4.6.3 Analyzing management targets
JP1/IT Desktop Management 2 allows device management, security control, and asset management. The range of target devices varies depending on the management methods. Before starting operation, you need to determine which devices in the organization you want to manage.
In addition, you can use online management for computers that can be connected to the network, and use offline management for computers that cannot be connected to the network. For details about functional differences between online management and offline management, see (1) Functional differences between agent/agentless management.
Target devices for device management
For device management, you can view the device status and many types of information by collecting information from devices connected to the network. Examine the devices for which you want to view the current status in the organization.
Device management is applicable to devices that have IP addresses, such as computers with OSs, network printers, and routers. To perform device management, you must register the devices as JP1/IT Desktop Management 2 management targets. One license is used to manage one device.
You can search for any device having an IP address in the network to automatically collect information. Therefore, even if devices in a department are unknown, you can use JP1/IT Desktop Management 2 to collect information for the devices in the organization and add them as management targets. For devices without IP addresses, such as offline computers, use offline management or manage them as assets.
Peripheral devices for computers, such as a mouse and keyboard, can be managed as part of device information by entering information for the peripheral devices as additional information. Therefore, no licenses are used for managing peripheral devices.
If you do not want to use JP1/IT Desktop Management 2 to manage some devices in the organization, register them as exclusion targets. For example, if you only want to manage the devices which are subject to security control, register devices such as network printers and routers as exclusion targets. This allows you to collect information only from the managed devices.
Device management targets are determined as follows:
-
Devices to be managed by collecting information:
Register the devices as management targets. One managed device uses one licence.
-
Devices not to be managed:
Register the devices as exclusion targets (uses no license).
Devices subject to security control
For security control, you can view the security status of devices and take corrective actions based on the information collected from the managed devices. Examine the devices for which you want to maintain security.
Security control is applicable to managed computers running Windows.
By installing agents in computers, you can judge and diagnose the security status and take security measures.
Agentless computers can also be subject to security control, provided that administrative share is enabled and you can log on as a member of the Administrators group. Note, however, that you can judge and diagnose the security status of an agentless computer only within the range of device information that can be acquired. Security judgement and diagnosis are not possible for some information. There are also functional restrictions. For example, the auto enforce function and the software startup suppression function cannot be used.
Security control targets are determined as follows:
-
To automatically apply security measures:
Computers with agents installed are subject to security control.
-
To judge and diagnose the security status:
Computers running Windows are subject to security control. Functions are restricted on agentless computers.
Target devices for asset management
For asset management, you can manage the status of devices owned by the organization (hardware assets), no matter whether they are connected to the network. Analyze the devices which you want to manage as assets in the organization. No licenses are used for managing hardware assets.
Asset management is applicable to all devices owned by the organization. Because you can register any asset information, you can manage peripheral devices and devices without IP addresses.
Of the devices owned by the organization, register the devices you want to manage as hardware assets with asset numbers assigned. By registering the devices as hardware assets, you can manage the asset status (indicating whether the asset is in use or in stock), user name, contact phone number, and related contract information, in addition to asset numbers.
Hardware asset information is automatically registered for devices that are added asJP1/IT Desktop Management 2 management targets. To manage devices as assets rather than adding them as management targets, you must register hardware asset information manually.
- Organization of this subsection
(1) Managing device information for online managed computers
To correctly manage device information in the organization where devices increase or decrease on a daily basis, you need to periodically perform a search and register all devices to be managed. The managed device information must be kept up to date.
To manage device information, you need to decide on a search range, search schedule, and whether to install agents on computers discovered by a search. You also need to set up an operation schedule to collect and update device information for computers.
Analyzing device search requirements
Consider the following items related to device search.
-
Search range
Decide the ranges for device searches. Because the IP addresses to be searched for are specified during setup, determine the ranges of IP addresses of the devices to be searched for.
You can specify multiple search ranges. We recommend that you specify only ranges of IP addresses used in the organization. Because connection is attempted to all IP addresses in the specified range, if you specify a search range that contains unused IP addresses, a long time will be required until the search completes.
-
Search schedule
Decide when to perform device searches. If you plan to perform device searches on a regular basis, decide the search start time and the date. You can set a schedule by specifying a day of the week and time to perform a search, for example, at 8:00 on the first Monday of every month.
Turned-off devices cannot be discovered by a search. Therefore, for the first week after installation of JP1/IT Desktop Management 2, set up the system to repeatedly perform searches so that all devices will be discovered. When all necessary devices have been registered, set up a search schedule based on a consideration of how frequently devices are installed in the organization.
-
Setting and allocation of authentication information
To collect information such as the device type and OS during a search, you need to register authentication information used for searches. A search uses two types of authentication information: SNMP and Windows administrative share.
- SNMP authentication information
-
Register a community name for using SNMP to connect a device.
If a community name has not been set in the network, public is set as the community name. Because authentication information with public assigned is registered by default, you do not need to register SNMP authentication information if no community name has been set.
- Authentication information for Windows administrative share
-
Register an ID and password used to access Windows administrative share.
