Desktop Management Suites: How Suite it Is

We tested seven desktop-management suites. Find out which takes the anxiety out of that dreaded task.

November 7, 2003

18 Min Read
Network Computing logo

The Big Picture

None of the suites we tested is what we'd call spot-on. For example, we saw some really good user interfaces, and some not so good. On our wish list: More control over deploying software to the entire organization; better security and role-based access controls; patch management from every player; and improved alerting and scripting capabilities. We expect to see a lot of innovation, enhancements and development over the next few years--each suite had its own stand-out features that we'd like to see added to all the products.

All the DM suites we tested were current shipping versions, except for Microsoft's. In a departure from our usual rules of engagement, we tested a beta copy of SMS 2003 Release Candidate 2. Microsoft says the product will be shipping when this issue goes to print, and we couldn't pass up the opportunity. Normally, we bar beta versions from comparative reviews, but when we make an exception our policy is to treat the beta software no differently than the shipping products. Microsoft was informed of this policy and chose to participate.All the DM suites we tested have a similar pyramid architecture. At the top is a central database server and a central management server. Inventory, client and policy information is stored here. Distribution servers (aka staging, local, relay, deployment, fan out or transmitter servers, depending on the vendor) can be installed in remote offices or on multiple subnets. These servers cache data from clients and store local copies of policies and software. Client machines can pull software from the closest distribution server to help distribute network load and increase performance. At the very bottom of the pyramid are end-user machines, which must have client agents loaded. These agents periodically upload inventory data and check for new policies or enforce current ones. Agent software can be distributed via disk, CD, e-mail, network share or login script, or it can be downloaded from one of your Web servers or pushed out via an AD domain. None of the products tested had agents that struck us as gluttonous RAM suckers.

As for feature sets, here's what we consider important:

• Patch management: All products we tested could distribute patches. However, without patch management you can't see which nodes on your network are vulnerable. You could run a custom report identifying software versions with known vulnerabilities, but that tack has some limitations: You would need to keep the list up-to-date, it wouldn't be as elegant, and the technique would fail if a patch didn't increment the version number. Thus we consider full patch management a key selling point for DM suites, and we gave it a heavy weighting. Altiris, Marimba and Microsoft are the only vendors tested that supported Windows patch management. Novell supports only Linux patches via Ximian's Red Carpet.• Software distribution and execution: You'll likely want to distribute software after hours, when network use is reduced, and then install in the morning when users log in. All products tested support that capability, and all except Microsoft also support Wake-on-LAN. Only CA's product has an application-rollback feature, so that if an installation fails as you deploy it, you can specify to stop, continue or roll everyone back to the old version. Altiris can do rollbacks via machine snapshots and its disk-imaging suite. None of the products, however, offers good calendaring. We wanted a way to say: "Deploy this application to collection X on Monday, Y on Tuesday, Z on Wednesday." This would be useful for applications or files that you deploy regularly. It also would help with distributing new applications, either to a preproduction test group or to do a phased rollout. We didn't like having to create multiple deployments to handle each step in a rollout.

Assert Yourself

As for usability, though only the products from CA and Novell provide granular access control, we found their interfaces poorly designed and hard to use. CA's product had us jumping from window to window, while Novell's requires knowledge of eDirectory. Marimba's UI was no walk in the park either.

Access control for most products was based on roles: An admin can perform only specified functions across the entire network. CA and Novell were on the top end of this scale; we were able to limit which administrators could access which computers, thus letting us delegate responsibility for specific collections. On the other end of the spectrum, Altiris' product is severely lacking in access-control capabilities, though the company promises this will be remedied in the next release. We could set up access controls for the Web reports via IIS permissions.

Despite this shortcoming, Altiris Client Management Suite is our Editor's Choice, thanks to its excellent reporting, license monitoring, patch management and usability. We were also impressed with LANDesk's suite, which would have finished neck and neck with Altiris if it offered patch management. LANDesk says this feature will be in its next release.

