Home


About Network Testing Labs

Contact Network Testing Labs

Independent Reviews of Network Hardware and Software

 

NETWORK TESTING LABS REVIEW

Managing Desktops

 

 

Automating nearly every desktop administration function imaginable for diverse clients, LANDesk wins our Clear Choice award. However, the others were close behind.
By Barry Nance


Desktop (client) computers are just as important as servers – try getting along without client machines for a while. So why not apply the same standards for desktop management as you do for server management? Uptime and availability are as paramount for clients as for servers. Users need properly-configured desktop computing devices to get work done.

The ideal desktop manager is a multi-faceted umbrella that offers a framework of functions. These functions automate several network administration responsibilities. Operating system and application version control (i.e., OS image distribution, OS configuration recovery, remote application installation and patch management) are time-consuming and error-prone tasks for administrators. Asset inventory and management are great candidates for automation. License tracking is important if you want to avoid lawsuits. Remote control access to desktop machines, for either repair or for training, can save travel and time expenses. Backup and recovery of desktop files can save scads of user time. Coordination with an anti-malware tool can ensure all your desktops are protected – desktop security is crucial. The ideal tool should also manage mobile devices, detect USB port usage to alert administrators to the users who bring “memory sticks” into the office, provide both network access control and host-based intrusion detection and periodically report the result of desktop machine vulnerability analyses.

To find out which desktop management tool is best, we invited vendors to submit products to our Alabama lab. Kace sent two appliances, the KBox 1200 and KBox 2100. LANDesk shipped us its LANDesk Management Suite 8.8. Novell sent us ZENworks 10.0, and Symantec submitted its Total Management Suite 6.5 and Security Expressions 4.0, along with a copy of the Endpoint Protection 11.0 anti-malware tool. From their Web sites, we downloaded ScriptLogic’s Desktop Authority 7.7 and Aagon’s ACMP 3.3. The other vendors we invited declined to participate for a variety of reasons. Some were between versions, while others didn’t want to compete because their products didn’t offer features in each and every category we wanted to test.

LANDesk Management Suite’s rather comprehensive framework of desktop functions and supported client platforms earned the vendor our Clear Choice award. However, while LANDesk Management Suite bested the competition in this review, the margin was not overwhelming. Aagon’s ACMP gave us excellent asset inventory, license tracking and remote control. The Kace appliances were easy to set up, Novell’s ZENworks’ central console runs on either Windows or Linux, Symantec’s Total Management Suite offered both highly productive application deployment and security features and ScriptLogic’s Desktop Authority was very good at application deployment.


LANDesk Management Suite
LANDesk gave us virtually everything we wanted in desktop management – and more. Its asset inventory scans were quick, accurate and unobtrusive. The remote control feature gave us seamless, transparent access to any desktop machine in the organization. LANDesk Management Suite successfully delivered and configured application software packages (either initial installs or patch updates) to Windows, Linux and Mac clients. Operating system upgrades, service pack installations and security patch deployments were a breeze. Backing out service packs and security patches was similarly easy. It correctly and easily monitored our software licenses. LANDesk Management Suite monitored, updated and configured the LANDesk anti-malware component, but, unfortunately, LANDesk doesn’t support the monitoring and configuring of third-party anti-malware tools.

LANDesk Management Suite also includes DHCP Network Access Control (NAC), which integrated closely with Cisco devices’ NAC implementations on our network. LANDesk’s Host Intrusion Prevention System (HIPS) did an adequate but not perfect job of alerting us to the external threats with which we confronted it.

LANDesk Management Suite efficiently and accurately discovered our network and deployed agents to our Windows NT/XP/2000/2003/Vista clients via an easy-to-use wizard-guided console push operation. For Windows 95 and 98, we used login script entries, while for other clients (Mac OS X, Linux, etc.) LANDesk Management Suite we directed local network administrators to visit each client to run the agent install tool. Impressively, LANDesk’s agent watcher restarted the agents on the clients when, for example, “power users” attempted to end the agent processes on a client machine.

