Asset management on the move

Editor's note:The "Handheld Management Suite" sidebar was updated Dec. 13, 2005, at 1:20 p.m. The previous version incorrectly stated that the Altiris Handheld Management Suite costs $92 per node. It actually costs $35 per node, and the Altiris Client Management Suite costs $92 per node.

In the good old days — before personal computers and copy machines — managing information technology assets was pretty much limited to ensuring that typewriters worked and nobody walked out the door with confidential documents stuffed in their jacket. Each new technology, however, presents new capabilities for users and new challenges for IT employees who need to maintain and secure those assets.

The current challenge for IT workers is mobile devices. Asset management programs that have been available for some time make it easy to manage hard-wired networks of servers and desktop PCs. And those solutions have also been adapted to provide at least some of the same functionality for notebook PCs. However, personal digital assistants (PDAs) and smart phones — which often run on proprietary operating systems and might not support standards found on most enterprise networks — present special challenges.

Some managers might prefer to provide end users only with technologies that can be effectively managed. But the popularity of portable devices and their ability to intrude on enterprise networks are forcing IT employees to adapt.

In some cases, users are buying such devices on their own and discovering that they have enterprise client hooks. For instance, some PDAs have the ability to access agency or departmental e-mail servers, so users often pressure IT departments to deploy those features. Furthermore, such devices are useful to federal workers in the field. For example, BlackBerries and camera phones offer powerful mobile tools for a variety of jobs, from law enforcement to emergency response teams.

The challenges of mobility

The fundamental features of asset management are pretty much the same for mobile devices as they are for networked, hard-wired systems: discovery, configuration and software management, help-desk and repair tools, and security.

But integrating those devices into network plans that were designed primarily for stationary, wired clients creates several new wrinkles. Foremost is a pronounced loss of IT control. Users take these devices with them, and it's almost impossible to keep them from being used for more than simple business tasks.

Finally, there's the potential for loss. Lost and stolen notebooks, PDAs and smart phones represent more than a simple loss of hardware dollars because there's the dangerous potential for data loss. Boeing, for example, announced in November that a stolen notebook PC contained personal data on 161,000 employees and contractors.

Fortunately, industry and government leaders are developing best-practice guidelines for managing mobile clients. And the same software makers that specialize in desktop PC asset management are answering the call for software dedicated to mobile devices.

We reviewed the mobile capabilities of three popular desktop asset-management packages: Altiris' Handheld Management Suite, LANDesk Software's LANDesk Management Suite and Novell's ZENworks Suite.

Discovery

The first step in asset management is getting an accurate idea of what already exists in your agency's mobile landscape.

Most asset-management packages, including the three I tested, have similar architectures: A server-based application integrates with a database. We were able to use Microsoft SQL Server for the Altiris and LANDesk products, and MySQL for ZENworks. The applications are accessed via a management console on a separate workstation. Clients are accessed via a variety of protocols, depending on the product. Altiris' and LANDesk's handheld managers can run as stand-alone applications or integrate into the larger desktop management framework each company sells. This approach allows administrators to manage handhelds, notebooks and desktops from a single management console. However, Novell is a little different in that it simply extended its ZENworks Suite capabilities to include support for handhelds.

The three packages include wizards to automate common tasks, including discovery. LANDesk, for example, had a discovery wizard that could search for clients, servers and even network infrastructures. Such a process must be run multiple times for handheld devices, however, because you can never be sure when users will connect new devices. Backing up discovery data with purchasing and client information should give you an accurate idea of what's being used on the handheld front.

The discovery process shouldn't simply tell you who has what, it should also create a complete asset record of installed devices in the application's database with basic configuration information — such as product brand, model name and operating system — and an asset tag number.

I found the asset-management solutions to be pretty effective at discovering PDAs and notebook PCs. But be prepared for oversights: The Novell and LANDesk products successfully discovered both the PDAs on my network, one of which was a Treo Smartphone, but Altiris didn't detect the Treo.