The Altiris Client Management Suite comprises multiple components that integrate flawlessly with one another. We tested only the inventory, metering, remote-control, software-deployment and contract-managment sections, but the suite also has modules for asset control, contract management, helpdesk software, TCO (total cost of ownership) management, WISE package studio, OS migration and disk imaging. The imaging portion, Deployment Solution, was the Editor's Choice in our previous review of disk-imaging software. A full-featured, 10-node demo license is available on Altiris' Web site.Altiris' suite was the only product in this roundup to let us create collections, or groupings of computers, for each of its components. We could create one collection specifically for metering, another for remote control and a third for software deployment. We also could set up additional groupings of collections within each component. This let us create a large number of collections and still keep them manageable. Each component collection may be used across the entire suite, so your remote-control collections can be referenced in software distribution, for example.

For patch management, we had to install the free Microsoft Baseline Security Analyzer (MBSA) on our clients. The clients run MBSA periodically and send the reports back to the Altiris server. This lets you see which patches are needed and by how many clients. However, we had to download and package the patches manually. A minor inconvenience, granted, but an automated approach would be welcome. Each patch can be rolled out to a collection of test-bed computers, and then to your entire organization. Marimba and Microsoft use a similar approach, though their automated packaging features earned them a slightly higher score.

Altiris does go the extra mile with its vulnerability reports. These reports blow the whistle on SQL and IIS vulnerabilities, such as exposed passwords, blank SQL passwords, or if the IIS lockdown tool has not been run; blank system passwords; bad file permissions; improper IE settings; and nonexpiring passwords.

Vendors at a Glance

click to enlarge

We give Altiris props for having the best user interface of the products we tested. The UI is Web-based, and we liked how individual components, such as inventory and software distribution, have separate collections, policies and alerts. The drill-down capabilities were especially good. For example, instead of being presented with a static list of clients that had 256 MB of RAM, we could see details for each machine. This additional information beats the more limited approach taken by many other products, which present lists of data and no way to gather details. However, we do have a few quibbles: The process to define collections and queries was not totally intuitive. Many of the table- and field-selection names were cryptic, like "AeX EU Contact Detail," which contains information about Exchange accounts in one long drop-down menu.

Also, we were disappointed in the lack of access controls for limiting the rights of other administrators. Altiris says that this feature will be in the next release. There is, however, a separate Web report section. We could create individual Web sites containing a selected subset of the available reports. For instance, you could have reports only on hardware made available to a person or group responsible for physical assets, as they wouldn't need to know about software configurations. Access to these individual sites is controlled by IIS permissions.

Features List

click to enlarge

The contract module allows for extensive tracking and reporting of software licenses. We could specify data on maintenance and renewal costs, start and end license dates, which machines are authorized to use the software, purchase-order information, scanned images of the proof of purchase, payment history and asset tracking. This is also where vendor aliasing is useful: We've found executables from "Microsoft corp," "Microsoft," "Microsfot" and "Microsoft Corporation" all on the same machine. With aliasing, you can make all these show up as products by "Microsoft." Only Marimba and Mobile Automation don't support aliasing.

Altiris also had the best remote-control software. Aside from standard screen sharing, we were able to simultaneously instant message, voice conference, transfer files and share clipboards.

Altiris Client Management Suite 5.6. Altiris, (888) 252-5551, (801) 226-8500.

If LANDesk's suite had patch management, it would have given Altiris' product a run for its money. As it is, LANDesk Management Suite represents the best deal among the products we tested, and it earns our Best Value award. However, price alone didn't buy the second-place spot: LANDesk is strong in inventory, alerts and license monitoring.

LANDesk's presentation of inventory, similar in appearance to the Windows Device Manager, was the best of the bunch. LANDesk was also the only product to do a BIOS dump. Although we're trying to figure out the usefulness of this feature in daily life--and LANDesk didn't have much to say beyond, "We can read it anyway, so why not?"--we don't see a compelling reason not to dump it, either.

The product's software scanning really impressed us: It let us grab config, batch or other text files in the software scan, as well as exclude selected directories. Registry keys can be scanned and reported as well. Best of all, creating custom form data (such as asking users for their phone numbers and mailing addresses) was a breeze. We could then be alerted to any changes in inventory, such as a decrease in RAM on any system. We also were able to set up network broadcasts, display Windows message boxes, send e-mail and pages, and run program alerts for events like failed software distributions or when new machines join a collection.LANDesk was the only product to allocate temporary software-distribution servers automatically. Unless you specify otherwise, when you deploy software to a subnet or remote office, the management server will find the fastest responder and download software to that node. Then all nearby nodes will download from there. This lets you conserve bandwidth while avoiding the need to manage and monitor distribution servers.