LANDesk Management Suite consists of one or more Core servers, a console (user interface), a Web server (for browser-based access to administrative functions), a Core database and a Core Rollup database. A Core server is the center of a management domain. All the key files and services for LANDesk Management Suite are on the Core server. The Core database stores desktop management detail, while the Core Rollup database summarizes data from multiple Core databases. The Core Rollup database, which is optimized for queries, is the source of report data requested through the Web browser interface. A small organization might choose to run all these components on a single server, but enterprises should run each one, especially the core server and database, on dedicated servers.


LANDesk Managment Suite’s user interface is intuitive and easy to navigate. For tasks that would otherwise be complex and subject to possible setup errors, LANDesk supplies a set of wizards. Even though we were new to LANDesk Management Suite, these wizards made the administration of our desktop machines foolproof and painless. The comprehensive and thoughtfully-designed Web server-based user interface allowed us to perform LANDesk actions from anywhere on the network.

We also tested LANDesk’s Management Gateway, a useful appliance that encrypts and forwards desktop managemenLANDesk Managment Suite’s user interface is intuitive and easy to navigate. For tasks that would otherwise be complex and subject to possible setup errors, LANDesk supplies a set of wizards. Even though we were new to LANDesk Management Suite, these wizards made the administration of our desktop machines foolproof and painless. The comprehensive and thoughtfully-designed Web server-based user interface allowed us to perform LANDesk actions from anywhere on the network.

We also tested LANDesk’s Management Gateway, a useful appliance that encrypts and forwards desktop management traffic from subnet to subnet so that we didn’t have to reconfigure our firewalls to specially allow that traffic.

LANDesk Managment Suite runs on Windows Server 2000/2003. It can use the Microsoft Data Engine (MSDE) to store data for fewer than 100 clients, but larger organizations will need to separately license one of the relational databases that LANDesk Management Suite can work with, either SQL Server or Oracle.

Supported client platforms include handheld devices running Java, Palm or Windows Mobile; embedded devices running Wyse, HP or Teklogix; Neoware and Capio One devices running the Windows CE image; desktops and laptops running Windows, Mac OS, HP-UX, IBM AIX, Mandrivia, Novell NetWare, Linux and Solaris.t traffic from subnet to subnet so that we didn’t have to reconfigure our firewalls to specially allow that traffic.

LANDesk Managment Suite runs on Windows Server 2000/2003. It can use the Microsoft Data Engine (MSDE) to store data for fewer than 100 clients, but larger organizations will need to separately license one of the relational databases that LANDesk Management Suite can work with, either SQL Server or Oracle.

Supported client platforms include handheld devices running Java, Palm or Windows Mobile; embedded devices running Wyse, HP or Teklogix; Neoware and Capio One devices running the Windows CE image; desktops and laptops running Windows, Mac OS, HP-UX, IBM AIX, Mandrivia, Novell NetWare, Linux and Solaris.


Symantec Total Management Suite and Security Expressions
If you’ve already made a Symantec anti-malware tool (Endpoint Protection, for example) part of your IT environment and are looking for a good desktop manager that integrates well with the anti-malware tool, Symantec’s acquisition of Altiris may be good news for you.

The Symantec Total Management Suite discovery process was quick and accurate. It used IP address ranges, domain names or computer names that we specified in order to locate client machines. Installation of Total Management Suite agents on clients (termed agent rollout by the vendor) via the central console’s push function was a breeze. Using the console’s list of discovered desktop PCs, we only had to pick the management functions we wanted to enable, such as remote control, application usage tracking, patch management, asset inventory and application deployment, and then select the clients to receive the agents. We also noted that we could add management functions to agents later, if we wished.

Asset inventory and management was always accurate and up-to-date. We liked the database relationships that Total Management Suite set up for asset details. These relationships let us explore the database to find out, for instance, which of our desktop clients used AMD CPU chips.





