3

We're looking for something to monitor around 30 remote laptops that are constantly out on the road, never returning to base except for when there are serious hardware faults that need repairing. These laptops won't always be connected to the internet; they'll have mobile broadband and may work offline most of the time. They will be running a mixture of Windows XP, Vista and 7, and there is currently no server setup.

We're primarily interested in making sure that Windows Updates and antivirus updates are happening, and I guess we should also be monitoring remaining disk space, what software is installed and ideally hardware health. It might also be nice if we could gain remote access to perform work on them.

My main reason for wanting to monitor them is that it's going to be a real pain to get them back to base if anything goes wrong, so I want to be proactive in ensuring they last as long as possible.

Can you recommend what I should be monitoring to ensure a long life? What tools would you use to monitor and maintain these computers?

WheresAlice
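An added example, not part of the question or of any answer below: a PowerShell 2.0 script (the version that ships with Windows 7) that collects the items the question lists, namely Windows Update and antivirus status, free disk space, installed software and SMART failure prediction, into a local report file. A scheduled task can run it while the laptop is offline and queue the snapshots; whatever sync mechanism you have copies the folder to the office when mobile broadband is up. The queue folder path and the file naming are assumptions.

```powershell
# Added example, not from the original post. Local health snapshot for a
# mostly-offline laptop; the report is queued in $QueueDir for later upload.
# $QueueDir is an assumed path; change it to suit your environment.

$QueueDir = 'C:\ProgramData\HealthReports'   # assumption: local queue folder

function Get-UpdateStatus {
    # Windows Update Agent COM API: last successful search and install dates.
    try {
        $au = New-Object -ComObject Microsoft.Update.AutoUpdate
        New-Object PSObject -Property @{
            LastSearchSuccess  = $au.Results.LastSearchSuccessDate
            LastInstallSuccess = $au.Results.LastInstallationSuccessDate
            AutoUpdateEnabled  = $au.ServiceEnabled
        }
    } catch {
        New-Object PSObject -Property @{ Error = $_.Exception.Message }
    }
}

function Get-AntivirusStatus {
    # Vista/7 register AV products in root\SecurityCenter2, XP in root\SecurityCenter.
    # Each namespace has its own property set; the ones a namespace lacks come back $null.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if ($products) {
            return $products | ForEach-Object {
                New-Object PSObject -Property @{
                    Namespace    = $ns
                    Name         = $_.displayName
                    ProductState = $_.productState     # SecurityCenter2, vendor-encoded; decode at the office
                    UpToDate     = $_.productUptoDate  # SecurityCenter (XP) only
                }
            }
        }
    }
}

function Get-DiskStatus {
    # Fixed disks only (DriveType 3); flag anything under 10% free.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        $pct = if ($_.Size) { [math]::Round(100 * $_.FreeSpace / $_.Size, 1) } else { 0 }
        New-Object PSObject -Property @{
            Drive       = $_.DeviceID
            FreeGB      = [math]::Round($_.FreeSpace / 1GB, 1)
            FreePercent = $pct
            LowSpace    = ($pct -lt 10)
        }
    }
}

function Get-InstalledSoftware {
    # Uninstall keys under HKLM (native and 32-bit-on-64 views); this is offline
    # and far cheaper than Win32_Product, which reconfigures MSI packages as it runs.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName
}

function Get-DiskHealth {
    # SMART failure prediction as exposed by the storage driver in root\wmi.
    Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Instance       = $_.InstanceName
                PredictFailure = $_.PredictFailure
            }
        }
}

function New-HealthReport {
    $report = New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Collected  = Get-Date
        OS         = (Get-WmiObject -Class Win32_OperatingSystem).Caption
        Updates    = Get-UpdateStatus
        Antivirus  = @(Get-AntivirusStatus)
        Disks      = @(Get-DiskStatus)
        DiskHealth = @(Get-DiskHealth)
        Software   = @(Get-InstalledSoftware)
    }
    if (-not (Test-Path $QueueDir)) { New-Item -ItemType Directory -Path $QueueDir | Out-Null }
    # Export-Clixml keeps the nested objects intact and works on PowerShell 2.0.
    $file = Join-Path $QueueDir ('{0}-{1:yyyyMMdd-HHmm}.xml' -f $env:COMPUTERNAME, (Get-Date))
    $report | Export-Clixml -Path $file
    $file
}

New-HealthReport
```

Back at the office, `Import-Clixml` on the queued files gives you the same objects to filter on (for example, `LastInstallSuccess` older than a month, `LowSpace`, or `PredictFailure -eq $true`), which is the proactive view the question is after.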

5 Answers

2

No servers? Sounds like a perfect case for Microsoft Intune, if it were available.

A Direct Access solution so they're always connected to the corporate network whenever they have internet access could be a nice alternative, but it will require a few servers and some infrastructure setup - and it only supports Windows 7.

Oskar Duveborn
  • That sounds absolutely perfect, however the beta status and the fact that we've quite a number of legacy XP machines is a big stumbling block. Might try it out though and see what I think longer-term. – WheresAlice Apr 20 '10 at 16:03
1

You're going to have to make compromises. You could enforce policy by having the users connect via VPN and then to the domain on the road.

This is unlikely to be infallible, as you will either prevent access to the device or be unable to enforce policy. It cannot be assumed that an Internet connection will always be available or have enough bandwidth available, which will be requisite to connect to your network. This is fine for policy enforcement but if updates are downloaded from servers on your network it could delay their installation.

For remote users on company equipment, we often join to the domain and have them connect to the VPN or plug in locally. These users are more often on site than not, however, which makes logistics less difficult.

Based on your requirements, the best approach will likely be to set up group policies that enforce your update policies and then have them get updates from Microsoft or the antivirus vendor, as it will be more flexible.

For remote access, you could use Remote Assistance.

I'd strongly encourage full disk encryption as well. TrueCrypt is a fantastic Open Source solution.

Warner
1

When it comes to remote support I would check out TeamViewer. It's free, and a bit ugly on the user side, but works great. I use it for a random hodgepodge of computers at my church. It works through NAT so you can always connect as long as the computer has internet. I just install TeamViewer Host on any computers I'll need access to.

Jason Taylor
1

Implement WSUS and set them to receive their updates from your WSUS server. The server can generate reports on who needs what update and who hasn't asked for updates recently.

As far as remote access goes, you can enable remote assistance and just use that over the internet. You can also use something like Crossloop or TeamViewer as a backup remote solution.

All of this can be done via group policy.

DrZaiusApeLord
  • I hadn't considered using our own WSUS server as a way of monitoring their updates, I was planning on using just Microsoft Update as a way of keeping our infrastructure pretty minimal. But you're right, it would be a good way of monitoring their updates. – WheresAlice Apr 20 '10 at 16:01
  • It doesn't seem wise to run WSUS over the Internet. – Warner Apr 20 '10 at 17:20
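An added example, not code from either answer, covering both Warner's suggestion (group policy that enforces automatic updates straight from Microsoft) and DrZaiusApeLord's (point the clients at WSUS so the server can report on them). With no domain controller in reach most of the time, the script writes the same registry values the Automatic Updates group policy would, so the policy applies locally. Run it elevated. The WSUS URL in the parameter comment is a placeholder, and the hour and detection interval are assumed defaults.

```powershell
# Added example, not from any answer on the page. Applies the Automatic Updates
# policy through the registry values Group Policy writes, with Microsoft Update
# as the default source and an optional WSUS server (placeholder URL).

function Set-AutomaticUpdatePolicy {
    param(
        [string]$WsusServer,        # e.g. 'https://wsus.example.internal:8531' (placeholder, assumption)
        [int]$InstallHour = 3,      # scheduled install hour, 0-23 (assumed default)
        [int]$DetectionHours = 4    # how often the client checks for updates (assumed default)
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    foreach ($key in $wu, $au) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # Automatic Updates on: download and install on a schedule (AUOptions 4), every day (0).
    Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0            -Type DWord
    Set-ItemProperty -Path $au -Name AUOptions            -Value 4            -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0            -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    # Check more often than the default so a short mobile-broadband window is enough.
    Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1               -Type DWord
    Set-ItemProperty -Path $au -Name DetectionFrequency        -Value $DetectionHours -Type DWord
    # Never reboot out from under a logged-on user who is on the road.
    Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

    if ($WsusServer) {
        # Take updates from WSUS and report status to it, so the server-side
        # reports DrZaiusApeLord mentions have data. Use an https URL if the
        # server is reachable from the Internet.
        Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusServer -Type String
        Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusServer -Type String
        Set-ItemProperty -Path $au -Name UseWUServer    -Value 1           -Type DWord
    } else {
        # Microsoft Update directly (Warner's approach); clear any stale WSUS pointer.
        Set-ItemProperty -Path $au -Name UseWUServer -Value 0 -Type DWord
        Remove-ItemProperty -Path $wu -Name WUServer, WUStatusServer -ErrorAction SilentlyContinue
    }

    # Make the agent re-read the policy and run a detection now.
    wuauclt.exe /resetauthorization /detectnow
    if ($WsusServer) { wuauclt.exe /reportnow }
}

function Get-AutomaticUpdatePolicy {
    # Read the effective values back for a quick compliance check.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $p = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    $s = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        AutoUpdateEnforced = [bool]($p -and $p.NoAutoUpdate -eq 0 -and $p.AUOptions -eq 4)
        UsesWsus           = [bool]($p -and $p.UseWUServer -eq 1)
        WsusServer         = if ($s) { $s.WUServer } else { $null }
    }
}

# Enforce scheduled installs straight from Microsoft Update (no WSUS), then show the result.
Set-AutomaticUpdatePolicy
Get-AutomaticUpdatePolicy
```

Pass `-WsusServer 'https://<your-wsus-host>:8531'` to switch the same laptop to WSUS; `Get-AutomaticUpdatePolicy` is the piece the health-report approach can collect to confirm the policy survived on each machine.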
1

I'd just consider a machine that's out there "tainted", and not allow it to come back to the LAN without a cleanup (aka, reimage). Don't allow it direct access to work stuff, instead using remote desktop or similar. Give them a good way to keep data to be scanned and introduced back into the environment.

Why? This way you can let them do whatever they want with the laptops and don't have to worry about enforcement on them. The cost of reimaging will be painful if you aren't automating it, but you will :)

Bill Weiss
  • In this instance there is no home LAN as such, the only network they'd be connecting to is the office where they'll be fixed. And yes, we're careful with any machine coming in and assume it'll try infecting other machines. – WheresAlice Apr 20 '10 at 16:00