In January 2017, we announced ZENworks 2017. At that time, we also announced we would be moving ZENworks from its traditional release cycle of every 18-24 months to every 6 months or so. ZENworks 2017 Update 1 was delivered in July 2017 and Update 2 was delivered in February 2018. That means it’s just about time for the next update, ZENworks 2017 Update 3.
In this article, we’ll take a look at the new ZENworks capabilities coming to a management zone near you. These include:
- Actionable Dashboards
- OS Deployment Improvements
- Lost Mode and Geolocation
- InTune App Protection Policies
One of the things we’ve heard from customers is that the ZENworks Control Center needs to offer the ability to more quickly visualise the status in the zone and then provide the ability to take action if needed, to resolve issues. With ZENworks 2017 Update 3, we are pleased to introduce a new dashboard framework that begins to make this a reality.
As we introduce this, we are also beginning to use new, more modern technologies in our UI that will provide other frequently-requested capabilities.
In ZENworks 2017 Update 3, we are providing a limited set of customisable dashlets that will enable you to build additional dashlets to meet your needs. Let’s look at some of the key dashboard features in ZENworks 2017 Update 3.
ZENworks 2017 Update 3 actionable dashboards are based on modern technologies that allow the dashboards to render properly and be usable across a wide range of devices. This includes being able to view the dashboards on your favourite mobile device.
ZENworks 2017 Update 3 enables you to create multiple dashboards per administrator, which they can use to keep an eye on things. With this release, you can create dashboards on the Home page, Devices page, and Patch Management page. By default, these pages are pre-populated with all dashlets that are applicable for that particular canvas.
From this page you can add new custom dashlets, remove dashlets, and re-arrange the dashlets to meet your needs. The content of the canvas and its position are tied to each administrator, so once you have created your dashboard the way you want, it follows you no matter where you access ZCC.
Because ZENworks enables you to restrict the objects that an administrator can view, it is important that dashboarding take these same rights into consideration. This means if you have delegated administration so that an administrator is managing a regional site, department, or other organizational structure in your zone, then the dashboards that the admin sees in the zone will reflect only the objects for which they have access. For instance, figure 1 shows two dashlets from the same zone: one as viewed by a zone superadmin and the other as viewed by a limited admin.
Notice that in the first graph there appear to be approximately nine devices, while in the second there are significantly more. Also notice that in the second graph there are servers and other platforms that do not appear in the first. This is because the limited admin has no rights to those other objects.
Each of the dashlets on the dashboard canvas can be customised to meet the needs of the administrator. You can do this by clicking the expand button and then modifying the filters and chart settings.
This includes being able to perform simple tasks such as changing the graph type and more complex customisations such as limiting the scope of the dashlet to a particular folder or group, device type, and more.
The screenshot below (figure 2) shows an example of how you could customise the Device Distribution chart to see the breakdown of devices by ZENworks Adaptive Agent version instead of by platform and visualise it as a donut chart instead of a bar chart:
Once the chart has been customised, it is then possible to save a copy that is specific to this administrator and place it on any of the dashboard canvases where it might be relevant. This example is a Device dashlet, so it could be pinned to either the Devices canvas or to the Home canvas.
Details Data Grid
When you expand a dashlet, you not only see the chart and have the ability to change it, but you also see a data grid that shows you the data related to the details behind the chart, as shown below in figure 3.
From here, you can search and sort the list. If you update the filters for the dashlet, then both the chart and the device details are updated. You can also customise the columns that are displayed in the list and, if needed, export the data to a CSV file.
Most of the dashlets provide common actions that you are likely to take to address issues that the chart dashlet might surface. For instance, in the case above, if you found a device that had not checked in for some time, you might immediately want to initiate a refresh for the device or device(s) in that state. You can also drill down into a particular object in the list and then easily come back to the dashlet.
Over time, it is likely that the number of actions will increase as more of the quicktask capabilities are ported to the Angular-based framework. So, as you use it, if you find yourself having to often leave the grid to do another action, please let us know by submitting a request for that action.
With ZENworks 2017 Update 3, we’re just getting started, so look for other dashlets and dashboard canvases to appear as we move forward.
OS Deployment Enhancements
ZENworks 2017 Update 3 adds two key improvements to OS deployment. First, you can now upload your MDT CustomSettings.ini and Bootstrap.ini files and then modify them right from the ZENworks bundle. You can also leverage ZENworks variables in these files so that you can populate them at OS Deployment time with the data store in the ZENworks zone.
This feature should significantly reduce the number of times you need to rebuild the MDT deployment share and also enable you to maintain a single WIM file if desired.
