Indiana takes the remote
State makes early use of standardized tools for centralized desktop PC management
- By Joab Jackson
- May 22, 2008
These days, when a desktop PC owned by the state of Indiana goes on the fritz, a member of the information technology support team might not have to visit the computer to fix the problem. The state is making early use of remote desktop management technology to let administrators solve problems by tapping into computers via a network, which is quite handy when the troublesome computer is hundreds of miles away.
Although remote desktop management software has been around for several years, Indiana is relying on a new set of standards for allowing computer motherboards to help mediate problems, which can be useful when the computer's operating system is no longer operable. Industry analysts call this approach out-of-band IT management.
'If there is an operating system or software issue, we can reimage the PC if it is blue-screened,' said Paul Baltzell, Indiana's distributed IT manager. 'If there is virus-like activity, we will be able to isolate the [operating system] from the network but still get to it to troubleshoot without a physical visit.
'All of this comes down to saving time in troubleshooting equipment, which allows not only the IT staff to be more productive but the users to have their issues resolved in less time.'
The capability came about as a byproduct of a standardization effort, Baltzell said. Several years ago, Indiana established the Indianapolis-based Office of Technology to centrally manage all the IT equipment and networks run by state offices. At the time, each agency made its own purchasing decisions, and the state suffered the usual fiscal and support headaches from the hodgepodge of equipment and software that resulted.
About 25,000 employees access the network via 650 statewide T1 lines.
When it signed a blanket agreement with Dell to provide state offices with Intel-based desktop PCs, Indiana specified that all computers purchased come with a technology on the motherboard that would allow administrators to log in to or even start up the computer via a network. Once logged in, they could perform routine maintenance and troubleshooting duties, possibly avoiding a site visit.
The technology behind this remote management is the Intel implementation of the Desktop and Mobile Architecture for System Hardware (DASH), a newly developed set of remote management interface standards set by the Distributed Management Task Force (see GCN.com/1072).
DASH offers new possibilities for remote desktop management. Most remote desktop management products operate by placing a small program, or agent, on each end computer. However, this traditional approach has limitations when the operating system is so corrupted that the computer no longer works. Some hardware-based management options, such as the Bootstrap or Dynamic Host Control protocols, can handle tasks such as starting a computer via a network, but their functionality is limited.
DASH offers the ability to turn the machine on or off remotely, update the firmware, reinstall software, catalog hardware components and installed software, modify user and group permissions, take control of the mouse and keyboard, monitor the power supply, and handle many other tasks, including reinstallation of the operating system.
Intel's implementation of DASH on its own chips and chipsets is called vPro and is available on certain models of the Core 2 Duo and Pentium D processors. 'We embed a micro-controller that is available to the network. As long as the PC is plugged in the wall and plugged into the network,' it is accessible, said Andy Tryba, an Intel marketing director. The administrative software communicates with a DASH-equipped target computer via Web services calls through the Transport Layer Security protocol using ports 16992-16995.
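Because the embedded controller answers on those ports whenever the PC has power and a network link, it is worth knowing which hosts actually talk to it. The sketch below is an added example, not code from the state or from Intel: it filters flow records for traffic to ports 16992-16995 that does not originate from an administrative subnet. The log format, the addresses and the `ADMIN_NETS` value are constructed assumptions.

```python
import ipaddress

# Port range the article gives for DASH/vPro management traffic.
MGMT_PORTS = range(16992, 16996)

# Assumption: subnet where the help-desk consoles live (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2008-05-22T09:14:02 10.10.5.21 10.40.7.118 16993 ALLOW
2008-05-22T09:14:40 10.40.7.55 10.40.7.118 16992 ALLOW
2008-05-22T09:15:11 10.40.7.55 10.40.7.119 443 ALLOW
2008-05-22T09:16:30 192.0.2.77 10.40.7.118 16994 DENY
malformed line here
2008-05-22T09:17:05 10.10.5.22 10.40.9.3 16995 ALLOW
"""

def parse_flow(line):
    """Return (ts, src, dst, port, action), or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(port), action)
    except ValueError:
        return None

def unauthorized_mgmt_flows(text):
    """Flows to the management ports whose source is not an admin console."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip lines that do not parse rather than failing
        ts, src, dst, port, action = flow
        if port in MGMT_PORTS and not any(src in net for net in ADMIN_NETS):
            hits.append((ts, str(src), str(dst), port, action))
    return hits

if __name__ == "__main__":
    for hit in unauthorized_mgmt_flows(SAMPLE_FLOWS):
        print(*hit)
```

Allowed flows in the output deserve attention first; denied ones show that filtering is working but that something is probing the management interface.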
In addition to supporting DASH, vPro also has a number of proprietary features that can be used only on Intel processors. They include the ability to do remote management via a wireless link, access nonvolatile memory when the PC is off, report if a user has switched off certain programs, monitor ports for malicious activity and let users request help directly from their computers.
Although Intel offers a basic interface for working with vPro, both vPro and DASH commands have been embedded into most enterprise remote desktop management software, such as Symantec, Altiris and LANDesk, said Stephen Kleynhans, an analyst at Gartner who co-authored a report on vPro. Indiana added the functionality to its own help-desk support tool, which bundles features from other administration tools such as Active Directory, Microsoft Systems Management Server and those found on Microsoft Windows OS. The state is also working with McAfee to integrate remote management capabilities into the company's antivirus software.
Baltzell was introduced to vPro through Dell. 'Quite honestly, I was a little bit skeptical. First time I sat down with Intel, I thought they were just there to make sure we bought Intel' instead of Advanced Micro Devices. But, he said, he found the remote management capabilities appealing.
'The key thing that excited me was imaging,' Baltzell said. 'We can remotely image that PC. Say you're a user who is three hours away. I don't have to send a tech out. If your PC is messed up, he can not only [access it remotely], he can reimage it.' Indiana keeps users' files on servers, so no work material resides primarily on the PC.
Besides streamlining IT support, remote desktop administration could also save money. Baltzell said that once remotely managed PCs are implemented statewide, Indiana could save $400,000 a year in power costs. Already, office workers no longer must keep their computers on at night for updates. With vPro, 'we will be able to shut down the PCs after hours and still turn them back on when patches need to be deployed,' he said. The state is devising a script that will turn on the computers whenever they need to be updated during off-hours.
By the end of the fiscal year in June, the state will have rolled out 4,500 vPro-enabled desktop PCs through a four-year refresh cycle supported by Dell.
Each year, the state will acquire 6,000 new PCs, all vPro-enabled. It also plans to start supporting vPro on new laptop PCs so the IT department can manage them when employees travel beyond the confines of the state's networks.
Intel first introduced vPro as a way to reinvigorate the desktop PC market, Kleynhans said. The company was not only looking for a way to set its products apart from those of its rival, AMD, but also competing with its own earlier sales. The company 'needed to have something to add to the product family that would cause corporate buyers to see that there was a reason to get a new PC,' Kleynhans said.
The first round of vPro-enabled systems came with a price premium that has largely evaporated, Kleynhans said. 'The difference is minimal. There really isn't a premium to go with a vPro box vs. a non-vPro box with the same specifications.'
'When vPro first came out, we applauded the concept but weren't big fans of the implementation,' Kleynhans said. 'It was a somewhat proprietary solution and initially had a cost premium. Also, it had relatively limited third-party support. But Intel has addressed most of the issues. It beat the bushes for third-party support, the price premium effectively went away, and the company has ensured that vPro is compatible with industry standards like DASH.'
And for agencies, these improvements suggest that DASH-based implementations such as vPro might be worth exploring.