The phrase unmanaged desktops can instill fear in an IT manager. Faster software deployment, simplified patch management, regular hardware inventory updates, software-license monitoring and locked-down security settings are all benefits gained from desktop-management suites. But do these products blow IT budgets out of the water or are they too difficult to set up and maintain? Fortunately, there's a wide range of lower-cost but fully functional desktop-management suites for the small-to-midsize enterprise.

We tested desktop-management suites intended for 10,000 nodes and more last year (see "Winning the Desktop Rodeo"). Many of the reasons for using a desktop-management system hold true for small shops as well as large: For starters, you could save $1,605 per desktop over four years with a well-managed system compared with an unmanaged Windows XP system, according to a Gartner study. This time around we reviewed desktop-management products intended for smaller organizations. Our fictitious company, Last Spike Enterprises, the largest manufacturer, reseller and distributor of model railroad vegetation and livestock figurines, is a midsize business with 1,000 desktops and a budget of $30,000.

We invited 17 vendors, including all participants in our enterprise desktop-management review, to send their offerings to our Syracuse University Real-World Labs®. We wanted to be able to perform inventory scanning, software distribution, software-license monitoring and patch management for $30,000 or less. We required support for Windows 2000 and XP clients. We didn't consider outsourced or hosted solutions.Altiris, BMC Software, LANDesk Software, Novell and iPass declined, each saying it couldn't meet our budget without stripping out too many features. NetSupport. com's product doesn't offer patch management. Stream Theory (previously Endeavors) said its product didn't fit our requirements. Centennial claims its product is a "point solution," not a broad suite. CA and Vector Networks were between release cycles during our tests. Microsoft declined, citing little change from previous reviews. We didn't hear back from Enteo Software.

Criston Software, New Boundary Technologies, Numara Software (recently spun out of Intuit), OnDemand Software and ScriptLogic accepted our invitation. OnDemand also participated in our enterprise review. In the end, we gave the Editor's Choice to ScriptLogic's Desktop Authority. This product has some of the best vulnerability-management features we've ever seen in a desktop-management suite, extensive access control, remote control, tech support and a simple user interface. All the products we tested could stand improvements in license monitoring, rollback installations, reboot control and alerting.

Litigation Threat

We graded in four major areas: reporting, management/ features, software distribution and price. Reporting received the heaviest weighting. You can't manage desktops if you don't know what's there.

License monitoring accounted for 10 percent of the score. We've noticed that many midsize businesses are targeted by software piracy lawsuits. A quick perusal of the Business Software Alliance's news releases shows more small businesses than large enterprises getting nailed. Recently a southwest homebuilding corporation of 1,200 employees paid $200,000 to the BSA. A 150-employee manufacturing company in Florida had to pay $50,000 for unlicensed software.Granted, the BSA can only target a relatively small number of businesses, but the threat of litigation is there. Unfortunately, only New Boundary's Prism Suite had much to offer for license management. With it, we could specify license count, see licenses used, list managed and unmanaged applications. We could also enter purchase dates, purchase order numbers, price information and expiration dates. All the vendors base licenses on applications and files existing on disk, not running in active memory. Most software licenses are per seat instead of concurrent running. None of the products we tested offer active enforcement of license count.

To evaluate inventory features, we looked at accuracy, detail level and presentation of hardware and software scans. All the products offer about equal hardware detail. Criston's Desktop Management goes a step further and let us see the entire registry, traverse the hard drive and view the event log. We were disappointed, however, with its reporting engine. We had to create the reports manually, whereas all the other products offer canned basic reports.

All the products offer better role-based access control than we expected. Last Spike has a distributed IT staff. Select workers in individual departments are responsible for their user's day-to-day tasks, and a small central group handles IT direction, backbone infrastructure, policy and advanced tech support. Isolating departments from each other was an important consideration. We could create multiple administrators as well as create read-only and limited-access accounts. The only thing we wished for was better control over setting permissions on a per-machine basis, instead of a system-wide or group wide-basis; however this level of micromanagement is just a minor criticism.

