15

I'm working with a startup that's teaching kids to program. We've just obtained our first "fleet" of laptops - half a dozen refurbished thinkpads running Windows 7 - and I'm looking for the best way to administer and maintain them.

I've already determined that it appears to make sense to buy a volume license key, so I can use reimaging rights and generate a single known good image I can write to all of them, and use to wipe out a computer whenever I need to. What I'm wondering about now is how best to manage them on an ongoing basis.

The laptops will run on a variety of networks - none of them controlled by us - and we've got no central office or servers. We'd rather not acquire any.

I'd like to be able to easily push out updates and new software to all the laptops, as well as doing things like remotely configuring administrator accounts, and managing patches to make sure the laptops are kept up to date.

As a tiny startup, funds are limited, and money spent on software licenses is money we could have spent on more hardware, so expensive solutions are a bit of a no-go.

Does anyone have any recommendations for how we can most easily do this?

Falcon Momot
Nick Johnson
  • Depending on what software you need to run on the computers, if you want to avoid software licensing costs, you could go with a free Linux distribution. There are several distributions oriented to the education market; [Edubuntu](https://www.edubuntu.org/) is one example. – Johnny Jul 29 '15 at 19:41
  • If you don't have any servers, then why did you tag the question with active-directory? – user2320464 Jul 29 '15 at 22:07
  • @Johnny Unfortunately, we're stuck with Windows, since we've got at least one tool that's Windows-only and won't run in Wine. – Nick Johnson Jul 30 '15 at 06:25
  • @user2320464 Because I hypothesized there might be tools (like Intune, say) that would provide a "cloud" active directory. – Nick Johnson Jul 30 '15 at 06:26

5 Answers

14

This is the perfect use case for Microsoft Intune. While it is primarily known as an MDM solution, it also has PC management capabilities as well, such as app deployment and patch management. It's also completely cloud-based and is licensed on a per-device per-month basis, so it can scale as you grow.

If you're already managing internal devices with System Center Configuration Manager, it has some neat integration. If not, it's perfectly functional as a standalone product as well.

MDMarra
  • That does look like a good match. A monthly subscription is a bit of a pain, but it's reasonably affordable at that. Will it cause any problems if the devices don't always have connectivity? – Nick Johnson Jul 29 '15 at 11:05
  • Nope. There is an agent that gets deployed which checks in to Intune on a regular basis; if it can't check in, it will get all policies and deployments the next time that it is able. – MDMarra Jul 29 '15 at 11:11
  • It looks like an alternative to this would be Deep Freeze, which would allow us to be less restrictive about what permissions students have, while still resetting the devices to a known-good state. We could probably get away without buying the VLK, too, since we wouldn't be reimaging so much. – Nick Johnson Jul 29 '15 at 12:42
  • Deep Freeze does the opposite of Intune. Intune manages the configuration of a machine so that it can be easily updated and reconfigured. Deep Freeze locks the machine into a steady state. These are two different objectives. You need to determine which one is appropriate. – MDMarra Jul 29 '15 at 12:48
  • From what I've read, Deep Freeze supports automated booting to "thaw" mode to apply updates, etc. - it doesn't freeze configuration in place for all time. What I care about is making sure these machines remain as consistent as possible while still being useful for users, and being able to push out updates easily to many machines. It seems like both solutions can achieve that; I'm just not sure which is the better match. – Nick Johnson Jul 29 '15 at 12:52
  • Once you thaw a machine, how do you coordinate and control Windows updates? App updates? Push new software? That's what Intune and other configuration management software does. Deep Freeze does not, as far as I know. It will "lock in" a configuration, but once it's "thawed" it doesn't have a way to centrally update/control config changes. – MDMarra Jul 29 '15 at 12:54
  • Their "enterprise" edition lets you push configurations to machines, instructing them to reboot to apply Windows updates, or to install specific MSIs, etc. I suspect it's more limited than Intune. – Nick Johnson Jul 29 '15 at 12:57
  • To be more concrete: Can you set a policy with Intune to ensure there's a guest user account with consistent settings? Even a locked down user account still allows a user to mess with their own shortcuts, files, start menu etc - if we can't restore those for the next 'guest', it won't be very useful to have the rest of the configuration consistent. – Nick Johnson Jul 29 '15 at 12:58
  • If [this doc](https://technet.microsoft.com/en-us/library/gg176672(v=ws.10).aspx) is correct, it looks like that can be done with Mandatory Profiles, leaving only the possibility for users to scatter random files around the drive (outside their profile directory). – Nick Johnson Jul 29 '15 at 13:07
0

It would be possible to automatically connect each laptop to a VPN network. All you would need is a VPN server / router, and some configuration for the laptop to connect to the VPN on logon. After that you could simply RDP to it.

0

Depending on your budget (which you haven't stated) I think a good solution for you could be that of a HP Microserver with some extra RAM as a domain controller?

That way you have an extremely portable server with the ability to push out updates and lock down the laptops with group policy?

For that amount of laptops the Microserver will easily be able to handle the load and you'll have everything you're wanting.

The downside is of course the cost. You're probably looking at about £1300 - maybe more - to get a finished solution.

However, once it's set up it'll be low maintenance and you can add to it when and where you find the money with things like RAID and perhaps a small switch?

SORoss
  • As I said in the question, we'd really rather not get any hardware just for administering other hardware, particularly given the laptops will move around a lot. – Nick Johnson Jul 30 '15 at 06:27
0

I'm not sure if this will cover all you need but...

At the place I am recently employed, company-issued laptops (which are running Windows) are required to be able to access the company VPN. Namely, VPN access is only allowed using company-issued laptops.

Users are not admins on their local machine. Therefore, company IT personnel do all the administering, like setting Windows Update schedules, setting the schedules for anti-virus update, etc.

At first glance, it seemed annoying to me as a user not to be able to admin a laptop I take home or install what I want, and it probably takes the IT group some resources to manage the laptop fleet, but I suspect this methodology reduces external threats that free-floating laptops might otherwise present.

Good luck.

  • I too have been annoyed by not being able to admin my own machine, but most non technical users might welcome it, and it reduces risk and hassle to have them centrally administered. – rholmes Jul 30 '15 at 03:47
  • This is probably necessary, but not sufficient - the question is, how to administer the laptops given the absence of an IT infrastructure (the answer appears to be Intune). – Nick Johnson Jul 30 '15 at 06:28
0

I would recommend Meraki Systems Manager. It's an entirely cloud-managed solution that's free for up to 100 devices. It's probably not as robust as Microsoft Intune or System Center Configuration Manager, but it may fit the bill for the price. My favorite feature is the VNC-based remote assistance.

ghaberek