Apr 30, 2021 Navpreet Kundal

Part 4: A comparison of Configuration Management tools’ administration

Managing an estate of devices on the network has always been a challenge to infrastructure administrators. In today’s world, we deal with real threats from bad actors, a multitude of everchanging devices, and complex remote work scenarios driven by Covid-19. Are the traditional tools like Microsoft’s Group Policy, Endpoint Manager, and PowerShell enough to manage a modern workforce?
A-comparison-of-Configuration-Management-tools -policy-engines- -2 2x

This is the fourth in a series of blogs based on TriCon Elite Consulting’s recent review of the following Configuration Management tools:

  1. Group Policy
  2. PowerShell DSC/Azure Automation
  3. Endpoint Management Compliance MGR
  4. 1E Tachyon Guaranteed State

Our first blog examined TriCon Elite’s analysis of these vendors’ policy engines, and the second instalment explored these Configuration Management tools’ delivery of custom scripts. Last week we considered TriCon’s comparison of remediation capabilities. This weeks focus is administration and we will look at:

  • Role-Based Access Control (RBAC)
  • Interface
  • Reporting
  • Installation
  • Support

How Tachyon Guaranteed State ranked in the Administration category

Config-blog-4

Role-Based Access Control (RBAC)

TriCon’s verdict: Role-Based Access Control (RBAC) is critical for an enterprise using any configuration, state, or management tool. In this area Group Policy and 1E Tachyon Guaranteed State scored the highest. Group Policy as a good mechanism to use Access Control Lists (ACLs) for objects, allowing delegation of adding, removing, managing, viewing, and creating new policy objects. Guaranteed State was found to have a strong interface for configuring RBAC; Settings can be tagged to Active Directory groups, and management for access to features can be easily delegated. PowerShell scored lower than the other solutions because it requires additional skills and coding to configure. When appropriately configured, TriCon found it to have one of the best RBAC approaches, but it is challenging to implement correctly.

Interface

TriCon’s verdict: In this area, Group Policy, Endpoint Manager, and Guaranteed State tied for ranking. With PowerShell DSC, everything is configured with code and configuration files and there isn’t GUI interface. And, although PowerShell DSC overall didn’t score well in this section, it caught TriCon’s attention with Microsoft’s focus via Azure Automation. Group Policy was found to have a very rich GUI and has PowerShell Modules created by Microsoft for core management tasks like creating, adding, removing, and reporting on policy objects. Similarly, MEM-CM and Tachyon Guaranteed State have a rich user interface and support configurations via PowerShell modules.

Reporting

TriCon’s verdict: When working with any enterprise toolset, reporting capabilities are a key factor. Overall, MEM-CM has a good reporting interface with report creating being available to almost all aspects of the product. MEM-CM does require a full inventory evaluation cycle to run on targets to gather status information. Powershell ranked alongside MEM-CM, with reporting capabilities via a configured reporting server, with all report formats needing to be custom developed. Group Policy has good reporting capabilities for configurations in the Group Policy Management Console, with reports that can be generated in HTML or XML format. Unfortunately, Tachyon was found to have more of a dashboard feel than a report, despite the real-time information available in the UI and report export and customization options are currently limited.

Installation

TriCon’s verdict: Group Policy ranked highest when it comes to ‘Installation’. The main reason it has such widespread use is that it’s built-in and available with every Windows operating system. Even for the most advanced use cases, there is nothing else to configure on the devices, or the Active Directory environment, to enable functionality. PowerShell DSC and Endpoint Manager were equally placed here. Tachyon Guaranteed state can be installed on a single virtual machine that can support 50,000 endpoints. The installation wizard is capable of remediating most missing components and provides detailed logging to help troubleshoot any installation issues. There is a required client agent that must be deployed using another solution, and versions are available for all supported platforms.

Support

TriCon’s verdict: When it comes to support, the Microsoft products rely on a vast community of experts and employees that support administrators through forums, blogs, and other virtual content. With many years of widespread use, product enhancements and 3rd party add-ons have developed to give these products extra edge. There are many avenues to go down before it is necessary to open a direct support case with the vendor. Comparatively, Guaranteed State – as a relatively new product – does not have the same base of global experts. However, TriCon refers to the Tachyon Exchange providing both a customer forum for collaboration, and a submission portal for help with coding.


You can read the full comparison report and learn how the vendors stack up for other evaluation criteria, here. To learn more, be sure to check out Part 1, Part 2, and Part 3!