Desktop Management Product Analysis Roundup

We performed extensive tests on seven desktop management suites. Although Altiris' Client Management Suite trotted into first place, one competitor was just a gallop away, thanks to superior patch management,

March 25, 2005

24 Min Read
Network Computing logo

• Reporting: Without a solid reporting engine, forget effective and efficient desktop management. We looked at the depth of both software and hardware scans as well as presentation, and ran reports ranging from high level across the entire organization to a per-machine basis. Hardware reports let you determine whether PCs are up to task for the next major OS release, how much disk space employees use and which departments are most in need of upgrades. Software reports can show version numbers, who has what installed and who is using select pieces of software. Because we knew our test clients' hardware configuration, we could determine the accuracy of inventory reports. We also kept strict control over what software was installed on the clients to check inventory and license monitoring.

We were disappointed with the reporting on systems with hyperthreading-enabled Xeon processors. We installed test products on boxes with dual Xeons. LANDesk and iPass reported these as having only two processors. OnDemand and Vector showed four. Microsoft showed three processors in CPU Slot 1 and one processor in CPU Slot 2. Altiris showed two processors in some reports, and four in others. Tally reported two "Pentium 4 Xeon with HT Technology." Which was correct? Technically, everyone and no one. Hyperthreading turns a single physical Xeon processor into two actual Xeon processors. What we wanted to see in a report was, "2 physical processors, 4 logical." Tally came closest in reporting this correctly.

Note that all products require agent software installed on every node for full functionality.

Vendors at a GlanceClick to Enlarge

• Software Distribution: Four subcategories made up the bulk of the score; key among them were patch and vulnerability management. We depended on the software-distribution features to fix vulnerabilities by pushing out patches, antivirus products and virus definitions. We wouldn't want to depend on a desktop-management suite as our main line of defense, but they all nicely complimented our existing security products.

We rated patch-management capabilities by comparing the suites' listed vulnerabilities to those on Microsoft's Windows Update site. LANDesk was ahead of the pack here--its LANDesk Management Suite checked for missing patches, like the other products did, but it also looked at configuration settings and detected spyware. LANDesk's suite had the most robust system support, offering patch management for Windows, Linux, Sun Solaris and Mac OS X. Reboot control was also an important consideration, so we looked into ways to force, require or notify users about pending reboots. LANDesk once again came out on top.

We were disappointed with Vector's and OnDemand's patch management. Vector's PCDuo relies on Windows SUS (Software Update Service), so we couldn't target patches to specific machine groups, and reporting options were limited. OnDemand's Desktop Availability Suite was worse: The documentation says, "You must know what machines you need to patch." That's a bit like saying, "In case you're drowning, learn how to swim."

We looked closely at rollback, backup and migration capabilities. Unfortunately, only Altiris and Novell have good stories to tell. Altiris' cool and efficient desktop backup component, as well as its ability to test whether a widespread installation will succeed before actual deployment, gives that product a slight edge over LANDesk's. In addition, Altiris' product is the only one to offer true rollback capabilities. Being able to do a package uninstall is handy, but it isn't helpful if an install trashes the entire system. Altiris offers, in addition to desktop backup, support for disk imaging.

LANDesk supports imaging through third-party vendors, while OnDemand offers what it calls "personality transfers." We could back up user-specific files, such as program settings, address books and URLs, to a central server to be restored later. Novell's ZENworks let us do imaging and integration with its iFolder, a centralized network storage point for user files, and we could synchronize with local user drives in near real time.• Management: This category encompasses the most eclectic spread of features. Role-based security accounted for 10 percent of a product's overall score. Role-based administration can be valuable. For example, you may not want low-level techs remotely viewing or installing software on the HR computers. In addition, role and scope settings are handy in decentralized administration environments. We also tested the ability to grant and revoke full admin rights on the fly.

Destop Management Suite FeaturesClick to Enlarge

Altiris, Novell and Microsoft dominated the landscape here. Microsoft's product let us set administration, creation, deletion, read and modify settings on nine different functions. Users and groups were pulled directly from Active Directory, and we could impose settings for each computer group and replicate settings from one group to another. Altiris supports inherited group access control, whereby a user or collection of workstations that is a subgroup of another collection can have rights inherited or overridden from the parent collection. Novell, through eDirectory, allows for similarly granular access control.

