Sybase Afaria is 'the daddy' of device management solutions. The scope of this article is to give an overview of the features available. For detailed information on the product, view the product documentation on the FTP site:
ftp://ftpaccess:Brightpoint1@ftp.brightpointuk.co.uk/Sales/Sybase%20Afaria/
Due for release in Q1 2009 is version 6 of the product, which is the version I shall look at in this post.
Afaria is a modular product, with the solution being divided into a number of optional ‘Channels’, each Channel being independent of the others and being enabled or disabled based on the license key used to install the product:
NOTE – not all Channels are available on all client platforms.
Multiple channels can be configured, with each channel having one or more of the supported client types associated with it, or specific users or groups subscribed.
Afaria supports both ‘push’ and ‘pull’ functionality, whereby application, file and other publication packages can be delivered to the client as soon as they are updated on the local network, and client devices can also request specific information from the server at the user’s initiation.
Push functionality works by the use of ‘Outbound Notifications’ on the server: a ‘Listener’ on the client monitors the server for changes to specific Channels. As soon as a change is saved and published by the administrator, an outbound notification is generated which is received by the listener, which causes the client to initiate synchronisation with the server.
‘Bandwidth throttling’ is also available, enabling the administrator to define how much of the bandwidth available to the client device can be utilised by the Afaria client, thereby giving priority to more business-critical applications if required.
‘Byte-level differencing’ enables the Afaria server to deliver to the client only those byte-level changes that have been made to files and publications since the client last contacted the server, reducing the amount of data transmitted and reducing connection times.
‘Segmented delivery’ allows for large files and publications to be broken down into smaller packages and delivered to the client over a series of connections if required.
‘Check point restart’ allows for interrupted connections to be resumed at the point at which they were ‘broken’, reducing redundant data transfer and reducing connection times.
Compression technology allows for files and published data to be compressed during transmission to the client to further reduce data transfer and connection times.
Afaria can also be optionally integrated with the Microsoft System Management Server (SMS) product for further ease of client device administration and reporting.
New to version 6 is the inclusion of OMA-CP functionality. OMA is the Open Mobile Alliance responsible for ratifying standards governing the delivery of configuration settings to supported client devices via SMS messages. The Linux version of the Nokia Intellisync Mobile Suite offered this functionality when used in conjunction with the Nokia E and N series range of devices. Afaria 6 now offers similar levels of functionality which I will look at later.
Afaria is a Windows server-based application, requiring either Windows Server 2000 or 2003.
The solution requires a database back-end to store configuration information. This can be MSDE for smaller installations, Microsoft SQL Server 2000 or 2005, or Sybase’s own SQLAnywhere database product.
All administration of the product is done via a web interface, therefore IIS needs to be installed on the server also.
There are a number of other pre-requisite applications that also need to be installed prior to installing the Afaria product, but these are provided on the accompanying installation media and you will be prompted to install them automatically if they are not present on the target server:
The Afaria solution requires that a client application be installed onto the client device. I will look at how this application can be deployed to the client later.
Supported client platforms include:
For the client to be able to contact the Afaria server, the server must have a public Internet-facing IP address, with a correctly configured DNS entry if a ‘friendly name’ is to be used.
All client-server communications are done over TCP port 3007, therefore this port will need to be open on the firewall if one is deployed. All client-server communications are encrypted using SSL.
It is not necessarily a requirement that HTTP access be allowed through to the server from the Internet unless you need the ability to administer the server remotely (in which case a VPN solution would be preferable).
It is not advisable that the Afaria server be located in a DMZ environment if the Afaria server is going to need to access local network resources (file servers, database servers, AD authentication information, etc). For the security conscious, Afaria provides the ability of deploying a ‘relay server’ in a DMZ environment. This is a Windows or Linux-based IIS or Apache service that accepts client communications on a customisable port, and relays them to the back-end Afaria server on an alternative port.
I will look at the server installation procedure in a separate post.
The Afaria Administrator
All aspects of the Afaria server’s operation can be configured through a web browser. Internet Explorer is required, and the Microsoft Dot Net Framework 3.5 must be installed.
Administrative Roles can be configured allowing administrative accounts different levels of access.
The default view displays status information on the server as well as historical connection statistics:

It is beyond the scope of this post to go through all of the features available within the Administrator web interface. I shall look at the features available in the various Channels, which are configured within the Channel Administrator view:

Software Manager
The Software Manager allows the administrator to deliver pre-built application installers to client devices and run them:

The installers can be stored locally on the Afaria server or on network shares. The administrator can specify where on the client the package is delivered to and also where it is then installed to. Checks can be implemented to verify before proceeding with the installation that the client has sufficient free storage space and memory available.
Custom actions can also be specified so that events occur both pre- and post-installation of the package. This involves integration with the Session Manager which I will look at in more detail later.
Inventory Manager
The Inventory Manager allows the administrator to define an inventory collection task on the server. Inventories can be hardware-only, or both hardware and software:

Once the Inventory has been processed on the client and the data uploaded to the server, that information can be viewed and reports generated based on specific criteria (devices with Adobe Reader 5 installed, for example).
Inventories can also be included in the Session Manager.
Document Manager
The Document Manager allows the administrator to ‘publish’ specific files and folders, be they local to the Afaria server or network shares. Users can then choose to ‘subscribe’ to some or all of those published files:

Configuration Manager
The Configuration Manager allows the administrator to deliver connection settings and access point information to the client device. The Symbian configuration manager also has templates pre-defined for the delivery of Mail For Exchange settings (the Server ActiveSync client for the Nokia E and N series range of handsets enabling push synchronisation with Microsoft Exchange):

The Windows Mobile configuration manager offers comprehensive options including templates for access points, connection settings, Server ActiveSync profiles, hardware control (Bluetooth, IR, WiFi, Camera, etc), Owner Information, Regional Settings and lots more:

Backup Manager
The Backup Manager is relatively straightforward to configure. Once created you can specify specific files or folders (including subfolders if relevant) to be included in the device backup publication:

Similar restore packages can be created, including all or only some of the data that has already been backed up:

Data Protection Manager
The Data Protection Manager allows the administrator to enforce a power-on password on client devices, specify how many attempts users have to enter their password correctly, and what happens to the client device should that number of attempts be exceeded:


Patch Manager
The Patch Manager is for Windows 32 clients only (Windows 2000, XP and Vista). This feature integrates with Windows Update and allows the administrator to approve available updates and have them delivered to clients automatically:

Session Manager
It is the Session Manager that is the most powerful feature of the Afaria solution, and effectively all of the above Channels can be invoked for inclusion in a Session Manager ‘worklist’, so it is the Session Manager that I shall look at in the most detail.
The Session Manager allows the administrator to create and order Worklists. Each worklist can be run separately or as part of a sequence.

Each Worklist can be comprised of one or many pre-defined actions. For example, a worklist might query an element of the device’s hardware or software status (free memory or storage, or the version of an installed application); deliver a file (be it a document, application, patch or whatever) if required, based on the result returned from the previous query executed on the client; verify the successful delivery of the file (based on the creation of a directory on the client, the value of a specific registry key or a value in an ini file on the client, for example); then send an email to a pre-defined address to alert the administrator that the worklist has completed successfully.
Worklists can be completely automated: queries are performed on the client at a preset interval, and pre-defined actions trigger automatically should specific criteria be met on the client. A client request might query the device registry, file structure, a specific text file, or even a custom variable defined by the administrator.
The complete list of actions available within the Session Manager is as follows:
Append File
Check File
Check Memory
Check Speed
Check Volume
Comment
Copy File
Create Registry Key
Delete File
Delete Registry Key
Delete Registry Value
Delete Variable File
Directory Listing
Disconnect
Else
Else If
End If
End Impersonation
End Quota
End Repeat
End Session
End Work Object
Execute Program
File Status
Find File
Get Database Field
Get File From Client
Get Registry Value
Get Script Variable
If
Impersonate User
Increment Variable
Insert Channel
Insert Worklist
Load Script
Make Directory
Message
Notify Program
Quota
Raise Event
Read Variable File
Reboot Client At End Of Session
Release Script
Remove Directory
Rename File
Repeat
Run Script Function
Search Registry
Send File To Client
Set Bandwidth Throttling Config
Set Client Time
Set Database Field
Set File Attributes
Set Registry Value
Set Script Variable
Set Variable
Test Group Membership
Test Variable
Update Variable File
Wait For File To Exist
Adding an action to a worklist displays the options available for that action, so for example, should you choose to send a file to a client, the administrator can specify where on the network the file lives and where on the client it needs to go. File differencing can be enabled (so that only byte-level changes to files are sent to clients to avoid having to re-send whole files should only small changes have been made to the source), etc:

The Safe Transfer option prevents the creation of the destination file until the file has been successfully transferred. This option instructs the server to use a hidden temporary file until the file transfer completes. Once complete, the server renames the temporary file to the destination filename.
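The write-to-temporary-then-rename pattern that Safe Transfer describes, as an added example that is not Afaria code or part of the original post. The function name, the `.part` suffix and the optional SHA-256 check are assumptions made for illustration; the page does not say how Afaria names its temporary file or whether it verifies content.

```python
import hashlib
import os
import tempfile


def safe_transfer(chunks, dest_path, expected_sha256=None):
    """Write an incoming stream to dest_path so that dest_path only ever
    holds a complete file.

    chunks is any iterable of bytes objects (for example, network reads).
    Returns the SHA-256 hex digest of the data written.
    """
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    # The temporary file lives in the destination directory so the final
    # rename stays on one filesystem and is atomic. A leading dot hides it
    # on Unix-like systems; Windows would need the hidden attribute instead.
    fd, tmp_path = tempfile.mkstemp(prefix=".", suffix=".part", dir=dest_dir)
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in chunks:
                tmp.write(chunk)
                digest.update(chunk)
            tmp.flush()
            os.fsync(tmp.fileno())  # data is on disk before the rename
        # Added check (not described on the page): refuse to publish a file
        # whose content does not match what the sender announced.
        if expected_sha256 is not None and digest.hexdigest() != expected_sha256:
            raise ValueError("transferred data does not match expected digest")
        # os.replace overwrites an existing destination in a single step.
        os.replace(tmp_path, dest_path)
    except BaseException:
        # Interrupted or rejected transfer: remove the partial file and leave
        # whatever was previously at dest_path untouched.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return digest.hexdigest()
```

Anything on the client that reads the destination path therefore sees either the previous complete file or the new complete file, never a half-written one.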
Further variables can be defined, so that for example should you wish to retrieve a file from a client device, you can have a directory created on the target server which includes the machine name of the client, the date and the time that the file was uploaded:

These variables can be pre-defined or custom variables created by the administrator. The list of available variables is as follows:
<!Drive<VarName>>
<!File<VarName>>
<!Path<VarName>>
<%UserDefined>
<AuthenticatedUser>
<ChannelName>
<ChannelViewer>
<CheckDiskSize>
<CheckMemorySize>
<ClientAllUsersDesktopDir>
<ClientChannelDir>
<ClientCommonFilesDir>
<ClientDomainName>
<ClientInstallDir>
<ClientIPAddress>
<ClientMachineName>
<ClientMemorySize>
<ClientOS>
<ClientOSServicePack>
<ClientOSShell>
<ClientOSVersion>
<ClientProcessor>
<ClientProgramFilesDir>
<ClientRasUserName>
<ClientSyncUserName>
<ClientTempFilesDir>
<ClientUserName>
<ClientVersion>
<ClientWindowsDir>
<ClientWindowsSystemDir>
<ConnectionId>
<ConnectionSpeed>
<ConnectionType>
<d>
<date>
<dw>
<dy>
<FileStatCount>
<FileStatSize>
<FileStatVersion>
<GetFilesAttempted>
<GetFilesFailed>
<GetFilesNoUpdate>
<GetFilesSuccessful>
<hh>
<mm>
<ms>
<SendFilesAttempted>
<SendFilesFailed>
<SendFilesNoUpdate>
<SendFilesSuccessful>
<ServerCommonFilesDir>
<ServerID>
<ServerInstallDir>
<ServerIPAddress>
<ServerMachineName>
<ServerMemorySize>
<ServerName>
<ServerOS>
<ServerOSVersion>
<ServerProgramFilesDir>
<ServerTempFilesDir>
<ServerVersion>
<ServerWindowsDir>
<ServerWindowsSystemDir>
<SessionDuration>
<SessionStartTime>
<ss>
<time>
<VolumeSize>
<y>
<y1>
<y4>
The ‘Execute Program’ command can be used to issue any command native to the client operating system. Therefore, for example, should a specific service need to be stopped on the client whilst an action is performed, and then subsequently restarted, the NET STOP and NET START commands could be used. As mentioned above, Software Manager publications can be configured to run Session Manager worklists before and after application installers are delivered to the client.
An element of control can be incorporated into worklists. For example, the ConnectionSpeed command can be used to query the bandwidth available to the client and have different actions available depending on the speed of the connection:

Whilst the Configuration Manager has templates defined for easy configuration of common features on client devices, provided that the administrator knows the required files, variables and registry entries that need to be specified on the client, virtually any aspect of a client’s operation can be controlled via the Session Manager.
Session Manager is, then, very powerful indeed.
Monitors & Alerts
Monitors can be defined on the Afaria server, including:
Thresholds can be defined within the properties of each monitor so that should defined values be reached (a named service on a client device stops running, for example), then a specific event is triggered automatically – this could simply be an alert in a log file, an email to the administrator, or a pre-defined Session Manager Worklist.
Alerts can also be defined so that the administrator is informed automatically should certain events occur on the Afaria server, be it via email, pager or text message.
Channel Sets
Individual channels can be grouped into a channel set. The Afaria client is configured with the address of the Afaria server to connect to, and the channel set to request. That way a client only needs to know the details of the channel set and can automatically be delivered the contents of a Backup Manager, Configuration Manager, Document Manager, Session Manager, or whatever the administrator has ‘published’ to that channel set.
Client Deployment
Client installation packages can be created for all supported client platforms (CAB package for Windows Mobile, SIS package for Symbian, etc). Installers can be pre-configured with the name or IP address of the Afaria server, the channel set to connect to, and can be configured to automatically connect to the server immediately following installation.
Once created, the installation package can be placed on a network share, on a web site, or distributed via memory card, for example.
Static & Dynamic Client Groups
Client devices can be arranged into groups in 2 ways. The membership of static groups does not change: you can define, say, all Windows Mobile 5 devices, or all Sales staff.
Dynamic groups can be defined on a more intelligent basis and their membership can change based on the results of Inventory scans – all devices with over 10MB of available storage, for example.
Reporting
Afaria boasts comprehensive reporting capabilities: monitors and alerts can be reported on, as well as the different server log files and all aspects of the general server ‘health’ (disk usage, network bandwidth, etc); the status of successful and unsuccessful package delivery and connection requests can be reported on; and reports can be generated from the Inventory information collected from all clients that have an Inventory Manager channel defined.
Authentication
Afaria offers a range of mechanisms for authenticating client devices. Devices can be automatically ‘approved’ so there is no need for the user to enter any authentication credentials. This may be preferable if the devices are only being used on a local, closed network, or security has already been addressed elsewhere: a VPN connection, for example.
The Afaria server can be configured to use Active Directory authentication so that users are required to enter their Windows username and password on their client device in order to connect to the server.
Alternatively, an LDAP authentication source can be defined to authenticate against an LDAP server using the Lightweight Directory Access Protocol.
OMA-CP Messages
The ability to generate Open Mobile Alliance Client Provisioning (OMACP) messages from the Afaria server is a feature new to version 6 of the product. This feature allows devices to be remotely configured with connection settings using XML-based .DFF files delivered via SMS (the Short Message Service, not to be confused with the Microsoft System Management Server I mentioned earlier). No client software is required on the device; the device simply needs to support the OMACP standard (which most Symbian devices do now).
This means that a ‘fresh’ client can be configured with the necessary settings to connect to the Internet, a text message can be delivered to the client containing a link to where the Afaria client can be downloaded, and then the device can be configured directly from the Afaria server once the client has been installed.
This feature does require that the Afaria server have access to an SMS Gateway, or have a cellular modem connected to it which supports SMS message delivery (virtually any mobile phone installed as a modem or a connected Fixed Cellular Terminal would provide this capability).
Within the Afaria Administrator, browse to Home → Client Deployment:

Select the option to create a new OMA CP Message Template. The following window will be displayed:

Enter a name for the template and define the APN, username and password for your cellular service provider. Click Save and the new template will be listed.
Right click on the entry and select the option to Send Notification:

In the To field enter the mobile number of the device to which the message is to be sent.
NOTE – the format of the contents of the To field will depend on the requirements of the SMS Gateway or SMSC Connection you defined earlier. This may be full international number format (+447843359005), international format minus the ‘+’ prefix, the format of an email address @carrier.com, etc. Your carrier or service provider will be able to provide assistance.
NOTE – an address book can be configured on the Afaria Server containing the details of all of your recipients. These addresses can also be arranged into distribution groups.
Create an SMS Message containing the link to the Afaria client download: within the Afaria Administrator return to the Client Deployment screen. Select the option to create a New Message. The following window will be displayed:

Enter a name for the message.
Enter a subject for the message and in the Message field enter the link to the Afaria client download.
Save the message, then right click on it and select the option to Send Notification.
Delivering Settings via OMACP
Whilst templates exist for the delivery of Internet connection settings, provided that the administrator knows the correct syntax of the XML to be delivered to the client, virtually anything that can be defined in XML can be configured on the client device using this feature.
Within the Client Deployment screen is an option to create a ‘Free-Form’ Message:

Enter a name for the message.
In the Body field enter the XML source of the OMACP message you wish to deliver to the client.
Save the message, then right click on it and select the option to Send Notification.
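What the XML body for a Free-Form message can look like, as an added example that is not taken from the original post or from Afaria. It builds an access-point definition from the same APN, username and password the template asks for, and checks a hand-written body before it is pasted in; element and parameter names follow the OMA Client Provisioning content format, while the function names and sample values are assumptions.

```python
import xml.etree.ElementTree as ET

ALLOWED_TAGS = {"characteristic", "parm"}


def build_napdef_doc(name, apn, username="", password="", auth_type="PAP"):
    """Build an OMA CP document defining one GPRS access point (NAPDEF)."""
    if not apn or any(ch.isspace() for ch in apn):
        raise ValueError("APN must be non-empty and contain no whitespace")
    doc = ET.Element("wap-provisioningdoc", {"version": "1.1"})
    nap = ET.SubElement(doc, "characteristic", {"type": "NAPDEF"})
    parms = [("NAPID", name + "_NAPID"), ("NAME", name),
             ("BEARER", "GSM-GPRS"),
             ("NAP-ADDRESS", apn), ("NAP-ADDRTYPE", "APN")]
    for pname, value in parms:
        ET.SubElement(nap, "parm", {"name": pname, "value": value})
    if username:
        auth = ET.SubElement(nap, "characteristic", {"type": "NAPAUTHINFO"})
        for pname, value in [("AUTHTYPE", auth_type),
                             ("AUTHNAME", username),
                             ("AUTHSECRET", password)]:
            ET.SubElement(auth, "parm", {"name": pname, "value": value})
    # ElementTree escapes &, <, > and quotes in attribute values, so
    # credentials containing those characters cannot break the markup.
    return ET.tostring(doc, encoding="unicode")


def check_provisioning_doc(xml_text):
    """Return a list of problems in a free-form OMA CP body (empty = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "wap-provisioningdoc":
        problems.append(
            f"root element is <{root.tag}>, expected <wap-provisioningdoc>")
    for parent in root.iter():
        for child in parent:
            if child.tag not in ALLOWED_TAGS:
                problems.append(f"unexpected element <{child.tag}>")
            elif child.tag == "characteristic" and not child.get("type"):
                problems.append("<characteristic> without a type attribute")
            elif child.tag == "parm":
                if not child.get("name"):
                    problems.append("<parm> without a name attribute")
                if parent.tag != "characteristic":
                    problems.append(
                        f"<parm name={child.get('name')!r}> outside a <characteristic>")
                if len(child):
                    problems.append("<parm> must be empty")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real carrier's settings.
    body = build_napdef_doc("Example GPRS", "internet.example", "user", "secret")
    print(body)
    print(check_provisioning_doc(body))
```

The AUTHSECRET value sits in the message body exactly as entered, so saved templates and sent messages should be handled as credential material.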
Summary
To conclude, then, Afaria offers a level of ‘granular’ control not available in any other product I have come across, on the widest range of client device platforms of any device management solution. The administration of all these features is correspondingly ‘involved’, but once you are familiar with how Session Manager worklists hang together the possibilities are virtually endless!
Addendum
For details on the new features available in version 6.5 of Afaria, read this article - http://blog.brightpointuk.co.uk/sybase-afaria-65