The first step toward software license management and license optimization is to assess what applications are installed and used in your IT environment. This means inventorying all devices (both physical and virtual), determining the applications that have been used and finding out which end users have access to these applications. This seems like it should be an easy task as most organizations have implemented configuration management tools able to discover and inventory devices on the network. But, there are still many challenges in getting an accurate and complete inventory. This is especially true due to the growing use of technologies such as application or desktop virtualization, organizations enabling employees to use their personal devices (BYOD) and heterogeneous, cloud or virtualized datacenter environments. This 3-part blog series will first cover desktop inventory requirements and challenges. The second blog will describe the server environment. Then, a few best practices will be presented in the third blog.
The traditional approach for desktops is to install an agent on each device capable of inventorying the device and collecting usage data. Most of the time, the configuration management tool agents used to deploy software products and perform security and patch management are also capable of inventorying devices and monitoring application usage. Dedicated inventory tools are used when configuration management tools are nonexistent, considered untrustworthy or do not provide the required data.
For the vast majority of the configuration management and inventory tools, hardware inventory is never an issue and can be used not only to identify devices but also perform hardware asset management. There are different data sources on a device that can be used to identify software applications. None of them provide enough data by themselves; they all must be considered to accurately inventory local installations. These data sources are:
- Packaging data: the Add/Remove Programs (aka Programs and Features) entries found on Windows devices, RPM (RedHat Package Manager) on Linux, etc. On Windows devices packaging data provides a very accurate list of software applications installed on the computer. In some instances, additional data may be required to clearly identify the software applications, such as finding the edition installed.
- File data: executable, dll, ini, jar manifest files, etc., on the hard drive. On the Windows platform, the file header sometimes provides information such as the publisher, the version and the name of the application. The size, name, checksum or content of a file can also be used to identify an application.
- Registry information on Windows devices: for instance, the Operating System description, version and edition can be found in the Windows registry.
- ISO tag files: the ISO 19770-2 is probably the best and most accurate way to identify a local software product on a device. It is supposed to provide the name, version and editon of the software product installed, as sold by the publisher. It may also contain the list of the software components and relationships between them. Only a few publishers such as CA, Adobe, Symantec, Flexera Software and Microsoft are using the ISO 19770-2 tag. It applies only to the latest releases of their products.
The raw data from these data sources needs to be filtered and processed to extract the commercial name of the products that require a license. From a license management perspective, patches, service packs, NIC or printer drivers, freeware, hot fixes, add-ons, and OS related installations, etc., should be discarded as they are meaningless. This data represents up to 90% of all inventory data collected in many cases.
Many tools exist and are capable of performing inventory; the key issue is maintaining the accuracy of the inventory. New hardware machines are installed and old ones retired every single day, software products are installed, upgraded or removed on a regular basis. If an organization has 10,000 desktops and laptops for instance, with an average life time of 3 years, 15 computers are retired and 15 are provisioned every working day, on average. A process is needed to remove or disable computers in the configuration management tool when it is physically retired. The same applies to computers not reporting inventory for a long period of time as they should be considered lost or stolen. In this case, the process must consider that users can be disconnected from the network for a long period of time, for instance when they are on leave, travelling or working remotely from their home. Inventory is not performed on all devices at once, but typically on a rolling basis: the picture of the inventory is never 100% accurate on any one day; the challenge is to limit this area of uncertainty.
Discovery and Inventory in Virtual Environments
If traditional desktop/laptop inventory can be resolved with inventory and configuration management tools, application and desktop virtualization technologies may require a different approach. In most cases, virtualized applications leave evidence on a device that can be tracked along with their related usage data from an agent. For instance, this is possible with the latest releases of Microsoft App-V. An alternative solution is to directly query the virtualization technology API and get either the relationship between virtualized applications and users, or the usage data, if available.
The relationship between virtualized applications and users can be extracted from the access rights granted to applications for each user. This dataset does not track the devices where the applications have been used. A user could potentially use the same virtualized application from multiple devices and if this application has a device based metric license, all devices should be accounted for. As the device data is missing, using this dataset implies making some assumptions, such as assigning a primary device per user to that virtualized application, which may result in license compliance inaccuracies. Usage data typically provides this device information, telling us where the virtualized application was used. It is a more reliable data source but may involve additional technologies. For instance, usage tracking for Citrix XenApp virtualized applications can be performed by Citrix EdgeSight. Usage data may be challenged during an audit as the auditors may rely on which users or devices have access to the application rather the ones that have actually used it.
The virtual desktop is the most difficult environment to handle as there may be no tangible evidence of the use of a specific virtual desktop on the endpoint device hard drive. Persistent virtual desktops can be inventoried with configuration management or inventory agents as they are kept on a disk in the datacenter. Session based, or non-persistent, virtual desktops are wiped out after each session. The life span of a virtual desktop can be extremely short, not leaving enough time for a scheduled or session triggered configuration management or inventory tool agent to successfully report inventory and usage data. As for application virtualization, one solution is to query the virtualization infrastructure to get access rights information. Typically, session based virtual desktops are created from templates that can be inventoried; users are granted access rights to these templates.
The biggest difficulty in a virtual desktop environment is to identify endpoint devices using the virtual machine. Again, for applications attached to a device based license metric, this information is needed. There are different techniques that can be used to get this data, but only a handful of tools are able to collect it. The last challenge is metering usage on applications running in the virtual desktop, some of which could be virtualized. In this case virtualized application usage data may need to be matched against the virtual desktop one to clearly identify the endpoint device. The usage monitoring tools for application virtualization typically report usage against the virtual desktop itself rather than the endpoint device.
BYOD and License Management
As of today, very few applications installed on intelligent mobile devices, such as iPads, need license management as they are purchased or installed from an online application store. However, from these devices, virtual desktops or virtual applications can be accessed and this can impact your license position. Most configuration management tools now support the discovery and inventory of intelligent mobile devices. Alternatively, devices connected to Microsoft Exchange can be found using Active Sync. Data can also be extracted from a Mobile Device Management (MDM) tool. License management for these devices is still a work in progress, as publishers try to adapt their licensing metrics and product use rights to these new devices.
Software as a Service Application Inventory
Software as a Service (SaaS) application inventory and usage data metering require using data provided by the service provider or connecting to an API, if it exists, and querying the cloud infrastructure to get this data. Agents monitoring web usage cannot account for use of these applications on devices outside the organization’s control. In many cases, these applications do not need to be tracked for license compliance, as the publishers or service providers often assume this role. However, usage data may be used to optimize the subscription fees and to ensure that you are optimally allocating your licenses to the user community.
Conclusion
Desktop inventory cannot rely solely on traditional configuration management or dedicated inventory tools. When virtualization technologies are used, these tools will likely fall short with regard to accurately reporting inventory or usage data in many scenarios. The solution is to use a combination of inventory tools and adapters to virtualization and cloud technology frameworks to gather data and merge it in a single IT asset management repository for consumption by the software license management and optimization tool.
***
To learn more, please view our on-demand webinar series: Software License Optimization 4-part Webinar Series. Part 2 discusses Discovery, Inventory and Application Recognition.