Ivanti Cloud and Solving User Experience Problems

March 21, 2019

Jon Rolls | Vice President of User Workspace Management Products | Ivanti

Learn how Ivanti Cloud can be used to discover and pinpoint user experience problems that are solved by Ivanti’s product portfolio, especially the User Workspace Management products. Ivanti Cloud can identify problems including slow logons, unwanted applications, high CPU load and over-privileged users, all of which have a negative impact on user experience, resource consumption and security. We’ll show you how to easily find those and fix them.

Transcript:

Jon: Okay. Hi, everybody. That's the top of the hour. I'm sure a few are still joining. So I will start slowly. Welcome to this Ivanti webinar. We're going to talk today about Ivanti Cloud and how you can solve user experience problems with some of the other products from Ivanti. You'll notice we're using the Interchange PowerPoint template here. There's a reason for that. We had a conference last week in Madrid, in Spain and Ivanti runs two conferences every year called Interchange. One in Europe and one in the U.S. And the next one is coming up in Nashville, from April 29 to May 2nd. And it's a chance to meet a lot of Ivanti staff. We will have over 100 people there, lots of product managers, engineers, obviously technicians, sales engineers, consultants.

A chance to really get into deep dive training certification, get one-on-one sessions with all the product experts, product managers, and so on. There'll be keynote speakers and parties, and it's generally a great event. So I recommend attending that. And as another benefit, which we'll come back to at the end, if you were to attend that. So here's today's presenters. I'm Jon Rolls and also joining me is Andy Swindells. Say hi, Andy.

Andy: Hi, Andy, and hello to everybody. Welcome to the webinar.

Jon: We work in the product management team for user workspace management and have been with Ivanti for many years now and looking forward to giving you a preview of what's coming next. So I'm going to do quite a lot of talking for a brief intro here. And then Andy and I are going to walk you through how you would actually tackle some problems in user experience management and user workspace management, starting with Ivanti Cloud. So I should probably give you a bit of background on what these things are. So first of all, we're going to talk about two major product sets. Ivanti Cloud is what we announced at Interchange Madrid last week. You can find out more information on our website at that link.

In particular, it includes a project called Real-Time Intelligence as kind of a feature set. And I'll show you it in a second. It was formerly known as Pulse. If you were involved in the Pulse Beta program, or any of the early access testing, then that's now baked into Ivanti Cloud as Ivanti Real-Time Intelligence. It also includes the agent from an acquisition. When we acquired AppSense software, we include...that came with a product called Insight. And we've actually taken the agent from Insight and that's also included in Ivanti Real-Time Intelligence. And you'll see some of the information that provides when we get into demo in a second.

The other products that we're focusing on is User Workspace Manager, which is actually a bundle of a few products. And I'll explain that in a second. It also now includes entitlement to some of Ivanti Cloud. So you'll see all this working together. Okay. The user workspace manager is a bundle of the following five things, Environment Manager, File Director, Performance Manager, and Application Control. And as I said, parts of Ivanti Cloud because previously, it included the Insight product that has now been absorbed into Ivanti Cloud. And so we are going to include a subset of that as part of User Workspace Manager. So today, we're going to show you four of the five things in here all working together to solve user experience challenges. With that, I'm going to jump in and switch over to the Ivanti Cloud demo. Right. So let's clear up, because I was playing with a few things. So this is, what you're seeing here is the current look and feel of what you'll get if...

Andy: Jon?

Jon: Oh, I'm not sharing.

Andy: Yeah, you're not sharing just yet.

Jon: Thank you. All right.

Andy: Yeah, you're good.

Jon: Thank you. Oh, good grief. Right. So this is what you currently get if you signed up for the early access version of Ivanti Cloud. So everyone who attended Interchange Madrid last week, who signed up for it, this is roughly what they're getting. There's a few things in here. Obviously, an intro page, there's various dashboards we've built. So here's an example of patch intelligence. This looks at our patch database, which is shared across multiple of our patch solutions, including endpoint manager, Patch for SCCM, a patch manager. These are, you know, the latest updates to the patch database.

And you can come in here, you can look at where they're linked to CVEs in the public exploit database. And you can see which products it covers and dates released, and lots of useful information about what's been going on in the last 14 days. Also what happened in the last Patch Tuesday. You've got things like smart advisors in here. And these, again, take intelligence fed from various information sources and give you some recommendations. So here, for example, is a set of Windows devices, and recommendation on whether you should reimage or replace them as you upgrade to Windows 10. And there's various information sources you can use, device warranty, disk space available, memory, those kind of things.

You get a sense that Ivanti Cloud is about collecting information from devices and pulling it into the cloud, and then providing some analysis and some intelligence and ultimately some actions. Now, the thing I'm going to focus on a lot today is this feature here called Real-Time Intelligence. And this was originally the Pulse product. This includes some of the technology from Insight. And to show this is working, I'm actually going to click first on Agent Overview and it's going to show you all of the agents registered with this tenant, of which there are one located here in California. And it's actually me, and that's this Windows desktop here.

And to try to show you what we mean by Real-Time Intelligence, let me give you a simple example of...oh, by the way, it uses this thing called native language processing. It's like a...you actually have a conversation with it, although there are some preset queries but the idea is you type in questions like show me where Notepad's running and right now Notepad's not running anywhere. And to show you how real time this is, if I start up Notepad like that and come back to this and refresh it, you'll see that what's happened there is our Ivanti Cloud Service has reached out in real time to the agent on my Windows 10 endpoint, reported back...

Done a query and said, "Hey, where have you got Notepad running?" And as reported back to the server, and there's the result. We're using IoT, Internet of Things technology for doing this. It's one of these HiveMQ kind of things, if you know what those are. So that there's essentially a web socket open between the endpoint and our service in the cloud so we can do real time questions at any time. So now show me where Edge is running, and if you noticed I just started up Edge and switch to that. And you can see Edge actually fires up a few processes when it begins, but...807 or something. You can see it literally just started. And those are all the processes there and how they're running as.

This will be relevant later. Is it running elevated? We're going to come back to that. Remember that thought. It's actually running as a user, not in admin context. That gives you a sense of this is real time connection to endpoints. And you can find out all kinds of fun things. So this is all very good. And here's an example. So this is a different tenant where we have a lot more endpoints, and we're going to come and look in here quite a lot as well. In here we have 498 endpoints scattered all over the world. And you can see that they're responding in real time. They've all checked in now. There are actually 2,000 registered, but only 498 are currently online for us to do real time operations with.

So that gives you a flavor of what Ivanti Real-Time's all about. So let's get on with the bulk of today's presentation. And just to recap, our guiding principle in Ivanti is this three-step process, discover, provide insight, take action. Discover is about finding devices, users, software packages. We've already done that step. We've already pushed our cloud agent on to those endpoints. Now we're looking very much at the provide insight piece and how we're going to use the User Workspace Management Suite to take action. So let's dive into some actual real life examples of how you can put those two together and solve some common IT challenges. And this is where my esteemed colleague is going to take the role of various people in the organization who have challenges of requirements for me, the bumbling IT person. So, Andy, over to you.

Andy: Okay, IT person. So my budgets are getting tighter and tighter. I've been told by my vendors, I need to run this expensive tech or kit in order to run these very basic applications, so where are all these resources going? My users are telling me that things are slow and performance is poor. Yeah, I'm paying for a high amount of dollars for what was meant to be high performance kits. So, there's lots going on. How can I get to the bottom of this?

Jon: I'm very proud of our data center, all the flashing lights and the racks of really cool hardware. Are you telling me the fact it cost millions and millions of dollars is kind of a problem now?

Andy: Indeed because I need to justify I'm paying all this money but my users' experience is so poor.

Jon: Oh, but it just looks so cool. All right, fine. All right. Okay, why? You're asking why we need all of that really expensive kit with the whirring fans and the flashing lights. Okay, the problem is a lot of applications we use were not by us. I mean, they've come from vendors 15 years ago, or they were written in-house by us using old development frameworks. Anyway, the problem is we have these applications, and they just take a lot of CPU and a lot of memory. And we'll show a real life example of how common this is. But this is a common. And in particular, we'll stand them up on virtual desktop, virtual server farms. And it needs some really big expensive hardware to do it.

So what we're going to do here is going to use Ivanti Cloud Real-Time Intelligence to go and find some of these applications. And then we're going to show you how you would use Ivanti Performance Manager to get them under control. And I'm gonna make sure, because I mentioned, we'd try and cover some of these features here. And let's have a look. So let's get over to Ivanti Cloud. Right, so let's start with this one. So this is my 498 nodes. I will warn you before I get too far into this that some of them may be simulated. They may not be real endpoints, there's mixture of real and virtual ones. All right, so here's a real time view. We're reaching out to...oh, we're down to 497 now, one's gone offline...

Endpoints in real time and saying, "How you're doing for memory?" Now this is a slightly contrived example because in the case of the data center, we're actually reaching out to Windows servers or hypervisors and saying, "How are you doing for memory? How are you doing for CPU?" Or into those virtual sessions, and say, "Which applications are consuming them?" So what you have is a breakdown of every application...Oh, sorry, of every session, or in this case, physical endpoint, and how much memory is available. And you can see a lot of them are just completely wiped out, especially [inaudible 00:12:33].

Andy: Is that why my end users are complaining? Is that why everyone...

Jon: That's definitely going to be a fact...yeah, it's going to be a factor. Yeah, having 31 MB left, you're just maxed out.

Andy: Okay. So I'm paying a lot of money and obviously I need to sort this out. So what can we do?

Jon: Well, it's actually worse than that. Because if you then look at the CPU usage, again, as they gradually all phone home, we're going to get a sense of which applications are the biggest hogs in terms of resource. Ah, yeah, we got that. I'm suspecting someone in accounts is running some pretty big queries in Excel because they've wiped out one core of their dual core CPUs. Okay, that's [inaudible 00:13:18].

Andy: Okay. Well, I use Excel at home on my home PC, and I don't have this problem and it's just a basic home PC.

Jon: You know, those cost savings we were talking about earlier? You probably don't have quite the same spreadsheets and clear as running that the people at the bean counters do. All right, let's figure out we can do about this because I have somewhere in my armory, I have a tool for fixing this. All right, so this is the management console. Performance manager console that I'm going to use to get some of this stuff under control. And this creates a policy. I'm going to push that policy onto my virtual servers and into my sessions. And what it will do is it will restrict and control very intelligently the CPU load and the memory load inside those sessions. Now...

Andy: Okay, but what happens if I don't understand all of that? Is there anything out of the box I can use?

