Standardizing the desktop: Strategies for success
- 02 November, 2011 02:09
IT is often at the forefront of technology innovation -- but not always. When it comes to the concept of a standard desktop -- every employee's core install that consists of an operating system, applications, hardware drivers and a security suite -- IT has moved at a snail's pace.
Charles King, an analyst with Pund-IT, says companies have tended to live with older software because it works well enough for their needs. Enterprises don't always ramp up to the latest releases, especially in this era of "making do with less."
Then there are political issues, which can take the form of pushback from key end-user constituencies that want to do their own thing, and whom IT doesn't want to alienate in budget-challenged times. Plus, some people want to continue using whatever ancient software they've long since gotten used to using.
But now, it seems, the snail is picking up some speed. The use of a standard desktop is becoming more of a best practice. According to a February 2010 Gartner report, 50% of 300 people surveyed in a large company said they will be locking down more corporate computers, not allowing end users to install their own applications.
One major factor behind standardization is that security concerns are looming large. IT can make a strong case about rogue (untested) applications that can bring down the network, or vulnerabilities inherent in old software that crackers often pounce on.
IT managers who are implementing a more locked-down desktop say the strategy can lead to lower costs and smoother operations. King makes a point about the "overall fitness" of how organizations deal with software and handle operational budgets. A standard desktop forces IT to think about deployment strategies and, if handled correctly, ultimately reduces the number of approved desktops to just one or two.
Dealing with rogue employees
Some companies wrestle with the notion of standardization because they also want to allow some flexibility in how an employee does his or her job, says Pund-IT's King. There are approaches that can be used, including allowing employees to select new tools from a pre-approved applications library, or allowing employees to request new tools from IT.
Still, no matter what you do, some end users will insist on bending the rules, or breaking them outright, by downloading their own software.
In this case, King suggests, "If the app is fairly benign, simply note that the download is unapproved, explain why and have the worker scrub it from the system," he says. "In addition, creating a review mechanism for employees to submit applications for consideration/approval can be a good way for organizations to learn about new technologies and to reward workers for their initiative."
If an application is a known problem or contains potential dangers, or if the employee repeatedly downloads and installs unapproved software and is recalcitrant, "imposing some sort of sanctions seems appropriate," King says. These sanctions could range from formally noting the warning or event in the worker's file to building a case for suspension or dismissal. "Knowingly exposing an organization's IT assets or data to potential dangers is unnecessary and arrogant, and deserves to be addressed," he explains.
A number of organizations are successfully walking this line. Here's how four IT organizations are locking down their desktops while providing some flexibility for employees to do their jobs.
St. Luke's Hospital: Standardization with flexibility
Consistency across a large organization can be difficult. With 10 locations throughout Idaho, Saint Luke's Health System has been extremely careful about its standard desktop. For infrastructure manager Eric Johnson, one important goal was to give doctors and other staff flexibility around which hardware they can use -- from a list of approved devices -- and where they may work within the hospital.
"In moving from Novell to Microsoft for our back end, we had a blank slate," says Johnson. The organization decided to move from systems-based downloads for applications to user-based downloads. In other words, end users can choose from a library of pre-approved software that they download themselves.
This has led to significant time savings, he says. He declined to quantify the savings, but says it is mostly about freeing up IT staff to focus on managing the library rather than about them doing "one-off" application installs. He says the most significant challenge has to do with apps that are not yet in the repository, but that a department might need; the IT staff has to deal with this challenge on a case-by-case basis.
St. Luke's uses application virtualization software from Beyond Trust called PowerBroker Desktops. The rules-based engine can remove administrative rights from the user's desktop so that the person cannot install applications, and it watches for errant installs that did not complete correctly. A dashboard matches the look and feel of other Microsoft data center tools.
Johnson says his team uses PowerBroker to manage about 8,000 desktops in 90 buildings. He says the company has settled on Windows XP SP3, Office 2007, Adobe Flash, Microsoft Silverlight, the Citrix client and Microsoft Live Meeting as the core of its standard desktop.
