LANDesk rules the roost in desktop management

Our Clear Choice Test of desktop-management software points to Altiris and LANDesk.

In this round of testing desktop-management software, we decided to analyze how well the tools performed from the perspective of five different roles, or sets of users. For example, looking at these products from the perspective of the help desk, we evaluated how well the products help diagnose and fix problems on remote desktops, and we looked at the deployment of software, imaging, personality transfer and upgrades.

Issues on the horizon

Archive of Network World tests

Subscribe to the Network Product Test Results newsletter

We analyzed the products from the perspective of security in terms of patch management, anti-virus updates, and software application monitoring and metering. We also looked at the products’ support for Cisco’s Network Admission Control (NAC) and the protection they offered for mobile workers away from corporate networks.

We looked at these tools from the perspective of users – how well the products let them find and restore lost files, fix applications or reset their passwords. We took the perspective of IT executives in terms of how the offerings produced accurate and informative software and hardware inventories and useful reports for CIOs, and how they addressed day-to-day management issues at the operational level.

We invited several top desktop-management vendors to participate, as well as Altiris, LANDesk, Microsoft and Novell. CA had a new release of its Desktop Management Suite in beta, but it wasn’t ready for release before we finished our testing. Numara Software (formerly Intuit) submitted its Track-It Enterprise product, which we reviewed separately, because it doesn’t match up well with the other products tested.

Our Clear Choice Award goes to LANDesk for having a broad range of features that covered our five sets of users well, and had superior security features.

LANDesk

LANDesk has provided the broadest-possible level of platform support in all its products since we’ve been testing its gear. Version 8.6 of the LANDesk Management Suite is no exception: It supports multiple versions of Linux, Macintosh and Windows. The inclusion of the LANDesk Management Gateway makes it possible to manage a laptop or desktop system over the Internet. This release of Management Suite makes significant strides in its reporting capabilities. Previous versions delivered a set of canned reports and a simple report generator, but we found a more complete (although complex) capability in this release.

LANDesk really shines in the deployment arena. With Management Suite’s support for Intel’s Active Management Technology (AMT) (see a related story), LANDesk has made deployment even more effective. We really liked being able to boot a remote PC from a local Integrated Drive Electronics device, such as an external USB drive or a CD or DVD. After booting, you can turn around and image the machine remotely if needed.

The LANDesk OS Deployment Wizard guides you through the entire operating-system deployment and migration process. Alternatively, LANDesk provides a software developers kit to let you develop customized deployments. LANDesk also can deploy images created with its tools or by other products, such as Symantec’s Norton Ghost. A peer-download capability makes it possible to deliver, for example, large software updates faster at the local subnet level.

On the help-desk front, LANDesk management console adds several new user-interface features that make finding information and accomplishing specific tasks a snap. We loved its tabs for quick access to functions and its ability to define a custom console layout to fit our needs. We did this easily by dragging windows around, closing or opening new windows, and clicking a button to save the layout. Getting information about specific workstations was quick and easy from the management console. A remote-control session is initiated by right-clicking the option for “any system” listed under “devices.” Remote control worked smoothly and gave us the ability to execute a program remotely, transfer a file, initiate a chat session or reboot the computer. We also could draw things on the screen to point things out, lock out the remote keyboard and blank the screen.

LANDesk also excels in the security arena. The LANDesk Trusted Access application adds scan and block capabilities to the basic patch and update tools of previous versions. The application uses a quarantined network environment for any computer that doesn’t have the current LANDesk client and up-to-date patches installed. For delivering patches across an enterprise, LANDesk uses its patented targeted multicasting technology to deliver critical updates quickly. The system also has a unique twist: To help speed patch delivery it prestages updates across an enterprise while a patch is tested. Once the patch is cleared for deployment, it can be delivered to each desktop much faster, because the patch resides on a local subnet.

On the IT management side, LANDesk has made significant improvements since the last version we tested. The canned reports provide a wide variety of information without any need for customization, although you can modify them if you want. The system also includes a full-featured report generator for building custom reports from scratch.

LANDesk has some key new features that will appeal to end users. There are a number of benefits for Lenovo (formerly IBM) desktop and laptop users from the integration LANDesk has done with its existing tools. The ImageUltra Builder allows local users to make individual system backups, but these can be scheduled also and performed automatically through LANDesk.