Jon: Yes, let's start with the...I want to give the nice people at home a flavor of what it can do, and then show in actual fact you don't need to deal with the scary, scary stuff. Because this is insanely powerful in the level of control you can have. So for things like we got various technologies here for managing CPU loads. So I think we'll share factors with where resources and multiple users in the same server, how you break up, who gets a share of this. Whereas if you want an analogy, we're completely replacing the way that Windows allocates CPU cycles as a scheduler whatever it's called inside the kernel.

We basically teach it a better way of allocating CPU resources. And so it prioritizes the system first and then administrators and other users. And you can tweak all this, there's various share factors. Then you can reserve bits of the CPU, particular applications. You can assign affinity to a particular core where you need to. Then there's all this memory stuff. If you really want to get into this, you can then minimize or maximize memory available by process. You can do trimming so that you get rid of unused over-allocated memory. And you can do it every time this rule runs. And then there's things like thread throttling, where if a CPU peaks out at 100%, what we do is we clamp it, give it a few seconds, release that clamp and see if it's still trying to behave badly. It's very powerful. And as you say, most people take one look at this and go, "Is there an easy mode?" Yeah.

Andy: You're scaring me, yeah.

Jon: Yeah, easy mode, we built three or actually four templates out of the box. And you can just say, "Look, you know, I'm on Remote Desktop sessions," or, "Terminal Services," or, "XenApp," or whatever it's called these days. And it will load a preset configuration. And you can push this to those servers to those virtual desktops or physical desktops. And it will do our recommended best practices. If you think you can still get more juice out of that hardware, you can phone us to help or you can engage a partner, or we can get, you know, we can send you a services person, and you can fine tune this. And we generally can get even more out of that hardware. But out of the box, it's got a pretty decent set of readymade configurations that are good to go. Eighty percent of our customers just use the template.

Andy: Excellent.

Jon: Let's get back to the presentation. So we talked a little about some of these things. Here's a real life case study. A security company based in Florida had an in-house application. And it was written many years ago in an old framework, not very well maintained, but absolutely business critical. Could not get rid of it, could not work without it and published through Citrix servers. And they had an army of, you know, a huge array of physical Citrix servers in the datacenter. And they got 38 users on to each physical server with this application. It's pretty beefy kit. I mean, this is high-end hardware but 38 was the maximum they did.

They were physical servers, though, which are hard to manage. They wanted to virtualize the whole farm. And so they put in a hypervisor which cut it down to 26 users per...so for the same hardware, just for the benefits of easy management and virtualization, that reduced the density to 26 per server, at which point they called us. We sent in Performance Manager, didn't spend very long tweaking it, just got the application under control, did memory trimming to the CPU limits. Got them to 48 for the same hardware. So now you've got all the benefits of virtualization, but nearly doubled the number of users. And the cost of Performance Manager was less than half the hardware they saved. So instant, easy ROI.

Andy: And I'll say as well at that point in time user experience is greatly improved. Less service desk tickets and so on. So reducing costs in that way as well.

Jon: Absolutely. Yeah I think we got 48 users on the same piece of hardware. All of them now are getting a fair share of the CPU memory. So, number one problem, I think we can solve that, we will definitely reduce our hardware bill. All right, go and change hats, and now you're going to come back as our security officer.

Andy: Okay, so I notice, everyone does...Everyone hates me. It's fine. It's fine. So what's keeping me awake at night, Jon, is the security on my endpoints. I've got different departments like HR and account telling me that they need admin rights on their local machine to run certain applications. It's not I don't believe them, but I need to have the evidence to question that and to understand why they need those privileges. I need to know where they need those privileges, and what endpoints we're talking about? And then once I know that, is there anything I can do to make sure that they can still use their applications but without having to expose our local admin privileges? What can I do?

Jon: This is a good question. Why is it so bad them having local admin privileges? I mean, it makes my life easier if they don't call me.

Andy: It just opens them up to thinking at that point in time, you know, we're in the hands of the end user. And if they're going off and they got local admin on the internet and they're using the machine at home in a laptop environment, for example, they're just opening us up to attack.

Jon: I thought we had, like, antivirus and we've got all these clever next generation, you know, detection things. All the, you know, agency put on the endpoint. Doesn't that take care of all that?

Andy: It does. But if you're the local admin, you can stop those things from doing their good work.

Jon: Oh, they can just turn them all off?

Andy: They can switch them off and they can do anything they want. They download their own software, they can install it, and so on. So, it keeps me awake.

Jon: I can see that would be a problem, yeah, it will be when we get hacked, yeah. Okay. All right, so let's take a look at this. What can we do? So the problem is that users are often given admin privilege so old apps work. A lot of apps, all applications it's assumed the user's an administrator of the only user on that device. They can do whatever they want. And also, it lets users configure their stuff, as you say, it doesn't mean they have to call the Help Desk. It makes my life easier. It's a huge security hole. So let's go and find some users who are over-privileged. I'm going to start with my device because I know how I set it up, and then we'll look at some others. So back to the Ivanti Real-Time Intelligence report. We're going to reach out to all of the endpoints, as in this one, and look for unexpected admin users.

So here's one here conspicuously named ituser1 in my JAR domain. And apparently, they're a domain admin. I wonder how on earth that happened. And if I was to actually skip over to that desktop. Let's get rid of Katie Couric and Notepad, and have a look inside my local users and groups. I look at my administrative group. You'll see that somehow ituser1 has been added as a local administrator on this device. So the Real-Time Intelligence in Ivanti Cloud was detecting correctly that this user is actually somehow a member of the administrators group. This has typically been done because on their desktop, they were trying to figure out how to make an application work, or how to set the time, or how to change something in the control panel. And it was just they were calling the help desk every time and somebody finally said, "Oh, fine, I'll just make you an administrator. Do it yourself. Don't tell anybody." That's usually how that...

Andy: That's exactly what's happening. That's what's happening. HR are telling me that they've got people that need that to do those types of things that they move around. So they move country and so on, and they change times and so on, and contacting the help desk or service desk is just too much overhead for both parties. That's what's happening.

Jon: Yeah. Well, we can't have that because it's a massive security hole. Okay. So we fixed this one today. How are we going to stop this going forward because, you know, that was obviously a manual, easy fix, but we need to actually put it in place. So let's get rid of Performance Manager, we're not gonna look at that again and pull up a different product called Application Control. And I will walk you through how you do that. So there's various things you can do with Application Control. We're going to come back and show you the kind of the white listing and application, you know, restrictions in a second, but also there's very granular privilege management. And so for example, if I had an application...and I'm going to pick on, I don't know, Internet Explorer. This is a terrible example now I think about it, but let's just go with it for a moment.

Say I had an Internet Explorer and I wanted to always run it as the administrator, I've got this policy called builtin elevate. And I can also apply it to child processes and create that rule. What's going to happen here is every time...oh, this by the way, this configuration gets pushed to either a virtual desktop, virtual session or a physical desktop. And every time the user launches this application, we're going to pause the application start, we're going to check the rules here, if it matches one of the rules, we're going to modify the security token of that application or that process and give it admin privilege. So the user and the application can work as if they were a local admin, but they don't actually need to be. So what we can do is we can go through, get rid of all the local admins off our desktops, virtual sessions, everything, we can get rid of all the local admins. And where we've got application problems, because an application like this one needs to be an admin, or the user thinks they need to be an admin, we'll just elevate them in real time.

Let's take another example. Say we had a user who wanted to set the date and time. And that's a task they need to be an admin to do. We're just gonna elevate them. Whenever they go into the date and time control panel, we're going to make them an admin for the purpose of that operation. But they can't install anything they shouldn't. They can't do anything that would require admin privilege the rest of the time.

Andy: But of course, Jon, that'll only work when I'm on the...when I use it on the corporate network, whereas when they go home, surely this won't carry on working.

Jon: No, sir, this will follow you anywhere you go. This is a locally resident policy and agent. It's completely independent of whether you're connected or not. Once it's out there, it stays forever. By the way, you know there's really, really difficult users who just say, "Leave me alone. I'm going to quit if you don't make me, you know, an admin." We've got a little trick for that as well. We're still going to take away their admin privilege. So they can't turn off the, you know, auditing, they can't turn off the antivirus, they can't turn off the, you know, all the other clever detection agents we've got.

But we are going to let them self-elevate at certain times. So if they want to install an application, we can let them do that. For example, we could put, you know, MSIexec in here, and let them elevate the Windows Installer. And we can also force them to type in something, some text to explain why they're doing that, but they still won't actually be a true administrator. And we don't have a security risk. It's a [inaudible 00:25:26] house. They can still install dangerous stuff, but they can't completely break their devices and cause a security hole.

Andy: Okay. That gives me some flexibility to users that I may recognize need that ability is sometime keeping control. Excellent. Okay.

Jon: I'll say they're off by default for most people. And you can target these settings that any combination of groups, devices, processes, I mean, any combination of even the clever custom thing here where...how to use this. Yeah, you can build conditions based on just directory membership or environment variables or anything. So we can get really, really targeted with that. All right, so back to an actual case study. We had a customer who was a movie studio headquartered in LA, surprise, surprise, who actually got hacked through a Windows desktop. They had users who were over-privileged and an unhappy third party sent them some email that contained various malware executables that got installed because users were over-privileged.

They were acting as admins, were able to install that. And as a result, they got hacked and whole bunch of information got stolen, and it was very embarrassing for them. And we got a phone call within hours. And we sent in Application Control to take away privilege from those users, and ensure they couldn't do any of those operations. All right, so I'm aware that we're talking and time is running. So let's move on to a really gnarly one now. Andy, what's the problem now?

Andy: Okay. So, I'm very sorry, Jon, but I'm managing the IT service desk and all I'm hearing back from my business partners is that they're losing time, when their users are logging in. So they come in in the morning, some of them have got time to go make a cup of coffee and minutes chatting to their colleagues in the kitchen, and so on. This is all lost productive time. Don't even get me started on the people that work remotely that are constantly complaining about really slow logons at home and so on. So what can we do?

Jon: Okay. Well, I think I know what causes this. Here's an example. This came from an actual customer, whose name I don't think is on here. And this was a breakdown of what was going on in their login process. They had a bunch of group policies, and we're gonna look at this in a second. And some of these things just get stuck. This was a folder redirection group policy that got stuck for 16 seconds. And we replaced that with what I'm going to show you in a second and got that down to three seconds, but these are cumulative effects. If you have a lot of group policies that are used for desktop configuration, you know, folder redirection and setting up the environment, they can be very single threaded and very time consuming.

Logon scripts are even worse, where you have a handwritten script or batch file that gets used for, you know, for setting up the environment and putting registry keys in places and copying files and deleting stuff. And it's got conditions in there. They last for years, and they get very slow. So let's look at what Ivanti Cloud Real-Time Intelligence can provide in terms of the breakdown and show you where the problems are. And then we're going to show you Environment Manager and how you can fix that. And there's a whole bunch of stuff we need to make sure we cover. So I'm going to trust Andy to keep me honest on that. So let's go back to Real-Time Intelligence. And click on "Show me logon performance." Oh, don't let me down now. I might switch to this one. All right. So, show me...Did I just fall off the internet? Yeah, you can still hear me, can't you?

Andy: [inaudible 00:29:24].

Jon: All right. Let me give this a refresh. This may be a security token timeout, or it might just be that Chrome hates me.

Andy: Enjoy the live demos, Jon.

Jon: I know. This is why you always do live demos. But this is also why I had two tenants, both of which have crept out. Okay. There we go. Thank you. Let's do a little refresh. All right. Now what this is doing is it's going out to all of my agents and saying, "Hey, send me information about your most recent logon events." I really wanted to do this one because I made it intentionally bad one. Here we go. It's working now. Tell me your most recent logons. And so it gives you a breakdown of every device, every user logon and how many times they've logged on recently, their average, minimum, and max. And you're seeing that we've got 23 logon sessions here.

And the most recent, which I did yesterday when I was in Utah, took 37 seconds, which some people will say is not that bad. But compared to my other ones, it was obviously particularly long. And this is the really cool thing, it gives me a breakdown of exactly what happened during the logon process. And as you can see, I've got a bunch of group policies kicking in various client side extensions here, which all of which are taking four, five...nearly five seconds, two, five. That's meant to explore initialization. I bet you that's some logon script. If I click over to some of these, it's gonna find a terrible example. I do love the wording on that.

And it's going to find a really bad example in 1 minute 16 seconds. And again, the same kind of thing. In this case...Oh, active setup is also, ugh...whatever Explorer's doing during its first setup is taking 54 seconds. As you can see, this is kind of ugly.

Andy: Every Monday morning, we're getting inundated at the service desk with calls from people complaining. Managers complaining that their teams aren't up and running as quickly as possible. So, what can we do?

Jon: Okay. All right. So let's go and look at another product that's in the User Workspace Management Suite. I'm gonna come back to application control. And this is Environment Manager. Now Environment Manager works on a series of triggers. It's a policy engine, is probably the best way of describing it. And it's got various actions that can happen on the device and we can respond to those. So they're the ones we're talking about mostly here are login ones. And as you can see, when the user logs on, we have three triggers that set off at various points during the logon process. We've got one called Pre-Session, which is very early in the logon process. I mean, literally, I've authenticated, typed my username, password. It's what happens next.

And then we've got one called Pre-Desktop. What we're doing here is we're holding up the login so the user doesn't get to an interactive desktop. We're not launching Explorer or any of those things. We're holding it up while we do some preparation in the background. That's where you'd put things like security settings, or anything that has to go in place that absolutely has to be there before the user can interact with desktop. And then we've also got Desktop Created trigger. So the desktop's now visible. The user can start to click on things. But we're going to run things in the background that, you know, connect printers and do all those things that don't need to be there. They're not a security risk, but they will be convenient. They'll be helpful to the user. So let me give you a few examples.

So what you do is under every trigger you add a node, and you can have as many of these as you like. You can create sub nodes. You can create workflows here. Just for simplicity, we're going to start with one node. And this early, early, early trigger...there's very little you can actually do on purpose because you can see, these are all the actions you can take later on. But right now we're very early in the session, not much is available. But you can do important things like setting the registry. And to save you the time and effort of finding a registry key, what we've got is the ability to import Group Policy templates. So I'm looking for a very particular one here that I know has to be set very early. I want to set the idle time for my remote desktop sessions.

I have to set it that early. And you see it's done all the hard work for me. It's converted it to milliseconds I guess that is and it's found the registry key from the Group Policy template. And when I set that there, every time a user logs on, we're going to set that time out. Pretty straightforward stuff. Let's go and do some more settings. Let's get some more of the environment ready for them. And I'm going to show you how conditions work now. So let's, for example, let's go and set based on the computer IP address. Now if I had a few more minutes here, I would go and find the IP range of everyone who works in a particular wing of our building. If I happen to know they're between there and there and there and 254.255. I happen to know they're in that range.

Andy: Okay, yeah. On that one, Jon, whenever I travel, so, I traveled Tuesday to our Darby office, the Ivanti Darby office. I know we've had trouble getting the printer on the third format, and I know the local IT guy is getting really frustrated with me. So, could this help?

Jon: Yes, so this is where we're going to set you up. So I don't know. I could go find it. Imagine this is the IP range of that office. So whenever you go there now and you log in, or even actually not even just log in, we could also make it so whenever you just connect there, we can make this happen. We're going to attach you to a printer. And we can go and find the printer if it's on the network. And for the sake of this, I'm just going to call it print01. And I'm gonna set that as your default printer and I'm gonna do various things like if you need the driver, I'm gonna tell it where driver share is driver1. And what will happen then is every time you log into that IP range, or even if you...I can use a session reconnect trigger.

So say you move from your current Wi-Fi access point to one on the third floor in that building, then we would run through this, and we would connect your printer for you...it doesn't like that, probably because it's not a real driver. Okay, well, that's how you would do that. You get the principle. And you can do anything in here. You know, you can create custom actions if you want to. I can set you up with printers. I can set environment variables. I can configure our File Director product. I can copy and delay, delete, and change file type associations, all that kind of thing. I can send you messages to remind you to do stuff. I can set your Outlook signature.

