Microsoft System Center Configuration Manager 2012 (Beta 1)

Whether your infrastructure consists mostly of physical servers or virtual machines, the lion's share of most IT budgets goes towards managing it all. In Microsoft-centric environments the tools to do that are part of the System Center (SC) family. SC Operations Manager checks on the health of hardware, infrastructure and services, SC Data Protection Manager backs everything up, SC Virtual Machine Manager handles your virtualisation world and SC Configuration Manager keeps tabs on client computers as well as servers.

The final version of SCCM 2012 isn't expected until mid-next year, with the most interesting changes concerning User Centric Management (UCM), a new console, simpler infrastructure and a new security model.

UCM

SCCM works by discovering devices (computers, servers and now smart phones) and installing agent software on each asset. Each device's hardware and software is inventoried and stored in a central database — applications and updates are distributed to devices so that users have the right software to do their job. New computers can have an operating system automatically installed and settings on each device are tracked against company policy to prevent configuration drift. Current versions of SCCM are very much systems management solutions, intended to be mostly invisible to end users. But times are changing, younger employees are "digital natives" and often very tech savvy, they require more control over their IT tools and also often want to bring their own devices to work.

SCCM 2012 thus takes a new approach by involving the user and also allowing the administrator to think "users first" when managing assets. A new concept is Primary Devices, which allows the system to automatically (through usage statistics collection) link a computer/laptop/smartphone to a particular user. This then lets administrators do things like distribute software as a native Windows program to a primary device, but just provide a link to a Terminal Services version of the application if a user access software from someone else's PC. Users can also define their own work hour patterns for their primary devices so that SCCM 2012 doesn't install or update applications during those times. Software Center is the user's part of interacting with SCCM 2012. And there's also the Silverlight based Software Catalog website where they can browse and install software that's been made available to them.

The new Software Center is the end user's one-stop shop for controlling SCCM 2012. (Screenshot by Paul Schnackenburg)

Programs

The current model of using packages to send out applications to devices is being augmented with a new, richer model based on applications. Each application can be deployed in one or more ways: Script Installer, Windows Installer, Microsoft Application Virtualization or Windows Mobile Cabinet.

One application, multiple ways to deploy it — much more logical than multiple packages. (Screenshot by Paul Schnackenburg)

Coming in beta 2 should be support for Remote Desktop App and Nokian Symbian mobile apps. Applications are either required, in which case they'll be automatically installed, or available, in which case the user has to manually install it from the Software Catalog. In SCCM 2007 and earlier, a fair bit of administrative work was involved in creating complex queries to make sure that a particular application was targeted at the right devices/users. In SCCM 2012, new requirement rules make it a lot easier to define things like "only install this application on x64 Windows PCs in Sydney that have more than 2GB free disk space and at least 1 GB of RAM".

Target the application to the right machine with the right rules. (Screenshot by Paul Schnackenburg)

A big improvement for operating systems deployment is that OS images stored on servers can be targeted for Windows security updates, ensuring that they're up to date when they're deployed.

New console

The MMC-based console in SCCM 2007 is known to be slow in larger environments. SCCM 2012 comes with a totally new UI that adopts the Outlook style. In the lower left hand is the wunderbar (yes, that's the official name) that has links for Assets and Compliance, Monitoring, Software Library and Administration.

A new console that's simply wunderbar! (Screenshot by Paul Schnackenburg)

It's a delight to work with and very easy to navigate, with wizards available for almost every task.

Infrastructure improvements

Many SCCM 2007 environments are more complex than they need to be due to limitations in the underlying product. If you want separate administrative control (for instance, have one set of administrators for Sydney and another for Brisbane) you need separate Primary sites. If you want to have separate settings for the client agent software you again have to create separate sites. In SCCM 2012, these issues have been addressed and the only reason for having more than one Primary site is for scale out (one site = about 100 000 devices). Client agent settings can be set at the collection level and security partitioning is managed by Role-Based Access Control (RBAC). These improvements should allow for fewer sites, servers and infrastructure overall. There's a new type of site, the Central Administration Site (CAS) that you only need if you have more than one Primary site. Another bugbear in SCCM 2007 is file based replication; in SCCM 2012 most replication is taken care of by SQL server replication.

SCCM 2012 is 64-bit only and requires Windows Server 2008/2008 R2 and SQL Server 2008 SP1 or later for everything except Distribution Points (DPs).

Migrating, not upgrading

Due to the sweeping changes in the product there's no way to upgrade an existing SCCM 2007 setup directly. Fortunately, Microsoft provides tools in the product to install a new SCCM 2012 environment in parallel and then migrate the old to the new. Migration jobs copy settings over. These can be configured to run at a scheduled time or be manually initiated. During the period of coexistence DPs are shared between SCCM 2007 and SCCM 2012 clients.

What's your role here?

Controlling security for server applications that span enterprises and that are used by numerous people with different access needs is a difficult issue. Traditionally, this is dealt with by setting permissions on individual objects and assigning users to groups with varying levels of access to objects. The need to set permissions makes it labour intensive, resulting in a less-than-ideal security model. Taking a leaf out of the Exchange 2010 book, SCCM 2012 instead adopts RBAC where you define security scopes for access (geographically or for a particular administrative task) and security roles, which are groupings of tasks. The combination of the two controls what a user can do and which objects they can do it to. There are 13 built-in roles in beta 1 and you can easily define your own.

Carve up the administration of SCCM 2012 to suit your company. (Screenshot by Paul Schnackenburg)

The new console is aligned with RBAC so that if there's a section a particular user has no access to, it won't even be visible.

Mobility

There's no doubt that smart phones are a growing part of today's IT world. The goal of SCCM 2012 is to let administrators manage all IT assets (desktops, laptops, smart phones and servers) using the same toolset.

In beta 1, Windows Mobile 6/6.5 is supported; in beta 2, Nokia Symbian devices will be added. Windows Phone 7, iPhone and Android will be given "light administration" support through Exchange Active Sync, but Microsoft is hinting at full management support for these platforms over time.

Settings

In SCCM 2007, Microsoft added a feature called Desired Configuration Management (DCM) that allowed administrators to define configuration baselines and have SCCM report if clients or servers settings were changed. There was, however, no easy way to tell SCCM to "fix it" when settings fell out of compliance. SCCM 2012 goes the last mile and lets you (optionally) put settings back if they're changed.

The most curious omission in this beta is the lack of PowerShell: every other server product from Microsoft for the last three years has been built on PowerShell, but it seems SCCM 2012 isn't.

Summary

This is an early beta with features still to come, but this is definitely a big makeover of the SC flagship product. The simplified hierarchy will appeal to any current SCCM business and role-based security. And the new console and mobile management should appeal to administrators. User centric management aligns config manager with the brave new world of tech-savvy users, while the new flexible application deployment model will appeal to administrators and users alike.

Specifications

(Back to top)