Metasys Software Security and Support

May 2021

Johnson Controls® prioritizes customer confidence and satisfaction in the Metasys Building Automation
System (BAS) above all else. We have organized the Metasys product development and support
infrastructure to help protect Metasys customers and ensure their confidence in the product that we
support. Summarized below are current operating guidelines and process for the Metasys BAS. The
Metasys product team employs commercially reasonable efforts and adheres to the guidelines and
process described herein. However, other mitigating factors may prevent complete adherence to this
policy, as determined by the Metasys product team at its sole discretion. Regardless, the Metasys product
team endeavors to address issues that arise within the associated products, with the severity that they
warrant.

Best Practices in the Field

The Metasys sustaining and support teams work with the field to help ensure best practices are followed
with respect to the deployment of the Metasys system. To help ensure our customers have the latest
updates and functionality, it is our policy to have our field representatives work with the customer in
encouraging and making available the latest software for the Metasys BAS.

The latest release is recommended as the base version the customer uses. Under typical circumstances,
we support the current software release and the previous major software release.

As of the publishing of this document, the prior releases of Metasys are as follows:

Table 1: Metasys Release Overview

Metasys Component Previous Release Current Release Future Release

Metasys Server1 10.1 11.0 12.0
Metasys User Interface (UI) Online 4.1 5.0 6.0
Metasys UI Offline 4.1 5.0 N/A
Launcher 1.7 2.0 2.0
System Configuration Tool (SCT) 14.1 14.2 15.0
SCT Pro 14.1 14.2 15.0
Controller Configuration Tool (CCT) 13.1 14.0 15.0
Metasys Network Engine
M4-SNE1050x-x 10.1 11.0 12.0
M4-SNE1100x-x 10.1 11.0 12.0
M4-SNE2200x-x 10.1 11.0 12.0
M4-SNC1612x-x 10.1 11.0 12.0
M4-SNC2515x-x 10.1 11.0 12.0
MS-NAE55xx-22 10.1 11.0 11.x
MS-NAE55xx-33 10.1 11.0 12.0
MS-NIE55xx-2,-3 9.0 9.0 N/A
MS-NIE59xx-2,-3 9.0 9.0 N/A

LIT-12013786
 Metasys Component Previous Release Current Release Future Release
4
NCE25xx-0 8.1 9.0 (9.0.9) TBD
NAE35xx-2
NAE45xx-2
NIE29xx-0
NIE39xx-2
NIE49xx-2

Metasys for Validated Environments

(MVE)5 10.1 11.0 TBD
6
UL/cUL 864 UUKL – Smoke Control 8.1 8.1 11.x

Note 1: At Metasys Release 11.0, Johnson Controls is discontinuing the Metasys Advanced Graphics
Application (AGA) software for a new installation and for upgrading an existing installation. In addition,
Johnson Controls is discontinuing the Metasys Graphic Generation Tool (GGT) application for a new
installation at Release 11.0. Refer to the Discontinuation of Metasys legacy graphics (LIT-12001094)
Discontinuation Letter for more details.
Johnson Controls continues to develop and expand the Metasys User Interface reporting capabilities from
release to release. Release 13 is expected to close the functionality gap for Metasys Export Utility, at
which time the Metasys Export Utility will be discontinued. The development required to provide functional
replacements for Advanced Reporting System and Energy Essentials is planned after the gap closure for
Metasys Export Utility.
Note 2: Metasys Release 11.0 will be the last supported major release for MS-NAE55xx-2. Because of
limited memory space, the MS-NAE55xx-2 network engines will not upgrade to Release 12.0 or later.
Johnson Controls will continue to patch these models through December 2023. Refer to the End of
support timing for MS-NxE55xx-2 Network Engines (LIT-12001127) Product Information Letter.
Note 3: Support of the MS-NAE55xx-3 beyond Metasys Release 12.0 has yet to be determined.
Note 4: The NxE2xxx-x, NxE3xxx-x, and NxE4xxx-x network engines cannot upgrade to Metasys
Release 10.0 or later because of limited memory space. Johnson Controls will continue to patch these
models through November 30, 2021.
Note 5: Maintain MVE compliance at every major and minor release, unless otherwise noted.
Note 6: Maintain compliance to UL 864 Smoke Control Listing within 12 months of a major release. SCT
and CCT versions for UL 864 Smoke Control Listing may differ from the general release.

