Dan Cunningham

As promised, here’s the release version of the Software Compliance Tool, including fairly comprehensive documentation on how to use it. This has been tested extensively and is currently in-use on a 2,000+ workstation site, saving a huge amount of time in policing and removing unwanted applications.

This is being released as Donationware, as are all my other tools. I don’t get paid to write these apps, and there’s no obligation on you to donate. On this app in particular though, I think people should keep in mind that there’s a number of blacklisting (and whitelisting) tools out there that solely prevent new installations and don’t even attempt to remove unwanted applications, charging anywhere between $5 – $20 per workstation.  SCT compliments them wonderfully since it assists you in remediating back to your approved application list. If your company implements SCT, any sort of donation would be much appreciated

You can download the Software Compliance Tool in the SysAdmin Tools section.

If you hit any issues or need help in configuring, just get in touch on the Contact page.

Dan

Oh hi! Welcome to my all new site, with extra shiny bits  I’m really pleased with the new layout, I hope you like it too.

So over the next few days I’ll get the remaining pieces of the Software Compliance Tool together and post it here. You might notice I’ve already made a start on it, and it’s already got it’s own section under Admin Tools.

Things have been pretty hectic for me work-wise for the past few months, and generally by the end of the working day I’m exhausted – but things should start calming down soon enough and I’m hopefully going to blog a bit more frequently on things I’m working on – both work projects and some of my own personal development projects.

Stay tuned!

It’s been a while since I’ve posted – I’m up to my eyes in work I’m afraid. But since I’ve had quite a number of requests to release the Software Compliance Tool, I figured I should actually go ahead and do so. It’s working very well in my work environment at present, so I’m deeming it as pretty stable. I should probably do up some documentation to go with it first though, so I’ll get that together over the next few days and release something then

Dan

Update 15/12/09: Emm, actually this might have to wait until after Christmas. Due to some limitations with my current site design, I need to do a bit of an overhaul in order to post up new sections. This might take me a bit of time though – although feel free to get in touch if you want a copy of SCT now.

So I figured I’d formally unveil something I’ve had in development for quite a while. This has nothing to do with video encoding so, unless you’re a CTO or network administrator struggling to remediate application licensing issues and crack down on unwanted and potentially harmful applications installed across your userbase, you can safely skip this

So, the Software Compliance Tool is a small application designed to reduce the overhead in managing unwanted applications in a business environment. While Windows Vista and Windows 7 have made a lot of headway in easing reduced user rights into the Enterprise, it’s still very common that Local Administrator rights are given to end users. The reasoning for this is usually to work around application compatibility (both external and in-house). However, this introduces the ability for end users to install whatever they want on their computers, including games, peer-to-peer software and security vulnerable applications. It is the company’s responsibility to ensure that copyrights are not infringed, and that their network is secure. This is where SCT comes in (I love my acronyms don’t I?).

When implemented in your environment, SCT starts as a hidden application, scans the Windows Installer DB and the registry for application details. It then compares the found applications to the blacklist policy. If no matches are found, the application closes without any notification to the end user.

If a match is found, SCT displays a dialog to the end user and tries to remove the application automatically. For Windows Installer applications, this is generally fairly straightforward. For non-MSI based installs, the default uninstall string is used (from the registry) which can be further augmented with additions (ie, “/s” for a silent uninstall) or completely replaced with a custom action string.

Here’s what the end user sees if something is in breach of the policy:

So with regards to the policy, it can work in a number of ways:

• Firstly, an exact name match whereby you say ‘iTunes’ is not allowed.
• Secondly, you can specific that a partial match can occur. This is important for applications that write version information as part of the installation, for example, Firefox 3.5. With a partial name match, you can blacklist ‘Firefox’ and catch every version. This is also useful to blacklist types of applications, for example ‘Poker’
• Thirdly, you can blacklist against the previous two types, but also have a version restriction. So let’s say that you allow, but don’t support Adobe Flash for Firefox. Flash is notorious for having security issues, so you could have a version restriction to the latest patched version and all previous versions will be automatically removed.
• Lastly, you can apply a blacklist but also allow exclusions through Active Directory groups. Just specify the group name in the application policy, populate the group with users, and they will be automatically excluded from the automatic removal of the application. This is especially convenient for administration applications, that you KNOW your standard user shouldn’t have on their workstation.

In order to prevent against tampering with the policy, it’s encrypted on first run, changing from an XML file to a .ECF file (encrypted compliance file, told you I loved my acronyms). This prevents the more technically adept users from modifying it.

In addition to this, it’s also possible to log all policy deviations to a SQL database, which can be tracked internally for repeated breaches, and subsequently actioned by IT or HR depending on your policies.

Since this is a standalone application, it can be deployed and rerun with whatever mechanism you want, ie. login script, SCCM, or a simple script that pushes it down to each users workstation and puts a HKLM\Software\Microsoft\Windows\CurrentVersion\Run key in place. Updating the policy is as simple as replacing the .ECF file.

So, I have this pretty much completed, and testing has been going extremely well. I’d like to gauge whether this is of interest to people though, to release and maintain.

Thoughts, questions and feedback would be most welcome!

Last but not least, although this tool has been built from the ground up, it’s been heavily inspired by something that two colleagues of mine in the Netherlands produced a few years ago (Yury Dijkhuizen’s idea which was developed by Erik Zalm), and I owe them both a lot of credit!

Dan

So I finally got time to trim the fat and clean up the code last night and it’s now available on GitHub

It’s been fun working on both EncodeHD and WMA over the past few years and I appreciate all the support they’ve gotten. I’ll try to continue contributing bits and pieces and I’m really hopeful that someone or some people can pick up on both of these projects. If not, then I hope the code helps people better understand both FFmpeg and USMT respectively.

Regarding support for both apps, I’ve been trying to decide how best to handle this. I get dozens of emails a day and, probably to my own downfall, reply to every single one! So, over the next few days I’ll probably get rid of the GetSatisfaction support pages and start only occasionally trawling through support emails.

Update 06/10/2009: I’ve marked myself as inactive in the GetSatisfaction pages and i’ve taken the Feedback tab off this site.

So what’s next? Well, I’ve got an interesting tool in the works for sysadmins. It’s kinda like Win 7’s AppLocker – but retrospective. Rather than whitelisting, it uses a blacklist to remove applications automatically. I’ve sent it out to a few testers and if it proves worthwhile, then maybe it’ll see the light of day. I’m also learning Objective-C, so I’m hoping my next app will be for the Mac