Andy: If I don't meet that criteria, then that action is run. So I'm not waiting for it to do [inaudible 00:36:31] that criteria.

Jon: Exactly, yeah. So this is why it's a really powerful conditions and actions engine. So the basic model is, trigger happens, we evaluate some conditions, we take an action. Now the real power of this is it also is multi-threaded unless you tell it not to be. So say I'm going to configure, you got 100 applications there, 27 of them need special registry keys, they need files copying in, they need something modifying in them, they need some privileges setting. All that stuff is going to happen at once. You're not going to go through it sequentially. We're not gonna be stalling your log on while we set those things up. We're going to get you logged on really, really quickly.

Andy: Excellent.

Jon: And again, you can set actions to take place when any process starts, when you change the network, when you disconnect or reconnect from an actual virtual session, or when you lock and unlock your laptop. We can use all of those as triggers to improve and change your environment.

Andy: Okay, the one challenge I have with my account is when they start in a particular application that they need the master drive. So they start their account application, could we...I guess what we could use process started to do that. [inaudible 00:37:41].

Jon: Do you want my job? Is that what you're saying? You want to do my job.

Andy: I'm after your job, Jon. I'm after your job.

Jon: Okay. Fine enough. Okay. So we've typed in the path to your, you know, some way that we can match your application there. You can type in anything, especially things like a regex, almost. And when that happens, as the process starts, we're going to go and map a drive. And it looks for the T-Drive, right? If I remember right.

Andy: That's right.

Jon: Yeah. Okay, and then we set the path to server01/share, and so on. And there's various options you can do around that. And whenever that process starts, we're going to go and connect the drive and then release the application to load into memory, and it will find the T-Drive as you need it.

Andy: Excellent. And I guess process start would allow me to take that away when they stop the process.

Jon: Yeah. And you could, yeah, exactly and you could also clean up all those temporary files. I know it sprays all over the hard disk and do all that kind of stuff there as well.

Andy: Excellent.

Jon: I'm just going to mention one more thing while we're in here. The other thing you can do here is integration with our automation product. So, Ivanti Automation is like a...it sits in our data center, and it can do anything. It connects to different systems, our CRM system, our Active Directory, the file servers and any other application a CCM, whatever we've got, and it can take operations to, you know, on-board a user, off-board a user, set up an environment, set up an application for first use. All of that can be triggered from here, and again, within the power of the context engine. So on an application first launch, or when I change locations, all of that can now be triggered. So it's bringing together our investment in Ivanti products. And automation is free for connecting to Ivanti products. I think we covered a lot there.

Andy: Well, actually, other question, Jon, is...and I think maybe this is the future prime. I have lots of details at the moment, good policies at the moment. And it's going to take a long time to get all those to convert into environment. You don't think that's prime maybe for [inaudible 00:39:52]?

Jon: Yeah, good question. Good and very leading question. Yeah, so as you can see here, you can set group policy settings based on importing from a group policy template. So this makes it much easier to go find particular settings and you can recreate what your group policy is doing in here and it's much more efficient and much easier to manage. And there's all kinds of clever search and replace things to go and find them. So it's a much better way of doing group policy. But as you said, the problem is, if I've already got...I mean, one of our customers has over 1,000 group policies that we're using for configuring the desktop, getting them in here took a long time, rebuilding them line by line. So what we're going to do next is actually have a bulk import that actually reaches out to Active Directory, pulls them in in bulk and it automatically creates all these actions for you so you can then bring them under control, make them multi-threaded, add conditions to them and just generally make it much more manageable and much faster.

Andy: Excellent. Very cool.

Jon: And here's a case study from the Ivanti website with the Autotrader, we took them down from 8-minute logins to 35 seconds. They had again, nearly 1,000 group policies and the logon script was 2,500 lines. And you can read more about that at that link. All right, we'll do one more example. You get to beat me up one more time.

Andy: One more time. Here we go. I've got a beard now. Okay, so I'm the License Compliance Officer now, Jon. And I'm really concerned that from my perspective, it's my job. I need to make sure, I keep compliant to stay on top of it. How do we go about doing this? So how do I stop people from installing software they've acquired by whatever means? You know, it's so easy now to go on the web with a credit card and, you know, download Adobe products or actually anybody's products with a credit card and install them. As we spoke earlier about local admins and so on, you know about from the organization. So what can I do? How can we stop this from happening? What can we do to make sure we're staying compliant and so on?

Jon: It's a good question. I can get you a long way with what we've really looked at actually. So the problem here is you say, users have installed apps without authorization. They can buy them through Shadow IT, which means a credit card. And also a lot of applications increasingly installed into the profile. So whereas most of the time you could take away admin privilege and that would be enough. Users can now install apps directly into their profile with just regular user privileges. So that's why we're getting into this mess, but we're not quite sure.

So what we're going to do is, again, pull up Real-Time Intelligence to go and take a look at the applications we're using. It's kind of a basic version, though. If you know the process, then you can go and find who is using it and what's going on. For the more advanced version, we actually got another product called Ivanti License Optimizer. We're not going to go into that today. But that actually has the real intelligence. It understands package names and it will take a survey across your entire estate. It will import from your purchasing database and reconcile that so you can really see exactly what's been in use, and where you stand from a license compliance point of view. But I'm going to show you how far you can get here just by using Real-Time Intelligence and then using the Application Control product again from earlier to limit usage and prevent users installing apps.

