Guide to Client Management

Ensuring the client manager you choose works for you

By Barry Nance, Network World Lab Alliance

Propagating the installation of a client management product across a network entails some basic and some not-so-basic steps. For example, how can you be sure you haven't inadvertently skipped a machine which rightly falls under your administrative umbrella? This sort of problem rarely crops up when you're deploying server-oriented tools. But in a large company, thousands of desktop PCs can form a seemingly impenetrable jungle.

The answer to the dilemma is to take a methodical and systematic approach: Use the client manager's discovery feature to find all the desktop units. Then examine its reports to verify you've included every machine.

Here are some additional tips to ensure your client manager deployment goes smoothly and that the product works the way you need it to:

1. Before deploying a client manager throughout the network (even with a vendor's help), first try out the software in a controlled, small environment to better understand how it installs, how it performs and what it does in specific situations that you force it to handle. Become familiar with how the desktop manager behaves and know how to use it to enforce licensing as well as operating system and software versioning. Get comfortable with the product's remote control feature, and run some practice drills to understand how the tool distributes software, updates and operating system patches.

2. Use Windows policies, directory and file permissions and desktop controls to keep users from altering corporate-approved PC configurations, but keep in mind that the corporation, not the employee, owns each desktop screen. Other employees will from time to time need to use the PC that the employee thinks of as "his" or "hers."

3. For the sake of simplicity and consistency, avoid mixing and matching different client management products across the network. Centering on one tool will yield better control over desktop PCs and other computing devices. It will also reduce the variety of backup devices and backup formats you have to manage. Using a single tool will give you consistent, consolidated reports on the number, types and configurations of your desktop units. And it will make life a lot easier for network administrators and troubleshooters.

4. Take the time to document the client computing environment in your organization. Keep the documentation up to date. The documentation will help you the next time you need to do a major upgrade. It will be a useful resource for capacity planners. And it can even be your justification to the IRS for the depreciation expenses your company claims at tax time.

5. Assume, despite your best efforts to prevent it, that spyware, a virus or some other malady will damage your client management configuration at some point in time. Establish procedures to restore desktop configurations and run fire drills to make sure your procedures work. Use similar goals for your desktop and other computing devices that you use for your servers – you want to maximize uptime and availability for the users who rely on the desktop machines to get their work done.

Nance runs Network Testing Labs and is the author of Introduction to Networking, 4th Edition and Client/Server LAN Programming.

Five questions to ask client management vendors

By Barry Nance, Network World Lab Alliance

The following are five key questions to ask desktop management vendors that should help you select a product that's right for your environment:

1. Does the client manager recognize and handle all the different desktop platforms (such as Windows, Linux, Solaris, AIX and MAC OS) and kinds of desktop computing devices (such as PCs, notebooks and PDAs) that are in the company? If the desktop manager is not going to support some computer devices you want to know this before the sale, not after.

2. What's the vendor's history with respect to supporting new platforms? As new desktop computing tools emerge will the vendor support them? And in what time frame will this realistically happen? How long you'd have to wait for support depends on a variety of parameters including the scope of the technological advance, its relationship to the desktop (i.e., office worker) and its rate of adoption. But nothing stands still, and PCs are in some ways old technology, with new devices and paradigms on the horizon. Can the vendor keep up with the pace of changes in IT?

3. What type of data repository does the client manager use?
Database administration can involve some nontrivial expenditures of time and effort. If the desktop management repository is a database your administrators are unfamiliar with, additional training time and effort will be required.

Additional questions include whether the database is relational, how much attention and care the desktop manager's data repository will require and what are the support mechanisms for backing up the database? Storing the desktop data in a relational database would likely be overkill - and an annoyance - to a small customer. However, a large enterprise may have a corporate policy requiring the use of an RDBMS. Why? Three reasons: (1) The company's backup/restore regime may require it. (2) People within the enterprise may want access to the DB for special purposes and for custom reports. (3) A large company may require the reliability and familiarity of an RDBMS (large companies have gotten burned too many times by proprietary, vendor-designed data storage algorithms that fail or slow down at critical times).

