Device management has significantly changed in the modern world, and it’s becoming more and more complex. I think this post will give you a better understanding of Device Management overheads and an overview of how 1E Agent helps reduce Device Management Overhead.
Modern Device Management is not just deploying the apps and patches to the devices; rather, it’s securing the devices. The device admin’s job is to protect and secure resources and data on devices. There are several activities involved in securing the resources and data of your organization.
How to reduce device management overheads? Read-on, you will find the common device management pain points from an admin perspective.
Device Management
Do you have to manage and secure the same types of devices? There are many form factors of devices available for Windows 10 in the market. However, it’s been basic practice for most organizations to define a hardware catalog of devices with supported hardware support (TPM chipset, etc..). So, you need to manage and secure all these devices.
There are many device management solutions in the industry. There are different types of solutions available like on-prem, cloud, and a combination of both. The Configuration Manager (a.k.a Microsoft Endpoint Manager ConfigMgr) is an on-prem solution coming to the cloud with Intune integration.
Most of the organizations are using Configuration Manager (a.k.a SCCM) as a device management tool. ConfigMgr is the proven tool to manage the end-to-end life cycle of modern Windows 10 devices. This product is very mature, with hundreds of essential features for securing resources and data on devices.
Microsoft clearly documents the maximum supported number of ConfigMgr sites and site system roles. You must be very careful when you design a ConfigMgr infrastructure. Even though it’s officially supported to have a CAS and 25 primary servers, you should never implement it. First, you should not have CAS at all. As per the community experts, 99.99% of enterprises don’t have any requirement to have a CAS implementation!
Let’s have a quick look at the table for more details about the maximum number of site and site systems roles:
| Child Primary Servers | Secondary Servers | DPs | MPs | Pull DPs |
|---|---|---|---|---|
| 25 | 250 | 250 | 15 | 2000 |
I don’t think it’s recommended to have many DPs, like 250 DPs, under a primary server. In my opinion, the operational cost will be very high to manage those number of DPs. The expectation of SCCM admins is:
- Good network connectivity
- Unlimited WAN bandwidth
- High spec Servers as recommended by Microsoft
- Etc…
However, often the reality on the ground is a bit different. Most enterprises are challenged with:
- Complex Networks
- Slow WAN connections
- Shared Servers as DPs/PXE
- Limited options for storage
- And more
Let’s understand some of the key device management overheads here. All these challenges are discussed in the following sections of this post.
- FanOut Architecture (a large number of DPs/PXE Servers)
- Bandwidth (Saturated WAN connections)
- A lot of content sharing options
- OS Deployment
- Real-Time management
- Power Management
Architecture
A complex architecture is an overhead for many ConfigMgr environments. It’s a dream for admins to reduce the complexity of their ConfigMgr hierarchy. Distribution points are a must-have component for most ConfigMgr implementations because they can reduce the WAN bandwidth consumption for branch/remote offices. However, remote DPs and secondary servers are the biggest trouble makers for a ConfigMgr environment. Especially if the remote offices are connected with saturated WAN links, let’s understand how to simplify ConfigMgr architecture.
An additional agent installation on all ConfigMgr client devices and some additional configurations can help to eliminate the remote DPs. Many enterprises can eliminate the FanOut of architecture by deploying the additional agent & the server-side configurations. These steps help to simplify architecture and reduce operating costs.
The 1E Nomad agent uses the power of peer-to-peer technology to eliminate the need for remote distribution points. You might need only one distribution point at the central office for the initial content transfer. The rest of the content transfer is fully managed by a peer-to-peer network.
The following are some of the features that help to reduce the FanOut architecture of ConfigMgr:
- Bandwidth Management
- Election Process to have master client
- The Master client starts to download the content
- The bandwidth management is similar to LEDBAT protocol at the client end
- This dynamically adjusts the delay in between the blocks
- Inserts the delay in between the blocks – Delay and back off
- Real-Time Bandwidth monitoring
More details about the 1E peer-to-peer architecture can be found in 1E documentation.
Network Bandwidth
One of the key deciding factors of Configuration Manager architecture is network bandwidth. The saturated WAN network is one of the biggest pain points for Configuration Manager (a.k.a SCCM) implementations. Let’s understand how to reduce and manage network bandwidth consumption when there is a requirement to download GBs of content from a central office distribution point.
