ppt - Common Solutions Group

Common Solutions Group Workshop:
Managing Large Environments
Introduction and Background
Susan Grajek, Yale
Steven Sather, Princeton
Overview of Today’s Workshop
1. Introduction and background
2. Managing desktop security
3. Asset and inventory management
4. Mobile device management
5. Wrap up, next steps
Workshop goals
• What are managed environments?
• Where do we stand today?
– Challenges
– Best practices
• What are the benefits of managing environments?
What are managed environments?
• Ad hoc Managed Device group met in Chicago in July
– Brown: Karen Asquith & Alan Usas
– Chicago: Greg Anderson, Corey Liss & Kevin Vaccaro
– Duke: John Cook
– Princeton: Charlayne Beavers, Phil Immordino & Steven Sather
– Stanford: There in spirit!
– Virginia Tech: Bill Plymale
– Yale: Lee Fontaine, Susan Grajek & Adriene Radcliffe
Chicago workshop recap
Goals
• Define managed devices
• Describe best practices
• Identify opportunities for collaboration
Defining device management
• Security
– Initial Configuration
– Patching/Updates
– Access Control
– Malware (virus/spyware)
– Privacy (encryption, HIPAA)
• Application deployment
• Inventory and asset management
• Image management
• Data integrity
• Remote assistance
• Connectivity and registration
• Software and licensing
≠ (Accounts Management)
Management environments
Fully managed
• Dumb terminals, thin clients.
• No data or local applications other than those that facilitate access.
Wide open
• End users have administrative privileges at both the application and operating system levels.
• Applications and data are stored locally.
• No common base configuration.
• Subscription and self-service tools unlikely to be available, so machine is managed manually.
• No up-front prohibited protocols, devices, applications, or actions (but machine will be disconnected if it causes a problem to the rest of the network).
| Environment | Application storage | Data storage | Common base configuration? | Updates | Admin privileges |
|---|---|---|---|---|---|
| Fully managed | Centrally | Centrally | Complete | To central configuration | None |
| Locked down | Locked down or served centrally | Centrally | Updated image | Delivered centrally | None |
| Secure | Local or centralized | Locally | Initial image, some updates | Subscription to managed updates | None, but options for configuring |
| Open managed | Locally | Locally | Initial image | Managed updates or use self-service tools | Application, OS or both |
| Open unmanaged | Locally | Locally | None | Self-service tools or manual | Yes, some few prohibitions |
| Wide open | Locally | Locally | None | Manual | Yes, no prohibitions |
Results of CSG Survey
24 respondents for 21 Schools and EDUCAUSE
• Brown University
• Carnegie Mellon University
• Columbia University
• CU-Boulder
• Duke University
• Harvard - Central Administration
• Indiana University
• MIT
• Princeton University
• Stanford University
• University of Chicago
• University of Delaware
• University of Michigan
– Campus Computing Sites
– Health System
• University of Minnesota
• USC
• University of Texas @ Austin (two submissions, data averaged)
• University of Washington
• University of Wisconsin-Madison
• University of Virginia
• Virginia Tech
• Yale University
• EDUCAUSE
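Desktop Management Environments

| Configuration | Faculty % current | Faculty % potential | Staff % current | Staff % potential | Students % current | Students % potential |
|---|---|---|---|---|---|---|
| 1. Fully managed | 0 | 1 | 0 | 2 | 0 | 1 |
| 2. Locked down | 8 | 12 | 11 | 19 | 7 | 10 |
| 3. Secure | 11 | 25 | 27 | 42 | 4 | 2 |
| 4. Open managed | 34 | 45 | 35 | 28 | 14 | 44 |
| 5. Open unmanaged | 47 | 18 | 27 | 9 | 75 | 43 |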
Some highlights
• University of Michigan reports 100% locked down for faculty, staff and students
• Four schools reported more than 80% of faculty machines are fully unmanaged:
– Chicago, Delaware, USC, CU-Boulder
• Only three schools guessed that faculty machines could be fully managed:
– Stanford (10%), UT-Austin (2%) and UVa (1%)
• Two-thirds of schools believe that at least 50% of student machines could be at least partially managed.
Different tools and processes will work in each environment.
Process used
Mapped each device management activity (e.g., application deployment) against each environment to:
• describe what each of us is currently doing
• consider other, additional options
• draft best practices for each environment
Example: Application deployment
• Most managed
• Locked down
• Secure
• Open managed
• Open unmanaged
• Wide open

Thin client apps delivery
Imaging
Minimum requirements
Imaging (initial setup and changes)
Thin client apps delivery
Subscription-based updates (GPOs, SMS, WSUS, etc.) - required
Software virtualization
Minimum requirements
Thin client apps delivery
Subscription-based updates (GPOs, SMS, WSUS, etc.) - required
Imaging – initial setup only
Installers mediated by technicians (technician activation)
Software virtualization
Minimum requirements
Thin client apps delivery
Subscription-based updates (GPOs, SMS, WSUS, etc.) - recommended
Imaging – initial setup only
Installers mediated by technicians
Software virtualization (self-activation)
Bundle on CDs
Minimum requirements
Imaging
Minimum requirements
Subscription-based updates (GPOs, SMS, WSUS, etc.) - recommended
Thin client apps assigned
Installers
CD bundles
Software virtualization contingent on image
Technician mediated (optional)
Installers (written for minimums)
Bundle on CDs
Summary of management tools and processes
• Managed update tools (SMS, Zenworks, GPOs, WSUS, Shavlik)
• Manual update (end user or technician)
• Self-service configuration tools
• Images
• Remote data wipe
• Tools to enable end users to select their management preference
• Installers
• Software virtualization
• Thin client applications delivery
Summary of management tools and processes
• Network quarantine
• Life cycle management (leasing, mediated purchasing and disposal)
• Asset management tool
• Vendor-supplied data
• Bundle on CDs
• MAC address/network registration
• Published guidelines
• Site licenses
• Minimum requirements
Results of CSG Survey
Which practices and tools are we using?
[Bar chart; axis: % of schools using, 0% to 100%. Categories:]
• Remote data wipe for compromised laptops
• Tools for users to manage deployment prefs
• Application virtualization
• Thin client applications delivery
• Vendor data integrated w. asset management data
• Self-service installers, etc. on CDs
• Network quarantine for unpatched machines
• Web-based self-service installers & config. tools
• Life cycle management
• Minimum hardware and software requirements
• End-user guidelines for managing devices
• Asset management tool
• Images
• Manual update (by end users or technicians)
• Update tools
• Registration of MAC addresses
How widely are we deploying tools & practices?
[Chart; legend (% of devices used with): <20%, 20-50%, 50-80%, >80%. Categories:]
• Application virtualization
• Remote data wipe for compromised laptops
• Thin client applications delivery
• Tools for users to manage deployment prefs
• Vendor data integrated w. asset management data
• Self-service installers, etc. available on CD
• Asset management tool
• Manual update (by end users or technicians)
• Life cycle management
• Images
• Web-based self-service installers & config. tools
• Update tools
• Network quarantine for unpatched machines
• Minimum hardware and software requirements
• End-user guidelines for managing devices
• Registration of MAC addresses
How widely are we deploying tools & practices?
[Chart; axis scale 0 to 16]
Questions?