I see the following case at a couple of our customers:
An employee calls the ServiceDesk and needs local administrative rights on his device for "reasons". Often the ServiceDesk employee doesn't have the rights to grant the user specific rights, and even if the ServiceDesk employee has the rights, it could happen that this change is never undone. By this the local administrative rights spread across the company. Of course, with BCM we are able to identify local administrative accounts or accounts which are members of the local administrator groups.
Since the number of mobile workers is getting bigger and bigger, the customers need a solution which will also work if the device is not connected via VPN or is not able to process the group policies.
At the moment I am working on an extension for BCM with which BCM is able to create a user account and add it to the local administrator group (any group, but the local administrator group is the original idea) with a random password which will be stored encrypted in the custom inventory. In addition to this there will be a small program where you can paste the encrypted value to decrypt it.
By this mechanism a service desk employee is able to create a local admin account, with a random password, on any device where the BCM agent is installed and give it to a non-IT employee. As soon as the operational rule is re-run, a new password is generated and stored in the custom inventory. The old password which was given to the non-IT employee is now useless.
This could now be combined with the scheduling options for operational rules. As an example, the OR could be run on startup, every day or every week, depending on the needs of each customer.
Another option would be to deploy the emergency admin operational rule to all Windows client devices and store the encrypted password in BCM in advance. By this, whenever a user needs this sort of emergency access on his device, there won't be any waiting between OR assignment and custom inventory update.
And since BMC added the inventory to the web console, the service desk employee only needs access to the web console and, maybe more important, a second small program to encrypt the password. Or if you are using additional products like FPSC, CMDB and so on, you could easily import the data directly into them, and by this the service desk employee doesn't even need to have access to the BCM web console.
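To make the mechanism described above concrete, here is an added PowerShell example of the client-side part (it is not the author's BCM extension and not BMC code). It creates or rotates the emergency local admin account with a random password, makes sure it is a member of the local Administrators group, and writes the password out encrypted as a CMS message to a public certificate, so only whoever holds the matching private key (the service desk) can decrypt it. The account name, certificate path and output path are assumptions, and pushing the encrypted value into the BCM custom inventory is left to the operational rule and not shown.

```powershell
# Added example, not the author's BCM extension: rotate an emergency local
# admin account and emit its password CMS-encrypted to a certificate whose
# private key only the service desk holds. Account name, certificate path
# and output path are assumptions; how the value gets into the BCM custom
# inventory is up to the operational rule and not shown here.
#Requires -RunAsAdministrator
param(
    [string]$AccountName = 'EmergencyAdmin',                         # assumed name
    [string]$GroupName   = 'Administrators',                         # target local group
    [string]$CertPath    = 'C:\ProgramData\BCM\emergency-admin.cer', # assumed public cert
    [string]$OutputPath  = 'C:\ProgramData\BCM\emergency-admin.cms', # assumed output
    [int]$PasswordLength = 24
)

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-character alphabet (ambiguous glyphs removed) so "byte mod 64" is unbiased.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+=?@$'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Set-EmergencyAdmin {
    param([string]$Name, [string]$Group, [string]$PlainPassword)
    $secure = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        # Re-running the rule resets the password; the one handed out earlier stops working.
        Set-LocalUser -Name $Name -Password $secure -PasswordNeverExpires $true
        Enable-LocalUser -Name $Name
    } else {
        New-LocalUser -Name $Name -Password $secure -PasswordNeverExpires `
            -Description 'Emergency local admin, password managed by operational rule' | Out-Null
    }
    # Add to the local group only if not already a member (members show as COMPUTER\name).
    $member = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
              Where-Object { $_.Name -eq "$env:COMPUTERNAME\$Name" }
    if (-not $member) { Add-LocalGroupMember -Group $Group -Member $Name }
}

function Protect-Password {
    param([string]$PlainPassword, [string]$CertificatePath)
    # CMS envelope to the public certificate. The certificate needs the
    # Document Encryption EKU (1.3.6.1.4.1.311.80.1); the private key never
    # touches the client, so a stolen inventory export alone is not enough
    # to recover the password.
    Protect-CmsMessage -To $CertificatePath -Content $PlainPassword
}

$password = New-RandomPassword -Length $PasswordLength
Set-EmergencyAdmin -Name $AccountName -Group $GroupName -PlainPassword $password
$blob = Protect-Password -PlainPassword $password -CertificatePath $CertPath
$password = $null   # drop the clear text as soon as it is no longer needed; never log it
# The operational rule reads this file into the custom inventory (assumed).
Set-Content -Path $OutputPath -Value $blob -Encoding ASCII
Write-Output "Emergency admin '$AccountName' rotated; encrypted password written to $OutputPath"
```

On the service desk side, the matching "small program" is just `Unprotect-CmsMessage -Content (Get-Content <file> -Raw)` run on a machine where the certificate with its private key is installed; without that key the value in the inventory stays opaque. Using a certificate rather than a shared secret baked into the agent is a deliberate choice: the clients only ever carry the public part, and the operational rule can be re-run on any schedule to invalidate a password that was handed out, which is exactly the rotation behaviour the post relies on.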
Screenshot from the web console:
Screenshot java console:
Screenshot password decryption interface:
Normally, if we create extensions for BMC Client Management we only offer them to our customers in Germany, but in this special case I thought there may be some BCM customers who have the exact same requirement. If this is the case for your environment, just leave a comment in this discussion and I will keep it up-to-date once we have a final release.
Required BCM licenses: Inventory & Deploy