Overall, I found Altiris and Novell products to have a slightly more mature feature set for handheld management than LANDesk, but they all support a wide range of PDA/smart phone operating systems, data encryption and password enforcement. The Novell solution also offers the ability to synchronize PDA and desktop PC passwords.

Configuration and software management

The next major phase of asset management is ensuring that all of the authorized devices are configured according to the organization's policy — that is, IT staff must ensure that the device has properly configured and updated antivirus protection, has properly licensed applications, and is configured to adhere to established security and privacy policies.

All three applications support the creation of operating system images, which makes it easier to deploy configured operating systems. An image is a complete snapshot of a target operating system, configured for a specific device and often a specific duty.

For example, you might have a general Windows XP Professional image with all drivers ready to go for an IBM ThinkPad T42p. But you could have different images for devices configured separately for the accounting and management departments complete with the software applications those jobs require, such as Quickbooks or Goldmine.

Asset-management applications save such images in a server-side library and can then load those images on target devices connected to the network. This is especially helpful in emergency situations. If a notebook PC has an unrecoverable crash or a nasty virus infection, for example, a systems manager could simply access the appropriate image for that device and that user's role, and regenerate the machine with a single mouse click. The loading process might take half an hour, but that's still a huge savings over several hours spent tracking down an infected file.

The exception to the OS image toolkit, for the moment anyway, is handheld devices. None of the tools I tested was able to completely regenerate a PDA or smart phone using an OS image. Reportedly, vendors are working on adding this capability, but no one will say when it might be available. For now, systems administrators need to educate users not to update handheld devices themselves and follow clearly publicized policies regarding which OS versions are appropriate for departmental use.

However, software deployment technology is also used to install new applications, software updates, operating system patches and security updates — and here, PDAs play right along with laptops, which means you can configure your asset-management tool to keep all your mobile hardware in sync with security and licensing policies.

Most administrators prefer to install security patches on a scheduled basis, and all three applications supported this approach for laptops and handhelds. If a device misses a scheduled update because it wasn't connected to the network at the right time, the update is queued and processed the next time the device logs in. What's more, you only need to create a new security update package once, assign a target group and schedule a time, and the asset tool takes care of sending the package to all devices automatically —including handhelds.

An important deployment distinction for mobile management, however, is that such devices, especially handhelds, don't always log in via a fast-wired Ethernet connection. Some users log in on low-bandwidth telephone lines, spotty cellular or public wireless connections, or even piggyback connections when they're syncing to a desktop station via USB, in the case of handhelds. Mobile asset managers must take this into account.

Altiris, for example, can adjust the transmission speed for software updates depending on the connection speed it senses from the client. Should the connection be interrupted during transmission, Altiris saves the transmission data and resumes the transmission as soon as the client re-connects. All three of the test applications had some support for this feature, although I thought Altiris managed it more smoothly.

Full data on which software is installed on all managed devices, including patch levels, version numbers and licensing, must be included in the tool's database record. This is a requirement not only for purchasing (making sure your licenses are up-to-date), but also for compliance reporting data.

Altiris also did a great job of transforming this information into easily analyzed reports, a critical feature for developing and maintaining current security, fair use and licensing policy documentation. LANDesk offers decent reporting tools but is heavily focused on querying the inventory database. Altiris' Web Reports offers similar queries but can extend those to include compliance-specific reports if integrated with Client Manager, which is what you'd use to manage notebooks in this framework.

Novell's Handheld Management does similar reporting to LANDesk's suite out of the box, but when combined with ZENworks' desktop management and eDirectory product, it can probably be extended to do everything Altiris does. It will just require more work than the canned reports Altiris generates.

Help-desk and repair tools

Help-desk, diagnostic and repair tools are important for managing your department's IT assets, but in most cases they are sold separately. In some cases, as with several brands of notebook PCs, diagnostic tools are integrated into the device itself.

