Expanded Lab and Desktop Management Task Force

Team ID: 
College / Administrative Unit: 
Information Technology Services (ITS)
Date Started: 
January 2012
This is one of 7 Information Technology Leadership Council (ITLC) task forces.

Problem Statement: Endpoint management presents a wide array of challenges for IT staff. Here we try to describe these problems and the various environments in which they are encountered.

For discussion purposes, we expand the definition of “Lab and Desktop Management”, where “lab” usually means shared or public student computers and “desktop” usually means staff computers, to include mobile devices such as phones and tablets. Such devices and the BYOD (Bring Your Own Device) trend add management complexity because of the wide variety of operating systems and device capabilities.

Here are the major areas of cost (time and money):

OS Provisioning
Application Installation and Configuration
Patching and Updating
Application Licensing
Device Security and Access Control
PII and Data Security
Malware Prevention and Detection
Problem Determination and Remediation

The common challenges and problems in these areas of endpoint management are described below. Most IT support units have devised ways to do these chores with common desktop and laptop OSes (Windows and OS X) but now must re-invent procedures for mobile devices (e.g., iOS and Android).

OS Provisioning

Many units will develop or use a suite of standardized OS images to build new computers, mostly to avoid the diversity of manufacturer-specific features and “bloat-ware” and often to join the clients to the unit’s infrastructure (networks, Active Directory, file shares, printers, etc.). Such images may or may not include OS patches and applications. The advantage is more uniform and predictable systems that can be rebuilt to a known state when broken. Disadvantages include time-consuming maintenance of multiple images, often one per model of supported devices, and less flexibility in deploying exactly what users want.

Application Installation and Configuration

If this OS build process doesn’t include all the applications users need, then a process for installing apps, and in some cases setting up appropriate options, needs to be developed. Many applications have user preferences that users would like to set once and, in a shared device scenario, have available on any device they use. Windows roaming profiles are an example of this, but provisioning and managing them can be a large job.

Patching and Updating

OS patches/fixes and application updates are frequent and often must be applied quickly to avoid security problems. These chores can be very time-consuming to test and verify, even with advanced management tools.

Application Licensing

Besides the actual costs of software licenses, which can be very high, the work to be sure enough licenses are purchased and updated can be very time-consuming. Some vendors require license servers, which is extra work. Some application licenses may allow for installation on more computers than there are licenses if simultaneous use can be limited by the license server or a third-party system like Sassafras K2. That can save money but requires work in maintaining the license server and monitoring license use.

Device Security and Access Control

Requirements for access control and securing computers can vary greatly among units, and may be implemented as part of the OS installation (e.g., hard drive encryption; Active Directory membership), but can present problems with portable and shared computers. User accounts and passwords present challenges. If Penn State Access Accounts are not used, then procedures to create and delete accounts and manage passwords have to be developed. Even when Access Accounts are used, authorization tools may not be available. For example, limiting Windows desktop logon to a group of users is easy with AD security groups, but tools to manage such groups must be developed by each unit.

PII and Data Security

PII (Personally Identifiable Information) and the security of other institutional data are a significant concern in some units, depending on what data end users have access to. PII scanning is now mandatory, but the tools are limited in which OSes are supported and in their accuracy and ease of use. Some units require that institutional data stay on file servers, but often it is difficult to prevent users from downloading copies. Encryption of endpoint storage can help protect data in the event the device is lost, but device encryption involves developing another set of processes and procedures.

Malware Prevention and Detection

Virus/malware software is often installed as part of the OS image or application suite, but units still have a significant amount of work to be sure definitions are updated regularly and problems are mitigated. File scanning of large server storage pools can be difficult.

Problem Determination and Remediation

Fixing endpoint problems is often where the most IT support time goes. Uniform OS and application deployments can simplify this, but in many scenarios many “one-offs” can’t be avoided.

Diversity of Solutions

The distributed nature of IT support at PSU has resulted in many units “reinventing the wheel” when developing solutions to the above problems. While that often leads to solutions that are tailored to the unit, the staff time needed to build those solutions is no doubt costly. Also, as end users move among endpoints supported by different units, they are likely to have very different experiences, and will have to learn how to use each different device. Students are most affected by that, but instructors who teach in various classrooms also encounter diverse systems. Another problem of distributed support of classroom and student lab computers is that the end user often does not know whom to contact for support.

More information on this task force is available via the ITLC wiki at: https://wikispaces.psu.edu/display/itcouncil/Expanded+Lab+and+Desktop+Management+Task+Force

Please contact the Team Chair with specific questions related to this Task Force.

Expected Results:

PROJECT SCOPE AND DELIVERABLES

The task force identified four outcomes relating to Lab/Desktop Management. We believe it is possible to:

- CREATE a more consistent look and feel for students/faculty across the campuses and colleges – thereby minimizing the current concern of "haves and have nots." This is particularly important for the eastern region campuses that are sharing or are soon to be sharing more faculty.

- REDUCE both capital and operational costs by repurposing systems to extend their life and by redeploying existing FTE involved in end user support.

- ENHANCE our ability to remotely reproduce the resources currently found in our computer labs and office systems.

- ENABLE our existing lab spaces to evolve into collaborative learning spaces.


A CLM advisory group should be formed immediately.

Prototyping should begin with other solutions, namely VMware and Microsoft, and should be studied for feasibility (6-9 months).

Creating initial infrastructure based on savings will be a fiscal challenge and thus ample time should be given (18-24 months).

Complete rollout is likely three or more years out.

Contact Person: 
Krystal McMillen
  • John Hoh, Chair
  • Shawn Alexander, Member
  • Preston Baker, Member
  • Matt Boyd, Member
  • Rick Coons, Member
  • Benjamin Derstine, Member
  • Fred DiMuccio, Member
  • Jonathan Holman, Member
  • Joseph Lanager, Member
  • John Matty, Member
  • Christine Mencer, Member
  • Matt Raup, Member
  • Chris Sacksteder, Member
  • Matthew Scott, Member
  • Trevor Squillario, Member