Computer networks at enterprises are often managed by system administrators. Typically, each workstation in the network is equipped with a software deployment. The system administrator may select programs and documents that make up the software deployment. To verify the status of the software deployment at each workstation, the system administrator may request a status update from each workstation. However, as more workstations are added to the network, deployment verification may become a time-consuming task for the system administrator.
Systems and methods of configuration reporting are disclosed. A policy service may receive configuration metadata from a software developer. The configuration metadata may include information about configurable parameters of hardware and software products that can be deployed to managed computing devices. A system administrator may define desired (e.g., recommended) or required values and constraints for the parameters. The policy service may transmit a configuration policy that reflects the desired values to the managed computing devices. A particular configuration policy may be transmitted to one or more managed computing devices, and each managed computing device may receive one or more configuration policies. Each managed computing device may execute a policy agent that retrieves configuration policies from the policy service and processes the configuration policies. The policy agent also transmits report data that includes the results of processing the configuration policy to the policy service. For example, the configuration policy may identify a subset of configuration parameters to be reported back to the policy service, and the report data from each managed computing device may include values of the subset of configuration parameters at that particular managed computing device. The policy service may aggregate the report data received from various managed computing devices and may present configuration status reports to the system administrator. Thus, managed computing devices may receive a configuration policy identifying a desired configuration and may report back to the policy service the status of their individual configurations with respect to the desired configuration.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
In a particular embodiment, a method includes transmitting a configuration policy from a policy service to a managed computing device. The configuration policy includes values of each of a plurality of configuration parameters. The configuration policy also identifies a subset of configuration parameters to be reported to the policy service. The method also includes receiving report data at the policy service from the managed computing device, where the report data includes results of processing the configuration policy at the managed computing device.
In another particular embodiment, a computer-readable medium includes instructions that, when executed by a computer, cause the computer to receive a configuration policy from a policy service at a policy agent of a managed computing device. The configuration policy includes values and constraints of each of a plurality of configuration parameters and identifies a subset of the configuration parameters to be reported to the policy service. The instructions are also executable to cause the computer to process the configuration policy and to transmit report data from the policy agent to the policy service. The report data includes second values of each of the subset of configuration parameters, where the second values are determined at the managed computing device after processing the configuration policy.
In another particular embodiment, a computer system includes a processor and a policy service executable by the processor. The policy service is executable to receive configuration metadata including information associated with a plurality of configuration parameters. The policy service is also executable to generate an interface operable to receive desired values of the plurality of configuration parameters and to receive the desired values via the interface. The policy service is further executable to transmit a configuration policy to a plurality of managed computing devices, where the configuration policy includes the desired values and identifies a subset of configuration parameters to be reported back to the policy service. The policy service is executable to receive report data from the plurality of managed computing devices. The report data received from a particular managed computing device includes results of processing the configuration policy at the particular managed computing device.
In a particular embodiment, the policy service 110 is implemented as a web service that is accessible to the managed computing devices 161, 163, and 165 via the Internet (e.g., as a “cloud-hosted” service). Alternately, the policy service 110 may be a service available to the managed computing devices 161, 163, and 165 via a private network. In yet another embodiment, the policy service 110 may be executed at one or more administration servers (e.g., physical or logical servers) that are part of a network that is accessible to the managed computing devices 161, 163, and 165 (e.g., as an “on-premise” software product available via a private network, such as a corporate network).
The policy service 110 may be configured to receive configuration metadata 120 that describes one or more configuration parameters. Configuration parameters may include, but are not limited to, hardware and software settings at one or more of the managed computing devices 161, 163, and 165. For example, the configuration metadata may include types, descriptions, and constraints (e.g., upper and lower bounds) of the configuration parameters. In a particular embodiment, the configuration metadata 120 may be provided by a user (e.g., a software developer 101). For example, the software developer 101 may provide configuration metadata associated with a particular software product that is developed by the software developer 101 and that is deployed (e.g., installed) at the managed computing devices 161, 163, and 165. In a particular embodiment, the software developer 101 installs the configuration metadata at the policy service 110. The configuration metadata 120 is further described and illustrated with reference to
The policy service 110 may also be configured to generate and transmit a configuration interface 130 to be displayed at a display device 104. The configuration interface 130 may be operable to receive desired values 140 of one or more configuration parameters (e.g., configuration parameters described by the configuration metadata 120). For example, a user (e.g., a system administrator 102) may interact with the configuration interface 130 to provide the desired values 140. In a particular embodiment, the policy service 110 stores the configuration metadata 120 and the desired values 140 at a policy database 106. The policy database 106 and the policy service 110 may be located at the same computing device (e.g., server) or may be located remote to each other. In a particular embodiment, storing the configuration metadata 120 at the policy database 106 includes generating lookup tables that correlate the configuration metadata 120 with the desired values 140.