In addition to the MDT changes, ZENworks 2017 Update 3 provides the ability to define preboot rules based on the firmware type, so that you can better target BIOS vs UEFI events and UEFI-32 vs UEFI-64 devices. Once targeted, you can now also define ZENworks variable values based on the rules, so that you can pass those values into MDT deployments and scripts.
If you are familiar with ZENworks 2017, then you know that we have been working on transforming ZENworks from a Client Management solution to a full Unified Endpoint Management solution. We continue this work in ZENworks 2017 Update 3, adding several key mobile capabilities.
iOS Lost Mode and Geolocation
ZENworks 2017 Update 3 provides support for locating an end user’s lost device and, in the case of iOS, securing the device. The requirements for locating a device differ by platform, given the API set available on iOS or Android. For iOS, you can locate supervised devices by first triggering a quicktask to put the device into Lost Mode.
This restricts the device completely, preventing anyone from accessing it without first contacting the administrator. Once the device is in Lost Mode, you can then initiate a quicktask to find to the device from the new Geolocation tab on the mobile device, as shown in figure 4.
You can see that once a device is located, it displays the geolocation coordinates as well as the friendly place name and the accuracy data. From here, you can also click View on the map to open those coordinates on Google Maps and see the location.
On Android devices, there is no Lost Mode capability, but you can simply initiate a geolocation for any device that has the ZENworks app installed. Some Android devices require that the device be configured for high-accuracy mode for the location in order to be retrieved by the MDM agent.
Android Enterprise Work Managed Device Support
In ZENworks 2017 Update 2, we added support for BYO Android device management by supporting Work Profile enrolment. With the release of Update 3, we are bringing similar capabilities to corporate-owned devices by supporting Android Enterprise Work Managed Device mode. In the Android world, this is analogous to supervising an iOS device. Similar to iOS supervision, this is a destructive task— meaning that in order to manage the device as a Work Managed device, you must first factory-reset the device and then during factory-reset, provide a ZENworks-specific string that indicates the device will be managed by ZENworks.
This will cause the ZENworks application to be installed as the trusted MDM solution on the device. Once installed, the end user can enrol with ZENworks in the same way as other devices.
With Work Managed mode, the end user will only have access to applications that the administrator grants and might not be able to add their own accounts to the device. In addition, any policies will impact the full device, unlike Work Profile mode where only access to the corporate profile is restricted.
InTune Application Protection Policies
Recently, Microsoft added support to the Graph API, enabling vendors to interact with the InTune Application Protection capabilities. These capabilities can be implemented to restrict the behaviour of Office 365 applications and other InTune, container-enabled applications.
With InTune Application Protection policies, you can do all of your mobile management from ZENworks and still have the benefits of being able to protect your sensitive Office 365 data. (Figure 5).
It is important to note that in ZENworks 2017 Update 3, InTune application protection policies have only been implemented for iOS; we will extend this to Android in the next update.
This decision was based on our experience with the Microsoft capabilities being substantially more stable on iOS than on Android at present. It is also important to note that in order to use these capabilities, the users you assign the policy to must have a valid InTune App Protection license assigned to them in Azure AD.
Also, unlike most policies in ZENworks, the InTune App Protection policy does not allow for the creation of a sandbox version for testing.
The reason for this is that when you are making changes to the policy, those changes are being written back to the Azure cloud, which currently does not provide any sandbox-like capability.
ZENworks does still maintain multiple versions of the InTune app protection policy so that you can revert to a previous version if required.
ZENworks 2017 Update 3 also provides the following notable enhancements:
- Configure the mobile inventory settings through ZCC
- Report on mobile inventory from ZENworks Reporting
- New iOS device control settings to prevent users from adding their own Wi-Fi and/or VPN configuration
- New iOS DEP settings supported in the latest version of iOS
- Reboot or shut down an iOS device remotely
- Send audit data and message data to syslog server for integration with SIEM solutions such as Micro Focus® ArcSight and Sentinel
- Automate the checking for and deployment of PRUs
- Improved recognition of Windows 10 versions and the ability to use that version information (1703, 1803, etc.) in system requirements and dynamic group filters
- Change the display size of the ZENworks User Application icons to provide an experience more consistent with the previous ZENworks
- Application Launcher
- Support for managing SLES 15 and OpenSUSE LEAP 42
ZENworks 2017 Update 3 is poised to be another great release that provides many capabilities to help further reduce the administrative overhead associated with managing your diverse endpoint estate and to improve your visibility into the system. We anticipate the release early in the second half of 2018.
We extend a big thank you to all our beta testers, engineers, and others who help us ensure a high-quality experience with each release!
This article first appeared in OHM Issue 41, 2018/2, p15-18