LANDesk's software-management module was similar to Altiris'. One feature that LANDesk supports is borrowing for downgraded licenses. For example, you can purchase licenses for Office 2000 that can be downgraded to cover Office 98. LANDesk reports show you when an Office 2000 license is being borrowed for an Office 98 install.

LANDesk Management Suite 7. LANDesk Software, (800) 982-2130, (800) 208-1500. www.landesk.comMarimba's product is well-rounded and has potential. And only Marimba offers X.509 certificate code signing and autodial modems for users who need to check in for an update.

We were pleased with the suite's access-control features: We created administrator accounts and read-only operator accounts based on LDAP groups. We also could target software to a specific user so that when the user logs in, the application is installed, and then subsequently uninstalled upon logout. This feature would be useful in, say, a classroom setting, though Marimba's implementation isn't as spiffy as that of ZENworks, which doesn't require uninstalling but denies unauthorized users.

Marimba uses Timbuktu for remote control, and we were satisfied with its features and capabilities.Marimba did lag behind rivals with its user interface and reporting. For instance, its scans of our Macintosh inventory didn't show the presence of a network card, input device or modem, all of which were present on our PowerBook. Its ability to drill down in reports is limited, and its reporting engine is incomplete and difficult to use. We received alerts only via SNMP when a software deployment failed, though we could get an e-mail when a change was made on a distribution server. Other downsides: Vendor aliasing support is not available, and access controls, beyond admin and operator status, are limited.

Marimba Desktop/Mobile Management 5.0. Marimba, (888) 800-5444, (650) 930-5282.

Microsoft SMS 2003 is a big step beyond the previous version, with support for roaming users, good patch management and improved reporting capabilities, but the product still has a way to go. For example, handheld support won't be available for six months after the final release of SMS 2003, and you can't use the remote control and chat at the same time.

SMS 2003 does not have alert capabilities, and Microsoft's is the only product not to offer client-server encryption, which is handy for sending confidential information to internal users. On the plus side, access-control lists, based on the AD users and groups, can be set up for just about every element or collection, and we were pleased to see patch-management capabilities.

The product was quite slow at times, with the admin console taking a few seconds to display even small sets of data, and deployed software taking 30 minutes to distribute instead of our polling interval of 5 minutes. This may be attributable to its beta status.

The pricing information Microsoft sent did not reflect our scenario. We gave SMS 2003 a score of 1 for price; however, even if SNS had scored a perfect 5, it would not have beat Altiris or LANDesk.Systems Management Server 2003. Microsoft Corp., (800) 426-9400, (425) 882-8080. Associates' product is a collection of integrated components, and does it show! We had to keep jumping from window to window to access different features of the suite. Unicenter was also the most expensive product we tested. And though the version of Unicenter we tested does not provide patch management, CA offers this functionality in its eTrust suite, which can be intergrated with Unicenter.

The Unicenter suite's ability to set access controls for each object and folder, roll back across all targets if an installation fails on any one and record remote-control sessions all add brownie points. However, these pluses couldn't overcome its lack of patch management, poor UI design and high price. CA's product also does not support HTTP communication and wouldn't let us specify not to distribute a package on a slow link.

Unicenter Software Delivery 4.0, Unicenter Asset Management 4.0, Unicenter Remote Control 6.0. Computer Associates International, (800) 225-5224, (631) 342-6000.

Novell ZENworks works with and authenticates against eDirectory, which replicates data from other directories, such as Active Directory. The product's DirXML component sends any changes made in AD to eDirectory. If you use AD for your directory services, this arrangement is less than optimal, but if you can get past that, or use eDirectory, ZENworks offers some cool features. It had the best lockdown capabilities, limiting application access to certain users and groups. Novell also is the only vendor to support Linux patch management, via Ximian Red Carpet, which the company recently acquired. We could configure ZENworks to run an application in thin-client mode when a user is on a slow network connection, and locally when on a fast connection.

