Body
Upon accessing your new ITAM instance via the Web UI, there are some important initial configuration items to consider before starting to use the platform. This article starts the process of setting up the basics of your ITAM instance for both on prem (who should have completed the on prem setup section) and cloud customers. While an on prem installation may require other infrastructure admins, from here on we assume you are a platform admin. That is, you may not have access to the host, but you have full rights in the ITAM platform. For those with delegated rights, some of these items may not apply due to permissions, and if you are an established customer just looking for a refresh or getting up to speed joining the team, much of the initial work will already be done of course. This article also mirrors the first of our Readiness courses that new customers of the TD ITAM platform attend.
Initial Settings
Once you log in using the admin password you set during the setup wizard (on prem customers), or name and password you were sent by our infrastructure team (cloud customers), navigate to Settings and look at the following sections for a few baseline items. Note you need to click on the word Settings for these items. The ^ next to Settings will expand advanced items we will discuss later.
At the top of the sub navigation pane next to the Topics header there is an i button. That has a check next to it when enabled, which turns on all the verbose information in the settings panes. Because of all this in page information we won't go over every little detail in this article. Instead, we'll focus on important use case details not covered by the helper text.
Note that you can alter many settings under many Topics and when you click Save they ALL get saved. Attempting to leave the Settings page without saving will display a one time warning. Some of us like to be paranoid and Save before changing to another Topic, just in case we lose track of what we were doing.
Computer IDs
The first stop is Computer IDs because they are the very foundation of how Computers will be recorded in the database. While you will have a default that likely has Serial as the most important, it's advisable to review all the options and consider your environment in detail. It's also much harder to change these down the road once data is in place as a database conversion is needed. Some items of note:
- Thin Client Name is the top default for any TS/RDS style technology connections. You can choose to put Thin Client User above this if you like. This will use the authenticated user name instead of the connecting computer name in the "name" column of the Computers page for these connections. This is simply a readability choice in many cases. However, depending on your environment it may be less records as well. That is, if one user connects from 5 computers to the RDS farm, that's 5 computer records in AllSight. If however you use Name then it's one record. But, if there is limited access to the farm from thin stations, maybe there are only 20 computer names possible but hundreds of user names possible. Consider the infrastructure when making this choice.
- QND is used in our Japan market and meaningless anywhere else and will be skipped. You can remove this for clarity if you find it's in place.
- Most sites will use Serial as the primary after the Thin choice because it is unique and the computer can find its record after being totally re-imaged and renamed and update the info accordingly. Combined Serial is a reasonable backup for this to put in 3rd place. The Combined serial will try to find any serial between the BIOS, mainboard, and system level hardware and combine them for a unique ID. This can be useful if you have hardware that is custom built of off brand, but otherwise you can also skip this.
- Virtual systems with no serial will fall back to something else, in which case Computer Name or Virtual Computer Name may be a good fallback after Serial. Using Computer Name is useful to catch any hardware that lacks a Serial like a custom built machine. However, if that computer is renamed, a new record is made. Virtual computers are assumed to have unique names and lack serials, so if you only want to use name for those systems use Virtual Computer Name instead and allow physical hardware with no serials to keep working down the list.
- Hardware Digest is at the bottom as the last resort and can not be removed. This is a catch all in case of something like a WMI failure causing the serial to not be known (and therefore a "duplicate" record to be made under a new ID).
In more complex settings the exact order of IDs for fallbacks can be very important. Consult with Support as needed to ensure the best outcome.
MAC
This was a popular choice 20 years ago. However in modern times there tend to be a couple problems using this as an ID outside of special cases:
- If you image 10 laptops on the same dock, they are 1 computer because they have the same primary MAC at creation. This can be retained in deployment making it appear only one shows up at a time in the server because they are constantly updating the shared record with their details.
- If a laptop had no onboard NIC and uses multiple docks and dongles, it can have an "identity crisis". This leads to multiple duplicate records being made as the primary interface previously used is missing entirely and a new one has been found.
Virtual IDs
If you have complex virtual environments with multiple VDI pools, thick and thin services, thin desktops, hybrid WVD, etc, then you may need a more in depth consultation. There are several ID types that can facilitate these environment, and in some cases you may need targeted agent deployments with special install flags to force a certain ID type to be used. This can allow for different pools of machines to be identified in different ways to optimize your deployment. Consult with your Implementation consultant or support for further assistance.
Your choice of ID order should be made before mass deployment of the client to prevent possible duplicate records and confusion. While some of the virtual types can be safely added down the road, any changes to the ID order are best made in consultation with support to ensure you're not creating an issue for yourself.
Mail
In order to receive critical alerts and notifications, you will need to set up the Mail settings. On prem customers will need to input SMTP settings and an email service account so the server can send emails. Cloud customers need only enable the daily status emails and set the primary admin email address. Only one address can be set to receive these daily emails and the critical alerts, so use of a list address is often prudent. If you don't allow the server to send email, you won't have alerts, expiration notices, or be able to use scheduled reports.
