So, if I could summarise your requirements, and current state:

Machines:

In Office                              450
Remote: once-per-day connectivity      ~30
Remote: once-per-month connectivity    ~30
Remote: no connectivity                ~30

Requirement | Metric | Compliance
Update AV | Within 24 hours of release | 100% of machines. Weekly report
Update Acrobat/Java/Firefox/Chrome | Within 14 days of release | 100% of machines. Weekly report
Successful Backup (unsure what the scope is here) | Unsure what the metric is here (Daily? Weekly? Monthly?) | Weekly report
Compliance Report | Weekly | 100% coverage


If you need to meet 100% compliance (you don't mention meeting, say, 90% 
compliance within 1 day, 100% within a week, or dividing machines into 
"in-office" vs. "remote") then I think your problem is the infrequently 
connected machines (~10% of the fleet), as they don't connect frequently enough 
for central enforcement and meeting your turn-around-times. So you might look 
at:

a) A configuration management system that's able to communicate "over the 
internet". Could be as simple as a script that runs as a scheduled task and 
posts the data back to a web server that you have centrally.

b) Some way of making remote configuration changes (Go-To-Meeting or 
something) to enforce updates (if/when required).

You could look at using RDS or similar to publish the apps you need to update 
within 14 days (except the ones listed all have their own updating mechanisms). 
If that's not working well, then Citrix/RDS might be an option, as at least you 
can enforce the updating centrally

Backup - I'm going to assume that TSM is not going to work for the machines 
that do not VPN in, so you need something separate for them.

I'd also look at your configuration management procedures, and tighten up the 
link between asset lifecycle management -> configuration management -> AD 
configuration, to reduce the time being spent on machines that haven't been 
removed from AD. You might want to read the ITIL docs to see all the process 
areas you should have (not saying you should implement ITIL, but it'll help 
with proactive/consistent management of the environment).

If you really need to hit the metrics you have above (including proving 
compliance), you could be devoting almost an entire FTE to the above.

Cheers
Ken
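
Added example (not part of the original thread): a sketch of the central side of option (a), scoring the reports that endpoints post back against the 24-hour AV and 14-day application deadlines summarised above. The report fields, hostnames, version strings and the 7-day "unknown" cutoff are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Deadlines from the summary table; the 7-day "unknown" cutoff is an assumption.
DEADLINES = {"av": timedelta(hours=24),
             **{app: timedelta(days=14) for app in ("acrobat", "java", "firefox", "chrome")}}
UNKNOWN_AFTER = timedelta(days=7)

def classify(report, latest, now):
    """Return ('unknown'|'compliant'|'noncompliant', [overdue items]) for one machine."""
    if report is None or now - report["checked_in"] > UNKNOWN_AFTER:
        return "unknown", []          # state cannot be proven for this week's report
    overdue = []
    for item, deadline in DEADLINES.items():
        version, released = latest[item]
        # An older version is tolerated only while the release is inside its deadline.
        if report["versions"].get(item) != version and now - released > deadline:
            overdue.append(item)
    return ("noncompliant" if overdue else "compliant"), overdue

def weekly_report(inventory, reports, latest, now):
    """Classify every machine in the inventory (e.g. the AD computer list)."""
    rows = {host: classify(reports.get(host), latest, now) for host in inventory}
    counts = {"compliant": 0, "noncompliant": 0, "unknown": 0}
    for status, _ in rows.values():
        counts[status] += 1
    counts["percent_compliant"] = round(100.0 * counts["compliant"] / len(inventory), 1)
    return rows, counts

# Constructed sample data: hostnames, versions and dates are illustrative only.
NOW = datetime(2013, 3, 15, 8, 0)
LATEST = {"av": ("sig-0314", datetime(2013, 3, 14, 6, 0)),
          "acrobat": ("A2", datetime(2013, 2, 20)),
          "java": ("J2", datetime(2013, 3, 4)),
          "firefox": ("F2", datetime(2013, 3, 8)),
          "chrome": ("C2", datetime(2013, 2, 25))}
CURRENT = {k: v[0] for k, v in LATEST.items()}
REPORTS = {
    "OFFICE-001": {"checked_in": datetime(2013, 3, 15, 7, 0), "versions": CURRENT},
    "REMOTE-DAILY-01": {"checked_in": datetime(2013, 3, 14, 18, 0),
                        "versions": dict(CURRENT, av="sig-0312", firefox="F1")},
    "REMOTE-MONTHLY-01": {"checked_in": datetime(2013, 2, 12), "versions": CURRENT},
}
INVENTORY = ["OFFICE-001", "REMOTE-DAILY-01", "REMOTE-MONTHLY-01", "REMOTE-NEVER-01"]

if __name__ == "__main__":
    rows, counts = weekly_report(INVENTORY, REPORTS, LATEST, NOW)
    for host, (status, overdue) in rows.items():
        print(f"{host:20} {status:13} {', '.join(overdue)}")
    print(counts)
```

Machines that are in the inventory but have no recent report are counted as "unknown" rather than compliant, which is where the rarely connected and not-yet-removed-from-AD systems show up.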


From: David Lum [mailto:[email protected]]
Sent: Friday, 15 March 2013 7:24 AM
To: NT System Admin Issues
Subject: RE: Keeping 550+ systems maintained

Excellent questions Ken, thanks. Up to date at this point means


1. Current (within 1 day) of anti-virus signatures

2. Have the latest Acrobat/Java/Firefox/Chrome updates within two weeks

3. Successful backups (we use Tivoli to back up endpoints)

4. Weekly report to confirm the above

Dave


From: Ken Schaefer [mailto:[email protected]]
Sent: Wednesday, March 13, 2013 8:01 PM
To: NT System Admin Issues
Subject: RE: Keeping 550+ systems maintained

I think you need to know what your requirements are.

How do you define "up to date"? e.g.

- How quickly do you need to deploy something (or even have a range of 
critical/medium/low priority updates)?

- And how do you need to report compliance (on demand? At pre-set 
intervals?)

- And how do you measure your SLA? E.g. what is an acceptable level of 
'unknown' state devices? And how long can they remain as 'unknown'?

Once you have an idea of what you need to meet, then you can start to work out 
what combination of technologies and people you need to meet it.

Cheers
Ken

From: David Lum [mailto:[email protected]]
Sent: Wednesday, 13 March 2013 1:40 AM
To: NT System Admin Issues
Subject: Keeping 550+ systems maintained

Scenario:

* 550 Windows workstations, with 100+ of them remote.

* Active Directory (W2K8R2 and W2K3 DCs).

* Windows 7 and Windows XP.

* Users are local admins.

* Some remote users VPN in daily, others only VPN in once/month, a few 
others almost never.

* 30+ onsite users frequently jump between wired and wireless (in my 
experience this occasionally trips up DNS and thus management agents for a bit).

* Systems are cycled out at the rate of about 30 machines every quarter 
(relevant because finding a noncompliant machine often means knowing if a system 
has been decommissioned or not). Systems are not always immediately removed 
from AD for various reasons.


Task: Keep them up to date on anti-virus and patches, incl. 3rd party 
(Java/Adobe/Chrome/etc.). This includes coordinating (with select users) 
installing/testing the patches on their systems before full rollout to the rest 
of the org.

Is this enough info to give a SWAG for how many hours/week you would tell 
management this would take? A rough number works.
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