If you manage mostly desktops and want to save a few bucks, you can purchase ZENworks for Desktops, which manages only PCs; the full ZENworks 6 suite includes server and handheld management.

To use ZENworks effectively, you'll need to be familiar with eDirectory, which is used to store and reference all policies. We found the reporting mechanism weak and difficult to interpret, and alerts are limited to SMNP and log files. However, if you purchase Crystal Reports Designer, which works with ZENworks, you can write custom reports.The product's remote-control software lacked instant messaging and shared-clipboard capabilities, and Linux-only patch management also brought down ZENworks' score.

Novell ZENworks 6. Novell, (888) 321-4272, (801) 861-7000. www.novell.comDespite its name and roots in managing mobile devices, Mobile Automation's desktop-management suite is a good first start, but it needs work.

We were disappointed in its lack of alert capabilities, limited license monitoring and lack of patch management. The suite did, however, offer some of the best self-healing capabilities of the products tested. We could fix any system setting and find missing files and registry keys. We were even able to reset VPN and dial-up configurations.

Mobile Automation has a few unique features, too. For example, lookup lists in its inventory reports let us replace values, such as 0, 1 or #CAEF, with other names or values. The inventory also can easily pull information from .ini configuration files.

In addition, we could announce the availability of a new software package via a desktop shortcut. The advertisement puts an icon on the end user's desktop; when the user double-clicks it, the package is downloaded and deployed. Alternatively, users can access a download-center Web page for self-service installations.Mobile Lifecycle Management Suite 5.2. Mobile Automation, (800) 344-1150, (310)

Michael J. DeMaria is an associate technology editor based at Network Computing's Real-World Labs® at Syracuse University. Write to him at [email protected].

Post a comment or question on this story.We ran our management server on a dual 2.4-GHz Xeon with 1 GB of RAM running Windows 2000 Server SP3. SQL 2000 was used as a database on the same machine. We ran client software on Windows 98SE, Windows 2000, Windows XP, Red Hat Linux and Macintosh machines. We used a Compaq ProLiant 400, Micron Millennia Pro and Dell GX1 for our legacy equipment test. An IBM ThinkCentre M50 and an S40 were used for testing on newer equipment. We used an IBM ThinkPad R40 and ThinkPad T40 for our remote users, and a PowerBook G4 running OS X 10.2.6 was employed for Macintosh compatibility testing.

An Active Directory domain running on Windows 2000 SP3 was used for authentication, and we employed a Windows 2000 box with routing enabled to simulate a remote branch-office link. Our remote office had as many as three nodes, while the main office had as many as eight. All devices were connected via Fast Ethernet.

We graded the vendors in 13 categories, broken down into four major areas: reporting, management, software distribution and price.• Reporting consists of all elements that involve informing the administrator of what's on his or her network. Inventory reflects the amount of detail reported both for hardware and software and ease of creating custom form data. Alerts refer to actions that can be taken when software distributions fail, inventory changes, new machines join the collective or any other event. License monitoring involves passive metering of how many products are installed across the network, and if you can specify in the admin console how many copies of a license you own.

• Management capabilities carry the most weight. We looked at helpdesk and Level 1 support features. This score reflects the interface, access control and abilities a front-line support person could take advantage of when using the suite. For example, can a front-line person quickly look up a user's PC, get inventory and then use remote control? For security options, we looked at access-control capabilities.

• Software distribution refers to controlling deployment to specific users, groups or workstations. We looked for Wake-on-LAN support, self-service installs, forced installs, expiring packages, rollback and scheduling.

• Price refers to the list price supplied by the vendors to determine price, taking into account all components tested and disclosed volume discounts. Note that these suites are generally modular--we tested and evaluated the products as the vendors shipped them to us; vendors used our invitation letter to determine which components to include.


Desktop Management Suites

your browser
is not Java

Welcome toNETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon

above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.

Click here for more information about our Interactive Report Card ®.From the Editors:

Due to an interactive report card constraint the following weights were changed. The alterations did not impact the outcome or grading, however.

  • Reports: From 10% to 11%

  • License Monitoring: From 7.5% to 7%

  • Alerts: From 2.5% to 2%

Trace Mike DeMaria's steps as he prepared for our Desktop Management Suites evaulation in our Syracuse Lab.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights