My organization’s security team (which I’m not on) has been tasked with researching patching solutions for our environment which includes mostly Windows workstations but a good amount of Linux systems as well. Total amount of workstations covered is approximately 13,000 spread across about five main sites.
We’ve been using SMS 2003 / SCCM 2007 for over a decade but unfortunately the out-of-the-box Linux support in the patching arena remains to be relatively limited even in the most recent versions of SCCM. We’ve also had SCCM client health issues which has hindered the deployment of some patches and/or patching status reporting. Recently, we’ve written a few scripts to help with the client health issues but the Linux support issues still remain.
The current proposal, which I’m reviewing, is to move all Linux and Windows patching over to use the IBM Endpoint Manager (BigFix) product. To this end, I’ve got a few questions to throw out there for general feedback.
Has anyone had any real-life positive or negative experiences with both SCCM and IBM Endpoint Manager they’d like to share, especially in relation to the patching component?
Has anyone attempted to integrate BigFix patch deployment into SCCM OSD deployment and/or have thoughts on how to prevent SCCM mandatory deployments from interfering with BigFix activity?
SCCM is generally plagued with Client Health issues. Has anyone noticed similar issues with the BigFix client (need to reinstall, restart services, problems with dependent services, etc)?
Well this is a real loaded question as you will find that nobody would agree on the two camps. I will state that I have not done much with SCCM (2007/12) but I do know some that have used both and they really liked the way IEM works in many ways compared to SCCM.
To answer your specific questions first:
IEM is really good at reporting the status/compliance of a device against all patches for the OS. This is the same for all the various OSs that IEM supports. Unlike SCCM, IEM supports patching for Red Hat, Debian, Ubuntu, SLES, SuSE, AIX, Solaris, Mac OS X and CentOS. It also supports 3rd-party patching for Java, Adobe, WinZip and a couple of others. This is more than what the Updates Publisher does, as that is a manual process and only works for some vendors that decide to provide the content. IBM pre-builds all the fixlets (packages) for you. Another thing with IEM is that this is all reported in near-realtime. What I mean by this is that the agent re-evaluates the relevance to the patches about every 15 minutes. To note, it does this while only using a max 2% of the CPU (default and configurable).
I have not integrated the SCCM OSD into IEM, but IEM uses MDT, USMT and other MS provided standards so it is not re-inventing the wheel for this process. Also you can take the WIM file you created in SCCM and deploy it with IEM (might depend on the WIM content).
I have not seen any real issues with the agent. I have heard some reports in strange situations where the CPU might use more than expected, but I have not experienced this myself. I know one of the issues on the SCCM agent is that WMI is crucial to the operation. The IEM base agent does not use WMI to function, so if the system has WMI issues, you can still use the agent and it still reports. There are a couple of analyses (inventory scans) that will use WMI, but IBM tries to avoid the use when possible with the creation of inspectors. I have used the reports to generate lists of targets with failing WMI and deployed fixlets to attempt to repair WMI.
A couple of other notes on IEM vs SCCM:
Port usage: IEM uses one port (52311) for all communications. So when you are setting up the firewall rules, that is all you need. There are some extra ports depending on what you are using, such as LDAP (389), SSL (443), iOS management (2195).
Internet connected devices: To manage internet connected devices, all that is needed is a relay. This is the exact same as the relays that you use internally, so nothing special to set up.
Install, setup and upgrade: Probably should have stated this first, but I can tell you with 100% certainty that IEM is easier! My first experience with IEM (BigFix) I downloaded the trial code and installed it. I had heard it was easy, so I set up a Windows server and ran the installer. In about 1 hour, I had the server running, 5 agents deployed and patching. I also did this without reading any guides and had no experience with BigFix. About 2 months ago, I started on installing SCCM just to do basic patch and inventory. I will tell you that the install took me a lot longer than 1 hour and I could not do it without doing a bunch of reading. Now you will say that I should have done that anyway for both, but I wanted to test out the simplicity of a product. In real life I would have researched before attempting either. From an upgrade perspective, since you have used SMS and SCCM, you will know that this is not a simple process. I have heard from many companies that an upgrade is a multi-week/month process and usually requires some MS services to get it done. Upgrading IEM is the simplest thing I have upgraded and is very quick. IBM provides all the fixlets to upgrade every component of the IEM environment. Now the only thing I do somewhat manually is upgrade the server, but I do this mainly because I am sort of a control freak and need to see the progress indicator. I have done it with the fixlet, and it works perfectly fine.
Infrastructure requirements: IEM will require less infrastructure than SCCM. With one server you can manage up to 250k endpoints. You will need relays, but these can be on a shared box and can be anything from a desktop to server running Windows or Linux. The relay is like a site server as far as functionality and is more functional than a DP. You do not need a SQL database for the relay either.
Near real-time reporting: I mentioned this before, but this is a very key thing to IEM. The information you see in the console/web reports is the most up to date you will see in any system that I know of. Also it is very quick to report on a new analysis. As an example, I was asked to report on some registry settings for about 3500 Windows servers. I was able to create the analysis in about 15 minutes, activate it and see results from about 80% of the servers in < 30 minutes, and within the hour I saw 100% of the systems report with the data. This is also similar to reporting on patches: if a system is manually patched, this will be reflected in IEM within 15 minutes. Also if someone removes the patch, you will see that too.
Now there are quite a few other things I can say about IEM, but one last thing I will say is that this is probably the first product that I have really enjoyed working on. The capabilities are almost limitless. If you think about anything that you do with a computer, you can probably do it with IEM (within reason of course).
If you would like to talk more, we could set up a call to discuss.
Thank you for the information – that was indeed helpful. Do you know if IEM update catalog includes non-security Windows updates other than service packs (i.e. does the catalog include all of the stuff I’d see in Windows Update … excluding the drivers)? I can’t find a definitive “yes” or “no”.
If anyone else has feedback, I’d appreciate that as well.
Well, there is not really a yes or no answer to that.
So classically, IEM was more concerned with the security patches. IBM has recently started adding some of the non-security patches and it seems to be expanding to more of the content to include these non-security related patches. So the product does not have all of them but more are being added and it seems that IBM is being responsive to requests for updates. I did find this link with some more info: https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Supported%20OS
I would add that building a fixlet in IEM is pretty easy; the only hard part is getting the idea of the relevance language, and honestly that is not too bad at all. To me, it was easier than VBS/PowerShell/BAT.
One other thing I forgot to mention previously that I think is important with IEM is that you see all those managed devices in the one console. This means that a person can see every desktop, laptop, server and mobile device in one place. You can also create roles to restrict views to devices at a very granular level. This also goes for the web reporting side of the product.
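As an added illustration of the relevance language mentioned above (not part of the original posts), here is the kind of analysis property the registry-settings report described earlier could use, plus a fixlet applicability expression for an outdated Java install. The registry path is the standard Windows UAC policy key; the version threshold "1.8" is an assumed example, and the relevance language itself has no inline comment syntax, so each expression is explained here rather than in the block.

```relevance
if (name of operating system starts with "Win") then (if exists value "EnableLUA" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" of native registry then (value "EnableLUA" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" of native registry as string) else "not set") else "n/a"

exists regapp "java.exe" whose (version of it < "1.8")
```

The first expression is an analysis property: on Windows it returns the EnableLUA value as a string, "not set" if the value is absent, and "n/a" on other platforms, so the same property can be activated against a mixed fleet. The second is fixlet relevance: it is true (the fixlet shows as relevant) only on endpoints with a registered java.exe older than the assumed threshold, and becomes false again within the agent's next evaluation cycle once the update is applied or the program is removed.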
We use BigFix/IEM extensively. For us, client health issues are extremely rare and the majority of issues are during initial installation, not once installed and working. We use BigFix/IEM for not just patching, but configuration & software deployment. We image machines using a custom USB key that installs Windows + Drivers + Patches, joins to the domain (optional), and installs the BigFix/IEM client. We then deploy all software through BigFix/IEM, which can be as much as 100 GB or more.
On our computer labs, we have both BigFix/IEM and SCCM installed. We do not use SCCM for much of anything, except for managing Forefront I believe.
I don’t have much SCCM experience, so I cannot compare it well. Some of the things that are difficult with BigFix/IEM are doing things that are “per user” instead of “per machine”. I have frequently been frustrated by the lack of depth of the BigFix/IEM documentation, and support can be frustrating sometimes, and great others. There seems to be a lot of information and support only available by paying extra for IBM’s AVP program or professional services, which is a bit insulting when we are already paying for the product & support.
All that said, I really like the way BigFix/IEM works. I write a lot of custom content on top of the BigFix/IEM platform, and I really enjoy it. I contribute nearly all of the custom work I do in BigFix/IEM here: http://bigfix.me/site/details/30?sc=true
Sharing things publicly like that forces me to think differently and try to produce something that could be used in any BigFix instance with preferably no modification. It can be a challenge, but I think my work is better for it. I also use bigfix.me as a way to learn from examples, including my own. I also use it as version control, which is sorely lacking in BigFix for custom content. I do wish that more would share their work on BigFix.me.