What is most valuable?
Secure USB has allowed us to secure USB ports on our PCs, thus improving our PSN compliance. The main selling point is that it's centralized. We can easily control which system should have access to what and we’re also able to produce a report in case of a security issue.
Patch Management provides us with the ability to patch third-party software on terminal servers. This has improved productivity in terms of being able to automate the process as well as targeting the right OUs, Security Groups, etc. I have successfully decommissioned my WSUS server and now all Microsoft updates are performed using the “Automate Patch Deployment”.
“Deployment Policy”: It provides me with the ability to schedule server/non-server reboots. This has, for the time being, been the solution for a Microsoft bug for Server 2012 R2 whereby a server does not properly reboot after MS updates have been applied and forcefully does it when the user logs on instead.
How has it helped my organization?
I no longer have to use a dedicated WSUS server, everything is properly scheduled including the ability to get reports via e-mail. Everything is administered using a web interface. It’s an all-in-one solution not just for patches but for software inventories as well. From a sys admin point of view, it now requires less effort and time to perform these administrative tasks.
What needs improvement?
I would like the deployment window time to be reduced as it currently requires a minimum of three hours. The automated patch deployment should stick to its own schedule.
The web interface is sometimes confusing and requires improvement, meaning it should be easy to find your way round if you’re looking for a specific option, i.e. adding a new computer object.
Some help files aren’t helpful as they don’t clearly explain the tasks to follow. There should be videos or more scenarios to assist the user.
For how long have I used the solution?
I've used it for less than a year.
What was my experience with deployment of the solution?
At first it took me some time to understand how to automate the patches, especially the “deployment window time”. Other than that, everything becomes straightforward once you've spent “some time” learning the process.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
How are customer service and technical support?
4/10. Symantec, for instance, has better business support as you can log in for follow ups. It takes time for your call to be answered; you don’t know what your SLA is; you don’t get a quick reply. It’s basically not there yet.
Which solution did I use previously and why did I switch?
For Windows updates we used WSUS. With ManageEngine it’s so much easier to administer and monitor. We struggled to update 3rd party applications in the past. Software deployment is also not an issue anymore and easily manageable.
How was the initial setup?
What about the implementation team?
In-house. My recommendation would be to export all your computer objects, in .csv format for instance, from AD then import into ManageEngine. It would be simple and shorten the amount of time it would’ve taken, otherwise, to manually add each object and subsequently ease the process of deploying the agents to each object.
What other advice do I have?
With Secure USB, the system relies on the Device Instance ID of the USB device to identify and secure it (Allow, Deny). For implementation, my advice would be to “Deny all USB access” in order to allow access to devices only permitted by the organisation when plugged in.
The “Device Instance ID” is a unique, long, alphanumeric string identifier. To allow access to a specific device you’ll need to copy/paste this ID (from Device Manager) into ManageEngine. Let’s say you now have 20 IDs listed: how would you know which ID is for which device, as ManageEngine does not provide such an option? I ended up creating a spreadsheet which records such information. That’s quite a convoluted way of doing things.
A USB device can have multiple “Device Instance IDs”, e.g. a digital camera. That means sometimes it becomes hit and miss to get the device to work.
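
The ID-to-device spreadsheet described above can be generated on each PC rather than typed by hand. The script below is an added example, not part of the review and not ManageEngine code. It assumes the built-in `Get-PnpDevice` cmdlet (Windows 8 / Server 2012 or later), and the output file name is a placeholder.

```powershell
# Added example: list the Device Instance IDs of attached USB devices with
# their friendly names, so each ID can be identified before it is allowed.
param(
    # Placeholder output path; change to suit.
    [string]$OutFile = ".\usb-instance-ids.csv"
)

# @() keeps $rows an array even when no USB device is attached.
$rows = @(
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -match '^(USB|USBSTOR)\\' } |
        ForEach-Object {
            # USB\VID_xxxx&PID_xxxx... carries the vendor and product IDs.
            # USBSTOR\... IDs have no VID/PID, so the column stays empty.
            $vidPid = ''
            if ($_.InstanceId -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
                $vidPid = "$($Matches[1]):$($Matches[2])"
            }
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                FriendlyName = $_.FriendlyName
                Class        = $_.Class
                VidPid       = $vidPid
                InstanceId   = $_.InstanceId
            }
        }
)

# One row per instance ID, ready to merge into the tracking spreadsheet.
$rows | Sort-Object VidPid, InstanceId |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Several IDs under one VID:PID usually means a composite device (such as a
# camera exposing more than one interface) or several identical units.
# These are the entries to check when an allowed device still fails to work.
$rows | Where-Object { $_.VidPid } | Group-Object VidPid |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Output ("{0} has {1} instance IDs:" -f $_.Name, $_.Count)
        $_.Group | ForEach-Object {
            Write-Output ("  {0}  [{1}]" -f $_.InstanceId, $_.FriendlyName)
        }
    }
```

Run it with the approved device plugged in. The CSV gives the name-to-ID mapping, and the console output lists devices that present more than one instance ID.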