Apr 02, 2021 Navpreet Kundal

Part 1: A comparison of Configuration Management tools’ policy engines

Managing an estate of devices on the network has always been a challenge for infrastructure administrators. In today’s world, we deal with real threats from bad actors, a multitude of ever-changing devices, and complex remote work scenarios driven by Covid-19. Are traditional tools like Microsoft’s Group Policy, Endpoint Manager, and PowerShell enough to manage a modern workforce?

TriCon Elite Consulting recently conducted a review of the following Configuration Management tools:  

  1. Group Policy 
  2. PowerShell DSC/Azure Automation
  3. Endpoint Management Compliance MGR 
  4. 1E Tachyon Guaranteed State

In this blog, we’ll explore TriCon Elite’s analysis of these vendors’ policy engines and their effectiveness around: 

  • Check Rules 
  • Onboarding
  • Device Status 
  • Cross-Platform Support 

Check Rules 

A Check Rule is defined as “the configuration item that builds rules for success and failure criteria.” Interestingly, TriCon found that this concept of a Check Rule differs between the four solutions evaluated. For example, Group Policy settings are configured in a Group Policy Object. Once applied to a target, this feature will sometimes remove the ability to change a configuration at all, which removes the need for separate check and fix rules. The remaining three solutions, namely PowerShell DSC, MEM-CM and Tachyon Guaranteed State, all have similar needs to build checks.

The logic defined in the check typically asks a question such as: is this service running, does this registry key exist, does this file exist, and so on. Once the question is asked, code can then be derived to take action to remediate the issue.
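The three questions above map directly onto declarative check-and-fix items in PowerShell DSC. The configuration below is an added example for this post, not code from TriCon, 1E, or the original article; the node name, service name, registry path, file path and output directory are assumed values chosen for illustration. It uses only the built-in Service, Registry and File resources from the PSDesiredStateConfiguration module shipped with Windows PowerShell 5.1.

```powershell
# Added example (not from the original post): three check rules expressed as
# DSC resources. Each resource is both the check (is the system in the desired
# state?) and the fix (bring it there if not).
Configuration BaselineCheckRules {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {   # assumed target; replace with real node names

        # Check: is the Windows Event Log service running?
        # Fix: set it to Automatic and start it.
        Service EventLogRunning {
            Name        = 'EventLog'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Check: does the registry value exist with the expected data?
        # Fix: create the key/value or overwrite the data.
        Registry ExampleHardeningValue {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Baseline'   # assumed path
            ValueName = 'AuditEnabled'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }

        # Check: does the marker file exist with the expected contents?
        # Fix: create it.
        File BaselineMarker {
            DestinationPath = 'C:\ProgramData\Contoso\baseline.txt'   # assumed path
            Type            = 'File'
            Contents        = 'baseline=1'
            Ensure          = 'Present'
        }
    }
}

# Compile the configuration to a MOF document (output directory is assumed).
BaselineCheckRules -OutputPath 'C:\DSC\BaselineCheckRules'

# Check only: reports InDesiredState per resource without changing anything.
Test-DscConfiguration -Path 'C:\DSC\BaselineCheckRules' -Detailed

# Check and fix: applies the configuration and remediates any failing item.
Start-DscConfiguration -Path 'C:\DSC\BaselineCheckRules' -Wait -Verbose
```

Running Test-DscConfiguration first is the practical way to separate the check from the fix: it tells you which devices are out of compliance before any remediation runs, which is the same check-then-remediate split the other engines in this comparison expose through their dashboards.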

TriCon’s verdict: Each solution presents “excellent” configuration options for Check Rules. 

Onboarding 

An agent is typically required by most configuration management tools. For instance, an agent is required to extend PowerShell DSC with Azure Automation State Configuration. Agents are also a requirement for MEM-CM and Tachyon Guaranteed State. The only exceptions here are Group Policy and PowerShell: both of these are inherently included inside the Windows Subsystem (Kernel).

TriCon’s verdict: The ability to be always on from the time an Operating System is deployed gives a great advantage to Group Policy. 

Device Status 

Once an agent (either built-in or deployed) registers with its service, it needs to provide device status. Device status and check-in aren’t built into Group Policy’s functionality. As a result, once a policy is deployed, it relies on the built-in agent being in good working order; if it isn’t, the ability to provide enterprise-wide compliance is greatly limited. In MEM-CM and Tachyon Guaranteed State, both agents routinely check in, and their compliance and status are displayed in universal dashboards. This can also be reported on from a device health perspective.

TriCon’s verdict: Tachyon Guaranteed State is best designed to provide real-time device status reports. 

Cross-Platform Support 

Cross-Platform support is a big issue for most enterprise organizations. This becomes even more evident with organizations adding mobile devices at such a rapid pace.  

Probably one of the most significant drawbacks for an organization is hybrid management. This typically requires more than one tool, and rarely can a single pane of glass be used for holistic management. Neither Group Policy nor MEM-CM can manage much other than Windows systems without extensive third-party solutions. (Although Mac support is included with MEM-CM, it is rarely seen in use.)

TriCon’s verdict: PowerShell DSC, including Azure Automation, is able to support a broad range of non-Windows platforms, but Tachyon Guaranteed State is the most extensible of the pack.

How Tachyon Guaranteed State ranked in the Policy Engine category


Based on their evaluation, TriCon determined that the strongest contender in the Policy Engine category is Tachyon Guaranteed State. Based on its ability to scale to support 5000,000+ devices, TriCon considered the solution to best meet the needs of enterprises with a complex ecosystem of remote and office-based devices.

Tachyon Guaranteed State’s engine is also able to deliver instruction sets without impacting the existing network or core infrastructure, using microagent communications. According to TriCon, what pushed it to the top of this list was its extensive non-Windows cross-platform support. It also integrates with MEM-CM, BigFix, ServiceNow, and PowerShell.

You can read the full comparison report and learn how the vendors stack up for other evaluation criteria, here.