So let's take a look at how far we can get. So you saw earlier, we can look at processes. So for example, when Notepad's running, this could just as easily be Excel or something like that. And, well, that's not a good example is it? No one is using that. But this gives you a basic view of who is using applications. The other thing it does give you though is also a view of who's installed applications, app installs. Here we go. So this is where users have installed apps...or applications have been installed recently. And you want to have a good look through this list and see if there's anything in there that's not expected. Now I would, again, this is why I mentioned some of these may not be 100% real actual end user. There's a mixture of Katy Perry and...

Andy: Donald Trump? [inaudible 00:44:32]

Jon: Not the Donald Trump. Oh, I see. My misunderstanding. We have a lot of celebrity names and companies, don't we? But it gives you a view of who's installed applications and you get a view of the processes in use. It's not a full asset management solution. We have one of those. As I mentioned, it's called License Optimizer, and we can give you a much more detailed view. But it does show you who's installing applications and what they're installing and it can give you some clues as to how...a problem you may need to solve. And so we go back to our Application Control product. Earlier, we only looked at the privilege management piece, but you've got a number of other things you can do here. First of all, you can set which applications users are allowed to run.

So this is like a whitelist, blacklist thing, first of all. And I will quick...at the risk of distracting everybody, I will just quickly point out we have this concept called trusted ownership, which is the easiest way of making a whitelist. So typically, people don't like whitelisting products, because of the requirement to maintain a massive list of applications that users are allowed to run and explicitly list every one of them. And even worse, they might need to create signatures or digital hashes of all those applications. You can do that in here and I'll show you how in a second. We've got this concept, though, of a trusted owner, where we look to see who put the application on the endpoint.

If it was put there by the system or it was put there by a trusted installer. So by an endpoint manager or on a CCM or any of those things. Then we will trust it and we'll run it. If it was installed by the user, then by default, we're going to say no, unless you come in here and explicitly add it. So first of all, we can block anything from running and we can be very selective on what we allow to run based on, again, on a whole granular set of rules. But we can go further than that in that we could also...we could limit the use of the Windows Installer. So for example, you could say, I only want MSIexec to be run by certain users or in certain situations. You can also take away user privilege so that users are not allowed to install applications or only allowed in certain conditions.

So using this, you can actually block things. The other rule I want to show you is this Device Rule. And this is kind of interesting because, again, here for example, I've got Internet Explorer. And say I only wanted it to be allowed to be used on certain devices, I could actually do that here. I can pick either an explicit list of devices. I can do it by IP range, or I can go into the OU, or I could look at security groups and Active Directory. This is not looking at the IP address of necessarily where the application is running, it's looking at where it's being accessed from. So in a virtual environment, I'm looking at the IP address of the thin client, the thing at the...in front of the user. So the application might be executing on a virtual server, it might be running in a virtual desktop but we're looking at where it's being accessed from. And that's important in a device-licensed scenario where the application is attached to the end user device, not to the host environment.

Anyway, that was a...I know I went quick. I'm aware we're running out of time. I want to leave time for questions. But as you see, we've got enormous control over what can be installed, how it can be installed, where it can be used, where it can be run, and you can begin to tackle some of the unwanted applications in your environment.

Andy: So yes, so if I was just the Service Desk Analyst, I can use real time to get a very quick overview of what's going on, what applications people are running and so on. If I want to go back to my license compliance persona, I've got this level of granularity to really [inaudible 00:48:20] to tie things down and understand what's going on.

Jon: Exactly, yeah. And you could even build. We've got customers who have built like a two-level workflow where everything is denied by default and you get a message saying, "Hey, please contact the Help Desk." The Help Desk review the thing that you want to use. They create an exception and then you get a refreshed policy, and you're now able to use that application, that sort of...You can actually build those kind of checks and balances in as well if you...in a highly regulated environment.

Andy: Excellent.

Jon: All right, so that's a quick look through it. I think I already talked about that how you can use...Also do licensing by device looking at the actual endpoint even in a virtual environment. All right, so I'm going to quickly talk about entitlement and how you get hold of this stuff and then I see there's a few questions piling up that we should cover at the end. Cool stuff and getting better all the time. We are innovating fast on particularly the cloud products, where the new features will arrive there on a regular basis. Okay, so evaluating and purchasing this stuff.

So first of all, as I mentioned, all Interchange attendees are eligible for the use of Ivanti Cloud for the rest of 2019. If you go to the Interchange show in Nashville, you can sign up while you're there and we will put you at the front of the queue for standing up a tenant. We got a lot of signups in Madrid. We're about halfway through standing them all up and we'll get the rest done in the near future and those customers are already able to look at it and roll it out in their environment and use it in production.

It will also be available for standalone purchase. Right now, we're just signing up for trials and they're behind the Interchange attendees but you can sign up there and go into the list and as soon as we work our way down, you'll be able to sign up for a trial there. We're also going to do some entitlements from existing products. So if you are a customer of Insight or User Workspace Manager, the full bundle, then you will be entitled to some of the functionality of Ivanti Cloud. We're pinning down exactly what this is and how that's going to work.

But basically, what you've seen today, you'll be entitled to use that and some other bits and pieces. You won't get the full product. There are some pieces that I hadn't shown today that won't be available but that's being worked out. So say, we're working through the people who came to Interchange first and working on entitlements, but that will all follow. Same for Endpoint Manager. There will be entitlement to a level of functionality from Ivanti Cloud yet. The exact details to follow but there will be some eligibility there as well. The goal is to get all of our customers who invest in our on-prem solutions to get value out of Ivanti Cloud, regularly using the features in there, able to leverage the power that's there and, yeah, do this sort of hybrid mode of being able to use on-prem and cloud solutions working together to get more value.

