[RFC] Enterprise console

[wpn]

I created a similar thread here: http://forum.avast.com/index.php?topic=101270.0 (since 13-7-2012)
The purpose of this thread is not discussing wanted changes like it happened in the other thread but to organize changes we want to see in the console on which the Avast team (hopefully) can give us input by giving us details about the progress of implementation if the change requests are accepted. So they can also say which changes will be incorporated in the next console release.
ENTERPRISE CONSOLE ONLY

RFC 1: Free choice mirror location URGENT
Since this is an ENTERPRISE product I as the administrator NEED to have control over the product installation and locations. I need to be able to control where the program places the mirror location (user data) and separate it from the program location and OS partition. This issue has been addressed in the SBC forum to a big extend and build with arguments. It was present in the SBC console, now in the Enterprise (bigger) brother its gone.
Its needed to be able to comply to company policies on where to store program data, user data and such.
Running the program from the C: partition where the OS resides is EXPENSIVE, usually this partition consists of mirror disks (50% space loss). The program itself can be installed there, but user accessible data should be on another volume which is cheaper in usage (different RAID setup, less loss of space) and less performance straining on the OS volume.

RFC 2: Active Directory integration
Make AD integration possible so that we can appoint AV administrators that can access the console with their AD username/password. Possibly even set drill down rights on just logs or only deploying stuff like that.
Next to that the sorting of objects can be based on the OU layout of the corporation build in AD, which eliminates to keep another list of how it is buildup.
I have several free products in use that enumerate the computers based on OU layout. (EMCO software)

RFC 3: Logfile display consistency, inside the console
Right now there are at least two ways of opening logfiles from the menu, one opens the file directly in notepad, the other opens IE first, downloads the logfile and then opens in notepad.
This should all be possible to show within the console with an option to save the logfile and date/time filtered when the administrator wants to save the file. If it is not in the console then only use notepad directly, not a browser to download first.

RFC 4: Change the starting dashboard
I would like to see that the starting dashboard directly after logging in shows information that is useful:
- Mirror information like status of update (plus reason if failed), server receiving updates from, versions (console, enginge, VPS), streaming update status, counting of clients behind in VPS or engine update?
- Total licenses, modules that are licensed and expiration date of the licenses,  amount of licenses in use
- Last computers with infection and which infection and action taken on the discovery of infection, or a counter with the days free of infection (this second one is just a bonus)
- notification of program updates for clients and console
- Anybody has other suggestions?

RFC 5: Protected the Endpoint with password from uninstall
In previous versions uninstalling the product was protected with a password. This option is gone in v7. Since there are users with local admin rights in corporations for different reasons, it is not wished that the product can be removed by others then the systemadministrators.
The option to protect uninstallation would be useful in the CONSOLE. Turn on the option to protect, turn off to be able to uninstall when needed.

RFC 6: Autorefresh console
Every time you change something, run a task/job, move a machine… you have to press F5 to refresh the info on the screen to reflect the changes. When you make a change like that, it is more efficient to do an automatic refresh.

RFC 9a: Automatic program updates
In the settings for updates there is only a posibility for ASK or MANUAL updating the program. The option for automatic updating would be desired by several customers.
Right now you have to wait for a computer to be online to be able to update it and start a manual created task to do the updating.
This also imposes a threat if the program update causes problems like blue screens and the update should NOT be rolled out

RFC9b: Approval of program updates (inherent on 9a)
In the business part, the program updates are NOT regular like in the consumer product. The consequences of a program update are mostly financial loss if the update crashes. Therefor if there is an update ready for the program it would be good to have an approval of the update, which can be placed in a test container to see if the update gives trouble.
This is much like the WSUS approval system. Ofcourse this is not wanted for VPS updates (even tho the same risk is involved).
With this request it is also important to have a dashboard at login that states the versions

RFC 10: Client-Side & Server-Side session tasks remove fold-out
Remove the fold-out option in the folder structure at the tasks. When you click on that option (client-side tasks) the tasks are listed in the right side already. No need to be able to fold-out to see exactly the same but ordered on name of the task and descending.