Altiris

The Altiris system uses a modular architecture for the individual parts plugged into its notification server. A Windows 2000 or 2003 server with the latest support packs, along with Microsoft SQL Server, is required for the notification server installation. The Microsoft SQL Server Desktop Engine stand-alone database can be used for a small installation, but Altiris doesn’t recommend this.

To test all the roles we wanted, we installed the Deployment Solution and Recovery Solution. A new Altiris feature in beta is its Software Virtualization Solution (SVS). We tested SVS in several scenarios and think it will be a great addition to anyone’s toolbox. SVS places applications and data into managed units that can be instantly activated, deactivated or reset based on a business’ or user’s requirements. SVS affects only how application files and registry settings are installed, not how they are consumed or run, which preserves application supportability.

Altiris’ Deployment Solution 6.5 delivers all the tools needed to create Linux or Windows operating system images and deploy them. The software provides good support for disaster recovery, in addition to the initial deployment of new systems. It also can provision Linux and Windows servers. The PC Transplant Pro application provides excellent support for upgrading and migrating users to new machines. It lets you build sophisticated deployment jobs to migrate personalities automatically, including deployment tasks that capture a user’s personality; migrate operating systems and software; and reconfigure a computer with a user’s original personality settings. You also can edit Personality Packages or Rapid Install Packages on the fly using the PC Transplant Editor and the Wise Package Studio editing tools from the Deployment Solution Console.

The Altiris console is a Web-based application that gives help-desk personnel access to any information they need about systems under their control. Altiris uses Carbon Copy software it acquired from Compaq in 2001 for all remote-control needs. The application works well and provides several features, including tight integration with the Notification Server and browser-based remote control. An integrated incident-management feature available from the management control can log and track support incidents. The help desk or users can create incidents using a Web-based form. Incident notification rules determine what types of incidents will generate specific alerts, such as an e-mail or pager message.

The Altiris Security Management Suite uses several approaches to help prevent network security breaches. The Deployment Solution for Network Devices application is Altiris’ version of the Cisco NAC architecture, though it was still in beta at the time of our testing. Automated patch management is a key piece of the company’s security management strategy. Detecting and updating systems needing a security patch without user intervention helps reduce the risk of viruses spreading.

On the IT management side, Altiris offers a strong Web-based reporting system. We especially liked the dashboards that showed a graphical summary of important information, such as patch status, incident reports and software delivery status. The system includes a long list of predefined reports and makes it possible to modify an existing report or create new ones. Altiris does a good job with asset management, letting you track things such as lease expirations and asset depreciation information. The only kicker is that you have to enter all the information manually to track cost items for each item you want to monitor.

Altiris provides a number of features to make life easier for users. The Recovery Solution product makes it possible to recover lost files from a hidden local partition, should you choose to configure it that way. The company also offers a software portal that allows users to pick from available software applications to install locally on their machines. There’s also a way to configure help desk-management software to reset a password automatically based on a specific trouble ticket.

Novell

Novell’s ZENworks has come a long way from the NetWare-only product it started out as. ZENworks 7.0 excels in terms of multiple platform support. All of the server components can be installed on Linux, NetWare or Windows systems. Client support includes Linux, Macintosh and all flavors of Windows.

You still need to install a copy of eDirectory, as many of the ZENworks modules rely on it for authentication and policy information. ZENworks 7.0 does not rely on the Novell client for anything, but needs a small footprint-management client installed on each system to be managed.

Novell’s approach to user data backups is its iFolder product. Self-service passwords are not a specific component of ZENworks but can be achieved with third-party products.

ZENworks’ deployment stacked up well against the other products. Multiplatform support is one of the hallmarks of ZENworks, with strong emphasis on Linux. The ZENworks imaging server supports Preboot Execution Environment (PXE) booting and multicasting for rapid delivery of images to multiple workstations. For personality migration Novell resells Unicenter Desktop DNA from CA.

ZENworks uses a Desktop Management Workstation Imaging (Linux) partition for reimaging workstations. Once this partition has been installed, the workstation can be autoimaged remotely or on a scheduled basis. This works great for environments such as computer instruction labs, public-use computers or anywhere you need to reset a computer to a known configuration.

Most help-desk functions require the use of ConsoleOne to view information about a specific workstation, initiate a remote-control session or change policy settings. The current version of ConsoleOne is a vast improvement over earlier versions but still requires more than a few clicks to accomplish any task.