So one more plug for Interchange. That's where you go if you want to sign up for that and get free access to Ivanti Cloud at the front of the queue for 2019. And then just a couple more links. Obviously, all product information, you start with Ivanti cloud...sorry, ivanti.com. A plug for the User Workspace Management Community. If you go to this site here, we have a community. We're very, very interactive with this community as a product management team. You can vote on product ideas. This really does drive the feature priority and the backlog. To go in there, you'll get notified when we have things ready for design, review, for testing, early access when they're in beta.

All of that will be done through the product ideas icon and the user voice site behind it. We also share UX designs where we're looking at designing a new feature. You can go in here, interact with these designs, give us your feedback and be part of shaping how a feature looks even before it gets released. We also will time to time we'll release things like a survey, understand more about how you're planning to use cloud in your environment. And of course, you can always talk to your account rep, your reseller, your partner, integrator, whoever you buy and source Ivanti products through can get more information to you. All right, so we're gonna pause there. And there's a bunch of questions piling up a lot of activity flashing in the corner of my screen. So...

Andy: Do you have one which maybe we may take away and maybe come back with, it's from Jason, which was around the bandwidth usage, what you use in Real-Time Intelligence. How much bandwidth is it using when it's doing its real time queries?

Jon: It's tiny. It's based on IoT protocols and which means it's the same kind of stuff that we're using for your smart devices, whether it's light switches or the supercharger on a piece of industrial equipment. I mean, it's designed for lightweight, secure communications across the internet to millions or even billions of devices. So yeah, it is very light. We'd have to get you some actual real world numbers. But, I mean, it's been nothing that we've noticed yet. It's not designed for bulk transfer of information, I will say that.

If you want to do an upload of an asset database or deployment of an application, we're not doing that through the Real-Time Intelligence stuff. It's not designed for large data transfers. It's designed for small packets of information. So that's why the bandwidth usage is tiny is because we're literally calling a sensor saying, "Tell me what processes are running." We're getting back a few kilobytes of information. We're not going to be pulling back, "Give me a dump of your last crash file." We're not going to be saying, "Here's an executable for you to install." That will go through a completely different path. Cool.

Good question there. Is there a way to report on applications that failed to run due to not having admin rights? The Insight agent does discover application errors. We may not be surfacing those in the Ivanti Cloud interface yet. So if they're not there and you need to check the latest version, you can put a request in for that but the agent does know about them and can send that back. So it wouldn't be very hard to add it. As you say, you can run application control in discovery mode as well or whatever it's called, audit mode. There's a mode for discovering that also would give you a clue on what application control, what rules you need to make.

Andy: A template stored locally. So I think maybe that is the application control templates maybe or the end template?

Jon: I think by template, you mean configuration.

Andy: Configuration, yeah, that's right, yeah.

Jon: Yes, they are. Absolutely. They're downloaded to the endpoint and they're stored there. If you go offline, you are not connected then it doesn't make any difference. The config file is still there. And it's secured in the file system behind an echo so only the system can change it. So the users can't go offline and edit the config file. Okay. Good questions, keep going.

Andy: And then Jason asked a question about whether or not Real-Time Intelligence can work out how the [inaudible 00:55:56] was used to actually deploy the application so that you won't see who's installed something. Can it tell if VPN's being used, for example and so on? I think there's a few ways we could do that using some creativity as well. There's a little chat in the main chat page as well around that.

Jon: Yeah, okay. Yeah. I'm sure it can...again, I just don't think...within the product itself I should've shown you there's a kind of a place you can enter your questions and product ideas. We'll respond to those very quickly because it's a cloud platform. We can add those and we know who the installer was, so... Yeah, I'm sure that can be done. It just might not be in there today. Oh, "Does it have separate service for servers and workstations, does it write..." Okay. So now the Windows agent is the Windows agent, it works on both servers and workstations. Yes. "Does it support Mac OS?" Yes. We have Mac and soon Linux clients for Ivanti Cloud coming as well. Yeah, if you get the trial now, you can connect to Mac devices already. We are still building up the number of sensors and information you can get. But yeah, there is a Mac client for Ivanti Cloud already and it's improving by the day.

Andy: Okay, so Jason asked me about if there won't be more context, sort of the reason behind the question about VPN and so on, was that he could understand who's installing things outside of DPM, SCCM, [inaudible 00:57:22] etc. So that's the use case. But as you say, you can post a question can't you, to Real-Time Intelligence and if it's not known, then we can actually add that reasonably quickly as you say, or actually very quickly.

Jon: Yeah, we definitely know how an application got there because we can look at the owner of the files and whether it's a trusted owner.

Andy: Yeah.

Jon: It'll also spot every...yeah, I know we can do it. It just may not be in the cloud platform yet but it's a great question. Good use case.

Andy: I think that's our Q&A at the moment.

Jon: Cool. Well, that's almost exactly out of time anyway. Great. Okay. Well, I guess let's stop there. And thanks very much for attending everybody. I hope that was informative and useful. And please do follow up with questions and hope to see at least some of you at the Interchange events.

Andy: Excellent. [inaudible 00:58:15] Jon, thanks so much. Thanks, everybody. Okay, bye.

Jon: Thanks. Bye.

Andy: Bye-bye.