Introducing Novell ZENworks 11 SP3

On February 25, 2014, we released Novell ZENworks 11 SP3. This service pack is the latest release of the integrated ZENworks platform. We worked hard on this release to answer customer requests and provide new capabilities to solve the challenges our customers were facing.

Though there are many smaller things that will improve your daily experience with ZENworks on both the server and agent sides, these are the key capabilities we’re introducing in ZENworks 11 SP3:

  • Remote manage your devices from anywhere
  • Share bundles and policies between zones
  • Keep control with new auditing capabilities
  • Simplify patch deployment
  • Manage administrator rights

In this article I’'ve summarised these changes and included links to places where you can find more information.

Remote Manage your Devices from Anywhere

The ZENworks join proxy is a new role that is always assigned to primary servers, and which you can assign to satellites. The join proxy’s job, as the name implies, is to join two connections together. In this case the first connection is the one the managed device is maintaining to the proxy server, and the second is the connection coming from the administrator’s viewer machine. Figure 1 shows a typical join proxy deployment:

Figure 1: A join proxy deployment

In this diagram you can see the following key elements:

  • The managed device. When you use a join proxy, the ZENworks Adaptive Agent connects at boot-up, or when it determines its location necessitates the use of a join proxy. It initiates a TCP connection to the Join Proxy Server, then periodically checks in to keep the connection alive.
  • The join proxy. In this case the join proxy has been deployed to a satellite in the demilitarised zone (DMZ). As long as this server is reachable by both the ZENworks administrator and the managed device, the administrator can remotely manage the device. If this device is a Primary Server then you only need one device. If the device is a satellite you will also need a Primary Server that is reachable in the DMZ as shown in the diagram.
  • Network address translation (NAT). Notice that in this diagram, the device is in a hotel room behind a NAT. Because of this, it is impossible for the administrator to contact the machine directly. However, since ZENworks determined the device was in a location requiring a join proxy, the managed device connected and now the administrator can reach the join proxy and initiate the session.

For information on configuring the join proxy, see my article in Cool Solutions.

Share Bundles and Policies between Zones

This capability allows an administrator to quickly and easily share software bundles and policies with other zones. This is great news if you have a production and test zone setup, are using multiple zones for political or scale reasons, or if you are a partner who wants to provide a service where users can subscribe to a set of pre-created bundles or policies.

Let us look at a scenario at ABC Corporation to see how useful the ZENworks 11 SP3 share and subscribe feature can be.

ABC Corporation’s environment is divided into two zones: a lab zone and a production zone. Tom is the administrator of the lab zone and Jim administers the production zone.  ABC Corporation has a practice of creating and testing bundles and policies in their lab zone before using them in their production zone. One day, Jim meets Tom and discusses with him the new requirements for the production zone. Based on the discussion, Tom creates several bundles and policies in his lab zone.

After multiple iterations and tests, Tom is finally satisfied with the objects created in his zone. This entire process takes him around a week. He meets Jim again and tells him that the bundles and policies are ready to use.

In the past, there was no easy way to copy these objects from the lab to the production zone, and Jim and Tom would have to recreate them again in the production zone.  So for ABC Corporation, the entire process of creating and testing these bundles and policies takes several weeks. This means they are both pulled away from their core business activities. The process of recreating these objects is also prone to error.

The new share and subscribe feature enables administrators like Tom and Jim to share and subscribe bundles and policies across multiple zones. The zone that shares the objects is called the sharing zone and the zone that subscribes to get the objects is called the subscribing zone.

Figure 2: Separate lab and production zones
Figure 3: Share and subscribe to bundles across zones with ZENworks 11 Sp3

For detailed steps on how to use this new ZENworks 11 SP3 feature in your environment, see Adharsh Praveen’s article on Cool Solutions.

Keep Control with New Auditing Capabilities

One of the things we’ve consistently heard over the years is that administrators need a way to find out who did what in their system. The new auditing capabilities in ZENworks 11 SP3 allow you to keep track of most changes made in the ZENworks Control Center. The initial audit implementation in ZENworks 11 SP3 provides the following auditing capabilities:

  • Audit most changes in ZENworks Control Center. ZENworks 11 SP3 allows you to enable various “Change Events” that deal with important changes that can be made in ZENworks Control Center. You can now audit approximately 80 percent of the change events related to your ZENworks products.
  • Audit remote management operations. You can now audit the remote management events that occur against a device. This includes tasks such as Remote Control, Remote View, File Transfer, Remote Execute and Remote Diagnostics. Using this auditing capability, you will have a centralised log of who performed the operation, when the individual did it, and in the case of File Transfer, Remote Execute and Remote Diagnostics you will be able to capture what the individual did during the session.
  • Audit other core agent capabilities. You can audit agent-focused events such as ZENworks login and logout, password changes through the ZENworks agent, and location and network environment changes as a device moves from one location to another. You can enable these events at the zone or device folder levels or at each individual device.
  • Audit ZENworks Endpoint Security Management events. You can audit files that are being transferred to or from removable media as well as security policy change events.

Because the amount of data that an audit can generate is significant, ZENworks 11 SP3 requires that this data be stored in a separate database. This prevents the large amount of data in the audit tables from degrading the performance of the ZENworks system. Additionally, from a security perspective, this means that the audit database is independent from the actual operational database.

New tools for viewing and reporting against auditing data make it easy to quickly find important events. We’'ve included a completely new ZENworks Reporting server with ZENworks 11 SP3. This new, lightweight reporting solution makes it easy to build interactive reports that you can use to analyze information about the system and provide reports to individuals within your company. Additionally, the new dashboard designer makes it easy to build dashboards for non-technical users.

To learn about configuring these new audit options, see my article on Cool Solutions.

Figure 4: The new ZENworks audit reporting options

Simplify Patch Deployments

In talking with existing ZENworks Patch Management customers we heard about several common problems, most dealing with administrative overhead.  In ZENworks 11 SP3, we are introducing patch management policies.  Using patch management policies you can define desired patch states in your environment. You can tell ZENworks Patch Management what patches to apply, what machines to apply them to and when to apply them. You can also set rules on maintenance intervals. This should make it easier than ever to keep your devices up to date without negatively impacting your users.

Figure 5: Options that determine when a patch policy runs

Once this is done, your job is just to see if the updated policy applies correctly on your test machines and then to push a button in ZENworks Control Center to publish the policy to your production workstations.

To see how to configure these new patch management policies, see my blog on Cool Solutions.

Manage Administrator Rights

One of the common complaints that we’'ve heard from customers is that delegated administrators can always see everything in ZENworks Control Center, even though they can’t necessarily do anything with those objects. With ZENworks 11 SP3, we are introducing a new right called “View Leaf.” When you give a user this right, they are able to see any leaf node objects in that container, such as a device, group, bundle, policy and so on. If they are not assigned View Leaf rights then they will be able to traverse the folder structure, but they won’t be able to see any of the leaf node objects in the folder.

With the new rights being introduced in ZENworks 11 SP3, it will be possible to restrict delegated administrators from seeing objects in ZENworks Control Center. It will also be possible to delegate control of system update deployment to administrators that are not full zone admins.

You can see how to configure View Leaf rights in my blog on Cool Solutions:


The improvements I’'ve just discussed are not the only improvements in the ZENworks 11 SP3 release. New optimisations throughout the code have significantly improved performance in small and large environments alike. This should result in much better server-to-device ratios. You can find more information on this, and on all the new features of ZENworks 11 SP3, on Cool Solutions and in the ZENworks documentation.

(This article was published in OHM 25, p5-7, April 2014)

Leave a Reply