Desktop Management update from March 2005

Instead of getting out of Dodge when it's time to wrangle PCs into submission, take our advice: All a modern-day computer cowpoke needs is a thoroughbred management strategy. Saddle up,

March 25, 2005


Has the bucking desktop-management bronc been broken? We're cautiously optimistic. Sure, the task of keeping desktops up, running and patched is still tough. But apply the techniques and tools we discuss in this package and your systems may just drive themselves.

Our previous review of desktop-management suites pictured an IT admin smashing his head through a monitor (see "Dreaded Desktop Management," part I and part II). That image captured the attitude toward desktop management by many readers responding to our e-mail poll--and was a compelling argument for LCD monitors over CRT to boot. Part of the problem: Almost 40 percent of readers polled didn't have desktop-management software and weren't getting it anytime soon.

Now, nearly 71 percent of respondents have a desktop-management system or plan to by mid-2006. A whopping 81 percent of respondents to our most recent desktop-management reader poll say they aim to have desktop management within three years. And these aren't just large multinational corporations: Most respondents manage 500 or fewer desktops.

If you haven't yet implemented desktop management, now's a good time to jump on the chuck wagon. In our tests (see "Desktop-Management Roundup"), we saw significant improvements: Role-based administration, patch management and vulnerability assessment have matured, while conventional functions like inventory, software distribution and remote control continue to show incremental improvements.

The core reasons for using desktop management haven't changed over the past two years, but organizational needs and requirements have. Our poll showed more demand for change management, rollback, security-configuration management and license monitoring, with less call for self-healing applications and self-service software. We believe an increased focus on security and publicity surrounding software audits are driving this shift. And, in Windows NT/2000/XP environments, self-healing isn't as big a deal as it was in the bad old days when Windows 98 was the norm and the end user was effectively the administrator.

Desktop management is a vital part of any asset-management initiative as well, especially if you think you may have bought too much software. This can be a strong selling point if you're looking to free up funds--over the next five years, organizations that commit a minimum of 3 percent of their annual operating budgets to IT asset management can expect a 25 percent reduction in IT asset TCO (total cost of ownership), according to Gartner. The consultancy adds, though, that less than 10 percent of its customers are up to speed on software-asset management.

Any desktop-management suite lacking extensive patch management and a vulnerability reporting engine is worthless to enterprises. More than 81 percent of our poll respondents say it's highly unlikely they'd purchase a product lacking patch management. Small and midsize businesses that don't require reporting, targeted installation and rollback can get away with using Microsoft's free SUS (Software Update Services) and WUS (Windows Update Services). They aren't as robust as a full desktop-management suite, but they're better than nothing.

When choosing a patching tool, keep in mind that desktop-management vendors' integration of patch management could spell the end of the gravy train for pure-play products, such as Ecora Patch Manager and PatchLink. The biggest reason for going with these offerings is cost: Patch-only software runs as low as $10 per node, while enterprise-class desktop-management suites are in the $60 to $100 range. Even so, the argument in favor of full-fledged desktop management is persuasive. Most desktop-management vendors strive for modularity, mainly over licensing, so features can be activated as needed. For example, a small company could purchase a desktop-management suite with only patch management and minimal inventory capabilities enabled. As the company's needs grow, it can easily add more desktop-management functionality because the infrastructure and agents are in place.

In addition, patch management requires some desktop-management chops: Machines must be discovered, basic inventory scanning performed and computer groups maintained. Finally, pushing out patches alone is good, but pushing out security patches with antivirus definition files, software releases and full application suites is exponentially better.

We're not ready to put pure-play patch vendors out to pasture, but we're watching the market closely for some mergers, with other pure plays beginning to incorporate desktop-management functionality. Novell, one of our roundup participants, licenses its patch-management application from PatchLink, for example. Microsoft has a free local patch server in addition to automatic updates enabled by default in Windows XP SP2.

Software Audits

Another vital element of desktop management is tracking software licenses. One in four reader poll respondents say they have been audited or that an audit could easily happen in the near future, but nearly 70 percent aren't worried, saying they know they're in compliance. We suspect at least a few of the nine California companies that in February paid the BSA (Business Software Alliance) $826,270.81 to settle claims that they used unlicensed copies of software were similarly confident.

A software-license report will tell you how many copies are installed in your organization and how many licenses you own. Terms, conditions, penalties and costs associated with an audit are determined by the contract you signed with your vendor, but penalties can be as high as $150,000 for each unlicensed software package; if the feds pursue criminal prosecution, penalties can run as high as $250,000 and five years in jail. Granted, unless you do something stupid like set up a warez server, this is unlikely. But all profits attributable to the infringement can be garnished, which could be devastating to a corporation dependent on a particular product for its revenue.

Software audits typically are initiated by a vendor or the BSA, whose agents act as "lawyer proxies" and are tasked with investigating piracy claims, performing audits and recovering lost revenue for members. Being audited directly by a vendor is slightly preferable to a BSA inspection in the same sense that being kicked in the ass by a horse is preferable to a hoof in the head. Vendors are interested in keeping you as a client, so if you have 101 copies of a program installed but only 100 licenses, the vendor may cut you some slack. Legally, a vendor must send notice at least 14 calendar days before performing an audit, unless otherwise specified in your contract. Microsoft provides at least 30 days, and you won't have to pay for the audit unless you're out of compliance by 5 percent or more, according to the March 2003 Microsoft Business Agreement guidebook. The BSA holds enterprises to higher standards because you're not a customer, and it's more likely to seek the maximum penalties available under the law.

The good news is that we're not aware of any instance when desktop-management reports weren't considered sufficient proof for BSA auditors or the courts. Even if auditors insist on using their own tools, you can rest easy knowing you're in compliance. In fact, we highly recommend performing in-house audits regularly. If you've overpurchased, you can drop some support and renewal contracts. If you've underpurchased, you can buy additional licenses to comply. Some vendors are more likely to give you favorable terms and prices if you go into a sales meeting showing you're in full compliance.

Software metering, yet another useful desktop-management feature, lets you see how often a program is used by a given individual or department, or across your organization. Some companies save money by underpurchasing licenses for infrequently used programs and installing them when needed. This rationing is kosher from a licensing perspective, as long as you don't have the software installed on more machines than you have licenses for at any point and such practice isn't forbidden by your purchase contract. For example, if metering reports that Microsoft Visio is used by five people in your IT department only in June and five people in facility planning every September, you only need to buy five licenses instead of 10. This micromanagement is easy to tally with a desktop-management suite, though frequent installing and uninstalling may cost more administration time than it's worth. Some desktop-management vendors offer self-service software centers where installs are triggered automatically at a user's request. Alternatively, you could build a Web site that lets users make software requests, automates getting management approval and integrates with the desktop-management suite to install the software.
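
The rule above, that a program must never be installed on more machines than you have licenses for at any point, can be checked mechanically from install and removal dates. The following Python is an added example, not from the original article or any vendor's product; the record layout, the product name ExampleCAD, the license counts and all dates are constructed, and a removal is assumed to free its license on the same day.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory export: (product, machine, installed_on, removed_on or None).
RECORDS = (
    [("Visio", f"it-{n}", date(2005, 6, 1), date(2005, 7, 1)) for n in range(5)]
    + [("Visio", f"fac-{n}", date(2005, 9, 1), date(2005, 10, 1)) for n in range(5)]
    + [
        ("ExampleCAD", "eng-1", date(2005, 1, 10), None),
        ("ExampleCAD", "eng-2", date(2005, 2, 1), date(2005, 3, 10)),
        ("ExampleCAD", "eng-3", date(2005, 3, 10), None),  # same-day swap with eng-2
        ("ExampleCAD", "eng-4", date(2005, 4, 5), None),
    ]
)
LICENSES = {"Visio": 5, "ExampleCAD": 2}  # constructed license counts


def peak_installs(records):
    """Return {product: (peak simultaneous installs, first day the peak was reached)}."""
    changes = defaultdict(list)
    for product, _machine, installed_on, removed_on in records:
        changes[product].append((installed_on, 1))
        if removed_on is not None:
            changes[product].append((removed_on, -1))
    peaks = {}
    for product, events in changes.items():
        # Assumption: a removal frees its license that same day, so on any
        # given date removals (-1) are applied before installs (+1).
        events.sort()
        current, peak, peak_day = 0, 0, None
        for day, delta in events:
            current += delta
            if current > peak:
                peak, peak_day = current, day
        peaks[product] = (peak, peak_day)
    return peaks


def compliance_report(records, licenses):
    """Compare each product's peak install count with the licenses owned."""
    report = {}
    for product, (peak, day) in peak_installs(records).items():
        owned = licenses.get(product, 0)
        report[product] = {"peak": peak, "peak_day": day, "owned": owned,
                           "shortfall": max(0, peak - owned)}
    return report


if __name__ == "__main__":
    for product, row in compliance_report(RECORDS, LICENSES).items():
        print(product, row)
```

With the constructed data, the Visio rotation between the two departments peaks at five installs, while ExampleCAD reaches three installs against two licenses and is reported as a shortfall of one.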

The safest way to avoid an audit is to have a clear and strictly enforced procurement process, in which a central software-purchasing department buys and maintains license receipts. Keep all license agreements, volume agreements, order confirmations, proof of payment, purchase orders, records of transfers and anything else a contract specifies as proof of purchase--this is where a central purchasing repository makes life easier. The last thing you want to do during an audit is track down proof of payments for a purchase made by a non-IT-department employee who left the company two years ago.

Bottom line, all but the smallest shops can benefit from an asset-management or desktop-management suite and from enacting a standard software-purchasing process. Even open-source software can come with contract agreements, especially if you buy service and support. Linux desktop management is still in its infancy, but this will change as desktop Linux gains market share. An ounce of prevention in the form of a desktop-management suite can bring the patching process under control, ward off costly and embarrassing audits, and help you make wise software-purchasing decisions.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Write to him at [email protected].

In bull riding, the rodeo's main event, wranglers must stay atop a maddened, 2,000-pound flailing hunk of beef for a full eight seconds, then leap off and beat feet to avoid being gored. If you feel a kinship with these cowboys because your typical day involves dodging end-user complaints about malfunctioning PCs, only to be skewered by a new load of Windows patches, consider us your own personal barrel man (for you city slickers, that's the rodeo clown who hides in a barrel waiting to distract murderous bulls).

We won't deny that implementing an enterprise-class desktop-management suite is a major undertaking. But it will pay off in myriad ways, including improved patch management, a better grip on software licenses, and handy role-based administration and vulnerability-assessment capabilities. Software-license monitoring alone can save your sirloin if a vendor--or worse, the Business Software Alliance--comes calling for a compliance audit.

In our previous roundup of desktop-management suites (see "Dreaded Desktop Management," part I and part II), seven vendors participated. This time out, we imposed additional requirements--asset management, software distribution, software-license monitoring and Windows patch management--and still had eight vendors on board: Altiris, iPass, LANDesk Software, Microsoft, Novell, OnDemand Software, Tally Systems and Vector Networks. Altiris again took our Editor's Choice award, but this time LANDesk closed to within 0.05 points. This is good news for enterprises looking to work a deal on desktop management, and that's no bull.