The policy service 110 may further be configured to generate and transmit a configuration policy 150 to the managed computing devices 161, 163, and 165. The configuration policy 150 may be deployed using a “pull” model (e.g., transmitted to one or more managed computing devices in response to a request from the particular managed computing device) or a “push” model (e.g., transmitted to one or more managed computing devices at the discretion of the policy service 110). In a particular embodiment, the configuration policy 150 includes or identifies the desired values 140 of the configuration parameters provided by the system administrator 102. The configuration policy 150 may also include constraints (e.g., high and low bounds) for the configuration parameters. For example, the desired value of a particular configuration parameter may be “5”, and a constraint for the configuration parameter may be “1<value<10.” In a particular embodiment, the configuration policy 150 identifies a subset of configuration parameters to be reported by the managed computing devices 161, 163, and 165 as report data 170 to the policy service 110. For example, the configuration policy 150 may include desired values for three parameters “A,” “B,” and “C.” For example, the parameters may represent a screensaver timeout, a screensaver name, and whether or not a user is required to login after deactivating the screensaver. The configuration policy 150 may indicate that the managed computing devices 161, 163, and 165 should report the values of “A” and “C” (e.g., the screensaver timeout and whether or not users will be required to login) back to the policy service 110. In a particular embodiment, the report data 170 also includes the original desired values 140 from the configuration policy 150. For example, including the desired values 140 in the report data 170 may enable the policy service 110 to determine whether the configuration policy 150 that was processed at the managed computing device is outdated (e.g., because the system administrator 102 has recently provided new desired values).
The policy service 110 may receive report data 170 from the managed computing devices 161, 163, and 165. The report data 170 may include the results of processing the configuration policy 150 at the managed computing devices 161, 163, and 165. The report data 170 from each particular managed computing device may be the same or may be different. The policy service 110 may store the report data 170 received from each of the managed computing devices (e.g., the managed computing devices 161, 163, and 165) at a report database 108 that may be located at the same server as the policy service 110 or may be located remote to the policy service 110. The policy service 110 may also generate a configuration report 180 based on the report data 170. For example, the configuration report 180 may provide the system administrator 102 with a configuration status of each of the managed computing devices 161, 163, and 165, and the configuration report 180 may include aggregated data, statistics information, or alerts.
The managed computing devices 161, 163, and 165 may include desktop computers, laptop computers, tablet computers, mobile phones, servers, other fixed or mobile computing devices, or any combination thereof. The managed computing devices 161, 163, and 165 may each include a policy agent (e.g., illustrative policy agents 162, 164, and 166, respectively). In a particular embodiment, the policy agents 162, 164, and 166 are deployed (e.g., installed) to the managed computing devices 161, 163, and 165 by the policy service 110. The policy agents 162, 164, and 166 include software that is executable to process configuration policies received from the policy service 110. The policy agents 162, 164, and 166 also include software that is executable to transmit results of processing the configuration policies to the policy service 110. Processing a configuration policy may include determining that a particular configuration parameter is non-compliant with the configuration policy and updating the configuration parameter to comply with the configuration policy. In a particular embodiment, a policy agent may mediate between multiple configuration policies. For example, a first configuration policy may constrain the value of the parameter “A” to between 1 and 10, and a second configuration policy may constrain the value of the parameter “A” to between 8 and 12. The policy agent may set the value of the parameter “A” to a value compliant with both policies (e.g., 9).
