1.2 The Management Paradigm

All design features of the ZENworks Configuration Management architecture flow from the basic Novell philosophy of the Open Enterprise: a simple, secure, productive, and integrated IT environment across mixed systems. ZENworks Configuration Management empowers IT staff to manage systems to support real users, with all their various security, location, device, and other needs, while keeping simple, centralized control over the entire end-user environment. It also supports the idea that IT staff should be empowered to manage systems according to the paradigm that best reflects the organization’s business policies and the IT staff’s preferred working style.

ZENworks Configuration Management provides the flexibility to manage systems tactically (on a device-by-device basis) or strategically, using any combination of the following four distinct management paradigms:

1.2.1 Management by Exception

Two of the most important considerations when evaluating any configuration management solution are how well the administration design scales and what burden it places on the IT staff as they update the solution to accommodate changing business policies. Novell is a pioneer of “management by exception,” and ZENworks Configuration Management continues to offer this powerful method of continuously adapting, with minimal IT effort.

Management by exception is a complement to policy-driven management. It allows the general rules of configuration management to be set at a high level across user or device groups, while permitting exceptions at a more granular level to accommodate more specialized needs.

For example, normal business policies might allow employees to remotely access the corporate network. However, applying this policy across the board to all desktops, including devices in the finance and legal departments, could expose the company to regulatory penalties and corporate spies. Exception-based management allows IT staff to create and automatically enforce general access policies, as well as more restrictive policies that are enforced on top of the general policies to protect devices and users that require a higher degree of security. In this case, the exception policy restricts access to normal business hours, on-site, and by authorized users. Exception-based management allows complete management flexibility in accordance with business policies, without requiring IT staff to manage separate policy silos for each type of user and machine.

1.2.2 User-Based Management

User-based management, which leverages user identities, group roles, and business policies, is the gold standard for automation, security, and IT control. User-based management has always been a Novell specialty. Although the underlying architecture has been dramatically enhanced in ZENworks Configuration Management, the full power of user-based management has been retained.

True user-based configuration management separates users from the specific devices they use, and treats the users as the company’s most valuable asset to be managed. Devices serve their proper role as tools. Allowing users, rather than devices, to be managed as a first-class configured entity means that policies, applications, and other configuration details can follow users from device to device. User-based management also ties IT policies directly to business policies, which increases responsiveness to changing business conditions. User-based management also leverages identity stores and business systems across the enterprise to eliminate errors, increase security, standardize workflows, document regulatory compliance, and support effective decision making.

User-based management can be defined as strategic, while device-based management is tactical. In ZENworks Configuration Management, both can be mixed and matched according to business and IT requirements by using management by exception. For example, a general policy can be applied to a specific device and then overridden, depending on the identity information for the user who is currently logged on. Or, a general policy based on user identities and roles can be overridden, depending on the device being used and its context, such as a mobile device attempting to access the network from beyond the firewall.

1.2.3 Device-Based Management

Many organizations base their configuration management practices on the devices being managed. In fact, this is the default method used by most of the configuration management products on the market today. Without user-based and exception-based policy management, products that target specific device configurations treat actual business policies and user needs as an afterthought, essentially equating a specific user with a specific device. Applications, policies, and other configuration information are associated with a managed device or set of managed devices. This approach tends to force users into rigid roles instead of supporting users as dynamic participants in evolving business processes. For that reason, Novell has not focused on device-based management in the past.

However, the new ZENworks Configuration Management architecture adds device-based management as a tool that can be used, in addition to the other management styles, to fill specialized needs. For example, manufacturing-floor devices, public kiosks, and call centers where multiple users work different shifts and share a single device are all instances where device-based management might be more appropriate than user-based management. Additionally, companies that normally rely on user-based management might need the ability to quickly set up a device for one-time use. For example, a customer might need to configure a device to auto-run a presentation in a conference center without having to bother about creating a new “user” for this one instance. With the new ZENworks Configuration Management architecture, customers now have the option of using device-based management whenever it suits their specific needs.

Because device-based management is the most familiar method to most IT professionals, and because it is the fastest way to configure a device in the short term, before setting up long-term user-based policies, device-based management is the default management model after installing ZENworks Configuration Management.

1.2.4 Location-Based Management

ZENworks 11 introduces the concept of locations to Endpoint Management to further enhance the flexibility and power of managing endpoints. Locations can use the concept of Closest Server Rules (first introduced in ZENworks 10 Configuration Management) to allow the administrator to define in detail all locations that contain managed devices.

Locations can be defined using very specific criteria such as DNS server, gateway, and subnet. After a location and its network environments have been defined, ZENworks policies and bundles can be applied to allow ZENworks to automatically adjust the configuration and security posture of the device.
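
The finance and legal example from Section 1.2.1, combined with the location criteria above, can be modeled as follows. This is an added illustration, not ZENworks code or its actual evaluation logic; the class and function names, the sample addresses, the business hours, and the rule that all three location criteria must match are assumptions.

```python
# Illustrative model only: not ZENworks code, APIs, or its real evaluation order.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NetworkEnvironment:  # hypothetical: one network environment of a location
    dns_server: str
    gateway: str
    subnet: str


@dataclass(frozen=True)
class Request:  # hypothetical shape of an access attempt
    user: str
    groups: frozenset  # user or device group memberships
    device_ip: str
    dns_server: str
    gateway: str
    at: time


# Constructed sample data (not from the product documentation).
ON_SITE = [NetworkEnvironment("10.1.0.53", "10.1.0.1", "10.1.0.0/16")]
AUTHORIZED = {"alice"}                      # users cleared for restricted groups
RESTRICTED_GROUPS = {"finance", "legal"}    # groups covered by the exception policy
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumption: the page gives no hours


def is_on_site(req):
    """Assumed rule: DNS server, gateway and subnet must all match one environment."""
    return any(
        req.dns_server == env.dns_server
        and req.gateway == env.gateway
        and ip_address(req.device_ip) in ip_network(env.subnet)
        for env in ON_SITE
    )


def evaluate_access(req):
    """General policy allows access; the exception policy is enforced on top of it."""
    reasons = []
    if req.groups & RESTRICTED_GROUPS:  # exception applies only to these groups
        if not is_on_site(req):
            reasons.append("not on-site")
        if not BUSINESS_HOURS[0] <= req.at <= BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if req.user not in AUTHORIZED:
            reasons.append("user not authorized")
    return (not reasons, reasons)
```

Returning the list of failed conditions, rather than only a boolean, gives an audit trail showing which part of the exception policy denied a request.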

Location awareness originates from Novell’s Endpoint Security Management product, which is now integrated into the common ZENworks architecture. The ability to utilize locations is another example of the benefits of an integrated architecture for all Endpoint Management products.