You can specify the registered authentication information to be used for each search range. If the computer authentication information varies for different search ranges, you need to register the necessary authentication information and set it for each search range.
If no authentication information is registered, you cannot collect device information during a search, but can only confirm the existence of devices.
-
Operation on discovered devices
Decide which action should be performed when a new device is discovered by a device search. The following actions can be performed.
-
Automatically add the discovered devices as management targets
Computers that are recognized by a search as Windows OS devices are automatically added as management targets.
-
Automatically install agents on discovered devices
When an agent is installed on a computer, that computer is automatically added as a management target and becomes subject to security control.
To install an agent on a computer, authentication information for Windows administrative share must be registered and allocated.
-
Deciding collection and update intervals for device information
Decide how to collect and update device information during operation. How device information should be updated varies depending on whether an agent is installed on a managed computer.
-
For a computer with an agent installed
The agent collects computer information, and then reports it to the management server on a regular basis. This allows the computer information retained by the management server to be refreshed automatically.
In addition to automatic collection, you can collect computer information at any time.
-
For an agentless computer
An agentless computer cannot report information to the management server automatically. Therefore, the device information on an agentless computer is configured to be collected and updated on a regular basis. By default, the device information is collected once every hour.
If there are many agentless computers and collecting information places load on the network, specify a collection interval that is appropriate for your environment.
More detailed information can be collected and managed for a computer with an agent installed than for an agentless computer. Consider installing agents. Also, consider how to update device information.
(2) Applying security measures to online managed computers
Decide how to set security policies considering the organization's security rules. Also determine the judgment schedule based on the security policies, and set the calculation targets and storage period for reports created as a result of security diagnosis.
Applying security policies
By default, the default policy is applied to the managed computers. If there is only one set of rules in the organization, you can change the security policy settings for all computers by editing the default policy. If some computers require special security policies, mainly use the default policy and create special security policies.
In addition, decide security policy details (security configuration items and action items).
- Deciding security judgment items and automatic application of security measures
-
Decide which judgement items should be set for a security policy based on the organization's rules, and determine which security measures should be automatically applied to violations.
- Deciding actions to be taken against security policy violations
-
Decide the action to be taken if a security policy violation is found. You can select from the following actions.
-
Notify the user of a security policy violation.
-
Deny network connection of the computer that has a security problem.
-
Setting up the security judgment schedule
The security status is determined at a regular interval based on the specified security policy. Use the Settings module to specify the time of security status judgment appropriate for operations.
Considerations related to calculation of security diagnostic reports
The results of a security status judgment can be calculated in a security diagnostic report. Decide the calculation period and storage period for security diagnostic reports.
-
Calculation period
You can check the security status using periodic security diagnostic reports in addition to checking the current status. You can specify the period as weekly, monthly, quarterly, half yearly, or yearly. Use the Settings module to specify the calculation start date appropriate for the operation in the organization.
-
Storage period
You need to decide how long the calculated security diagnostic reports will be stored. You can specify the storage period in a range from 1 to 10 years.
(3) Managing asset information
You can manage a variety of assets owned by the organization. Consider the management target for each type of asset information.
- Hardware assets
-
Information about the devices, such as computers, servers, printers, network devices, and USB devices, can be managed as hardware asset information. In addition to detailed asset information, you can manage the status indicating that the asset is in use, in stock, or disposed of. Thus, you can see the status of the hardware assets in the organization.
Determine which hardware assets owned by the organization you want to manage by using JP1/IT Desktop Management 2. Then, provide information on the assets.
- Tip
-
If you have an asset register at hand, you can register the asset information by importing the asset register.
In JP1/IT Desktop Management 2, assets are managed by using BIOS serial numbers to associate assets with device information. If multiple devices have the same BIOS serial number, device information cannot be correctly associated. For details on methods other than using BIOS serial numbers to associate device information, see the procedure for changing the device information association in the JP1/IT Desktop Management 2 Administration Guide.
- Software licenses
-
You can manage information about the software licenses owned by the organization. Computers permitted to use them can also be managed.
To manage the software licenses, register information about software license certificates. Provide the certificates for the software licenses owned by the organization.
The software type can be used as a judgment condition when you consider whether to manage software licenses. For example, you can choose to manage only the licenses for the software whose software type is commercial software.
- Managed software
-
You can register a software product corresponding to a software license to manage the license used for each software product. In addition to managing the total number of licenses, you can allocate a license to each computer to find computers that use licenses without permission.
You must confirm in advance which software products currently in use correspond to which software licenses.
- Contracts
-
You can register contract information about hardware assets and software licenses, such as support contracts, rental contracts, and lease contracts, and then manage the contract information associated with asset information. Because you can view information about the contracts that are about to expire, you can create a work schedule.
To manage contract information, register information about contract documents. Provide contract documents related to the hardware assets and software licenses owned in the organization.
Handling management items
You can create original management items as additional management items. You can also add options to the existing management items. If you want to individually manage information in the organization, you must first determine which management items should be created.
- Tip
-
Before you attempt to import and register asset information, confirm the management items contained in the data to be imported. To manage items that do not exist in JP1/IT Desktop Management 2, you need to create management items before importing asset information.