Altiris shakes up Windows configuration management

Every once in a while a product comes along that fundamentally alters your perception of what is possible with IT. For me, it was the first time I saw Microsoft’s IntelliMirror technology. The combination of Group Policies and client-side persistent caching of applications and data represented a huge leap forward in traditional “fat” client desktop manageability.

However, while I sat basking in the glow of management Nirvana, people far smarter than I were already hard at work on the next big evolutionary leap. The folks at Altiris weren’t satisfied with self-healing install programs or policy-based feature control (both cornerstones of the Microsoft IntelliMirror model). They envisioned a software deployment model that worked much like a light switch: Turn it on and the application is there; turn it off and it disappears without a trace.

The advantages of such an approach over IntelliMirror are clear: No messy installation scripts that break under tightened security; no troublesome “artifacts” in the Windows Registry; no leftover files lurking in obscure folders on the local hard disk, waiting to trip up the next deployment. In the software deployment world according to Altiris, applications would materialize and/or dematerialize with the flick of a switch.

Impossible, you say? I certainly thought so. But then I installed the company’s SVS (Software Virtualization Solution) on a few PCs, and found that I was wrong — virtual configuration management was possible, and Altiris does a bang-up job of streamlining the process.

Peeking Behind the Virtual Curtain

As I dug into the underpinnings of the SVS magic, I found a clever combination of file system filtering and multi-layered, local caching of code and data. Working together, they allow SVS to intercept application calls made to the Windows file system (including those calls to the Registry hive files) and redirect them to a private, hidden cache file.

This redirection allows you to install an application without modifying the PC’s configuration, and it’s the key to the SVS system’s power. You’re now effectively capturing all changes that the installation program would normally make (new files copied to the hard disk, Registry keys added/updated), while isolating them from the actual runtime environment.

The act of “turning on” the application then becomes a simple matter of layering these changes over the existing Windows runtime, using the filter driver to redirect file system calls as necessary to the cached code and configuration data. Turning off an application with SVS is equally simple — disable its profile with the filter driver and the application “disappears” from the PC.

It’s a potent formula: Filter driver plus Profiles (Altiris calls them “layers”) equals seamless application virtualization. Throw in an easy-to-use recording tool to document changes made by each application installer and a flexible, policy-based management component to isolate and organize the various layers within the cache, and suddenly the SVS “magic” looks a lot more like an innovative way to overcome some of the nasty limitations in the current Windows Installer model.

Harnessing the Magic

I began my Altiris SVS test drive by installing the company’s Notification Server software, which is a core component of its larger Client Management Suite framework. After “pushing” the basic Altiris client agent out to several systems using the Notification Server’s Console and its auto-discovery capabilities, I was able to schedule deployment of the SVS client.

The SVS client comes in two flavors. One is a standard version for application deployment; the other is an Administrator version that includes a local SVS management console for recording and managing application layers.

The recording process itself is a simple as selecting the “Create New Layer” menu option and then executing the application’s installer. The changes are recorded by the Altiris agent and saved to the new SVS layer, where they can be enabled, disabled, or exported for batch deployment via the Altiris Console server. You can also configure layers to auto-enable at Windows startup and manually reset a layer to effectively roll back any post-installation changes made to its various writeable sections.

SVS worked flawlessly during my testing. I was able to record, enable, disable and reset both simple (Office Web Components) and complex (the full Office 2003 Professional suite) installation layers on the fly, with nearly instantaneous results. Each local SVS management function was replicated within the Altiris Console, allowing me to activate, deactivate, and control application layers centrally. That’s a real boon for help desk professionals trying to diagnose installation or runtime errors.

As I put SVS through its paces and enjoyed the ease of managing the software virtualization layers, I couldn’t help but think that Altiris SVS is the kind of paradigm-shifting technology that one normally associates with Operating System evolution at the platform level. In comparison, IntelliMirror takes a more brute-force approach to application deployment; with SVS, the approach is more subtle and sophisticated, because the virtualization layer prevents reconfiguration of the OS.

Altiris, too, sees the “big picture” potential of SVS, which is why it is literally giving the technology away. In addition to building a grassroots community around SVS (Altiris’ Juice developer portal is a real treasure trove of free add-ons and expert advice), Altiris is making the solution available free for personal use. Corporate customers can deploy SVS for $29 per client node; existing Altiris customers get SVS bundled with Client Management Suite Level 2.

Given the power inherent to the SVS model, Windows configuration management will never be the same. Based on what I saw during testing, I think it could literally replace and/or obviate the need for a range of configuration management technologies.

And don’t be surprised to see Altiris expand its reach: Support for virtualization of OS patches, and the ability to merge these packages with the base is on the roadmap, along with support for Windows Terminal Services, support for server-based apps, and the ability to patch and upgrade VSPs themselves. Only one real question remains: How long before Microsoft rolls SVS-like functionality into Windows?