One of the features that ERPM is capable of providing is giving users the ability to 'request' admin credentials on their machines for a specific purpose (provided you have removed all users from local admin on their machines). You can force them to put in descriptions or ticket numbers for logging when they want to check out an admin password but keeping the backend configured properly, so that users can ONLY see their assigned computers is rather difficult.

My company is only around 600 users, so manually assigning users to specific computers is not too difficult but if my company was larger with several thousand endpoints, it would be almost impossible. Fortunately for me, we have spent time so that our CMDB is up-to-date. I can export the active computers in my network with the users who are assigned, and then import them into ERPM. I know some ERPM admins have to compromise by allowing users to see a 'group' of computers so that assignments can be by a group of computers instead of one to one but, to do it properly, you only want the user to have the ability to see ONLY their computer and nothing else. Also, you want to make the checkout experience as seamless as possible for the end user, so having only their computer show up makes it easier for them to navigate the web program. This is not a huge issue, but something that would be nice in future releases.

They should improve the application password management. The capability to manage high availability application passwords is its biggest shortcoming.

Macs: The support team wasn't too knowledgeable about how to deploy the above solution to MAC workstations.

We deployed a solution where our desktop support team would use a local admin password created and managed by ERPM. There is a default local admin on each machine. We replaced it with an ERPM-created local admin account. The problem we faced was for MACs, we needed to know the current password of the default ID.

While setting up management set, we had Lieberman support on the phone and our developer was correcting most of the recommendations from their architect.

Apparently, they don't have a large MAC user base. It took a few days and several phone sessions with them before we were satisfied with the whole process so we could continue with the deployment.

Overall, ERPM looks like a good product and we are only using a small percentage of the features it says it will offer.

Session recording generally works but intermittently stops. The permission model for individual accounts could be made better. It would also be nice to be able to group accounts together, specifically with domain accounts. Currently, the product is centered around nodes and machines.

The permission model is based around what they call Management Sets. Management Sets group together computers. So if you have multiple accounts on the same computer, you are not able to easily assign different permissions. The best example of this is the Active Directory domain. To Liebermann, it’s a single computer with lots of accounts. You could add the domain to multiple management sets, but that will create other problems. If you have service accounts in your Active Directory domain, the only choice for is to assign specific permissions to specific accounts as opposed to using some time of grouping.

The included session recording is not very robust.

The session recording feature is supplementary to the core product. It is an implementation of Microsoft Expressions and IIS Media components, freely available from Microsoft, that plugs into the ERPM product.

With this enabled, sessions that are launched through the ERPM Application Launcher can be recorded, using those free MS components and the exposed ERPM web service.

It records simple, flat Windows Media Viewer format files, and is suitable for very basic recording needs. It is not a very scalable or robust offering and offers no session management capabilities.

ERPM can run without this component enabled. ObserveIT integrates very well with the product and provides true robust recording and management capabilities. The product integrates successfully with Balabit as well.