, those DIPs can be created within the
baramundi Management Center.
For that purpose, just choose the Configuration DIP Management node and, within the task area,
the New DIP task. On the General tab, for all DIPs the Hostname (FQDN is recommended) and
Domain section has to be edited, as well as the Port of the web server and an interval to check
for updates. Automatic indexing controls the automatic monitoring of changes on the DIP. After
a change is detected, a new index is created, and the bMS server then also triggers all
lower-level target DIPs. This option is active by default.
Once you have closed the dialog, Switch to HTTPS by clicking the button of that name in the
action bar, if you want to operate in this secured mode (which you should).

Figure 10.31.: New DIP

Figure 10.32.: Switch to HTTPS

In the opening dialog, important information is given. Please read it carefully before
you Accept.



Figure 10.33.: Synchronization Figure 10.34.: Bandwidth

Source DIP
Within the cascading synchronization structure there can be a number of source DIPs. These
can themselves be target DIPs of another source. In most cases however there will be at
least one source, called master DIP, that is maintained manually. Therefore a DIP does not
necessarily have a source configured. A source DIP is recognized by its indentation. All DIPs
are shown in a tree structure. All targets of a given source are indented below this server.

Target DIPs
Any server having a source DIP is a target and needs a synchronization mode to be selected
from the Synchronization tab.

Mode. Here, a synchronization method has to be chosen. Via Synchronization Using a Job a
manual synchronization is performed; that means SyncJobs have to be created manually.
Automatic Synchronization on the other hand means that synchronization runs without any
user intervention. Even the needed SyncJobs are created by the system*. With the Automatic
Synchronization (exact copy) option, exactly that happens: The target DIP becomes an
exact copy of the source DIP, and all local differences are deleted!

* and stored for a given number of days.



Source. Here, the source DIP has to be given. At all times this particular target server will
query only the given source for changes. In doing so the target also detects a synchronization
in progress on the source server itself. On such an occasion it will defer its own task until the
source is up to date. The source DIP has to be an already existing DIP server.

For as long as a DIP is another one's source it cannot be deleted. Neither can DIPs which
still have active SyncJobs or that are currently busy refreshing their index.

Includes/Excludes. The rules here are very similar to blacklisting rules (all path information is
relative): With Includes, content of the source DIP that is not listed will not be synchronized;
Excludes requests all files of the source DIP except the software listed under Excludes*. Both
options can be combined as well.

Synchronization Bandwidth. In that tab you can define times and bandwidths to execute SyncJobs.
In doing so, synchronization can be done with the least disturbance to other network traffic.

Synchronization Jobs
In general, SyncJobs can be run automatically or by hand. Each procedure has its own
advantages and restrictions.

Automatic. To run SyncJobs automatically, all you have to do is click Automatic Synchronization
within the DIP properties on the Synchronization tab under Mode. Such a job is
created by the system and executed if needed. This is probably the most comfortable method.
However, there is no possibility to change the contents. Such a job will always take changes
to any included contents into account.

Manually. You can create jobs manually as well under Configuration DIP Management Synchronization Jobs
and in the action bar New/Create New Job. First you have to decide which of the managed
DIPs should be synchronized. For those jobs, a time interval to check for updates can be defined.
The main advantage here is the possibility to create several SyncJobs for different areas of
synchronization. SyncJobs created this way can be used to set times and bandwidths.

DIP Administration
For DIP synchronization certain global excludes (such as backup or local) are set. Such global
excludes (and more) can be changed by editing the property node of Configuration DIP Management.

* Allows the usage of wildcards as asterisks (*) or question marks (?)
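The Includes/Excludes rules, the exact copy mode and the global excludes (backup, local) from the DIP sections above, as an added Python example that is not baraDIP code. The rule semantics it implements are assumptions read from the text: a rule hits a path if it matches the whole relative path as a * / ? pattern or matches one of its parent directories; includes restrict the selection, excludes remove from it, both combine, global excludes always apply, and exact copy additionally deletes files that exist only on the target, except those under a global exclude. The file lists are constructed.

```python
import fnmatch


def matches(path, patterns):
    """True if any pattern matches the relative path itself or one of its parent directories.
    fnmatchcase handles * and ? exactly as the manual's footnote describes."""
    parts = path.split("/")
    prefixes = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return any(fnmatch.fnmatchcase(prefix, pattern.strip("/"))
               for prefix in prefixes for pattern in patterns)


def plan_sync(source_files, includes=(), excludes=(), global_excludes=("backup", "local"),
              exact_copy=False, target_files=()):
    """Return (to_copy, to_delete) for one target DIP.
    includes: only listed content is synchronized; excludes: everything except the listed content;
    global_excludes always apply; exact_copy removes target-only files, sparing global excludes."""
    selected = []
    for path in source_files:
        if includes and not matches(path, includes):
            continue                                   # not on the include list
        if matches(path, excludes) or matches(path, global_excludes):
            continue                                   # explicitly or globally excluded
        selected.append(path)
    to_delete = []
    if exact_copy:
        to_delete = [t for t in target_files
                     if t not in selected and not matches(t, global_excludes)]
    return selected, to_delete
```

Treating the global excludes as protected on the target side is the assumption worth checking against your own DIPs: the text says exact copy "deletes all local differences", and a local or backup directory on the target is exactly such a difference.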



Figure 10.35.: SyncJob, manually Figure 10.36.: DIP-Server Properties

On the General tab, intervals can be set: Interval for status update during idle state (sec.) sets the
time interval in which the target DIP checks for updates when the system is idle; Interval for
status update during job execution (sec.) checks for updates while synchronization is running.
History for auto synchronization jobs (Number of entries) sets how many results of
system-created jobs are kept on the system. Minimum available storage space after
synchronization: If the disk space that would remain on a target DIP after synchronization
(«AfterSync») is below this minimum, the system shows a message and the job does not run.
The setting Minimum interval between auto synchronization jobs (sec.) avoids synchronization overflows.

Active Directory Synchronization

With the baramundi Management Suite it is possible to take over users as well as computers
from the Active Directory service.

User Synchronization
In order to deploy software in a user-specific way, everyone concerned must first be entered
into the system. These users can be retrieved via the AD directory service. A synchronization job is
set up for the user data transfer. The information is provided in the context menu dialog under
Configuration AD Synchronization, New/User Synchronization Job.



Figure 10.37.: Active Directory Synchronization

Name Give the job (as usual) a unique name
Source LDAP path to the root organizational unit
Interval Here you can set an interval for refreshing user data: a time, e.g. 6:00 pm,
optionally with a day Monday to Sunday. You may use / and ;,
e.g. 15:00/Mon; 18:00/Tue for Mondays at 3 pm and Tuesdays at 6 pm.
Skip empty organizational units Empty organizational units are ignored during synchronization.
Once you have finished and clicked Ok to confirm your entries, the job is stored under Configuration
AD Synchronization. From here you need to select the entry Execute now from the job context
menu or wait for the interval just set before synchronization starts.
The users and groups are then entered under Environment Users and Groups. By accepting this
AD user data, it is now possible to carry out jobs in a user-related manner.

Machine Synchronization
With Machine Synchronization you can import computer data from AD.
• Importing new devices from AD,

• Updating devices and device groups,

• Marking computers which are deleted within the AD.



General
A machine synchronization job first needs a Name. In addition, a Source must be given as an
LDAP path; all devices below this path are considered. Under Target, specify the logical group
in which new devices and device groups are to be created. An Interval defines how often the
AD synchronization job is repeated.
Also repeat in case of errors This option refers to the interval control. If it is activated, the
AD synchronization job is scheduled again even if the last run ended with an error.
Add With this option, new devices and logical groups are created within the bMS. Note that
for groups this only works if the option Synchronize Flat remains inactive. Computers
that are deactivated within the AD service are not created.
Move Moves devices and logical groups that can be assigned to computers or organizational units.
Note that this only works if the option Synchronize Flat remains inactive.
Update With this option, devices and logical groups are updated. For logical groups this only
works if the option Synchronize Flat remains inactive. The LinkId, however, is updated
in any case.
Delete This option deletes every device or logical group that is not assigned to a computer
or organizational unit below the source path. In detail:
• Logical groups are deleted from the database.

• Devices are moved to the device trash (they are neither deleted from nor deactivated in the DB).

Client Trash Deleted devices are moved here. Some particularities apply:
• The chosen group cannot be the same group that is selected as synchronization target.

• The chosen group is never deleted by an AD synchronization job.

• The chosen group can be deleted manually using the bMC. All devices that were moved
there by an AD synchronization job are deleted as well.

The device trash should be created below the group that is chosen as synchronization
target. If this logical group is not created manually, all attempts to move a target
system into the Client trash will fail in subsequent synchronizations.
Synchronize Flat: This imports the data without regard to their structure. Neither the group
structure within the bMC nor the hierarchy of the AD computers is changed; the
synchronization target becomes the parent group of all computers. This option cannot
be combined with the Delete action, because the bMC group structure would otherwise
be changed (namely deleted).
Synchronize empty organizational units With this option, empty organizational units are also
considered as synchronization targets. Empty organizational units are AD organizational
units that have no computers as child nodes.
• If this option is deselected, bMC groups assigned to empty organizational units are deleted.

• Such groups are deleted even if the Delete action is not active.
• Self-created groups that are not assigned to an organizational unit are not deleted.
Ignore Errors With this option, errors that occur while a synchronization job is executing are
ignored. This does not mean that such a job is cancelled; the errors are simply ignored.
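To make the interplay of the Add, Move, Update and Delete actions, the client trash and the Synchronize Flat restriction easier to follow, here is an added Python example that computes the actions one synchronization run would perform. It is illustrative code, not part of this manual or of the baramundi product: the source path OU=Clients,DC=example,DC=local, the target group Imported, the trash group Imported/Trash and the device list are constructed, and the DN parsing is deliberately simple (escaped commas in names are not handled).

```python
"""Illustration of AD machine synchronization actions (added example, not
baramundi code). All DNs, group names and option values are constructed."""
from dataclasses import dataclass, field

SOURCE_DN = "OU=Clients,DC=example,DC=local"   # constructed source path
TARGET = "Imported"                            # constructed target group
TRASH = "Imported/Trash"                       # constructed client trash group


@dataclass
class Options:
    add: bool = True
    move: bool = True
    update: bool = True
    delete: bool = False
    flat: bool = False           # "Synchronize Flat"


@dataclass
class BmsState:
    devices: dict = field(default_factory=dict)  # device name -> group path
    groups: set = field(default_factory=set)     # existing logical group paths


def group_path_for(dn, source_dn=SOURCE_DN, target=TARGET):
    """Map 'CN=PC01,OU=Sales,<source>' to ('PC01', 'Imported/Sales').

    Naive RDN split on ',' (escaped commas are not handled)."""
    suffix = "," + source_dn
    if not dn.endswith(suffix):
        raise ValueError(f"{dn} is not below {source_dn}")
    rdns = [r.split("=", 1)[1] for r in dn[: -len(suffix)].split(",")]
    name, ous = rdns[0], rdns[1:]            # ous: innermost OU first
    return name, "/".join([target, *reversed(ous)])


def _ancestors(path):
    """'A/B/C' -> {'A', 'A/B', 'A/B/C'}: every group needed to hold the path."""
    parts = path.split("/")
    return {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}


def reconcile(ad_computers, state, opt):
    """Return the actions a synchronization run would perform, in order."""
    if opt.flat and opt.delete:
        raise ValueError("Synchronize Flat cannot be combined with the Delete action")
    desired = {}                                  # device name -> wanted group path
    for comp in ad_computers:
        if not comp["enabled"]:
            continue                              # deactivated AD computers are not created
        name, path = group_path_for(comp["dn"])
        desired[name] = TARGET if opt.flat else path
    needed_groups = set().union(*(_ancestors(p) for p in desired.values())) | {TARGET}
    actions = []
    if opt.add and not opt.flat:                  # groups are only created when mirrored
        for path in sorted(needed_groups - state.groups):
            actions.append(("add_group", path))
    for name in sorted(desired):
        path = desired[name]
        if name not in state.devices:
            if opt.add:
                actions.append(("add_device", name, path))
            continue
        if opt.move and not opt.flat and state.devices[name] != path:
            actions.append(("move_device", name, state.devices[name], path))
        if opt.update:
            actions.append(("update_device", name))   # LinkId is refreshed in any case
    if opt.delete:
        for name, path in sorted(state.devices.items()):
            if name not in desired and path != TRASH:
                actions.append(("trash_device", name, path, TRASH))  # moved, not deleted
        for path in sorted(state.groups - needed_groups - {TRASH}):
            actions.append(("delete_group", path))   # the trash group itself is never deleted
    return actions


if __name__ == "__main__":
    # Constructed sample: PC03 is disabled in AD, PC04 no longer exists there.
    sample_ad = [
        {"dn": "CN=PC01,OU=Sales,OU=Clients,DC=example,DC=local", "enabled": True},
        {"dn": "CN=PC02,OU=Sales,OU=Clients,DC=example,DC=local", "enabled": True},
        {"dn": "CN=PC03,OU=Clients,DC=example,DC=local", "enabled": False},
    ]
    sample_state = BmsState(devices={"PC02": "Imported", "PC04": "Imported/Old"},
                            groups={"Imported", "Imported/Old", "Imported/Trash"})
    for action in reconcile(sample_ad, sample_state, Options(delete=True)):
        print(action)
```

Running the sample creates Imported/Sales, adds PC01 there, moves and updates PC02, moves PC04 to the trash group and deletes the now unreferenced group Imported/Old; with flat=True no groups are touched and requesting delete as well raises an error, which is the restriction the option list states.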

Variables Assignment.
With ADSync, AD attributes can be synchronized. Using baramundi variables, this is possible
for computers and groups: computer attributes are synchronized into client variables, organ-
izational unit attributes into group variables. Attributes that occur multiple times per object
cannot be synchronized. The attribute Class, for example, is an array data type, so it is
impossible to synchronize this attribute via variable synchronization. Object data types can-
not be synchronized either.

To insert a line break, use Ctrl + Enter.


An Example. The computer attribute whenChanged is to be synchronized. To do so, we first need
a client variable as the synchronization target. Create such a variable (Fig. 10.38); the name
of this new variable is whenChanged as well. Within the Properties of the AD synchronization
job, the bMS variable then has to be assigned (Fig. 10.39). Here, the baramundi client variable
Other.whenChanged is specified.

Figure 10.38.: Creating Variable
Figure 10.39.: Assigning Variable



AD attributes can be optional. If the system cannot find the attribute on the object (computer
or organizational unit) for a certain variable, the job ends with an error.

The notation for a variable assignment is CATEGORY.NAME = NAME for Clients and Groups.
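The following added Python example (not from this manual or from baramundi) checks a list of CATEGORY.NAME = NAME assignments against one AD object before a synchronization would write them. It reports exactly the three cases the text describes: a missing (optional) attribute, a multi-valued attribute, and an object-typed attribute. The SAMPLE_COMPUTER record is constructed; real directory clients return the same shapes (scalars, lists, nested objects).

```python
"""Validate ADSync variable assignments against one AD object (added example,
not baramundi code). The AD object below is constructed."""
import re

# CATEGORY.NAME = ATTRIBUTE, e.g. "Other.whenChanged = whenChanged"
ASSIGNMENT = re.compile(r"^\s*(\w+)\.(\w+)\s*=\s*([\w-]+)\s*$")

# Constructed AD computer object: scalars are single-valued attributes,
# lists are multi-valued attributes, dicts stand for object data types.
SAMPLE_COMPUTER = {
    "name": "PC01",
    "whenChanged": "20170301120000.0Z",
    "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
    "managedBy": {"dn": "CN=Admin,OU=Users,DC=example,DC=local"},
}


def parse_assignment(line):
    """Split 'Category.Name = attribute' into its three parts."""
    m = ASSIGNMENT.match(line)
    if not m:
        raise ValueError(f"not a CATEGORY.NAME = NAME assignment: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def sync_variables(assignments, ad_object):
    """Return (values, problems): the variable values that can be written and
    the reason for every assignment that cannot be synchronized. An absent
    (optional) attribute is reported too, because it makes the job fail."""
    values, problems = {}, []
    for line in assignments:
        category, name, attr = parse_assignment(line)
        variable = f"{category}.{name}"
        if attr not in ad_object:
            problems.append(f"{variable}: attribute {attr} not present on object (optional attribute)")
        elif isinstance(ad_object[attr], (list, tuple, set)):
            problems.append(f"{variable}: {attr} is multi-valued and cannot be synchronized")
        elif isinstance(ad_object[attr], dict):
            problems.append(f"{variable}: {attr} is an object data type and cannot be synchronized")
        else:
            values[variable] = ad_object[attr]
    return values, problems


if __name__ == "__main__":
    vals, errs = sync_variables(
        ["Other.whenChanged = whenChanged", "Other.classes = objectClass"], SAMPLE_COMPUTER)
    print(vals)
    print("\n".join(errs))
```

Running such a check against a few representative objects before saving the job avoids discovering at run time that an assigned attribute is only set on some computers.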

Lock Manager
If the properties of a node have been modified, an entry is created in the Lock manager. This
blocks other users from editing the node. If a locked node cannot be saved properly, an entry
for the node may remain in the Lock manager and the node stays blocked for any further
processing. If such entries appear in this list, you can delete them.
System Name of the device for which the lock was activated
User Name of the user on the device that caused the lock
Instance Numerical value
Time Date and time at which the entity was locked
Node Numerical value
Key Primary key in the database

Event Viewer
The Event viewer displays server process information.

Variables
Variables allow you to store various pieces of information for an object. New variables can be
added via the context menu New/Variable under Configuration Variables . The scope defines the
objects to which a variable applies.
String Any text without quotation marks or apostrophes
Number Any whole number
On/Off Field Checkbox
Editable drop down box Either select one of the specified values or enter a custom string. Use the |
(pipe) character to separate the values, e.g. Quarter1|Quarter2|Quarter3|Quarter4.
Drop Down List Only one option from the specified range may be selected. Use the | (pipe)
character to separate the values, e.g. Quarter1|Quarter2|Quarter3|Quarter4.
Date Enter a date using the selection dialog.
File Name Can be selected with a file selection dialog
Directory Name Can be identified via the directory selection dialog
Password A string field; its content will be displayed masked within the GUI.



Figure 10.40.: Variables

Boot Environments
To install an OS or load an image file, a small operating system needs to be loaded into the
system memory of the target system. This enables the desired actions to be performed
automatically. By default, different boot environments are used: a DOS environment and
Windows PE (32 and 64 bit). For the boot environments to be loaded by a target system, the
target system needs a PXE-capable network card and, for Windows PE, at least 512 MB RAM.
Creating boot environments is described in the previous chapter «Operating Systems».
The following settings are available, depending on which boot environment is selected under
Configuration Boot Environments in the context menu New:
Show in boot menu Specifies whether the entry appears in the boot menu, if one is displayed.
Boot image/Boot path Name of the boot image to be loaded. Enter the name of a boot image
that has been saved under C:\Programme\bsAG\bms\TFTPRoot.
System will be reinstalled If no errors occur during a WinPE session after the job step has started,
the server assumes a successful OS reinstall, and the list of installed software is reset.
Step will not be confirmed No confirmation is given after the image is started. The step is
automatically marked as successful at the next boot.
Comment: Allows you to enter a comment.



Figure 10.41.: Database Maintenance Jobs

Database Maintenance Jobs


There are a number of tasks that can be performed regularly to maintain a well-organized
database. First, a maintenance task must be named. The following settings apply under Type:
Reduce Log Size Reduces the size of log tables. The {KeepHours} variable determines the number
of hours before the current time that are not to be deleted from the log.
Clean up hardware/software/WMI and user-defined inventories Deletes old inventories. The {KeepScans}
variable determines the number of recent scans that are not to be deleted (Default = 2).
Execute SQL Executes arbitrary SQL statements. The SQL<n> variables contain the statements to
be executed, where n is a number between 1 and 32767 and the numbers must be declared
consecutively. The {Date} and {DateTime} variables can be used for the current date, with or
without the current time.
Export Objects Exports bMS objects to backup files for security purposes. The <Objects> vari-
able refers to the name of the file to which the objects are exported. The {Date} and
{DateTime} variables can be used in filenames for the current date, with or without the
current time. <Objects> can include the following: components, hardware profiles,
install engines, drivers, OSs, applications, bundles, devices or dynamic groups. After
exporting, the files can be re-opened using the import interface.



Apply software inventory rules Applies the rules defined for the software inventory.
Export Audit Log Exports and deletes the entire audit log. The {Date} and {DateTime} variables
can be used in file names for the current date, with or without the current time.
It is advisable to leave all DB maintenance jobs untouched. This applies in particular to the
logging table: if you deactivate or remove the DB maintenance job that deletes old logging table
entries, you will get table space violations, which cause database errors.
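As an added Python example (not from this manual or from baramundi), the helpers below show how the job parameters described above behave: {Date} and {DateTime} substitution, the requirement that SQL1..SQLn be numbered without gaps, the cut-off that {KeepHours} implies for the logging table, and the per-device selection that {KeepScans} implies for old inventories. The output formats of {Date} and {DateTime}, and the SAMPLE_JOB values, are assumptions; the manual does not specify them.

```python
"""Helpers mirroring the database maintenance job parameters (added example,
not baramundi code). Placeholder formats and sample values are assumptions."""
from datetime import datetime, timedelta
import re

SQL_KEY = re.compile(r"^SQL(\d+)$")

# Constructed maintenance job definition for the demonstration below.
SAMPLE_JOB = {
    "KeepHours": "72",
    "SQL1": "DELETE FROM Logging WHERE LogTime < '{Date}'",
    "SQL2": "INSERT INTO MaintenanceRuns (RunAt) VALUES ('{DateTime}')",
}


def _as_datetime(value):
    """Accept a datetime or an ISO 8601 string."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def expand_placeholders(text, now):
    """Replace {Date} and {DateTime}, e.g. in export file names or SQL text.
    Assumed formats: YYYY-MM-DD and YYYY-MM-DD_HH-MM-SS (filename safe)."""
    now = _as_datetime(now)
    return (text.replace("{DateTime}", now.strftime("%Y-%m-%d_%H-%M-%S"))
                .replace("{Date}", now.strftime("%Y-%m-%d")))


def sql_statements(params, now):
    """Collect SQL1..SQLn in order; the numbers must run 1..n without gaps."""
    numbers = sorted(int(m.group(1)) for k in params if (m := SQL_KEY.match(k)))
    if numbers != list(range(1, len(numbers) + 1)) or (numbers and numbers[-1] > 32767):
        raise ValueError(f"SQL<n> keys must be numbered 1..n consecutively, got {numbers}")
    return [expand_placeholders(params[f"SQL{n}"], now) for n in numbers]


def log_cutoff(params, now):
    """Reduce Log Size keeps the last {KeepHours} hours; older entries are removed."""
    return _as_datetime(now) - timedelta(hours=int(params["KeepHours"]))


def scans_to_delete(scans_by_device, keep_scans=2):
    """Clean up inventories: keep the newest {KeepScans} scans per device
    (default 2) and return the (device, timestamp) pairs that would be deleted.
    Timestamps may be datetimes or ISO strings, as long as one kind is used."""
    doomed = []
    for device, stamps in scans_by_device.items():
        for stamp in sorted(stamps, reverse=True)[keep_scans:]:
            doomed.append((device, stamp))
    return doomed


if __name__ == "__main__":
    now = datetime(2017, 3, 1, 14, 0, 0)       # constructed "current time"
    print(sql_statements(SAMPLE_JOB, now))
    print("log entries older than", log_cutoff(SAMPLE_JOB, now), "would be removed")
    print(scans_to_delete({"PC01": ["2017-02-01", "2017-03-01", "2017-01-15"]}))
```

Because Execute SQL runs whatever statements the job contains with the server's database privileges, the ability to edit maintenance job definitions deserves the same access control as any other administrative function of the console.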

Maintenance tasks can also be executed in intervals. Examples: 14:00 (2 pm daily), 14:30/Mon
(every Monday at 2.30 pm), 15:00/Mon/Tue;18:00/Wed/Thur (every Monday and Tuesday at
3 pm; every Wednesday and Thursday at 6 pm).
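The interval notation above is the same one used for the AD synchronization jobs earlier in this chapter. The following added Python example (not from this manual or from baramundi) parses it and computes the next run time, so a schedule such as 15:00/Mon/Tue;18:00/Wed/Thur can be checked before it is saved. The interpretation follows the manual's examples (; separates entries, / attaches weekdays, an entry without weekdays runs daily); accepting both Thu and Thur, and the sample dates, are assumptions.

```python
"""Parser for the job interval notation (added example, not baramundi code).
Interpretation follows the manual's examples; details beyond them are assumptions."""
from datetime import datetime, time, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "thur": 3,
            "fri": 4, "sat": 5, "sun": 6}        # Monday == 0, as in datetime.weekday()
EVERY_DAY = frozenset(range(7))


def parse_interval(spec):
    """'15:00/Mon/Tue;18:00/Wed/Thur' -> [(time(15,0), {0,1}), (time(18,0), {2,3})].

    ';' separates entries, '/' attaches weekdays; no weekdays means daily."""
    entries = []
    for raw in spec.split(";"):
        if not raw.strip():
            continue
        clock, *days = (f.strip() for f in raw.split("/"))
        hh, mm = clock.split(":")
        at = time(int(hh), int(mm))             # rejects 25:99 and the like
        try:
            weekdays = frozenset(WEEKDAYS[d.lower()] for d in days) or EVERY_DAY
        except KeyError as bad:
            raise ValueError(f"unknown weekday {bad} in {raw!r}") from None
        entries.append((at, weekdays))
    return entries


def next_run(spec, now):
    """Earliest run time strictly after `now` (datetime or ISO 8601 string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    best = None
    for at, weekdays in parse_interval(spec):
        for offset in range(8):                 # look at most one full week ahead
            day = now.date() + timedelta(days=offset)
            if day.weekday() not in weekdays:
                continue
            candidate = datetime.combine(day, at)
            if candidate <= now:
                continue                        # today's slot has already passed
            if best is None or candidate < best:
                best = candidate
            break                               # later days cannot beat this entry's first hit
    return best


if __name__ == "__main__":
    # Constructed reference time: Wednesday, 1 March 2017, 09:00
    for spec in ("14:00", "14:30/Mon", "15:00/Mon/Tue;18:00/Wed/Thur"):
        print(f"{spec:32} next run {next_run(spec, '2017-03-01T09:00:00')}")
```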

Download Jobs
To keep the information in baramundi Management Server up to date, the intervals for
downloading definition files have to be defined. At these intervals, the definitions are
downloaded from the Internet and imported into the database. The Download Jobs for updating
the Patch Management and Managed Software files and for updating the PCI database are
predefined. It is recommended to check the interval settings.
Aside from the interval, no further changes to the predefined jobs should be necessary. The
context menu of a Download Job (Fig. 10.42) enables immediate job execution.

Figure 10.42.: Download Job


Optimization of automatically executed Download Jobs: For all automatically executed Download
Jobs, files are only downloaded if they have actually changed. This prevents unnecessary data
transfers and thus reduces network load. It applies to all Download Jobs from baramundi servers,
except Managed Software Data. Other web servers must support the ETag (entity tag) functionality
to offer this behaviour. If a download job is started manually, however, the corresponding file
is always downloaded, regardless of whether it has changed or not.
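The exchange behind that optimization is the HTTP conditional request: the client sends the ETag it stored last time in an If-None-Match header, and a server that supports it answers 304 Not Modified instead of resending the file. The following added Python example (not from this manual or from baramundi) implements that client logic, including the manual-run case in which the file is always downloaded. FakeServer is a constructed stand-in so the example runs offline; urllib_transport shows the same exchange against a real HTTP server and is not exercised here.

```python
"""ETag-based conditional download (added example, not baramundi code).
FakeServer and its files are constructed; the HTTP semantics are standard."""
import urllib.error
import urllib.request


def urllib_transport(url, headers):
    """Real transport: returns (status, response headers, body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:     # 304 Not Modified is raised as an error
        return err.code, dict(err.headers), b""


class FakeServer:
    """Constructed server: honours If-None-Match only when it supports ETags."""

    def __init__(self, files, supports_etag=True):
        self.files = dict(files)              # path -> (body, etag)
        self.supports_etag = supports_etag
        self.requests = 0

    def __call__(self, url, headers):
        self.requests += 1
        body, etag = self.files[url]
        if self.supports_etag:
            if headers.get("If-None-Match") == etag:
                return 304, {"ETag": etag}, b""
            return 200, {"ETag": etag}, body
        return 200, {}, body


def fetch_if_changed(url, cache, transport, manual=False):
    """Download `url` only if its ETag changed.

    `cache` maps url -> {"etag", "body"} and is updated in place. A manual run
    (manual=True) never sends If-None-Match, so the file is always downloaded,
    like a manually started Download Job. Returns (body, downloaded)."""
    headers = {}
    cached = cache.get(url)
    if cached and cached.get("etag") and not manual:
        headers["If-None-Match"] = cached["etag"]
    status, resp_headers, body = transport(url, headers)
    if status == 304 and cached:
        return cached["body"], False          # unchanged: no transfer needed
    if status != 200:
        raise RuntimeError(f"{url}: HTTP {status}")
    cache[url] = {"etag": resp_headers.get("ETag"), "body": body}
    return body, True


if __name__ == "__main__":
    server = FakeServer({"/definitions/BPMData.xml": (b"catalog v1", '"etag-1"')})
    cache = {}
    for label in ("first run", "second run (unchanged)"):
        body, downloaded = fetch_if_changed("/definitions/BPMData.xml", cache, server)
        print(f"{label}: downloaded={downloaded}, {len(body)} bytes")
    server.files["/definitions/BPMData.xml"] = (b"catalog v2", '"etag-2"')
    print("after change:", fetch_if_changed("/definitions/BPMData.xml", cache, server)[1])
```

Against a server that sends no ETag at all, the cache never stores one, no If-None-Match is sent, and every run downloads the file, which is the behaviour the manual describes for web servers without ETag support. Response header names are matched exactly here; a real client should treat them case-insensitively.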



Audit Log
The baramundi Management Center gives you the option of creating a log of all actions that
cause changes to objects in the database. There are three types of changes:
1. Creation of an object,
2. Modification of an object,
3. Deletion of an object.

Every detail of every change is entered into the log, meaning that the object will be saved to a
table in the database before and after the change. The XML format is used for this. Please note
that the audit log significantly reduces the performance of the MOC server when active (the
server is slowed to approximately 50 percent). For security, data are saved to the database in
an encrypted form.



11
Suite Help
In this Chapter:
Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Problems Register . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Log Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Checking Accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
bMS-Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
baramundi Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
baramundi Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Now, since the main components and modules of baramundi Management Suite have been
covered, this last chapter will concentrate on continued help, frequently occurring errors and
known sources of errors, and tips on how to work with our software.
Errors can occur in any software system, even ours. Common problems when working with
baramundi Management Suite are that jobs are not executed on target systems or are stopped
prematurely due to an error. First we will present the causes of errors that baramundi
Consulting encounters most frequently. This will hopefully help you to solve a problem
quickly.
The first challenge when resolving problems is to find their cause. We will also go into
troubleshooting. The best place to start tracing the roots of problems is often with an analysis
of the log files.
We will also cover baramundi Management Suite updates, because these will be pro-
duced regularly—as the Suite evolves. This chapter will also explain how to work with these
updates and what to consider when doing so; it will provide details on how to contact bara-
mundi support.

Error Messages
In this section, we’ll outline the frequently occurring errors, unless they have already been
covered by other chapters, and give you tips on how to fix them.
Configuration
A number of Management Suite problems are linked with the configuration. We will show
you some of these errors below.

«Connection Failed»
1. Check the server settings within the server view (bottom left) and enter the correct
information for the baramundi Management Server in the connection credentials. If the
connection can be established successfully, save the configuration.
2. Have all services been started? Check the database Server and the baramundi Manage-
ment Object Connector.
3. Was the console also updated during an update? You can easily check this by com-
paring the current version of the baramundi Management Servers with the installed
version of the local baramundi Management Center.

The server certificate is checked each time you log in to the bMS. If the certificate has
changed since the last login, a message is displayed: you can either accept the new certificate
or refuse it. Please bear in mind that a changed server certificate could be caused by a
so-called «Man in the Middle» attack, in which an attacker tries to redirect you to a wrong
server in order to capture logins, passwords etc. A changed certificate can also mean that
there is a new database on the bMS server. For PXE servers, moreover, it is standard behavior,
because the PXE service generates a new certificate at each service start. So, be sceptical
about changed server certificates.

No bServer Service Available


Another popular problem is this error message:

No connection could be made because the target machine actively refused it.

This error message occurs when the .NET service is not available. So, just switch on the .NET
service or—if you don’t have enough permissions—ask your administrator to do it.

Version Conflict: bMC and bMS-Server


If you use different versions of the Management Center and baramundi Management Server,
you’ll receive this error message:

The socket connection was aborted. This could be caused by an error processing
your message or a receive timeout being exceeded by the remote host, or an underly-
ing network resource issue.

To solve this problem, please install the same versions.

Performance Problems
In some cases, the baramundi Management Server may behave and react slowly. This can be
due to one of the following causes:
1. If the database server runs on the same system, check whether enough physical memory
and hard disk space is available. Check whether the database and log files are being
reduced in size regularly; there are pre-defined database maintenance jobs to do this.
2. Check how much memory the current processes are using. The easiest way to do this is
to use the Task Manager. Check the Object Connector (moc.exe). If it is using too much
memory, restart the services.

The Database Manager Cannot Find the Database


If the Database Manager cannot find the SQL Server, the reason is possibly a named SQL Server
instance. In this case, enter the name of the database server followed by a backslash and the
instance name: Servername\SQLExpress.

Patches
In most cases errors in patch management are caused by conflicting actions run by end users
(for instance, the machine going into standby mode or being shut down during a job). Such
problems can usually be resolved by restarting the jobs.

«The patch database on the server differs from the patch database used on client side»
Both files, wsusscn2.cab (the patch catalog for the Windows Update Agent) and BPMData.xml
(the patch catalog for the bMS database), must have an identical time stamp. Otherwise you
will see the warning mentioned above.
Usually the files are updated automatically. However, restrictive proxy or firewall settings and
the like can sometimes prevent the system from updating these files by itself. The two files
then end up with different time stamps and you get the warning above.
In such a case, please check the Configuration Downloadjobs settings. Also check your synchron-
ization to other locations: do the clients have the up-to-date wsusscn2.cab version? If not,
make the necessary corrections and restart your jobs.

Figure 11.1.: Scan State

Others
Now we would like to outline some other sources of errors outside of the configuration
process. Support is often contacted about these errors too, although they are simple to resolve.

«The job does not contain any executable job steps»


You may encounter this error message occasionally. The message in itself is not helpful, so
here are the main causes for this error.
You are going to install an application The application to be installed does not support the operating
system (see the General tab of the application).
You are going to install an application According to your database, this application has already been
installed. This is why the install option Reinstall Allowed is not active and the server
blocks execution of that job step.
You are going to uninstall an application According to your database, this application has not been
installed yet. This is why the uninstall option Uninstall Unknown Software is not active
and the server blocks execution of that job step.
You are going to install an application Running a job to install a Managed Software product line fails
if a version of that product line is already installed.

This error message only appears if the job cannot execute a single one of its configured job
steps. Otherwise, job steps that meet the conditions above are skipped without any message.

Shutting Down baramundi Management Server


Depending on how many sessions are open in baramundi Management Server at the time of
shutting down, delays due to timeouts can occur. In general, baramundi Management Server
attempts to terminate all sessions when shutting down. This can cause delays if there is a
large number of pending/running jobs or job targets.

Job Cannot Be Executed Properly


If jobs are not executed as you would like, there are several possible causes. For example, a
baramundi Management Server service has not started. In this case, check the Server Status
within the start menu. The bServer service must have a green check symbol. Otherwise, you
can view potential error messages in the baramundi Log under \\Server\bms$\Logs or in the
Event viewer.
If there are problems on the client side, check that communication between the server and
the client is fully intact. Does a ping work from server to client and back? Is the name
resolution correct? Was it possible to update baramundi Management Agent? The cor-
responding error messages can be found in the Windows Event viewer or in the bfcrx.log
under %windir%\System32 or %windir%\SysWOW64\System32\tempbfcrx.
If network problems have been ruled out and all baramundi components have the same
version, verify each step in baramundi Management Center once again and, if necessary,
check the settings for details such as job intervals, validities, automatic assignments etc.

Client Certificate Does Not Fit the Public Key


If the client certificate of a Windows device does not match the public key pinned in the bMS
database, no jobs are executed on that machine. The server displays a message about the
failed identification and then tries to identify the Windows device by its Client Identification
characteristics (e.g. host name, MAC address). These are set under Configuration Server Base
Settings . If the stored public key is no longer valid, delete it from the Windows device
properties. The new key is pinned on the next connection.
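Both situations, the console checking the server certificate at login (see «Connection Failed» above) and the server checking a device's public key against the pinned one, follow the same trust-on-first-use pattern: the first key seen is stored, a matching key is accepted, a different key is refused until an operator decides otherwise. The following added Python example (not from this manual or from baramundi) spells that pattern out; the DER byte strings are constructed placeholders for a real certificate or SubjectPublicKeyInfo.

```python
"""Trust-on-first-use pin store for certificate or public-key checks (added
example, not baramundi code). The DER blobs used with it are constructed."""
import hashlib
import hmac

FIRST_SEEN, MATCH, MISMATCH = "pinned", "ok", "mismatch"


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding. Whether the whole certificate or only the
    public key is hashed must be the same on every check, or pins never match."""
    return hashlib.sha256(der_bytes).hexdigest()


def jobs_allowed(status):
    """Only a pinned or matching identity may run jobs, as the manual describes."""
    return status in (FIRST_SEEN, MATCH)


class PinStore:
    """identity -> fingerprint. Covers both cases in the manual: the console
    pinning the server certificate and the server pinning a device's key."""

    def __init__(self):
        self.pins = {}

    def check(self, identity, der_bytes):
        """FIRST_SEEN stores and trusts; MATCH/MISMATCH never alter the pin,
        so a changed certificate is reported every time until acted upon."""
        fp = fingerprint(der_bytes)
        known = self.pins.get(identity)
        if known is None:
            self.pins[identity] = fp
            return FIRST_SEEN
        return MATCH if hmac.compare_digest(known, fp) else MISMATCH

    def accept(self, identity, der_bytes):
        """Explicit operator decision to trust a changed certificate."""
        self.pins[identity] = fingerprint(der_bytes)

    def forget(self, identity):
        """Equivalent of deleting the stored key from the device properties:
        the next check pins whatever is presented."""
        self.pins.pop(identity, None)


if __name__ == "__main__":
    store = PinStore()
    server_v1 = b"constructed-der-bytes-server-cert-v1"   # placeholder, not a real cert
    server_v2 = b"constructed-der-bytes-server-cert-v2"
    for der in (server_v1, server_v1, server_v2):
        status = store.check("bms-server", der)
        print(f"{status:9} jobs_allowed={jobs_allowed(status)}")
```

The useful property is visible in the third line of the sample output: a mismatch blocks but does not replace the pin, so the operator keeps seeing the warning until accept() or forget() is called deliberately, which is the decision the manual asks you to make with some scepticism.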

Assignment Problems: Virtual Machines — Client


For inventory purposes, both vCenter Server and vSphere Hypervisor (ESXi) servers can be
inventoried. If a vSphere Hypervisor is managed by a vCenter, it can be inventoried either
directly or via the vCenter. If both the vCenter Server and the vSphere Hypervisors it manages
have been registered in the bMS, virtual machines are registered twice, which causes trouble
when assigning one virtual machine to one bMS-managed client.
To avoid such problems, an inventory job displays the following error message for a vSphere
Hypervisor (ESXi): This server is currently being managed by the VMware vCenter Server with the
IP address XX.XX.XX.XX. Please add the VMware vCenter Server instead of the single host.

Troubleshooting
Just as with manual installations, errors can also occur during automatic software distribution.
This means that jobs are not performed on target systems or are stopped prematurely due to
an error. In these cases, you can find information about the problem in a number of different
places. The error messages that assist your analysis are generally self-explanatory: the message
itself usually explains why and where the specific error occurred. These problems are often due
to incorrect syntax in a job definition, invalid installation files, insufficient access rights,
incorrect or failed name resolution, or permission problems with shares or domain accounts.
The error message usually contains meaningful information about the cause of an error. If you
have problems with troubleshooting, our Support team will be glad to help.

Figure 11.2.: Failed Tab

Problems Register
Failed views can be found on job folders and logical groups. For detailed information, follow
the links to take a closer look at the error messages.

Log Tab
The Log is an additional source of information for troubleshooting. The tab can be found in
the view in all Windows devices. The Log tab shows you which tasks were last performed by
the server on the target system (successfully), the modules involved with the job and the user
context used to perform them. You can configure the top of the page to show the time of the
messages displayed, the number of messages displayed, and other settings.



Figure 11.3.: Log Tab

Checking Accessibility
There are many reasons why a system cannot be accessed. For example, it is not possible to
install the baramundi Management Agent on a Windows system with an activated firewall,
because the firewall blocks access to the system.
To check whether the target system can be accessed, you can perform a ping from
baramundi Management Center, via the action bar or the context menu.
When name resolution is performed via DNS, old entries are sometimes present in the DNS
database. If you are sure that the target system should be accessible, use nslookup (from the
command line) to check whether the entry is up to date and verify the IP address.
Information regarding methods and diagnostics for name resolution (NetBIOS, WINS, DNS,
MAC addresses, IP addresses) can be found in your operating system manuals or in documenta-
tion on TCP/IP networks.

A working name resolution system is required for all baramundi Management Suite features.



Log Files
By default, log files about the activities of the individual components and modules are created
both on target systems running baramundi Management Agent and on the baramundi Manage-
ment Server. The baramundi Management Agent log file is located in the installation folder,
usually %Programfiles%\baramundi\bma. There you will find a file called bma.log.
This file is a simple text file with entries for date and time. You can open it with any text
editor. If you would like to view the log file of a target system, you can download it with
baramundi Management Center by selecting Management Agent Log from the task area of the
target system. For analysis purposes, you can also access the system drive of the target system
using the Explorer Drive C function. Because the client generally performs relatively few
actions, this log file is usually just a few kilobytes in size. Additional log files are located on
the server, usually under C:\ProgramData\baramundi\Logs.
BMC - Date.log This is the log file for the baramundi Management Center
MOC - Date.log This is the log file for the baramundi Management Object Connector
bServer - Date.log This is the log file for the baramundi Management Server

Please have these log files ready when contacting our Support team. Your contact person will
tell you the information that is needed from the log files.

Figure 11.4.: BMA.log



bMS-Updates
New versions of baramundi Management Suite are made available in the baramundi Cus-
tomer Forum http://baramundi.de/forum. Every new version is published as a new thread,
regardless of whether it is a patch, service pack, or new release. If you have subscribed to
the forum, you automatically receive an e-mail informing you that a new version has been
posted.
In the user forum you will also find an update guide that extensively addresses the updating
of a bMS environment, as well as numerous version-specific instructions. The Release Notes
should be read in any case before an update takes place.
When updating the server, proceed as follows:
1. Create a backup of baramundi Management Server and the database. Be sure to back
up files that you have manually adjusted, such as the PXE boot image or startup.ini.
2. Close Management Server, the baramundi Management Server .NET and the Management
Object Connector.
3. If you are still using version 8.9 or older: Uninstall the previous version. Update
installations are not supported by Setup.
4. Run the setup (bms_setup) from the local server console and follow the instructions.

During the setup, you may be asked to restart your system. Please make sure you do this. Start
the setup again so that the missing components can be installed.

5. After you are finished, start the database manager and select the option Update Data-
base to keep your database up to date.
6. Restore the files that you changed and backed up as described in step 1.
7. Update (after you have uninstalled the previous version) the Relay server, bMC and
baraDIP installations.
8. Start baramundi Management Server.

After a server update, baramundi Management Agent also needs to be updated. If the
Automatic update setting is enabled (Configuration Server Basic Settings and Properties/Management
Agent), bMA is updated on a target system when a job is to be performed on that system.
For this, the existing version of bMA is uninstalled and the new version installed. If automatic
update is disabled, the Agent update has to be performed manually. This can be done via the
view of the respective client or from the context menu of a parent logical group, in which case
all subordinate target systems are updated.

Error: Server Service No Longer Starts. Has a verifiable user context been entered in the domain
configuration? The user name and password of that user then need to be resolved.
The domain configuration should at least contain the domains that belong to baramundi
Management Server.
Check whether the license has expired. In this case, a warning should appear when you
log on to the console.

Error: Agent Cannot Be Updated or Cannot Be Distributed.


1. Ensure that a firewall is not activated on the target system. This will prevent the Agent
installation.
2. Does the administrative user have administrative rights on the target system?
3. Is there a firewall between baramundi Server and the target system for which the
necessary ports are not open?
a) If the Agent is to be updated at an external location that only has a low-bandwidth
connection to the baramundi Server network, the server may return the following
error message: Agent could not be installed/updated.
b) If all other settings are correct, the problem is likely due to the server not waiting
long enough for the confirmation message from the target system. This means
that the transmission of the installation files took too long (Timeout). In this case,
the Agent will still be installed successfully. This can be seen in the object view of
a Windows device. If the correct Agent version is displayed after some time, the
update has been performed successfully.
c) Pending update jobs will be rescheduled after a timeout (approx. 15 minutes later),
as the job cannot be assigned. If the Agent update has been completed by then,
the job will still be executed.
4. Check whether the path to the installation files has been correctly resolved in the Agent
log (%windir%\<system32|SysWOW64>[\tempbfcrx]\bfcrx.log). If necessary, correct:
Configuration Server Basic Settings and Edit/Management Agent/Installation Command.
5. If you are using the bMA installation mode with LocalSystem, please check whether the
share used can be accessed in the context of the system account. Change the installation
mode under Configuration Server Basic Settings /Communication to Push-Transfer and check
the installation again.

Damaged Sources (Patch Management). If the error message 0x8007000d The data is invalid occurs
while installing updates, it is probably due to corrupt installation sources. If the update comes
from an online source, please start the process again. If the update comes from WSUS, all files
should be deleted and re-downloaded.
General note on finding the cause of errors in controlled WUA installations: you can find
extensive information about the complete update process in the logs of the bMA as well as of
the WUA. The default locations are:

11. Suite Help | 271


%programfiles(x86)%\baramundi\BMA\bma.exe (64-bit)
%programfiles%\baramundi\BMA\bma.exe (32-bit)
%Windir%\WindowsUpdate.log

baramundi Support
You can contact us on weekdays from 9 am to 5 pm by e-mail to [email protected] or by
phone on +49-821-56 70 85 00. If you contact baramundi Support, have your error message
(ideally with a screenshot) and the relevant sections of the log files ready.
We also have an online user forum at http://baramundi.de/forum, where developers and
users regularly exchange experiences and information. It is generally a good idea to look at
the information already posted there first.

baramundi Guides
For special functions of our suite, the latest content and so on, we offer guidelines.
You can call baramundi Support for the current papers. baramundi white papers can also be
downloaded here: https://forum.baramundi.de/index.php?forums/84.



A. Appendix
In this Chapter:
Communication Diagram and Port Assignment . . . . . . . . 274
  Communication Diagram bMD Basic . . . . . . . . 275
  Communication Diagram bMD Gateway . . . . . . . . 276
  Communication Diagram macOS . . . . . . . . 277
  Communication Diagram Cloud-enabled endpoint management . . . . . . . . 278
  Communication Diagram Extended mode Cloud-enabled endpoint management . . . . . . . . 279
Flow Chart of Scripting in Automation Studio . . . . . . . . 284
The MSI Error Values and Their Meaning . . . . . . . . 285
baramundi Variables . . . . . . . . 287
  Frequently Used Variables . . . . . . . . 288
  Standard Variables . . . . . . . . 289
  Variables for Mobile and Windows Devices . . . . . . . . 293
  Variables for Mobile and macOS Devices . . . . . . . . 293
  Custom Variables . . . . . . . . 297
Driver Integration . . . . . . . . 299
Cipher List . . . . . . . . 303

This appendix covers a few extra subjects.

First, there is a diagram of how the components of the baramundi Management Suite
communicate with each other. The diagram should give a better understanding of the
processes within the baramundi Management Suite network.
From time to time, users receive MSI error values in error messages. To save you a long
search, a list of these error codes and their meaning is also provided.
Using baramundi variables is an efficient way of automating management tasks.
A bulleted list, a classification and a small example should provide a good introduction to
working with variables.
Communication Diagram and Port Assignment

Figure A.1.: Communication Diagram

A. Appendix | 274
Communication Diagram bMD Basic

Figure A.2.: Communication Diagram BMD Basic

Communication Diagram bMD Gateway

Figure A.3.: Communication Diagram bMD Gateway

Communication Diagram macOS

Figure A.4.: Communication Diagram macOS

Communication Diagram Cloud-enabled endpoint management

Figure A.5.: Communication Diagram Cloud-enabled endpoint management

Communication Diagram Extended mode Cloud-enabled endpoint management

Figure A.6.: Communication Diagram Extended mode Cloud-enabled endpoint management

Port Assignment

Columns: Process | Port | Direction | Description | Target (for outgoing connections)

Devices
bma.exe | 10086 TCP/UDP | outgoing | Job transfer, inventory/messages | bServer
bma.exe | 10080 TCP | outgoing | Kiosk | bServer
bma.exe | 10083 TCP | outgoing | bBT | DIP Server (Apache)
bma.exe | 10098+x (x configurable) | outgoing | bRemote invitation | bRemote Viewer
bma.exe | 10092 TCP | outgoing | HTTPS | bServer
bma.exe | 10087 UDP | incoming | Server Push |
bma.exe | 11000, 11001 TCP | incoming/outgoing (localhost) | Traynotifier to localhost (local release to the client itself only) |
bma.exe | 11000, 11002 TCP | incoming/outgoing (localhost) | ShutdownJobController to localhost (local release to the client itself only) |
bma.exe | 11000 TCP | incoming (localhost) | BMACmd to localhost (local release to the client itself only) |
Windows | 7777* UDP | incoming | WOL |
Windows | SMB ports | incoming/outgoing | admin$ incoming; DIP$, BMS$ outgoing | bServer/DIP Server
Windows | 3389 RDP | incoming | bRemote |
Windows | 7424, 7425, 7427 TCP (XP/2003 only) | incoming | bRemote |
Windows | 5900 TCP | incoming | bRemote |
Windows | 5900 TCP | incoming | bRemote from Vista and higher; the port range can be configured, see https://support.microsoft.com/en-us/kb/929851 |
Windows | 67, 69, 4011 UDP | outgoing | PXE protocol (boot server, TFTP) | bServer
Windows | 68 UDP | incoming | PXE protocol (DHCP) |
bfcrx | 10099 TCP | incoming | Agent installation |
NetworkscannerAgent.exe | random UDP port | outgoing | Network scan job step, port for SNMP requests |

Server
bMS:
Windows | 80/443 TCP | outgoing | Internet |
Windows | Active Directory access | outgoing | | Active Directory
Windows | SMB ports | incoming/outgoing | BMS$ incoming; DIP$ outgoing | DIP$
Windows | 1433 TCP | outgoing | Database | Database server
Windows | 443 TCP | outgoing | baramundi Virtual: communication port to the VMware module (port configurable; default 443) | baramundi Virtual: vSphere environment, communication with VMware vSphere
baranet.exe | 10081 TCP | incoming | HTTPMOC |
bServiceHost.exe | 67, 69, 4011 UDP | incoming (outgoing source port of the client) | PXE protocol (boot server, TFTP) |
bServiceHost.exe | 68 UDP | outgoing | PXE protocol (DHCP) | Client
bServiceHost.exe | 7777* UDP | outgoing | WOL | Client
bServiceHost.exe | 10080 TCP | incoming | Kiosk | Client
bServiceHost.exe | 10083 TCP | outgoing | DIPSync | DIP Server (Apache)
bServiceHost.exe | 10086 TCP | incoming | Windows client communication |
bServiceHost.exe | 10086 UDP | incoming | WOL and PXE relay |
bServiceHost.exe | 10086 UDP | outgoing | WOL and PXE relay | PXE Relay Server
bServiceHost.exe | 10087 UDP | outgoing | Server Push | Client
bServiceHost.exe | 10088 TCP | incoming | bRemote |
bServiceHost.exe | 10092 TCP | incoming | HTTPS (UBDS, status updates) |
bServiceHost.exe | 10099 TCP | outgoing | Agent installation | Client (bfcrx)
bServer.exe | 80 TCP | incoming | bMD CRL download (Windows Phone only, and only necessary without gateway); no longer needed from bMD 2016 R1 on |
bServer.exe | 443 TCP | incoming | bConnect, bMD |
bServer.exe | 10085 TCP | incoming | bMC, bRemoteViewer, bMOL, Boot Media Wizard, bMC SNMPScanner |
bServer.exe | 10091 TCP | incoming | Database manager (localhost) |
DIP Server:
Windows | SMB ports | incoming | DIP$ release |
baraDIP.exe | 10083 TCP | incoming/outgoing | DIPSync | baraDIP
baraDIP.exe | 10084 TCP | incoming | Apache access |
Apache | 10084 TCP | outgoing | | baraDIP
Apache | 10083 TCP | incoming | bBT |
PXE Relay:
bServer.exe | 10086 UDP | incoming | WOL with PXE relay |
bServer.exe | 67, 69, 4011 UDP | incoming (outgoing source port of the client) | PXE protocol (boot server, TFTP) |
bServer.exe | 68 UDP | outgoing | PXE protocol (DHCP) | Client
Windows | 7777* UDP | incoming | WOL |
Windows | 1433 TCP | outgoing | Database | Database server

Management Components
bMC:
bServer.exe | 10085 TCP | outgoing | Management | bServer
bServer.exe | SMB ports | outgoing | | bServer, DIP Server
bServer.exe | 1433 TCP | outgoing | Reports | Database server
bMC.exe | 443 TCP | outgoing | Ramando reports; port for access to the SQL reporting server, default 443 | Database server
bRemote Viewer:
bRemoteViewer.exe | 10085 TCP | outgoing | Connection to bServer |
bRemoteViewer.exe | 10098 to 10098+x (x configurable) | incoming | bRemote invitation |
bRemoteViewer.exe | 3389 RDP | incoming | bRemote |
bRemoteViewer.exe | 7424, 7425, 7427 TCP (XP/2003 only) | incoming | bRemote |
bRemoteViewer.exe | 5900 TCP | incoming | bRemote |

Mobile Devices (iOS, Android, Windows Phone)
bMS:
bServer.exe | 443 TCP | incoming | bMD communication |
bServer.exe | 80 TCP | incoming | bMD CRL download (Windows Phone only, and only necessary without gateway); no longer needed from bMD 2016 R1 on |
bServer.exe | 443 TCP | outgoing | Android push | Google Cloud
bServer.exe | 2196, 2195 TCP | outgoing | Apple push | Apple Cloud
bMD Gateway:
bGateway.exe | 443 TCP | incoming/outgoing | bMD communication | bServer
bGateway.exe | 80 TCP | incoming | bMD CRL download (Windows Phone only); no longer needed from bMD 2016 R1 on | bServer
Mobile Devices:
All platforms | 443 TCP | outgoing | bMD communication | bServer/bMD Gateway
Windows Phone | 80 TCP | outgoing | CRL download (no longer needed from 2016 R1 on) | bServer/bMD Gateway
Android | 5228, 5229, 5230 TCP | outgoing | Connection to the Google push service | Google Cloud
iOS | 5223 TCP | outgoing | Connection to the Apple push service | Apple Cloud

Cloud-Enabled Endpoint Management
bServer:
bServer.exe | 443 TCP | incoming | Communication with the baramundi Gateway |
bServiceHost.exe | 10092 TCP | incoming | Communication with the baramundi Gateway |
Gateway:
bGateway.exe | 443 TCP | incoming | Communication with devices in Internet mode | bServer
bGateway.exe | 10092 TCP | outgoing | Forwarding of job/file transfer and control messages (to bServiceHost.exe) |
bGateway.exe | 10083 TCP | outgoing | Communication with Apache (bBT) |
bGateway.exe | 443 TCP | outgoing | Communication with bServer.exe | bServer
DIP Server:
Apache | 10083 TCP | incoming | bBT via Gateway |
Client:
bma.exe | 443 TCP | outgoing | Job transfer/control messages/CRL download |
bma.exe | 80 TCP | outgoing | CRL download (depends on the certification authority; not necessary by default with bMS certificates) |
Windows (BITS) | 443 TCP | outgoing | Job transfer (bBT)/CRL download |
Windows (BITS) | 80 TCP | outgoing | CRL download (depends on the certification authority; not necessary by default with bMS certificates) |
Client (Extended mode):
bma.exe | 443 TCP | outgoing | Job transfer/control messages |
bma.exe | SMB ports | outgoing | File transfer |
Windows (BITS) | 10083 TCP | outgoing | File transfer (bBT) |
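Troubleshooting step 3 of the Agent update section asks whether a firewall between the baramundi Server and a device blocks the necessary ports. The following script is an added illustration of that check and is not baramundi's own tooling: it takes a subset of the port table above (the TCP connections a Windows device opens towards bServer and the DIP, plus the port bServer must reach on a device for Agent installation) and reports which of them cannot be reached from the machine it runs on. The host names are constructed placeholders; replace them with your own server and device names and run the script once from a managed device and once from the server.

```python
"""Reachability check for the bMS ports listed in the table above.

Added illustration, not baramundi's own tooling. The port numbers come from
the port assignment table; the host names are constructed placeholders.
"""
import socket
from typing import List, Tuple

# (target component, port, purpose): TCP connections a device opens to the server side.
DEVICE_TO_SERVER_TCP = [
    ("bServer", 10086, "Job transfer, inventory/messages"),
    ("bServer", 10080, "Kiosk"),
    ("bServer", 10092, "HTTPS (UBDS, status updates)"),
    ("DIP Server (Apache)", 10083, "bBT"),
]
# TCP connection the server opens to a device during Agent installation.
SERVER_TO_DEVICE_TCP = [
    ("bfcrx on the device", 10099, "Agent installation"),
]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake with host:port completes within timeout.

    A refused connection, a timeout (typical for a firewall that drops packets)
    and a name-resolution failure all count as 'not open'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, entries, timeout: float = 2.0) -> List[Tuple[int, str, bool]]:
    """Probe every (component, port, purpose) entry on host; return (port, purpose, open)."""
    return [(port, purpose, tcp_port_open(host, port, timeout))
            for _component, port, purpose in entries]


def blocked_ports(results: List[Tuple[int, str, bool]]) -> List[int]:
    """Ports from a check_ports() result that did not answer."""
    return [port for port, _purpose, is_open in results if not is_open]


def self_check() -> Tuple[bool, bool]:
    """Validate the probe against a loopback listener: (open_result, closed_result).

    Binds an ephemeral port on 127.0.0.1 and expects it to be reported open,
    then closes the listener and expects the same port to be reported closed.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    open_result = tcp_port_open("127.0.0.1", port, timeout=1.0)
    listener.close()
    closed_result = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    # Constructed host names: run the first loop from a managed device and the
    # second from the bServer to cover both directions of the table.
    for host, entries in (("bms01.example.local", DEVICE_TO_SERVER_TCP),
                          ("pc-0815.example.local", SERVER_TO_DEVICE_TCP)):
        results = check_ports(host, entries)
        for port, purpose, is_open in results:
            print("%-24s %5d %-32s %s" % (host, port, purpose,
                                          "open" if is_open else "BLOCKED"))
        if blocked_ports(results):
            print("blocked towards %s: %s" % (host, blocked_ports(results)))
```

Only TCP ports are probed: the UDP entries of the table (server push on 10087, WOL on 7777, PXE) do not complete a handshake, so their reachability has to be confirmed from the receiving side, for example by watching the Agent log for the server push or the bServiceHost log for the PXE request.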

Flow Chart of Scripting in Automation Studio

Figure A.7.: Script schema

The MSI Error Values and Their Meaning
From time to time, users receive MSI errors. These errors are listed below*.

Note: the error codes given are decimal values; sometimes the value first has to be
extracted from the return code, i.e. the low 16 bits of the error message must be
converted to a decimal value.

Example: 0x8007000D => 000D => 13 = ERROR_INVALID_DATA
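The conversion in the example above, carried out in code. This is an added example and not part of the baramundi manual: it extracts the decimal Win32 code from a return value such as 0x8007000D, but only when the HRESULT's facility field (bits 16 to 26) is FACILITY_WIN32 (7); a plain value such as 1603 is already a Win32 code, and an HRESULT from another facility (0x80004005, E_FAIL, for instance) has no Win32 equivalent and must be looked up as an HRESULT instead. MSI_ERRORS is a small subset of the list below, keyed by decimal code.

```python
"""Derive the decimal MSI/Win32 error code from a job return value.

Added example; not part of the baramundi manual. MSI_ERRORS holds a subset of
the MSI error list on this page.
"""
from typing import Optional, Tuple

FACILITY_WIN32 = 7

MSI_ERRORS = {
    0: "ERROR_SUCCESS",
    13: "ERROR_INVALID_DATA",
    87: "ERROR_INVALID_PARAMETER",
    1601: "ERROR_INSTALL_SERVICE_FAILURE",
    1603: "ERROR_INSTALL_FAILURE",
    1618: "ERROR_INSTALL_ALREADY_RUNNING",
    1619: "ERROR_INSTALL_PACKAGE_OPEN_FAILED",
    1625: "ERROR_INSTALL_PACKAGE_REJECTED",
    1641: "ERROR_SUCCESS_REBOOT_INITIATED",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED",
}


def parse_return_code(text: str) -> int:
    """Normalise '0x8007000D', '-2147024883' or '1603' to an unsigned 32-bit value.

    Logs sometimes print an HRESULT as a negative signed integer; masking to
    32 bits maps that form onto the same bit pattern as the hex form.
    """
    return int(text.strip(), 0) & 0xFFFFFFFF


def win32_code(raw: int) -> Optional[int]:
    """Return the Win32 error code carried by raw, or None if it carries none."""
    if raw < 0x10000:                 # already a plain Win32/MSI return code
        return raw
    severity = (raw >> 31) & 0x1      # 1 = failure
    facility = (raw >> 16) & 0x7FF    # 11-bit facility field
    if severity == 1 and facility == FACILITY_WIN32:
        return raw & 0xFFFF           # low 16 bits, e.g. 0x000D -> 13
    return None


def describe(text: str) -> Tuple[Optional[int], str]:
    """Decode a return value from a log line into (decimal code, symbolic name)."""
    raw = parse_return_code(text)
    code = win32_code(raw)
    if code is None:
        return None, "0x%08X is not a FACILITY_WIN32 HRESULT; look it up as an HRESULT" % raw
    return code, MSI_ERRORS.get(code, "code %d: see the full list" % code)


if __name__ == "__main__":
    for sample in ("0x8007000D", "-2147024883", "1603", "0x80070643", "0x80004005"):
        print(sample, "->", describe(sample))
```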

ERROR_SUCCESS (error code 0) Action completed successfully (no error).
ERROR_INVALID_DATA (error code 13) The data is invalid.
ERROR_INVALID_PARAMETER (error code 87) One of the parameters was invalid.
ERROR_INSTALL_SERVICE_FAILURE (error code 1601) The Windows Installer service could not be accessed. Contact your support personnel to verify that the Windows Installer service is properly registered.
ERROR_INSTALL_USEREXIT (error code 1602) User cancelled installation.
ERROR_INSTALL_FAILURE (error code 1603) Fatal error during installation.
ERROR_INSTALL_SUSPEND (error code 1604) Installation suspended, incomplete.
ERROR_UNKNOWN_PRODUCT (error code 1605) This action is only valid for products that are currently installed.
ERROR_UNKNOWN_FEATURE (error code 1606) Feature ID not registered.
ERROR_UNKNOWN_COMPONENT (error code 1607) Component ID not registered.
ERROR_UNKNOWN_PROPERTY (error code 1608) Unknown property.
ERROR_INVALID_HANDLE_STATE (error code 1609) Handle is in an invalid state.
ERROR_BAD_CONFIGURATION (error code 1610) The configuration data for this product is corrupt. Contact Support.
ERROR_INDEX_ABSENT (error code 1611) Component qualifier not present.
ERROR_INSTALL_SOURCE_ABSENT (error code 1612) Installation source for this product is not present. Verify that the source exists and that you can access it.
ERROR_INSTALL_PACKAGE_VERSION (error code 1613) This installation package cannot be installed by the Windows Installer service. You must install a Windows Service Pack that contains a newer version of the Windows Installer service.
ERROR_PRODUCT_UNINSTALLED (error code 1614) The product is uninstalled.
ERROR_BAD_QUERY_SYNTAX (error code 1615) SQL query syntax is invalid or not supported.
ERROR_INVALID_FIELD (error code 1616) Record field does not exist.
ERROR_INSTALL_ALREADY_RUNNING (error code 1618) Another installation is already in progress. Complete that installation before proceeding with this install.
ERROR_INSTALL_PACKAGE_OPEN_FAILED (error code 1619) Installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
ERROR_INSTALL_PACKAGE_INVALID (error code 1620) This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
ERROR_INSTALL_UI_FAILURE (error code 1621) There was an error starting the Windows Installer service user interface. Contact Support.
ERROR_INSTALL_LOG_FAILURE (error code 1622) Error opening installation log file. Verify that the specified log file location exists and that you can write to it.
ERROR_INSTALL_LANGUAGE_UNSUPPORTED (error code 1623) The language of this installation package is not supported by your system.
ERROR_INSTALL_TRANSFORM_FAILURE (error code 1624) Error applying transforms. Verify that the specified transform paths are valid.
ERROR_INSTALL_PACKAGE_REJECTED (error code 1625) This installation is forbidden by system policy. Contact your system administrator.
ERROR_FUNCTION_NOT_CALLED (error code 1626) Function could not be executed.
ERROR_FUNCTION_FAILED (error code 1627) Function failed during execution.
ERROR_INVALID_TABLE (error code 1628) Invalid or unknown table specified.
ERROR_DATATYPE_MISMATCH (error code 1629) Data supplied is of wrong type.
ERROR_UNSUPPORTED_TYPE (error code 1630) Data of this type is not supported.
ERROR_CREATE_FAILED (error code 1631) The Windows Installer service failed to start. Contact your support personnel.
ERROR_INSTALL_TEMP_UNWRITABLE (error code 1632) The temp folder is either full or inaccessible. Verify that the temp folder exists and that you can write to it.
ERROR_INSTALL_PLATFORM_UNSUPPORTED (error code 1633) This installation package is not supported on this platform. Contact your application vendor.
ERROR_INSTALL_NOTUSED (error code 1634) Component not used on this machine.
ERROR_PATCH_PACKAGE_OPEN_FAILED (error code 1635) This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package.
ERROR_PATCH_PACKAGE_INVALID (error code 1636) This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.
ERROR_PATCH_PACKAGE_UNSUPPORTED (error code 1637) This patch package cannot be processed by the Windows Installer service. You must install a Windows Service Pack that contains a newer version of the Windows Installer service.
ERROR_PRODUCT_VERSION (error code 1638) Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs in the Control Panel.
ERROR_INVALID_COMMAND_LINE (error code 1639) Invalid command line argument. Consult the Windows Installer SDK for detailed command line help.
ERROR_INSTALL_REMOTE_DISALLOWED (error code 1640) Installation from a Terminal Server device session is not permitted for the current user.
ERROR_SUCCESS_REBOOT_INITIATED (error code 1641) The installer has started a reboot. This error code is not available on Windows Installer version 1.0.
ERROR_PATCH_TARGET_NOT_FOUND (error code 1642) The installer cannot install the upgrade patch because the program being upgraded may be missing, or the upgrade patch updates a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade patch. This error code is not available on Windows Installer version 1.0.
ERROR_SUCCESS_REBOOT_REQUIRED (error code 3010) A restart is required to complete the install. This does not include installs where the ForceReboot action is run. Note that this error will not be available until a future version of the installer.

* Source: http://support.microsoft.com/kb/290158/de

baramundi Variables
Variables are a kind of placeholder for entries that do not define a fixed value but rather a
selection of input options. In the Management Suite, variables are always written in curly
brackets, in the form {VARIABLE}. Depending on the application, the variables of the baramundi
Management Suite can be divided into the following categories:
• Standard Variables

– Server Variables
– Client Variables

• Custom Variables
– Device
– Organizational unit
– ADS user or group
– Hardware profile
– Software
– Component
– Patch bulletin
– Job

Variables can be used in baramundi Deploy scripts, in jobs and in the Software and Operating
Systems modules, usually via the tabs. The following notation applies:

{Area.Category.Name} for custom baramundi variables,

{%Name%} for Windows variables (in percent signs).

Frequently Used Variables


Before you study the full list of baramundi variables, the following top ten of frequently
used ones may help.
Client Contains the host name of the target system. This value is often used for configurations or
to create log files on central file storage locations. Example: A log path could be given
like this: "{DIP}\logs\{Client}\MYLOGFILE.LOG"
Arch The architecture variable gives one of two values, depending on whether you are
running an x86 or x64 system. It is often used for the dynamic selection of
architecture-specific source directories. Example: Names of MSI files for different
architectures can be set within the bMS in this form: FILENAME-{Arch}.MSI
bMAPath Refers to the folder in which the baramundi Agent is installed. This directory is the
preferred place for saving log files. Make sure to use quotation marks, because this path
usually contains blank spaces. Example: A log path can be given like this:
"{bmapath}\MYLOGFILE.LOG"
OSType Contains an ID that identifies the OS version. This variable is used to set script conditions;
it can also be used to choose between different installation sources. Example: The
path to an installation source could be given like this:
{DIP}\APL\VENDOR\PRODUKT\{OSType}\SETUP.EXE
Software.Name Returns the content of the Name field of the related application; often used to
define log file names. Example: A log path could look like this:
"{bMAPath}\{Software.Vendor}-{Software.Name}_{mode}.log"
Software.Vendor Contains the content of the Vendor field of the related application; often used
to define log file names. Example: A log path could look like this:
"{bMAPath}\{Software.Vendor}-{Software.Name}_{mode}.log"
LCID Contains the decimal language code defined by Microsoft. This variable is often used to
differentiate configurations within scripts, as a condition, or in file and folder names
for the dynamic selection of an appropriate source. Example: The path to such an
installation source of an application could look like this:
{DIP}\APL\VENDOR\PRODUCT\{LCID}\SETUP.EXE
PrimaryIP Contains the primary IP address sent by the Agent. Often used in user-defined bMC
commands as an alternative to the Client variable in environments without reliable DNS
resolution. Example: The ping command could be given as: ping {primaryIP}
Username Contains the complete user name of the currently or last logged-on user. This can be
helpful for communicating with an interactively logged-on user, because environment
variables refer to the installation user context during job execution.
Mode Contains one of the two values Install or Uninstall. This variable can be used either
to differentiate log files or to find out for which kind of action a script is currently
being executed, which is especially helpful for scripts that are included in other scripts.
Example: A log path could be given like this:
"{bMAPath}\{Software.Vendor}-{Software.Name}_{mode}.log"
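The notation introduced above ({Area.Category.Name} for baramundi variables, {%Name%} for Windows variables) and the example paths in the list of frequently used variables, resolved in code. This is an added illustration and not baramundi's substitution engine: SAMPLE_CONTEXT is a constructed set of device and job values, and ALIASES holds alias pairs taken from the standard variables table. The example shows three behaviours worth relying on in your own scripts: variable names are matched case-insensitively ({bMAPath} and {bmapath} are the same), aliases such as {Arch} or {PrimaryIP} resolve to their target, and a variable that cannot be resolved is reported instead of being silently left in the command line.

```python
"""Resolve {Variable} and {%EnvVar%} placeholders as the notation above describes.

Added illustration only; not baramundi's own substitution engine.
"""
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

# Matches {Name}, {Area.Category.Name}, {Client:IP} and {%ENVVAR%}.
PLACEHOLDER = re.compile(r"\{(%?)([A-Za-z0-9_.:]+)(%?)\}")

# alias -> canonical name (lower-cased), taken from the standard variables table.
ALIASES = {
    "depot": "dip",
    "machine": "client",
    "arch": "architecture",
    "primaryip": "client:ip",
    "primarymac": "client:mac",
    "langid": "lcid",
    "script": "installenginefile",
}

# Constructed sample values for one device and one software job.
SAMPLE_CONTEXT = {
    "DIP": r"\\bms01\DIP$",
    "Client": "PC-0815",
    "Client:IP": "192.0.2.17",
    "Architecture": "x64",
    "bMAPath": r"C:\Program Files\baramundi\BMA",
    "Software.Vendor": "ExampleVendor",
    "Software.Name": "ExampleApp",
    "Mode": "Install",
    "OSType": "Win10_x64",
    "LCID": "1033",
}


def resolve(template: str, context: Dict[str, str],
            env: Optional[Mapping[str, str]] = None) -> Tuple[str, List[str]]:
    """Substitute placeholders in template; return (result, unresolved placeholders).

    {%NAME%} is taken from env (os.environ by default); every other placeholder is
    looked up in context, case-insensitively and after alias expansion.
    """
    env = os.environ if env is None else env
    lowered = {key.lower(): value for key, value in context.items()}
    unresolved: List[str] = []

    def lookup(match):
        leading, name, trailing = match.groups()
        if leading == "%" and trailing == "%":      # Windows variable
            value = env.get(name)
        elif leading == "" and trailing == "":      # baramundi variable
            key = name.lower()
            value = lowered.get(ALIASES.get(key, key))
        else:                                       # e.g. {%Name}: malformed
            value = None
        if value is None:
            unresolved.append(match.group(0))
            return match.group(0)                   # leave it visible in the output
        return value

    return PLACEHOLDER.sub(lookup, template), unresolved


def quote_if_needed(path: str) -> str:
    """Wrap a resolved path in double quotes if it contains a blank and is not quoted yet."""
    if " " in path and not (path.startswith('"') and path.endswith('"')):
        return '"%s"' % path
    return path


if __name__ == "__main__":
    for template in (r"{DIP}\logs\{Client}\MYLOGFILE.LOG",
                     "FILENAME-{Arch}.MSI",
                     r"{bmapath}\{Software.Vendor}-{Software.Name}_{mode}.log",
                     "ping {primaryIP}",
                     r"{DIP}\APL\VENDOR\PRODUCT\{LCID}\SETUP.EXE {NoSuchVar}"):
        result, missing = resolve(template, SAMPLE_CONTEXT, env={})
        print(quote_if_needed(result), "  unresolved:", missing)
```

Checking the unresolved list before handing a resolved command line to a job step is the useful part: a placeholder that survives substitution (a typo, or a variable that only exists in OS install jobs) otherwise ends up as a literal in a path or command.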

Standard Variables
Global variables are used and set by the system and are not stored in the database.
As a rule, global variables are used in connection with baramundi Deploy scripts. Other uses
are mentioned in the following overview.

Variable | Category | Used by | Description
{Server} | Server | Software | IP/name/FQDN of the Management Server from the device's standpoint
{ServerHostname} | Server | Software | Host name of the Management Server from the device's standpoint
{ServerKey} | Server | Software | Public key of the bMS server's TLS certificate
{PrimaryServer} | Server | Software | Name of the primary Management Server
{DIP} | Server | Software, Agent installation | Full path to the DIP from the device's standpoint
{Depot} | Server | Software, Agent installation | Alias* for {DIP}
{CDROM} | Client | Software | Pseudo variable: if used in the installation command, the drive letter of the CD drive is used.† (Not used in baramundi Deploy scripts)
{BMSPath} | Server, Device | Software | Installation directory of the bMS; path to the bMS
{baramundiPath} | Server, Device | Software | Alias of {BMSPath}
{BMAPath} | Device | Software | Agent installation directory on the device
{GUIDClient} | Device | Software | Device's GUID in the baramundi Management Suite
{GUIDJob} | Device | Software | Job's GUID in the baramundi Management Suite

* Usually the second name of a variable, for historical reasons.
† Example: If the installation command for an application is «CDROM\setup.exe», then
«D:\setup.exe» is run if the CD-ROM drive on the client is labeled «D:».

{HWProfile} | Device | Software | Device hardware profile
{InstallEngineFile} | Device | Software | Name of the installation engine*
{Script} | Device | Software | Alias for {InstallEngineFile}
{InstallTargetPath} | Device | Software | Path to the target directory
{Licence} | Device | Software and Operating Systems | License key
{LocalbMCPath} | Device | Software and Operating Systems | Local installation path of the baramundi Management Center
{LocalEMSCCPath} | Device | Software and Operating Systems | Alias of {LocalbMCPath}
{License} | Device | Software and Operating Systems | License key
{Company} | Server, Device | Software | Name of the company using the license
{Username} | Device | Software | Windows user currently logged on to the device
{GroupDIPs} | Device | Software | List of DIPs in a group
{InstallUserName} | Device | Operating Systems | Name of the installation user† (Not used in baramundi Deploy scripts)
{InstallUserPassword} | Device | Operating Systems | Password of the installation user† (Not used in baramundi Deploy scripts)
{InstallUserAccount} | Device | Operating Systems | Account of the installation user† (Not used in baramundi Deploy scripts)
{AdminUserName} | Device | Operating Systems | Name of the administrator† (Not used in baramundi Deploy scripts)
{AdminUserPassword} | Device | Operating Systems | Password of the administrator† (Not used in baramundi Deploy scripts)
{AdminUserAccount} | Device | Operating Systems | Account of the administrator† (Not used in baramundi Deploy scripts)

* In the application properties on the Installation/Engine tab.
† Provided during the run of an operating system installation to integrate the data
required from the installation and administration users into the Unattended File.

{LCID} | Device | | Current language set on the device as a numeric code
{LangID} | Device | | Alias for {LCID}
{Domain} | Device | Software, Agent installation | Device domain
{Client} | Device | Software, Agent installation | Device host name
{Machine} | Device | Software, Agent installation | Alias for {Client}
{OSType} | Device | Software, Agent installation | Device operating system*
{RegisteredUser} | Device | Software | Name of the registered user
{Client:IP} | Device | Software | Primary device IP address
{PrimaryIP} | Client | Software | Alias for {Device:IP}
{Client:MAC} | Device | Software | Primary device MAC address
{PrimaryMAC} | Device | Software | Alias for {Client:MAC}
{Group} | Device | Software | Logical device group
{Architecture} | Device | Software | Device hardware architecture (32/64-bit)
{Arch} | Device | Software | Alias for {Architecture}
{ServerPort} | Device | Agent installation | Server TCP/UDP port

* Values of {OSType}:
  Windows 2000 : W2000
  Windows XP : XP
  Windows XP, 64 Bit : XP_x64
  Windows Server 2003 : W2003
  Windows Server 2003, 64 Bit : W2003_x64
  Windows Vista : Vista
  Windows Vista, 64 Bit : Vista_x64
  Windows Server 2008 : W2008
  Windows Server 2008, 64 Bit : W2008_x64
  Windows 7 : Win7
  Windows 7, 64 Bit : Win7_x64
  Windows Server 2008 R2, 64 Bit : W2008R2_x64
  Windows 8 : Win8
  Windows 8, 64 Bit : Win8_x64
  Windows Server 2012 : W2012_x64
  Windows 10 : Win10
  Windows 10, 64 Bit : Win10_x64
  Windows Server 2016 : W2016_x64
  macOS 10.10 : AppleOsx

{ClientPort} | Device | Agent installation | Device TCP/UDP port
{Job.Name} | Device | Software | Name of the current job
{Job.Creator} | Device | Software | Name of the user who created the job
{Job.OSInstall.PathClient} | Job | Operating Systems | After creation under Configuration/Variables it can be used for jobs with a UNC path to represent a bMA source. This variable is only for OS install jobs.
{Job.Initiator} | Device | Software | User name of the current job initiator
{AgentOptions} | Device | Agent installation | Agent options: numerically coded value
{UnattendedFile} | Device | Operating Systems | Gives the answer file for an OS to be installed (the variable only exists if the bDS is running as part of an OS install job)
{BPMFolder} | Device | Patch Management | Path to the patch management files from the device's standpoint
{ScanResult} | Device | Inventory | Result of a patch scan
{UniqueClientDirectory} | Device | Operating Systems | Temporary file store during an operating system installation
{OSTargetDrive} | Device | Operating Systems | Drive of an operating system installation
{ResponseFile} | Device | Software | Name of the response file during the installation
{Mode} | | | Gives Install or Deinstall, depending on whether an installation or an uninstallation is executed.
{UserLCID} | | | Gives the language ID for the current user. Differentiates between user and system language.

Variables for Mobile and Windows Devices

Variable | Description
{RegisteredUser.CommonName} | Name of the registered AD user
{RegisteredUser.DistinguishedName} | Distinguished AD name
{RegisteredUser.FirstName} | First name of the registered user
{RegisteredUser.LastName} | Family name of the registered user
{RegisteredUser.MailDomain} | Email domain of the registered user, e.g. baramundi.de
{RegisteredUser.MailLocalPart} | Local part of the email address, e.g. Nathan.Nabbensmith
{RegisteredUser.OrganizationalUnit} | Department of the registered user

Variables for Mobile and macOS Devices

In all bMD and macOS jobs, the variables below can be used with the syntax {Scope.Variable}
or, via their alias, simply as {Variable}.

Variable | Description
{Machine.UDID} | Unique device ID
{Machine.Name} | Device name
{Client} | Alias of {Machine.Name}
{Machine.Manufacturer} | Manufacturer
{Machine.OS} | Operating system
{OSType} | Alias of {Machine.OS}
{Machine.OSVersion} | Operating system version
{OSVersion} | Alias of {Machine.OSVersion}
{Machine.Comment} | Comment
{Machine.User} | User name
{Machine.Category} | User category
{Machine.Owner} | Company/Private
{Machine.ModelName} | Model name
{Machine.PrimaryMAC} | MAC address
{PrimaryMAC} | Alias of {Machine.PrimaryMAC}
{MAC-Address} | Alias of {Machine.PrimaryMAC}
{Machine.PrimaryIP} | IP address
{PrimaryIP} | Alias of {Machine.PrimaryIP}
{Machine.EndpointGUID} | Database GUID
{Machine.ComplianceState} | Unknown, Compliant, LightViolation, MediumViolation, SevereViolation, ComplianceInactive
{Machine.ConfiguredComplianceCheckCategory} | Active, Inactive, TemporarilyInactive
{Machine.PhoneNumber} | Phone number of a device (Android only)
{Machine.SamsungSafeVersion} | Samsung Knox version
{RegisteredUser.Displayname} | Display name of a profile
{RegisteredUser.Principalname} | User name of an Exchange account (fully qualified)
{RegisteredUser} | Alias of {Machine.Principalname}
{RegisteredUser.UserLogonName} | Like Principalname, but without the domain
{RegisteredUser.Mail} | Mail address
{RegisteredUser.Domain} | Domain
{RegisteredUser.Name} | Name
{RegisteredUser.Comment} | Comment
{Group} | Group name
{Group.Domain} | Group domain
{Group.GUID} | Group GUID

The following variables exist for iOS devices only:

Variable | Description
{Machine.DeviceInformation.AvailableDeviceCapacity} | Free device memory
{Machine.DeviceInformation.BatteryLevel} | Battery power level in percent
{Machine.DeviceInformation.BluetoothMAC} | Bluetooth MAC address
{Machine.DeviceInformation.BuildVersion} | OS build number of a device
{Machine.DeviceInformation.CarrierSettingsVersion} | A device's provider settings version
{Machine.DeviceInformation.CellularTechnology} | none, GSM, CDMA, both
{Machine.DeviceInformation.CurrentCarrierNetwork} | Name of the provider network
{Machine.DeviceInformation.CurrentMCC} | Current Mobile Country Code
{Machine.DeviceInformation.CurrentMNC} | Current Mobile Network Code
{Machine.DeviceInformation.DataRoamingEnabled} | Data roaming active? true/false
{Machine.DeviceInformation.DeviceCapacity} | Total memory of a device
{Machine.DeviceInformation.DeviceName} | Actual name of a device
{Machine.DeviceInformation.EASDeviceIdentifier} | Device identifier string reported to Exchange ActiveSync (EAS)
{Machine.DeviceInformation.EthernetMACs} | LAN MAC address
{Machine.DeviceInformation.ICCID} | ICC identifier of the installed SIM card
{Machine.DeviceInformation.IMEI} | The device's IMEI number
{Machine.DeviceInformation.IsActivationLockEnabled} | Is an activation lock active?
{Machine.DeviceInformation.IsCloudBackupEnabled} | Cloud backups allowed?
{Machine.DeviceInformation.IsDeviceLocatorServiceEnabled} | Is e.g. «Find my iPhone» activated?
{Machine.DeviceInformation.IsDoNotDisturbInEffect} | «Do not disturb» activated?
{Machine.DeviceInformation.IsMDMLostModeEnabled} | Lost mode activated?
{Machine.DeviceInformation.IsRoaming} | Is the device in the provider's network?
{Machine.DeviceInformation.IsSupervised} | Is the device supervised?
{Machine.DeviceInformation.iTunesStoreAccountHash} | Hash of the iTunes Store account
{Machine.DeviceInformation.iTunesStoreAccountIsActive} | Is an iTunes Store account signed in on the device?
{Machine.DeviceInformation.Languages} | Available languages on a device (the first in the list is the one currently used)
{Machine.DeviceInformation.LastCloudBackupDate} | Last iCloud backup
{Machine.DeviceInformation.Locales} | Regions set on the device (the first in the list is the one currently used)
{Machine.DeviceInformation.MaximumResidentUsers} | In Shared iPad mode: maximum number of users who can use the device
{Machine.DeviceInformation.MEID} | Device's MEID number
{Machine.DeviceInformation.Model} | Device model, e.g. MC319LL
{Machine.DeviceInformation.ModelName} | Name of the device model, e.g. MacBook Pro, iPhone 7 Plus
{Machine.DeviceInformation.ModemFirmwareVersion} | Baseband firmware version
{Machine.DeviceInformation.OSVersion} | OS version
{Machine.DeviceInformation.PersonalHotspotEnabled} | Personal hotspot activated?
{Machine.DeviceInformation.PhoneNumber} | Phone number, if available
{Machine.DeviceInformation.ProductName} | Model code of a device (iPhone3,1, for example)
{Machine.DeviceInformation.SerialNumber} | Serial number
{Machine.DeviceInformation.SubscriberCarrierNetwork} | Name of the home carrier network, e.g. O2
{Machine.DeviceInformation.SubscriberMCC} | Home Mobile Country Code (numeric string)
{Machine.DeviceInformation.SubscriberMNC} | Home Mobile Network Code (numeric string)
{Machine.DeviceInformation.UDID} | Unique device ID
{Machine.DeviceInformation.VoiceRoamingEnabled} | Current value of the voice roaming setting
{Machine.DeviceInformation.WiFiMAC} | WiFi MAC address
{Machine.Manufacturer} | Device vendor (e.g. Apple)
{Machine.SerialNumber} | Serial number

For enrollment emails, the following additional variables can be substituted:

Variable Description
{Machine.EnrollmentMailSubject} Subject Line for Enrollment Email
{Machine.AndroidAgentDownloadLink} Android Agent Download Link
{Machine.EnrollmentLink} Enrollment Link for Native MDM
{Machine.EnrollmentLinkAgent} Enrollment Link for Agent
{Machine.EnrollmentServer} Enrollment Server
{Machine.EnrollmentToken} Enrollment Token
{Machine.AttachEnrollmentBinary} Marker: attach the enrollment binary bma.pkg to the mail (for macOS only). The variable itself is substituted by an empty string.
{Machine.EmailRecipient.Name} Name of Email Recipient
{Machine.EmailRecipient.EmailAddress} Email Address of Email Recipient
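
The variable tables above describe a token-substitution scheme: each {…} placeholder in a mail or job text is replaced by a device or recipient attribute, and the marker {Machine.AttachEnrollmentBinary} is replaced by an empty string while signalling that the binary should be attached. The Python below is an added illustration of how such a substitution can be implemented and checked before a mail is sent; it is not baramundi code. The nested sample record, the Yes/No rendering of Boolean values and the decision to leave unknown placeholders visible are assumptions made for the example.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample record in the nested, dotted shape the variable
# names above imply. All values are invented for this example.
SAMPLE_DEVICE: Dict[str, Any] = {
    "Machine": {
        "Manufacturer": "Apple",
        "SerialNumber": "SAMPLE-SERIAL-0001",
        "EnrollmentServer": "mdm.example.invalid",
        "EnrollmentToken": "ENROLLMENT-TOKEN-PLACEHOLDER",
        "EmailRecipient": {"Name": "Jane Doe", "EmailAddress": "jane.doe@example.invalid"},
        "DeviceInformation": {
            "Languages": ["de", "en"],   # first entry is the one currently in use
            "IsSupervised": True,
        },
    }
}

# Markers are substituted by an empty string; their presence is reported
# so the mailer can act on them (here: attach bma.pkg).
MARKER_VARIABLES = {"Machine.AttachEnrollmentBinary"}

TOKEN = re.compile(r"\{([A-Za-z0-9_.]+)\}")


def lookup(data: Dict[str, Any], dotted: str) -> Tuple[bool, Any]:
    """Walk a dotted path such as Machine.EmailRecipient.Name."""
    node: Any = data
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def render(value: Any) -> str:
    """Assumed rendering: Booleans as Yes/No, lists comma-separated."""
    if isinstance(value, bool):
        return "Yes" if value else "No"
    if isinstance(value, list):
        return ", ".join(str(v) for v in value)
    return str(value)


def substitute(template: str, data: Dict[str, Any]) -> Tuple[str, List[str], List[str]]:
    """Return (rendered text, markers seen, unresolved variable names).

    Unknown placeholders are left in the text on purpose: a caller should
    refuse to send an enrollment mail that still contains one, rather than
    mail a blank where the server address or token belongs."""
    markers: List[str] = []
    unresolved: List[str] = []

    def replace(match) -> str:
        name = match.group(1)
        if name in MARKER_VARIABLES:
            markers.append(name)
            return ""
        found, value = lookup(data, name)
        if not found:
            unresolved.append(name)
            return match.group(0)
        return render(value)

    return TOKEN.sub(replace, template), markers, unresolved


# Constructed template using variables from the tables above.
ENROLLMENT_TEMPLATE = (
    "Hello {Machine.EmailRecipient.Name}, enroll your {Machine.Manufacturer} device "
    "at {Machine.EnrollmentServer} with token {Machine.EnrollmentToken}."
    "{Machine.AttachEnrollmentBinary}"
)

if __name__ == "__main__":
    text, markers, missing = substitute(ENROLLMENT_TEMPLATE, SAMPLE_DEVICE)
    print(text)
    print("attach binary:", "Machine.AttachEnrollmentBinary" in markers)
    print("unresolved:", missing)
```

The returned list of unresolved names is the check worth wiring into a mail pipeline: an empty list means every placeholder, including the token and server address, was filled from real data.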

Within SSA (bMD + Mac) and Mac jobs, the following additional variables can be substituted:

Variable Description
{Company} Company
{Server} Server Address

{ServerHostname} Host Name of Server
{DIP} DIP
{JobDefinition.Name} Name of Job
{JobDefinition.GUID} GUID of Job
{JobDefinition.Comment} Comment of Job
{JobInstance.Initiator} Initiator of Job Instance
{JobInstance.Guid} GUID of Job Instance

Custom Variables
You can also define your own variables. Depending on the specified area, variables created
in this way appear in the property dialogs of the corresponding object on the Variables tab. An
example is given here to illustrate the use of custom variables: all the computers in a network
need to be allocated to particular cost units, in order to assemble devices with the same cost
unit number into dynamic groups and allocate jobs to them jointly.

Figure A.8.: Variables
Figure A.9.: Variables on the Device

Figure A.10.: Condition
Figure A.11.: Variables

Defining Variables

First you need to create the variable. Select Configuration Variables and New/Variables (see Fig. A.8)
and enter the data in this dialog. The example is given for the Client area, as the variable has
an effect on the target systems. You can choose the Category and Name; in our case these are
General and Cost unit. The Type is a term, in other words a string.
Once all the entries have been completed, the new variable and its category are available
in the device properties (Fig. A.9) and a value can be assigned to it (B5-3 in the example).

Using Custom Variables

If you now assign the same value to several target systems on the Variables tab of their
properties, you can form dynamic groups from the devices that have this variable. Select
Environment Dynamic Groups and New/Dynamic Group and give the group a meaningful name
(All clients for cost unit B5-3). In the selector under Conditions, click Add new condition;
the rather curious-looking string * = * appears in the result. Click on the first expression
and select Custom Variables/General/Cost unit (Fig. A.10).
Then enter the variable value in the right-hand expression (Fig. A.11), i.e. B5-3.
The new dynamic group is now available under the node of that name and you can assign
jobs to it.

Driver Integration

Figure A.12.: Driver Integration Step 1

The need to integrate drivers varies depending on the operating system used. To avoid
unnecessary effort, please follow the process given below.
If a new hardware model is available with a pre-installed operating system, such a device
can be used as a reference: it provides a good overview of the components installed. Based
on this information, decide which component drivers have to be integrated.
Although exporting the complete driver installation is possible, it is not recommended,

Figure A.13.: Driver Wizard
Figure A.14.: Driver Selection

because some drivers will already be installed by the operating system. Instead, the vendor’s
original drivers should be integrated and checked step by step.
Without an original installation (or an installation analysis), the first step is to start an OS
installation via baramundi. Ideally, such an installation completes successfully and without
any problems. Afterwards, the Device Manager will show all components without driver
support.
If the installation does not start, the needed drivers have to be integrated within WinPE
already. See the sequence diagram below:
If the OS installation starts but the Windows installation cannot be completed successfully,
network card drivers and/or mass storage controller drivers have to be integrated first. To
do so, follow the steps described below.
After a Device Manager check and (if desired) the creation of a baramundi hardware profile,
the missing drivers have to be tested. You should use the most current drivers provided
by your vendor. After the installation process has completed successfully, the drivers can
be integrated within baramundi. If drivers are only available as a setup program, you should
try to extract the executable files with an extraction tool (7-Zip or a similar application).
If INF drivers are included, use these. If not, you can create an application that installs the
driver and link this application to a certain component. If you are going to integrate INF
drivers, it is recommended to use the driver wizard for automatic driver integration. The
wizard is available in the baramundi Management Center under Operating Systems Drivers.
First, you have to specify the driver’s source path.
The following options are available:
List all drivers Using this option, the wizard looks for potential drivers. All drivers found will
be integrated, i.e. the wizard also integrates drivers not known to baramundi. This option
should therefore be used carefully to avoid copying unneeded drivers.

List drivers for managed components With this option, only drivers with at least one component
known to baramundi are integrated. For the procedure described above, this option is the best choice.
Copy driver files to DIP structure At this point, no driver data has been saved on the DIP yet. With
this option, the wizard automatically creates folders to save the drivers in; the folder names
will be clearly understandable.

Figure A.15.: Driver Integration Step 2

Then the wizard reads the directory with all sub-directories and gives a list of the drivers
detected. Drivers can be selected or deselected here. If you see driver duplicates, consider the
following indications:
1. There may be more than one INF file with different definitions in a directory. Select the
INF file with the most device entries, because those devices will be linked automatically.
2. If more drivers are found within sub-directories, you should use them. Examples:
a) Graphics card drivers, which include HDMI devices
b) Chipset drivers for different components
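
Indication 1 asks you to pick the INF file with the most device entries. The Python below is an added example, not part of the manual or of baramundi, that parses INF text in the standard Windows layout ([Manufacturer] entries pointing at model sections, optionally decorated per platform such as Models.NTamd64), collects the hardware IDs each INF declares and picks the most complete one. The INF contents, vendor name, device names, hardware IDs and file names are constructed for the demo.

```python
from typing import Dict, List, Set

# Constructed INF texts in the standard Windows layout; vendor, device
# names and hardware IDs are invented for this example.
INF_FULL = r"""
[Version]
Signature = "$Windows NT$"
Class = Net
Provider = %Vendor%

[Manufacturer]
%Vendor% = Models, NTamd64, NTx86   ; decorated model sections follow

[Models.NTamd64]
%Dev1.Desc% = Install.Dev1, PCI\VEN_1234&DEV_0001
%Dev2.Desc% = Install.Dev2, PCI\VEN_1234&DEV_0002
%Dev3.Desc% = Install.Dev3, PCI\VEN_1234&DEV_0003&SUBSYS_00011234

[Models.NTx86]
%Dev1.Desc% = Install.Dev1, PCI\VEN_1234&DEV_0001

[Strings]
Vendor = "Constructed Vendor"
Dev1.Desc = "Constructed NIC 1"
"""

INF_PARTIAL = r"""
[Version]
Signature = "$Windows NT$"
Class = Net
Provider = %Vendor%

[Manufacturer]
%Vendor% = Models

[Models]
%Dev1.Desc% = Install.Dev1, PCI\VEN_1234&DEV_0001

[Strings]
Vendor = "Constructed Vendor"
"""


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Map lower-cased section names to their non-empty, comment-stripped lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts an INF comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def model_sections(sections: Dict[str, List[str]]) -> List[str]:
    """Resolve [Manufacturer] entries to the model sections that actually exist,
    including platform-decorated ones such as Models.NTamd64."""
    found: List[str] = []
    for entry in sections.get("manufacturer", []):
        if "=" not in entry:
            continue
        parts = [p.strip() for p in entry.split("=", 1)[1].split(",")]
        base = parts[0]
        for candidate in [base] + [f"{base}.{dec}" for dec in parts[1:] if dec]:
            name = candidate.lower()
            if name in sections and name not in found:
                found.append(name)
    return found


def hardware_ids(inf_text: str) -> Set[str]:
    """Collect the distinct hardware/compatible IDs an INF declares."""
    sections = parse_sections(inf_text)
    ids: Set[str] = set()
    for name in model_sections(sections):
        for entry in sections[name]:
            if "=" not in entry:
                continue
            fields = [f.strip() for f in entry.split("=", 1)[1].split(",")]
            # fields[0] is the install section; the rest are device IDs
            ids.update(hw.upper() for hw in fields[1:] if hw)
    return ids


def pick_most_complete(infs: Dict[str, str]) -> str:
    """Return the name of the INF that covers the most distinct devices."""
    return max(infs, key=lambda name: len(hardware_ids(infs[name])))


if __name__ == "__main__":
    candidates = {"full.inf": INF_FULL, "partial.inf": INF_PARTIAL}
    for name, text in candidates.items():
        print(name, sorted(hardware_ids(text)))
    print("use:", pick_most_complete(candidates))
```

Counting distinct hardware IDs rather than raw lines avoids over-rating an INF that repeats the same device for several platforms, which is the situation indication 1 describes.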

Each driver will be copied with all of its sub-folders. Delete any data that is not needed,
especially when using a driver CD.

Figure A.16.: Driver Integration Step 3

Once all drivers have been imported successfully, check whether the drivers are linked
correctly to the components of the new hardware model. To do this, open the component
view of your test device. Then open the context menu of a component and click Goto
Component. There you can check whether the imported driver is linked correctly. If not, link
the driver manually. See another sequence diagram below.
Once all drivers and components have been linked, another test installation can be done.
Ideally, all drivers will be copied and installed successfully (this can be checked in the Device
Manager). The integration work for this model would thus be complete.
If devices without drivers are still shown, find out whether the driver links within the
baramundi Management Suite are correct or whether the driver itself could not be installed.
Should even manual installation be impossible, the vendor has to be contacted for an
alternative driver. Such a driver has to be tested as described above.

Cipher List

Modern Min TLS Version Kx Au Enc Mac


ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH ECDSA AESGCM(256) AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(256) AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 ECDH ECDSA AESGCM(128) AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 ECDH ECDSA AES(256) SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 ECDH ECDSA AES(128) SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH RSA AES(128) SHA256

Downward compatible Min TLS Version Kx Au Enc Mac


DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(256) AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH RSA AESGCM(128) AEAD
ECDHE-ECDSA-AES256-SHA SSLv3 ECDH ECDSA AES(256) SHA1
ECDHE-RSA-AES256-SHA SSLv3 ECDH RSA AES(256) SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 ECDH ECDSA AES(128) SHA1
ECDHE-RSA-AES128-SHA SSLv3 ECDH RSA AES(128) SHA1
DHE-RSA-AES256-SHA256 TLSv1.2 DH RSA AES(256) SHA256
DHE-RSA-AES256-SHA SSLv3 DH RSA AES(256) SHA1
DHE-RSA-AES128-SHA256 TLSv1.2 DH RSA AES(128) SHA256
DHE-RSA-AES128-SHA SSLv3 DH RSA AES(128) SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 ECDH ECDSA 3DES(168) SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 ECDH RSA 3DES(168) SHA1

EDH-RSA-DES-CBC3-SHA SSLv3 DH RSA 3DES(168) SHA1
AES256-GCM-SHA384 TLSv1.2 RSA RSA AESGCM(256) AEAD
AES128-GCM-SHA256 TLSv1.2 RSA RSA AESGCM(128) AEAD
AES256-SHA256 TLSv1.2 RSA RSA AES(256) SHA256
AES128-SHA256 TLSv1.2 RSA RSA AES(128) SHA256
AES256-SHA SSLv3 RSA RSA AES(256) SHA1
AES128-SHA SSLv3 RSA RSA AES(128) SHA1
DES-CBC3-SHA SSLv3 RSA RSA 3DES(168) SHA1
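
The two tables above sort suites by minimum TLS version, key exchange, authentication, encryption and MAC, in the order the row values appear (the same order `openssl ciphers -v` prints them). The Python below is an added example, not part of the manual or of baramundi, that parses rows in that layout and reproduces the split: a suite counts as Modern when it requires TLS 1.2, uses ECDHE key exchange and an AES cipher with an AEAD or SHA-2 MAC; everything else lands in Downward compatible, and the attributes that put it there are reported. The rule set is an assumption derived from the tables; the sample rows are copied from them, plus one constructed line in `openssl ciphers -v` layout to show the prefixed form parses as well.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CipherSuite:
    name: str
    min_version: str
    kx: str    # key exchange
    au: str    # authentication
    enc: str   # bulk encryption
    mac: str   # MAC, or AEAD when integrity is built into the cipher mode


def parse_cipher_line(line: str) -> Optional[CipherSuite]:
    """Parse one row laid out as NAME MIN-VERSION KX AU ENC MAC.
    Fields written as Kx=..., Au=..., Enc=..., Mac=... (the layout of
    `openssl ciphers -v`) are accepted as well; the prefix is dropped."""
    fields = line.split()
    if len(fields) < 6:
        return None
    kx, au, enc, mac = (f.split("=", 1)[-1] for f in fields[2:6])
    return CipherSuite(fields[0], fields[1], kx, au, enc, mac)


def is_modern(suite: CipherSuite) -> bool:
    """Assumed rule set reproducing the Modern/Downward compatible split above."""
    return (suite.min_version == "TLSv1.2"
            and suite.kx == "ECDH"
            and suite.enc.startswith("AES")
            and suite.mac in {"AEAD", "SHA256", "SHA384"})


def weaknesses(suite: CipherSuite) -> List[str]:
    """Attributes a hardening review would flag; empty for ECDHE AES-GCM suites."""
    notes: List[str] = []
    if suite.kx == "RSA":
        notes.append("static RSA key exchange: no forward secrecy")
    elif suite.kx == "DH":
        notes.append("finite-field DHE: strength depends on server DH parameter size")
    if suite.enc.startswith("3DES"):
        notes.append("3DES: 64-bit block size")
    if suite.mac == "SHA1":
        notes.append("HMAC-SHA1 integrity")
    elif suite.mac != "AEAD":
        notes.append("CBC mode with separate HMAC (not AEAD)")
    if suite.min_version == "SSLv3":
        notes.append("negotiable down to SSLv3")
    return notes


def classify(lines: List[str]) -> Dict[str, List[str]]:
    """Split rows into the two groups used by the tables above."""
    groups: Dict[str, List[str]] = {"modern": [], "downward compatible": []}
    for line in lines:
        suite = parse_cipher_line(line)
        if suite is None:
            continue
        key = "modern" if is_modern(suite) else "downward compatible"
        groups[key].append(suite.name)
    return groups


# Rows as printed in the tables above, plus one constructed line in the
# `openssl ciphers -v` layout.
SAMPLE_ROWS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 ECDH ECDSA AESGCM(256) AEAD",
    "ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH RSA AES(128) SHA256",
    "DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(256) AEAD",
    "ECDHE-RSA-AES256-SHA SSLv3 ECDH RSA AES(256) SHA1",
    "AES128-GCM-SHA256 TLSv1.2 RSA RSA AESGCM(128) AEAD",
    "DES-CBC3-SHA SSLv3 RSA RSA 3DES(168) SHA1",
    "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",  # constructed, openssl -v layout
]

if __name__ == "__main__":
    for group, names in classify(SAMPLE_ROWS).items():
        print(f"{group}:")
        for name in names:
            print("  ", name)
    for row in SAMPLE_ROWS:
        suite = parse_cipher_line(row)
        if suite and weaknesses(suite):
            print(suite.name, "->", "; ".join(weaknesses(suite)))
```

Feeding the output of `openssl ciphers -v` for a server's configured cipher string into classify() shows at a glance which downward compatible suites are still enabled and why each one is there.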

