Asset management on the move

The same software makers that specialize in desktop PC asset management are answering the call for software dedicated to mobile devices.

Editor's note:The "Handheld Management Suite" sidebar was updated Dec. 13, 2005, at 1:20 p.m. The previous version incorrectly stated that the Altiris Handheld Management Suite costs $92 per node. It actually costs $35 per node, and the Altiris Client Management Suite costs $92 per node.

In the good old days — before personal computers and copy machines — managing information technology assets was pretty much limited to ensuring that typewriters worked and nobody walked out the door with confidential documents stuffed in their jacket. Each new technology, however, presents new capabilities for users and new challenges for IT employees who need to maintain and secure those assets.

The current challenge for IT workers is mobile devices. Asset management programs that have been available for some time make it easy to manage hard-wired networks of servers and desktop PCs. And those solutions have also been adapted to provide at least some of the same functionality for notebook PCs. However, personal digital assistants (PDAs) and smart phones — which often run on proprietary operating systems and might not support standards found on most enterprise networks — present special challenges.

Some managers might prefer to provide end users only with technologies that can be effectively managed. But the popularity of portable devices and their ability to intrude on enterprise networks are forcing IT employees to adapt.

In some cases, users are buying such devices on their own and discovering that they have enterprise client hooks. For instance, some PDAs have the ability to access agency or departmental e-mail servers, so users often pressure IT departments to deploy those features. Furthermore, such devices are useful to federal workers in the field. For example, BlackBerries and camera phones offer powerful mobile tools for a variety of jobs, from law enforcement to emergency response teams.

The challenges of mobility

The fundamental features of asset management are pretty much the same for mobile devices as they are for networked, hard-wired systems: discovery, configuration and software management, help-desk and repair tools, and security.

But integrating those devices into network plans that were designed primarily for stationary, wired clients creates several new wrinkles. Foremost is a pronounced loss of IT control. Users take these devices with them, and it's almost impossible to keep them from being used for more than simple business tasks.

Finally, there's the potential for loss. Lost and stolen notebooks, PDAs and smart phones represent more than a simple loss of hardware dollars because there's the dangerous potential for data loss. Boeing, for example, announced in November that a stolen notebook PC contained personal data on 161,000 employees and contractors.

Fortunately, industry and government leaders are developing best-practice guidelines for managing mobile clients. And the same software makers that specialize in desktop PC asset management are answering the call for software dedicated to mobile devices.

We reviewed the mobile capabilities of three popular desktop asset-management packages: Altiris' Handheld Management Suite, LANDesk Software's LANDesk Management Suite and Novell's ZENworks Suite.

Discovery

The first step in asset management is getting an accurate idea of what already exists in your agency's mobile landscape.

Most asset-management packages, including the three I tested, have similar architectures: A server-based application integrates with a database. We were able to use Microsoft SQL Server for the Altiris and LANDesk products, and MySQL for ZENworks. The applications are accessed via a management console on a separate workstation. Clients are accessed via a variety of protocols, depending on the product. Altiris' and LANDesk's handheld managers can run as stand-alone applications or integrate into the larger desktop management framework each company sells. This approach allows administrators to manage handhelds, notebooks and desktops from a single management console. However, Novell is a little different in that it simply extended its ZENworks Suite capabilities to include support for handhelds.

The three packages include wizards to automate common tasks, including discovery. LANDesk, for example, had a discovery wizard that could search for clients, servers and even network infrastructures. Such a process must be run multiple times for handheld devices, however, because you can never be sure when users will connect new devices. Backing up discovery data with purchasing and client information should give you an accurate idea of what's being used on the handheld front.

The discovery process shouldn't simply tell you who has what, it should also create a complete asset record of installed devices in the application's database with basic configuration information — such as product brand, model name and operating system — and an asset tag number.

I found the asset-management solutions to be pretty effective at discovering PDAs and notebook PCs. But be prepared for oversights: The Novell and LANDesk products successfully discovered both the PDAs on my network, one of which was a Treo Smartphone, but Altiris didn't detect the Treo.

Overall, I found Altiris and Novell products to have a slightly more mature feature set for handheld management than LANDesk, but they all support a wide range of PDA/smart phone operating systems, data encryption and password enforcement. The Novell solution also offers the ability to synchronize PDA and desktop PC passwords.

Configuration and software management

The next major phase of asset management is ensuring that all of the authorized devices are configured according to the organization's policy — that is, IT staff must ensure that the device has properly configured and updated antivirus protection, has properly licensed applications, and is configured to adhere to established security and privacy policies.

