The main additions are vulnerability management, a comprehensive OS deployment story, browser security management, full mobile device management (MDM) coverage, and data protection officer dashboards for compliance with various regulations.
In this review, I'll look at all of these and how they can help your IT environment work more effectively.
Meet Desktop Central
If you read Tim's earlier review, he was very impressed with Desktop Central, particularly when comparing it with Microsoft's management tools such as Intune and System Center Configuration Manager (SCCM), and I wholeheartedly agree. It's a lot easier to get going with this very capable product than with Microsoft's offerings. Desktop Central supports up to about 25,000 devices, so say about 10,000 users given that most users have at least one PC and one smartphone. But that still covers a lot of businesses.
Desktop Central relies on having an agent installed on every endpoint you need to manage. I used the automatic deployment from the console for the PCs discovered in my domain, and it was lightning fast with five agents installed in less than a minute. The agent supports Mac OS Mojave (10.14) to Snow Leopard (10.6) along with Windows (XP to 10) and many Linux distributions. You can also deploy the agent using Group Policy Objects (GPOs), scripts, or do a manual installation.
The server itself can run on Windows Server 2008–2019 as well as Windows 7–10 (up to 5,000 endpoints). You can also use a distribution server in branch offices or in larger deployments to spread the load. For WAN links, you can use the built-in bandwidth controls. The main built-in performance management approach is that each agent only phones home every 90 minutes, which will spread out the network load on the server. You can manage both domain and workgroup computers.
If you have many roaming users, and you don't want to place the Desktop Central server in your demilitarized zone (DMZ), you can use the optional Secure Gateway Server.
An improvement since the last review is the addition of a Failover Server, which sits in standby mode, ready to take over if the primary server fails for some reason.
Apart from the obvious collecting of hardware and software information from each endpoint, you can use Desktop Central to manage application licensing and usage. You can also block particular applications from running or even installing and gather software keys for installed programs. You can set up email alerts for hardware changes and application installations, and get warnings 120/60/30 days out for expiring SSL (TLS) certificates. You can also install/uninstall certificates on the endpoints, if required.
Configurations are a way to manage common tasks across Windows, Linux, and Mac endpoints, such as configuring printers, permissions, security policies, or Wi-Fi policies. You can also group configurations together into collections and define an organizational unit (OU), for instance, as a target. This lets you set baseline configurations. Simply adding a new PC or user account to an OU will configure that PC exactly how you want it.
The UEM edition (see below) gives you Modern Management for Windows 10 devices, adding options for selective wipe (only wipe corporate applications and configurations), Kiosk mode, geo-tracking, geo-fencing and Microsoft store app distribution via MDM.
OS and software deployment
The Windows OS deployment story is comprehensive, but it will take some time to get used to if you come from a traditional Microsoft tool background. For instance, you don't use a Sysprepped image; built-in tools let you assign a new security identifier (SID) to the image during deployment, and the image creator can actually build an image from a running PC a user is using. You can use both unicast and multicast methods for deployment, and it supports a preboot execution environment (PXE). You can not only deploy images to computers within the local office, but push them to remote sites as well. The best part of OS Deployer is the prebuilt driver repository, which facilitates the post-deployment customization.
Patching in a timely manner at scale is a pain. Desktop Central manages it for Windows, Mac and Linux OS along with installed applications. Interestingly, ManageEngine actually tests patches in house, and then your server downloads the patches from them (security patches have a turnaround time of six hours; non-security patches should take no more than 12 hours). Note that, unlike Windows Server Update Services (WSUS), Desktop Central doesn't manage driver updates. You can deploy patches to a test group of PCs. If the patch works (you set the percentage for the number of successful installations), it will automatically deploy the patch to the rest of your fleet. Note that you can also wake computers before deployment and reboot if necessary. As in other areas of Desktop Central, the aim is to make patching as automated and as hands-off as possible, which it succeeded at in my test.
The remote control uses HTML5 in your browser (earlier versions used an ActiveX control), handles multimonitor setups, and lets techs communicate with users using chat, voice, and video. You can also black out the screen for the end user when a tech needs to perform sensitive operations, and you can have a second tech connected to the same session in view-only mode.
Sometimes, taking over a remote PC's screen is overkill. Instead, you can see services and processes and start or stop them, check on event log entries, manage printers and local group memberships, and set up scheduled tasks. You can also manage power settings on the endpoint and set up Wake-on-LAN. The key addition to the remote control feature is the ability to record sessions for audit and training purposes. The remote session automatically gets reconnected and this works even after rebooting the remote PC.
Mobile device management
While Desktop Central traditionally has been strong for managing PC endpoints, the addition of a comprehensive MDM solution completes the UEM system. You can bulk-enroll devices, or users can self-enroll. You can then distribute apps or blacklist certain apps and gather information about each device. You can enforce security policies for devices, and you can set policies in profiles for particular departments in your business that should have the same settings. MDM also supports geofencing, so you can control behavior based on where on the planet the device is. Desktop Central now also supports Chromebooks as manageable devices.
Many Active Directory (AD) reports give you an insight into the security posture of your directory and network, and security reports help you manage regulation compliance, such as the General Data Protection Regulation (GDPR). If you need to manage security of your users' browsers, Desktop Central integrates with Browser Security Plus, which gives you tight control over the whole browsing experience. If you need threat and vulnerability management (beyond what patch management includes), you can link Desktop Central to Vulnerability Manager Plus.
One interesting security feature is the ability to control USB devices based on vendor, device ID, or encryption setting.
There are five versions of Desktop Central. The Free Edition supports up to 25 computers and 25 mobile devices. The Professional Edition adds AD and user logon reporting. The Enterprise Edition adds many features, such as blocking software from running, license management, USB device management, and two-factor authentication (2FA). The UEM Edition includes MDM, OS deployment, and Modern Management for Windows 10. The fifth version is the MSP edition, specifically for managed service providers. A handy app for iOS and Android lets you manage on the go. You can perform all key endpoint management tasks, like patching, installing and uninstalling software, and establishing remote connections, right from your hand-held device.
Part of the value proposition of Desktop Central is the integration with the wider ManageEngine/Zoho ecosystem, such as ServiceDesk, Analytics Plus, and others. Desktop Central also plays nicely with Jira, Zendesk, ServiceNow, and Spiceworks.
My biggest gripe with Desktop Central is that it's an on-premises product that relies on running one or more servers in house or in a public cloud (you can run it in AWS and Azure). There is a cloud-hosted version coming in Zoho's own cloud, but it's not available yet. Many businesses have a "cloud-first" strategy for new software systems, and they'll be looking for a software-as-a-service (SaaS) solution.
Aside from this issue, I found Desktop Central to be a very capable system that's easy to get going with. I particularly like the configurations feature, which makes it easy to configure endpoint settings.
It is no wonder that they have regularly won the “Customer Choice Award” from Gartner.