Microsoft technologies like BranchCache, Peer Cache, and LEDBAT can help with bandwidth management to an extent. 1E Nomad’s bandwidth management algorithm gives better and more reliable bandwidth management as per the comparison study done by 1E.
| Bandwidth Management | Peer-to-peer sharing | |
| Nomad | Yes | Yes |
| BranchCache | No | Yes |
| Peer Cache | No | Yes |
| Delivery Optimization | Yes | Yes |
| Background Intelligent Transfer Service (BITS) | Yes | No |
| Low Extra Delay Background Transport (LEDBAT) | Yes | No |
Nomad’s reliable bandwidth management never allows the saturation of the WAN bandwidth. Hence there is no need to manage network locations using boundary groups. The 1E Nomad agent installed on the ConfigMgr client helps to manage network bandwidth dynamically. The Single Site Download feature of 1E Nomad helps to reduce the content transfer from remote DP by allowing peer-to-peer content transfer across different subnets.
Peer-to-Peer Content Sharing
Let’s understand another device management overhead. Peer-to-Peer content sharing and Bandwidth Management are closely linked topics from the device management perspective. Microsoft offers more than one bandwidth management and peer-to-peer technology. All those technologies are helpful for certain scenarios. In my experience, it’s expensive and time-consuming to integrate more than one technology to produce a relevant solution.
With every new version of Windows 10, Microsoft is improving and adding new features to make these technologies more useful in the enterprise world. It’s worth having an end-to-end assessment (once every couple of years) of all these Microsoft Peer-to-Peer content sharing and bandwidth management technologies.
1E Nomad is a mature peer-to-peer content sharing and bandwidth management product. The 1E Nomad peer-to-peer content distribution agent provides two (2) solutions bandwidth management & peer-to-peer content sharing. 1E Nomad is included in the 1E Windows Servicing Suite and extends automation for Windows 10 upgrades and application deployment. You can read the 1E whitepaper to get more details on the additional features supported by 1E Nomad.
As I mentioned in the previous post, the content distribution issues for remote DPs are expensive and time-consuming. You can fully eliminate remote branch office servers by using 1E Nomad peer-to-peer technology. The reduction of costs and simplicity in the management are the two key factors that you need to consider before selecting any solution. The FanOut feature mentioned above dramatically improves peer-to-peer efficiency.
1E Nomad Pre-caching is also a useful option that helps to remove the content delivery overhead of device management. As per my experience, most admins would like to pre-cache the content to ensure better success rates in the deployments. The reporting option with 1E Nomad Pre-caching Jobs is also useful to validate the content pre-cache on Windows 10 devices.
OS Deployment
One of the biggest overheads in device management is dealing with network team(s) to make OS Deployment (OSD) work. The PXE boot is the key component (unless USB boot media has been used) for bare metal OS deployments. There are three main components involved in this process (listed down below).
- Network (Routers)
- DHCP Server(s)
- PXE Server(s)
I love the quote from Microsoft’s Kerwin Medina (ConfigMgr Product Team Member) – “Befriend your network administrators. Be nice to them, out of a genuine heart“. You can read the following post from Kerwin to understand the Network team’s dependency to make PXE/OS deployment work – You want to PXE Boot? Don’t use DHCP Options.
1E Nomad eliminates all the remote DPs from your environment. However, that creates another problem, PXE servers! What will we do for PXE servers hosted on DPs servers? Let’s eliminate the PXE servers with the PXE EveryWhere agent (part of the 1E agent) and a web service (PXE EveryWhere Central Server). That makes one or more PXE servers available in each subnet, and therefore there is no router configuration required (unless DHCP Snooping is enabled). You can find more details about PXE Everywhere in the 1E documentation (https://help.1e.com/display/PXE32/Introducing+PXE+Everywhere+3.2).
Real-time Management
Remote client management is another overhead in the device management world. In recent times the work location and connectivity to the work environment have drastically changed. And new challenges were introduced because of the change from office-based to a home-office-based work environment. The real-time management of devices from home-office networks is important for organizations in this changed scenario.
1E Tachyon comes with real-time management and many more features. Real-time management is challenging because all the devices may not be connected at the time of a query. So, what will happen to the query when the device is offline? I feel one of the biggest advantages of Tachyon is the configurable options to tackle these kinds of scenarios.
- Each query has a configurable duration
- This allows devices to connect later and send answers
- Keep answers for a configurable duration
You have to be more careful when dealing with real-time management scenarios because some types of answers can get stale quickly. The configurable duration option should be decided carefully to have accurate results.
As per the 1E documentation, most real-time queries/instructions require only a single packet exchange, enabling your team to remediate and respond to issues faster. Also, this makes sure that you are NOT choking the home-office network by sending and receiving many queries/answers simultaneously.
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…