Operating system support was limited to Windows environments. Criston's Desktop Management supports inventory and software distribution on Linux; New Boundary's Prism Suite has Linux patch management; and Numara's suite can gather inventory data on Macs. We gave Numara a very low score for usability because its solution is actually three separate products in one: One component handles inventory and helpdesk features; another component, licensed from New Boundary, handles software distribution; and a third is for patch management. Each piece requires a separate console, with different user interfaces, computer groups and settings. Although the consoles are easy to use, having to deal with three is irritating.

Desktop-management suites are useful to the helpdesk. Although Last Spike uses chiefly a distributed tech-support staff, it has a small central helpdesk for advanced cases. We graded tech-support features on how useful the product would be to support personnel. Numara's suite scored highest here because it includes a helpdesk solution with managed trouble tickets. Although its helpdesk features aren't on scale with the likes of Remedy's, they should be sufficient for smaller IT shops. We also like integrated remote control capabilities. Microsoft's remote desktop connection, which is included with Windows XP, is good for simple remote screen sharing. We'd like to see additional features that RDC doesn't offer. For example, ScriptLogic's Desktop Authority supports instant messaging. The products from Numara, Criston and ScriptLogic all support file transfers.The software-distribution grade also covers patch and vulnerability management, and rollback and migration. Software can be distributed by placing an installer on a network share or pushing the install package onto a client's local drive, among other methods. OnDemand's Desktop Availability has the most extensive set of options, including letting you e-mail a package from the management console or burn an installation CD. We weren't happy with the way any of the suites controlled forced reboots. Instead of letting a user "snooze" a reboot for a set number of minutes or times, they forced an immediate reboot after installing software or waited an indiscriminate period of time.

ScriptLogic's Desktop Authority was tops at controlling security settings. We could perform tasks such as disabling the USB devices for a user, adjusting the Windows Firewall setting and hiding control panels. We especially liked how the management console integrated the setup and control of Active Directory Group Policy Objects. We've yet to test another desktop-management suite that integrates so closely to GPO. Even Microsoft SMS doesn't directly integrate with GPO.

Desktop Authority also had the best patch- and vulnerability-management features we've ever seen in a desktop-management suite, large or small. However, it doesn't let you push a patch. Instead, you must wait for the user to log on or off of the workstation. OnDemand's Desktop Availability has the worst patch-management capabilities--a criticism we levied a year ago. The manual says that you have to know which machines to patch beforehand. A desktop-management suite should provide that information to you. The other products offer much clearer reporting on which machines are vulnerable.

We were surprised by the lack of strong encrypted client-server communications. Desktop Availability uses a RC2 cipher with a 40-bit key. That's minimal encryption; the company claims to be moving over to SSL based encryption later in the year, however. New Boundary's Prism Suite uses a 48-bit Sapphire II cipher, while Criston's product uses a 40/64-bit RC2 cipher. We would have preferred stronger and longer keys, such as 128-bit SSL encryption.

Prism Suite, Numara's suite and Desktop Authority don't offer any migration support--the ability to move users from one machine to another--which is disappointing. Criston's Desktop Management let us back up and restore directories to FTP servers, as well as to migrate users between machines. OnDemand's Desktop Availability also can act as a PXE (Preboot Execution Environment) server and do bare metal installs, something none of the other products offer. None of the products support disk imaging.Our final grade covers pricing. The price had to include all components under test and one year of patch management. The budget limit did not require maintenance be included. Desktop Availability came in well under budget, at $22,000. Desktop Management and Prism Suite priced out at exactly $30,000, while Numara's suite came in over budget at $32,719. Desktop Authority's original quote was $29,800, but we also included ScriptLogic's $499 package-creation studio. We decided that the cost of Numara's and ScriptLogic's products were close enough to our limit that it would be a disservice to dismiss them.

ScriptLogic Desktop Authority 7

This product has the tightest integration and dependence on Active Directory of the products we tested. Although it earned our Editor's Choice, Desktop Authority has some limitations. You must use an AD domain. Managed nodes must be joined to the domain. The product only engages itself and checks for updates and tasks at a logon or logoff event. And you cannot push out tasks or schedule updates. Fortunately Desktop Authority includes an inactivity timer, so if a node has been idle for set amount of time, it'll log the user off. ScriptLogic acknowledged that a more real-time model would be better and is working on one. We also were disappointed that Desktop Authority install software only from network shares, rather than letting you push it out from the management server.

