7MS #277: Patching Solutions Bake-Off - Part 3

The patching solutions review continues this week with ManageEngine's Desktop Central. As a quick reminder, here's where our bake-off currently sits:

  • Ninite (covered in 7MS #275)
  • ManageEngine (covered today)
  • Ivanti (coming up in a future episode)
  • PDQ (coming up in a future episode)

Quick reminder: none of these solutions are bribing me with fat wads of cash to plug their products. Some day I hope to have such problems, but today is not that day.

ManageEngine Desktop Central

Overall, I have to bluntly say that I really enjoyed playing with ManageEngine's solution. It's got a crap-ton of features built into it - above and beyond patching - that I think IT/security folks will really appreciate.

Pros

  • Agent or agentless management of systems

  • MDM (didn't play with it but it certainly looks feature-rich)

  • Application white/blacklisting

  • Ability to push out configurations for things you'd normally use GPOs for - i.e. setting a login banner, enforcing screen locks, setting IE homepage and search engine, etc.

  • Patch management is full-featured - it's easy to set up a simple "scan systems, download and deploy missing patches" job, or just a "scan to identify missing patches" kind of thing. It's easy to run a variety of reports to find out which systems are most vulnerable, which patches are missing across the enterprise, etc.

  • Software deployment engine - there's a big package library where you can easily search and deploy things like Dropbox, Adobe Reader, etc. It also includes a self-service portal where users can simply select certain packages and have them installed automagically!

  • Inventory - ability to see detailed hardware- and software-level information on each machine. Ability to block software by path and/or hash. You can also give people a warning saying "We're gonna nuke Dropbox in 2 days if you keep it on here!"

  • Agent-based install gives you ability to chat with users, remote control systems, send announcements, drop to a command line at a target machine, etc.

  • Reports - you can create a report for just about anything under the sun like AD group changes, user logon reports, users that are disabled/expired, and on and on...

  • Email alerts - I think you can trigger an email alert for just about ANYTHING that happens in the environment.

  • Solid online help - nice "quick links" at the bottom of each screen with relevant how-tos, a good Kbase, and plenty of videos/FAQs.

  • Pricing seems competitive - less than $1,000 for either pro or enterprise version. Enterprise has a few things pro doesn't, like 2FA.

Cons

  • When you first get started with Desktop Central the interface is very chatty, screaming at you with a "Go here to fix XYZ config, otherwise nothing will work!" kind of thing. But as annoying as that was, I realize it was a means to an end as the app is helping you get things set up right so that, you know, stuff actually works!

Patching solutions bake-off gist: