Remote Management and User Consequences?
NNWizard asks: "I work in a large university in Belgium where the people in charge of university computer systems want to install LANDesk on every single computer connecting to the university network. The aim is to be able to manage software and provide centralized remote user support. In the old days, every department had computer guys dedicated to the department, and they knew all about the users and their needs. Now, they want to make the management of computer resources global. In most non-engineering faculties this is well accepted, however in the Applied Sciences Faculty the users are computer savvy -- they do not like the idea of giving out control of their computers to people they don't know. What experience does Slashdot have with such a situation? Was the deployment of LANDesk (or a similar software package) a good or a bad thing for the users? How were the privacy issues tackled? Were people still able to use their computers the way they wanted to use them?"
At my company... (Score:5, Interesting)
If you are concerned about privacy, I'd look into something simple like VNC if you have the management software to know who's using what computer when. It works VERY well with us and is very versatile--I can't tell you how many times it has saved our butts from having to drive 300 miles when we just put a VNC connection over an SSH tunnel at a remote jobsite.
I don't think so.... (Score:5, Interesting)
That having been said, what the university wants to do is 1) completely different and b) a Very Bad Thing. In my case, *I* am the admin and the machines are *MINE*. The university is looking to force anyone who wants to use its network to give them root on their machines? Puh-lease. It's time for departments who don't want to lose control of their PCs at this university to start looking for an outside ISP. Chances are there's already money in the budget for it: they probably kick in to the general IT infrastructure budget already.
-J
Seems alright to me (Score:5, Interesting)
If they completely lock down the machines and take away your admin privileges, well that's life and it can be good or bad. Most often this is only a problem if you need to install software and once this has been deployed for a short time and things are running more smoothly again this, too, should be relatively painless; just call or send an e-mail and someone can type in the password and install it. This kinda depends on the strength of your IT department, though. When I was in high school the instructors' machines were secured tightly and there wasn't enough staff to assist in installing software, preventing teachers from getting work done occasionally. That was an extreme case, though (1 guy, hired as the Video Productions instructor, doing IT for the whole building...) I would expect that in your case it shouldn't be too painful.
As a disclaimer, I am an IT guy and our engineering college at the university has its own IT group that engineering student fees pay for. I know our professors (and students) were less happy when IT was managed by the main campus group; we're more responsive and less politically hampered.
HIPAA and Remote Control (Score:4, Interesting)
This is a tough line. Someone other than the authorized personnel needs access to the files to be able to do the techie admin stuff. At the same time, they should not be looking stuff up, as it's illegal and an invasion of privacy. The whole thing of "Whose PC is it, IT's or the User's" adds another party, the person profiled in the data on that system. (Usually, it's the employer's PC, but that doesn't stop users, esp. ones with Dr. sized egos, from feeling & acting otherwise.)
I've worked in a hospital using Seagate / Funk Software Proxy. We had it set so that we could remote to a desktop, but the user had to grant permission to see the screen. Usually, this resulted in a decent situation and an understanding - the user would clear all sensitive data from the screen before accepting, and if they got surly and decided not to accept, they got pushed to the bottom of the priority list (and they knew it). In return, the IT staff didn't abuse this ability, and for the most part would rather read slashdot than check out someone's PC.
Re:They're full of crap (Score:1, Interesting)
Re:They're full of crap (Score:2, Interesting)
I'm working in the developer group of an IT hosting services company. Until recently we had always been local admins of our own boxes, we had "direct" (read: 3 layers of firewalls) access to the internet so we could download patches, etc. and everything was rosy. With all the deadline pressures we hated *any* downtime so we made sure we didn't f**k-over our own machines, installed and maintained our own anti-spyware and anti-virus software (almost uniformly Ad-Aware, SpyBot and AVG), etc.
Recently, however, it was decided that the ISG group would take over admin'ing our boxes. Since then we've lost "direct" internet access having to go through a (not-so-)transparent authenticated and content-filtering proxy (which broke a number of our http apps), gained Trend OfficeScan (our machines are absolute dogs now, barely usable), gained Windows Firewall (CVS would *not* work, even with Application and port exceptions until we coaxed the admins to switch the damned thing off) and various machine-wide
The "Responsible Admin" has also come around trying to manually install some patches on our machines which he claimed couldn't be deployed by SUS. He so badly broke two machines that they had to be reimaged.
Granted, not all admins are so inept, but you get the picture.
Re:Dial-out assistance (Score:3, Interesting)
I've run into two problems that make it a challenge to use, for now: the encryption is buggy and sometimes won't connect, and as far as I know, the VNC protocol it serves has some non-standard stuff that won't run on Mac or *NIX VNC clients.
We lock them down, and have remote access (Score:3, Interesting)
The staff just love it. When they have a problem, can't remember how to do something, or come across a strange error message they don't understand, they just call the helpdesk, start TightVNC, give us their IP, and we take control of their desktop. We can show them how to do things, read the error messages for ourselves, watch as they go through the steps. Cuts our call times down, gives the users a greater sense of support, and virtually eliminates the "spend 20 minutes driving to a site to spend 5 minutes fixing the problem" kinds of workorders. Now, the onsite techs are only sent out for major problems.