According to our poll, our readers consider remote control nearly as important as license monitoring, so we made it a scoring line item. Here, we were most impressed with Vector's product, which it sells as a standalone remote-control system. Aside from the standard collaboration features of screen sharing, file transfer and remote execute, we found a host of unique capabilities; for example, we could capture a print job executed on a remote machine and output it to any printer. Altiris is the only other vendor to offer a similar function. Vector also has multiuser chat rooms that let us send one-way messages and record screen-sharing sessions for later playback. Both the Vector and LANDesk products let us doodle on a remote machine--we were channeling John Madden in no time. All the other products provide only basic functionality, except for OnDemand's, which doesn't offer any remote control.

Finally, we looked at price, and this is where reality and reader desires diverge: Only 17 percent of those polled are willing to pay more than $50 per seat, yet our Editor's Choice starts at $92 per node; a 10,000-node volume discount only brought us down to $63. Offerings from OnDemand, iPass and Vector were priced below $50, but all three had less functionality compared with their more expensive brethren.Cheap desktop management is better than none. But the superior patch-management and role-based security functions found in top-end desktop-management products are worth the extra expense in larger environments. And, there are ways to lessen the sting. Volume discounts are always available, and you may be able to negotiate out functionality for a reduced price. Vector says it offers nearly 40 pricing combinations, letting customers pick and choose features as needed. LANDesk offers a product version that strips out all functions except patch management, and Tally can do software licensing separate from the rest of the desktop-management suite. If you have exclusively Windows XP systems, you can use terminal services instead of a suite's remote-control functions.

Ultimately, we had four classes of desktop management: Altiris and LANDesk are at the forefront of desktop-management innovation. Microsoft and Novell have years of desktop-management experience in large enterprises and, though not on the cutting edge, their products are mature and time-tested. Tally's and iPass' offerings would be competitive in a midsize business; they lack reboot control, helpdesk support and fine granularity over role-based administration, but such features are less vital in small organizations. OnDemand's and Vector's entries are lacking some important functionality, but smaller businesses seeking low-cost desktop-management might find they fill the bill.

For the second time in as many major desktop-management reviews, our Editor's Choice award goes to Altiris ... but just barely. LANDesk closed the gap to a mere 0.05 points and, in fact, surpassed Altiris in patch management, OS support and license monitoring. Microsoft hangs on to the third-place spot on the strength of its role-based access control and reasonable price.

Although we want to see improved vulnerability-assessment capabilities, Altiris CMS offers the best range of features and fulfilled all our requirements. Its easy-to-use interface, granular access control and desktop backup prowess earned Altiris our Editor's Choice award.

The suite's basic user interface has changed considerably--and for the better--since our last roundup. For example, related tasks, such as setting configuration options, are now grouped together under master categories. We could create role and scope settings for just about every function and collection of computers; CMS supports inherited policies when creating access control subgroups. Its Web console however, is sluggish. Performance has improved with the recently released service pack, but the console still needs optimization. Loading pages was irritatingly slow at times.But the product's desktop backup functionality was its most unique feature--no other vendor does backup at this level. In tests, we took a live snapshot of a standard Windows XP install and saved it to a central server; the backup took up just 1.2 GB. Not only was the data compressed, redundant files and segments of files were eliminated. When we backed up a second XP system, it used only 25 MB of additional space. Users can access backup information for their own rollback or file restore. To test this, we deleted a file from the documents directory and altered a second file; we easily restored both to original condition within minutes. Admins can create restore CDs from the central console if a user on a slow link needs a full system restore. Personality migration, for transporting a user from one machine to another, also worked well in tests. Although several other vendors offer this feature, only CMS detected duplicate data.

We also found a number of features that will make tech support personnel salivate. Aside from remote control, text and audio conferencing, we could monitor and manipulate processes. We initiated applications, managed printers, rebooted, performed a port scan, ran a traceroute from console to host and restarted services. A password-reset feature made resetting local or domain account passwords a breeze.

