Our scenario is that we (IT) manage all computer & system updates and we also do not allow the end user to install any software. At our church, this became a necessary evil a few years ago because folks were installing anything and everything (Weatherbug, anyone?) and not paying attention to those check boxes of what not to install. And we had folks who would wait months to run any updates on their computers. Numerous times we spent hours working issues caused by installations and update issues, even rebuilds on PCs.
So, fast forward to now.
What are you guys doing to manage computer, server, system updates in today's church IT? And, no purchasing of systems to manage updates for us either.
Hope your ticket system supports recurring tickets.
If you really, really can’t afford to spend any money you can actually get pretty far with WSUS and a periodic scheduled task to kill the user’s apps and run PatchMyPC in auto mode with saved credentials. Something like PDQDeploy is going to give you actual visibility and not be so clumsy to manage.
I would highly recommend WSUS for Microsoft Updates. And we use Ninite Pro for updates like Java, Chrome, etc. There is a lot of software that they support. It works with Active Directory, and only costs $20 a month for 100 PCs or less. I’m running it three times a week to keep most of the sub programs up to date.
We also have a 50/50 split of PC/Mac in our environment. I’ve run WSUS a lot in the past in other environments and like it, but it doesn’t manage updates for everything non-MS so it becomes more of a burden for us.
We actually get very few tickets. Our ticket count dramatically dropped when we took away the ability to install anything and did a ton of cleanup on computers. When someone doesn’t just toss on whatever they want because they don’t know any better, the issues caused by installing whatever dropped dramatically.
For around 45 computers/servers, we have 1 guy who spends about 15 hours a month keeping everything up to date. For network gear, we spend about 20 hours quarterly/bi-annually keeping things up to date.
Have used SCCM many times in the past. The last install was a 5000+ computer environment and it was a big help as we were constantly managing updates and software. I also like WSUS, but do not have the local server to host it on.
How do you decide what a “user” is allowed to install and not allowed to install?
Due to many issues and much downtime for both IT staff and the end user, we locked down computers and do not allow any installing without our involvement now.
WSUS for Windows updates set through Active Directory Group Policy.
For additional software we use ManageEngine Desktop Central with the Self Service portal. You can specify what end users are allowed to install. ManageEngine will also keep installed endpoint software up-to-date. I basically don’t have to touch the endpoint unless there is truly an issue.