The report data 170 transmitted by a policy agent to the policy service 110 may include configuration parameter values that are determined at the managed computing device associated with the policy agent after processing of the configuration policy 150. For example, at a time after processing the configuration policy 150, the policy agents 162, 164, and 166 may query the managed computing devices 161, 163, and 165 for the values of the configuration parameters. Alternately, the policy agents 162, 164, and 166 may measure the values of certain configuration parameters (e.g., by executing tests or evaluating metrics at the managed computing devices 162, 164, and 166) The report data 170 may include the values of those configuration parameters that the configuration policy 150 identified to be reported back to the policy service 110.
In a particular embodiment, the configuration policy 150 further includes one or more schedules for the policy agents 162, 164, and 166. For example, the configuration policy 150 may include a reporting schedule indicating when or how often policy agents transmit report data to the policy service 110. The configuration policy 150 may also include a retrieval schedule that indicates when or how often policy agents retrieve information (e.g., the configuration policy 150) from the policy service 110. The configuration policy 150 may further include a processing schedule indicating when or how often policy agents are to process previously retrieved and stored configuration policies. Illustrative configuration policies are further described with reference to
It should be noted that although
In operation, the policy service 110 may receive the configuration metadata 120 (e.g., represented in accordance with an XML schema) from the software developer 101 and may generate the configuration interface 130 based on the configuration metadata 120. The system administrator 102 may use the configuration interface 130 to define the desired values 140 for certain configuration parameters. The system administrator 102 may also identify a subset of configuration parameters to be reported back to the policy service 110. Alternately, or in addition, the subset of configuration parameters to be reported back to the policy service 110 may be identified by the software developer 101 in the configuration metadata 120. The policy service 110 may generate the configuration policy 150 (e.g., represented in accordance with an XML schema), where the configuration policy 150 includes or identifies the desired values 140 and the subset of parameters to be reported to the policy service 110.
As an illustrative example, the policy agent 164 at the managed computing device 163 may retrieve the configuration policy 150 from the policy service (e.g., in accordance with a retrieval schedule provided in a previous configuration policy) and may store the retrieved configuration policy 150 at the managed computing device 163. The policy agent 164 may subsequently process the stored configuration policy (e.g., in accordance with a processing schedule included in the configuration policy 150). Processing the configuration policy 150 may include evaluating configuration parameters at the managed computing device 163 for compliance with the configuration policy 150. Processing the configuration policy 150 may also include determining that a particular configuration parameter is non-compliant with the configuration policy 150 and updating the particular configuration parameter in order to comply with the configuration policy 150.
The policy agent 164 may transmit the report data 170 to the policy service 110 (e.g., in accordance with a reporting schedule included in the configuration policy 150), where the report data 170 includes results of processing the configuration policy 150. For example, the report data 170 may include the value 9 for the parameter “A.” In a particular embodiment, the report data 170 is represented in accordance with an XML schema. The policy service 110 may generate the configuration report 180 for the system administrator 102, where the configuration report 180 indicates that the parameter “A” has a value of 9 at the managed computing device 163. Similar operations may also occur with respect to the other managed computing devices 161, 165 and policy agents 162, 166.
It will be appreciated that in the system 100 of
The configuration metadata 200 may include information associated with each of a plurality of configuration parameters. For example, in the particular embodiment illustrated in
For example, the configuration metadata 200 may be associated with a screensaver application at a managed computing device (e.g., one of the managed computing devices 161, 163, 165 of
The configuration metadata 200 may be provided by a software developer along with a software application. For example, in the example above, the configuration metadata 200 may be provided by a developer of the screensaver application or by a developer of the operating system that executes the screensaver application. Alternately, the configuration metadata 200 may be automatically generated based on the software application. For example, the configuration metadata 200 may be automatically generated during compilation of source code of the screensaver application.
It will be appreciated that the configuration metadata 200 may encapsulate information associated with configuration parameters, where the information may be used by system administrators to determine which configuration policies are to be deployed to particular managed computing devices. It will also be appreciated that the configuration metadata 200 may provide a vehicle for software developers to define “default,” “recommended,” or “required” configuration parameter values or constraints. System administrators may selectively overwrite those values or constraints as desired.
