Desktop Management Strategic Vision
Written by Tony Silveira
This document outlines a strategic vision for managing desktop systems at Stanford University, focusing specifically on the services currently provided and managed by IT Services, and proposed products and services. "Desktop Management" (DM) includes desktop standards, configuration management, patch management, software distribution, hardware and software inventory, security, imaging, and data backup and restoration.
Although some IT organizations on campus have implemented desktop management products and processes, an IT Services enterprise desktop management offering has never been attempted. Consequently, most of the items in this document fall into the "proposed" rather than "currently provided" category. For the most part, specific vendor offerings have not been included unless the technology is provided by an operating system vendor.
Principles
The goal of centralized desktop management is to reduce total cost of ownership of desktop systems by automating common computer support tasks, improve the client experience by increasing computing stability and predictability, protect client data from loss, improve support organization flexibility by reducing the variety and vagaries of supported systems, reduce user downtime by automating disaster recovery, and improve desktop and data security. All of this should be done in such a way as to:
- Be transparent to the computer user.
- Allow for local control and variance to accommodate Stanford's decentralized desktop support model. Since Stanford schools and departments have some special needs that may be at variance with the IT Services standards, whatever systems are implemented must allow for local configuration and control.
- Be implemented as an "opt-in" rather than an "opt-out" process, so that systems explicitly join the managed model. This will accommodate school and departmental "special purpose" computers that have requirements inconsistent with the managed model.
- Standardize OS and software versions, file locations, and naming conventions.
- Support both "push" (centrally managed software deployment without user interaction), and "pull" (user initiated or "self-provisioned") software distribution.
- Take into account the fact that Stanford desktop computers comprise both Stanford-owned and non-Stanford-owned (student-, vendor-, visitor-owned, etc.) computer assets. This will directly impact all desktop management elements. For example, it may not be appropriate to maintain Stanford-specific desktop standards on a visiting scholar's desktop computer.
- Integrate with Stanford's authentication and authorization systems. See the "Authentication Strategic Vision" and "Identity Management Vision" documents.
A stable cross-platform distributed file system is a prerequisite for many of the elements of an enterprise desktop management system. See the "Storage Strategic Vision" document.
Technologies
Stable core technologies:
- BigFix system for patch management and vulnerability reporting. See the "Windows Infrastructure Strategic Vision" document.
- "Windows Update" for operating system security patching.
- Unmanaged Symantec AntiVirus for virus protection.
- Essential Stanford Software site for self-provisioned software distribution.
- PC-Leland and Mac Leland for authentication and AFS network file system access.
- Symantec Ghost for imaging Windows machines.
- Desktop security configuration automation ("Security Self-Help").
Emerging technologies:
- Netboot for OSX imaging.
- Linux desktop management technologies.
Deprecated technologies:
- Unmanaged virus protection.
- Common console administrator passwords.
Projects
First:
- Continue expanding the BigFix patch management system.
- Define desktop standards.
- Develop tools and procedures to implement and maintain those standards for Stanford-owned desktop systems.
- Develop images and installers that apply the standards to new and redeployed computers.
- Automate the collection, processing, and display of the BigFix inventory data. This data will facilitate planning and implementation of subsequent steps.
- Develop strategies for Mac inventory collection.
- Implement a system to assign and maintain unique secure administrator console passwords (Secure Password Web).
Next:
- Develop and put in place a phased automated software distribution ("push") and version control system that includes:
  - A formal change management process with checkpoints and an approval process.
  - A reliable and predictable tester base for Phase 1 and 2 integration testing.
  - An automated process for distribution of beta software to integration testers.
- Develop and put into place a self-provisioned software distribution system ("pull") that is integrated with Stanford's software licensing system.
Later:
- Use the push software distribution system to implement a user data redirection and backup strategy based on stable industry standards.
Research
The following areas should be explored with an eye to their long-term inclusion in our desktop management strategy:
- CIFS network data storage for user data (primary user data storage).
- Applying more control to subsets of IT Services clients (administrative desktops, single-use desktops, cluster or lab environments) using either existing systems or systems that are currently under development (e.g., Stanford University Computer Science Department's "Blue Sky" system), and alternate support pricing strategies for clients who participate.
- Third-party integrated enterprise desktop management systems (Marimba, SMS, Tivoli, LSVi On Demand, etc.).
- Realigning EHS to more effectively support the centralized application of desktop management.
- Remote Installation Services. See the "Windows Infrastructure Strategic Vision" document.
- Linux desktop management.
- Managed virus protection strategies.