Desktop Authority is full of features to make up for these deficiencies, however. The rich security and policy-enforcement features blew us away. Each policy can be targeted to nodes that meet specific requirements. We created an IP address-based policy, for example, that set a specific corporate desktop background on nodes that would be public facing, like sales terminals and kiosks. You can define other requirements, such as computer name, a check for file existence, IP range, registry entries, OS version and connection type. However, the scope cannot be limited based on inventory or hardware data unless such setting is available in the registry, or unless you write a custom script is with a Windows Management Infrastructure (WMI) call. A wide range of Active Directory GPOs are available. We hid control panels, disabled autocomplete in IE, disallowed registry editing and disabled the user's ability to add or delete printers.

With the built-in inactivity timer, we specified a how long before a warning message popped up, and how long before the user is logged out or the machine shut down. We could disable the inactivity timer at any time--handy if you don't want it to check for inactivity during normal business hours. Users can be forced to wait until patches are downloaded and installed before being able to finish logging on or off. For client vulnerability patches, this is acceptable since vulnerabilities in products like IE and Windows Media usually only occur when the user is logged in. Unfortunately, the handful of machines that run network services, such as SQL Server, would be at risk longer than they would be with a push-based installer.

The tech support features in Desktop Authority are handy. After logging into a client machine for remote maintenance, we were greeted by a screen showing the patches installed, OS details, system stats, performance graphs and the event log. This summary information would be perfect for a user working with tech support. We could launch a screen-sharing application, send instant messages and transfer files.

Desktop Authority 7.0,ScriptLogic Corporation,(800) 813-6415,www.scriptlogic.com or [email protected]

Criston Software Desktop Management 5.2.4

Although Desktop Management doesn't have as many standout features as Desktop Authority, this well-rounded product performed well in our tests. Its inventory reporting is extensive, its role-based access control is granular and, like OnDemand's suite, it offers migration capabilities.

Desktop Management uses a Java management application. We created multiple administrators and set up admin groups. Each admin or group could set permissions for various features. We could give each administrator read or write access to individual and groups of PCs. This meshed well with Last Spike's distributed IT staff.

Criston's solution made it easiest to modify end user systems in real time. We could browse the remote machine's drive, edit text files, modify the registry, restart services, kill processes and view the event log--all through the management console. In contrast, Desktop Authority can display real-time stats in the remote management component, but cannot actively alter settings without using remote control. We also could remotely control and reboot the PC. This functionality is handy for Last Spike's Level 2 tech-support desk, which can perform these tasks without looking at the user's screen. When logged in with a domain admin account, we couldn't read the user documents folder from the console--offering a bit of privacy for the end user.We used "operational rules" to back up directories and perform basic tasks or scripts. Each operational rule is composed of one or more steps that may include editing a text file, checking for free disk space, updating inventory and so forth. We created a rule to back up the user directory to an FTP server and then install an application. We then migrated a user's data files from one managed PC to another. Windows system files also could be migrated between hosts.

We were disappointed in the reporting engine: Although it's possible to create detailed and customized reports, there were no predefined reports in our console and each report had to be created from scratch. We specified a format, layout and query to generate a report. Once built, any report could be generated according to a defined schedule, or on the fly.

Criston Desktop Management v5.2.4,Criston Software,+33(0)4 9238 1300,www.criston.com or [email protected]

New Boundary Technologies Prism Suite 7.0.2
Like the other products we tested, Prism Suite does some things very well, and others poorly. As noted, its license-monitoring component is better than any product's. However, we weren't thrilled with the alerting and tech support features, and Windows Remote Desktop Connection is used for screen sharing. Prism Suite doesn't have any built-in tools or additional collaboration features, but screen sharing can be engaged from within the console.