Since our last review, Altiris purchased Wise Package Studio--a smart investment. We created software packages inside Wise, then checked for compatibility problems before deployment. We also could perform a "preflight check," where a package is distributed and simulates being installed. This method is designed to catch conflicts so admins can take corrective steps before committing--as we all know only too well, even slight variations among PCs in software installed, patch levels and hardware can cause an install to fail. Although putting an installer through a test environment can catch many potential problems, no test bed can accurately simulate the conditions of your whole enterprise. Performing a system backup, then checking for conflicts before installing software is a best practice.

Altiris Client Management Suite 6.0. Altiris, (888) 252-5551, (801) 226-8500.

LANDesk Management Suite scored very high in our review, thanks to good vulnerability management, inventory reporting and license monitoring, almost on a par with archrival Altiris. But Altiris CMS' slightly more granular access control plus better user migration support and tech-support features kept it on top.

LANDesk Management Suite has a new, simpler console interface that uses tabbed and pinned windows, and it was easy to create workspaces. We simply picked which windows we wanted open, set their locations and saved the configuration. Later, we could re-create that same workspace, which let us organize windows around our tasks, not the interface. The main console is a Win32 application, but Web reports are available as well.LANDesk had, by far, the best patch and vulnerability management. Not only could we perform patch management on our Windows, Linux, Mac OS X and Solaris machines, but LANDesk could detect Windows spyware. We were also impressed with the level of reboot control when installing patches and software. Some patches require a reboot to function, but you don't want to interrupt a user in the middle of productive inspiration. With LANDesk, we could create custom messages to the end user; give the user a "snooze alarm," delaying a reboot; or let the user cancel.

A module called "connection control manager" was likewise unique among our players. It let us disable USB ports, removable media drives, modems and wireless and Bluetooth connections on a per-machine basis. There's also an option to disable USB devices, except for keyboards and mice. No other vendor offered hardware lockdown capabilities. When we tested USB blocking with a removable flash drive, we noticed that blocking is not done in real time; instead, LANDesk polled the device for a set interval of minutes. We were able to use the drive for a few seconds before it shut down. This may inspire employees to act in accordance with IT policies, but we'd need to see immediate blocking to consider this a truly effective security procedure.LANDesk also offers a unique method of software distribution: It automatically divided our network by subnets and created temporary distribution servers. End clients pulled software from the distribution server instead of across the WAN, and any client with a LANDesk agent could become a distribution point.

LANDesk Management Suite 8.5 with LANDesk Patch Manager 8.5. LANDesk Software, (800) 982-2130, (801) 208-1500.

In the battle for third, Microsoft SMS beat out Novell chiefly because of price--Microsoft's product was the least expensive of the enterprise-caliber players, though sadly, not free, as many believe. (SUS has no relationship to SMS.) Unfortunately, we couldn't pry loose information about volume discounts, so the actual street price is likely even lower than what's listed here.

The downsides are that SMS does not come with a software packaging environment, and we weren't impressed with its rollback capabilities or, surprisingly, license monitoring. SMS 2003 will work only in an Active Directory environment and may require extending the AD schema.

The bright side? SMS offers excellent reporting, access-control and tech-support features, and its role-based administration is first-rate. We defined create, delete, read, modify and administer privileges for domain users and groups. Permissions from one user/group can be copied to another, and controls can be placed on a per-group basis. Users and groups were pulled from AD. We would have liked to see integration with AD group policies as well, since it's a Microsoft product! None of the desktop-management suites tested support AD group policy management.Microsoft's Web reports were the most impressive of the products tested, though Altiris offered decent drill-down capabilities as well. In tests, we ran a report listing all software installed across all our machines. We clicked on one particular program and saw all the machines that had that program installed. We then drilled down to find complete inventory data for each machine.

