Deployment Questions

Updated 3/14/14, 8:43 AM by KarenKue

When deploying an enterprise application like the IBM Endpoint Manager, there are a number of questions that must be answered before deployment begins. Below is a list of commonly asked questions and other information that will aid in the deployment planning process. If you have any questions about these topics, please contact your sales engineer or support technician. In addition, the Endpoint Manager Installation Guide (IEM 9.1) or Endpoint Manager Administrator's Guide (IEM 9.0) contains more detailed discussion of deployment issues.


How many Clients are necessary for your deployment?

  • Each server, laptop, desktop, or any other computer with the Agent installed is considered a single Client license.
  • Don't forget to include the non-Windows computers, home users, traveling users, and room for growth (additional Client licenses can easily be added after deployment).


How many Servers are necessary for your deployment?

  • One is recommended for most deployments.
  • You can separate the administrative rights of different Console operators so that each operator can view only their own computers; see the Endpoint Manager Installation Guide (IEM 9.1) or Endpoint Manager Administrator's Guide (IEM 9.0).
  • Some organizations deploy multiple Consoles for organizational/political reasons, but there will likely be additional hardware and administration costs.


What are the Server Requirements for your deployment?


How many Console operators are going to use Endpoint Manager?

  • There is no additional license cost for each Console operator.
  • There tends to be an administration cost per Console operator (creating the user account and password, establishing the appropriate management rights for Clients, providing training, etc.).
  • As more simultaneous Console operators connect to the Server, performance degrades and a more powerful Server may be necessary.
  • An additional issue to be addressed is how Console privileges will be separated: by subnet or location, by Active Directory, or by another property.


What are the bandwidth limitations within your network?

  • One of the main strengths of Endpoint Manager is the ability to work in a variety of environments including in networks with very small bandwidth pipes (4 kbps to 128 kbps).
  • It is recommended to have at least one Relay per geographic location for bandwidth reasons; see TEM Relays.
  • It is recommended to throttle the bandwidth usage for Clients that are connecting over dial-up or slow VPN connections; see Bandwidth throttling options (throttle option "B").
  • Consider throttling the bandwidth usage for Relays downloading files over very slow pipes; see Bandwidth throttling options (throttle option "A").
  • Speak with your sales engineer or support technician for more information on lowering the risk of WAN problems within your organization.


Which computers are going to be used as Relay computers?

  • One Relay per 500-1000 Clients is recommended for optimal performance.
  • Relays are designed to run on shared computers, such as file servers, print servers, SMS servers, AV servers, etc.
  • Relays are easy to install and uninstall through the Console.
  • Clients can be set to automatically find their closest Relay based on network hops, thereby significantly reducing administration costs.
  • Most BigFix customers use existing infrastructure for Relays or purchase minimal additional hardware for the Relays.
  • Desktop computers can be used as Relays, but the computer must be on all the time, and a user working on the Relay computer may experience some small performance issues.
  • It is suggested to have a "Top Level Relay" to accept incoming connections from other Relays for deployments of over 10,000 Clients or with more than 50 Relays (although a top level Relay can be used in smaller deployments).
  • More information is available at TEM Relays and in the Endpoint Manager Installation Guide (IEM 9.1) or Endpoint Manager Administrator's Guide (IEM 9.0).


How are the Clients going to be deployed?

  • The recommended method of deploying the Client to computers is to use whichever method is the standard practice for installing applications or patches at the organization.
  • Customers have used several methods of Client deployment successfully, including third-party deployment applications, login scripts, the Client Deployment tool, and others.
  • More information is available in the Endpoint Manager Installation Guide (IEM 9.1) or Endpoint Manager Administrator's Guide (IEM 9.0).


Do you have policies in place for the security concerns with Endpoint Manager?

  • Make sure to retain the site credential files and publisher credential files.
  • Make sure to securely back up the site credential key files and their password.
  • You can revoke access of users no longer authorized to use Endpoint Manager.
  • Understand that the key files and their password control access to all the Clients in the organization.
  • IBM cannot help if you lose your key files or passwords because the private key files are never sent to IBM.
  • More information is available in the Endpoint Manager Installation Guide (IEM 9.1) or Endpoint Manager Administrator's Guide (IEM 9.0).


How does a TEM agent authenticate a TEM server and how does a TEM server authenticate a TEM agent?

  • The TEM agent is always installed with a masthead (the masthead.afxm file), and this file is the basis for how the agent trusts the server. The masthead contains the certificate for the license for the deployment, and the client verifies that content coming from the server can be traced back to that license certificate. Specifically:
    • Each customer deployment has a license.pvk and license.crt (the private key and certificate). This is generated when they first become a customer.
    • The license key is used to sign the masthead.afxm file, which contains the server URL and the license certificate. All agents must be installed with a masthead file so they know which server URL to contact, and how to trust that server URL.
    • The license key is also used to sign all other keys in the deployment. Specifically, it signs the "server signing key", a sub-key of the license key that's used to sign actions and other content.
    • When the client fetches actions, it verifies that they are signed by a key that is itself signed by the license key.
  • Before 9.0, the server and relay never verified the agent's identity. In 9.0, when the agent first initializes, it generates a key pair and sends a certificate signing request to the server. The server signs the agent's certificate and returns it to the agent, which verifies that the certificate is signed by a key that is signed by the license key. Whenever the agent requests content over HTTPS, it uses its certificate as a client SSL certificate, so relays and servers can verify that the agent belongs to the deployment. Whenever the client submits a report to the server, the client signs the report with its key, and the server can verify that the report is signed correctly.
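The two-way trust chain described above, modelled in Go as an added example (not IBM's code): the license key signs the server signing key, the server signing key signs both actions and the agent's certificate, and one chain walk from the masthead's license certificate verifies either an action (client side) or an agent report (server side). The Cert type, ed25519 and all key and message values are assumptions standing in for the real X.509 certificates and deployment data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is a minimal "public key signed by an issuer" record standing in for X.509 (assumption).
type Cert struct {
	Subject ed25519.PublicKey
	Sig     []byte // issuer's signature over Subject
}

// Issue signs subjectPub with issuerPriv (license.pvk over the server signing key, or the server key over an agent CSR).
func Issue(issuerPriv ed25519.PrivateKey, subjectPub ed25519.PublicKey) Cert {
	return Cert{Subject: subjectPub, Sig: ed25519.Sign(issuerPriv, subjectPub)}
}

// VerifyChain walks from the masthead's license certificate down the chain, then checks the leaf key signed content.
func VerifyChain(licensePub ed25519.PublicKey, chain []Cert, content, sig []byte) error {
	issuer := licensePub
	for i, c := range chain {
		if !ed25519.Verify(issuer, c.Subject, c.Sig) {
			return fmt.Errorf("cert %d is not signed by its issuer", i)
		}
		issuer = c.Subject
	}
	if !ed25519.Verify(issuer, content, sig) {
		return fmt.Errorf("content is not signed by the chain's leaf key")
	}
	return nil
}

// Demo builds the hierarchy with constructed keys and data and exercises both directions of trust.
func Demo() (actionOK, reportOK, rogueRejected bool) {
	licensePub, licensePriv, _ := ed25519.GenerateKey(rand.Reader) // license.pvk / license.crt (constructed)
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)   // server signing key, a sub-key of the license
	agentPub, agentPriv, _ := ed25519.GenerateKey(rand.Reader)     // generated by the 9.0 agent on first start
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)     // a key with no link to the deployment
	serverCert, agentCert := Issue(licensePriv, serverPub), Issue(serverPriv, agentPub)
	action, report := []byte("constructed action"), []byte("constructed report")
	actionOK = VerifyChain(licensePub, []Cert{serverCert}, action, ed25519.Sign(serverPriv, action)) == nil
	reportOK = VerifyChain(licensePub, []Cert{serverCert, agentCert}, report, ed25519.Sign(agentPriv, report)) == nil
	rogueCert := Cert{Subject: roguePub, Sig: ed25519.Sign(roguePriv, roguePub)} // self-signed, so the walk fails
	rogueRejected = VerifyChain(licensePub, []Cert{rogueCert}, action, ed25519.Sign(roguePriv, action)) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

Losing licensePriv (the point made under the security-policy question above) means no new server signing key or agent certificate can ever be issued under this chain, which is why the key files and their password must be backed up.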

How do I install the Mac Client?

Please refer to this page to view the answer.


If there are other deployment issues that are not addressed here, check the Endpoint Manager Administrator's Guide or contact your sales engineer or support technician.