Hosted Desktop Management

A hosted desktop management suite automates routine IT tasks, so users benefit from improved tech support. But these suites aren't cheap. The winner of our RFI offered the

October 20, 2006

Network Computing

Desktop management is all about solving business problems and reducing the burden on IT. Desktop-management systems can be used to track inventory, distribute software, reduce network vulnerabilities and track software licenses in less time, and with less effort, than that needed in unmanaged environments. Still, conventional, on-site desktop management requires a significant investment in time, capital and knowledge. A hosted desktop-management setup reduces the upfront costs and removes some system implementation chores for IT staff.

Earlier this year, we tested low-cost desktop management suites (see "Node Control"). That review was framed around the efforts of a fictitious company, Last Spike Enterprises, the largest manufacturer, reseller and distributor of model railroad vegetation and livestock figurines. At the time, Last Spike had about 1,000 desktops, but since then, that number has grown to 2,200 desktops across six locations and hundreds of mobile workers. The company's growth could be unsustainable, however, and Last Spike might see a dramatic decrease in staff in the near future. The company is conservative with budgeting and hiring, so the thinly stretched IT department decided to consider hosted desktop management.

We sent a nine-page RFI to vendors of hosted desktop-management software and received responses from DirectPointe, Everdream and Getronics (see the complete RFI and responses below). All three have similar offerings, with the biggest differences found in access control, security and price. After our analysis, we awarded our Editor's Choice to Getronics' Future-Ready Workspace; it has the best combination of security controls, software-license monitoring, price and online backup capabilities. DirectPointe Complete Solution has a wide breadth of features but is expensive. Everdream's Compliance Services Suite and Uptime Services Suite are well-rounded, but their feature sets don't justify the price.

Roll Your Own?

Some organizations might consider developing their own desktop-management suite using the tools built into Windows, freely available software, scripting and light programming. We're not suggesting you code a whole suite from scratch, but you could replicate some of the components of a full-blown suite from existing tools. Active Directory offers tools for gathering inventory data and pushing out software. Microsoft WSUS (Windows Server Update Services) lets you set up a primitive but functional patch-management system. Windows XP Pro includes remote-control software. Typically, organizations have some level of desktop-management functionality within their login scripts, such as a mechanism to make sure the antivirus engine is running, so the concept of building a customized system isn't completely foreign.

Still, there are disadvantages to such an approach. Foremost is the significant development time and money required. Then there's the potential brain drain--if the lead programmer leaves the company, you may be stuck with a system that no one else can modify. Other disadvantages: The feature set likely won't be broad, and the inventory and system data gathered through Active Directory won't be as detailed as that from even a mediocre desktop-management suite. Each component may be loosely integrated, with a lack of consistency or shared resources. In contrast, with a commercial system, a tech-support person can look at inventory data, switch to a remote-control session, then deploy a software package all from the same console. In a DIY solution, this setup isn't as easy. Homegrown systems also can suffer from scalability problems and may require constant programming tweaks to deal with changing APIs, file locations and registry settings as applications and OSs rev. For all these reasons, we recommend against a homegrown solution for most enterprises.

Download the RFI and RFI Responses by clicking on the links below:

Request for Information (RFI) On Outsourced Desktop Management
Direct Pointe RFI Response

Everdream RFI Response

Desktop Infobox RFI Response

Getronics RFI Response

Commercial Options

Full-blown commercial suites sacrifice customization in favor of convenience. Such programs offer a wide variety of features, but customization, such as generating a custom report from the SQL database, must be accomplished through plug-ins or API hooks.

Some products handle only inventory or patch management and may not integrate well with other point products. Roles and permissions typically won't be replicated between products, and each piece may require its own client program, adding to bloat and maintenance costs. In addition, a few point products have morphed into full suites, and some tools have been licensed to other vendors. Tally Systems used to make a great standalone inventory tool called TS.Census, for example. But the company was purchased by Novell and the technology is now part of ZenWorks. And WinInstall once was a software-packaging program--now it's part of a desktop-management suite offered by OnDemand Software.

We expect such consolidation to continue, as an integrated approach is highly attractive, especially among patch-management and mobile-device-management vendors. When choosing a suite, check that the components are all seamlessly accessible from the same console, use the same naming conventions and honor the role-based permissions.

Hosts With The Most

Hosted desktop-management systems offer features and control similar to conventional on-site suites yet remove the burden of maintaining the necessary infrastructure. Benefits of the hosted model include guaranteed levels of service and availability, the ability to increase or decrease usage levels as needed, easy support for remote workers and a reduction in related IT workload (for a feature-by-feature comparison of internally developed, commercial and hosted desktop management, go to nwc.com/2006/1026toc).

The quotes we received in response to our RFI are significantly higher than those for low-cost licensed desktop-management suites. The winner of the Editor's Choice award in the low-cost desktop management review, ScriptLogic, gave us a price of $30,299 with $7,600 in maintenance for 1,000 nodes. Extrapolated to 2,200 nodes, a first-year outlay would be about $75,000, without taking into account any additional volume discounts. That's about two months' worth of service from the cheapest hosted provider.

The price quotes for a hosted solution look quite expensive compared with a low-cost on-site solution, and in some ways, that's a fair assessment. But adding in the costs of hardware, maintenance and upgrades (as well as the cost of running a helpdesk) raises the TCO of an on-site solution considerably. A hosted service removes some hard and soft costs inherent in a commercial on-site suite. Hosted solutions obviate hardware for management servers and require fewer IT hours for maintenance. Remote workers can be managed without an active VPN tunnel. And on-site solutions with data-backup services require building and maintaining a large central storage system. The manpower required to plan, implement and test a distributed on-site solution translates into higher actual costs. Midsize businesses with just one or two locations and no remote users won't need to spend as much time worrying about infrastructure needs, and should at least consider a low-cost on-site solution.

Outsourcing your Level 1 helpdesk also can help reduce costs. A typical IT helpdesk employee earns around $40,000, depending on location (see NWC 2006 Salary Advisor). Take into account taxes, benefits and overhead, and that helpdesk employee costs approximately $60,000 per year. Getronics' price quote for Last Spike assumes 13,200 calls per year, or approximately 36 calls per day, equivalent to two helpdesk positions, or $120,000 per year.

Rich Features

We graded the RFI participants in four major areas: reporting, software distribution, management and price (see suites comparison at right). All the vendors offer similar feature sets (much like those in an on-site suite), with only a few key differences. Each offers similar inventory capabilities. DirectPointe Complete Solution and Everdream Compliance Services Suite and Uptime Services Suite can track inventory changes over time, to see what was upgraded or changed. All three products can perform a complete file listing of managed client machines, though this feature is not enabled by default. Everdream's and Getronics' products can scan registry information. DirectPointe can display registry information during a tech-support session. All the products also track leased hardware. Lease information, renewal dates and cost can all be stored in the database.

» REPORTING
All three systems we evaluated can inform admins of an unauthorized software installation, but none can alert the instant unauthorized software is detected. DirectPointe claims this functionality can be developed through its product's internal reporting engine. You may be able to limit software execution through a desktop-security product, such as a personal firewall. Such an approach will function outside the scope of the desktop-management suite, but it's a good alternative. Desktop-management suites, while able to report on certain vulnerabilities, aren't designed for active and robust security functions.

Getronics' Future-Ready Workspace has the best software-license monitoring of the systems we examined. It can store serial number, purchase order and license expiration data. Everdream's and Getronics' products support site licenses. Getronics also supports downgrade license borrowing (when a license for one version of a product is considered valid for a previous version).

» SOFTWARE DISTRIBUTION
As to software deployment, on-site desktop-management suites have the edge over hosted software on the LAN, though hosted works better for remote users. Packages and patches are big and can easily be several hundred megabytes--Windows XP Service Pack 2 is 266 MB. Even with an on-site suite, the problem is how to deploy such data without overloading the network. One solution is to send the updates overnight. In a normal 9-to-5 company, this is the best approach to reduce impact on network performance, but it will delay the time it takes to get software to users. Another rationale for nighttime deployment: Branch offices typically have slower Internet connections than company headquarters, and deploying software to a few machines during the day can saturate the link.

The best model for LAN deployment--no matter which type of desktop-management system is implemented--is a central site with multiple distribution points scattered in strategic locations. Software is pushed out to the distribution point, which then fans it out to clients. In this instance, a software package is downloaded just once to a remote office and then is made available locally for other users in that broadcast domain. Altiris and LANDesk, two of the biggest names in on-site desktop management, offer products that handle this very well, even going as far as automatically configuring ad hoc distribution points to optimize bandwidth usage. The hosted vendors' suites aren't as advanced. They all let you use local distribution points, but you must create these points.

WAN software deployment is better with hosted services. Remote clients connect to the hosted provider's data center and download from there. In an on-site situation, the download originates from inside the corporate LAN, putting extra strain on the company's Internet connection. All client communications must be routed to a distribution point, so the client must connect to the enterprise's LAN. Clients can operate in disconnected mode but cannot send information or receive new tasks. A hosted model creates a distribution point in the Internet cloud, so clients can send or receive data more frequently, since doing so doesn't rely on a user establishing a VPN tunnel. In the Last Spike scenario, with 450 remote workers, off-loading the bandwidth for package downloads is advantageous.

Preparing and packaging an application for deployment can be handled by the internal IT staff or the hosting vendor. Everdream provides best practices, training documentation and videos. It also offers a service that will build packages, but at an extra cost. DirectPointe packages apps for its customers, then places the installers on a shared directory on the customer's network. On-site desktop management requires the IT department to handle packaging exclusively. Packaging custom software, especially software that does not have a standard MSI installer or that requires snapshot installs, is a bit of extra work. For conventional commercial desktop-management products, packaging an MSI-based application is as simple as running a wizard. Nonstandard installers, especially snapshot installs, require that you take a baseline scan of the system, install the application, then rescan the system to see what has changed. The install script may need to be modified to ensure proper order of operations. Packaging through a hosting provider will save some time and effort, though the savings won't be significant.
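The baseline-scan, install, rescan procedure for snapshot packaging, sketched as an added example (not code from the article or from any vendor reviewed here). It covers files only, not the registry; the application name, file names and the "review" step labels are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative path: SHA-256} for every regular file under root."""
    root = Path(root)
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip links and special files
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[path.relative_to(root).as_posix()] = digest.hexdigest()
    return state


def diff_snapshots(before, after):
    """Compare a baseline scan with a post-install rescan."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def build_manifest(change):
    """Order the package steps: new files first (shallow paths before deep
    ones), then changes to files that already existed on the baseline.
    Overwrites and deletions are flagged for review because they touch
    files other applications may depend on."""
    steps = [("copy", p)
             for p in sorted(change["added"], key=lambda p: (p.count("/"), p))]
    steps += [("overwrite-review", p) for p in change["modified"]]
    steps += [("delete-review", p) for p in change["removed"]]
    return steps


def demo():
    """Run the three-step procedure against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline system.
        (root / "Windows" / "System32").mkdir(parents=True)
        (root / "Windows" / "System32" / "shared.dll").write_bytes(b"v1")
        (root / "Windows" / "win.ini").write_text("[fonts]\n")
        before = snapshot(root)                      # 1. baseline scan

        # 2. Simulated installer for a hypothetical app, "TrackPlanner":
        #    drops a new executable and replaces a shared library.
        app_dir = root / "Program Files" / "TrackPlanner"
        app_dir.mkdir(parents=True)
        (app_dir / "app.exe").write_bytes(b"constructed sample binary")
        (root / "Windows" / "System32" / "shared.dll").write_bytes(b"v2")

        after = snapshot(root)                       # 3. rescan
        change = diff_snapshots(before, after)
        return change, build_manifest(change)


if __name__ == "__main__":
    change, manifest = demo()
    for action, path in manifest:
        print(f"{action:17} {path}")
```
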

» MANAGEMENT
Patch and vulnerability management is an important component of desktop management. All the hosted vendors can deploy Microsoft Windows patches; third-party and custom patches are sent through the software-distribution mechanism. We've seen considerable movement, mostly from the larger on-site desktop-management vendors, into the vulnerability-management arena. LANDesk has been a pioneer in this field, integrating spyware detection into its product line. Only DirectPointe offers vulnerability detection. Its service can determine whether antivirus or antispyware products are installed, whether the definitions file is up-to-date, and whether the endpoint complies with your security policy. Getronics Future-Ready Workspace can lock down USB ports, which is helpful in preventing information leaks through removable media, such as flash drives or MP3 players.

Some day there'll be no distinction between desktop management, patch management and vulnerability management. It doesn't make sense to treat these as separate entities since the process of detecting and closing vulnerabilities mirrors that of desktop management, and maintaining two systems that do similar things is inefficient. Going forward, expect greater security capabilities--including spyware detection, antivirus support and baseline security verification--to be integrated into desktop-management suites. Also expect better support for Active Directory GPOs (Group Policy Objects); they are handled poorly by many desktop-management products today, with ScriptLogic being a notable exception. Because Active Directory has a number of handy policy-related options, we expect admins to continue taking advantage of AD GPO. Most desktop-management products do not replicate the functionality of GPO, such as controlling password policies, authorized software or login screen settings. The built-in Active Directory configuration tools are OK on their own, so this has slowed down the adoption of Active Directory GPO in desktop-management suites.

All the hosted systems offer remote-control capabilities. Everdream also supports remote file send and print, as well as chat, session recording, screen capture and automatic reconnect after a reboot. A hosted helpdesk service from Everdream is available for $20 to $25 per user--a figure not included in the price the company quoted. Getronics offers a Level 1 helpdesk as part of its quoted price. It also offers Level 2 and 3 support as optional services. DirectPointe also included hosted helpdesk services as part of its price quote.

Because desktop backup off-loads storage from the corporate network, it's another area where the hosted applications excel compared with the on-site systems; in terms of available features, there's not much difference: User data is periodically sent to a central location, and, in some cases, historical files are maintained. Administrators can choose to back up all data, or just select files and folders. But the hosted model's ability to obviate a large disk array can translate into considerable savings. If Last Spike's 2,200 users each required 1 GB of backup space, for instance, that would amount to about 2 TB, which would cost several thousand dollars per year for maintenance, hardware and backup tapes. DirectPointe offered 20 GB of backup space per user in its quote, while Everdream offered only 5 GB. Getronics offered a paltry 120 MB per user by default. More is always nice, but 5 GB should be sufficient for most users.

We were disappointed that Everdream doesn't offer LDAP or Active Directory integration, for creating computer groups or for role-based access control, though the company says such integration is on its road map for next quarter. But importing data into Everdream from Active Directory is possible. And, during the agent install, you can insert a pop-up registration screen for gathering user contact information. DirectPointe Complete Solution has a similar function: Active Directory data is exported, used to create administrative users, then is manually synchronized going forward. Getronics also supports Active Directory and lets you control which suite features are available to each admin.

We were pleased by the level of encryption among the hosted products. Everdream and Getronics encrypt client-server communications. DirectPointe encrypts only backup and tech-support communications. Likewise, not all data is stored in an encrypted format on the hosted servers. With the DirectPointe and Everdream systems, for example, backup data and login names/passwords are encrypted, but inventory is not. Only Getronics claims to encrypt all customer data.

» PRICE
Price varied greatly among the vendors. For Last Spike, Getronics was the cheapest, at $33,000 per month, which includes a Level 1 helpdesk service. Everdream would cost Last Spike $74,800 per month. DirectPointe offered a fully outsourced Level 1 and 2 help-desk service with its product, which costs about a third of the overall price quote. DirectPointe's total submitted price was $94,358 per month. Removing the helpdesk services from the equation, the price drops to $66,484 per month.

Large organizations should consider a first-tier on-site desktop-management suite. Distributed companies with many remote workers may discover that a hosted solution is a better bet over the long run. Companies with an unpredictable number of desktops, such as those with seasonal growth periods, may also want to choose a hosted solution, since it would allow those companies to avoid overbuilding a central management server. It is possible to go with a hybrid model, where you use an on-site solution for LAN and a hosted model for remote or expansion users, but this would mean you'd lose out on volume discounts and there may be poor to no integration between the two.

Scenario: NWC Reports: Hosted Desktop Management

To participate in our RFI, vendors had to offer a non-beta, hosted desktop-management suite that would be available to customers by Nov. 9, 2006. We required client support for Windows XP Pro. The suite had to perform inventory scanning, software distribution, software license monitoring and patch management, and it needed to work with dynamic and unpredictable IP addresses.

RESULTS

All vendors offer similar features in their basic suites. We found differentiation in security and price. Our Editor's Choice, Getronics' Future-Ready Workspace, has excellent license monitoring, encryption, platform support and desktop backup capabilities. Everdream's suites don't have LDAP/Active Directory integration. DirectPointe has well-rounded features, especially for desktop backup, access control, helpdesk and license monitoring, but its price and lack of encryption on all communication weighed against it.

PARTICIPATING VENDORS

[Figure: Desktop Management Options]

DirectPointe, Everdream, Getronics

TESTING SCENARIO

Our fictitious company, Last Spike Enterprises, is a midsize business that produces model railroad vegetation and livestock figurines. The company has seen a massive explosion of growth since March, more than doubling in size to 2,500 employees; not every employee needs his own machine, however, and the IT staff supports a total of 2,200 desktops and laptops. The group has not been able to keep up with the rate of growth, and existing desktop-management techniques have been insufficient. The company has a central office with 2,000 workers. Five branch offices are connected to the corporate network over business-class DSL and an IPsec-based VPN. Each branch has 10 desktop computers. Another 450 employees are remote workers with company-owned laptops, which also connect to the corporate network over an IPsec-based VPN.

Last Spike's IT staff is distributed. Individual departments are responsible for routine tasks and basic tech support, with a small central group that handles management issues, backbone infrastructure, policy and advanced tech support. A companywide Active Directory domain has been deployed successfully. The lack of a centralized system for ordering new software has Last Spike concerned about the results of a software-license audit.

Find our complete analysis of the RFI submissions at NWCReports.com.

SCORING CRITERIA

We graded across 10 areas. Reporting accounted for 15 percent of the score, with software licensing having the heaviest weight--license compliance is key to avoid costly litigation and overspending on software. Software distribution accounted for 30 percent of the grade, split among architecture, patch and vulnerability management, and desktop backup. The management category was assigned the highest importance in our rankings. This broad category includes other features not mentioned above: role-based access control, platform support, tech-support features and security. Role-based access control is vitally important for Last Spike's distributed IT staff. We considered platform support, though the majority of Last Spike's systems are Windows-based. Tech support is also important to Last Spike, as is security, with data being stored and sent to Internet-based hosting providers. Finally, price accounted for 20 percent of the grade, and we based our score on one year of service with support and maintenance.

Getronics Future-Ready Workspace

An extensive and detailed response helps set Getronics Future-Ready Workspace apart from the competition. We found the product's license monitoring, desktop backup and security features to be among the best in our review, and the price was just right. Fifteen dollars per user per month is a small amount to spend for the time saved through automation, online backup and closed security holes. The quoted offering is based on a three-year contract and includes Level 1 helpdesk services, assuming six calls per user per year.

Future-Ready Workspace has a wide range of security features that pleased our scenario company, Last Spike. All client-server communications are encrypted with SSL, and inventory databases can be encrypted upon request. On the desktop side, Getronics supports vulnerability scanning and lockdown of USB ports. The company also offers additional security consulting services that can be purchased separately, such as IT security strategy and risk analysis, benchmarking against best practices, vulnerability assessment, penetration testing, wireless assessment, code and network design review, as well as system and device setting tweaking.

With Future-Ready Workspace, tasks such as deploying software or updating inventory data can be pushed out to clients on an ad-hoc basis or pulled down at regular intervals. Patches are deployed through the push mechanism. Users can postpone a required reboot, and administrators can specify a limit to the grace period. Users can also connect to a self-service portal and initiate downloads of optional software. Remote workers can take advantage of checkpoint restarts and bandwidth throttling when connected to slower networks. Future-Ready Workspace also offers the ability to burn an installer CD, for situations where Internet-based downloads would be too slow or impractical. In this case, an administrator would create a software package and download a copy to his local machine. The admin would then create the CDs and mail them to users.

Future-Ready Workspace's asset management component allows for tracking PCs, leased property and other equipment. Networked devices can be discovered through SNMP and recorded in the asset database. Non-networked devices can be entered into the management component manually. Other information--including physical location, owner department, owner contact, warranty end-date, purchase price, purchase order number and so forth--can be stored.

In addition, nearly every option we could think of to track software licenses was supported. The only license type not supported by Getronics is concurrent usage, though this type of licensing is becoming increasingly rare so the lack of such a feature is not critical. We were happy to see support for license downgrading, though this relies on manual reconciliation using automated reports. License downgrading refers to when a license for one version of a product is considered valid for a previous version. For example, an individual license for Office XP would be valid for an individual installation of Office 2000.

DirectPointe Complete Solution

DirectPointe's Complete Solution has a rich feature set, and the company offers optional professional services. Other optional services include those for network infrastructure, antivirus, Active Directory, Exchange, SQL, Web and DNS management. We found the reporting, patch management, desktop backup and tech-support features in Complete Solution to be very good, but the product's high price tag is a big drawback. At more than $1 million per year for 2,200 seats, DirectPointe is the most expensive desktop management product we've reviewed.

Both push and pull deployment models are available with DirectPointe's service. Clients can pull tasks as often as every 15 minutes. The push deployment employs a unique technique: One machine on the LAN is designated as a delegate machine. This node maintains a connection with the Complete Solution management portal. When an update occurs, information about the update is passed to the delegate machine, and then the delegate machine informs clients that an update is available. The clients then check with the management portal to find out what task they should run. Software packages can be stored on a specified shared directory on the LAN, or they can be downloaded across the Internet. The only exception to this convention is for patch management: The delegate machine will receive a copy of the patch, and clients download directly from the delegate.

A robust backup and restore system is also part of Complete Solution, and users can even restore data without having to contact the helpdesk. One feature allows users to download data that was backed up from a computer other than their own, in case they are located at a computer that isn't their normal desktop, though this feature can be turned off if security policy demands it. DirectPointe is very generous with disk space, giving each user 20 GB of online storage. Not many users will require this much space, but having so much space available is certainly convenient.

Everdream Compliance Services Suite And Uptime Services Suite

Although Everdream's Compliance Services Suite and Uptime Services Suite have enough features to be competitive with low-cost, on-site desktop management suites, they didn't stack up as well in this review. We were especially disappointed by the high price tag: $74,800 per month for 2,200 users. Everdream's suites are cheaper than DirectPointe, but the company didn't include Level 1 helpdesk services in the price quote--though such services are available for an extra fee. Other optional services include theft recovery and McAfee virus protection. In addition, the company's software deployment model is pull-only.

Everdream's software license monitoring was also weaker than its competitors'. The suites support recording of serial number, purchase order, price, license expiration, per-seat licenses and site licenses. There is no support for downgrade license borrowing. Reports can be generated to show the state of software license compliance and software usage per user.

There are some pretty spiffy helpdesk features available from Everdream and included with the suite. Technicians can initiate operations such as remote file send, remote print, live chat, record sessions, force reboot and install software during a session. Connections are made using HTTP or HTTPS, which allows for penetration of most firewalls and NAT devices.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].