Each of the three solutions offers some degree of integration between asset-management and help-desk functions. LANDesk, for example, incorporates help-desk organization such as work requests, trouble ticket assignments and job tracking, and communication in the form of remote control.

All of the features are native to the LANDesk Management Suite, which is recommended as a baseline for LANDesk Handheld Manager. Administrators can manage assets and help-desk tasks from one central console.

ZENworks is more limited because it only has remote monitoring and diagnostics. LANDesk allows an administrator to receive a phone call from a user, immediately see what the user is seeing on the machine and take control of the machine to help resolve what's going on, but ZENworks only sends detailed information to the administrator. To remotely control a target machine, you'd need a third-party program.

Altiris offers a stand-alone help-desk application that is not directly integrated with its asset-management suite. Asset-management data, however, can be used to update Altiris' help-desk application, so help-desk staff have the latest information about what's running in and on target PCs.

Increasingly, device manufacturers are providing built-in tools to help with diagnostics and asset management. Most corporate-oriented notebook vendors now include asset tags with all their desktop and notebook PCs.

For example, look on any Dell PC's Windows Start menu and you'll see a heading for "Dell" that includes an asset number, which is also on the PC's case. Type this number into Dell's Web site, and it will respond with everything Dell knew about the PC when it shipped, including hardware configuration, components and basic software library. You can then use your asset manager to update those records.

Security

Thieves target notebook PCs and PDAs, for obvious reasons, and vendors are responding by producing a wide array of options to help protect portable devices.

First, there are physical devices, such as APC's notebook-ready cable locks. Then there are service Web sites, such as WinLocate.com, that install a background application on designated PCs. The application records and publishes pertinent tracking information to the Web site, including current IP address, the Internet service provider the device is currently using and any geographic locators such as the nearest Internet routers the device has accessed. Combined, this information can be used to track stolen PCs via the Internet. [See "Laptop trackers," Federal Computer Week, Feb. 7, 2005.]

Third-party applications such as SyNET's nTracker perform similar tasks, except they often attempt to have the stolen hardware send this information in hidden messages the next time it is connected to the Internet.

All of these systems are good, but professional thieves can circumvent them. In the future, manufacturers will incorporate radio frequency identification chips into their machines. The service is complex, however, because it must access Global Positioning System data to let authorities know the locations of stolen devices. At the earliest, those systems might be available in late 2006.

In many cases, however, it's the data in the device and not the device that is the real concern. Notebook PCs, of course, can be configured for automatic backups when connected to the network. Handhelds, however, generally require third-party client software for data backups, and they can't be managed centrally by an asset manager.

ZENworks Handheld Management offers a tool that will automatically back up designated data on the handheld device at scheduled intervals or whenever it has a desktop or network connection. That means lost devices still leave behind a copy of the data. I couldn't find a similar feature on Altiris' or LANDesk's tool.

Erasing data from a lost or stolen device is in many cases an even greater concern. Unfortunately, it is not yet a universal feature among handheld or mobile managers. Both Altiris and Novell support a device "self-destruct" feature, which means a device will erase all its data if it is lost or stolen. The self-destruct operation can be triggered by too many incorrect passwords being entered or a text message sent to the device with an appropriate keyword.

Stick to the basics

Effectively managing mobile devices relies most heavily on policies set by agencies and departments. The software tools I tested are only as strong as the management muscle behind them.

Mobile devices need fair-use and security policies, which must include information on which software can and can't be installed on the machines and an ongoing record of acceptable security states for each machine.

Standardization is also important, especially for centrally managing handheld devices. If users are allowed to choose their own, you'll end up with a collection of everyone's favorite PDA toy, which makes central management impossible. There are too many operating systems, too many applications and too many access methods to effectively manage all PDAs. Choose and keep one platform that can meet the needs of all users.

Rist is a freelance technology journalist and president of FB2 Corp., a software development firm.