Desktop Management: Angst-Ridden?

A desktop-management strategy--and suite--can make the workload bearable.

November 7, 2003


A Question of Size

Not every organization needs a comprehensive, automated desktop-management strategy. Does yours? Here are two key questions to ask: Are your existing procedures keeping up with changing technologies, new software revisions and user support issues? And will they continue to scale?

Even for those with relatively sophisticated desktop-management setups, if a worm or year-old vulnerability has hit you recently, you're not up-to-date. Many new features have been added to DM suites in recent years, including patch management and license-compliance monitoring. New DM suites are also useful for handling laptops and remote users--don't limit desktop management to your physical building.

Today's DM suites can make an impact in six major areas: inventory, software distribution, support and helpdesk components, patch management, reports and software-license monitoring. Some suites also contain accounting software, disk imaging, OS migration, self-service software installs, application healing and support for handhelds.

Gains and Losses

Of course, a package that can fix a large and diverse range of problems will cost you. Even a 10,000-node installation may run upward of $1 million.

List price of the suites we tested in our comparative review (see "How Suite It Is") starts at $67 and goes to $125 per node, and that doesn't always include maintenance contracts. We found a disconnect between this price range and what readers want to spend: Only 12 percent of respondents say they'd be willing to spend more than $50 per node, and a minuscule 2.4 percent would go above $100. The sweet spot was $10 to $20 per client.

[Figures: "Assert Yourself" and "By the Numbers"]

There are ways to close this gap. Volume discounts are available, and very large installations (more than 100,000 nodes) can negotiate to receive services, such as on-site installation and training, free or at a reduced price. Sometimes you can economize by unbundling features. For example, if you own remote-control software, you may be able to get this functionality removed.

Although shops with 100 to 1,000 nodes won't have as much negotiating power, they do have a wider range of choices. Products from small vendors such as FrontRange Solutions, Intuit and Vector Networks may not scale as well, but they offer functionality similar to those from the big boys. Our tests focused on a 10,000-node installation, but why pay for distributed systems-management capabilities if your organization is contained in one building and will be for the foreseeable future?

As for ROI, there are studies that will more than support the purchase of a DM suite. Gartner's "Desktop TCO Update, 2003" cites a three-year total cost of ownership for an unmanaged Windows XP desktop of $5,309. The same desktop when well-managed--defined by Gartner as implementing a raft of best practices combined with appropriate tools, processes and policies (read: a full-blown DM suite)--is $3,335.

There are four major metrics to realizing ROI:

• Productivity gains: Information workers with more reliable systems and faster tech support are more productive.

• Software-license management: Avoiding the overpurchase of licenses or evading an audit may yield an immediate ROI. Don't fall into the "An audit will never happen to us" or "We're compliant even though we can't prove it" trap. The risk of an audit is very real.

• Reduced administrative expenses: These expenses include the cost of rolling out new software, upgrading existing software, capacity planning and asset tracking. Organizations with many legacy systems, diverse hardware or remote users may have a hard time keeping track of their desktops, and a DM suite can help target specific computers based on inventory data.

When switching vendors or hardware platforms, DM suites let you target updates to specific systems. For example, you can easily distribute a BIOS update to all Dell OptiPlex systems, or new NIC drivers to Compaqs that are running Windows 2000 but not XP. Performing such tasks with login scripts can get messy.

Another benefit is in updating configurations. If your site decides to implement a nontransparent proxy server that requires end-user configuration changes, you can use the DM software to push down new configs or change registry values. And some suites let you lock down a system's config file, avoiding the risk of a user making a change that could blow up his system.

The reporting capabilities found in DM suites can provide both a high-level view of your entire organization and a focus on individual nodes. Knowing how many machines are in use is handy for planning future purchases, for instance, and will reveal if hardware upgrades are needed before rolling out a new OS. Do users need new machines or just extra memory? Some products will generate reports automatically if the inventory changes, which is useful for spotting the theft of RAM, hard drives or other hidden components.

• Reduced support costs: According to our e-mail poll, this was the No. 1 cost justification for using DM software. Internal technical support is purely a cost center: It doesn't generate any revenue, and the cost seems to keep going up. That's not to say that support is optional or frivolous, but minimizing costs while increasing productivity is just good business sense.

Support can be broken into two parts: proactive administration and helpdesk assistance.

Leading the proactive pack is patch management--44 percent of those polled cite "patch and service-pack deployment and management" as the most important DM function. It's no wonder: Organizations have lost millions of dollars cleaning up Blaster, SoBig, Swen, Klez and a whole smorgasbord of viruses, Trojans and worms. Trust us--it's cheaper to patch now than to clean up later. Of course, we strongly recommend that you test all patches before deploying them, but the argument that patching causes more trouble than it saves is a paper tiger. Some recent worms took advantage of holes discovered more than a year before. If you can't install a simple patch in a year, you're doing something wrong.

Attacks are also coming faster nowadays, with some being released less than a month after a vulnerability is announced. A DM suite will let you deploy a patch within hours or days instead of weeks, reducing the amount of time your network is vulnerable, and it will patch systems proactively, without requiring end-user involvement. You can push patches out to remote users automatically the next time they log in.

Prying accurate information out of a user can be challenging, so your helpdesk staff will appreciate the inventory and remote-control components of a DM suite. DM agents installed on every computer will report back information such as hardware configuration, software installed, version numbers and Ethernet addresses. This helps reduce the amount of time an operator needs to spend on a call. Most suites will even publish their database schema, thus letting you write custom queries or custom-tailored helpdesk apps.
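The kind of custom inventory query described above, as an added example that is not from the original article or from any vendor's product: it selects Compaqs running Windows 2000 but not XP for a driver push, and flags machines whose reported RAM shrank between two inventory snapshots. The table layout, host names and values are hypothetical and constructed for illustration.

```python
import sqlite3

# Constructed sample inventory. Table and column names are hypothetical,
# not any vendor's published schema.
ROWS = [
    ("2003-10-01", "ws-001", "Compaq", "Deskpro", "Windows 2000", 512),
    ("2003-10-01", "ws-002", "Compaq", "Deskpro", "Windows XP", 512),
    ("2003-10-01", "ws-003", "Dell", "OptiPlex", "Windows 2000", 256),
    ("2003-10-01", "ws-004", "Compaq", "Deskpro", "Windows 2000", 256),
    ("2003-11-01", "ws-001", "Compaq", "Deskpro", "Windows 2000", 256),
    ("2003-11-01", "ws-002", "Compaq", "Deskpro", "Windows XP", 512),
    ("2003-11-01", "ws-003", "Dell", "OptiPlex", "Windows 2000", 256),
    ("2003-11-01", "ws-004", "Compaq", "Deskpro", "Windows 2000", 256),
]

def build_db(rows=ROWS):
    """Load the agent-reported rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (snapshot TEXT, host TEXT, vendor TEXT,"
                 " model TEXT, os TEXT, ram_mb INTEGER)")
    conn.executemany("INSERT INTO inventory VALUES (?,?,?,?,?,?)", rows)
    return conn

def target_hosts(conn, snapshot, vendor, os_name):
    """Hosts from one vendor running exactly one OS (the distribution target)."""
    cur = conn.execute(
        "SELECT host FROM inventory"
        " WHERE snapshot = ? AND vendor = ? AND os = ? ORDER BY host",
        (snapshot, vendor, os_name))
    return [row[0] for row in cur]

def ram_decreases(conn, before, after):
    """(host, ram_before, ram_after) for hosts reporting less RAM than before."""
    cur = conn.execute(
        "SELECT a.host, b.ram_mb, a.ram_mb"
        " FROM inventory a JOIN inventory b ON a.host = b.host"
        " WHERE b.snapshot = ? AND a.snapshot = ? AND a.ram_mb < b.ram_mb"
        " ORDER BY a.host",
        (before, after))
    return cur.fetchall()

if __name__ == "__main__":
    db = build_db()
    print("NIC driver targets:",
          target_hosts(db, "2003-11-01", "Compaq", "Windows 2000"))
    print("RAM shrank:", ram_decreases(db, "2003-10-01", "2003-11-01"))
```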

One frustration helpdesk operators often voice is guiding users to fix problems over the phone. Fortunately, remote-control features are the next best thing to being in front of a broken system. They let administrators remotely watch a user's screen or actually take over the keyboard and mouse controls. Some DM suites allow for IM (instant messaging) or voice conferencing with the user as well. Even better, some DMs will let an operator put the remote-control software in watch-only mode and let users demonstrate the problem.

Desktop management security benefits stem from improved patch and firewall management and the ability to stanch the flow of unauthorized applications.

One fly in this ointment: Linux and Unix support is limited or nonexistent in many DM suites. Although Linux distributions are relatively easy to administer remotely via Perl scripts and SSH (Secure Shell), those don't offer the functionality, scalability or reliability found in a DM suite. Of course, if the installed base of desktop Linux increases, the DM industry will shift to fill that need.

A desktop-management suite also can help track down rogue or unauthorized applications. Some apps, like Quake, are relatively harmless, though they kill productivity. However, P2P programs, unauthorized instant messaging and spyware may open you up to attack, legal liability or intellectual property theft. We've heard horror stories of corporate documents accidentally leaked onto P2P networks, and the RIAA is quick to sue for music copyright infringement. Your organization won't have licenses for rogue software, which can get you in trouble in an audit.

Firewalls go only so far--unfortunately, the Internet is now defined as Port 80, and organizations allow Web traffic through their firewalls. But Trojans, spyware and P2P also run on Port 80. Some applications use HTTP and have proxy-server support. Encrypted traffic, such as programs utilizing SSH or SSL tunneling, is even harder to inspect for content. Relying on gateway firewalls to block or detect rogue software is doomed to failure.

Then there are your remote users, who aren't always kept safe behind your main firewall. You can use your DM suite to ensure that desktop firewalls are in use on every workstation while keeping tabs on non-networked applications (for more on remote firewalls, see "Defense Starts Here").

Tying It Together

Management may ask, why buy a pricey DM suite when we can go with multiple free components? After all, you can get a free license-monitoring product from the Business Software Alliance; free remote-control via Terminal Services in Windows 2000; and a free patch-management tool, called SUS, from Microsoft.

The short answer: Going cheap will cost you in terms of scalability, integration and consistency. Scaling a tool to support thousands of machines across various networks, domains and locations is difficult and expensive. For example, even Microsoft admits that SUS isn't appropriate for large organizations. A single SUS server can support a maximum of 15,000 clients. However, it doesn't support pre-Windows 2000 SP2 systems, Office patches or SQL Server patches.

Having multiple products also means that you must build and maintain each separately, including all associated infrastructure. Multiple tools won't integrate with one another in the same interface or share data. If you create a dynamic group in one tool, you'll need to create that group in all. You may need to load one tool to do inventory, a second for software compliance, another for remote control and a fourth for deploying software. Because there is no shared data, some of the tools may not be on all machines, leading to inconsistent or inaccurate reports.

Political Suicide

Seventy-six percent of those who responded to our second annual reader survey (see "We Asked, You Told") said politics is the thing you like least about your job, so we have to warn you: Rolling out a DM suite may land you smack dab in the middle of an interdepartmental bickering war. Get your CTO and CFO on board, and let strong orders come down from above. To get the full return on a DM suite, get all departments to use it--and we don't just mean the security team, systems people and helpdesk staff. Upper-level management and bean counters will need to communicate their needs and expectations. The power users among them can even run reports at any time, as opposed to bothering an IT wonk and waiting a week for results. And if you foster some cross-department communication, so much the better.

Desktop management is not a panacea. The suite you purchase may not handle your organization's Macs, for example, and rolling out new software may fail on one-off or oddly configured machines. This failure rate will depend heavily on the level of homogeneity in your desktops and the control you have over them. If you have a standardized network, failures may be rare. Less tightly controlled organizations, or sites that currently have varying OS revisions, service packs and applications, may not fare as well.

Michael J. DeMaria is an associate technology editor based at Network Computing's Real-World Labs® at Syracuse University. Write to him at [email protected].

If your desktop-management strategy doesn't provide beefy end-user interaction tools or help with software compliance and patch management, it's not doing all it could. Although a new DM suite will dent your budget--our Editor's Choice lists for $80 per node, well above what readers polled said they want to pay--the payback is easy to quantify.

Take, for example, patch management. Although patching admittedly won't solve all your security problems (see "Patches Don't Equal Security"), a well-equipped DM suite will pinpoint which nodes are vulnerable, then help you get patches deployed in a timely manner. Other benefits of automation include reducing the software-deployment failure rate and freeing IT staff to build your business instead of doing inventory.

We devised a scenario that required DM products to perform a range of asset-management functions, integrate with directories and support remote users and three flavors of Windows. Patch management, access control and software metering were optional but desirable. Altiris, Computer Associates, LANDesk Software, Marimba, Microsoft, Mobile Automation and Novell sent their suites to our Real-World Labs® at Syracuse University, and we found something to like about each of them. However, Altiris' suite stood out and took our Editor's Choice award, while LANDesk snagged a Best Value award.

• See "How Suite It Is"

• "Desktop Management Enlightenment"

• "No Time To Relax"

• "Microsoft Customers Find New Licensing Plan Is Bad News, But Not as Bad as Feared"

There's no software-compliance branch of your local sheriff's office, but the license police are a very real threat to your organization and being out of compliance could cost you millions. If your company is suspected of being out of compliance with a software-licensing agreement, you may be asked to perform an audit. "Asked" is code for, "You have 30 days to prove your innocence or we'll sue you."

The core of this "police" force is the Business Software Alliance. The BSA has no direct government ties; rather, it represents its members, similar to the RIAA in the music industry. You need to take the BSA seriously--it has lots of lawyers and knows how to use them.

The group's public radio commercials go something like this: "I would say to businesses that unless you have no current or former unhappy employees, you are only one phone call away from a BSA investigation." Even if you're completely innocent, you can still be audited at your expense. And the instant your organization receives a software-audit request, the IT department must deal with it. You can imagine the disruption that would cause, not to mention the cost.

If you're found out of compliance, penalties can run as high as $150,000 for each unlicensed copy. Many organizations have settled out of court, though you can bet the settlement price per copy will be higher than the purchase price--that's because you are, in fact, breaking the law, and you have little bargaining power. Publicly disclosed settlements listed on the BSA Web page range from $10,000 to $525,000. The BSA has collected more than $83 million in 12 years, with $12 million collected in 2002 alone.

An audit can occur at any time, so be prepared. Here are some guidelines:

• Prove you have the licenses. If individual departments are allowed to make software purchases, make sure they submit copies of the licenses and purchase orders to a central location. If an employee installs software without a license, your company may be liable, even if the application was installed against corporate policy.

• Keep tabs on your license count to help reduce costs. Instead of guessing how many licenses you need, buy exactly what you need or close to it (always buy a few extra licenses, just in case new machines are added).

• Use software metering (tracking the frequency with which an individual uses a program) to determine if you really need a license for every user or if you can share. Make sure to uninstall unneeded software or bar inactive users from accessing the product, as most software licenses are based on per-seat installs, not simultaneous usage.

Of course, desktop-management suites let you see exactly what is installed and where. So, if you get an audit alert, you can reply in minutes with, "We have 4,830 copies of Windows 2000 installed, 4,293 copies of Word, and have the licenses for 5,000 each. Have a nice day."
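The license-count and metering guidelines above, worked through as an added example that is not from the original article or any DM product: it compares per-seat installs against licenses on file, lists idle copies that metering says could be uninstalled, and flags titles with no license record at all. The record layout, the title names, the counts and the 90-day idle threshold are assumptions made up for illustration.

```python
from collections import Counter

# Constructed sample data: (host, title, days since last use), as a metering
# agent might report it. All names and numbers are illustrative.
INSTALLS = [
    ("ws-001", "Word", 2), ("ws-002", "Word", 140), ("ws-003", "Word", 5),
    ("ws-001", "Visio", 400), ("ws-002", "Visio", 1),
    ("ws-003", "P2P-Client", 0),
]
LICENSES_OWNED = {"Word": 2, "Visio": 2}  # per-seat licenses with paperwork on file
IDLE_DAYS = 90                            # assumed threshold for an unused copy

def reconcile(installs, owned, idle_days=IDLE_DAYS):
    """Per-title audit view: installed vs. owned seats, idle copies, rogue titles."""
    installed = Counter(title for _, title, _ in installs)
    idle = {}
    for host, title, days in installs:
        if days > idle_days:
            idle.setdefault(title, []).append(host)
    report = {}
    for title, count in sorted(installed.items()):
        seats = owned.get(title)  # None means no license record exists
        report[title] = {
            "installed": count,
            "owned": seats,
            # Per-seat licensing: every install counts, used or not.
            "shortfall": count if seats is None else max(count - seats, 0),
            "idle_hosts": sorted(idle.get(title, [])),
            "unlicensed_title": seats is None,
        }
    return report

def shortfall_after_reclaim(entry):
    """Seats still missing if the idle copies are uninstalled first."""
    return max(entry["shortfall"] - len(entry["idle_hosts"]), 0)

if __name__ == "__main__":
    for title, entry in reconcile(INSTALLS, LICENSES_OWNED).items():
        print(title, entry, "after reclaim:", shortfall_after_reclaim(entry))
```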


Trace Mike DeMaria's steps as he prepared for our Desktop Management Suites evaluation in our Syracuse Lab.