All three applications support the creation of operating system images, which makes it easier to deploy configured operating systems. An image is a complete snapshot of a target operating system, configured for a specific device and often a specific duty.

For example, you might have a general Windows XP Professional image with all drivers ready to go for an IBM ThinkPad T42p. But you could have different images for devices configured separately for the accounting and management departments complete with the software applications those jobs require, such as Quickbooks or Goldmine.

Asset-management applications save such images in a server-side library and can then load those images on target devices connected to the network. This is especially helpful in emergency situations. If a notebook PC has an unrecoverable crash or a nasty virus infection, for example, a systems manager could simply access the appropriate image for that device and that user's role, and regenerate the machine with a single mouse click. The loading process might take half an hour, but that's still a huge savings over several hours spent tracking down an infected file.

The exception to the OS image toolkit, for the moment anyway, is handheld devices. None of the tools I tested was able to completely regenerate a PDA or smart phone using an OS image. Reportedly, vendors are working on adding this capability, but no one will say when it might be available. For now, systems administrators need to educate users not to update handheld devices themselves and follow clearly publicized policies regarding which OS versions are appropriate for departmental use.

However, software deployment technology is also used to install new applications, software updates, operating system patches and security updates — and here, PDAs play right along with laptops, which means you can configure your asset-management tool to keep all your mobile hardware in sync with security and licensing policies.

Most administrators prefer to install security patches on a scheduled basis, and all three applications supported this approach for laptops and handhelds. If a device misses a scheduled update because it wasn't connected to the network at the right time, the update is queued and processed the next time the device logs in. What's more, you only need to create a new security update package once, assign a target group and schedule a time, and the asset tool takes care of sending the package to all devices automatically —including handhelds.

An important deployment distinction for mobile management, however, is that such devices, especially handhelds, don't always log in via a fast-wired Ethernet connection. Some users log in on low-bandwidth telephone lines, spotty cellular or public wireless connections, or even piggyback connections when they're syncing to a desktop station via USB, in the case of handhelds. Mobile asset managers must take this into account.

Altiris, for example, can adjust the transmission speed for software updates depending on the connection speed it senses from the client. Should the connection be interrupted during transmission, Altiris saves the transmission data and resumes the transmission as soon as the client re-connects. All three of the test applications had some support for this feature, although I thought Altiris managed it more smoothly.

Full data on which software is installed on all managed devices, including patch levels, version numbers and licensing, must be included in the tool's database record. This is a requirement not only for purchasing (making sure your licenses are up-to-date), but also for compliance reporting data.

Altiris also did a great job of transforming this information into easily analyzed reports, a critical feature for developing and maintaining current security, fair use and licensing policy documentation. LANDesk offers decent reporting tools but is heavily focused on querying the inventory database. Altiris' Web Reports offers similar queries but can extend those to include compliance-specific reports if integrated with Client Manager, which is what you'd use to manage notebooks in this framework.

Novell's Handheld Management does similar reporting to LANDesk's suite out of the box, but when combined with ZENworks' desktop management and eDirectory product, it can probably be extended to do everything Altiris does. It will just require more work than the canned reports Altiris generates.

Help-desk and repair tools

Help-desk, diagnostic and repair tools are important for managing your department's IT assets, but in most cases they are sold separately. In some cases, as with several brands of notebook PCs, diagnostic tools are integrated into the device itself.

Each of the three solutions offers some degree of integration between asset-management and help-desk functions. LANDesk, for example, incorporates help-desk organization such as work requests, trouble ticket assignments and job tracking, and communication in the form of remote control.

All of the features are native to the LANDesk Management Suite, which is recommended as a baseline for LANDesk Handheld Manager. Administrators can manage assets and help-desk tasks from one central console.

ZENworks is more limited because it only has remote monitoring and diagnostics. LANDesk allows an administrator to receive a phone call from a user, immediately see what the user is seeing on the machine and take control of the machine to help resolve what's going on, but ZENworks only sends detailed information to the administrator. To remotely control a target machine, you'd need a third-party program.

Altiris offers a stand-alone help-desk application that is not directly integrated with its asset-management suite. Asset-management data, however, can be used to update Altiris' help-desk application, so help-desk staff have the latest information about what's running in and on target PCs.

Increasingly, device manufacturers are providing built-in tools to help with diagnostics and asset management. Most corporate-oriented notebook vendors now include asset tags with all their desktop and notebook PCs.