The configuration policy 300 may include information associated with each of a plurality of configuration parameters. For example, in the particular embodiment illustrated in
The configuration policy 300 may also include one or more schedules. For example, the configuration policy 300 may include a reporting schedule 340, a retrieval schedule 350, and a processing schedule 360. The reporting schedule 340 may indicate when or how often a managed computing device transmits configuration report data to the policy service. The retrieval scheduling 350 may indicate when or how often configuration policies are to be retrieved from the policy service 110 by the managed computing device. The processing schedule 360 may indicate when or how often the managed computing device processes a previously received or stored configuration policy.
Each of the reporting schedule 340, the retrieval schedule 350, and the processing schedule 360 may include a periodic schedule (e.g., “every 6 hours”), a specific time schedule (e.g. “8:00 am and 5:00 pm”), or some other schedule (e.g., “each time a configuration parameter changes at the managed computing device” or “each time a user logs in or logs off at the managed computing device”). A policy agent at a managed computing device may automatically report, retrieve, and process data in accordance with the schedules 340, 350, and 360.
It will be appreciated that the configuration policy 300 may thus provide a data structure that system administrators may use to encapsulate and deploy configuration information. It should be noted that any number of configuration policies may be provided to any number of managed computing devices, and that configuration policies may differ with respect to included parameters and schedules. Configuration policies may also be defined by multiple sources (e.g., multiple system administrators), and conflicts between different configuration policies may be resolved at the managed computing devices.
The policy service 430 may receive configuration metadata 410 from a software developer. In an illustrative embodiment, the configuration metadata 410 is the configuration metadata 120 of
In a particular embodiment, the configuration metadata 410 is encoded according to an extensible markup language (XML). For example, the configuration metadata 410 may be encoded into the following XML code, which also includes information for additional configuration parameters “AntiMalware:ScanParameters” and “AntiMalware:ExcludedPaths.”
The configuration metadata 410 may be associated with or include an XML annotation and an XML resource table that includes additional information for the configuration parameters:
The policy service 430 may generate a configuration policy 420 based on the configuration metadata 410 and parameter definitions received from a system administrator. The configuration policy 420 may be transmitted to the managed computing device 440. In an illustrative embodiment, the configuration policy 420 is the configuration policy 150 of
In a particular embodiment, the configuration policy 420 is encoded according to an XML schema as follows:
It will be appreciated that the above XML schema indicates that the parameters “DisableRealtimeMonitoring” and “ExcludedPaths” are ReportItems but the parameter “ScanParameters” is not a ReportItem. Thus, fewer than all of the configuration parameters may be selected as ReportItems to be reported back to the policy service 430, thereby enabling a system administrator to control the amount of bandwidth in a system that is used for reporting configuration data to a policy service.
The managed computing device 440 may process the configuration policy 420 and may transmit results of processing the configuration policy 420 (including the selected “ReportItems”) to the policy service 430. For example, the managed computing device 440 may transmit report data 450 to the policy service 430. In an illustrative embodiment, the report data 450 is the report data 170 of
In a particular embodiment, the report data 450 is encoded according to an XML schema as follows:
The method 500 includes receiving configuration metadata at a policy service, at 502. The configuration metadata may be received from a software developer or from some other source having knowledge of the configuration parameters in a system. For example, in
The method 500 also includes generating a configuration interface based on the configuration metadata, at 504. The configuration interface is operable to receive values of each of a plurality of configuration parameters. For example, in
The method 500 further includes receiving values of each of the plurality of configuration parameters at the policy service via the interface from a system administrator, at 506. For example, in
The method 500 includes transmitting a configuration policy from the policy service to a managed computing device, at 508. The configuration policy includes the values and identifies a subset of configuration parameters to be reported to the policy service. For example, in
The method 500 includes receiving report data at the policy service from the managed computing device, at 510. The report data includes results of processing the configuration policy at the managed computing device. The results include second values of each of the subset of configuration parameters that are measured at the managed computing device. For example, in
In the embodiment illustrated, the method 500 also includes storing the report data at a report database, at 512, and generating a configuration report based on data retrieved from the report database, at 514. The configuration report indicates a configuration status for one or more managed computing devices. For example, in
The method 500 of
