A guide to desktop management

Desktop (and notebook) PCs present a huge headache for IT managers: looking after hardware and software inventory, configuration, security, patching and software licences, for example, can make serious inroads into the IT budget. We examine the technologies and tools that can make the job easier.

The desktop PC may be an invaluable business tool, but it also presents huge challenges in terms of day-to-day management and support — especially when it comes to large organisations with hundreds, if not thousands, of them to cope with.

Just keeping track of who has what hardware and where can be a real headache, let alone making sure it’s all configured correctly with the right application software, the latest patches, suitable firewall, antivirus and other security tools, and so on. Factor in the human element — users — and it’s easy to understand why desktop management can account for the lion’s share of any IT budget.

Desktop management: the story so far
There are plenty of available products designed to address the issues of desktop management. Most start with some kind of inventory tool, to discover and identify desktop assets and how they’re configured. To this can then be added tools to distribute applications, patches and other software, along with utilities to ensure that licence counts are enforced and yet more to enable support staff to remotely diagnose and fix faults when they arise.

Some of these tools are now built into the Windows desktop itself, but that’s a fairly recent innovation. Most are, therefore, implemented as standalone third-party applications or, more commonly, as part of larger integrated management suites from vendors such as Computer Associates, HP, Microsoft, Novell, Symantec and others.

Software-based management solutions are far from perfect, though. For a start, one or more client agents will normally have to be installed on each and every desktop PC for them to work. Distribution of these agents can be complex and presents a logistical challenge in itself. More importantly, most only work while the client PC is turned on and running a fully functional operating system. When users turn their systems off — at the end of the day, for example — management is effectively blocked except where specialised hardware features, such as Wake-on-LAN (WOL), enable them to be remotely powered back on.

Unfortunately WOL doesn’t help that much, because even once a desktop has been powered on, the operating system still needs to be fully operational before the management agent can do anything. There are additional security and performance issues. For example, in most cases there's no encryption to protect the traffic sent between the remote management agents and central consoles; management traffic is also carried along with everything else over standard shared Ethernet LAN/WAN links — which are, again, only available with a fully functioning OS in place.

Compatibility can be an issue too, with only very basic common standards to ensure interoperability between the hardware and software being managed and the tools designed to facilitate that management. Finally, the whole setup can be compromised by a general lack of security on the desktop itself. Indeed, no matter how well you manage your desktops, it’s still hard to prevent users — or worse still, viruses and other malware — getting through the defences and messing them all up again.

Enter vPro
Intel’s answer to these and other desktop management issues is to take the functionality currently provided by software-based management clients, add extra features, make it more secure and build it into the PC. Intel calls this approach vPro, although, as with the Centrino mobile platform and Viiv, Intel’s digital entertainment brand, vPro is more of a marketing concept than a single discrete technology. Indeed, just as with those brands, vPro really describes a collection of technologies. Some are new and others have been around for a while, but all are designed to work together to address desktop management issues.

Announced towards the end of 2006, the various bits of hardware and software required for vPro have taken a while to develop and deliver, but are starting to appear. The latest vPro development adds wireless support, about which more later.

In the meantime, one of the most important of the vPro components is AMT (Active Management Technology), which has actually been around for a number of years. It’s the second generation of AMT, now built into Intel’s Q965 chipsets, that forms the core of what vPro is all about.

AMT at the core
One of the main things AMT does is take over where hardware enhancements such as Wake-on-LAN leave off, by making sure a desktop PC is always available to be managed, no matter what its power or operational status. In fact, as long as the PC is connected to a power supply, AMT makes sure the desktop is always accessible to management software, even when it’s otherwise switched off or there’s no functioning operating system.

To facilitate this always-on availability, AMT adds a secure communication channel connected via another key vPro component — an integrated Intel Gigabit Ethernet adapter. Described as 'out-of-band', this new secure channel uses a logically separate and independent networking stack implemented in the hardware. This, like the other parts of vPro, is always available whether or not the PC is powered up or the host OS loaded. It’s also accessible using standard TCP/IP and addressing rather than a special communications protocol as with WOL.

Using this secure channel, a PC can be remotely powered up or down and crashed PCs rebooted even when the OS has hung. Moreover, using another vPro component — IDE-Redirect — it’s possible to remotely boot a PC to a known clean state by redirecting the boot device to a clean image on local storage, a CD mounted at the help desk or an image held on another remote drive.

Error logs and inventory information can, similarly, be accessed regardless of desktop state, the AMT firmware storing inventory data in secure non-volatile memory every time the PC is powered up.

The secure AMT channel can also be used by support staff to diagnose and resolve problems remotely. Indeed, using yet another vPro component technology — Serial-over-LAN (SOL) — engineers can remotely manage the PC independent of the OS, right down to editing BIOS settings remotely over the network.