While customers using older versions of Metasys are required to upgrade to a newer, compatible version,
Johnson Controls does reserve capacity to support earlier versions under certain circumstances. Metasys
is designed with compatibility in mind and in the interest of protecting the security of our customers. It is
recommended that customers apply the latest updates and patches to their Windows OS and SQL Server
environments upon which Metasys resides. The Metasys system is not designed to run on a hostile
network. It is strongly recommended that customers deploy security controls to limit network and physical
access to Metasys and its connected controllers, unless the customer uses a VPN with credentials. To
this end, it is recommended that customers segment their network to isolate the building security system
from the business network. Johnson Controls takes product security seriously, and we encourage our
customers to learn more about our best practices and product advisories, by calling 844-628-2529 or

LIT-12013786
visiting the Metasys Cyber Program website at https://www.johnsoncontrols.com/cyber-solutions/cyber-
program.

The Metasys engineering and technical support teams will continue to support the Metasys BAS with the
latest Linux, Windows Operating System (OS), and SQL updates/patches, so long as it meets our base
OS and SQL platforms, as published in our literature.

Metasys Product Sustaining and Support

The Metasys product sustaining and support engineering has been organized to expeditiously deliver
solutions to customers, as customer cases arise. With our technical support staff working directly in
collaboration with a dedicated engineering team, we commit ourselves to maximizing the response and
resolution times for Metasys customers. We currently practice a three-tiered support system, whereby all
customer cases are triaged and responded through a collaboration of dedicated technical support,
engineering development, and product validation teams. Through this process, we can prioritize our
customer cases based on varying degrees of urgency, commit dedicated development resources to
ensure that the solution is documented and validated throughout the lifecycle of the product.

Metasys Releases
Metasys product updates are distributed through a cadence of regular releases. While we target releases
every six to 12 months, we may accelerate this schedule for a critical update or delay it because of an
absence in new functionality. Our software releases are complete application installation packages,
allowing customers the convenience of either a new installation of the latest version, or conveniently
upgrading their existing Metasys system to the latest release, with the latest features, enhancements, and
fixes. Metasys application installation packages are specifically validated for reliability and convenience,
to deliver a positive experience for customers, while also minimizing downtime.

Metasys Patches
The Metasys sustaining team makes use of software installation patches to best expedite customer
related defect resolutions as quickly and reliably as possible. Metasys patches deliver a fix or an
enhancement specific to the customer need. Patches are designed for quick customer case turnaround
time, while maintaining the highest standards of validation, reliability, and convenience to respond to our
customer needs. Patch installation packages roll up and incorporate prior patch deliverables from the
same software release of the product. Currently, patches are only made available to the latest version of
the current release and the latest version of the prior software release of Metasys. Johnson Controls can
target cyber security vulnerabilities with a patch, but in some cases the complexity of a resolution may
require the resolution to be incorporated into a future release rather than issuing a patch. For additional
support and service, please contact your local Johnson Controls branch office or the JCI services and
support phone number: 844-628-2529.

LIT-12013786
 Metasys Development Standards for Product Security
Through organizational supervision, Metasys is subject to the standard practices established by our
product security group, with whom the Metasys development team directly collaborates with to help
protect customers against suspected product vulnerabilities. Per mandatory policies established by our
product security group, the Metasys development teams are held to mandatory training requirements
about cyber security development standards and best practices.

Reporting a Vulnerability
If you suspect a Metasys vulnerability, please contact the Johnson Controls Product Security Incident
Response (PSIR) team directly by:
• Calling 1-800-250-7830
• Emailing [email protected]
• Visiting the PSIR Inquiries website at https://www.johnsoncontrols.com/cyber-solutions/cyber-
response
For additional information on Johnson Controls service and support, please visit
https://www.johnsoncontrols.com/en_sg/buildings/services-and-support.

Building Technologies & Solutions

507 E. Michigan Street, Milwaukee, WI 53202
© 2021 Johnson Controls.

LIT-12013786