The patch-management engine is up to snuff. We could browse the domain tree and see installed and missing patches, and sort vulnerabilities by severity or affected product. Patches can be installed immediately or at a set time, and each patch can be marked as required. A compliance report can be generated across the entire organization, showing which machines have all patches installed and which machines are not yet in compliance. Our main complaint, and Prism Suite's biggest downfall, is that patch management is handled on its own console, which doesn't share anything with the main management console.

As for license monitoring, Prism Suite gave us a list of all applications marked as unmanaged, and let us see which computers had which licensed applications installed. We could add a site, per-seat, or concurrent-usage license to the application, and include information on the purchase date, license count, cost, PO number, maintenance expiration date and serial numbers. What's more, we could add multiple license purchases to an application, which is handy if you buy licenses over time. We could view the licenses per manufacturer or type. Each application showed the license count: anything that exceeded the count was labeled as illegal. Licenses can be specified for each version of an application, but are all rolled into one license unit by default.You can install packages with a simple drag-and-drop mechanism. As with Desktop Authority, you can't distribute an application directly from the Prism Suite management server--packages must be located on a network share. A package installation may be configured to run in silent mode or as a specified user account. Fortunately, an included package editor allows for additional control beyond what a standard MSI package would offer. Before, during and post-install messages can be displayed. You also can configure default behavior for file and registry overwriting and deleting. A digital signature can be applied to the package to enforce integrity checking, one of the few security concerns missing from Desktop Authority. When a package is ready, the administrator can deploy it through drag-and-drop to the computer or group, and the package can be distributed immediately or at a specified time.

Prism Suite 7.0.2, New Boundary Technologies, (800) 747-4487, www.newboundary.com or [email protected]

OnDemand Software Desktop Availability Suite 8.7
In our enterprise desktop management review, OnDemand's product ranked on the lower end of the Report Card. In this review, however, this suite is one of the best values out there. Although its score suffered because of issues with the patch-management and license-monitoring components, organizations with tight budgets will find that DAS offers the functionality needed to perform advanced software installs, rollback and migration. It's also the only product in this review to offer bare-metal OS installs over an included PXE server.

DAS offers the best software installation features and options. Originally a software-packaging company, OnDemand includes a number of configuration options that can be set for each package. We could change environment variables, registry entries, even set minimum system requirements and password protect packages. The package can then send status logs through e-mail, SNMP trap, or to a Microsoft SMS (Systems Management Server) or Tivoli server. Packages can then be sent to a PC from the management console. You also can e-mail a package from the console, or create a burnable CD image, which was handy for sending service packs and large installs to the traveling salesmen. None of the other vendors offered this variety of delivery mechanisms.

Also substantial is the migration feature: It retrieves a user's preferences and files from one machine and restores them to a different machine, or to the same machine after a reinstall. We found this very simple and quick to perform. OnDemand touts DAS's PXE boot environment for performing bare-metal installations, though this feature can also be used for simple backup/restore purposes. We did not test PXE-based OS installs, but did test other functions. We created a template listing the applications and system settings we wanted to preserve. We also specified the particular directories to back up, such as the user's documents folder, as well as schedule automatic backups--all of which get backed up to the WinInstall server. Using client migration, we moved a user from one managed PC to another and created a template to copy all user files. The data was transferred in just a few minutes.

Our biggest disappointment came from the patch-management engine. We heavily criticized OnDemand last year for having only the most basic support for patches. This problem still exists: The DAS manual still states that you must know which machine to patch beforehand. Patches are grouped by application and version, allowing you to download and build a package installation from the patch listings. Unfortunately, DAS won't simply return a list of non-compliant computers, but you can write some custom reports to figure out which machines need patches. OnDemand's DAS would have ranked higher had this component improved since our last review.WinINSTALL Desktop Availability Suite (DAS)OnDemand Software(877) 495-0541, (239) 495-0541www.ondemandsoftware.com or [email protected]

Numara Software Track-It 7, Deploy and Patch Manager 5.0.1
Numara's solution is actually three products. At the heart is Track-IT, an inventory and helpdesk solution, while a separate product (licensed by New Boundary) is used for application deployment. A third product handles patch management. Individually, the three products are simple to use and work well, but they don't really come together as a suite. The three components don't talk to each other, nor do they share similar GUI designs or features. You must configure each component separately for role-based access control, managed PC and groups. Given the distributed nature of Last Spike's IT staff, this was worrisome. We gave Numara a low usability score because the three pieces require more work than seems necessary.