RFC 11: Session -> Local scanners / on-access scanners: Add object info and actions
There is no info about which computer has the infection or any possible actions to take on the infections.
At least give the computer name on which the infection was detected and the possibility to quarantine or delete the file.
In general more information is wanted in the console.

RFC 12:  Generate MSI package instead of EXE package
ADNM (4.x) used to create an MSI package which in turn could be used in AD group policy (or other deployment tools) to deploy. To comply to company policy it should be possible to have 1 solution for software deployment which is the choice of the company (by policy) and therefor it should be possible to have an MSI file for deployment. With an proper MSI file there is no extra tweaking needed for deployment.

RFC 13: Manual VPS/Program update on mirror server
In rare cases it is not possible to get connected to the internet anymore to get updates (internet down, hacked, u name it). In these cases it would be useful to be able to update the VPS and program versions manually on the AES server for clients to pick it up, preventing the administrator to have to go by every desktop to update manually.
The manual VPS is already present for download but its for individual updating.
In some other cases (to be found in the ADNM thread) it is possible to send such update to a ship that is without internet but has several stations managed.
(this would be considered a bonus)

RFC 14: Have unmanaged clients without consuming licenses
All computers found by the console automatically receive a license. This is not desired since not all discovered computers need a license (other AV, no AV, u name it). The license becomes available when you delete the object again. When the discovery task is automated then every time the computer is discovered it gets the license again.
Make a container option that prevents the console to give the objects in that container a license. This is like the SOA where there is an unmanaged container.

RFC 15: Targeting specific Organizational Unit in Active Directory for computer discovery task
It should be possible to have the ability to configure a task like the default "find computers" task in AEA to scan a specific OU in AD.  Since this is an enterprise solution, the option of scanning workgroups seems a bit out of place.
In larger companies there are several administrators responsible for a certain part of the network (think of multiple offices)


RFC 16: Set the client user interface language in the console (Internationalisation)
Right now the clients automatically choose the language of the OS. For user friendliness the OS in the native language so Avast adopts that automatically. As administrator (and problem solver) you also get errors in the native language, this means finding results to solve the problem are very limited. This mostly has it cause in the translations from either the Avast translator or the administrator.
An option to choose which display language is used would be useful.

RFC 17: Clean AES server log files
You can see several log files from the  View option in the menu: Server, remote install... but you cannot clean them or empty from the console.

RFC 18: Test SMTP/database settings during setup and SMTP also inside the console
There is no option to test the settings for SMTP and database connections during setup. This was introduced in the setup for the SBC 6 console. This should be available for the Enterprise console setup too.
When there is no SMTP configuration during setup, then there should be a test option for the configuration in the console itself.

RFC19: semi-integration of the maintenance tool into the console with smart-decisions
Right now there are two tools:  the console and the maintenance tool
When the console doesnt work you need to use the maintenance tool to do troubleshooting.
Re-write the console login procedure to be smarter:  When the console cant login offer to start the maintenance tool or start it automatically when the console is started from the AEA server.
Since the maintenance tool requires administrator rights, a person that dont have those right will not be able to use the tool so its secure to offer the program this way.

[wpn]

RFC 18: Test SMTP/database settings during setup and SMTP also inside the console
There is no option to test the settings for SMTP and database connections during setup. This was introduced in the setup for the SBC 6 console. This should be available for the Enterprise console setup too.
When there is no SMTP configuration during setup, then there should be a test option for the configuration in the console itself.

RFC19: semi-integration of the maintenance tool into the console with smart-decisions
Right now there are two tools:  the console and the maintenance tool
When the console doesnt work you need to use the maintenance tool to do troubleshooting.
Re-write the console login procedure to be smarter:  When the console cant login offer to start the maintenance tool or start it automatically when the console is started from the AEA server.
Since the maintenance tool requires administrator rights, a person that dont have those right will not be able to use the tool so its secure to offer the program this way.

RFC20: Support for Server 2012 and GUI-less installation
Server 2012 is released. The server is specifically without GUI (it is a choice to install), since the aim is to do remote management (more towards cloud).
In this thread: http://forum.avast.com/index.php?topic=116772.0    the installation was done on 2008 without GUI but with some unnecessary efforts.

