Q&A: How one college embraced UEM to manage endpoints at five campuses
- 11 September, 2019 20:00
Steve Malaglowicz was hired 25 years ago by Truckee Meadows Community College in Reno, Nev. to oversee the rollout of Novell ZENworks and to bring desktop imaging to the institution. Over time, Malaglowicz, the school's senior technician, said ZENworks became too expensive and Novell too difficult to work with for a college with a tight IT budget.
In 2009, the college chose to replace Novell ZENworks with a less expensive application and virtualization management product from Quest KACE, which the IT team used to help unify its approach to endpoint management. Today, the school can use a single console to manage 3,300 desktop or mobile endpoints across five campuses; it has four full-time IT staffers, and trains and mentors three to six student workers who do more of the physical tech labor.
Before fully deploying a unified endpoint management (UEM) strategy, Malaglowicz would find himself travelling between campuses "all the time." After the UEM rollout, he said he's left his desk to address problems "maybe twice" in recent years.
The following are excerpts from an interview with Malaglowicz about the school's UEM shift:
How did you start your journey at Truckee Meadows? "They hired me to come in and work with ZENworks and get them organized and imaging to begin with. That's really when the college started with UEM – getting the unified image out to every machine and being able to deliver that.
"That was the first strategy we attacked, even before trying to manage the desktops. I did Zen for years. It just got so expensive and Novell was such a pain to work with; we started looking at other systems in 2009 and settled on KACE just because of its cost at the time. We've been with them ever since. It's a good product."
You've been doing this a long time; why did you move from Novell? "With ZENworks we were using it to push out applications and the ZEN imaging to deliver the initial desktops. In our academic environment we had 22 other machines and we had Centurion on them at the time to lock them down. People couldn't modify them after we imaged them. We've gone to Deep Freeze since then.
"We have the ability through KACE or the Deep Freeze console to freeze or thaw the machines. When they're frozen, you can walk up to an academic machine, format the hard drive, give it a virus, anything. Turn it off and turn it back on and it's right back to where it was originally. It's a very useful tool in an academic environment. It prevents them from modifying things without your knowledge.
"That is really one of the best things in our UEM strategy – we use the KACE [System Deployment Appliance] to push off images and freeze them. Then, when we have to do updates to some desktops, we use the KACE [Systems Management Appliance] to do any changes and just refreeze them again." [The college has also been using KACE Cloud MDM since January.]
What do you have for mobile devices? "The classrooms have been running a lot of tablets. We've got Android and iPads both. We went to the KACE MDM solution just because it plugs straight in. We don't have to go learn a whole other product.
"That was the beauty of trying to stay with just one company. The cost of training is phenomenal out there. My only complaint with this MDM thing they're forcing is it's a subscription cost. So, you go out and buy a $300 tablet and we pay KACE $30 per license. So, in five years – the life of the tablet – we pay an additional [$150]. So now it's a $400 tablet. So, your total cost of ownership goes up on a device if you use an MDM strategy.
"JAMF was even worse. They were twice the cost. But, it's something you're forced to do. All these companies are going to subscription models and it really hurts small enterprises. They can't afford to do that year in and year out with licensing."
Even so, you went with a subscription model? "Yeah, because there's no other choice out there. I don't know who originally got the subscription idea going, but all these companies are jumping onboard, and it really sucks for enterprise management because you don't own the software and so it's hard to work with; and, a lot of times it's hard to deploy an image."
Why is it hard to deploy a desktop or tablet image? "Take Adobe, it requires log-ins. Even though we can put the base software on there, they have to log in and it pushes more stuff to the desktop for the user depending on what the subscription is. Office 365 works the same way. So, software-wise, the subscription model is really ludicrous.
"With MDM you have no choice, and I understand why they do that. You can control a tablet anywhere in the world. If someone steals one, we can find it and shut it down and tell police where it is. So, you kind of need that strategy."
