There are two types of tenants in Movere: Customer and Partner. The tenant your user account is a member of controls what you can see and do, with the two key differences being access to data and the ability to upload data.
Members of a customer tenant can only access that tenant. Members of a partner tenant can access every customer tenant they have been granted permission to, but only users in a customer tenant can upload data to Movere.
Movere uses SMS-based two-factor authentication. As part of the registration process you will be asked for a phone number at which you can be reached. Some mobile providers block SMS text messages from overseas numbers by default. If you are not receiving SMS text messages from Movere, contact your provider and have them whitelist our number on your account.
Our SMS text number is: +1 206 900 8003
Data presented on the Movere website can only be gathered using the Movere Console (“Console”), which is unique to each customer. While any user can download the ~2MB Movere Installer, only customer tenant user(s) with a ‘Write’ claim can install the complete set of Movere binaries and security tokens required to upload data.
The Movere Installer “Installer” can be downloaded by clicking on the Console icon on the Movere website:
This will download a ~2MB executable titled ‘Movere.Installer.exe’. While the Installer can be downloaded by any user with a valid Movere login (customer or partner), the Console itself can only be installed by a customer tenant user with a ‘Write’ claim within the Movere tenant it was downloaded from:
Once downloaded, copy the Installer to the Windows device(s) you want to run the Console from.
We recommend creating a dedicated service account for Movere to use AND using that account to log into the Windows device(s) the Console will be installed on, as the permissions required to open the Console will be set automatically as part of the installation process.
IMPORTANT: The account used to run the Movere Console must be a local admin on both the device(s) the Console is installed on AND the Windows device(s) Movere will be scanning. If you use the Movere credential mapper to add multiple sets of Windows credentials for scanning, make sure each set of credentials has full access to the folder housing the Console binaries.
Minimum System Requirements
Minimum system requirements for running the Console include:
- Operating System: 64-bit Windows Server 2008 R2 SP1 (or above)
- .NET Framework: 4.7.2 (or above)
To check, run the following command in a Command Prompt opened as Administrator: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Version (a Version of 4.7.03062 or higher, or a Release value of 461808 or higher under the same key, indicates 4.7.2 or later)
- Memory: Minimum 8 GB RAM
- Storage: Minimum 1 GB free space
If all Movere payloads are to be uploaded to the cloud via the Console device, then we recommend leveraging SSD storage.
- TLS 1.2 support. If you are running the Console on a version of Windows prior to Windows 10 or Server 2016, then TLS 1.2 may not be enabled. Please use one of the following guides on how to enable it:
- TCP port 443 outbound (external) and inbound (internal); refer to the ports section below for further details
IMPORTANT: Only one copy of the Console can be installed and run per Windows device. The device must have TCP port 443 open, and not in use. During deployment, the Console installs a certificate that is bound to port 443. If this port is already in use, or has a certificate tied to it, Movere will not install or run. We do not recommend running the Console on a device that acts as a web (IIS) server or a similar role.
The full list of minimum Movere requirements can be found here.
URLs & IP Addresses
There are two IP addresses to whitelist, depending on the region your Movere tenant resides in; the full list across all regions can be accessed here. Some security products can only whitelist URLs rather than IP addresses. Several services are required to run Movere, including user authentication, tenant emulation and uploading, so if you can only whitelist by URL then all nine region-specific URLs must be whitelisted.
Here is a quick test that can be performed to confirm connectivity to Movere. Open a browser and navigate to: https://geo.movere.io/ip. If you see an IP address, you can connect to Movere:
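The following pre-flight script is an added example written for this page; it is not part of the Movere installer or documentation. Run it from an elevated Windows PowerShell (3.0 or later) prompt on the intended Console host. It checks the requirements listed above and performs the geo.movere.io/ip connectivity test: OS architecture and memory, the .NET Framework Release value (461808 is the lowest value meaning 4.7.2), free disk, the .NET strong-crypto switch Microsoft recommends for TLS 1.2 on builds older than Windows 10 / Server 2016, whether anything already listens on TCP 443 or has a certificate bound to it in HTTP.SYS, and whether https://geo.movere.io/ip returns an IP address. All registry paths and commands are standard Windows locations; nothing Movere-internal is assumed.

```powershell
# Added pre-flight check for a prospective Movere Console host (example code, not Movere's).
# Run from an elevated Windows PowerShell 3.0+ prompt. Exits with code 1 if any check fails.
$ErrorActionPreference = 'Stop'
$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. 64-bit Windows with at least 8 GB RAM (TotalVisibleMemorySize is reported in KB)
$os = Get-WmiObject -Class Win32_OperatingSystem
Add-Result '64-bit Windows' ($os.OSArchitecture -like '64*') "$($os.Caption) ($($os.OSArchitecture))"
$ramGb = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
Add-Result 'RAM >= 8 GB' ($ramGb -ge 8) "$ramGb GB"

# 2. .NET Framework 4.7.2 or later. The Release DWORD is the reliable indicator; 461808 = 4.7.2.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Result '.NET Framework >= 4.7.2' ([int]$ndp.Release -ge 461808) "Version=$($ndp.Version) Release=$($ndp.Release)"

# 3. At least 1 GB free on the system drive
$sys = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGb = [math]::Round($sys.FreeSpace / 1GB, 1)
Add-Result 'Free disk >= 1 GB' ($freeGb -ge 1) "$freeGb GB free on $env:SystemDrive"

# 4. TLS 1.2 for .NET clients. Windows 10 / Server 2016 and later negotiate it by default; on older
#    builds Microsoft recommends SchUseStrongCrypto=1 (64-bit and 32-bit views) so .NET offers TLS 1.2.
$win10 = [Environment]::OSVersion.Version -ge [version]'10.0'
$strong = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') |
    ForEach-Object { (Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue).SchUseStrongCrypto }
$tls12 = $win10 -or (@($strong | Where-Object { $_ -eq 1 }).Count -eq 2)
Add-Result 'TLS 1.2 available to .NET' $tls12 "OS $([Environment]::OSVersion.Version); SchUseStrongCrypto=$($strong -join ',')"

# 5. TCP 443 must be free: no existing listener and no HTTP.SYS certificate binding on 0.0.0.0:443
$listening = netstat -ano -p tcp | Select-String -Pattern '^\s*TCP\s+\S+:443\s+\S+\s+LISTENING'
Add-Result 'No listener on TCP 443' (-not $listening) $(if ($listening) { ($listening -join '; ') } else { 'port free' })
$sslcert = netsh http show sslcert ipport=0.0.0.0:443 2>&1 | Out-String
$bound = $sslcert -match 'Certificate Hash'
Add-Result 'No certificate bound to 0.0.0.0:443' (-not $bound) $(if ($bound) { 'existing HTTP.SYS binding' } else { 'no binding' })

# 6. The connectivity test from the guide: https://geo.movere.io/ip should return an IP address
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    $ip = (Invoke-WebRequest -Uri 'https://geo.movere.io/ip' -UseBasicParsing -TimeoutSec 15).Content.Trim()
    Add-Result 'Reach geo.movere.io/ip on TCP 443' ($ip -match '^\d{1,3}(\.\d{1,3}){3}$') $ip
} catch {
    Add-Result 'Reach geo.movere.io/ip on TCP 443' $false $_.Exception.Message
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

The TLS check is a heuristic: on .NET 4.7 and later the framework can also defer to the operating system's defaults, so a "fail" on an older build means "review your TLS configuration", not that TLS 1.2 is certainly unavailable. The listener and HTTP.SYS checks, on the other hand, are exactly the conditions under which the guide says the Console will not install or run.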
Some anti-virus products will block all newly installed executables by default. If applicable, the following executables should be white listed on all Windows devices:
Default installation location: c:\Windows\Temp\
The following executables only need to be white listed on the Console device(s):
To begin the installation, right click on the installer and select ‘Run as administrator’:
On the ‘Notice and Acceptance’ popup you will find links to the terms and conditions governing the use of Movere. Once these items have been reviewed and approved check the ‘I Accept’ checkbox to proceed. The ‘OK’ button will remain greyed out until the ‘I Accept’ box has been checked:
If your username and password are valid and TCP port 443 outbound is available, then you will see a ‘Logon Successful’ message after clicking on the Authenticate button (refer below):
The installation path defaults to the Documents folder in the user’s profile, but this location can be configured as required e.g. c:\Movere\Console. The user permissions required to run the Console will be set automatically on the selected destination directory. Once the installation has been completed, Movere will confirm that the certificate created during the installation process has been successfully installed:
Opening the Console for the first time will prompt the user for a Magic Word:
This prompt will appear each time the Console is opened until at least one set of credentials (Windows, SQL, Linux, etc.) has been added to the Console via the ‘Manage Credentials’ tab. Once one or more credentials are saved, the user will be prompted for their chosen Magic Word from then on.
The Magic Word is not stored on disk nor in the cloud and therefore cannot be reset or recovered. It can be the same or unique to each copy of the Console you choose to deploy in your environment; but it must be at least 12 characters long and include the following characteristics:
- One upper case letter,
- One number; and
- One special character.
IMPORTANT: If you forget the Magic Word after saving credentials in the Console, then you will need to uninstall then reinstall the Console to regain access. You can then reenter any credentials previously added.
Credentials and Propagation
The Console will only function correctly if run by personnel with local admin access to the Windows device(s) the Console is installed on and to the Windows device(s) to be scanned. Domain Administrators have these permissions by default, but for security reasons Movere refuses to propagate credentials with Domain Admin privilege to the Movere Bots (“Bots”). Domain Admin credentials can therefore be used to run the Console and scan Windows devices, but they will not be sent to the Bots to collect secondary data (e.g. from SQL Server). The only way Domain Admin credentials can be used to collect SQL Server data is through impersonation, which works when the Bot runs as a local process using the ‘Local Scan’ scanning method AND the Domain Admin account holds the required SQL permissions.
Instead of a Domain Admin account, we recommend creating a dedicated service account, e.g. ‘movere_svc’, that has local admin access to each Windows device but is not a member of the Domain Admins group, and using it to scan environments on an ongoing basis. This avoids account lockouts when a user’s password is reset and allows credential propagation when Movere runs with its preferred scanning method set to ‘All available’ (the default).
SQL access can be granted in several ways, and even when roles and mappings are set to the lowest level possible, the login itself can still be denied on a specific SQL Server, so check every item. The items listed below are the lowest level of access the Movere service account requires to gather the data it needs from a SQL Server:
- Server Role: public
- User Mapping: master (db_datareader); and msdb (db_datareader)
- Securables: Connect SQL, View server state; and View any definition
- Status: Grant: Permission to connect to database engine; and Enable: Login
- Secondary SQL access: Querying SQL databases housing data from sources such as SCCM, SharePoint, vCenter, VMM etc. requires db_datareader to each of the specific database(s)
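The following script is an added example, not Movere's tooling, that applies the minimum access listed above to a SQL Server instance and then verifies it from the service account's own point of view by impersonating the login. It assumes Windows authentication, sqlcmd.exe on the PATH, and that you run it as a SQL sysadmin; the instance name SQL01\PROD, the account CONTOSO\movere_svc and the secondary database CM_P01 are placeholders. The server role ‘public’ needs no action because every login holds it.

```powershell
# Added example (not Movere's): grant the Movere service account the minimum SQL Server
# access listed above, then verify it. Assumes Windows authentication and sqlcmd.exe on PATH.
param(
    [string]$SqlInstance          = 'SQL01\PROD',          # hypothetical instance name
    [string]$ServiceAccount       = 'CONTOSO\movere_svc',  # the dedicated account recommended above
    [string[]]$SecondaryDatabases = @('CM_P01')            # e.g. an SCCM site database (hypothetical name)
)
$ErrorActionPreference = 'Stop'

# The names are spliced into T-SQL below, so restrict them to a safe character set first.
foreach ($n in @($ServiceAccount) + $SecondaryDatabases) {
    if ($n -notmatch '^[A-Za-z0-9_.\\$ -]+$') { throw "Unexpected characters in name: $n" }
}

# Server level: the login (server role 'public' is implicit), the three securables, and the status items
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
GRANT CONNECT SQL         TO [$ServiceAccount];   -- Status: permission to connect to the engine
GRANT VIEW SERVER STATE   TO [$ServiceAccount];
GRANT VIEW ANY DEFINITION TO [$ServiceAccount];
ALTER LOGIN [$ServiceAccount] ENABLE;              -- Status: login enabled
GO
"@

# Database level: db_datareader in master and msdb, plus each secondary database (SCCM, SharePoint, ...)
foreach ($db in @('master', 'msdb') + $SecondaryDatabases) {
    $tsql += @"
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$ServiceAccount')
    CREATE USER [$ServiceAccount] FOR LOGIN [$ServiceAccount];
ALTER ROLE db_datareader ADD MEMBER [$ServiceAccount];   -- SQL 2012+; use sp_addrolemember on older versions
GO
"@
}

$file = Join-Path $env:TEMP 'movere_sql_grants.sql'
Set-Content -LiteralPath $file -Value $tsql -Encoding UTF8
& sqlcmd -S $SqlInstance -E -b -i $file          # -b: stop and return a non-zero exit code on error
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item -LiteralPath $file

# Verification: impersonate the login and list the server permissions it actually holds.
$verify = (@"
SET NOCOUNT ON;
EXECUTE AS LOGIN = N'$ServiceAccount';
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER')
WHERE permission_name IN ('CONNECT SQL', 'VIEW SERVER STATE', 'VIEW ANY DEFINITION');
REVERT;
"@) -replace '\r?\n', ' '
$granted = @(& sqlcmd -S $SqlInstance -E -b -h -1 -W -Q $verify | Where-Object { $_ -match '\S' })
if ($LASTEXITCODE -ne 0 -or $granted.Count -ne 3) {
    throw "Expected 3 server permissions for $ServiceAccount, got: $($granted -join ', ')"
}
Write-Host "Server permissions verified for ${ServiceAccount}: $($granted -join ', ')"
```

If the verification reports fewer than three permissions even though the grants succeeded, look for an explicit DENY on the login or on a Windows group it belongs to; DENY always wins over GRANT, which is the situation the paragraph above warns about.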
The account Movere uses to scan Linux device(s) requires SSH access and a local home directory. Home directories housed on a distributed filesystem (e.g. NFS storage mounted on multiple systems) are not supported.
IMPORTANT: Movere can scan a Linux device without ‘root’ or a superuser account by setting the ‘LinuxSkipSudo’ flag in ‘Movere.Service.exe.config’ to “true”. The config file is located in the directory where the Console is installed. While superuser access is NOT required, scanning a Linux device on which a Movere instance is already running will fail with a non-superuser account, because that account cannot terminate the existing Movere process.
While many customers create individual service accounts for each of these roles (Windows, SQL, Linux) all three can be combined into a single account, if domain-based credentials can be used to authenticate into your Linux systems.
Movere can scan the following operating systems:
- Workstation(s): Windows 2000 Pro (and above)
- Server(s): Windows 2000 Server (and above)
- Linux Device(s): for supported distributions refer here.
IMPORTANT: Movere can both inventory Windows devices and collect Actual Resource Consumption (ARC) data from them. Inventory data can be collected remotely via WMI or locally using the .NET 2.0 (or higher) Framework, but ARC data can ONLY be collected from Windows devices with the .NET 3.5 (or higher) Framework installed. Remote WMI is NOT supported for capturing ARC data.
Windows device(s) running the Console:
- Inbound: Internal TCP 443 (HTTPS over TLS)
  - Traffic from the endpoint(s) being scanned back to the Console (internal use only)
- Outbound: Internal TCP 389 (LDAP) & TCP 3268 (AD Global Catalog); External TCP 443
  - External 443 is used by the Console for authentication, token download from Movere and payload upload
Windows device(s) being scanned:
- Inbound: Internal TCP 445 (SMB/Windows file sharing), TCP 135 (RPC), TCP 139 (NetBIOS) & TCP 49152 through 65535 (the dynamic port range, required to run Bots as a process rather than a service)
- Outbound: External TCP 443 (optional, for direct upload to the cloud from the endpoint being scanned)
  - Benefit: direct upload to the cloud minimises internal network traffic
IMPORTANT: One way to confirm if the ports required to scan Windows devices are open is by running a test scan against a sample of servers and workstations and looking for 5 key messages:
- Public IP: 126.96.36.199 … When your IP address is visible, the Console can reach Movere’s APIs on TCP port 443. If no IP address is visible, uploading to Movere will not be possible. From a network connection perspective this appears as a local connection from a dynamic port (49152 through 65535) to a Movere API address and port, e.g. 188.8.131.52:443 for West US.
- Launching bot PROJSVR.IO.PRIV … The Console is copying the Bots to the targeted endpoint(s), in this case ‘PROJSVR.IO.PRIV’. From a network connection perspective this appears as a local connection from a dynamic port (49152 through 65535) to the targeted endpoint with the label ‘microsoft-ds’ aka Microsoft Directory Services. On the targeted endpoint you will see ports 135, 445, a dynamic port and 443 connection to the Console.
- Service success PROJSVR.IO.PRIV … The Console has delivered the Bots to the targeted device and has successfully launched the FrameworkVerifier to start the scan. If the Bots run as a process (Local Scan) versus a service (default), then this message will not appear, and the dynamic port range (49152 through 65535) must be permitted inbound on the targeted endpoint(s) to allow the process to start.
- Local scan started PROJSVR.IO.PRIV … If the targeted device can establish a secure connection back to the Console on TCP port 443 then a message is sent confirming that the scan has started.
- Cloud upload success PROJSVR.IO.PRIV … When the targeted device can reach Movere’s APIs on TCP port 443 then you will see this connection on the endpoint coupled with a “Cloud Upload Success” message. If the device cannot reach Movere’s APIs directly then the payload will be sent to the Console via port 443 internal for the Console to upload to Movere’s APIs.
Linux device(s), ESXi host(s), vCenter appliance(s), XenServer host(s):
- Inbound: Internal TCP 22 (Secure Shell SSH Protocol)
- Outbound: External TCP 443 (optional for direct upload to cloud from endpoint)
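The following script is an added example, not Movere's tooling, that probes the ports listed above from the Console host: 135/139/445 to each Windows target, 22 to each SSH-based target, 389/3268 to a domain controller, and the Console's own 443 listener. It uses a raw TCP connect with a timeout rather than Test-NetConnection so it also works on Server 2008 R2 / 2012. PROJSVR.IO.PRIV is the device name from the scan log excerpt above; the other host names are placeholders.

```powershell
# Added example (not Movere's): TCP reachability check for the ports in the tables above,
# run from the Console host. Host names are placeholders.
$targets = @(
    [pscustomobject]@{ Name = 'PROJSVR.IO.PRIV'; Kind = 'Windows' },  # name from the scan log example above
    [pscustomobject]@{ Name = 'linux01.io.priv'; Kind = 'Linux'   },  # hypothetical
    [pscustomobject]@{ Name = 'esx01.io.priv';   Kind = 'Linux'   }   # ESXi/vCenter/XenServer are scanned over SSH too
)
$domainController = 'dc01.io.priv'   # hypothetical; LDAP 389 and Global Catalog 3268
$consoleFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$portsByKind = @{
    Windows = @(135, 139, 445)   # RPC, NetBIOS, SMB: Bots are copied over SMB and started via RPC
    Linux   = @(22)              # SSH
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout usually means a firewall is dropping the SYN
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on RST (port closed) or on a name resolution failure
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$report = @(foreach ($t in $targets) {
    foreach ($p in $portsByKind[$t.Kind]) {
        [pscustomobject]@{ Target = $t.Name; Kind = $t.Kind; Port = $p; Open = (Test-TcpPort $t.Name $p) }
    }
})
# Outbound from the Console to Active Directory
$report += foreach ($p in 389, 3268) {
    [pscustomobject]@{ Target = $domainController; Kind = 'AD'; Port = $p; Open = (Test-TcpPort $domainController $p) }
}
# The Console's own 443 listener that scanned endpoints report back to (exists once the service is installed)
$report += [pscustomobject]@{ Target = $consoleFqdn; Kind = 'Console'; Port = 443; Open = (Test-TcpPort $consoleFqdn 443) }

$report | Format-Table -AutoSize
$closed = @($report | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning "$($closed.Count) port(s) unreachable. Check host firewalls; for Windows targets also confirm the dynamic range 49152-65535 is permitted inbound."
}
```

A successful TCP connect proves only that the port is reachable, not that the scanning account has local admin rights on the target, and the Console's 443 listener is only present after the Movere service has been installed by the first scan. The target's dynamic port range cannot be inspected from the Console; on the endpoint itself, netsh int ipv4 show dynamicport tcp prints the configured range.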
Manual scans & Automated deployment via 3rd party tools
While we recommend using the Console to deliver Bots to targeted endpoints, this isn’t always possible. Movere supports manual placement (copy) and delivery via automated deployment platforms like System Center Configuration Manager (SCCM). To enable both methods of deployment several configuration steps need to be completed (refer below).
The Console must be configured to secure communication with Bots delivered via means other than the Console itself. The first thing that needs to be set is the Maximum number of Devices where you plan to deploy Bots. The default is set to 1000, but this number can be set to any number desired. This setting acts as a limiter and should be set to a value slightly higher than the number of devices you plan to scan. No further security tokens will be released once this number has been reached.
This setting can be altered by opening the ‘Movere.Service.exe.config’ file located in the folder the Console is installed in using a text editor e.g. Notepad:
If the default value is altered, then the ‘Movere.Service.exe.config’ file must be saved. If the text editor prohibits the file from being saved to the same location, save it to an alternative location e.g. Desktop, then manually move it back into the folder housing the Console. You will be asked to replace the existing file confirming that you are placing it in the correct location.
The Passphrase is a secret chosen by the user before deploying Bots manually or via 3rd party tools other than the Console itself. The same Passphrase must be provided both to the Console and to the Bots. It can be set either as a command line argument or via the config file of the respective component (binary): the key “PassPhrase” in Movere.Service.exe.config for the Console, Movere.Bot4.Local.exe.config for Bot4, and Movere.Bot2.Local.exe.config for Bot2.
Since the Bots will try to establish communication with the Console as soon as they start in order to obtain a security token, the Passphrase must be provided before the scans are initiated. Failure to do so will install the Movere service without a Passphrase. If this occurs then the Movere service will need to be stopped, deleted, then re-installed after the Passphrase has been set. There is one exception to this rule which is use of the ‘-noconsole’ flag. This flag will allow the Bots to start without a Console, but they will only collect up to 12 hours of data (the lifespan of the Token.txt file) before dissolving. Further details on using this flag are provided below.
Prerequisites for running manual/3rd party deployments of Movere:
- The Console has already been installed,
- A Magic Word has been set and at least one set of credentials (Windows, SQL, Linux, etc.) have been added via the Console’s “Manage Credentials” tab,
- The Movere Console is NOT running, and it has NOT already been installed as a Windows Service. If it has, then stop the service titled Movere.Service (if running) then delete it from an admin command prompt using the following commands:
sc stop Movere.Service
sc delete Movere.Service
Failure to stop and remove an existing Movere Service will result in all Bots deployed either manually or via a 3rd party tool to fail. The service can also be removed by uninstalling then reinstalling the Console.
- If you are planning to gather both Inventory and ARC data from each targeted endpoint, then the ARC scan must be activated first. The easiest way is via the Console using the following steps:
- Open the Console and enter your Magic Word,
- On the main tab, select the ‘Windows Devices’ and ‘Windows ARC’ check boxes,
- On the ‘ARC’ tab, set the desired duration and frequency of the ARC scan; then
- Close the Console.
You can manually confirm that the ARC scan has been enabled by reviewing the Bot2/Bot4 config files in the Bot2/Bot4 folders located in the directory the Console is installed in:
The ArcEnabled flag should be set to “true”. If it isn’t, then manually set it to “true”.
The ARC interval and duration can be confirmed by reviewing the Arc2/Arc4 config files in the Arc2/Arc4 folders, also located in the directory where the Console is installed:
The name of the device the Console is running/listening on should also be confirmed by reviewing the ServiceHostUrl value:
If the ServiceHostUrl value has not been changed from the default (https://localhost) that implies that you have not run any scans yet. You can set the ServiceHostUrl manually or by running a simple scan (e.g. AD) and verify that the value has been updated to the FQDN of the device where you have installed the Console.
Steps for running manual/3rd party deployments of Movere:
1. Open the file ‘Movere.Service.exe.config’ using a text editor e.g. Notepad. This file resides within the folder where the Console is installed.
2. Set the ‘MaximumDevices’ number to a value slightly higher than the number of devices you intend to scan. The default is 1,000, but this can be set to any number required:
3. In the same file, set a unique Passphrase. In the screenshot above we’re using ‘Movere.1’ purely as an illustration; because the Passphrase is what authenticates any Bot package to the Console, choose a long, random value and treat it as a credential.
4. Open both the ‘Movere.Bot2.Local.exe.config’ & ‘Movere.Bot4.Local.exe.config’ files in the Bot2/Bot4 folders, which reside in the folder where the Console is installed. Insert the same Passphrase used in step 3. The Passphrase authenticates the Bots with the Console when they are delivered to endpoints manually or via 3rd party tools:
5. Create a folder e.g. Local, that will house the binaries to be delivered to each targeted endpoint using a delivery vehicle other than the Console. Copy into this folder:
   - The ‘FrameworkVerifier.exe’ file from the FrameworkVerifier folder located in the directory where the Console is installed;
   - The Arc2/Arc4 folders, AFTER reviewing the ARC interval/duration and ServiceHostUrl;
   - The Bot2/Bot4 folders, AFTER adding the Passphrase to the Bot2/Bot4 config files in step 4 and AFTER confirming that the ARC module has been enabled; and
   - The Token.txt file (optional). If Token.txt is included in the local package, each targeted endpoint will attempt to upload its payload to Movere’s APIs directly via port 443 outbound, falling back to the Console if that port is unavailable. To ensure all communication with Movere’s APIs goes through the Console, do NOT include Token.txt in the local package.
The local package to be delivered to each targeted endpoint should look like this:
6. Install and start the Movere service on the device housing the Console. This must be done AFTER adding the Passphrase to the service config (step 3 above). The easiest way to install and start the Movere service (with the Passphrase in place) is to run a simple scan (e.g. AD) or to scan the device the Console is running on (localhost):
After the scan of the device housing the Console has concluded, the Movere service will automatically install and start itself:
7. Copy/distribute the folder created in step 5, e.g. Local, to the targeted endpoint(s) and start the FrameworkVerifier.exe file using the following command:
In the above example ‘consolehost.domain.com’ is the FQDN of the device the Console service is running/listening on. Replace this with the appropriate Console device name on your network.
The FrameworkVerifier will start the appropriate Bot (Bot2 or Bot4) which in turn will contact the Movere Console device (which is listening on port 443) using the Passphrase specified in the Bot config files. If the Passphrases match, then a ‘Token2.txt’ file will appear within the local folder deployed to the targeted endpoint(s). Once this occurs the scan will run. The encrypted payload will then be sent back to the Console for upload to Movere. If the Token.txt file is included in the local package (refer above), then the endpoint will attempt to upload its payload to Movere’s APIs directly via port 443. If this port is unavailable, then the Bot will send the payload to the Console. If all communications with Movere are to occur via the Console, then do NOT include the Token.txt file in the local package.
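The following script is an added example, not Movere's tooling, that performs steps 1 to 5 above from PowerShell, removes an existing Movere.Service as the prerequisites require, and can also set the LinuxSkipSudo flag described in the Linux credentials section. It assumes that the *.exe.config files are ordinary .NET application configuration files whose settings live under <configuration><appSettings><add key="..." value="..."/> (the guide shows the key names MaximumDevices, PassPhrase, ArcEnabled, ServiceHostUrl and LinuxSkipSudo but not the surrounding XML), that Token.txt sits in the Console folder, and that the Console is installed at C:\Movere\Console; check these against your own files before running it. Close the Console before running it, and perform step 6 (a simple scan from the Console) afterwards to install and start the service.

```powershell
# Added example (not Movere's own tooling): prepare a Console install for manual/SCCM Bot delivery.
# ASSUMPTION: *.exe.config files are .NET app configs with <configuration><appSettings><add key value/>.
# ASSUMPTION: Token.txt is located in the Console folder. Paths are placeholders.
param(
    [string]$ConsoleDir  = 'C:\Movere\Console',   # install path chosen in the installer
    [int]$MaximumDevices = 1200,                  # slightly above the number of devices to scan
    [switch]$IncludeToken,                        # copy Token.txt so endpoints may upload directly
    [switch]$LinuxSkipSudo                        # scan Linux without sudo (Linux credentials section)
)
$ErrorActionPreference = 'Stop'

function Get-AppSetting([string]$ConfigPath, [string]$Key) {
    [xml]$xml = Get-Content -LiteralPath $ConfigPath -Raw
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if ($node) { $node.GetAttribute('value') }
}
function Set-AppSetting([string]$ConfigPath, [string]$Key, [string]$Value) {
    [xml]$xml = Get-Content -LiteralPath $ConfigPath -Raw
    $settings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $settings) { throw "No <appSettings> in $ConfigPath; the config format assumption does not hold." }
    $node = $settings.SelectSingleNode("add[@key='$Key']")
    if (-not $node) { $node = $settings.AppendChild($xml.CreateElement('add')); $node.SetAttribute('key', $Key) }
    $node.SetAttribute('value', $Value)
    $xml.Save($ConfigPath)
}

# Prerequisite: no Movere.Service may exist; the first scan re-creates it with the passphrase in place.
if (Get-Service -Name 'Movere.Service' -ErrorAction SilentlyContinue) {
    sc.exe stop Movere.Service | Out-Null
    Start-Sleep -Seconds 5
    sc.exe delete Movere.Service | Out-Null
}

# The passphrase lets any Bot obtain a token from the Console, so treat it as a credential:
# take it from an environment variable set for this session, or generate a random one.
$passphrase = $env:MOVERE_PASSPHRASE
if (-not $passphrase) {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $passphrase = [Convert]::ToBase64String($bytes)
}

# Steps 1-3: Console service config (plus the optional Linux flag)
$serviceCfg = Join-Path $ConsoleDir 'Movere.Service.exe.config'
Set-AppSetting $serviceCfg 'MaximumDevices' $MaximumDevices
Set-AppSetting $serviceCfg 'PassPhrase' $passphrase
if ($LinuxSkipSudo) { Set-AppSetting $serviceCfg 'LinuxSkipSudo' 'true' }

# Step 4: same passphrase in both Bot configs, and ArcEnabled must read "true"
foreach ($cfg in (Join-Path $ConsoleDir 'Bot2\Movere.Bot2.Local.exe.config'),
                 (Join-Path $ConsoleDir 'Bot4\Movere.Bot4.Local.exe.config')) {
    Set-AppSetting $cfg 'PassPhrase' $passphrase
    if ((Get-AppSetting $cfg 'ArcEnabled') -ne 'true') { Set-AppSetting $cfg 'ArcEnabled' 'true' }
}

# ServiceHostUrl still at https://localhost means no scan has run yet and the Bots could not call home
$cfgFiles = foreach ($d in 'Bot2', 'Bot4', 'Arc2', 'Arc4') { Get-ChildItem -Path (Join-Path $ConsoleDir $d) -Filter '*.exe.config' }
foreach ($cfg in $cfgFiles) {
    $url = Get-AppSetting $cfg.FullName 'ServiceHostUrl'
    if ($url -and $url -match '^https://localhost') {
        throw "$($cfg.FullName) still points at $url; run one scan (e.g. AD) from the Console first."
    }
}

# Step 5: assemble the package that SCCM (or an admin) copies to each endpoint
$package = Join-Path $ConsoleDir 'Local'
New-Item -ItemType Directory -Path $package -Force | Out-Null
Copy-Item -LiteralPath (Join-Path $ConsoleDir 'FrameworkVerifier\FrameworkVerifier.exe') -Destination $package
foreach ($d in 'Arc2', 'Arc4', 'Bot2', 'Bot4') { Copy-Item -LiteralPath (Join-Path $ConsoleDir $d) -Destination $package -Recurse -Force }
if ($IncludeToken) { Copy-Item -LiteralPath (Join-Path $ConsoleDir 'Token.txt') -Destination $package }

# The package carries the passphrase in clear text inside the Bot configs: restrict who can read it.
$acl = Get-Acl -LiteralPath $package
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$env:USERDOMAIN\$env:USERNAME") {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $package -AclObject $acl
Write-Host "Package ready in $package. The passphrase is inside the Bot configs; distribute the folder only through your deployment tool."
```

Anyone who obtains the Local folder holds the passphrase and can request tokens from the Console, up to the MaximumDevices limit, so keep the SCCM package source and the distribution points as tightly controlled as the Console itself, and set MaximumDevices only marginally above the real device count as the guide advises.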
Scanning without a Console
As mentioned above, there is one exception to the rule that Bots must communicate with a Console: the ‘-noconsole’ flag. This flag lets the Bots start without a Console, but they collect data only for the 12-hour lifespan of the Token.txt file before dissolving. This option suits point-in-time inventory collection; ARC collection under it is currently capped at 12 hours.
In the example above we used the command:
To start the Bots without a Console, replace the host name and port number with the flag ‘-noconsole’:
Notices and Disclaimers
Movere® is a registered trademark, and Movere™ is a trademark, of Movere, Inc.
This guide, as well as the Movere® service described in it, is furnished pursuant to license and may be used only in accordance with that license. Except as permitted by any such license, no part of this guide may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written permission of Movere, Inc.
The content of this guide is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Movere, Inc.
Movere, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational content contained in this guide.
Microsoft, Windows, SQL, Exchange, Azure, Office and Office 365, Active Directory, Hyper-V, SharePoint, and Lync are registered trademarks of Microsoft Corporation in the United States and/or other countries.
XenServer is a registered trademark of Citrix Systems, Inc.
vCenter Server is a registered trademark of VMware, Inc.