I can’t say we’ve done a comparison, but we are in the process of dumping Puppet for BigFix, primarily for BigFix’s patch management. This is on Linux. RHEL and Ubuntu. On the server side, we used Ansible for years and still do. Manage and patch a few hundred servers. But then we were tasked to handle compliance of a couple thousand Linux clients, including patching. Ansible didn’t work because in many instances the target clients were off-line. Ansible would time out and the systems never got patched.
We looked around for something that would have the clients check in when they were online. We looked at Puppet/Chef/Salt and went with Puppet. Puppet was fine with handling the compliance and systems checking in, but we didn’t really have any insight into what was being done. And it’s not a patch management tool. The assumption with Puppet seems to be that you have a gold image and “patching” is bringing everything up to that gold image. Like defining your own fixlets to “upgrade” everything. We tried setting up a job to run yum update/apt-get dist-upgrade, but all we got in feedback from Puppet was that the job ran. Nothing on whether it actually patched or not.
We are in the process of doing our first-time patching with BigFix. So far so good. The action reports show me which systems completed and which failed. I can use the WebUI to check on vulnerabilities or look at Fixlets that are still relevant. Puppet doesn’t have any of this, or if it does, it’s in the pay-for version, which 2 years ago was priced at $100/client. That’s the trouble with Linux: most vendors assume Linux is on a server. The Windows Client and Mac teams laughed at me when their Endpoint Management software is only $5-$9 per system. BigFix fit into the price range also.