So, can you truly control all your endpoints – desktops, tablets, smartphones – from a single console? "For UEM, we have the KACE SMA [Systems Management Appliance]; it handles all our Windows and Macs out there. We have 2,500 academic and 750 on the Administration side, so a little over 3,000 machines. The SMA, we handle that and train the students how to use that. We also bring in all the MDM data through the SMA for inventory purposes. So, all the higher ups, if they need reports on that, they can go to that one console.
"There are two of us who actually log into the MDM to set the policies. We do everything up there in MDM and all the bosses look at the SMA to get reports and all the inventory. It's all in one place for them."
How many mobile devices do you manage? "Right now, we're just ramping it up. With the changes that Apple made we were forced to go to MDM for even the iMacs. Right now, we have about 80 devices in there. ...We're running about 230 iPads in the classrooms and the iMacs will have to come in, as well; there's 110 of those. Those will be run through MDM in the future."
So, you can see both mobile and desktop? "Yes, you can see who's online and who's using it. The other nice thing about it is if something breaks, I only need to call one phone number and work with them to figure out what's going on. We used to have three or four different consoles and the vendors would point fingers at each other and say, 'It's them, not us.' That was a constant headache when you had to call support."
What would you say continues to be a challenge? "The one thing is whatever you choose for a UEM solution, they need to be up to date on any OS changes companies are putting out. That was one thing about Novell that was frustrating. They'd come out with new drivers or an operating system and it would be six months before we'd get a new disk to do our job again. With KACE, it's usually within a week. Patching was lagging for a while there, but I know with the new version 10 coming out, they've brought patching back in-house, so that's supposed to get rid of that frustration.
"With security and malware, you've got to be up on the newest stuff constantly, or they [hackers] will find a hole. That's our biggest concern. Keeping up with patching and keeping security up to date.
"I run the system and there are two people under me. So, we really are doing it with minimal staff."
You mentioned IoT devices you also manage. Can you explain that? "That's the projectors in the classrooms, the smart TVs and equipment like that. The IoT stuff we're handling through the network people who use an SNMP monitor [from SolarWinds MSP]. They monitor them that way. We would have to buy extra licenses to manage them through KACE.
"That's one thing that drives a lot of our direction is budgets and funding. Being a community college and all the cutbacks, we've really got to think about where we spend our money."
How have Apple's policies changed and affected your management of devices? "With Mavericks and the newer systems, you cannot load your own OS on Macs anymore, so we can't image them. To image a Mac now, you download the OS from Apple over the internet and that sets up the basic machine, and then we enroll it into the MDM automatically as we purchase them through the DEP [Device Enrollment Program]. Any policy or applications we want, once they get enrolled and get their base imaging on them, they get delivered to them. Before, we used to build the whole image and just cast it out to the Macs. That's no longer possible ... you know, tightening security; it's understandable. Microsoft is getting the same way with images."
So, do you see adding anything else into the UEM strategy? Smartphones, for instance? "Eventually, we do have company phones and we will be bringing them into it. Right now, it's just tablets and desktops. No other major changes to our strategy in the future, unless the paradigm shifts out there and we'll have to react and work with it; we're a community college and have to teach what's out there to our students."
Do you have any advice for others considering going down the UEM path? "What we did was look at three or four different products and did some light training on them to see how hard they were going to be to use. That's going to be the biggest problem people will run into; they're going to buy into something and not realize they really have to have all this training to be able to use it properly, or they only utilize 10% of the product and they're just throwing money away. That's a big hurdle I see other people run into. They jump into things and dump it on their technicians, who end up scratching their heads and saying, 'I don't know how to use this.' And, there's no money to train them, so they have to figure it out on their own.
"That's the other thing. Is there a community to help support you if you have to learn it on your own? Make sure that's out there and available. Budget training. That's something most businesses never think about. Just going to UserCon alone is about $3,000 or $4,000 per person. We've had a couple other products we've gone to who have three or four classes that are never near you. It's just really expensive in the end."