Re:They're full of crap (Score:1, Interesting)
How glad I am, to be out from under your Reichstag ways.
We have many of you, where I work, MCSE BOFHs by the bucketful, stomping about in your big important boots.
Our department got around you by running Macs, which you are inclined to preternaturally fear and loathe. Every drone in the office installs whatever they want, does their own maintenance, and helps the others when things go wrong. The only time we have a problem is when your IIS servers crash. Needless to say, your scary spyware and virii are not a problem.
Meanwhile, Vice Presidents above us are running crippled XP boxes and have to call the "Help" Desk to take a piss, much less download Firefox.
I don't miss you much.
Re:They're full of crap (Score:3, Interesting)
You don't always need the Service pack to be securely patched. You need to know what is a critical patch and what is just a bug fix that might fubar a server. Just because Windows update tells you to patch doesn't mean you patch blindly. Firewalls, real hardware ones, not just software ones, are essential in this case.
You have to test your patches and need to know which ones you can back out of. You need to be able to re-image the machine back to its original state if you fubar a patch. Imagecast and ghost are great for these. You need to know what tools are available to you. I work in a small group under a slightly larger group that dictate the rules, but most of their windows admins don't know how to use the Windows resource kits or script things. They don't come from a unix world, so they all drag and drop. I do both Unix and Windows, so I know how to patch, compile, script, and program on both systems. I started as a programmer.
You need to know which apps require admin privileges and how to set them up so users can still use them without giving them full access to fubar things. Filemon and Regmon from Sysinternals are quite useful for that. I also admin unix and unix users should not have or need any Admin privileges to do their work. Unfortunately, in the Windows world, you have to do a lot more work to get Apps to work properly in user space. A lot of Windows programmers just don't know how to program for users. Many just set up their box and run as an Admin and forget about users, so they write all these broken apps that work Only for admins. Windows makes it a complete PITA to properly write apps for user space.
Visual Studio is just broken. I can't believe the number of people who waste time and use the IDE to build their entire projects instead of doing it 5-10 times faster by exporting it to a make file and run nmake. Yes Visual Studio can do Make files. Windows people are stuck to the GUI. It's a crutch. They like watching a useless GUI display things slowly. There's so many things on windows that can be done quicker and easier on the command line, unix style. You can compile faster. The IDE is a crutch. I can't believe so many users are using eclipse on Windows, an utter waste of CPU and RAM on both Unix and Windows. Eclipse just doesn't play nicely in Windows user space. I install it in c:\temp with full user control so users can clobber each other's work. If I had a choice I'd force them back to the command line.
Good admins don't come to fubar your machine just because it needs patching. They track the patches and install ones that work. They know which patches break things because they've tested them. The problem with Windows is that most MCSE certificates are only good for toilet paper. I don't put my faith on paper admins.
A good admin has some scripting and/or programming experience, a more common trait in the unix world than in the windows world. It's amazing how many MCSE's don't bother to learn either batch file scripting or VB. Both are as useful as unix shell scripting. Windows only needs ssh to be able to match unix in ease of admining. Terminal Server is just a hog at times. It would be nice to have an ssh server always turned on instead of doing things in a round-about way when you wish to remotely script things on several machines securely.
Re:At my company... (Score:2, Interesting)
need to purchase another XP license? [realvnc.com]
Re:The choice of LANDesk... (Score:2, Interesting)
It can install itself on the client, and you can do a lot remotely without bringing up the screen of the luser. I respect their privacy and often try and fix stuff in the background while they do their job. If I need to have their screen I phone them up and ask for permission. Then I go in and they see a big warning that I remotely took control.
In the beginning I was worried that the lusers would question privacy, but none have done so since I installed DameWare a year ago. When asked, they feel confident in that popup warning.
As a single admin responsible for 10 servers and 260 lusers spread across 6 locations (two of which require a boat for access, one requires a 2-hour drive...) this is absolutely godsent. Those long travels are replaced with radio links and remote management and everyone is happy.
Before this the luser had to wait up to weeks for me to find time to dedicate an entire day to traveling and fixing their small problem.
Cheap too!
For patches I use WSUS and for software deployment I use Group Policy (AD is the directory service around here, Windows on desktops, but mostly Linux servers).
Re:They're full of crap (Score:2, Interesting)
Well, maybe it's true for big universities like OP is talking about, but as far as anything less than that, don't expect to get anywhere...
I happen to be a high school student myself, and apparently my school district really hates me now. The entire network is basically a bunch of Windows XP machines with every possible lockdown technique imaginable – can't clear browsing history, can't even lock the screen any more. And of course they spy on everyone 24/7, even if whoever they're spying on hasn't even done anything.
Why do they hate me? Because I was using PuTTY and VNC to tunnel my Linux box's desktop at home to the school machine so I could work on a LEGITIMATE SCHOOL PROJECT that happened to be stored at home. (Namely, my Linux distribution [distrowatch.com] that I'm doing for an IB personal project this year.)
And now the really good part – they're now working on converting all the high schools to wireless, even though they don't allow personal computers from home to be brought in anyway. The entire place is already wired up for all their machines, so it's not like we really need any more connectivity stuff.
Makes you wonder if they even know what they're doing sometimes.