Have you considered packaging those Firefox/Adobe etc. apps up with App-V or something? It certainly mitigates some of the risk given that the packaged app can't interact heavily with the underlying OS due to the SystemGuard feature. When a client system checks in, it could then pick up the updated app. You'd have to pre-cache the apps for offline use, but it would certainly mitigate against a large part of the risk factor.
Cheers,
JR

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

-----Original Message-----
From: David Lum <[email protected]>
Date: Thu, 14 Mar 2013 20:23:57
To: NT System Admin Issues <[email protected]>
Reply-To: "NT System Admin Issues" <[email protected]>
Subject: RE: Keeping 550+ systems maintained

Excellent questions Ken, thanks. Up to date at this point means

1. Current (within 1 day) of anti-virus signatures
2. Have the latest Acrobat/Java/Firefox/Chrome updates within two weeks
3. Successful backups (we use Tivoli to back up endpoints)
4. Weekly report to confirm the above

Dave

From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, March 13, 2013 8:01 PM
To: NT System Admin Issues
Subject: RE: Keeping 550+ systems maintained

I think you need to know what your requirements are. How do you define "up to date"? e.g.

- How quickly do you need to deploy something (or even have a range of critical/medium/low priority updates)?
- And how do you need to report compliance (on demand? At pre-set intervals?)
- And how do you measure your SLA? E.g. what is an acceptable level of 'unknown' state devices? And how long can they remain as 'unknown'?

Once you have an idea of what you need to meet, then you can start to work out what combination of technologies and people you need to meet it.

Cheers
Ken

From: David Lum [mailto:[email protected]]
Sent: Wednesday, 13 March 2013 1:40 AM
To: NT System Admin Issues
Subject: Keeping 550+ systems maintained

Scenario:

* 550 Windows workstations, with 100+ of them remote.
* Active Directory (W2K8R2 and W2K3 DCs).
* Windows 7 and Windows XP.
* Users are local admins.
* Some remote users VPN in daily, others only VPN in once/month, a few others almost never.
* 30+ onsite users frequently jump between wired and wireless (in my experience this occasionally trips up DNS and thus management agents for a bit).
* Systems are cycled out at the rate of about 30 machines every quarter (relevant because finding a noncompliant machine often means knowing if a system has been decommissioned or not). Systems are not always immediately removed from AD for various reasons.

Task: Keep them up to date on anti-virus and patches, incl. 3rd party (Java/Adobe/Chrome/etc.). This includes coordinating (with select users) installing/testing the patches on their systems before full rollout to the rest of the org.

Is this enough info to give a SWAG for how many hours/week you would tell management this would take? A rough number works.

David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