RFC21: support multi OS installations (and thus mobile devices too)
There are clients for windows, linux, mac os, android... Since enterprises use mobile devices and use linux/mac/windows mixed it would be logical to have the console be able to controle those clients too and deploy them. Right now only windows clients can be managed.

RFC22: Update console from console or maintenance program
To update the console you have to go into ADD/REMOVE PROGRAMS from Windows. This is not logical. Place the option where it should be, either in the console itself as option (most of the software can do this) or in the program for maintenance (see RFC19).

RFC23: Extended information about (remote installation) errors (if possible)
See thread http://forum.avast.com/index.php?topic=116969.0 pushing the installation fails, but the message is

Code: [Select]

CreateService C:\~AVINSTL\aswISvc.exe error 1727 (The remote procedure call failed and did not execute)
Either more information about why not or a possible cause could be given. The system tries to create the service with/for aswISvc.exe. Is the RPC service on the computer not running? Is the user that is used not authorised to do so? The installation must give a result to the createservice proces right?


** continue building **

[wpn]

RFC24: Computer lock on virus presence
In a business environment its important to contain spreading viruses. Users see the notification they are infected but many ignore it because they are busy working. This means a computer is spreading infection or has plenty of possibilities to do so.
With the current version of mobile avast it is possible to lock the phone. This feature would be very useful in desktops too where Avast can lock the desktop and kill network traffic when the administrator orders the desktop client to do so.
The administrator can then visit the computer and unlock it with the avast password that is only known to administrators and clean up and chekc the computer and restore functionality when it is clean.

[wpn]

**reserved for expanding RFC item organizing**

[wpn]

**reserved for expanding RFC item organizing**

[wpn]

*reserved for expanding now too and acting as a BUMP to hopefully get feedback from the development team*

[wpn]

@Avast team
A pending release to support windows 8.1 is stated for december, possibly december 14.

What about some input about the above RFC's for the enterprise console?

Looking forward to input

[wpn]

*bump*

[JayZ]

Sorry to dash any hopes here but the upcoming update is strictly about 8.1 compatibility and fixing bugs. While the above is an awesome list of features to look into for the next version of the business products, I am quite sure that new features are not on the order of the day right now.

If you have any bugs to share then I'm all ears...

Definition of Bug: Something that doesn't work as avast intended it to.

[wpn]

Thanks JayZ, good to know  and finally an answer from the team....

Just to state the obvious.... above is not a bug list...  its and list with RFC's  Request For Change.
The next enterprise console is for the 8.1 compatibility, its an "emergegcy" release and greatly appreciated when it is here december 15.
When is the release with possible RFC's from above planned?  Some still are urgent changes to be made like the mirror location and infection warning and license control.
Next to that an information dashboard with stated information at startup would mature the product closer worhty of enterprise level product, some of those are partially build into the SOA product already (like the mirror location if i remember correct from beta testing v6).

[JayZ]

Well, the next release of the business products is planned for late next year. This will likely be a completely new product made from scratch, not a mere upgrade of the current EA console which is past its 10th year of life in terms of when the first code for it was written. It has had a long and venerable journey but we have pretty much exhausted all practical options on what we can do in terms of changes, we need new code.

This emergency update is likely the last one the current consoles will see for some time, so we are trying to squeeze what we can in here to make the wait for the new product as comfortable as possible, which is unfortunately not much.

[wpn]

Now THAT is an answer i can enjoy reading even tho the timepath is long it should become worth it i believe, if you also listen to input from the users (like me).

[JayZ]

Before we get excited (I am looking forward to it as well) lets keep in mind that the "planned" release is at the moment a rough estimate at best. It may be earlier if the market conditions push it, or it may be later as well. The only thing that is sure at this moment in time is that we need a new business product and that plans are in motion to get us there.

However regarding features, we are more than happy to get constructive feedback. I am currently compiling a list of feature requests from all sources that I come across and we will use that as input for discussion about the new product.

[wpn]

well, you have given already more information then I expected   Keep it coming i would say!

I would love to be kept in the loop for this new product, if it is up to me i would love to get it sooner (tomorow) then later, specially if the RFC's above are incorporated in it