The iManager application is a well-designed Web console that performs several management tasks, including user and group management and password reset. We couldn’t perform most of the ZENworks management functions through the Web interface, but Novell says more functionality will be provided in future releases. ZENworks for Linux has a Web-based control center that does give you this functionality on the Linux platform.

For security, Novell relies on eDirectory to drive what it calls policy-driven automation. The system uses identity as the basis for granting access to network resources, installing applications and changing a desktop’s configuration. ZENworks for Handhelds includes several security features, including the ability to self-destruct or wipe out all user data if some predefined number of authentication attempts is exceeded. Novell supports a wide range of handhelds: BlackBerry 850 and 857 devices, using the DataTAC network; BlackBerry 950 and 957 devices, using the Mobitext network; Palm OS devices, Version 3.5 and later; and Windows CE devices, Version 2.11 and later, including Pocket PC devices.

Novell also has a close relationship with PatchLink and uses the company’s patch-management system in conjunction with ZENworks to keep desktop systems up to date. PatchLink uses a subscription model to provide updates for new security threats at an additional charge.

The ZENworks Asset Management application has been added since our last tests. A Web-based reporting component makes generating or reviewing reports a snap. ZENworks’ cross-platform capabilities make it possible to monitor and manage a mix of operating systems installed on desktops or servers.

Novell’s answer to user file backup and restore problems is iFolder. It uses an automatic synchronization capability to keep files on a user machine backed up and synchronized on a server. A peer-to-peer workgroup version of iFolder works across Linux, Macintosh and Windows platforms.

Microsoft

In previous years, our tests of Microsoft’s System Management Server (SMS) harped on the difficulties of installation, the lack of adequate reports and missing features, such as a method for client imaging. Many IT departments have no say in the matter when it comes to their desktop management tools. Because of Microsoft’s corporate licensing agreement, companies get SMS as part of the package.

SMS 2003 has come a long way since the last time we tested it. Several new companion products, including Data Protection Manager, have addressed previous shortcomings. Microsoft still lags behind in other areas, including support for desktops with Intel’s AMT features or Cisco’s NAC security infrastructure.

For deployment, Microsoft addressed the lack of an imaging solution with the release of the SMS 2003 Operating System Deployment (OSD) feature pack. A companion to the imaging tool is the Windows User State Migration Tool. Both integrate well into the overall SMS environment and meet the needs of the help desk deployment user.

One thing to be aware of is an issue with the version of OSD released on Nov. 16, 2004, which could affect the SMS Site Control File. The version released Dec. 17, 2004, addresses this issue, and should be run over the previous version if the older one is installed.

Microsoft gives the help-desk user multiple options for remote control. Basic capabilities for remote assistance come as a standard tool with Windows XP. SMS adds the Remote Tools Client Agent for additional functionality, such as pushing files to a remote client, initiating a chat session, executing a program or running remote diagnostics. There are a number of solution accelerators that Microsoft offers to current users at no cost, including the Desired Configuration Monitoring solution accelerator. This tool helps maintain a consistent configuration across all server roles and hardware types, but it could be used for user configurations as well.

The SMS Extended Security Update Inventory tool is a scanner that helps identify SMS client computers that may need security updates but that can’t be detected by the existing SMS Security Update Inventory tool built on the Microsoft Baseline Security Analyzer. Like the regular tool, the extended tool can locate each applicable update, download it from Microsoft and deploy it using SMS.

Reporting tools have been one of the weak spots in previous releases of SMS. This deficiency should get significantly better with the upcoming release of System Center Reporting Manager 2006. The current version of SMS has a large number of predefined reports but still lacks some of the Web-based reporting and customization ease found in the other products we tested.

For end users Microsoft recently debuted its Data Protection Manager product targeted at solving the problem of data backup. Microsoft Identity Integration Server (MIIS) is another product that would help with user authentication and password resetting, but it isn’t part of the SMS 2003 product. MIIS does offer self-service and help desk-initiated password resetting.

Conclusion

Altiris and LANDesk offer a lot of capabilities that address our user areas very well. Altiris takes more of an à la carte approach to picking and choosing modules to meet specific needs, but LANDesk offers virtually everything we needed in its LANDesk Management Suite. For the most part, Microsoft covers all the bases, but not with the winner’s flair and added capabilities, such as integration with Cisco’s NAC security framework.

Ferrill has been writing about networking hardware and software for almost 20 years. He can be reached at paul.ferrill@verizon.net.

Ferrill is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.