A new employee is added to multiple groups as appropriate -- say, advertising, marketing and general business. For each group, the employee can then download multiple applications from the approved list, gain file permissions to gain access to network servers for those applications and configure some options locally, such as IE toolbars and Outlook menus.
St Luke's uses a committee approach to choosing the core software included in its standard desktop. For example, in choosing Live Meeting, Johnson said six different departments gave recommendations by looking at popular videoconferencing systems. They came to a consensus, and then IT started its testing and final approval process.
One other challenge at St. Luke's, and for most companies dealing with a standard desktop, has to do with versioning. The hospitals use a core image for base OS and apps, and tend to stick with one version for long periods. Yet, Johnson says the hospital manages about 22 different versions of Java through application virtualization -- and this argues against including Java in a standard desktop.
By virtualizing, St. Luke's IT staffers can root out incompatibilities between applications that use Java. For example, they can determine that the standard desktop for accounting always needs a specific Java plug-in. Yet, they keep the core the same and deliver Java versions as needed, outside of the standard desktop.
Interestingly, one of the lessons Johnson has learned is to avoid tweaking the standard desktop -- even when it comes to IT staff. "Less than 1% of our IT staff have admin rights," says Johnson. "But we do give people room to roam. We don't say you can't use that application. We're happy to deliver it, as long as we can deliver it virtually," to any employee.
St. Luke's is a bit unusual in how it locks down administrative rights even for IT staff. Ed Boyle, a consultant with SecurityCurve, says the tactic makes the enterprise more secure. In the long term, there are "saved dollars in overall fewer security issues."
Starwood Hotels: Managing consistency
Starwood Hotels owns Sheraton, Westin, Four Points and many other hotel chains; all told, it operates about 1,000 properties around the world. In the U.S., Starwood North manages approximately 160 of those hotels and about 15,000 desktops.
One major goal is to improve consistency. This is the golden rule of hotels, says Michael Van Lare, the vice president of IT: Make the experience the same in every brand. "We had a problem with consistency, even around the brand of computer, the specs, and the model we used. This made things very difficult to manage."
Van Lare says each hotel also uses a different merchant for payments. They discovered that the wide disparity of applications was causing incompatibilities with the other applications.
To achieve more consistency, the hotels now use ScriptLogic Desktop Authority, which manages the desktop OS, the applications and the user settings. The software helps create a standard for various departments within each hotel and configures user settings such as which printer to use, any system registry tweaks and even the application shortcuts used on the desktop.
Van Lare says they choose which applications to include in the standard desktop by going through a rigorous testing process. He says most of the testing occurs in the field rather than within IT because each hotel brand is slightly different -- an upscale Westin might need a certain version of Microsoft Office that a different Starwood hotel would never need.
Another example: The front office's property-management system, which Van Lare declined to name, by necessity often dictates the packages included with a standard. That's because, as Van Lare described it, the most critical systems are those that are used in the front lobby when a guest first checks in, some of them custom-developed. He says the check-in process, payment, room-key generation and other steps must flow smoothly.
Van Lare says Starwood is fairly aggressive about keeping up with the latest software versions. The company typically has an enterprise agreement with vendors, so there is no reason to delay an upgrade. On the desktop, the major software in use is Microsoft Windows and Office software, plus the front-office software and the McAfee endpoint security suite.
Starwood has not only standardized on the OS and apps, but also on Outlook email signatures. That brand-management step is important, he says, so hotel guests receive similar e-mails from all Starwood hotels.
Pund-IT's King says Starwood is on the right track by having multiple standards, even though that can cause management headaches. King says the goal is not necessarily to have just one global desktop standard across the entire chain, but to have the standard that each hotel brand needs and make sure employees have the tools they need.
The real challenge is not in managing the standards, but in managing the user requirements, which can change dramatically depending on the business' needs and growth, King says. That said, there is a big advantage in having as few standards as possible. Fewer standards means fewer headaches with configurations, licensing, and support for those applications -- and, ultimately, lower IT support costs.
