Remote Management and User Consequences?
NNWizard asks: "I work in a large university in Belgium where the people in charge of university computer systems want to install LANDesk on every single computer connecting to the university network. The aim is to be able to manage software and provide centralized remote user support. In the old days, every department had computer guys dedicated to the department, and they knew all about the users and their needs. Now, they want to make the management of computer resources global. In most non-engineering faculties this is well accepted, however in the Applied Sciences Faculty the users are computer savvy -- they do not like the idea of giving out control of their computers to people they don't know. What experience does Slashdot have with such a situation? Was the deployment of LANDesk (or a similar software package) a good or a bad thing for the users? How were the privacy issues tackled? Were people still able to use their computers the way they wanted to use them?"
We simply use the freeware version of RealVNC. When employees first join, they have to give up rights to "privacy" for the I.T. people. We respect official business, but unless it's someone high up in the company working on some sensitive information, we typically assert our authority, as our workers should only be working on official business.
If you are concerned about privacy, I'd look into something simple like VNC if you have the management software to know who's using what computer when. It works VERY well with us and is very versatile--I can't tell you how many times it has saved our butts from having to drive 300 miles when we just put a VNC connection over an SSH tunnel at a remote jobsite.
I gotta say: As an admin, I enjoy having the ability to remotely see what's going on on my machines. If they're users' desktops, it's much easier to just get a view of their screen (think PC-Anywhere) than to keep asking them what they see now only to get half answers and useless replies.
That having been said, what the university wants to do is 1) completely different and b) a Very Bad Thing. In my case, *I* am the admin and the machines are *MINE*. The university is looking to force anyone who wants to use its network to give them root on their machines? Puh-lease. It's time for departments who don't want to lose control of their PCs at this university to start looking for an outside ISP. Chances are there's already money in the budget for it: they probably kick in to the general IT infrastructure budget already.
-J
People who believe that they 'know about computers' are the biggest problems from an administration standpoint. Of all of my users, the ones who don't think they know how to manage their computer end up doing a lot less damage than those users who think they know what they are doing.
And the worst part is, people who THINK they know all about computers are also the ones who will blame YOU when they hose their installation of Windows. Frankly, I find it unlikely that these engineers need the control of their computers. More likely they want to install unapproved software and various adware bullcrap which will bring your network to a crawl.
I say this from experience. Initially I thought it would be OK to give some 'expert' users local admin rights, so that they wouldn't have to call the help desk in those situations where they simply want to install RealPlayer to listen to Rush Limbaugh or whatever else these dopes do. However, they instantly manage to get spyware, trojans, keyloggers, and other worms and viruses. They do this despite fully updated Microsoft AntiSpyware (granted, it is a beta) and fully updated antivirus software.
It is only recently, as we moved to managed antivirus software, that I began to understand the amount of damage these people were doing. I now get reports of virus activity, and I am never going to make the mistake of giving a user local admin rights again. It is easy to do, but they will abuse it, and taking it away is 1000x as hard as just sticking to a policy of never doing it. Once you give in they will know that you can bend the policy, and when you take it away you are telling them through your actions that you don't trust them to know what they are doing.
And the one thing these people always think is that they somehow know what they are doing.
Let me make it a simple maxim: 'If you are not responsible for the maintenance of a computer, you WILL NOT UNDER ANY CIRCUMSTANCES have administrator rights on said computer.'
I don't have any experience with LanDesk, but I think remote management/remote control software in general isn't so bad. If it's just remote control, that really isn't any big deal and comes in quite handy if you ever do have to call them for help.
If they completely lock down the machines and take away your admin privileges, well, that's life and it can be good or bad. Most often this is only a problem if you need to install software, and once this has been deployed for a short time and things are running more smoothly again this, too, should be relatively painless; just call or send an e-mail and someone can type in the password and install it. This kinda depends on the strength of your IT department, though. When I was in high school the instructors' machines were secured tightly and there wasn't enough staff to assist in installing software, preventing teachers from getting work done occasionally. That was an extreme case, though (1 guy, hired as the Video Productions instructor, doing IT for the whole building...). I would expect that in your case it shouldn't be too painful.
As a disclaimer, I am an IT guy and our engineering college at the university has its own IT group that engineering student fees pay for. I know our professors (and students) were less happy when IT was managed by the main campus group; we're more responsive and less politically hampered.
Replying to my own post: I shouldn't have been so quick to blame the poster. He seems to be opposed to the policy.
The point stands, however, when applied to the administrators in charge.
On Windows machines, our remote access software asks for permission. It's a hassle in we-the-supportings' eyes because if someone decides to get up and grab a cup of coffee or something we're stuck with our thumbs in your pie until you get back.
Conversely on the Macs, there's no "Do you want to allow this user?" involved at all.
If I had it my own personal way, every machine would have RealVNC on it, with local user lockout so that they can't screw around while we're remoting to their machine.
What I'd prefer is something cross-platform that would let my users dial me. Really, there's not much need to poke into a user's machine when no help is needed, and for the most part I have a heck of a time dealing with friends who have VNC but haven't configured the router, etc. to let me in.
I control my own inbound routing, so having the ability to control which connections are sent through the routing machine to my PC would make it much easier for me to have others "dial out" for assistance from me... rather than having them configure a router to allow me to "dial in" to their machine.
Something to consider that may not directly apply here, but will in related fields, is the legality of a non-authorized person having access to data, even though they administer a system. Specifically, it is against HIPAA regulations for someone to look at medical records without permission or need for their job. For example, an IT guy would not be allowed to look at a medical record on someone's screen if, say, they remoted in (or walked by, or had network access to a share).
;-)
This is a tough line. Someone other than the authorized personnel needs access to the files to be able to do the techie admin stuff. At the same time, they should not be looking stuff up, as it's illegal and an invasion of privacy. The whole thing of "Whose PC is it, IT's or the User's" adds another party, the person profiled in the data on that system. (Usually, it's the employer's PC, but that doesn't stop users, esp. ones with Dr.-sized egos, from feeling & acting otherwise.)
I've worked in a hospital using Seagate / Funk Software Proxy. We had it set so that we could remote to a desktop, but the user had to grant permission to see the screen. Usually, this resulted in a decent situation and an understanding - the user would clear all sensitive data from the screen before accepting, and if they got surly and decided not to accept, they got pushed to the bottom of the priority list (and they knew it). In return, the IT staff didn't abuse this ability, and for the most part would rather read Slashdot than check out someone's PC.
The whole thing is not about better support, privacy, security, whatsoever. People have been using the Internet for two decades. No, those who deploy such software and restrictions only want to secure their jobs. It is that simple.
Who paid for the computers? If department paid out of its budget, it should manage the computers. If the central IT department paid, then they should manage them.
This isn't a technology issue. Any time that authority and responsibility become decoupled, it's a sign of poor management. If IT is responsible for keeping the computers running, then they need the authority. If the department wants the authority, then they get the responsibility.
Follow the money. Whoever has power over the budget is who is responsible for managing the resources purchased with that budget.
The whole central IT management is like herpes. Once you've caught it, you never get rid of it.
As for your questions, I don't think the privacy question needs to really become an issue. Pretty much every place I've worked in IT or Tech Support, I've had system privileges that gave me access to damn near anything on institution-owned equipment, from the president's e-mail to the custodian's bowling-league stats. And I've told them that... with the assurance that even though I could get at this stuff, I had no intention of doing so. I'm too busy to monitor people's private stuff and it's none of my damn business. I tell them that techies are just like janitors: we have keys to everything. {shrug}
What's likely (hell: inevitable) to become an issue is autonomy. If people have to come to you to do things they're used to being able to do themselves, they'll understandably resent you for it. The only solution I can suggest to that problem is to give them the same level of service they're used to getting from themselves. e.g. If they want some software installed, you get the software installed. ASAP. (This is why you probably need more staff.) If you make it clear to them that you're trying not to get in the way of their work, they'll resent it less. And when you can't deliver, or have to say "no", they'll hopefully be more understanding if they know it's not just you being a control freak or lazy or not caring.
http://alternatives.rzero.com/
oh wait, youre more equal
I have my Mom's Windows system set up to connect to me with PuTTY and VNC. I have a static IP, she doesn't. So she reads from the cheat sheet that I made for her, clicks one icon to start a preconfigured VNC server, then clicks another icon to start a preconfigured PuTTY client, and types in the passphrase for the SSH key. The PuTTY ssh session forwards the VNC port to my firewall. I ssh into my firewall, again forwarding the VNC port, and start the VNC client. I don't have to be at home to do this, all I need is a VNC client and the ability to ssh into my firewall.
You can VNC between any two systems with unknown IP addresses by tunneling through sshd on a third system with a known address. Three-way (or more) ssh tunneling is quite useful, once you figure out the syntax.
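The three-way tunnel described in the two posts above (VNC server on a machine with no fixed address, a relay host with a known address, and a helper connecting from anywhere), written out as an added example; this is not from the thread or from any VNC project. The relay host name `relay.example.net`, the shared `tunnel` account, the key and the port numbers are all assumptions. The functions print the commands each side runs, and the last one builds an `authorized_keys` line that limits the relay account to exactly the two forwards the setup needs (OpenSSH key options; `restrict` and `permitlisten` need OpenSSH 7.8 or newer).

```shell
#!/bin/sh
# Added example, not from the thread. Three-way VNC over SSH: the helped machine
# (no fixed address) and the helper (anywhere) both meet at a relay host with a
# known address. Host names, account names and ports are assumptions.

# Command the helped party runs: hold an SSH session open that publishes their
# loopback VNC port on the relay's loopback (-R). Binding to 127.0.0.1 on the
# relay keeps the VNC port off the relay's public interface.
remote_side_cmd() {
    relay="$1"                # relay host with a stable, reachable address
    relay_port="$2"           # loopback port on the relay carrying the VNC stream
    vnc_port="${3:-5900}"     # VNC server port on the helped machine (display :0)
    printf 'ssh -N -R 127.0.0.1:%s:127.0.0.1:%s tunnel@%s' \
        "$relay_port" "$vnc_port" "$relay"
}

# Command the helper runs: forward a local port through the relay (-L) to the
# port the helped party is holding open there.
helper_side_cmd() {
    relay="$1"
    relay_port="$2"
    local_port="${3:-5901}"   # port on the helper's own machine
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s tunnel@%s' \
        "$local_port" "$relay_port" "$relay"
}

# The viewer then talks to the helper's own loopback port (host::port form).
viewer_cmd() {
    printf 'vncviewer 127.0.0.1::%s' "${1:-5901}"
}

# authorized_keys line for the shared "tunnel" account on the relay: no shell,
# no agent or X11 forwarding, and only the one reverse-listen (-R) and one
# local-open (-L) that this setup uses.
relay_key_line() {
    relay_port="$1"
    pubkey="$2"               # e.g. "ssh-ed25519 AAAA... helper" (constructed)
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",permitopen="127.0.0.1:%s" %s' \
        "$relay_port" "$relay_port" "$pubkey"
}

# Walk through the exchange for a constructed relay and port.
RELAY=relay.example.net
RELAY_PORT=5901
echo "# on the relay, ~tunnel/.ssh/authorized_keys:"
echo "$(relay_key_line "$RELAY_PORT" 'ssh-ed25519 AAAAC3EXAMPLEKEY helper')"
echo "# on the helped machine (VNC server already listening on 127.0.0.1:5900):"
echo "$(remote_side_cmd "$RELAY" "$RELAY_PORT" 5900)"
echo "# on the helper's machine, then start the viewer:"
echo "$(helper_side_cmd "$RELAY" "$RELAY_PORT" 5902)"
echo "$(viewer_cmd 5902)"
```

Both SSH sessions use `-N` because they exist only to carry the forward. With the key options in place, a compromise of the helped machine's private key gives an attacker nothing on the relay but the ability to re-create that one listener, and the VNC traffic itself is never exposed outside loopback on any of the three hosts.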
Um, your point? (Other than let us all know you are a bureaucratic control freak?) Where do you profit by devoting all this effort into stamping into everyone's head that they do not own the computer?
The 'My' in My Machine can also mean "The machine assigned to me by the company to get my work done'.
Let me guess, you're from the pseudo-side of IT - the Fix-It Monkeys, rather than the software developers. All you do is play with install disks and poke around with config files. Both the software on the install disks and the config files were not created by you. You're a trained monkey, nothing else. You're not an artist, you're a tracer.
You're not an artist
People who confuse computing with art get outsourced.
Whoosh! You totally missed the Kevin Smith/Banky Edwards reference.
We do something similar. All the computers that go out to users are locked down with DeepFreeze, with TightVNC installed (with a nice Helpdesk icon on the desktop). We don't do remote management, just remote control and remote support.
The staff just love it. When they have a problem, can't remember how to do something, or come across a strange error message they don't understand, they just call the helpdesk, start TightVNC, give us their IP, and we take control of their desktop. We can show them how to do things, read the error messages for ourselves, watch as they go through the steps. Cuts our call times down, gives the users a greater sense of support, and virtually eliminates the "spend 20 minutes driving to a site to spend 5 minutes fixing the problem" kinds of work orders. Now, the onsite techs are only sent out for major problems.
Hey you, RTFM!
Vnc has supported this for quite a while.
The mods must be on crack today...
The choice to shell out money for what's essentially VNC?
Or, what's the difference?
Maybe there's some cfengine-like stuff going on? But in that case, why not use cfengine?
I would not want to give control to a bunch of admins who jump over the first shiny product that comes along, without being aware of the free (as in beer) solutions that already exist. If they make stupid purchases, they'll probably make other stupid decisions.
Don't thank God, thank a doctor!
Damn, what incredible assholes. Who do you work for, so I can ensure I never apply there? My brain would melt in short order if I had to focus on work only all day, and couldn't kick back for a minute here and there to check Slashdot or a web comic or two.
But, I've worked in three somewhat different academic research environments.
1 - One central admin for all the desktop machines in a massive department, no one else gets root on any machine.
2 - One central admin who is mostly an advisor, people are allowed to administer their own desktop machines if they want.
3 - Free-for-all, in which most groups have one or two principal computer gurus who handle multi-user servers and almost everyone administers their own desktop machines.
#3 is far and away the best. In #2, no one that I knew of actually took them up on the remote administration option, essentially reducing it to #3. #1 was a nightmare for everyone. When the department computing committee tried to talk everyone into switching to something closer to #1, we all resisted fiercely and eventually they backed down.
In an environment where people are actually using their computers as research tools, rather than as expensive notepads with which to write up the results of their research, it pays to place control at the lowest feasible level. Every time a user is forced to ask someone else to fiddle with software, it adds *days* to what should be simple tasks.
Sure, you create an occasional security risk when a bad user fails to install patches. But there's no comparison between the number of man hours spent on dealing with those sorts of incidents and the amount of energy wasted in trying to force every minor change to go through a central administrator.
In a computer lab or a corporate environment, you might be able to make a case for central administration. For academics, it's just crazy. (And I suspect enforcing it will just drive everyone to switch to personal laptops instead, in addition to pissing them all off.)
But at our company we use Netsupport Manager, which amongst many useful features has an option to require the user sitting at the computer to click a button to allow the support engineer to connect. This allows us to reassure the user that we won't take over their computer without their knowledge.
~~~~~ BigLig2? You mean there's another one of me?
It's not what you think you know, it's what you're responsible for. Your IT department are responsible for the integrity of the IT systems. Someone who works in a lab but likes tinkering may have knowledge about the IT systems, but they're not responsible for them: it's not their job.
Local admin can still be restricted by group policy in the Windows world. Our users can crack local admin, but they still have account restrictions that stop them doing anything *really* bad that might threaten the integrity of our network.
UltraVNC is the best VNC, in my experience.
--
Loose Change. Interesting free movie.
I haven't tried it, but what about Hamachi?
Interesting comment about the tunneling. Therefore, mod 'em up.
Poster is but not willing (allowed?) to say so out loud
I wonder if the LANDesk client runs under Windows under VMWare.
A honeypot of sorts.
Just another "Cubible(sic) Joe"
My experience working in an R&D role in a major corporation with outsourced centralized support was very frustrating. Support was geared towards secretaries and business managers using MS-Office and some AS-400 applications over a terminal emulator. Anything other than that and you had problems because it wasn't covered under the support contract. If I needed to run an NMR modeling tool that required extra RAM on my PC, forget it. That was a non-standard configuration and thus you weren't allowed to order the stuff needed to make it work.
Eventually we were able to get an exception for so-called 'scientific instrumentation' but that stuff wasn't allowed to connect to the site network, which was some brain-damaged token ring thing.
In any scientific environment you are going to have out-of-the-box requirements that a central support organization isn't going to be able to handle - if you don't, you aren't doing your job. You had better get consideration of that in any IT support/management plan up front.
I have been in a couple situations where IT could take complete control of the computer, once at a University and at a fairly large company. In both cases IT never once cared if you took some time to read slashdot, play a game demo or anything else anyone wanted to do, as long as it wasn't porn. The people who weren't allowed to do that had stupid bosses who wouldn't let them, IT doesn't really care (except occasionally in the case of playing LAN games that used up too much bandwidth). Fortunately I have had bosses who realized that a happy worker is a more productive worker.
I have to manage three physically separate offices, so remote administration is the only way to go. Almost everyone is on Windows XP so we just use a domain policy to allow us to offer unsolicited remote assistance to the users. They get a request for us to connect and a chat window to talk with us (although I do prefer to call them on the phone first, or have them call me). If it isn't a problem directly related to their session, then we Remote Desktop in for software installs and other administrator level issues after they log out. It's all built right into Windows, which, despite what many people here seem to think, has some very robust enterprise level abilities.
That's about how it works here.
We were fed up with lost productivity, the M$ only policy, and slooooow response from IT when we finally fragmented and broke away from IT after an M$ virus took down the net and several of our machines. BTW, that was a nicely executed power play by our PHB. Now there is a firewall/filter/cache between us and the rest of the company network. We(three of us whenever needed) manage our own mix of M$/Sun/Linux/and now even an Apple, boxes. We don't have to wait for IT to come and install something, or build, or buy something new. We just do it. All we pay IT for is bandwidth.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
Everybody is going on and on about remote access, which is fine and should be a topic to be discussed and not a policy handed down from on high. Unlike VNC, LANDesk is a remote MANAGEMENT package. Yes, it has remote control software built in, but it is also an inventory system (which is an absolute godsend when you can't find a PC) and a software distribution system. I work for a very very large company and LANDesk allows us to deploy software in hours in what would take days to do by hand. Instead of doing all installations by hand, we can push a "package" with the installation options preset. It's very helpful in upgrade situations and the packages can still be run by hand later if the machine wasn't connected to the network during the push (e.g. laptops).
Yes, VNC is a free (as in beer) and very good piece of software, but in the grand scheme of things a remote management package is much better, especially for a medium to large network. As for the current "gurus" who manage the individual departments, I would say don't just cut them off and leave them for dead. They are still helpful and many people still trust them. I would say that this is more of a consolidation of resources and will allow for better service. To ease the pain, I would probably give access to the LANDesk console and allow the "gurus" to play a part in the support world. Nothing beats having someone in the field that knows the lay of the land and the people in it. I would say go forth with LANDesk, but don't immediately cut off the previous "gurus".
I believe the way to calm their nerves is to point out the benefits to them. Remote control: whether they use a central helpdesk or their own, the users can get better and faster service via remote control. Security and patch manager: explain the time-consuming procedures in updating security and patch fixes. Explain how letting individual users do this on their own can cause inconsistent results from machine to machine. Explain that using the software monitoring tools can help when deciding on purchasing licenses for software. They may be buying 10 copies of an expensive package only to find out that when LANDesk inventories and reports the usage of the package they are only using 4 or 5 copies. This money could then be redirected in a more productive manner. I could go on and on, however the main point is sell the benefits and lessen their fear of centralized control.
There are three types of users/computers.
1. Office droid workstations. They need access to a small set of apps (SAP, Word, etc.). Remote administering these computers should be the job of IT. It can do a good job here and save lots of money.
2. Servers. These are common resources, and should be administered by a common group, such as IT.
3. High-tech/engineering users/computers. This includes programmers, research setups, specialized installations, etc. IT cannot administer these and will make EVERYONE mad if they try. Only the people at each computer can know what software needs to be on that computer. Programmers are making new software, so how can IT administer what does not exist yet? And is subject to change at random times!
Give up on administering anything in group 3. You will cost your organization time and money. It is OK to say to the folks in group 3 "You administer these computers, but you are not on the common network/internet".
Draw a clear line of what is mine and what is yours, then stay on your side of the line. If you can do this, then everyone wins.
Sounds like you have a bunch of people who don't understand the meaning of "corporate assets." If people are concerned about what administrators can access on their computers, they should use a standalone computer that doesn't connect to the network. Administrators have to be able to do what they need to do for the good of all users on the network. The school's IT policy should have made this very clear.
It's only funny until someone gets hurt. Then, it's hilarious.
Our desktop techs still know our users very well because they can't always handle tickets via remote control. Desktop visits still happen often enough. And it sure saves time being able to remote in so tickets get handled quicker in general. Some of our small offices are 15 minutes away by car.
No one is worried about privacy here because all the tools we use either prompt the user to allow the connection or they put up a notice.
The meme police, They live inside of my head
If users on *your* network have a problem with their PC being managed, regardless of the tool you use, then they should not be allowed on your network. This isn't their home network, it's yours. You are responsible for its upkeep and the only way to keep your network safe, and your users productive, is to keep control.
Sounds like it's time to set some policies and enforce them.
---- Booth was a patriot ----
Yes, it seems easier than SSH tunneling. What has been your experience with Hamachi?
UltraVNC is great for remote maintenance, but does not go around NAT routers very well, I understand. And, I've never been able to make the UltraVNC encryption work.
They are the University's computers.
The company I work for (well over 1000 users) has regional IT folks who have access to all desktops in their sphere of influence, and have also:
1. Left the indication that the PC is being viewed remotely always in the taskbar, so the user knows if an admin is on their system. It's a simple Red/Green thing.
2. They have all IT personnel make a serious attempt at not ever connecting unless asked to, or until they've spoken with the employee in person before connecting.
This gives the IT group the visibility they need, while still retaining some semblance of "privacy" for the user.
Of course, nothing is private on a company network, but it at least "feels" fair. I haven't ever heard of a PC user complaining about our IT department ever sticking their noses in and bothering them or anything like that.
It's a nice "open" feel, and gets the job done... one of the better IT policy decisions I've seen in recent years.
A typical use might be:
"Hey, I noticed that my manager has a Visio license for all of us in our group, but the new laptop doesn't have Visio installed."
"No problem, do you mind if I connect to your laptop and install it for you?"
"Sure... hang on let me send this e-mail to a customer... okay, all yours."
Could they override it and watch anyway? I'm sure they could. We all "understand" that, but the need for secrecy in 99.9% of the cases, just isn't there. I'm guessing there's some sort of IT policy requiring a written sign-off to do that, too.
One of the sysadmins threatened to quit when he was asked to do something he felt was unethical once, and management actually backed off at the thought that they'd lose him. (Proof that sanity does sometimes win.)
+++OK ATH
I'm an IT Consultant and actually certified in and experienced with LANDesk.
I need more information to comment on your situation, but what would be the typical almost universal impetus for an initiative like this is that:
The University is looking to cut IT costs in the long run.
The IT Department is looking to have more uniform standards and faster deployment of security fixes.
The IT Department is concerned with damage caused by various kinds of malware and, by locking down administrative control to a smaller group of people, hopes to help slow it down.
The IT Department is concerned with illegal P2P networking hogging bandwidth and wants to prevent its installation, while the administration is concerned with the legal liability if the IT department isn't effective.
The IT Department and Administration are concerned about the huge legal liability from pirated software being installed on university computers.
Whether the University plan is overall good or bad I can't tell from your post. The impact of the plan on your department may be significant or it may be very much a territorial issue. Another complication is if a lot of the computers belong to students and faculty rather than the university.
I've actually had to deal with this in corporate situations where employees had to provide a computer that they would use for the job. Then the IT department was essentially treating it like a corporate owned computer. My recommendation, always overruled, in these situations has been suggesting that they restructure the contract so that they were paying for the computers on the backend (out of commissions) rather than on the front end (out of pocket), and create a clear point that these were work computers and belonged to the company.
minds, get scrambled like eggs, abused and erased. Hard Hearted Alice is who you want to see.
Is Hamachi a security risk?
Working for an engineering school in the IT department supporting individual academic departments, we have a fine line to walk: we need to be able to manage the computers and provide support, however we have to keep in mind that this is an educational institution, and we're there to help the students first and foremost. We try to do as many things as unobtrusively as possible (SSH-based for Linux machines, Domain Policy-based for Windows machines), and while we have been taking to turning RDP on on machines, it's on a request basis. For the users who feel they are capable of maintaining their own machines, we provide them the option of doing just that, with the understanding that, if they break it beyond their abilities, repair work for their machine is the lowest priority. We get this understanding in writing and it only applies to that faculty member's desktop(s); lab machines are kept under our control as they are for the benefit of all users in the departments we work for.