All of this can be performed over secure encrypted links with access controlled by an Access Control List (ACL), which is stored in the non-volatile memory managed by vPro. The AMT firmware itself (digitally signed and encrypted) is also stored in this memory, along with third-party code and data for use by management applications, which make up another part of the vPro story.


The software connection
The vPro components provided by Intel are of little value without management software. These tools are needed to read the inventory data, issue the reboot commands, provide the remote diagnostics and generally take advantage of what the new hardware technologies have to offer. To this end, Intel publishes an API and a development toolkit for third-party developers, which most of the big-name software houses are starting to adopt.

Altiris (now part of Symantec), for example, supports AMT and other vPro components in its software, which is bundled with HP business desktops, many of which are now also vPro-enabled. Microsoft, too, supports AMT in its desktop management products, as do Computer Associates and others, although the level of support varies and integration is still at a fairly embryonic stage even among the top names. You can find a list of vPro-compliant management software on Intel's web site.

A virtual piece of the puzzle
Another key component of the vPro solution is the dual-core Intel Core 2 Duo processor, which provides sufficient processing power to run the management and security features without impacting on the desktop PC's primary uses. More than that, thanks to its Intel VT virtualisation extensions, the Core 2 Duo processor enables custom security appliances to be run in the background in their own secure virtual environments.

These virtual appliances sit between the desktop and the network and so are able to filter in-bound and out-bound traffic for potential threats that might otherwise compromise the PC’s viability. Such virtual appliances will also be able to set rate limits and fully isolate a PC from the network when a potential threat is identified, providing a more secure disconnect than traditional software-based quarantine services, which can be circumvented by hackers, viruses, worms and user tampering.

Here again, implementation will be dependent on third-party developers coming up with code to run in the virtual environment provided through vPro and the Core 2 Duo processor. However, a number of vendors, including Red Hat, have already announced their intention to do just that. Furthermore, in the latest implementation of AMT, Intel has introduced its own filtering tools built into the firmware as standard.

And wireless too
One major hurdle facing any desktop management solution has to be the increasing mobility of the business workforce. Notebooks and Wi-Fi wireless networking are now commonplace, making it even harder to keep a company's PCs properly configured and secure.

Intel’s answer is to enhance its AMT technology to support secure remote management over wireless as well as conventional wired Ethernet networks. This is now possible using Centrino Pro-branded notebooks based on the Mobile Intel 965 Express chipset, which includes the latest AMT 2.5 firmware. Centrino Pro notebooks are now available from most of the major vendors.

When connected to a corporate network, Centrino Pro notebooks can be managed wirelessly alongside wired vPro-enabled desktops — from the same management consoles using the same secure out-of-band communication channels, remote power up and boot facilities and so on. They can also be managed when outside the corporate firewall over a standard OS-dependent VPN connection, although functionality will be reduced in such circumstances.


vPro: issues and alternatives
On the face of it, Intel’s vPro solution would seem to provide many of the answers to the desktop management issues that have plagued the enterprise market since PCs were first introduced. The technologies it involves are also gaining support, both from hardware vendors and from developers of management applications. So, for example, you can already buy vPro-enabled desktop PCs and notebooks from vendors such as Dell, HP, IBM, Lenovo and others, and manage them using a growing number of management products. However, there are some caveats that may put a brake on the take-up of vPro.

Because it’s based on Intel components, vPro is very much a proprietary solution, only available to buyers of the latest Intel-based systems. Obviously this is a good move for Intel in terms of differentiating its products from those based on AMD silicon, for example. However, it's not so good for customers seeking the best deal when buying or replacing desktop hardware. Furthermore, it’s not available on Apple Macs, RISC-based workstations or handheld computers.

It’s also very much dependent on vendors of management tools developing software to take advantage of vPro and its proprietary API. Most are, but nearly all already have their own solutions that may clash with vPro; they also need to be able to offer management tools that can work with the full range of installed hardware, not just vPro-enabled desktops. As a result, software vendors aren’t necessarily giving vPro as much attention as Intel might want or expect.

There are alternatives to vPro, too, such as DASH (Desktop and mobile Architecture for Systems Management Hardware), an initiative from the DMTF (Distributed Management Task Force) that shares many of the same aims. DASH, however, is much more of an open standard, leveraging other standards-driven technologies, such as the Common Information Model (CIM), already implemented and supported by vendors of management software. Potentially, this makes DASH quicker and easier to implement.

Desktop management: where next?
Intel has said that it aims to support DASH in a future release of vPro, but neither the timing nor the level of integration have yet been disclosed. AMD’s involvement in DASH is likely to further muddy the waters, Intel's rival having announced a vPro equivalent — Simfire — which will be DASH compliant. And because nobody can predict what will happen, systems vendors and software developers alike are openly backing vPro, DASH and other initiatives in equal measure.

However, Intel does have an advantage in that the technologies behind vPro are well defined. More than that, they are available to buy now from business hardware and software partners. The ability to manage notebooks over wireless is another key vPro differentiator, with no real equivalent from other players in this market at present.