Travelport: Taming the rogue employee
Based in Langley, UK, Travelport is a 3,500-person firm, with offices in over 160 countries, that provides transaction processing for the travel industry, including many major airlines. For its standard desktop, the company has taken a fairly aggressive stance about administrative rights and whether an employee can install his or her own apps.
The company uses Altiris, now owned by Symantec, to manage the standard desktop. Moore explains that as soon as a new employee turns on his or her work computer, the core OS image is updated with a few standard applications such as Microsoft Office 2010, Adobe Flash and Adobe Visual Communicator.
Requesting software outside of the norm is a fairly easy process and involves a call to the help desk to gain access to a software repository, which contains hundreds of applications; Moore declined to give an exact number. The company chooses software that will not interfere with the core enterprise applications, and it upgrades to the latest versions only if Moore's team knows the back-end processing required for core applications has not changed too much. The 25 to 30 people on the help desk are well-acquainted with the approved applications.
However, because of a highly distributed workforce in many countries, Moore says Travelport has locked down workstations more than most companies. He says users can request a unique application like Google Chrome, but it won't become part of the core offering. In fact, he says, since streamlining the standard desktop, rogue installs are extremely rare. An industrious end user would have to re-build the computer from scratch.
Travelport also uses the standard desktop process to manage licensing: staffers can run reports to see if an approved application that had been used by 300 people is now being installed by 3,000. This could happen, he explains, if one department suddenly starts making more use of a CRM tool to match up with its own needs or to deal with a business issue.
One lesson Moore has learned is: Maintain a core standard desktop that is hardware-independent, even as you develop standard images that are department-specific. There may be some variance, but he says most of the efficiency in the organization comes from having the fewest possible deviations.
Advocate Health Care: The challenges of a larger enterprise
For a smaller company, a standard desktop is easier to develop and the processes are often easier to manage. But for larger firms, every change to the standard image and core applications is compounded quickly.
That's why it's no surprise that, of the companies we interviewed for this story, Advocate Health Care in Chicago, which serves central Illinois, is using some of the oldest software in its standard desktop. The 30,000-employee firm still uses Windows XP SP2 and Internet Explorer 7 (IE7) in its standard image, mostly because IE8 would cause problems with a core set of proprietary business applications used in the branch offices.
"It's a tricky process because we want to stay current and near the curve, but we can't use an OS or a browser that cripples the business unit just to be current," says Dan Lutter, the director of field technology services at Advocate Health. The timing might not be right for the Advocate support staff to deal with new applications because they are still rooting out problems with existing installs, and the new version may not be fully tested for security vulnerabilities.
Lutter explained a recent scenario where users started requesting that IT make Mozilla Firefox available as part of the standard desktop. Ultimately, he decided against it. The company never actually tested Firefox because the timing was not right to deal with incompatibilities.
"When key business apps will not work properly, there is a loss of productivity, more frequent calls into the help desk so that support services staff have to get involved and remove the app, which confuses the customer. We don't want to have apps on our standard desktop that we manage that cause our customers to have a non-satisfactory business experience," he says.
Advocate uses the LANDesk Management Suite for managing the standard desktop and the software repository. Lutter says one of the benefits of using this tool is that his team receives alerts when someone attempts to install a rogue application. He says Advocate has spent the last seven years fine-tuning the standard desktop process, and one recent lesson they've learned is to keep the core standard as minimal as possible. Today, they have one core for all laptops, one for desktops and a third for tablets.
"The effort required in planning, testing and migrating [operating system and apps] is all compounded when you are talking about a very large environment, so it's not unusual at all to find much older systems used in large firms when IT staff time is at a premium," says Boyle.
In the end, whether using a standard desktop helps save valuable IT time and effort, roots out rogue installs or improves overall security, every company has to develop its own standards to meet employee requirements. As SecurityCurve's Boyle noted, in the age of the cloud and mobile devices, a standard desktop is more important than ever, especially if the goal is better IT efficiency.
John Brandon is a former IT manager at a Fortune 100 company who now writes about technology. He's written more than 2,500 articles in the past 10 years. Follow his tweets at @jmbrandonbb.