The key processes that desktop management tools address are inventory, monitoring, software deployment, patching and security. These are broad areas, and there is some overlap among them.
Software deployment may involve changes to end-user privileges, which is obviously a security topic. There are also dependencies between these areas. Comprehensive monitoring depends on an up-to-date inventory. And security concerns may drive patching -- especially emergency patching done outside normal maintenance schedules.
It is important to note that different tools may focus on different processes. Additionally, some might emphasize enterprise-scale support, while others focus on ease of use. As you evaluate desktop management options, be prepared to accept some feature trade-offs. You may not get exactly the combination of capabilities you are hoping for.
Inventory management focuses on tracking desktops as assets, but monitoring collects information on how those desktops are used.
Waiting for users to complain about desktop performance is one way to monitor utilization, but it's a fairly ineffective method. Desktop management applications often include tools that monitor the state of key performance metrics of desktops, such as CPU utilization, I/O throughput, memory use and network traffic.
Other features, such as application profiling and log monitoring, can provide finer-grained details about specific applications and their performance characteristics.
Software deployment tools
Small organizations may deploy software by sending desktop administrators to physically install applications. That is too inefficient, inconsistent and potentially error prone for larger organizations.
Windows operating systems provide support for pushing applications to desktops from a central console, which may work well in small and some medium-sized businesses. The chances that you will need to perform specialized operations or address installation problems grows with the size of the user base.
There are several features you can expect from the software deployment tools in desktop management systems, including:
- The ability to distribute multiple types of installers, such as MSI and EXE packages.
- A repository for installers.
- Support for pre-installation checks and script execution.
- Support for post-installation checks.
- The ability to run rollback scripts in the event of failures.
Some software deployment tools also include templates for installing commonly used software, such as productivity suites.
Patching is the process of executing software to correct flaws or improve features of installed applications or operating systems. Patching is such a common process that the term "Patch Tuesday" has come to refer to the second Tuesday of a month, which is the time Microsoft releases updates or patches for its software.
Of course, any operating system or application may require patching. One of the distinguishing features of patching tools is their breadth of support for different target systems. Enterprise patch applications should support both Windows and OS X desktops.
Patch management features include:
- Desktop discovery and vulnerability detection.
- Ability to detect and patch both physical and virtual machine instances.
- Ability to detect and install patch dependencies.
- Reporting tools to provide information on the status of systems, vulnerabilities and patches applied.
Testing patches on a representative set of desktops with a variety of configurations before deploying is generally considered a best practice; patches may break functioning applications. In spite of efforts by vendors and software developers to avoid such problems, there may be other unintended side effects of patches.
Centralized management helps mitigate the risk of misconfigured desktops, which can be significant. Attackers can exploit open ports on desktop firewalls, outdated antimalware and weak authentication.
Of course, some attacks start with zero-day exploits and human mistakes. Those are more challenging to address and make basic desktop security all the more important as a first line of defense.
Centralized desktop management tools can also implement several security-related support features, including:
- Enforcing authentication procedures.
- Locking desktops.
- Ensuring antimalware is installed and up to date.
- Enforcing encryption policies.
- Checking the configuration of local firewalls.
Patching is a common response to newly discovered vulnerabilities. When vulnerabilities are of sufficiently low risk, administrators may apply patches during routine maintenance windows. In some cases, however, administrators must apply emergency patches because the risk of waiting for the next maintenance window is too high.
The human element in software deployment
Automated tools for deploying cloud-based apps
Third-party patch deployment tools