Common Solutions Group Workshop:Managing Large Environments

Introduction and Background

Susan Grajek, Yale

Steven Sather, Princeton

2

3

Overview of Today’s Workshop

1. Introduction and background

2. Managing desktop security

3. Asset and inventory management

4. Mobile device management

5. Wrap up, next steps

4

Workshop goals

• What are managed environments?

• Where do we stand today?

– Challenges

– Best practices

• What are the benefits of managing environments?

5

What are managed environments?

• Ad hoc Managed Device group met in Chicago in July

– Brown: Karen Asquith & Alan Usas

– Chicago: Greg Anderson, Corey Liss & Kevin Vaccaro

– Duke: John Cook

– Princeton: Charlayne Beavers, Phil Immordino & Steven Sather

– Stanford: There in spirit!

– Virginia Tech: Bill Plymale

– Yale: Lee Fontaine, Susan Grajek & Adriene Radcliffe

6

Chicago workshop recap

Goals

• Define managed devices

• Describe best practices

• Identify opportunities for collaboration

7

Defining device management

Security– Initial Configuration– Patching/Updates– Access Control– Malware (virus/spyware)– Privacy (encryption, hipaa)

Application deployment Inventory and asset management Image management• Data integrity• Remote assistance • Connectivity and registration• Software and licensing≠ (Accounts Management)

8

Management environments

Fully managed • Dumb terminals, thin clients. • No data or local applications other than those that

facilitate access.

Wide open • End users have administrative privileges at both the

application and operating system levels. • Applications and data are stored locally. • No common base configuration. • Subscription and self-service tools unlikely to be

available, so machine is managed manually. • No up-front prohibited protocols, devices, applications,

or actions (but machine will be disconnected if it causes a problem to the rest of the network).

9

Application storage

Data

storage

Common base configuration?

Updates Admin privileges

Fully managed

Centrally Centrally Complete To central configuration

None

Locked down

Locked down or served centrally

Centrally Updated image Delivered centrally

None

Secure Local or centralized

Locally Initial image, some updates

Subscription to managed updates

None, but options for configuring

Open managed

Locally Locally Initial image Managed updates or use self-service tools

Application, OS or both

Open unmanaged

Locally Locally None Self-service tools or manual

Yes, some few prohibitions

Wide open Locally Locally None Manual Yes, no prohibitions

10

Results of CSG Survey

11

24 respondents for 21 Schools and EDUCAUSE

• Brown University• Carnegie Mellon University• Columbia University• CU-Boulder• Duke University• Harvard - Central Administration• Indiana University• MIT• Princeton University• Stanford University• University of Chicago• University of Delaware • University of Michigan

– Campus Computing Sites– Health System

• University of Minnesota• USC • University of Texas @ Austin (two submissions, data averaged)• University of Washington• University of Wisconsin-Madison• University of Virginia• Virginia Tech• Yale University• EDUCAUSE

12

Desktop Management Environments  Faculty Staff Students

Configuration% current % poten-

tial % current % poten-

tial % current % poten-

tial

1. Fully managed

0 1 0 2 0 1

2. Locked down 8 12 11 19 7 10

3. Secure 11 25 27 42 4 2

4. Open managed

34 45 35 28 14 44

5. Open unmanaged

47 18 27 9 75 43

13

Some highlights

• University of Michigan reports 100% locked down for faculty, staff and students

• Four schools reported more than 80% of faculty machines are fully unmanaged:– Chicago, Delaware, USC, CU-Boulder

• Only three schools guessed that faculty machines could be fully managed: – Stanford (10%), UT-Austin (2%) and UVa (1%)

• Two-thirds of schools believe that at least 50% of student machines could be at least partially managed.

14

15

Different tools and processes will work in each environment.

16

Process used

Mapped each device management activity (e.g., application deployment) against each environment to:

• describe what each of us is currently doing

• consider other, additional options

• draft best practices for each environment

17

Example: Application deployment

18

Summary of management tools and processes

• Managed update tools (SMS, Zenworks, GPOs, WSUS, Shavlik)

• Manual update (end user or technician)

• Self-service configuration tools

• Images

• Remote data wipe

• Tools to enable end-users select their management preference

• Installers

• Software virtualization

• Thin client applications delivery

19

Summary of management tools and processes

• Network quarantine

• Life cycle management (leasing, mediated purchasing and disposal)

• Asset management tool

• Vendor-supplied data

• Bundle on CDs

• Mac address/network registration

• Published guidelines

• Site licenses

• Minimum requirements

20

Results of CSG Survey

21

Which practices and tools are we using?

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Registration of Mac addresses

Update tools

Manual update (by end users or technicians)

Images

Asset management tool

End-user guidelines for managing devices

Minimum hardware and software requirements

Life cycle management

Web-based self-service installers & config. tools

Network quarantine for unpatched machines

Self-service installers, etc. on CDs

Vendor data integrated w. asset management data

Thin client applications delivery

Application virtualization

Tools for users to manage deployment prefs

Remote data wipe for compromised laptops

% of schools using

22

How widely are we deploying tools & practices?

Registration of Mac addresses

End-user guidelines for managing devices

Minimum hardware and software requirements

Network quarantine for unpatched machines

Update tools

Web-based self-service installers & config. tools

Images

Life cycle management

Manual update (by end users or technicians)

Asset management tool

Self-service installers, etc. available on CD

Vendor data integrated w. asset management data

Tools for users to manage deployment prefs

Thin client applications delivery

Remote data wipe for compromised laptops

Application virtualization

<20% 20-50% 50-80% >80%

% of devices used with

23

How widely are we deploying tools & practices?

0

2

4

6

8

10

12

14

16

24

Questions?

30