We also liked the inventory change log. Previous changes are date-stamped, and it was easy to see what had changed in addition to the latest info. It was a bit difficult comparing existing changes to the current configuration, but none of the other products offer such a detailed change display.SMS also has the best diagnostics and tech-support components. We could perform remote control using an included client or via terminal services on Windows XP and easily see the current network settings, print jobs, running tasks and IE settings through the SMS administration console. Event logs are pulled in real time from the client. Also unique to SMS is remote performance monitoring. We could set alerts for performance thresholds as well; for example, if a user complained about his or her machine being slow, you could set up alerts for CPU and RAM utilization, instead of having to wait for the user to notice a problem and call it in.

Systems Management Server 2003. Microsoft Corp., (800) 426-9400, (425) 882-8080.

You don't need to have a Novell shop to use ZENworks, but non-Novell environments will face some challenges. For example, ZEN uses and integrates directly with eDirectory, so you'll have to train admins on how to use it. If you want to target software to specific users as defined in AD, you must install components that synchronize data between AD and eDirectory. Novell shops, on the other hand, should consider ZENworks, though it's expensive.

Novell licenses several components from other vendors; for example, an OEM copy of PatchLink handles patch management--Novell just changed the logo. In our tests, patch management was handled completely outside of the ZENworks environment. We had to re-create computer groups and ACLs, and install additional client agents. The nonintegrated nature of this beast ate way too much time, but it was worth it because ZENworks' patch-management capabilities were among the best tested. Other plusses: wide support for third party and non-Microsoft patches and extensive reboot control options that let us set reboot snooze limits.

Desktop migration is performed through Miramar Systems' Desktop DNA. We could back up user and network settings, files and folders to a central server. Novell, like Altiris, also supports disk imaging, and its iFolder product let us synchronize data between a client machine and our network server.

ZENworks takes a slightly different approach to software distribution. We could target software to workstations, users or groups; users were presented with a folder on the desktop listing all available programs, whether currently installed or not. If we chose an installed program, it ran as expected. If the program wasn't installed, it was immediately downloaded and installed.ZENworks' shortcomings show up in remote control and tech support. We missed advanced collaboration features like chat and audio conferencing, and the inventory data is not as detailed as that the other products provide. We also found the reporting engine difficult to use and reports hard to interpret.

Novell ZENworks Desktop Management. Novell, (888) 321-4272, (781) 464-8000.

Tally's desktop-management product comprises an inventory and software-license-monitoring application called Census and a desktop-management piece called Cenergy. Cenergy looked very familiar; after some investigation we discovered that Tally licensed Mobile Automation's product, now owned by iPass. So, not surprisingly, Tally and iPass have similar grades. The main differences between the two came down to inventory, reports, license monitoring, OS support and price: Tally supports Linux and Solaris, iPass does not. Tally also charges a lot more, tying with ZENworks as the most expensive product.

Census runs separately from Cenergy, requiring different consoles and management. We would have preferred a unified environment. Despite this limitation, Tally offered the best software detection in our tests. It maintains a list of signatures for several thousand programs, improving accuracy during software inventory and offering improved and clarified reports, especially with version numbers. We could break down application usage by machine, user or product, and group software by genre, such as accounting, development and scientific programs. The license-monitoring components also offer support for entering purchase details and authorizations. Still, these advantages couldn't outweigh the greater functionality offered by the top competitors. Improved reboot control, tech-support features, a unified console and, most especially, a price cut would have helped the product secure a better finish.

TS.Census 3.2; Cenergy Client Management Suite 4. Tally Systems Corp., (800) 262-3877, (603) 643-1300.

We found iPass' product, like Tally's, better suited for small or midsize businesses with fewer users to manage. For example, MLMS' role-based access control is limited compared with competitors. We placed users into management units, or groups, then assigned these units access control rights. A user can be in multiple management units, but a PC can belong to only one.Helpdesk components are rather weak. In remote control mode, we could do chats, but not file or clipboard sharing. We could see running tasks, loaded modules, services and the NT event log, but found inventory data poorly presented, and we had limited Web reports.

On the plus side, patch management worked well. We saw which patches were required, downloaded them as needed and installed them to all affected machines. There's even an option to shut down the Microsoft SQL or IIS service first. We do want to see better reboot control, however. Our users couldn't delay reboots--a five-minute countdown is presented, and then the system forces a reboot. We left an unsaved document open at the end of the countdown, just to see what would happen. A save/cancel box appeared for about 15 seconds before the program force quit.

