So how do you manage remote users?
According to reader experts
You the Expert
We set you a challenge to join our expert panel and answer questions from our readers on how to deal with your desktop and mobile desktop environments.
This week we've got the first of what promises to be regular installments on this topic. We welcome the first contribution from our resident reader experts, Adam Salisbury and Trevor Pott.
You can read their advice, along with advice from Intel and Freeform Dynamics, below.
The question this week is:
How can I manage remote users better, particularly roving users who are only connected to the network on a sporadic basis?
Name: Adam Salisbury
Job Title: Infrastructure Support Engineer
Managing remote users has been, and probably always will be, a major challenge to any business, even with today’s high speed home broadband offerings and ever improving secure remote access solutions. While the challenges of managing dial-up sales users were limited remote access and support, and limited opportunities to regularly update the OS and installed applications, now there are more updates than ever and more demands for more of the resources previously confined to the corporate network.
It should go without saying that the key to successful remote user management is a rock solid remote access system, and there is a huge range to choose from. Invest in remote access tokens to authenticate your mobile workforce and develop and maintain a well thought out rules-based access policy. Resist the urge to merely adopt an ‘Any, Any, All’ policy no matter how secure you feel you are with your access tokens and SSL VPN. You should also invest the time in developing good end-point checking too, and make sure the corporate AV can get its updates in the wild if users aren’t connected to the corporate network.
Software update management software is another solid investment to maximise the efficiency and quality of service provided to your roaming workforce. Keep them as fully updated as possible at all times to avoid diminishing performance and reliability, and to maintain as secure a platform as possible. Mobile users are those most likely to become a victim of an outbreak or vulnerability just by virtue of being mobile, hence as much as possible should be done to maintain their systems as they travel around, and to actively engage in a preventative maintenance strategy on the occasions they do grace the office with their presence.
Encrypt those notebooks. This is an obvious but often overlooked security measure, and not just by the SMBs of the world either; I’ve worked for a “five nines” managed service provider who didn’t have a mobile worker encryption strategy. Few encryption tools these days present the system with a tangible performance overhead, and more and more systems ship with SSDs, so that difference will narrow even further. Go for a good product which incorporates full device control: the ability to secure USB sticks, CDs and DVDs.
One of the biggest challenges for managing remote users is, or at least has been, how to keep data backups. It is getting far easier to tunnel into the LAN and allow users access to network shares, intranets and CRM systems. But the user with their last four years of work sat on the C: drive is still out there, as are the users carrying their own weight in email in PST files. Having enough secure, accessible and available storage on tap for user backup can be costly, but is it more costly than the million-pound bid that got away after your top salesman dropped his laptop?
Review your group policy (or equivalent); too loose and you risk a horde of malware infected systems, perhaps even embarrassing or costly data leakage, but too restrictive and the service desk will be swamped as the mobile masses log cases for printer installations and firewall exceptions. There is a myriad of solutions and configurations out there; some will work and some will be non-starters. Find the ones that fit and embrace them.
Name: Steve Cutler
Job Title: Technical Marketing Manager, End User Solutions, Intel®
If you have Intel® vPro™ technology systems you can start using a technology in the platform called Active Management Technology (AMT). AMT gives you a separate management engine in the platform which can communicate with your management console out of band from the main operating system. This means you have remote management capabilities whether the OS is running or not, and even if the system is powered off.
There are several options. A laptop still within the company environment (firewall) can be accessed and managed using AMT in the same way as a desktop client. A laptop outside the company will again be picked up in the same way as a desktop and required maintenance tasks can be carried out the next time it accesses the company intranet.
The third situation is to use the vPro™ feature known as “Fast Call for Help”, in which the user can hit a button on the laptop or use a special key combination to cause the management engine in the vPro™ system to “call home” for help from the company support desk. Once the connection is made to the company management console, it can again be managed as if it was internal to the company. The only difference is that the connection request was initiated by the client. In particular this means remediation features such as Serial over LAN and IDE Redirection are available to help the support desk diagnose and correct problems with the end user's system.
If you do not have vPro™ systems in your laptop fleet, investigate the remote access solutions available, starting with Windows Remote Desktop/Remote Assistance. There are also third party products that will allow a support desk engineer to take control of a remote user's system to diagnose and correct many problems. See what options there are in the client build to provide localised diagnostic tools, such as a separate maintenance partition on the disk. This would help mitigate the worst case failure where a key OS file is damaged or for some reason a network connection cannot be made.
Great idea: have the data hosted somewhere where internet access is required at all times (no offline working), reliant on a 3rd party (security, downtime...?) and then pay for it too. Google and Danger/Microsoft both showed that the cloud has its place, but not for day-to-day business work as the main source.
Locked down hardware and websites that can be accessed (as well as a few other restrictions) via LOCAL Group Policy. Machine runs Vista with auto updates turned on, AV gets DATs from the internet at 3pm daily and is encrypted with TrueCrypt.
Had Word, PowerPoint and Excel installed locally.
Juniper SA series device for SSL VPN. However we don't use the VPN side of it, just use it as a Citrix, WebDAV and web proxy. Authenticates users with RSA tokens against AD and checks for keylogging viruses, scans to ensure AV DATs are up to date and that it has recent Windows patches.
Once logged in, if the user is running the site from our company hardware (checks AV and a reg key) then they can download files/folders via WebDAV, access internal and external websites (via a proxy of course!) and can fire up a full Citrix desktop (or just the odd app). Provides the ability to download files for offline working (only if it's our laptop though) and end users can even print to their local printer from Citrix. No VPN used and it's all over SSL.
Once a user is in Citrix we can shadow, but if they can't get that far we use a "Secure Meeting" (think WebEx but hosted on the Juniper SA appliance) and the users have a shortcut to the URL from their desktop.
All done via SSL. We lock down the hardware that can be plugged into the laptop, and disabled CD/DVD burning too via GPOs. AV updates daily, and Windows Updates are automatic. Full drive encryption. Gateway requires RSA token for authentication. We block all sites other than a couple for testing, the gateway and the big-name wifi providers that have a payment page, by putting in a fake proxy in IE and locking it down. Users can only download data to the local machine if they have the right registry keys and are using our AV. Gateway checks for AV version, independently checks for keyloggers and also has a cache cleaner too.
Users can access the remote site from any Windows PC that either has Java or on which they have admin rights. Therefore, should they have a problem with their PC, they can use any other internet enabled Windows PC to get to a full Citrix session. Can also print to any local printer...!
Users also have encrypted work mobile phone that has push-email enabled.
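The gateway logic described in the post above, together with Adam Salisbury's advice on end-point checking and a rules-based access policy rather than "Any, Any, All", can be sketched as a small policy engine. This is an added example and is not code from the original page, from the Juniper SA appliance or from any vendor: the posture fields, thresholds, tier names, destination networks and sample hosts are all assumptions constructed for the illustration.

```python
"""Endpoint posture check feeding a rules-based access policy.

Added illustration for the advice above; not code from the original page,
the Juniper SA appliance or any vendor. The flow modelled on the posts is:
validate the token, check AV signature age, patch age, a corporate registry
marker, disk encryption and a keylogger scan, then grant a tier of access.
Each tier maps to an explicit destination list instead of an 'Any, Any,
All' rule. All names, thresholds and sample hosts below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Posture:
    """What the gateway learns from the host checker (assumed field set)."""
    hostname: str
    av_vendor: str              # AV product reported by the client
    av_dat_date: date           # date of the installed signature (DAT) set
    last_patch_date: date       # most recent Windows update installed
    corporate_reg_key: bool     # marker registry key present on managed builds
    disk_encrypted: bool        # full-disk encryption active
    keylogger_detected: bool    # result of the gateway's own keylogger scan
    token_ok: bool              # one-time token validated against the directory


# Policy thresholds: assumed values, tune to the organisation's cadence.
MAX_DAT_AGE = timedelta(days=2)
MAX_PATCH_AGE = timedelta(days=30)
APPROVED_AV = {"CorpAV"}


def classify(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return (tier, reasons). Tiers: 'deny', 'citrix' (session only), 'full'."""
    # Hard failures first: no valid token, or evidence the client is hostile.
    if not p.token_ok:
        return "deny", ["token authentication failed"]
    if p.keylogger_detected:
        return "deny", ["keylogger detected on client"]

    reasons = []
    dat_age = today - p.av_dat_date
    if dat_age > MAX_DAT_AGE:
        reasons.append(f"AV signatures stale ({dat_age.days} days old)")
    if today - p.last_patch_date > MAX_PATCH_AGE:
        reasons.append("Windows patches older than policy allows")
    if reasons:
        return "deny", reasons

    # Hygiene passed. Only a managed, encrypted build running the approved AV
    # may pull files down for offline work; anything else gets a remote
    # session in which the data never leaves the data centre.
    managed = (p.corporate_reg_key and p.av_vendor in APPROVED_AV
               and p.disk_encrypted)
    if managed:
        return "full", ["managed corporate build"]
    return "citrix", ["unmanaged host: session access only, no file download"]


# Rules-based access list per tier: (destination network, TCP port).
# ANY_ANY_ALL is the policy the post warns against, kept for comparison.
TIER_RULES: Dict[str, List[Tuple[str, Optional[int]]]] = {
    "deny":   [],
    "citrix": [("10.0.1.0/24", 443)],                     # Citrix/web gateway only
    "full":   [("10.0.1.0/24", 443),
               ("10.0.2.0/24", 443),                      # WebDAV file access
               ("10.0.3.0/24", 445)],                     # SMB share for backups
}
ANY_ANY_ALL: List[Tuple[str, Optional[int]]] = [("0.0.0.0/0", None)]


def is_allowed(rules: List[Tuple[str, Optional[int]]],
               dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if some rule matches it."""
    addr = ip_address(dst_ip)
    return any(addr in ip_network(net) and (port is None or port == dst_port)
               for net, port in rules)


# Constructed sample fleet evaluated on a fixed date.
TODAY = date(2009, 10, 12)
SAMPLE_FLEET = [
    Posture("lap-sales-01", "CorpAV", date(2009, 10, 11), date(2009, 10, 1), True, True, False, True),
    Posture("lap-sales-02", "CorpAV", date(2009, 9, 20), date(2009, 10, 1), True, True, False, True),
    Posture("home-pc-07", "OtherAV", date(2009, 10, 12), date(2009, 10, 5), False, False, False, True),
    Posture("kiosk-hotel", "OtherAV", date(2009, 10, 12), date(2009, 10, 5), False, False, True, True),
]


def evaluate_fleet() -> Dict[str, str]:
    """Map each sample host to the tier the gateway would grant it."""
    return {p.hostname: classify(p, TODAY)[0] for p in SAMPLE_FLEET}


if __name__ == "__main__":
    for p in SAMPLE_FLEET:
        tier, reasons = classify(p, TODAY)
        print(f"{p.hostname:14} {tier:7} {'; '.join(reasons)}")
    # A session-only host cannot reach the file share, a managed one can,
    # and an Any/Any/All policy lets everything through.
    print(is_allowed(TIER_RULES["citrix"], "10.0.3.5", 445),
          is_allowed(TIER_RULES["full"], "10.0.3.5", 445),
          is_allowed(ANY_ANY_ALL, "203.0.113.9", 22))
```

The point of the split between `classify` and `is_allowed` is that posture decides the tier once at logon, and every later flow is then matched against that tier's explicit list; a host with stale signatures or a detected keylogger never reaches a rule at all, and the unmanaged home PC gets a Citrix session but no route to the file share.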
The cloud poses its own problems. The biggest of the issues is the lack of control over your own data. I agree with you that many of the applications becoming available from "utility computing" vendors will eventually find business uses. What is remote computing except tapping into the "corporate cloud" to accomplish work?
The issue at hand is one not only of information control, but of legal liability. At current, cloud vendors disclaim all legal liability for loss or theft of data, security breaches, and downtime. While you may feel that us regular IT Joes have "over inflated wages" (as compared to who?), the reality is that we exist to support corporate infrastructure that itself exists for legitimate business reasons. Like it or not, business owners, managers, and other people who (in theory) have to accept the responsibility for failures do very much enjoy having "someone to flog" when the excreta meets the rotating air circulation mechanism.
If you control your infrastructure and your geeks, then you have a much better chance of controlling the information you want kept private, and of ensuring those systems are available and operational when you need them.
The third-party cloud will remain a non-core component of business computing until vendors can meet two qualifications. The first, and most important, is that vendors must become legally liable (for downtime, data loss, security breaches, theft etc.). They must also offer a method by which customers can reach out and taser a geek when things go boom. (“No new information” posts, or sitting on hold for hours at a time, is something most businesses would view as unacceptable for mission-critical computing.)
So until that day arrives, I guess you, and the rest of the world, are stuck with us “over inflated wage” numpties. (Really? Over inflated? John Q Random couldn’t do my job, and I sure as heck don’t take in the Corporate American Executive Screw-The-Little-Guy remuneration package. Please do detail your issues with the pathetic wages we IT folk get paid, and why you feel it is unjust.)
Lolz.. Clouds .. Auto updates .. AV
How about "ssh -X"? Not much it can't handle. Oh, and if the user really has to work offline, then there's "scp" too :-P