Original URL: http://www.theregister.co.uk/2009/10/19/remote_user_management_expert_advice/

So how do you manage remote users?

According to reader experts

By Phil Mitchell

Posted in PC Management, 19th October 2009 13:24 GMT

You the Expert: We set you a challenge to join our expert panel and answer questions from our readers on how to deal with your desktop, and mobile desktop, environment.

This week we've got the first of what promises to be regular installments on this topic. We welcome the first contribution from our resident reader experts, Adam Salisbury and Trevor Pott.

You can read their advice, along with advice from Intel and Freeform Dynamics, below.

The question this week is:

How can I manage remote users better, particularly roving users who are only connected to the network on a sporadic basis?

Name: Adam Salisbury

Job Title: Infrastructure Support Engineer

Managing remote users has been, and probably always will be, a major challenge to any business, even with today’s high speed home broadband offerings and ever improving secure remote access solutions. While the challenges of managing dial-up sales users were limited remote access and support and limited opportunity to regularly update the OS and installed applications, now there are more updates than ever and more demands for more of the resources previously confined to the corporate network.

It should go without saying that the key to successful remote user management is a rock solid remote access system, and there is a huge range to choose from. Invest in remote access tokens to authenticate your mobile workforce and develop and maintain a well thought out rules-based access policy. Resist the urge to merely adopt an ‘Any, Any, All’ policy no matter how secure you feel you are with your access tokens and SSL VPN. You should also invest the time in developing good end-point checking, and make sure the corporate AV can get its updates in the wild if users aren’t connected to the corporate network.

Software update management software is another solid investment to maximise the efficiency and quality of service provided to your roaming workforce. Keep them as fully updated as possible at all times to avoid diminishing performance and reliability, and to maintain as secure a platform as possible. Mobile users are those most likely to become a victim of an outbreak or vulnerability just by virtue of being mobile, hence as much should be done as possible to maintain their systems as they travel around, and to actively engage in a preventative maintenance strategy on the occasions they do grace the office with their presence.

Encrypt those notebooks. This is an obvious but often overlooked security measure, and not just by the SMBs of the world either; I’ve worked for a “five nines” managed service provider who didn’t have a mobile worker encryption strategy. Few encryption tools these days present the system with a tangible performance overhead, and more and more systems ship with SSDs, so that difference will narrow even further. Go for a good product which incorporates full device control: the ability to secure USB sticks, CDs and DVDs.

One of the biggest challenges for managing remote users is, or at least has been, how to keep data backups. It is getting far easier to tunnel into the LAN and allow users access to network shares, intranets and CRM systems. But the user with their last four years of work sat on the C: drive is still out there, as are the users carrying their own weight in email in PST files. Having enough secure, accessible and available storage on tap for user backup can be costly, but is it more costly than that million-pound bid that got away after your top salesman dropped his laptop?

Review your group policy (or equivalent); too loose and you risk a horde of malware infected systems, perhaps even embarrassing or costly data leakage, but too restrictive and the service desk will be swamped as the mobile masses log cases for printer installations and firewall exceptions. There is a myriad of solutions and configurations out there; some will work and some will be non-starters. Find the ones that fit and embrace them.
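The difference between an ‘Any, Any, All’ policy and a rules-based one with end-point checking, as described above, is easiest to see in a small model. The following is an added example, not code from the article or from any of its contributors: a first-match policy evaluator with an implicit default deny, where a session is only evaluated against the rules once the endpoint passes a posture check (second-factor token verified, disk encrypted, AV signatures not stale). Every group name, network, port and threshold here is an assumption for illustration.

```python
"""Rules-based remote access policy with posture gating (added example).

All groups, networks, ports and thresholds are constructed for illustration;
they are not taken from the article or any real deployment.
"""
from dataclasses import dataclass
from datetime import timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Posture:
    av_signature_age: timedelta   # time since the AV client last pulled definitions
    disk_encrypted: bool          # full-disk encryption reported active
    token_verified: bool          # second factor (remote access token) succeeded


@dataclass
class Session:
    user: str
    groups: List[str]
    posture: Posture


@dataclass
class Rule:
    name: str
    groups: Optional[Set[str]]    # None = any group
    dst_net: str                  # CIDR the rule applies to
    ports: Optional[Set[int]]     # None = any port
    action: str                   # "allow" or "deny"


# Assumed posture requirement: definitions no older than three days.
MAX_SIG_AGE = timedelta(days=3)


def posture_ok(p: Posture) -> bool:
    """End-point check that every session must pass before any rule is consulted."""
    return p.token_verified and p.disk_encrypted and p.av_signature_age <= MAX_SIG_AGE


def evaluate(rules: List[Rule], session: Session, dst_ip: str, dst_port: int) -> str:
    """First-match evaluation. Anything not explicitly allowed is denied."""
    if not posture_ok(session.posture):
        # In a real deployment this would land the client in a remediation VLAN
        # where it can only reach the AV update server and the help desk.
        return "deny"
    addr = ip_address(dst_ip)
    for r in rules:
        if r.groups is not None and not (r.groups & set(session.groups)):
            continue
        if addr not in ip_network(r.dst_net):
            continue
        if r.ports is not None and dst_port not in r.ports:
            continue
        return r.action
    return "deny"   # implicit default deny


# The weak policy: one rule, everything permitted once the tunnel is up.
ANY_ANY_ALL = [Rule("any-any-all", None, "0.0.0.0/0", None, "allow")]

# The rules-based policy: least privilege per group (assumed networks and ports).
RULES_BASED = [
    Rule("sales-crm-https", {"sales"}, "10.10.5.0/24", {443}, "allow"),
    Rule("everyone-mail-https", None, "10.10.2.10/32", {443}, "allow"),
    Rule("admins-mgmt", {"it-admins"}, "10.10.0.0/16", {22, 3389}, "allow"),
]

# Constructed sample sessions.
HEALTHY_SALES = Session("alice", ["sales"],
                        Posture(timedelta(days=1), True, True))
STALE_SALES = Session("bob", ["sales"],
                      Posture(timedelta(days=10), True, True))
ADMIN = Session("carol", ["it-admins"],
                Posture(timedelta(hours=2), True, True))


if __name__ == "__main__":
    print("sales -> CRM 443, rules-based:", evaluate(RULES_BASED, HEALTHY_SALES, "10.10.5.20", 443))
    print("sales -> DC 445, rules-based:  ", evaluate(RULES_BASED, HEALTHY_SALES, "10.10.1.5", 445))
    print("sales -> DC 445, any-any-all:  ", evaluate(ANY_ANY_ALL, HEALTHY_SALES, "10.10.1.5", 445))
    print("stale AV sales -> CRM 443:     ", evaluate(RULES_BASED, STALE_SALES, "10.10.5.20", 443))
    print("admin -> DC 3389, rules-based: ", evaluate(RULES_BASED, ADMIN, "10.10.1.5", 3389))
```

The point the model makes is that the two policies behave identically for the traffic the user is supposed to generate (sales to the CRM over HTTPS) and only diverge for traffic nobody planned for, such as a compromised sales laptop probing SMB on a domain controller, which the flat policy lets through. The posture check also denies the stale-AV machine even though its user and destination are otherwise permitted, which is the behaviour the text asks for from end-point checking.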


Name: Steve Cutler

Job Title: Technical Marketing Manager, End User Solutions, Intel®

If you have Intel® VPro™ technology systems you can start using a technology in the platform called Active Management Technology (AMT). AMT gives you a separate management engine in the platform which can communicate with your management console out of band from the main operating system. This means you have remote management capabilities whether the OS is running or not - and even if the system is powered off.

There are several options. A laptop still within the company environment (firewall) can be accessed and managed using AMT in the same way as a desktop client. A laptop outside the company will again be picked up in the same way as a desktop and required maintenance tasks can be carried out the next time it accesses the company intranet.

The third situation is to use the VPro™ feature known as “Fast Call for Help”, in which the user can hit a button on the laptop or use a special key combination to cause the management engine in the VPro™ system to “call home” for help from the company support desk. Once the connection is made to the company management console, it can again be managed as if it was internal to the company. The only difference is that the connection request was initiated by the client. In particular this means remediation features such as Serial over LAN and IDE Redirection are available to help the support desk to diagnose and correct problems with the end user's system.

If you do not have VPro™ systems in your laptop fleet, investigate the remote access solutions available, starting with Windows Remote Desktop/Remote Assistance. There are also third party products that will allow a support desk engineer to take control of a remote user's system to diagnose and correct many problems. See what options there are in the client build to provide localised diagnostic tools, such as a separate maintenance partition on the disk. This would help mitigate the worst case failure where a key OS file is damaged or for some reason a network connection cannot be made.

Name: Trevor Pott

Job Title: Systems Administrator

Roaming users have requirements for offline data, as they get only infrequent chances to access the internet and thus connect to the corporate network. Unfortunately, many networks to which your users may gain access block all traffic except HTTP and SSL. Fortunately, in many cases supporting the secure synchronisation of data is possible relatively securely without the hassle of a VPN.

Outlook Anywhere (as one example) works fine over an SSL connection, and so does WebDAV. Numerous other technologies exist to solve the problem of getting information into the users’ hands with varying levels of security. Another consideration is that a significant amount of information required offline is something that can be synced to a smart phone. Some smart phones (such as Blackberries) integrate very well with corporate networks, can be easily secured and even remotely wiped in case the device is lost while containing sensitive data.

If your users have more than very sporadic access to the internet, I heartily recommend embracing Virtual Desktop infrastructure (VDI).

Sensitive information never has to leave the network, and virtual desktops can be managed far more easily than (for example) a roaming user’s notebook. With the myriad of solutions available to access a given desktop over HTTP or SSL, VDI is also a solution that frequently works where VPNs are blocked. If your users can function with VDI and a secured smart phone, you do not have to spend time trying to police what users can and cannot do with their notebooks.

As for the question of usability; depending on bandwidth availability, RDP enhancements from companies like Wyse can do some amazing things. If you search El Reg’s back articles, you’ll find several relating to companies that are offering VDI/RDP enhancements; and IBM is even jumping in and trying to make a profit from this very concept hosted on a large scale. Internet access is ubiquitous, and you don’t need a very big pipe for a basic RDP session.

VDI certainly doesn’t solve every remote access usage scenario; but it certainly simplifies things when and where it can be applied. Start with VDI in mind and ask yourself what information your roving users require that can’t be adequately served by a remote session. The more information you must remove from the network, the more you must lock down devices that can access that information. Depending on your situation, the cost of an Air Card and contract might be far less than the hassle of offline synchronization.


Name: Jon Collins

Job Title: Managing Director, Freeform Dynamics

Managing mobile or home-working desktop users can be difficult for a number of reasons, not just the lack of proximity but also (for example) that it is harder to control what is being used: external drives, printers, broadband networking can all add to the mix.

As well as remote management capabilities in the hardware we have talked previously about in relation to power, we would recommend considering two options. The first is remote desktop control software, from the likes of Citrix (GoToMyPC). With such tools you can actually use the remote desktop as though it was your own, speeding up fault diagnosis considerably – it also becomes easier to see if anything untoward has been installed.

Second, be sure that your remote management toolsets and policies tie in with your security strategy. Depending on your configuration, you may have a combination of technologies including virtual private networking (VPN), which will influence how you manage users remotely.

And speaking of security, virtualisation and thin client approaches offer a number of options when it comes to remote desktops, enabling (for example) home workers to use a locked-down virtual desktop from the likes of Becrypt. Some approaches allow for virtual machines to be “checked out” when good enough bandwidth is available, such as when visiting HQ or when working in a branch office, to ensure that the latest version is available. As a final point however, it is well worth reviewing all of the features that are available in modern operating systems and hardware platforms. A number of remote management features are available ‘out of the box’ or can be easily augmented with third-party products.


If you think you can do better, head over to the comments and let us know how you think remote workers should be managed.