DSC vs. GPO vs. SCCM vs. MDM

Microsoft Windows administrators now have a number of ways to manage their estates.

  • Group Policy (GPO)
    Allows very fine-grained control over every aspect of Windows. Primarily aimed at Windows desktops. Requires Active Directory (AD) and very careful configuration. Requires well-trained specialist staff to get it right.
  • System Center Configuration Manager (SCCM)
    Allows central control over software delivery. Also requires AD. Configuration of delivery packages can be complex and very careful change control is required. Software delivery via SCCM can also be intrusive to users. Requires well-trained specialist staff to get it right.
  • Desired State Configuration (DSC)
    Though extended by Microsoft, this is actually part of a wider open standard, “Open Management Infrastructure”, and so applies to other platforms as well, including Linux. Mainly aimed at server configurations. Falls into the DevOps camp, as it defines server configurations in purely text format and so can easily be put under source control. DSC is typically dynamic and enforces the correct configuration (normally every 15 minutes), which greatly helps ensure secure configurations.
  • Mobile Device Management (MDM)
    Primarily aimed at mobile devices, this style of configuration is increasingly applicable to Windows desktops with the advent of Windows 10. Microsoft Intune is leading the way, with other MDM vendors following on. Not everything on the desktop can yet be controlled this way, even with Windows 10, but many key settings and controls are already available. A much simpler method for enforcing desktop settings than the other methods, it can be run by fewer administrators with much less specialist knowledge.
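
To illustrate the DSC item in the list above, here is an added example (not from the original post or the FoxDeploy article) of a text-only configuration together with the Local Configuration Manager (LCM) settings that make the 15-minute check put drifted settings back. The names `LcmEnforce` and `SecureBaseline`, the output paths and the two hardening settings are assumptions chosen for illustration; the LCM's default mode, `ApplyAndMonitor`, only reports drift, so auto-correction has to be switched on explicitly.

```powershell
# Added example; LcmEnforce, SecureBaseline and the output paths are hypothetical names.
# Assumes Windows PowerShell 5.x on a Windows Server node, run from an elevated session.

# LCM meta-configuration: re-check every 15 minutes and correct any drift found.
[DSCLocalConfigurationManager()]
configuration LcmEnforce
{
    Node 'localhost'
    {
        Settings
        {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
        }
    }
}

# The desired state: plain text, suitable for source control and peer review.
Configuration SecureBaseline
{
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node 'localhost'
    {
        # The SMBv1 server feature must not be installed.
        WindowsFeature NoSmb1
        {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }
        # The Remote Registry service stays stopped and disabled.
        Service RemoteRegistryOff
        {
            Name        = 'RemoteRegistry'
            State       = 'Stopped'
            StartupType = 'Disabled'
        }
    }
}

# Compile both to MOF, configure the LCM, apply the baseline, then report compliance.
LcmEnforce     -OutputPath .\LcmEnforce
SecureBaseline -OutputPath .\SecureBaseline
Set-DscLocalConfigurationManager -Path .\LcmEnforce
Start-DscConfiguration -Path .\SecureBaseline -Wait -Verbose
Test-DscConfiguration -Detailed
```

`Test-DscConfiguration -Detailed` lists the resources that are in and out of the desired state, which is useful as a compliance check between enforcement runs.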

The article from FoxDeploy covers the first three of those and lays out the purpose of each. Well worth a read.

What is missing is the fourth method, which uses Mobile Device Management tooling. The leading contender for this is Microsoft Intune. However, Intune is really only focussed on Windows 10 (desktop and mobile); it has limited control over other operating systems.

Servers only ever exist in a given state. If they deviate or we make changes, we refactor and redeploy. DSC drives it all and the machine will be up and running on a new OS, with data migrated in a matter of minutes.

For all practical purposes, the first true large scale management tool we had for Windows systems in the modern era was Group Policy, or GPO as it is commonly truncated.

Comparatively, SCCM and MDT allow us to import an image from a Windows install disk and then run dozens of individual steps which are customized based on the target machine’s platform, model, office location and other factors. The sky is the limit.

Curated from DSC vs. GPO vs. SCCM, the case for each. – FoxDeploy.com

Development Virtual Machine (VirtualBox)

I’ve been thinking ahead to a change of job recently. Knowing that I’ll be getting a new Windows-based laptop and needing to have development capabilities and having developed a taste for Linux 😉

I’ve used my favourite VM tool VirtualBox (now owned by Sun) to create a sparkly new OpenSUSE 11.0 virtual machine complete with Apache, MySQL, PHP, etc. as well as office tools such as Open Office, mind/concept-mapping and diagramming applications.

Unlike the Windows XP VM that I use on my Linux desktop to give me access to Windows applications – which needs 2GB of RAM to perform nicely – the SUSE VM only needs 1GB of RAM to feel as fast (even though XP doesn’t have Apache, MySQL, etc. running).

Although I’ve created this on my Linux desktop, it should be easy enough to transfer to my new laptop. To help keep file sizes down, I’ve chosen to use three virtual disks. One for SWAP, one for /home and one for the root. This will make it a bit easier to transfer back and forth if I need to – though I’ll probably end up with two separate and different copies as I’m already finding that doing personal development work is much easier on the VM than it is on the host OS thanks to it being a more focused machine with less rubbish installed.

Update on FreeOTFE

Thought I would add a quick update on using FreeOTFE under Windows and PocketPC.
I tried it under Windows on a different PC and it does indeed work OK though it is nowhere near as polished as TrueCrypt.

I’ve also tried again a few times on a PocketPC with limited success and I think I know what is happening. Firstly, you must install FreeOTFE for PPC into system memory and not on a storage card – not terribly surprising really. However, you do not seem to be able to use a secure volume from a storage card very reliably either (I tried on a T-Mobile MDA Compact III). I did have some success creating a small volume (approx. 2MB) in main memory; it did load eventually. Sorry to say that this is unworkable and I’ll be sticking to KeePass and Tombo on PPC with TrueCrypt on Windows and Linux.

It is worth noting in passing that TrueCrypt for Linux now has a native UI.