
Security threats are becoming increasingly sophisticated, and the myriad compliance requirements businesses must address call for controls to reduce the risk of unauthorized access to systems, and ultimately the underlying data. In addition, the sheer volume and rate of change have increased to the point that limited administrative staff can’t keep up with demand, resulting in skyrocketing IT management costs.
Further compounding the issue is today’s mobile and remote workforce. Client devices are distributed around the globe and information workers use them as both the hub of their productivity and the gateway to corporate information, resulting in the need for stringent service availability and even greater security.
Despite IT’s best efforts to standardize hardware, software and processes, events such as mergers and acquisitions make this a challenging task. Today’s reality is a heterogeneous client environment and multiple hardware and software platforms, which means IT needs to maintain multiple images and applications, making change deployment an exponentially difficult task.
While the data center operations team shudders at the thought of hands-off operations, the desktop operations team is different. They need to perform a variety of management tasks on thousands, if not hundreds of thousands, of devices on a daily basis – everything from software distribution to OS deployments to patch management – making a hands-off automation approach IT’s only viable option.
Given the complexity of managing client devices in today’s world, an effective strategy needs to leverage policy-based, hands-off automation across the device lifecycle, including a continuous baseline of the environment for visibility, automation of change to optimize cost efficiency and service availability, automation of security and compliance to reduce audit risks and the agility to scale by provisioning new devices and services in the timeframe required by the business.
Leveraging automated discovery and inventory management tools to baseline the IT environment is the foundational element of client management, as you cannot manage what you don’t know exists. Mergers and acquisitions are a great example of why this is critical, as IT needs an efficient method of capturing what is being acquired from both a hardware and a software perspective to make better asset purchase, migration or retirement decisions as part of the IT integration process. Any company undertaking a Windows Vista migration also needs to factor in inventory as part of the planning process. For example, who is using what hardware and software? Are they using desktop PCs tethered to an office, notebooks with the freedom to wander the globe, or other devices designed for home office environments? What is the age and lease information of the PC fleet? Most companies have PCs of various vintages, so an aging fleet of computers may suggest a far different Windows Vista deployment initiative than a relatively young, more powerful PC environment. And the middle ground of a relatively balanced mixture of old and new machines can require an even more focused examination of how many PCs need to be purchased, how many can be upgraded, and which machines fall into which category. Security is another driving force for good discovery, as rogue machines on the network are a prime target for malicious acts. Automated discovery will help identify machines that might not have been previously under management to control the environment.
Now you have a basis of information which can be used to set policies and leveraged for service desk and asset management tools as part of a comprehensive service management strategy for both asset and software lifecycle management. While inventory scans are one basis for policy creation, an ideal client management strategy should enable you to set policies based upon multiple criteria, such as user identity (for example, role, department or location in the organization). With this policy model in place, software deployment and management is factored not only by type of machine but also by the user, creating a more robust method for automating change and compliance.
With a policy model in place, the next step is automating software changes to managed client devices, everything from bare metal provisioning to software distribution – including operating systems, patches, applications, content and configuration settings – to software updates, repairs and removal over the lifecycle. While many organizations have some level of automation across these processes today, traditional automation solutions in the market are task-based solutions. While semi-automated tools may be acceptable for smaller organizations, they fall short of the hands-off operation that is needed to maximize operational efficiency in enterprise organizations. A typical example of software distribution using task-based solutions could require up to ten steps: IT needs to package the software, create a script, refresh inventory information to get current state information and identify target devices, generate a success/failure report and repeat the process until all installations are successful. This can become quite a laborious process, especially when you think about large-scale deployments such as Windows Vista migrations. Not only must IT deploy Windows Vista to every PC in the enterprise, it must also verify that the right applications and personal settings all get to the right PCs – all while decreasing the intrusion to the end user.
Today’s needs require a policy-based, hands-off automation solution to maximize administrative time and cost reduction. In contrast to task-based solutions, policy-based automation will reduce the process down to a few steps: package the software, create an entitlement policy which does not rely only on inventory information but could be based upon user or machine identity, and deliver the software package automatically to all devices that comply with the policy. Failed distributions are retried on the next scheduled client connection, and configurations are verified and repaired with each client connection. The IT administrator simply receives reports to track progress and status. This process occurs automatically, without installation scripts or administrative intervention, to maximize administrative efficiency and productivity.
In the example of Windows Vista migration, this means that IT automatically collects user personality data and settings across all of the target devices, and based upon a pre-defined policy aligned to the migration strategy (for example, all users in a specific department or all machines with certain attributes) the new OS is automatically deployed to every desktop, notebook and remote PC in the environment that meets the policy. In addition, all relevant user-customized settings, applications and content are applied to each machine based upon policy, and the distribution of necessary OS patches on each computer is streamlined by automatically accessing Microsoft’s website, obtaining the patch and installing it on the hard drive. Once deployed, hands-off automation will periodically verify all of the managed components are in place according to policy and will automatically fix broken files or settings, optimizing service availability and virtually eliminating help desk calls in the process.
Policy-based automation not only provides cost efficiency, but it is also a core part of maintaining good security posture. With automated patch and vulnerability management, instead of running a periodic scan to identify non-compliant devices, the system verifies the actual patch level against the defined policy each time the client connects, immediately applying the appropriate patch if there is a policy deviation. With multiple compliance requirements focused on restricting unauthorized access to systems and data, policy-based automation also plays a key role in restricting access to systems that may house material or confidential corporate data. Let’s say an employee moves into a different department where they don’t have access to the same systems based upon job function. And what if that employee moves out of a finance role where they had access to financial information? With policy-based automation, software entitlements can be set based upon role or department, so when the employee moves departments a new policy will automatically apply the new software entitlements, and remove any systems they are no longer entitled to.
Regulatory compliance is only one aspect of compliance organizations must adhere to. Rogue software installations are also a significant source of software license non-compliance. Analysts anticipate that in the next few years, a staggering 40 percent of midsize and large enterprises will face a software-licensing audit. When corporations are not following sound software asset management practices, responding to an audit is generally a manual, time-consuming and costly procedure. Companies that don’t have control of software deployment, ownership, asset location and proof of purchase will always be at risk of failing a software audit.
To reduce audit risk, an integrated client and asset management strategy is critical for reconciling inventory and software utilization information with licensing information in the asset management system. From this information, IT can quickly identify software that’s been installed on a machine without entitlement, and use the client automation tools to remotely uninstall the software to facilitate license compliance.
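The verify-on-connect model described above (role-based entitlements, patch-level checks, retry of failed distributions and removal of unentitled software) can be sketched as a small desired-state reconciler. This is an added illustration, not code from HP Client Automation; the policy table, package names and the `reconcile` and `on_connect` functions are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: role -> {package: minimum patch level}. All names are hypothetical.
POLICY = {
    "finance": {"erp-client": 3, "office-suite": 12},
    "engineering": {"ide": 7, "office-suite": 12},
}
CATALOGUE = {pkg for pkgs in POLICY.values() for pkg in pkgs}  # licensed, managed software


@dataclass(frozen=True)
class Action:
    op: str                      # "install", "patch", "remove" or "review"
    package: str
    level: Optional[int] = None  # target patch level for install/patch


def reconcile(role, installed):
    """Compare a device's reported state with the policy for its user's role."""
    entitled = POLICY.get(role, {})  # unknown role: entitled to nothing
    actions = []
    for pkg, level in sorted(entitled.items()):
        if pkg not in installed:
            actions.append(Action("install", pkg, level))
        elif installed[pkg] < level:
            actions.append(Action("patch", pkg, level))
    for pkg in sorted(set(installed) - set(entitled)):
        # Managed software without entitlement is removed; unknown software is
        # flagged for license review rather than silently uninstalled.
        actions.append(Action("remove" if pkg in CATALOGUE else "review", pkg))
    return actions


def on_connect(role, installed, failing=frozenset()):
    """One client connection: apply what succeeds, leave failures for the next one."""
    state = dict(installed)
    for a in reconcile(role, installed):
        if a.package in failing or a.op == "review":
            continue
        if a.op == "remove":
            del state[a.package]
        else:
            state[a.package] = a.level
    return state
```

Because every connection recomputes the difference between policy and reported state, a failed distribution needs no separate retry queue: it simply reappears in the next reconciliation until the device converges.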
By applying automation to key processes across the client lifecycle, IT now has the tools in place to respond to changing business requirements in a timely manner, and has created a repeatable process for managing devices, change and compliance.
HP Client Automation solutions have helped customers reduce software deployment times up to 50 percent, migration costs up to 68 percent, patch distribution time from months to days and improve software management efficiency up to 75 percent*. To learn more about how your organization can adopt a client automation strategy suited to meet today’s business needs, visit us at www.hp.com/go/software.
*Customers may see different results, and HP does not guarantee similar results.