4. How responsive is the company to emergencies? Suppose the network adapter in the desktop management central-console machine fails late on a Friday night; how easy is the re-installation of the desktop management tool, especially in light of license-key issues and whether a license key is tied to a specific MAC address? Many software products' license keys have a direct relationship to a central console's IP address or MAC address. Recovering from a network adapter failure can turn into a nightmare of all-weekend work for your company's network troubleshooter or tech support person if a vendor's support people aren't available or responsive.

5. Can the desktop management tool interface (perhaps via SNMP) with a network manager such as OpenView or Tivoli? Can it interface with a help desk tool such as Remedy?
You may very well want problems and issues identified by the desktop manager to flow into a network management system for the sake of producing useful and comprehensive reports and summaries that include desktop computing device activities. Similarly, the desktop manager's interface with a help desk tool can save you time, effort and potential for transposed digits when having to key the data into another product.

Client management becomes security guard for endpoints

Desktop tools evolve to help IT with internal security on endpoints

By Denise Dubie

Managing client devices continues to challenge IT staff looking to equip end users with productivity tools while also protecting networks from errant behavior on the desktop.

"One of the biggest challenges for today's IT operations group is the management of an increasingly distributed and heterogeneous environment," says Natalie Lambert, senior analyst at Forrester Research. "Despite their efforts to standardize, the client environment is in a state of constant change."

Client systems management, once referred to as desktop management, has become more critical over the past several years as end users have become more mobile and client machines range from standard workstations to laptops and mobile devices such as PDAs and BlackBerries.

"This means that IT operations must now maintain multiple operating system images, deploy hundreds if not thousands of applications, and assure patch and system security compliance - knowing all the while that system connectivity to the corporate network is not guaranteed," Lambert says.

Just ask Matt Giblin, senior systems analyst at Mercy Health Services in Baltimore. He chose a vendor, Altiris (now part of Symantec), which he believed could address the spectrum of management and security needs. Yet he still finds challenges in managing client devices; among them is keeping up with systems and software since, despite his best efforts to standardize the software and systems on machines, changes happen.

"The pendulum has shifted from hardware being difficult to support. Now the operating systems and applications are complex, and it has to get easier to support multiple operating systems and applications," Giblin says. "It's an always-changing environment, and it's critical just to keep up with the changes."

Today's client management vendors are working to ease the burden of managing multiple, distributed client machines with features designed to address related issues.

Companies such as Symantec, CA, HP and LANDesk (now part of Avocent) are upgrading their client management tools into integrated suites to address client life-cycle management, security and compliance management, and application management from the end-user perspective.

Client management suites must include operating system management, software management and systems management capabilities, but industry watchers say that going forward integrated software packages also must feature integrated security tools and data leak prevention technologies to help client managers maintain performance and security on client machines.

"While the IT operations group traditionally handles all of the PC management tasks, they are finding themselves stuck in the weeds with the day-to-day administration of security tools," Forrester's Lambert says. That means client managers are expected to also handle antivirus, antimalware, patching and access control policies on end-user machines.
"The operations group is struggling because solutions are still deployed as point products, and no single solution gives end-to-end insight into the system inventory, security posture, and overall state of compliance."

Client management vendors are incorporating intrusion prevention systems into their suites that use existing server and agent technology to better secure endpoints. For instance, LANDesk introduced add-on software that the company says helps network managers secure internal networks from unknown threats by monitoring traffic, learning behavior and alerting when anomalies in known behavior occur. LANDesk says its software performs such tasks as behavioral blocking, whitelisting, blacklisting and compliance enforcement when it detects traffic in conflict with predefined security policies.

LANDesk also incorporates a network access control (NAC) element, the company says, that can prevent client access to a network if it doesn't meet patch or systems security levels, for instance. Industry watchers say such security measures will help client management teams looking to keep desktops and laptops available and secure. The convergence of management and security in such technologies reflects changes in IT organizations looking to protect internal networks as much as the perimeter.

In its March 2007 report entitled "Client Management 2.0" Forrester says that many security teams in enterprises are passing client security and network access responsibilities to the IT operations groups.