Application deployment was a strong suit for Symantec Total Management Suite. We used its Wise Package Studio component on the Notification Server to productively build application images for distribution, and the Deployment Solution rapidly transferred the applications to our chosen clients. We also used the Software Virtualization Solution to deploy applications in a virtualized client environment. This client environment gave us the ability to enable or disable a specific application, and the virtual execution world kept the application from conflicting with or altering a client’s base Windows configuration. And we appreciated the PC Transplant Pro component’s allowing us to migrate one machine’s files and configuration to another machine.

Remote control, via the venerable Carbon Copy utility that Symantec acquired from Intel, was a straightforward and unsurprising. The Altiris vulnerability analysis tool, Security Expressions, did an excellent job of examining our desktop PCs for potential security problems.

Total Management Suite’s Notification Server, the heart of the product, uses plug-ins called Solutions – such as Deployment Solution, Software Virtualization Solution, Carbon Copy Solution, Inventory Solution and Patch Management Solution – to perform desktop management functions. Symantec recommends using SQL Server, which you need to separately license, as the desktop data repository for all but the smallest companies. Notification Server runs on Windows Server, and clients must run Windows. However, Deployment Solution can distribute both Windows and Linux OS images.


Novell ZENworks
ZENworks is a solid, mature desktop manager with several useful features. Its asset inventory process gathered myriads of detail about our Windows, Mac OS X and Linux clients, and it even collected data from our NetWare, AIX and Solaris servers. Novell says its inventory function also supports HP-UX, which we didn’t test. Novell further says the other, non-inventory ZENworks functions only support Windows clients.

ZENworks’ deployment of application software packages, via the ZENworks agent we pushed onto our Windows clients, worked well. We were impressed by ZENworks’ ability to deploy not only the application but also any other software components the application might depend on (the vendor terms this Application Chaining). For instance, for application packages needing a particular version of the Internet Explorer browser, ZENworks distributed the correct browser version as part of the application deployment. For the other products we reviewed, we had to include the other software components as part of the application image we wanted to deploy. We could even use ZENworks to convert legacy applications to MSI format for easy deployment via ZENworks. Similarly, ZENworks’ patch manager did an excellent job of making sure each of our clients had the appropriate security patches applied.





ZENworks’ remote control feature was a joy to use. It let us hide operations on the remote machine from the machine’s user, if we wished, and it gave us a special remote diagnostics mode in which we examined the machine’s system information, ran diagnostic programs and edited the machine’s registry. For after-hours application deployment, the remote control feature also has remote wake and integrated wake-on-LAN that we used to make our application installations a truly unattended affair.

At our behest, ZENworks installed its Preboot Execution Environment (PXE) on our clients. Via PXE, we set up scripts that automatically saved (or, if we wished, later restored) file-oriented images of each machine’s hard drive. We thus ensured that we could always revert a desktop PC to a known-to-be-good working state. The result worked well and saved us from many a (simulated) thumb-fingered user error.

The ZENworks user interface is the Control Center management console. It wasn’t terribly intuitive to use, but, once we got the hang of it, we found Control Center responsive and well-organized. We also used Novell’s Web-based ZENworks interface, which offers many of Control Center’s functions via a browser window.

ZENworks’ central console runs on Windows Server or Linux. Novell bundles a perfectly adequate Sybase SQL Anywhere relational database with ZENworks, and we also successfully tested the storage of ZENworks data in Sybase Adaptive Server and Microsoft SQL Server databases.


Kace KBox 1200 and KBox 2100
The easy-to-set-up Kace appliances subsumed a number of our most onerous desktop management chores, and we found that the two Kace appliances complemented each other nicely. The model 1200 device handled software deployment, OS patch management, asset management, license tracking and vulnerability scans. The 1200 also included a helpdesk feature for issuing and tracking trouble tickets. The model 2100 deployed entire OS images to our desktops.

Both Kace models feature a Web browser user interface for ongoing use. However, installation required the temporary attachment of a keyboard and a monitor so we could assign a local IP address. The browser-based interface took some getting used to, but was otherwise unremarkable. We noted that the appliances’ administrative interfaces let us delegate different functions to different people, according to roles we set up. The grouping of managed clients, termied labeling by the vendor, is flexible enough to allow a client to be in multiple groups – if we wished.