For example, look on any Dell PC's Windows Start menu and you'll see a heading for "Dell" that includes an asset number, which is also on the PC's case. Type this number into Dell's Web site, and it will respond with everything Dell knew about the PC when it shipped, including hardware configuration, components and basic software library. You can then use your asset manager to update those records.

Security

Thieves target notebook PCs and PDAs, for obvious reasons, and vendors are responding by producing a wide array of options to help protect portable devices.

First, there are physical devices, such as APC's notebook-ready cable locks. Then there are service Web sites, such as WinLocate.com, that install a background application on designated PCs. The application records and publishes pertinent tracking information to the Web site, including current IP address, the Internet service provider the device is currently using and any geographic locators such as the nearest Internet routers the device has accessed. Combined, this information can be used to track stolen PCs via the Internet. [See "Laptop trackers," Federal Computer Week, Feb. 7, 2005.]

Third-party applications such as SyNET's nTracker perform similar tasks, except they often attempt to have the stolen hardware send this information in hidden messages the next time it is connected to the Internet.

All of these systems are good, but professional thieves can circumvent them. In the future, manufacturers will incorporate radio frequency identification chips into their machines. The service is complex, however, because it must access Global Positioning System data to let authorities know the locations of stolen devices. At the earliest, those systems might be available in late 2006.

In many cases, however, it's the data in the device and not the device that is the real concern. Notebook PCs, of course, can be configured for automatic backups when connected to the network. Handhelds, however, generally require third-party client software for data backups, and they can't be managed centrally by an asset manager.

ZENworks Handheld Management offers a tool that will automatically back up designated data on the handheld device at scheduled intervals or whenever it has a desktop or network connection. That means lost devices still leave behind a copy of the data. I couldn't find a similar feature on Altiris' or LANDesk's tool.

Erasing data from a lost or stolen device is in many cases an even greater concern. Unfortunately, it is not yet a universal feature among handheld or mobile managers. Both Altiris and Novell support a device "self-destruct" feature, which means a device will erase all its data if it is lost or stolen. The self-destruct operation can be triggered by too many incorrect passwords being entered or a text message sent to the device with an appropriate keyword.

Stick to the basics

Effectively managing mobile devices relies most heavily on policies set by agencies and departments. The software tools I tested are only as strong as the management muscle behind them.

Mobile devices need fair-use and security policies, which must include information on which software can and can't be installed on the machines and an ongoing record of acceptable security states for each machine.

Standardization is also important, especially for centrally managing handheld devices. If users are allowed to choose their own, you'll end up with a collection of everyone's favorite PDA toy, which makes central management impossible. There are too many operating systems, too many applications and too many access methods to effectively manage all PDAs. Choose and keep one platform that can meet the needs of all users.

Rist is a freelance technology journalist and president of FB2 Corp., a software development firm.

Handheld Management Suite

Altiris
(801) 805-1105
www.altiris.com

Pricing: The Altiris Client Management Suite costs $92 per node. The Altiris Handheld Management Suite costs $35 per node.

Pros: The suite has good reporting features and comes with remote data security and policy enforcement tools.

Cons: It is fairly expensive and only supports Microsoft Windows for laptop PCs.

Platforms: Windows 98 and XP Pro for laptop and tablet PCs; PalmSource's Palm OS, Research in Motion's BlackBerry and Windows Mobile for PDAs.

LANDesk Management Suite

LANDesk Software
(800) 982-2130
www.landesk.com

Pricing: LANDesk Handheld Manager costs $55 per node. LANDesk Management Suite costs $89 per node.

Pros: LANDesk Handheld Manager is easy to install and has excellent wizard support, a thorough inventory database and strong reporting features.

Cons: Handheld Manager requires LANDesk Management Suite for installation and lacks device-specific security features.

Platforms: Windows 98 and XP Pro for laptop and tablet PCs; PalmSource's Palm OS, Research in Motion's BlackBerry, and Microsoft's Windows Mobile, Windows CE and Pocket PC.

ZENworks Suite

Novell
(800) 529-3400
www.novell.com

Pricing: ZENworks Handheld Management costs $59 per node. ZENworks Suite costs $130 per node.

Pros: ZENWorks Handheld Management offers broad client and server support, and it integrates with directory and identity management services. It can run alone or integrate into Novell's larger asset management suite. It offers strong notebook and handheld security features.

Cons: The installation process is somewhat complex, and the laptop PC clients work better when the full Novell network client is installed.

Platforms: Novell's Open Enterprise Server, SUSE Linux Enterprise Server 9, and NetWare 6.0 and 6.5; and Microsoft's Windows Server 2000 and 2003.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.