Mobile users have long presented a special challenge to IT professionals when it comes to the task of patch management. The problem is that under normal circumstances centralized patch management only works when the end user is logged into the corporate network. This can be a problem since mobile users might only rarely bring their laptops into the corporate office.
In the past, IT pros have used two main techniques to deal with this challenge. One of those techniques involves decentralizing the patch management process. The Windows operating system can be configured to download patches directly from Microsoft and to install them automatically. Many third party applications offer similar functionality.
Decentralized patch managment
Decentralizing patch management for mobile users can be very effective because patches are automatically downloaded from the Internet, even if the end user is not connected to the corporate network. The disadvantage to using this technique, however, is that it leaves a lot to chance. Most larger organizations like to test patches before they allow them to be applied to production systems. When you decentralize patch management for mobile users, patches are automatically applied to the user’s laptops whether the organization has tested them or not.
Furthermore, this technique makes it difficult for administrators to determine which patches have been applied to mobile user’s laptops. When you decentralized patch management you also forfeit centralized patch deployment reporting.
The other technique that has been traditionally used to handle patch management for mobile users is to deploy patches over VPN connections. In this scenario, the organization maintains centralized control of the patch management process. This allows the administrator to perform patch testing before any patches are authorized for deployment to production systems. When a mobile user logs into the corporate VPN, their computer checks in with the patch management server and downloads any missing patches.
On the surface this technique seems ideal, but it has one fatal flaw. The problem is that patch management can only occur when the end user is logged into the corporate VPN. If the end-user only connects long enough to check their email, then it is unlikely that the session will last long enough for the patch management process to complete.
Either of these techniques can be used to facilitate patch management for mobile user’s laptops. As you have seen however, neither of these methods is perfect. Even so, there is a third method that directly addresses the shortcomings of the previous two methods.
This method involves using Microsoft’s DirectAccess feature to facilitate patch management. If DirectAccess sounds familiar, it may be because Microsoft introduced it with Windows 7 and Windows Server 2008 R2 as a next generation alternative to traditional VPNs. However, DirectAccess didn’t catch on because it was extremely difficult to configure.
Even though the first incarnation of DirectAccess was a flop, the story isn’t over. Microsoft revisited the DirectAccess feature in Windows Server 2012 and Windows 8 and made it much easier to configure. In fact, you can now deploy DirectAccess with only a few mouse clicks.
The reason why DirectAccess can be beneficial to mobile patch management is because it eliminates the need for a user to log into a corporate VPN. When a user’s connects to the Internet, Windows automatically establishes a DirectAccess session to the corporate network. This connection is established from behind the scenes with no end user involvement.
DirectAccess can be thought of as an always on connection to the corporate network. If the laptop has Internet connectivity, it also has connectivity to the corporate network. This makes it a lot easier to perform centralized patch management because administrators no longer have to worry that end users will only log on for a few short minutes to check their E-mail. Mobile users often remain connected to the Internet for several hours at a time, which is perfect for deploying patches.
Requirements to use DirectAccess
In case you are wondering, there are some client side requirements that must be met in order for an end user to establish DirectAccess connectivity. The only client operating system that natively supports DirectAccess is Windows 8; however, there is an update available for Windows 7 that allows it to work with the Windows Server 2012 version of DirectAccess. The client computer will also have to have a TPM chip in order to work with DirectAccess.
The Feather in the Cap
When all is said and done, DirectAccess might be the perfect mechanism for facilitating patch management for mobile users. It allows the organization to maintain centralized control of the patch management process, it doesn’t require the end user to do anything special, and the amount of time that users tend to spend online should help the patch deployment process to complete.
And because the DirectAccess connection is bi-directional, when combined with SolarWinds Patch Manager it gives you the ability to deploy updates on-demand, as well as perform other systems management tasks.