Pushing agents to our Windows clients was simply a matter of supplying an IP address range to the KBox 1200. We installed non-Windows clients “by hand,” via the 1200’s Samba file server sharepoint. The model 1200’s desktop management functions worked well with diverse client platforms: Windows, Mac OS X, Solaris and Linux.




The KBox 1200’s inventory of our clients was quick and accurate. We especially liked the way its asset management and license tracking features let us relate those assets and licenses to particular organizational groups (such as departments or divisions of a company). When we set up a “per use” license (as opposed to a “per seat” license), we were able to use the 1200’s software metering feature to ensure that we didn’t exceed the usage threshold specifed in the license. The model 1200 flawlessly distributed and later upgraded a number of applications across our network, and its patch management kept our Windows and Mac clients perfectly up to date. The unit’s vulnerability scan, which is based on the Open Vulnerability and Assessment Language (OVAL), is closely integrated with patch management.

The 1200’s helpdesk feature is rudimentary but adequate. We could use the browser interface to enter trouble tickets, or we could e-mail the trouble ticket data to the 1200. The appliance let us assign the tickets to administrators, track their progress and, when we wished, escalate problems.

The KBox 2100 made the provisioning of our clients with OS images fairly easy, but the unit could manage the transmission of only about 15-20 concurrent images. The box’s user interface included guidance to help ensure the right OS image goes to the right machine, and the appliance maintained what the vendor terms K-images to represent our complete, ready-for-deployment file-oriented OS images. The KBox Deployment Console, part of the Web GUI, gave us editing tools that we used to make each OS image contain exactly the files we wished. We used the KBox 2100 to successfully instantiate several Windows- and Linux-based OS images to clients. The model 2100 doesn’t support the deployment of other OSes.


ScriptLogic Desktop Authority
The Desktop Authority repertoire of management functions we tested included hardware and software inventory, application deployment, remote control, patch management and centrally-controlled desktop configuration. Desktop Authority watched for USB port usage, it came with (and was tightly integrated with) an anti-spyware tool and it optionally added firewall functions, such as Network Address Translation, to each of our desktop machines. Additionally, at our behest, Desktop Authority powered down client PCs, regardless of whether users were logged on to the PCs.

Desktop Authority’s asset inventory collected useful data, but we found that the other products did a better job of both collecting and presenting that data. Desktop Authority’s forté was its ability to deploy and configure application software packages across our network. Desktop Authority MSI Studio, which was closely linked to the application deployment function, made quick work of creating a distributable application package. Deploying the package required only that we select the client targets and click to trigger the automatic distribution. Particularly noteworthy was Desktop Authority’s ability to not only configure each client machine at application deployment time but also refresh that client’s configuration periodically, at intervals we could set, to ensure that our corporate standards and security policies were always enforced. As a nice touch, we could – if we chose – allow users to defer the installation of updates or the associated reboot of the client PC following an application package deployment.


Each Desktop Authority agent consisted of several components: Anti-spyware, patch management, USB port watcher, client services and network communications. Installing agents on desktop clients required changing logon scripts, so that Desktop Authority could take control of the client during the logon process. Desktop Authority did not offer us an agent push option.

ScriptLogic says that its Remote Management feature requires a Java-enabled browser supporting 128-bit encrypted SSL. We found that Desktop Authority’s remote control, when hard-pressed to keep up with a barrage of activities, faltered somewhat and lacked the crisp responsiveness we expected.

If you have users who log on to different client machines from time to time and yet want a consistent Microsoft Exchange e-mail experience, you’ll welcome Desktop Authority’s ability to manage Exchange profiles. Desktop Authority automatically created mail profiles for our users as they roamed from PC to PC.

