Modern Workplace Management

As discussed in the previous blogpost (The Modern Workplace), requirements of today’s end user computing devices have changed significantly. Lets view these developments from a management perspective. In this blogpost we will see why the traditional management approach is not fitting well to modern workplaces and must be reconsidered.

One significant difference to a traditional workplace is, that a modern workplace is highly mobile. Today’s workforce is not limited any more to physical office boundaries or strict working times, but is used to perform their work from any place and at any time. So, it can’t be expected that modern workplace devices are reachable on a well known, secure network. Actually, these devices will be connected to the Internet most of their online time, rather than to an internal network and the time when they will be online is unpredictable. Management concepts which rely on push connections from a management server to a device and require a stable connection for their transmission of messages and software packages do not really fit into this new scenario.

Another aspect is the diversity of devices and operating systems. Traditional management focuses on Windows devices only. However, Windows PCs are only a part of today’s end user computing device landscape. We see more and more MacBooks gain ground in the enterprise space. Beside the diversity on the computer device side, more and more devices with mobile operatring systems (iOS and Android) are used to perform work and require management.

This all leads to the following approach differences of management solutions:

Traditional management

  • Actions originates from the management server and are pushed to the endpoints
  • Strict control over when things happen where
  • Influence of the end user is very limited and actually not welcomed

Modern management

  • Actions are pulled from the device when it is online and can reach the management server
  • Control when things happen is based on the end user device
  • Most tasks are conceptually based on end user self service actions

I will now explain these different approaches on some basic examples:

Operating system patching

In a traditional environment, patches are downloaded from the OS vendor, tested and placed on a management server for push distribution. By starting the distribution it is expected that all online end points will receive the updates immediately, so after a rather short period of time, all end points can be considered patched.

In a modern workplace environment, the end points are configured to look for patches either directly at the vendor or at an internal management server. Whenever new patches are available the end points will start downloading them based on their polling interval and configuration, and install them automatically. However, the polling interval might be several hours and the download of the patches might be interrupted due to the loss of connectivity and resumed at a later point in time. Although the patches are finally downloaded and installed, the exact point in time when this will happen is not predictable. Further more, there is no way to distribute emergency patches immediately. However, to reduce patch delays, the polling interval can be reduced – leading to higher network consumption.

Software distribution

Installing software on an end user device is strictly controlled, too in a traditional environment. Applications are pushed down to the device. If mass rollouts are performed, the push jobs are handled in deployment queues and packages are directly distributed to the end points. Again, after initiating the distribution job, it is expected that the task is performed on all online endpoints immediately without delays.

On modern workplaces, we have two options on how software is deployed. The mandatory option would prepare the software for installation. However, the download and installation will be initiated by the end point rather than the management server. Depending on the end point’s polling interval, the client will check for new jobs available on the server, download and install the software if prepared for it. An exact point in time when this will be happen is not predictable.

The second option is to offer the software in a self service portal. In this case, the user can decide himself when he will install the software. It’s assumed that the end user can judge best when the time is appropriate as he knows about current connectivity and his further plans and working schedules.

Software updates

Traditionally software updates are pushed out to the end points similar to OS patches or new software installations. On a modern workplace, we also use modern software packages technologies. These new technologies include auto update functionality. The software checks itself for updates and keeps itself up to date without any operator intervention. This is very handy as no effort must be taken for packaging updates and send them out to the endpoints. On the other hand, control is lost when exactly the end point is updating a specific software package.

Bottom line is, that in a traditional environment, all devices are expected to have all required changes applied (otherwise a certain distribution is considered failed and requires investigation). In a modern workplace management environment the situation is not so easy. The operator can define a so called “desired state”, but if this state was (already) applied by the end point can’t be guaranteed. To mitigate risks that arise from the fact that not all changes were applied yet, the concept of “compliant state” was introduced. An endpoint is considered compliant when all defined requirements are met. If there is the requirement of a certain software package or secuirty patch to be installed this can be configured as a criteria for compliance. As long as an end point has not installed the patch it is considered uncompliant. Based on this information access to certain sensible resources can be restricted.

Summary

While traditional management is based on strict control, expecting the end points to be reachable at any time, modern concepts must deal with end points online on the Internet only now and then. This is why the decisions when things are performed moved from the management server to the end point. Based on polling intervals, jobs are collected from the server and fulfilled asynchronosly. To make sure only end points meeting the required security criterias may access resources, compliance states can be configured.