The Problem Statement
I recently came across a very real problem in an online community post that brought me right back to my SCCM Admin days. The germane portion of that post stated the following (edited for continuity):
“With the continuation of major OS and application upgrades happening now with Windows 10 and Office 365, as well as the new “Evergreen” release model, it is becoming increasingly apparent that organizations need to get their application sets under control, particularly for testing and pilot scoping.
I’ve been involved with quite a few OS migrations and Office upgrades. Every time, another Business Analyst approaches me asking “So, what applications are installed and used by the business?“.
Now, it would be nice if I could point at our SCCM application deployments. I’d say “here“! But of course, unless you have done the groundwork, rationalized your applications, packaged everything for proper deployment, and locked your environment down, this is often not the case.
I’m a fan of the disclaimer that if an application has not been approved by IT, then it is out of scope for testing as part of any future upgrade. Management doesn’t like this answer! We all know that the next step is an export of ALL applications in the environment. This includes the entire Add/Remove Programs portion of the SCCM database. Then it’s all about chopping and filtering it down to a manageable (and hopefully accurate) size. Which, is a MASSIVE task.”
That really struck a chord in my own way-back machine. Like many other administrators, I too used to go through the same process of dumping everything into Excel. I was asked the very question this person’s Business Analyst’s asked of him (“… what applications are installed and used by the business?). In my nightmare scenario, it was usually my senior manager who was preparing to sit down with a vendor for annual license true-up discussions.
My worst example was Microsoft. “Hey, Ed… I’m meeting with our Microsoft rep in two weeks, so go and get me everything we have from Microsoft and get me all the versions out there, and the installed counts. I already have our license data, but I need to know where we are with what’s out there”. I would then spend a solid week trying to remember how to do Excel cross-tabs, pivot tables with my exported SCCM data, and create high-level summaries for him (and pray that the numbers were at least close to being accurate).
This is simply a long-winded intro to tell you that I get I get it!
I’ve been there! Today, I now know that solving the usage problem is trivial. If I’d had the 1E AppClarity product, I could easily answer the “What’s used?” question, at least for those machines in the SCCM inventory. AppClarity does an outstanding job of showing actual usage of every application installed on every machine in SCCM. But SCCM is the keeper of the keys. The amount of accuracy you get is from what’s inside SCCM. We all know that it’s never 100% accurate.
It also doesn’t cover “everything” in the organization (think Windows and UNIX servers; Linux devices, DMZ machines, and so on).
I know that I can use our EDR tool Tachyon to shed light on what’s actually installed. It is designed primarily as a security tool to protect against all sorts of nasty business. However, one of its native capabilities is to instantly (seconds, to minutes) answer the question, “Show me all installed software on all our endpoints, regardless of the OS, or their location”. Tachyon instantly returns a data set listing every piece of software in the entire estate. Plus, the machine(s) it is installed upon, regardless of location or the platform.
From that data set, one can perform any number of specific actions.
This capability is where the SecOps side of the house comes in where they can take immediate remedial action of a wide variety, like hunting exploits or malware and take immediate action against them, for example. If I’d had access to these tools, I could have given my senior manager the answer he was looking for while he stood there! Furthermore, if he’d only have given me his software procurement data, I could run an AppClarity Vendor Compliance license report. That would tell me how badly he was about to get beaten up by his Microsoft rep, while also showing him at the same time how unused software could be removed automatically before that meeting. At least that would minimize the beating!
This blog is already too long so I’ll shut up now, and trust that you too will see simple answers to complex problems with what I’ve given you.