Desktop Authority’s server component runs on Windows Server, while client desktops can run Windows 95/98/ME/NT 4/XP/2000/2003. The USB port usage detector worked only with Windows 2000 and Windows XP (exactly as the vendor claims). Having more than about 50 clients means you’ll need to separately license SQL Server to use as Desktop Authority’s client data repository.


Aagon ACMP
ACMP gave us a basic set of desktop management functions, but the tool lacked a number of significant features. As we explored ACMP, we found no support for OS deployment and configuration, no vulnerability threat analysis and no intrusion detection capability. Moreover, ACMP’s network discovery feature sometimes missed clients it should have seen. ACMP also exhibited an awkward user interface.

ACMP’s agents did an excellent and accurate job of enumerating a wealth of detail regarding each client. The resulting asset inventory would’ve put a smile on the face of even the most critical company auditor. ACMP’s distribution of software and patches, along with its monitoring of licenses, made quick and painless work of ensuring that each client had the right version of each application and that each client was licensed to run that software. Its remote control feature was a delight to use, and, for the sake of security and simplicity, it even let us optionally hide our remote-access command sessions from the foreground user. ACMP also did a good, consistent job of ensuring that each desktop PC had the screen, registry and application configurations that we chose to enforce across the network.

ACMP’s security monitor component successfully tracked the anti-virus activities of products from F-Prot, FSecure, McAfee, Symantec and Trend Micro. ACMP started and stopped F-Prot, McAfee, Symantec and Trend Micro AV services, and its ability to distribute AV configuration settings worked only with Symantec’s Endpoint Protection product.

ACMP’s discovery process identified clients in a manner reminiscent of Windows’ “Network Neighborhood” folder. We were disappointed to find ACMP missed some of the clients on the network.



ACMP’s modules include ACMP Pro, the base client management component, SWdetective, which performs software inventory and license management and AVdetective, which controls third-party anti-malware products.

ACMP allowed us to create named groups and put users into these groups in whatever ways we wanted. ACMP uses a container metaphor to denote the groupings of users.

For virtually every operation we wanted to execute in the central console, ACMP forced us to first perform a query. The query, which thankfully we could save from operation to operation, produced the list of clients we could work on. We found this paradigm to be an awkward and unproductive obstacle to managing our clients. Furthermore, sorting on-screen report columns involved dragging and dropping the column header into a special screen area rather than simply clicking on the column header. To its credit, we were able to delegate specific ACMP administrative tasks to particular users.

Installing ACMP’s agents on client machines is accomplished by using the central console’s “push” feature or by visiting each client to individually run an agent installer. The “push” feature worked well for NT-based OSes (NT/XP/2000/2003/Vista), but it required that the central console have successfully identified the target client PCs via the client discovery function. For Windows 95 and 98, inserting entries into login scripts worked best.

A surprising Aagon restriction says ACMP’s central console needs Windows NT 4.0 with Service Pack 5 and clients must be running Windows 95. However, we found ACMP clients could also run Windows XP/NT/2000/2003/Vista. For more than 50 clients, ACMP requires that you separately buy Microsoft SQL Server. In contrast to the documentation of other products we reviewed, Aagon’s user manual was quite sparse. It also suffered from German-to-English translation problems.


Conclusion
LANDesk Management Suite only narrowly beat out the competition in this review, and we think each of these desktop managers is worth a close look. Each has its strengths and its supported client platforms.

If a simple-to-install appliance appeals to you, if your clients are mainly Windows-based and if you’re primarily interested in asset management and license tracking, then the Kace units may be in your future. If you want a desktop manager that integrates with Symantec’s Endpoint Protection desktop-based anti-malware tool (and is likely to integrate even more tightly in the future), the vendor’s Total Management Suite is a good choice. Aagon’s ACMP is very good at asset inventory and management, and ScriptLogic’s Desktop Authority excels at deploying and configuring applications. Because its central console runs equally well on Linux or Windows, we feel Novell’s ZENworks is appropriate for predominately Linux-based shops.



Net Results
LANDesk Management Suite 8.8
Score: 4.5
Company: LANDesk (an Avocent subsidiary)
www.landesk.com
Cost: $89/user
Pros: Diverse client support; intuitive user interface
Cons: Doesn’t integrate with third-party anti-malware products

Total Management Suite 6.5 and Security Expressions 4.0
Score: 3.8
Company: Symantec
www.symantec.com
Cost: Starts at $203.80/node
Pros: Excellent network discovery and application deployment
Cons: License tracking is feature-sparse

ZENworks 10.0
Score: 3.8
Company: Novell
www.novell.com
Cost: $225/user for Enterprise version
Pros: Application deployment, OS image deployment, superlative remote control
Cons: Unintuitive user interface

KBox 1200 and KBox 2100
Score: 3.7
Company: Kace
www.kace.com
Cost: KBox 1100 starts at $9900 for 100 nodes, KBox 2100 starts at $4900 for 100 nodes
Pros: Easy set up; good asset management and license tracking
Cons: User interface isn’t intuitive; the 2100 can handle only 15-20 concurrent OS image deployments

Desktop Authority 7.7
Score: 3.4
Company: ScriptLogic
www.scriptlogic.com
Cost: $39/seat, plus $10/seat each for USB port security, patch deployment and anti-spyware
Pros: Impressive application deployment and configuration
Cons: Asset inventory and license tracking too rudimentary; remote control was sluggish at times

ACMP 3.3
Score: 3.4
Company: Aagon
www.aagon.com
Cost: - $26.00/user for ACMP Pro (for 1000 or more users)
Pros: Good asset inventory
Cons: Network discovery missed some clients; poor documentation; awkward user interface


Scorecard

 

Asset inventory

 
(20%)

License tracking

 
(20%)

OS, application and patch diistribution

(20%)

Anti-malware tool integration

 
(10%)

Other features

 

(10%)

Ease of Use

 
(10%)

Installation and Documentation

 
(10%)

 Total

Score

LANDesk Management Suite 8.8

5

5

5

3

4

5

3

4.5

Symantec

Total Management Suite 6.5 and Security Expressions 4.0

5

3

5

3

3

3

3

3.8

Novell

ZENworks 10.0

4

3

5

3

5

3

3

3.8

Kace

KBox 1200 and KBox 2100

5

5

3

3

4

3

4

3.7

Script Logic

Desktop Authority 7.7

3

3

5

3

3

3

3

3.4

Aagon

ACMP 3.3

5

3

3

5

3

2

2

3.4


How We Did It
Virtually all our testing took place across 512 kb/s frame relay, T1 and T3 WAN links. The testbed network consisted of six Fast Ethernet subnet domains routed by Cisco routers. Our lab's 150 clients used computing platforms that included Windows NT/98/2000/2003/ME/XP/Vista, Red Hat Linux and Macintosh OS X. AIX and Solaris computers were also part of the network. The relational databases on the network were Oracle 8i, IBM DB2 Universal Database, Sybase Adaptive Server 12.5 and Microsoft SQL Server 2005. The network also contained three Web servers (Microsoft IIS, Netscape Enterprise Server and Apache), three e-mail servers (Exchange, Notes and Sendmail) and two file servers (Windows 2003 Advanced Server and Netware).

A Compaq Proliant ML570 computer with four 900 Mhz CPUs, 2G bytes RAM and 135G-byte hard disks, running  Windows 2000 Advanced Server, Windows 2003 Advanced Server and, at other times, Red Hat Enterprise Linux, was our test platform for all the products’ server components.


We assessed each product in the following areas:

Asset auditing and inventory management
Operating System deployment and configuration
Virtual machine management capabilities
Software license monitoring
Software distribution and patch management
Remote control capabilities
Mobile device management
Network access control capabilities
Desktop vulnerability threat analysis
Host-based intrusion detection
Virus detection and removal, or management ties to a third-party AV product
Spyware detection, removal and blocking, or management ties to a third-party anti-spyware product
USB Device management
Backup and recovery features



Copyright © 2012 Network Testing Labs


  
Home

About Network Testing Labs

Contact Network Testing Labs