IPass includes a packaging environment that feels more like a scripting studio. A snapshot tool helped us create installers that aren't based on the MSI format, and this functionality extends beyond program installers: By using the snapshot tool and packaging environment, we maintained and controlled changes to configuration files. IPass charges on a per-month basis as opposed to yearly or perpetual licensing. However, just like every other product, each managed device is charged for.

Mobile Lifecycle Management Suite 6.1. iPass, (650) 232-4100.

OnDemand's product might have fared better if we'd tested it at the end of this year: Support for Linux, PXE booting, Wake-on-LAN and client multicasting are all scheduled. Still, even excluding these features, we found a lot of functionality missing from what is billed as an enterprise-class desktop-management suite.

OnDemand, also known as WinInstall, is the only vendor that doesn't offer a remote-control option, nor software metering. It doesn't support access controls on a per-machine basis. And we had to hit OnDemand hard on patch management, which is nearly nonexistent. We couldn't even see which systems were unpatched. Although this product has potential, it's about two years behind the leaders in functionality.

We did find some interesting features in the WinInstall packaging environment. This is an excellent packaging studio overall, and we could also create MSI transforms; require environment variables and registry keys; check for other applications; and set minimum requirements for memory, CPU, OS version and screen resolution. A conflict-assessment scan determines if a package will conflict with existing files or registry settings.OnDemand's biggest selling point is its price, the lowest of the competitors. If you're looking for basic inventory and software distribution, OnDemand may be an appropriate choice. However, its limited patch-management support, poorly presented reports and limited tech-support capabilities severely hindered it in our tests.

Desktop Availability Suite 8.6. OnDemand Software, (877) 495-0541, (239) 495-0541.

When we saw that Vector uses the word "Enterprise" in its product name, we had to wonder if it might be referring to the starship. There's no support for migration, no client backup, no access-control capabilities and no packaging studio. Patch management is handled through a separate SUS server; using SUS means you cannot selectively roll out patches to computer groups.

PCDuo does have a low price and impressive remote-control capabilities. It supports multiuser chat, one-way messages, synchronized clipboards, drawing on the screen and capturing print jobs. We also could record a session for later playback, which may be handy for creating training videos. PCDuo let us set up application fingerprints, which let us specify file locations, sizes and registry settings to determine if a program is installed.

We didn't see anything remarkable in the rest of the product. There aren't as many default reports in PCDuo as the other competitors, and many reports required us to write SQL queries. Fortunately, a SQL builder helps make this task easier by providing drop-down menus with selection options and values. We could query users with a custom data form that asked basic questions, such as where the computer is located, which building floor or the nearest telephone extension. This information is then put into the inventory database.

PCDuo Enterprise Desktop Management Suite 3.0. Vector Networks, (770) 622-2850. Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].

We used a dual 2.4-GHz Xeon with 1 GB of RAM running Windows 2000 Server SP4 as our management server. When required, we also used Microsoft SQL 2000 SP3a or the vendor's included database. Our client systems were a mix of Windows 2000 Server, 2000 Pro and XP Pro; clients chiefly ran on white-box systems with Intel motherboards and Pentium III processors. We also tested against a dual Xeon with hyperthreading-enabled server. An Active Directory domain running on a separate Windows 2000 SP4 box provided user authentication and workstation management.

We pushed out software that was packaged using the standard MSI format and standalone executables. Programs we pushed include Visio Viewer, Acrobat Reader 7, WinZip and Office Web Components plug-ins. We also evaluated the vendors' packaging studios for repackaging installer programs. While we did not test disk imaging or bare metal installs, we did look at personality migration components. In the case of Altiris, we performed full system backups and restores. We tested remote control by looking at both host and administrator console screens. We checked for permission requests, verified that the end user was able to approve control requests and performed instant messaging chats. We also tested remote printer capabilities by printing out a standard text file. Role-based access control was verified by logging into the management system under various user names.

All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.


Desktop Management

your browser
is not Java

Welcome to NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.

Click here for more information about our Interactive Report Card ®.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights