As discussed in the previous blogpost (The Modern Workplace), requirements of today’s end user computing devices have changed significantly. Lets view these developments from a management perspective. In this blogpost we will see why the traditional management approach is not fitting well to modern workplaces and must be reconsidered.
One
significant difference to a traditional workplace is, that a modern workplace
is highly mobile. Today’s workforce is not limited any more to physical office
boundaries or strict working times, but is used to perform their work from any
place and at any time. So, it can’t be expected that modern workplace devices
are reachable on a well known, secure network. Actually, these devices will be
connected to the Internet most of their online time, rather than to an internal
network and the time when they will be online is unpredictable. Management
concepts which rely on push connections from a management server to a device
and require a stable connection for their transmission of messages and software
packages do not really fit into this new scenario.
Another
aspect is the diversity of devices and operating systems. Traditional
management focuses on Windows devices only. However, Windows PCs are only a
part of today’s end user computing device landscape. We see more and more
MacBooks gain ground in the enterprise space. Beside the diversity on the
computer device side, more and more devices with mobile operatring systems (iOS
and Android) are used to perform work and require management.
This all
leads to the following approach differences of management solutions:
Traditional
management
- Actions originates from the management server and are pushed to the endpoints
- Strict control over when things happen where
- Influence of the end user is very limited and actually not welcomed
Modern
management
- Actions are pulled from the device when it is online and can reach the management server
- Control when things happen is based on the end user device
- Most tasks are conceptually based on end user self service actions
I will
now explain these different approaches on some basic examples:
Operating system patching
In a
traditional environment, patches are downloaded from the OS vendor, tested and
placed on a management server for push distribution. By starting the
distribution it is expected that all online end points will receive the updates
immediately, so after a rather short period of time, all end points can be
considered patched.
In a
modern workplace environment, the end points are configured to look for patches
either directly at the vendor or at an internal management server. Whenever new
patches are available the end points will start downloading them based on their
polling interval and configuration, and install them automatically. However,
the polling interval might be several hours and the download of the patches
might be interrupted due to the loss of connectivity and resumed at a later
point in time. Although the patches are finally downloaded and installed, the
exact point in time when this will happen is not predictable. Further more,
there is no way to distribute emergency patches immediately. However, to reduce
patch delays, the polling interval can be reduced – leading to higher network
consumption.
Software distribution
Installing
software on an end user device is strictly controlled, too in a traditional
environment. Applications are pushed down to the device. If mass rollouts are
performed, the push jobs are handled in deployment queues and packages are
directly distributed to the end points. Again, after initiating the
distribution job, it is expected that the task is performed on all online
endpoints immediately without delays.
On modern
workplaces, we have two options on how software is deployed. The mandatory
option would prepare the software for installation. However, the download and
installation will be initiated by the end point rather than the management
server. Depending on the end point’s polling interval, the client will check
for new jobs available on the server, download and install the software if
prepared for it. An exact point in time when this will be happen is not
predictable.
The second option is to offer the software in a self service portal. In this case, the user can decide himself when he will install the software. It’s assumed that the end user can judge best when the time is appropriate as he knows about current connectivity and his further plans and working schedules.
Software updates
Traditionally software updates are pushed out to the end points similar to OS patches or new software installations. On a modern workplace, we also use modern software packages technologies. These new technologies include auto update functionality. The software checks itself for updates and keeps itself up to date without any operator intervention. This is very handy as no effort must be taken for packaging updates and send them out to the endpoints. On the other hand, control is lost when exactly the end point is updating a specific software package.
Bottom
line is, that in a traditional environment, all devices are expected to have
all required changes applied (otherwise a certain distribution is considered
failed and requires investigation). In a modern workplace management
environment the situation is not so easy. The operator can define a so called
“desired state”, but if this state was (already) applied by the end
point can’t be guaranteed. To mitigate risks that arise from the fact that not
all changes were applied yet, the concept of “compliant state” was
introduced. An endpoint is considered compliant when all defined requirements
are met. If there is the requirement of a certain software package or secuirty
patch to be installed this can be configured as a criteria for compliance. As
long as an end point has not installed the patch it is considered uncompliant.
Based on this information access to certain sensible resources can be
restricted.
Summary
While
traditional management is based on strict control, expecting the end points to
be reachable at any time, modern concepts must deal with end points online on
the Internet only now and then. This is why the decisions when things are
performed moved from the management server to the end point. Based on polling
intervals, jobs are collected from the server and fulfilled asynchronosly. To
make sure only end points meeting the required security criterias may access
resources, compliance states can be configured.