System management appliance improves school's software deployment

A network manager looking to refresh 200 desktop computers sought out a product that combined patch management, asset management and software deployment in one box.

It was a project to refresh 200 desktop computers at St Hilda's Church of England High School in Liverpool that drove network manager Lee Ellis to look for a better way of managing his systems.

That was in 2007, and it took three weeks to get the machines properly configured and the right software installed, using tools that had clearly ceased to be adequate for the job.

At the time, he and his team of two technicians relied on WinInstall to deploy software to a total of 300 desktop machines and a further 180 laptops, but the DOS-based tool was limited to batches of 10 machines at a time. "We needed a tool that would at least allow us to update an ICT suite of 30 to 32 machines in one go," Ellis said.

Ellis looked at upgrading to a more powerful version of WinInstall, which he said was quite expensive and in tests failed to deliver what he wanted. "We found that reporting on the machines that did not complete set tasks was very poor. If we tried to upgrade 30 computers, it might tell us five had failed, but it didn't say what they failed on. And it wouldn't tell us which applications had deployed successfully and which hadn't."

It was intended to be a product that could run at off-peak hours overnight, but the unreliable results made it impractical. "When we tested it, we'd have two-thirds of the computers that had rebuilt the OS, but of those, you might have 80% that installed the applications, and then you had some machines that were still sitting there with a DOS screen, having done nothing. It was a mess," Ellis said.

He then briefly examined a number of virtual desktop products which would allow software to be managed from a server and would therefore be easier to manage. "There were some nice benefits to that approach, but in the end we decided to stick to what we knew and do our physical installation," he said.

It was around this time that he came across KBOX, a system management appliance from the U.S. vendor Kace Networks Inc., which was only then dipping a toe into the U.K. market. A prolonged evaluation of the product convinced Ellis that it would not only solve his immediate problem of keeping machines properly configured, but it could also save money by replacing other software tools he was using.

The KBOX 1000 was installed just before a further 160 new machines were due to be introduced, all of which needed up-to-date system images. The process this time took just two days, and required no manual follow-up.

The system has not only allowed him to retire WinInstall, but it has provided savings from some other sources, too. Ellis had been using the HFNetChk tool from Shavlik Technologies LLC to carry out patch management, but now the KBOX administers that as well, although he admits "it lacks a few of the niceties of some other patching solutions."

Kace said that with its new version 4.3, which Ellis eagerly awaits, patch management and remediation (enabled by an OEM deal with PatchLink Corp. and Lumension Security Inc.) will provide the necessary improvements.

Software asset management had been handled using Visual Audit Pro from Visionsoft Ltd., but that too is now redundant with KBOX, which also does software metering. The metering function allowed Ellis to see what packages are not being used and to remove them.

A final saving comes from the help desk functions incorporated in the KBOX. Ellis said the school had been looking at some expensive packages to handle help desk functions, but that is now one investment he will not have to make.

The main benefit, however, comes from being able to manage the PC estate centrally. Combining KBOX facilities with Microsoft Active Directory, Ellis is able to deploy different software to different rooms in the school, using a system of labels that link machines to a certain room. This means that if they need to rebuild a machine from scratch, the whole process can be done automatically with the machine being assigned to the right domain, and then being installed with the software that is associated with the room where it is located.

"With WinInstall, if software wasn't packaged in an MSI file, we had to package it up ourselves because it would not deploy executables. With KBOX, we can have a choice: we can deploy from an executable, we can create a batch file to call the installation; we have multiple ways to do the installation. It works very well," he said.

"It is much easier than before. When we needed a test machine, we had to package it all up into an MSI file then deploy it as an MSI package, and make sure it was not conflicting with anything else. Now I can just use the manufacturers' executables setup and just call it as a silent install. It works, and it's saved us an awful lot of time."

Not that Ellis is completely happy with KBOX. The patching, as he said, leaves much to be desired, although the next version, 4.3, promises to solve that and other shortcomings. "We are waiting for the next version of KBOX to come out to help us fix a few things -- mainly around the scheduling side," he said. "At the moment, it decides to run things whenever it wants rather than when it's supposed to. That has caused us a few problems with messages going out at the wrong time, and computers getting shut down at the wrong time."

He also hopes that the next version will enable him to schedule automatic shutdown of systems at night, which will offer further energy cost savings.