"For example, desktop operations staffers handle not only upgrades to your PC but also the patching and antimalware updates that maintain system compliance. Similarly network administrators just as comfortably set firewall access control lists as switch and router ACLs," the report reads. "Consequently, security and access control are becoming part of the overall management of your IT environment."

Beyond NAC

NAC is network-focused, Forrester says, but because much of the endpoint security lies with the desktop operations group, newer technologies will emerge to enable better endpoint security. And Forrester predicts another technology will grow out of NAC, proactive endpoint risk management, or PERM, which would encompass multiple solutions and serve as NAC 2.0 for client systems management and security. The research firm defines PERM as "policy-based software technologies that manage risk by integrating endpoint security, access control, identity and configuration management."

And while, like NAC, PERM is not yet complete, Forrester predicts the technology will take enterprise management and security by storm in the next three years.

"Proactive endpoint risk management isn't far off -- in fact, the landscape has already started to develop," the report reads. "Forrester predicts that client security suites will be the first to evolve, with Microsoft and Cisco only an acquisition -- or two -- away."

Client management tools keep end users productive

By Denise Dubie and Tom Henderson, Network World Lab Alliance

Client management technology promises to help IT departments keep happy their most important customer; the end user.

These products, typically software packages, work to maintain operating system and application health on client machines ranging from desktops to laptops to mobile devices such as PDAs or BlackBerries. The products use two sets of programs: software installed at the server that administers, monitors and updates the other piece of software – often called agents. Agents are distributed to all client machines and are often configured to update a central server or management console about their health and status, but the server software can also poll client machines on a scheduled basis to learn more about the status of the systems.

Client agents are often active data gatherers that communicate various administrator-desired information regarding client states, such as CPU, memory, disk space utilization, network traffic seen, and other system characteristics to a centralized server. The server then digests, possibly analyzes, and stores the collected data. Some management applications also allow the analysis of incoming data to trigger actions. For example, the software could initiate the lockout of a user account after too many password failures, indicating a desktop is undergoing unauthorized access attempts.

Agent software may also be the delivery conduit for agent-assessed patches and fixes, updated antivirus or malware files, and other data payloads. Sometimes the agents "pull" information on demand or on an administrator-defined schedule, or have software "pushed" to the client based on server scheduling.

Many agents, when joined with management applications, also have the ability to summarize all of the software a client has available, and subsequent comparisons can be made with lists of applications that are administratively approved or disapproved for organizational use as a policy-enforcement mechanism.

Client management software may also be responsible for authenticating a user, keeping track of and auditing user network navigation and resource access, and may add communication encryption and resource 'ticketing' of both local and network applications. Management software may or may not be tightly coupled with an organization's directory services for purposes of authentication, access audit, single-sign-on usage,  VoIP profiling and configuration, as well as offering mobilized resources like "remote desktops," mainframe/hosted-application access, and simple Wi-Fi accessibility. Clients can also be monitored as detection nodes in Wi-Fi intrusion detection, where each Wi-Fi node (because it has a two-way radio) can "listen" or monitor the surrounding area for unauthorized equipment.

Asset management features included in many tools help IT administrators maintain accurate license information, which could assist during software-license negotiations and promise to cut costs for shops with unused client resources. For instance, the software can share details around which applications installed on client machines are tapped most and which remain mostly idle and unutilized. During vendor negotiations, IT managers can save cash by taking into account usage data collected by client management tools.

Security measures include monitoring end-user access to applications for compliance purposes and providing information needed to better secure endpoints. Client management tools, for instance, collect information on patches installed on the machines, which let administrators know which client systems might be vulnerable to attack.

The end-user perspective is the last stop in end-to-end performance management and is often considered the most critical point at which an application must perform up to expectations. Data collected on client machines can give insight into application response times and help IT work out problems causing services to slow down.

Finally, client management applications often ally operating system accessibility, by enforcing limitations on user behavior. These policy-enforcement actions may perform actions such as disabling USB ports on client/desktop systems so that data can't be copied, policing the use of Web access, aiding in monitoring e-mail application misuse (sending company information, forbidden language, as examples), or prevent undesirable user-installed software.


Subscribe to the Best of PCWorld Newsletter