The IT department is often at the forefront of an organization’s technology innovation — but not always. When it comes to the concept of a standard desktop — every employee’s core install consisting of an operating system, applications, hardware drivers and a security suite — IT has moved at a snail’s pace.
Charles King, an analyst at Pund-IT, says companies have tended to live with older software because it works well enough for their needs and because they don’t want to incur the expense of upgrading to the latest releases in this era of “making do with less.”
Then there are political issues. Key users who want to do their own thing might resist change, and IT may not force the issue in order to avoid running afoul of influential employees in these budget-challenged times.
But now, it seems, the snail is moving a bit faster. The use of standard desktops is becoming a best practice. In a 2010 Gartner survey of 300 IT professionals at large companies, 50 per cent of the respondents said they will be locking down more corporate computers.
One driving force behind the push to standardize is concern about security. IT can make a strong case that rogue applications can bring down the network, or that old software has vulnerabilities that hackers pounce on.
Another factor is the advent of virtualization, which makes it easier to standardize. More companies are using virtualization tools to create a “gold standard” — one desktop version that gets pushed to all end users.
IT managers who are locking down desktops say the strategy can lead to lower costs and smoother operations. King makes a point about the “overall fitness” of how organizations deal with software and handle operational budgets. A standard desktop forces IT to think about deployment strategies and, if handled correctly, ultimately reduces the number of approved desktops to just one or two.
Yet, some companies wrestle with the notion of standardization because they want to give employees some flexibility in the way they do their jobs, says King. There are ways to allow some flexibility with standardized desktops, including allowing employees to select tools from a pre-approved applications library, or allowing employees to request new tools from IT.
Still, no matter what you do, some end users will insist on bending the rules, or breaking them outright, by downloading their own software.
In that case, King suggests, “if the app is fairly benign, simply note that the download is unapproved, explain why and have the worker scrub it from the system,” he says. “In addition, creating a review mechanism for employees to submit applications for consideration/approval can be a good way for organizations to learn about new technologies and to reward workers for their initiative.”
Here’s how three IT organizations are locking down desktops while providing some flexibility for employees.
St. Luke’s Health System: Standards Plus Flexibility
Consistency across a large organization can be difficult. With 10 locations throughout Idaho, St. Luke’s Health System has been extremely careful about its standard desktop. For infrastructure manager Eric Johnson, one important goal was to give doctors and other staffers flexibility around which hardware they can use — allowing them to choose from a list of approved devices — and where they may work within the hospital.
“In moving from Novell to Microsoft for our back end, we had a blank slate,” says Johnson. The organization decided to move from systems-based downloads for applications to user-based downloads. In other words, end users can choose from a library of pre-approved software that they download themselves.
This has led to significant time savings, he says, because IT staffers have been freed up to focus on managing the library rather than about doing “one-off” application installs. He says the most significant challenge has to do with apps that are not yet in the repository, but that a department might need; the IT staff has to deal with this challenge on a case-by-case basis.
St. Luke’s uses application virtualization software from Beyond Trust called PowerBroker Desktops. The rules-based engine can remove administrative rights from the user’s desktop so that the person cannot install applications, and it watches for errant installs that did not complete correctly. A dashboard matches the look and feel of other Microsoft data centre tools.
Johnson says his team uses PowerBroker to manage about 8,000 desktops in 90 buildings. He says St. Luke’s has settled on Windows XP SP3, Office 2007, Adobe Flash, Microsoft Silverlight, the Citrix client and Microsoft Live Meeting as the core of its standard desktop.
A new employee is added to multiple groups as appropriate — say, advertising, marketing and general business. For each group, the employee can then download multiple applications from the approved list, obtain file permissions to gain access to network servers for those applications and configure some options locally, such as IE toolbars and Outlook menus.
One other challenge at St. Luke’s, and for most companies dealing with a standard desktop, has to do with versioning. The facilities use a core image for their base OS and apps, and tend to stick with one version for long periods of time. Yet, Johnson says the organization manages about 22 different versions of Java through application virtualization — and this argues against including Java in a standard desktop.
By virtualizing, St. Luke’s IT staffers can root out incompatibilities between applications that use Java. For example, they can determine that the standard desktop for accounting always needs a specific Java plug-in. Yet, they keep the core the same and deliver Java versions as needed, outside of the standard desktop.
