Would Windows Intune be a possibility for those remote devices?

 

From: Graeme Carstairs [mailto:[email protected]] 
Sent: Friday, March 15, 2013 12:12 AM
To: NT System Admin Issues
Subject: Re: Keeping 550+ systems maintained

 

You could look at direct access 

As long as the remote machines are Internet connected they can be managed

 

Usually people may still access the web but not VPN onto corporate 

 

 



On Friday, 15 March 2013, Ken Schaefer wrote:

So, if I could summarise your requirements, and current state:

 

Machines:

    In Office                              450
    Remote: once-per-day connectivity      ~30
    Remote: once-per-month connectivity    ~30
    Remote: no connectivity                ~30

 


    Requirement                         | Metric                     | Compliance
    ------------------------------------+----------------------------+---------------------------------
    Update AV                           | Within 24 hours of release | 100% of machines. Weekly report
    Update Acrobat/Java/Firefox/Chrome  | Within 14 days of release  | 100% of machines. Weekly report
    Successful Backup (unsure what the  | Unsure what the metric is  | Weekly report
      scope is here)                    |   here (Daily? Weekly?     |
                                        |   Monthly?)                |
    Compliance Report                   | Weekly                     | 100% coverage

 

If you need to meet 100% compliance (you don't mention meeting, say, 90%
compliance within 1 day, 100% within a week, or dividing machines into
"in-office" vs. "remote") then I think your problem is the infrequently
connected machines (~10% of the fleet), as they don't connect frequently
enough for central enforcement and meeting your turn-around-times. So you
might look at:

a)      A configuration management system that's able to communicate "over
the internet". Could be as simple as a script that runs as a scheduled task
and posts the data back to a web server that you have centrally

b)      Some way of making remote configuration changes (Go-To-Meeting or
something) to enforce updates (if/when required)

 

You could look at using RDS or similar to publish the apps you need to
update within 14 days (except the ones listed all have their own updating
mechanisms). If that's not working well, then Citrix/RDS might be an option,
as at least you can enforce the updating centrally

 

Backup - I'm going to assume that TSM is not going to work for the machines
that do not VPN in, so you need something separate for them.

 

I'd also look at your configuration management procedures, and tighten up
the link between asset lifecycle management -> configuration management ->
AD configuration, to reduce the time being spent on machines that haven't
been removed from AD. You might want to read the ITIL docs to see all the
process areas you should have (not saying you should implement ITIL, but
it'll help with proactive/consistent management of the environment).

 

If you really need to hit the metrics you have above (including proving
compliance), you could be devoting almost an entire FTE to the above.

 

Cheers

Ken
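
The central side of option (a) in the message above, as an added example that is not part of the thread or any poster's own code: it classifies each machine's last check-in against the 24-hour and 14-day turn-around times from the table, and separates proven non-compliance from the "unknown" state that infrequently connected machines fall into. The record layout, host names and version strings are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Turn-around times from the requirements table in the thread.
DEADLINES = {"av": timedelta(hours=24), "java": timedelta(days=14)}

def classify(report, release, deadline, now):
    """State of one requirement on one machine.

    report  -- (version, reported_at) from the last check-in, or None
    release -- (latest_version, released_at)
    """
    latest, released_at = release
    if report is None:
        return "unknown"      # machine has never checked in
    version, reported_at = report
    if version == latest:
        return "compliant"
    due = released_at + deadline
    if now <= due:
        return "pending"      # still inside the allowed window
    # Past the deadline: the old version is proven only if seen after it;
    # an older check-in tells us nothing about the machine's state today.
    return "overdue" if reported_at > due else "unknown"

def weekly_report(checkins, releases, now):
    """Per-requirement state counts across the fleet."""
    return {
        item: dict(Counter(
            classify(machine.get(item), release, DEADLINES[item], now)
            for machine in checkins.values()))
        for item, release in releases.items()
    }

# Constructed sample data: one machine per connectivity class in the thread.
NOW = datetime(2013, 3, 15, 9, 0)
RELEASES = {"av": ("sig-0314", datetime(2013, 3, 14, 6, 0)),
            "java": ("7u17", datetime(2013, 3, 4, 0, 0))}
CHECKINS = {
    "office-01": {"av": ("sig-0314", NOW - timedelta(hours=2)),
                  "java": ("7u17", NOW - timedelta(hours=2))},
    "remote-daily": {"av": ("sig-0313", NOW - timedelta(hours=1)),
                     "java": ("7u15", NOW - timedelta(hours=1))},
    "remote-monthly": {"av": ("sig-0220", NOW - timedelta(days=23)),
                       "java": ("7u15", NOW - timedelta(days=23))},
    "remote-offline": {},
}

if __name__ == "__main__":
    for item, counts in weekly_report(CHECKINS, RELEASES, NOW).items():
        print(item, counts)
```
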

 

 

From: David Lum [mailto:[email protected]] 
Sent: Friday, 15 March 2013 7:24 AM
To: NT System Admin Issues
Subject: RE: Keeping 550+ systems maintained

 

Excellent questions Ken, thanks. Up to date at this point means 

 

1.       Current (within 1 day) of anti-virus signatures 

2.       Have the latest Acrobat/Java/Firefox/Chrome updates within two
weeks

3.       Successful backups (we use Tivoli to back up endpoints)

4.       Weekly report to confirm the above 

 

Dave

 

 

From: Ken Schaefer [mailto:[email protected]] 
Sent: Wednesday, March 13, 2013 8:01 PM
To: NT System Admin Issues
Subject: RE: Keeping 550+ systems maintained

 

I think you need to know what your requirements are.

 

How do you define "up to date"? e.g. 

-          How quickly do you need to deploy something (or even have a range
of critical/medium/low priority updates)?

-          And how do you need to report compliance (on demand? At pre-set
intervals?)

-          And how do you measure your SLA? E.g. what is an acceptable level
of 'unknown' state devices? And how long can they remain as 'unknown'

 

Once you have an idea of what you need to meet, then you can start to work
out what combination of technologies and people you need to meet it.

 

Cheers

Ken

 

From: David Lum [mailto:[email protected]] 
Sent: Wednesday, 13 March 2013 1:40 AM
To: NT System Admin Issues
Subject: Keeping 550+ systems maintained

 

Scenario: 

*         550 Windows workstations, with 100

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin



-- 
Good news everyone, you have just received an e-mail from me!
