Controlling installation of software from the cloud


giveitfish

Original Poster:

4,030 posts

213 months

Thursday 25th May 2017
Interested to hear of people's experiences and recommendations please?

I manage an estate of > 200 Windows 7 Pro and Windows 10 Pro desktops and laptops spread over 15 sites. A lot of the remote sites have just a handful of computers, no server and are not VPN'd to the head office - they just have a BT broadband link to access corporate web-based software.

I'd like to audit the software installed on each PC remotely and also limit installations via a whitelist. As the PCs are not in a single domain I'm looking for something cloud based to do the central management. The easier and cheaper the better, with "easy" taking precedence over "cheap" if required.

What's the best approach?

Thanks in advance!

colin79666

1,808 posts

112 months

Thursday 25th May 2017
Not sure about audit but you can use Intune MDM to manage PCs as well as mobile devices:
https://docs.microsoft.com/en-gb/intune-classic/de...

djfaulkner

1,103 posts

217 months

Thursday 25th May 2017
You could probably use SCCM to audit and maybe manage the PCs, not sure if it can be done via the cloud though.
Or maybe Puppet or Chef.

Windows 2012 can do application whitelisting, but it would need to be part of a domain. Avecto might be worth a look.

Roy the Boy

462 posts

220 months

Friday 26th May 2017
We're looking at this for our school as we now provide support for some others too.

https://senso.cloud/#home


giveitfish

Original Poster:

4,030 posts

213 months

Friday 26th May 2017
Cheers guys. It's the whitelisting in particular I'm interested in, would like to go for Cyber Essentials certification for the company. Want to control what is installed on each PC.

I've been reading up on Carbon Black today: https://www.carbonblack.com/products/cb-protection...
giveitfish

Original Poster:

4,030 posts

213 months

Friday 26th May 2017
Hadn't realised you could use Intune to manage PCs so that's interesting too.

ging84

8,832 posts

145 months

Saturday 27th May 2017
I don't know your setup but I would be very surprised if software management is the only thing stopping your remote offices being compliant.
Usually in this situation companies are better off doing what they need to do to ensure the remote office PCs are outside the scope of the certification. Otherwise not only are the PCs in scope, the whole network is.

giveitfish

Original Poster:

4,030 posts

213 months

Saturday 27th May 2017
It's not the only thing, but application control is the bit I'm interested in right now. All the sites are in scope unfortunately.

ging84

8,832 posts

145 months

Sunday 28th May 2017
I would suggest you don't look at this in isolation, as you may find once you have done everything you need to do in terms of networking much better / easier solutions become available and / or your initial solution becomes less viable.

bitchstewie

50,814 posts

209 months

Sunday 28th May 2017
giveitfish said:
Cheers guys. It's the whitelisting in particular I'm interested in, would like to go for Cyber Essentials certification for the company. Want to control what is installed on each PC.

I've been reading up on Carbon Black today: https://www.carbonblack.com/products/cb-protection...
You don't need to do that for Cyber Essentials or Cyber Essentials Plus.

Wanting to control what's installed is sensible, but Cyber Essentials is around much more basic sensible things such as not giving everyone in the company admin rights.

Blown2CV

28,699 posts

202 months

Sunday 28th May 2017
How can you say you manage the desktop estate if you have no control software which allows you to effectively do so? What are you managing exactly? I think you mean you support the estate, basically.

Small companies boggle my mind sometimes.

giveitfish

Original Poster:

4,030 posts

213 months

Sunday 28th May 2017
Thanks for the genuinely useful help, it's appreciated.

The condescending and critical responses based on huge assumptions, not so much.

Blown2CV

28,699 posts

202 months

Sunday 28th May 2017
Well, from what you've said it sounds like you have insufficient control over the machines, so it's hardly an assumption. I hope the employees you support don't have access to customer data or anything that might leave your employer exposed, but if you don't know what apps they use you probably don't know what data they are using either.

giveitfish

Original Poster:

4,030 posts

213 months

Sunday 28th May 2017
Sorry I was a bit snippy, but you're just reinforcing my point.

The whole point of my original question was to get a feel for how others are doing exactly that - controlling what software is installed - in an environment which does not look like a large corporate setup.

I'm sure everything is very pretty looking down from your ivory tower, but in my current organisation there will be no tower until I've first laid some foundations. At this stage that won't involve a corporate WAN or VDI but if I can find a decent endpoint management and control tool that will be a start.

Edited by giveitfish on Sunday 28th May 21:54

bitchstewie

50,814 posts

209 months

Monday 29th May 2017
giveitfish said:
The whole point of my original question was to get a feel for how others are doing exactly that - controlling what software is installed - in an environment which does not look like a large corporate setup.
Admin Rights is the single biggest thing you can do here.

Blown2CV

28,699 posts

202 months

Monday 29th May 2017
bhstewie said:
giveitfish said:
The whole point of my original question was to get a feel for how others are doing exactly that - controlling what software is installed - in an environment which does not look like a large corporate setup.
Admin Rights is the single biggest thing you can do here.
Closing the door after the horse has bolted now though, eh? Should prevent further installs, but no control over the stuff that's there, unless it needs admin to run.

LeeThr

3,122 posts

170 months

Tuesday 30th May 2017
Are all the devices owned by the company? Or is it a bring your own device scheme?

If the first, then why not look at Azure's cloud-hosted Active Directory? Offers the same Group Policy settings as a full-blown server, but allows the flexibility of connectivity across multiple sites without VPNs etc.