BigAdmin System Administration Portal
Feature Article

Sun Java Desktop System, Release 2: Simplified Desktop Management

By Dirk Grobler and Matt Ruetz

Introduction

The initial release of the Sun Java Desktop System gave users an affordable, secure, and simple-to-use desktop alternative. With Java Desktop System, Release 2, Sun introduces a comprehensive desktop, system administration tools, and an enterprise-ready support offering. The desktop components are based on open source and standards and include the GNOME desktop environment; StarOffice productivity suite; Mozilla browser; Evolution mail and calendar client; and Java 2 Platform, Standard Edition.

Most compelling for system administrators, the Java Desktop System includes server-side administration tools that allow centralized configuration, deployment, and administration of the user desktop environment. And this is at no additional cost.

The system management tools include:

  • Java Desktop System Configuration Manager -- A policy-based desktop configuration manager that defines user settings and provides the ability to lock down user desktop systems
  • Sun Control Station 2.1 Software -- A comprehensive toolset for centralized desktop deployment and management that is designed for performing remote desktop provisioning, management, and software updating
  • Remote Desktop Takeover -- A tool for remote administration, which allows the administrator to view and interact with the user's desktop display in order to guide the user and troubleshoot problems


Java Desktop System Configuration Manager

Overview

PC deployment and maintenance has always been a challenging task because of the number of deployed units and the complexity of the installed software. This holds true in both the Windows and the Linux worlds. Additional costs result from productivity lost through users corrupting their computer configurations or through increased complexity due to unnecessary functionality on users' desktops. Therefore, tooling to manage PC deployments is essential and should cover the whole life cycle.

The imaging side of the deployment is covered by a number of products or tools on the different platforms. To maintain and configure the user's desktop after initial deployment, limited toolsets are available. Microsoft is addressing this problem with Group Policy, which is a feature for central configuration management of Windows and Microsoft's point products like Microsoft Office or Microsoft Internet Explorer; it is based on the proprietary Microsoft Active Directory technology.

For Linux deployments, no equivalent technology is readily available to support administrators in centrally managing and maintaining large numbers of computer deployments. Therefore, administrators are forced to build their own solutions based on scripting and manipulation of various configuration files, which requires an in-depth knowledge of the system. Otherwise, they have to ignore the individual needs in their organization and provide just a few standard configuration profiles. The latter approach does not take into account different requirements in today's enterprises, such as:

  • Minimizing help-desk calls
  • Reducing complexity where appropriate
  • Providing customized environments independent of the location
  • Grouping of desktop customizations depending on organizational and task-oriented requirements

The Framework

The Java Desktop System, Release 2 addresses the need for central configuration management. This version concentrates on a number of enterprise features, including a configuration management component called Sun Java Desktop System Configuration Manager. The Configuration Manager offers an administrator the ability to define and lock configuration settings from a single point of control. Such definitions are called configuration policies. Configuration policies can be grouped and assigned to parts of the corporate user organization or to groups of desktop computers (hosts). A central repository, which must support the standard Lightweight Directory Access Protocol (LDAP), is used to store the configuration policy information. The Sun Java System Directory Server can be used, or any repository supporting this protocol, such as OpenLDAP or Active Directory.

The configuration framework consists of several components acting on different layers of the management stack. Figure 1 shows the general architecture of the solution.

Figure 1: Overview of Architecture

The left side of Figure 1 illustrates the desktop components involved in the configuration management. On top, you see the target applications, which are affected by configuration activities performed by the administrator. These are the point products of the Java Desktop System such as StarOffice software, Mozilla, Evolution, and the GNOME Desktop itself. In addition, any application using the GNOME Configuration (GConf) can also be addressed with the Desktop System Manager. Underneath, a management agent, called the configuration agent, controls the access and the transfer of configuration policies to the target applications. One agent per host is activated on demand. The agent retrieves all configuration policies defined for the current user and the host used. In order to minimize negative impact on the desktop's startup performance, the agent caches previously requested configuration policies locally and retrieves only outdated configuration policies from the central repository.

The Desktop Configuration Manager and its environment are shown on the right side of Figure 1. The application is embedded as a web application within the Sun Web Console, which itself is running within a web server.

Figure 2 shows the main page of the Sun Web Console, which offers the administrator a selection of installed and granted management applications.

Figure 2: Sun Web Console

Under the section "Desktop Applications," the authorized administrator can access the Configuration Manager. The Configuration Manager itself is divided into two panes. The left pane allows you to navigate to Managed Entities. The category for these can be either "user" (for organizations and roles, for example) or "host," which contains the managed hosts (the desktop computers) and their groupings, such as domains. Selecting the managed entity activates the right pane of the management application. This pane allows you to define and enforce configuration policies on behalf of a managed entity. Figure 3 shows the general layout of the management application.

Figure 3: Desktop Configuration Manager

The Mechanics

The main goal of desktop configuration management is to provide an environment for the user that meets the needs of both the company and the user. Company requirements relate to security and costs (for example, minimizing help desk calls), whereas user needs include reduced complexity and customization. Desktop System Management offers three ways to address these needs:

  • Host-based configuration: Administrators are able to define the default desktop environment for specific hosts. To reduce the work required for administration, they can group hosts and assign configuration settings to those groups, which are then applied to all group members. The level of grouping is not limited and can be adjusted to the needs of the enterprise. Host-based configuration policies are applied when first requested by an application, which may already happen at system startup.

  • User-based configuration: Typically, an enterprise applies an organizational structure to its managed user base. Examples of those organizational structures are departments, business units, or user roles. An LDAP directory is the standard repository to manage those structures in the enterprise and to store relevant information assigned to those managed entities. The Desktop Configuration Manager makes use of these managed entities. A user that is part of an organizational unit or is assigned to a certain role inherits any configuration policy defined for higher-level managed entities. Configuration policies are effectively applied when users start their desktop sessions or when they start managed applications. The host in use is irrelevant in this context: user-based configuration policies are always applied independently of host and location.

  • Profile-based configuration: A profile within Desktop System Manager, also called a configuration policy group, is a way to reflect specific types of users, such as novice or advanced users. A novice user might have a reduced, less complex desktop environment with fewer menu entries and restricted access to applications, while an advanced user would require a more complex environment. Desktop System Manager allows you to define those configuration policy groups and to assign them to any managed entity, for example, to users.

Figure 4 illustrates how these configuration alternatives are applied when a user starts a desktop session or starts an application that is managed by Desktop Configuration Manager. At the top of the illustration you see the globally available Configuration Policy Repository. This repository can be used to create configuration policy groups, which can then be linked to any managed entity within either category (hosts or users).

Figure 4: Configuration Policy Processing

The processing of configuration policies follows a predefined order. Host-based configuration policies are applied first. They override existing default configuration settings on the local host. Thereafter the user-based configuration policies are processed. Within the host or the user hierarchy, the position of the host or the user, respectively, determines the selection and the processing order of configuration policies. The configuration policies defined for a managed entity and for its ancestors in the hierarchy are selected and ordered by their position, where a parent always precedes its children.

Figure 4 illustrates the overall processing order. A colored rectangle represents a managed entity associated with a configuration policy, and the sequence of processing is reflected by the associated numbers. In the given example, the system processes the host top-level configuration policy first, and the configuration policy group assigned to the managed entity representing the user is processed last. Any user-defined settings are applied thereafter in the merging process. This order ensures that configuration policies are able to overrule or block local user settings.

In addition, an administrator can decide to protect a configuration setting within a configuration policy. The protection blocks further overwriting of a configuration setting with the consequence that the configuration setting becomes mandatory for a user and cannot be changed. This leads to more control for the administrators of the desktop and lower probability that users could "mess up" their desktop environment.
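The processing order and the protection rule described above, as an added example in Python that is not code from the article or from the Configuration Manager itself. It models host-hierarchy policies first, then user-hierarchy policies, then the assigned configuration policy group, then the user's own settings, and treats a protected setting as blocking every later overwrite; the entity names, setting keys and values are constructed for illustration.

```python
# Added example: a model of configuration policy processing (not the
# Configuration Manager's own code). Names and values are constructed.
from dataclasses import dataclass, field


@dataclass
class Entity:
    """A managed entity (host or user) with an optional parent.
    policy maps a setting key to a (value, protected) pair."""
    name: str
    parent: "Entity | None" = None
    policy: dict = field(default_factory=dict)


def chain(entity):
    """Ancestors first, the entity itself last: a parent precedes its children."""
    nodes = []
    while entity is not None:
        nodes.append(entity)
        entity = entity.parent
    return list(reversed(nodes))


def merge(layers, local_settings):
    """Apply policy layers in order; a protected key blocks later overwrites.
    Returns (effective settings, keys that are mandatory for the user)."""
    effective, locked = {}, set()
    for policy in layers:
        for key, (value, protected) in policy.items():
            if key in locked:
                continue  # already mandatory: later layers cannot change it
            effective[key] = value
            if protected:
                locked.add(key)
    for key, value in local_settings.items():
        if key not in locked:  # user settings merge last and may be blocked
            effective[key] = value
    return effective, locked


def resolve(host, user, profile, local_settings):
    """Host hierarchy, then user hierarchy, then the configuration policy
    group (profile), then the user's own settings."""
    layers = [e.policy for e in chain(host)] + [e.policy for e in chain(user)]
    return merge(layers + [profile], local_settings)


# Constructed sample hierarchy: a host domain with one host, an organization
# with one user, and a "novice" policy group assigned to that user.
domain = Entity("example.com", policy={"macro_security": ("high", True),
                                       "theme": ("corporate", False)})
lab_host = Entity("lab-pc-07", domain, {"theme": ("lab", False)})
org = Entity("Engineering", policy={"javascript_enabled": (False, False),
                                    "theme": ("eng", False)})
alice = Entity("alice", org, {"javascript_enabled": (True, False)})
novice_profile = {"menu_mode": ("reduced", True)}

if __name__ == "__main__":
    local = {"theme": "dark", "macro_security": "low", "menu_mode": "full"}
    print(resolve(lab_host, alice, novice_profile, local))
```

In the sample run the user keeps the "dark" theme but cannot lower macro_security or restore the full menu, because those settings were protected at the domain and profile level respectively.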

The Field of Application

In its initial version, the Configuration Manager offers a variety of options for the administrator to take over control of user desktops. About 900 configuration settings are exposed to the administrator, covering the desktop and all point products. The number of settings, combined with effective tooling, supports the administrator in a variety of cases, as explained here.

  • Central control of desktop configurations: The Web Console and the included Configuration Manager can be accessed within the intranet or Internet in a secure manner. Support of pluggable authentication and authorization through the Java Authentication and Authorization Service (JAAS), as well as delegated administration, offers flexibility in the enterprise. The Configuration Manager exposes features to the administrator to specify and monitor configuration policies and their application. Reporting, backup, and restore through the import and export of configuration policies are among the features that assist the administrator in preparation and maintenance of the user desktop environment.

  • Configuration per user versus configuration per host: In contrast to most imaging and configuration tools available for UNIX platforms, the Configuration Manager allows an administrator to associate configuration information with both users and hosts. In particular, user-based configuration helps to make users independent of their current hardware and location. They can move to different hardware and still find their familiar environment without requiring extra administration. On systems such as the Sun Ray ultra-thin client, where hardware plays its role in the background, this is very helpful and can reduce the amount of administration significantly. Other examples are mobile users who are not tied to a location, but are still able to receive their standard environment as soon as they are connected to the intranet.

  • Grouping of configuration policies: The Configuration Manager provides several mechanisms to group and structure configurations in order to reduce the overall amount of administration costs, while retaining the full flexibility an administrator needs. Standard desktop environments can be created for the entire company and further customized for individual organizations, up to user roles or a single user. Desktop Configuration Management utilizes the given LDAP user directory and incorporates user desktop information into this structure. The hierarchical nature of the directory is used to inherit and merge configuration settings up to the user, on whose behalf this information is finally applied during desktop login or at application launch.

  • Lockdown of the user desktop: In the context of configuration management, lockdown plays a significant role, as it prevents users from changing their default environment and helps administrators provide and mandate simpler desktop environments, which in turn can help prevent users from being distracted from their core work. In the competition with other desktop systems, lockdown plays an important role.

    The Configuration Manager controls a variety of lockdown features of the Desktop. In general, each setting exposed to the Configuration Manager can be enforced on behalf of the user. This prevents users from making mistakes in configuring their desktop environments. In addition, the administrator is able to control which applications can be launched by a user, which functionality is visible to the user, and which parts of the file system are accessible. These are only a few examples of the rich lockdown capabilities offered to the desktop administrator.

  • Consistent configuration: The ability to ensure a consistent environment is key in a variety of use cases. For example, an administrator needs to control security-critical functionality in a consistent and efficient manner. In the desktop context, one example would be the execution of document macros or use of JavaScript technology in web content. Utilizing the Configuration Manager, the administrator is able to set, publish, and enforce those settings globally or in a smaller context if needed. The desktop machines will then pick up the newly defined settings within a given refresh interval and apply them on the running desktop or the target application. A restart of the desktop is not required.


Sun Control Station 2.1 Software

Sun Control Station (SCS) 2.1 software constitutes a comprehensive toolset for centralized desktop deployment and management; it is designed for remote desktop provisioning, management, and software updating. The interface also performs dependency checking, health monitoring, and asset management (see Figure 5). Some of the features include:

  • Installing new RPM packages by pushing them from the SCS server to remote desktops
  • Monitoring the health of remote desktops
  • Tracking performance of remote desktops
  • Listing inventory of systems managed by SCS
  • Imaging of systems with the "AllStart" module

Figure 5: Sun Control Station


Remote Desktop Takeover

The Java Desktop System allows for remote viewing of the current desktop session, which is also known as "session sharing." This functionality is useful for help desks for remote diagnosis and training purposes.

This feature is built on the open source standard protocol Virtual Network Computing (VNC). VNC clients are supported on all major operating systems.

The remote desktop allows for full control of the session by means of the following preference settings:

  • "Allow other users to view your desktop" -- This enables remote users to view your session, but all remote input events (such as keyboard, pointer, or clipboard) are ignored.

  • "Allow other users to control your desktop" -- This enables remote user events to control the session.

  • "Users can view your desktop at this web address" -- This displays a URL for people to view your desktop in a Java technology-enabled browser (in case they do not have a VNC client installed).

  • "When a user tries to view or control your desktop" -- This preference has three items to set security on session sharing:

    • "Ask you for confirmation" -- In this case, the local user confirms any remote connection attempts.
    • "Ensure the user is using encryption" -- This forces remote users to enable encryption to prevent eavesdropping.
    • "Require the user to enter this password" -- This forces the remote user to log in with a password, configured on the same screen.