Interestingly, one of the lessons Johnson has learned is to avoid tweaking the standard desktop — even for IT staffers. “Less than one per cent of our IT staff have admin rights,” says Johnson. “But we do give people room to roam. We don’t say ‘You can’t use that application.’ We’re happy to deliver it, as long as we can deliver it virtually,” to any employee, he says.
St. Luke’s is a bit unusual in how it locks down administrative rights, even for IT staff. Ed Boyle, a consultant with SecurityCurve, says the tactic makes the enterprise more secure. In the long term, there are “saved dollars in overall fewer security issues.”
Travelport: Taming the Rogue Employee
Based in Langley, England, Travelport is a 3,500-person company with offices in more than 160 countries that provides transaction processing for the travel industry, including many major airlines. For its standard desktop, the company has taken a fairly aggressive stance about administrative rights and whether an employee can install his own apps.
The company uses Altiris, now owned by Symantec, to manage the standard desktop. Senior architect Rob Moore explains that as soon as a new employee turns on his work computer, the core OS image is updated with a few standard applications such as Microsoft Office 2010, Adobe Flash and Adobe Visual Communicator.
Requesting software outside of the norm is a fairly easy process and involves a call to the help desk to gain access to a software repository, which contains hundreds of applications; Moore declined to give an exact number. The company chooses software that will not interfere with the core enterprise applications, and it upgrades to the latest versions only if Moore’s team knows that the back-end processing required for core applications has not changed much. The 25 to 30 people on the help desk are well acquainted with the approved applications.
However, because the company’s workforce is highly distributed throughout many countries, Moore says Travelport has locked down workstations more firmly than most companies do. Users can request a unique application like Google Chrome, but it won’t become part of the core offering. In fact, he says, since streamlining the standard desktop, rogue installs have been extremely rare. To add software, an industrious end user would have to rebuild his computer from scratch.
Here’s one lesson Moore has learned: Maintain a core standard desktop that is hardware-independent, even as you develop standard images that are department-specific. There may be some variance, but most of the efficiency in the organization comes from having the fewest possible deviations.
Advocate Health Care: A Large Enterprise
For smaller companies, standard desktops are easier to develop and the processes are often easier to manage. But for larger companies, every change to the standard image and core applications is compounded quickly.
That’s why it’s no surprise that, of all the companies interviewed for this story, Chicago-based Advocate Health Care is using some of the oldest software in its standard desktop. The 30,000-employee operation, which serves central Illinois, still uses Windows XP SP2 and Internet Explorer 7 in its standard image, mostly because IE8 would cause problems with a core set of proprietary business applications used in the branch offices.
“It’s a tricky process because we want to stay current and near the curve, but we can’t use an OS or a browser that cripples the business unit just to be current,” says Dan Lutter, the director of field technology services at Advocate. The timing might not be right for the Advocate support staffers to deal with new applications because they are still rooting out problems with existing installs, and the new version may not be fully tested for security vulnerabilities.
Lutter explains a recent scenario where users started requesting that IT make Mozilla Firefox available as part of the standard desktop. Ultimately, he decided against it. The company never actually tested Firefox because the timing was not right to deal with incompatibilities.
“When key business apps will not work properly, there is a loss of productivity, more frequent calls into the help desk so that support services staff have to get involved and remove the app, which confuses the customer. We don’t want to have apps on our standard desktop that we manage that cause our customers to have a unsatisfactory business experience,” he says.
Advocate uses the LANDesk Management Suite for managing the standard desktop and the software repository. Lutter says one benefit of using this tool is that his team receives alerts when someone attempts to install a rogue application. He says Advocate has spent the last seven years fine-tuning the standard desktop process, and one recent lesson they’ve learned is to minimize the core standard. Today, they have one core for all laptops, another for desktops and a third for tablets.
“The effort required in planning, testing and migrating [an operating system and apps] is all compounded when you are talking about a very large environment, so it’s not unusual at all to find much older systems used in large firms when IT staff time is at a premium,” says Boyle.
In the end, whether using a standard desktop helps save valuable IT time and effort, roots out rogue installs or improves overall security, every company has to develop its own standards to meet employee requirements. As SecurityCurve’s Boyle notes, in the age of the cloud and mobile devices, a standard desktop is more important than ever, especially if the goal is better IT efficiency.