Account Setup
If you want to use external authentication like Azure, this is where that is configured. Support is happy to assist as the topic of Permissions quickly follows and is a deep topic due to granularity. For initial setup see This Article. Generally only small sites will use a couple internal accounts, and larger sites will use external group membership to automatically provision ITAM accounts with the proper Roles.
Clients
If you an on prem customer and enabled the AD mapping in the prior setup steps, it will be enabled here. You likely want to make the default Use all OUs for Division Mapping so you get the whole "folder" structure you see normally in AD, rather than just using the first level OU. You may also want to disable the option for Mapping takes precedence over Rules. This allows flexibility for local rule override of AD mapping should you ever need it. Cloud customers are unlikely to use these settings in any way. The one niche use case is leveraging Azure groups for software access limitations in Policies.
General
You can use these settings to set a color scheme (including the TDNext new UI experience theme which is Lilac color with the TeamDynamix Font and Layout option enabled), and set the name that appears in the upper left of your instance. There are also optional login and analytics settings.
Maps
These are options related to using the Maps feature which will be discussed later. Notably you can set default icon colors for visibility or preference. Note that switching default status colors may confuse support so keep in mind you may have to tell us when we're confused looking at your computers list why things seem backwards ;)
PRS
On a nightly basis your local server checks with our Product Recognition Service to see if there are new product definitions to import based on local computer audits. It's prudent to make sure your Firewalls are set up to allow this communication. Clicking the Now button performs a check, which should only take seconds on a fresh server. Reload the page to ensure it was a successful check.
Audits
As a very rough statement, any site with less than 5000 endpoints should consider making the default Audit Interval daily. By default this is 14 days on a fresh install for safety, but most people don't want to wait 2 weeks to see if computers are up to date after a deployment action.
If you make this daily, the option to Send Program management settings to client during audits can be enabled as it will be an effective proactive option. This sends Policy information to clients to pre-cache so they are not pulled on demand, which is useful for mobile systems that may be off network.
Backups
This is legacy and no longer used. It creates local file copies which are not useful when you host on prem with virtual host snapshotting, and it's disabled for cloud instances.
Alarms
These are system level default settings that in some cases will make more sense as you explore the other features of the platform (like Purchases).
Updates
The server can tell clients to silently update to the latest client version when they check in to the server. Each version does have to be Accepted on release which allows sites to validate a new version before deploying. Clients random schedule the update as well so as to randomly balance the network activity pulling the installer, tiny as it is. This means it could be up to 24 hours after the check in before the update is applied.
The green dot in the UI flags attention that a new update is available to accept and serve out. If you are an on prem customer, ensure the download URLs are using the FQDN of the server (the CNAME for which you have an SSL cert is best).
Columns
These options also will make more sense as you become familiar with the asset management features that use them. Note that custom Lifecycle stages and Device Types can NOT be deleted once created. Be careful to only make these when you are certain about your additions to the platform choices.
Logging
This will only be used when troubleshooting requires more Verbose details. The settings should be returned to normal when troubleshooting is complete to not clog up the disk.
Idle Usage
This relates to a niche feature of Software Policies wherein you can pop up alerts when a user has software idle in the background.
Miscellaneous
A bunch of other niche things you will likely never use in most instances. Note however the System Login Names option at the bottom which is handy for global filtering out of service level account activity in your reports.
Network
Largely unused for cloud customers with the exception of the CSP settings if you are embedding content across platforms. For on prem customers, there is the hostname setting to consider. Once you have a CNAME set for your server, you'll want to set that in the hostname field on this page. This is of course also the name you want to get on your SSL certificate.
Advanced
Used in niche cases to load in vendor license files.
Information
Details about license position and disk usage.
Initial Tasks
Before we can really get in to using the UI, there needs to be something to look at. In order to get some initial hardware and software data to look at and act upon, you'll need to deploy a few clients to some computers. The agent is called KeyAccess, and it is supported on Windows, MacOS, and Linux (deb and rpm). You can install a few by hand to start, but ultimately you will want to consider some method of mass deployment (e.g. SCCM, InTune, Jamf, BigFix, PDQ, etc). We have extensive documentation on these various methods, using install flags, pre-flight scripts, etc.
Install Clients
Under the Help page on the left side navigation of your ITAM instance you will find prominent download buttons at the top for Windows and MacOS. Linux installers and other components can be found on our Downloads page. Once a client is installed it will show up in the Computers page of the Web UI a few seconds later. It will automatically perform an initial audit on first contact. This audit will contain a full hardware and software inventory which then forms the basis of software tracking and reporting.
Troubleshooting tips
- Ensure the KeyAccess client is installed and running. On Windows, open Control Panels -> KeyAccess. On Mac open System Preferences -> KeyAccess.
- Ensure KeyAccess is pointed to the correct server name (IP can be used but DNS is highly encouraged) and shows a connected status. For cloud customers remember the address must be in https:// format. If KeyAccess is not connected, click the Logon button in the control panel/preference pane to see what happens.
