Security and Privacy for Asset Intelligence in Configuration Manager
Updated: May 14, 2015
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.
This topic contains security and privacy information for Asset Intelligence in Configuration Manager.
Security Best Practices for Asset Intelligence
Use the following security best practices for when you use Asset Intelligence.
Security best practice
When you import a license file (Microsoft Volume Licensing file or a General License Statement file), secure the file and communication channel.
Use NTFS file system permissions to ensure that only authorized users can access the license files and use Server Message Block (SMB) signing to ensure the integrity of the data when it is transferred to the site server during the import process.
Use the principle of least permissions to import the license files.
Use role-based administration to grant the Manage Asset Intelligence permission to the administrative user who imports license files. The built-in role of Asset Manager includes this permission.
Privacy Information for Asset Intelligence
Asset Intelligence extends the inventory capabilities of Configuration Manager to provide a higher level of asset visibility in the enterprise. Asset Intelligence information collection is not automatically enabled. You can modify the type of information collected by enabling hardware inventory reporting classes. For more information, see Enable Asset Intelligence Hardware Inventory Reporting Classes.
Asset Intelligence information is stored in the Configuration Manager database in the same manner as inventory information. When clients connect to management points by using HTTPS, the data is always encrypted during transfer to the management point. When clients connect by using HTTP, you can configure the inventory data transfer to be signed and encrypted. Inventory data is not stored in encrypted format in the database. Information is retained in the database, until the site maintenance task Delete Aged Inventory History deletes it in intervals of every 90 days. You can configure the deletion interval.
Asset Intelligence does not send information about users and computers or license usage to Microsoft. You can choose to send System Center Online requests for categorization, which means that you can tag one or more software titles that are uncategorized and send them to System Center Online for research and categorization. After a software title is uploaded, Microsoft researchers identify, categorize, and then make that knowledge available to all customers who use the on-line service. You should be aware of the following privacy implications of submitting information to System Center Online:
Upload applies only to generic software title information (name, publisher, and so on) that you choose to send to System Center Online. Inventory information is not sent with an upload.
Upload never occurs automatically, and the system is not designed for this task to be automated. You must manually select and approve the upload of each software title.
A dialog box shows you exactly what data is going to be uploaded, before the upload process starts.
License information is not sent to Microsoft. The license information is stored in a separate area of the Configuration Manager database, and it cannot be sent to Microsoft.
Any software title that is uploaded becomes public, in the sense that the knowledge of that given application and its categorization become part of the System Center Online Asset Intelligence catalog, and then is downloaded to other consumers of the catalog.
The source of the software title is not recorded in the Asset Intelligence catalog, and it is not made available to other customers. However, you must still verify that you do not load any application titles that contain any private information.
Uploaded data cannot be recalled.
Before you configure Asset Intelligence data collection and decide whether to submit information to System Center Online, consider the privacy requirements of your organization.