The method 600 includes receiving a configuration policy from a policy service at a policy agent of a managed computing device, at 610. The configuration policy includes values of each of a plurality of configuration parameters. The configuration policy also identifies a subset of configuration parameters to be reported to the policy service. The configuration policy further includes a reporting schedule, a retrieval schedule, and a processing schedule. For example, in
The method 600 may also include one or more of processing the configuration policies in accordance with the processing schedule, at 620, transmitting report data in accordance with the reporting schedule, at 630, and retrieving other configuration policies in accordance with the retrieval schedule, at 640. The number of times and order in which the actions 620, 630, and 640 are performed may depend on the particular details of the processing schedule, the reporting schedule, and the retrieval schedule, respectively. For example, in
Processing the configuration policy, at 620, may include evaluating configuration parameters for compliance with the configuration policy, at 622. For example, in
The report data that is transmitted, at 630, may include second values of each of the subset of configuration parameters that are measured at the managed computing device after processing the configuration policy. For example, in
It should be noted that the other configuration policies that are retrieved, at 640, may include updated versions of the originally received configuration policy, versions of unrelated configuration policies (e.g., non-malware policies with respect to
The computing device 710 includes at least one processor 720 and a system memory 730. For example, the computing device 710 may be a desktop computer, a laptop computer, a tablet computer, a mobile phone, a server, or any other fixed or mobile computing device. Depending on the configuration and type of computing device, the system memory 730 may be volatile (such as random access memory or “RAM”), non-volatile (such as read-only memory or “ROM,” flash memory, and similar memory devices that maintain stored data even when power is not provided), non-transitory, some combination of the three, or some other memory. The system memory 730 may include an operating system 732, one or more application platforms 734, one or more applications 736, and program data 738. In the embodiment illustrated, the system memory 730 includes a policy service 737. In an illustrative embodiment, the policy service 737 may be the policy service 110 of
The computing device 710 may also have additional features or functionality. For example, the computing device 710 may also include removable and/or non-removable additional data storage devices such as magnetic disks, optical disks, tape, and standard-sized or flash memory cards. Such additional storage is illustrated in
The computing device 710 may also have input device(s) 760, such as a keyboard, mouse, pen, voice input device, touch input device, etc. connected via one or more input interfaces. Output device(s) 770, such as a display, speakers, printer, etc. may also be included and connected via one or more output interfaces. For example, the output devices 770 may include the display device 104 of
It will be appreciated that not all of the components or devices illustrated in
The illustrations of the embodiments described herein are intended to provide a general understanding of the structure of the various embodiments. The illustrations are not intended to serve as a complete description of all of the elements and features of apparatus and systems that utilize the structures or methods described herein. Many other embodiments may be apparent to those of skill in the art upon reviewing the disclosure. Other embodiments may be utilized and derived from the disclosure, such that structural and logical substitutions and changes may be made without departing from the scope of the disclosure. Accordingly, the disclosure and the figures are to be regarded as illustrative rather than restrictive.
Those of skill would further appreciate that the various illustrative logical blocks, configurations, modules, and process steps or instructions described in connection with the embodiments disclosed herein may be implemented as electronic hardware or computer software. Various illustrative components, blocks, configurations, modules, or steps have been described generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The steps of a method described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in computer readable media, such as random access memory (RAM), flash memory, read only memory (ROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to a processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor or the processor and the storage medium may reside as discrete components in a computing device or computer system.
Although specific embodiments have been illustrated and described herein, it should be appreciated that any subsequent arrangement designed to achieve the same or similar purpose may be substituted for the specific embodiments shown. This disclosure is intended to cover any and all subsequent adaptations or variations of various embodiments.
The Abstract is provided with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing Detailed Description, various features may be grouped together or described in a single embodiment for the purpose of streamlining the disclosure. This disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter may be directed to less than all of the features of any of the disclosed embodiments.
The previous description of the embodiments is provided to enable a person skilled in the art to make or use the embodiments. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope possible consistent with the principles and novel features as defined by the following claims.