- Make sure any workstation or network security is not blocking the agent from running or communicating to the server.
Organizing Computers
Computers provide your data, but there are some features you will only be able to leverage once you have organized them into Divisions. Divisions are like OUs in Active Directory (and can potentially be based on the latter automatically) or Folders of objects in other UIs. Click on the Computers navigation item and you will see a sub navigation pane under which is Divisions. By default there is only Uncategorized, which is not actually a division, it's a holding area for computers not assigned to one. Click the + next to DIVISIONS to make a new division. Note that if you are using Active Directory mapping for clients, this should not be necessary. In that case, divisions should be automatically created and computers allocated when they connect to the server.
You can right click on a Division to Edit the name or Delete it, or make a New Division nested underneath it.
The actual methods of using AD OU mirroring, creating Rules to move computers automatically based on name, leveraging Azure attributes for organization, and more will be discussed in later portions of the documentation. For now just play around with the basics of manually making a division or two, and think about how you will want to structure your divisions as we move forward. Divisions are the foundation of many computer Reports as well as the Maps feature of the platform, so consider those features when thinking about your structure.
Once you have divisions made, you can drag computers into them to organize your environment. Again this is not needed if you're using AD mapping, only if you're organizing manually.
Software Tracking
As mentioned, the inventory of software is implicit to the platform functionality. That inventory extends to the individual executable level and also includes other meta data from each endpoint. That is a LOT of granular information which can be overwhelming. The normalization process of ITAM compares the discovered inventory to our PRS catalogue and finds matches. This can in large cases distill some 200k programs down to 1k Products, which is much more consumable. While PRS contains over 19k products and counting, you may have software in your environment not in our normalization catalogue. Not to worry, we'll get in to how you can create your own products when needed when we talk about KeyConfigure. The platform also looks for web browser activity to known URLs to identify SaaS products that may be used in your environment.
But again, all this is just the inventory, or as we call it Audit data. If you want to know who used what software when and for how long, that requires gathering Usage data. This is done by way of Policies, which can also block or manage software execution if desired. But at the most common simple level, you just want to pick from a list of discovered software the things you care to track. A word of advice, don't be a data hoarder. A lot of data that will never be useful simply takes up space and causes reports to take longer, which is why the platform does not implicitly track anything. Make good choices about what you want to track. Site licenses that will never change, freeware, system utilities, these are things that are less likely to be useful compared to that software you pay a high fee for a handful of seats and aren't sure if you're getting your money's worth out of.
How to Track Software Usage
The Software -> Manage page allows for simple one click tracking of discovered Products and control over list visibility in the Web UI. By default if there are new products you have not made a decision about, you will be taken to the Attention section of the Filters. Regardless of filters, the same options are available - the Attention filter is simply a convenience to help ensure you do not miss new items having been found so you can choose an action. A green dot will also appear by the main Manage item when there are new discoveries.
Each line item shows a Product. Products are basically definition containers for programs and pulled down automatically from our Product Recognition Service (PRS) based on the Programs that the KeyAccess client finds on your computers. You can add your own Products if needed which we will cover in KeyConfigure. Most will have an icon that is 4 squares. This is a Family product that contains all sub versions of the product. The box icon is a stand alone Edition product that has no Family, or due to specific actions breaking out versions for individual tracking or other actions. The relation from Program to Product to Family is best illustrated with something like Microsoft or Adobe. MS Word is a Program that is in one or more Products like Office Home 2019 and Office Business 2020. Microsoft Office Home versions 2018, 2019, 2020, etc will all be a part of the Office Home family product. In this way, acting on the family allows for tracking of all versions of all apps in the suite backward and forward as versions are released and added to PRS. Other columns show Platform and Publisher details for reference.
The options are quite simple and summarized in the alert header:
- Observe usage of the software by clicking the Green dot. This will cause the system to create an Observe policy, which causes all clients to record launches and quits of the Product (and programs contained therein) in question.
- Ignore usage by clicking the Red dot. You will still have all the Audit (inventory) data available, this just says you're not interested in the granular usage details of who ran it when on what machine for how long. Audit data still gives you where everything is installed, when it was first seen, and when it was last used.
- Show the product on lists. By removing the Checkmark in the "map" column (if you're old enough to remember folder paper maps the icon make sense) you hide this Product from appearing on the Software page and software lists when clicking Computers on Maps. This is useful for things like security software that are useful to be able to report on when needed, but which don't need to clutter the Guest view of "useful" applications that are available for use.
We'll talk more about how you can fully customize your Software catalogue later. For now just choose some of the most stand out Products you want to collect usage data for. You may also want to ensure a little usage occurs for a couple of those apps on the computers you have installed the agent on.
With the initial handful of computers you have installed and collected inventory, and the software you chose to collect usage data for, we'll have something to look at as we learn our way around the UI in the next part of the walkthrough.