The Track-IT Technician Client, for inventory, remote control and tech support, is the strongest product and is designed for use by both asset managers and tech support. On the asset-management side, you can access inventory and captures of the major Windows config files. We specified software licenses and how many copies we owned. We also determined whether our software was authorized on a node-by-node basis. We liked the compliance report, which showed illegal software in red, fully licensed in black. Tech support can remotely control PCs, send IMs, transfer files, synchronize clipboards, reboot machines and run programs. Also included is a simple helpdesk application. Space is provided to specify the description of the problem and resolution.

Numara's patch-management reporting was best. A summary page shows the Top 10 missing patches, vulnerable machines and severity status. This report can be e-mailed to an administrator, the owner of the machine or any specified address. If a user is logged on during a patch that requires a reboot, you can force a reboot, let the user snooze for a specified time period, or reboot after the user logs out.

Numara Track-It! Enterprise Edition; Numara Deploy; Numara Patch Manager, Numara Software,(800) 557-6970, www.numarasoftware.com or [email protected]

Executive SummaryYou sent out a patch notice to users three weeks ago, but when spot-checking a few desktops, you find three machines without the fix. How many other PCs don't have it? Without desktop-management software, IT administrators must rely on users to install patches or do it all themselves by updating each client machine individually. Large enterprises have desktop management down to a science, deploying patches and monitoring licenses with relative ease, but where does that leave the smaller enterprise on a tight budget? In this installment of Affordable IT, we evaluate desktop management for midsize businesses.

We asked desktop-management vendors to send us products capable of supporting 1,000 nodes for less than $30,000. Of 17 invited vendors, Criston Software, New Boundary Technologies, Numara Software, OnDemand Software and ScriptLogic rose to the challenge. We examined each vendor's offering, rating the software's reporting, management and features, software distribution and price, as well as GUI and helpdesk troubleshooting capabilities. ScriptLogic's Desktop Authority, our Editor's Choice, earns high marks for usability, patch management and technical support. Any smart IT manager will jump on these reasonably priced packages to alleviate license-maintenance headaches and patch-update calamities.

You can find all our Affordable IT articles here.

How We Tested Desktop Management Suites

Our fictitious midsize business, Last Spike Enterprises, has 1,000 desktops and a budget of $30,000. We used a dual 3-GHz Xeon with 3 GB of RAM, running Windows 2003 Server Enterprise Edition SP1, as Last Spike's management server. We used MSDE or SQL 2000 Enterprise Edition on the same box as the management server. Our client machines were 1.2-GHz Pentium III systems with 512 MB of RAM, running Windows XP Pro SP2. All systems were joined to an Active Directory domain, and were all located on the same subnet.The AD domain provided user authentication and WINS resolution. Last Spike uses AD only for authentication and not for system management. We pushed out software packaged using the standard MSI format as well as standalone executables. Last Spike's environment uses both types of installers.

We pushed out Adobe Acrobat Reader, BGInfo, Winzip and other apps. Microsoft hotfixes for WinXP SP2 were deployed to verify the patch management components. We paid close attention to how mandatory reboots would be handled, as some patches only take effect after a restart. Application launching was verified by running Notepad. We tested remote control, the component that tech support staff would use most often, by looking at both the host and administrator consoles. We performed instant messaging chats, transferred files and checked that the clipboards could be synchronized to verify functionality and determine ease of use for lower-ranking tech support staff.

We based role-based access control on users and groups we set up in AD. Administrator groups existed for central and distributed personnel, as well as by varying skill levels. We limited access to advanced features like system migration or patch deployment to higher-ranking personnel, while Last Spike's front-line workers were given access to remote control and inventory reports.

All Network Computing product reviews are conducted by current or former IT professionals in our own Real-World Labs®, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

R E V I E W

Desktop Management Suites

Sorry,
your browser
is not Java
enabled

Welcome to NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights

you entered.

Click here for more information about our Interactive Report Card ®.

0