Firm eases pain of patch management for mobile workers

Shamus McGillicuddy
Microsoft's release earlier this month of 13 patches has more than a few CIOs searching for a bottle of aspirin.

Two bottles, if you're a CIO with a large mobile workforce.

This patch release, which addresses issues in Windows, Internet Explorer, Exchange, Media Player, PowerPoint and Word, was the largest from the software giant in more than a year. The sheer volume had IT departments scrambling to evaluate and deploy the patches. And few were without incident. In fact, within a few days, users started reporting that one of the patches was preventing them from using dial-up Internet connections.

But Tom Lenz, IT director of the accounting and business consulting firm Wipfli LLP, claimed to have had very little trouble deploying the critical patches on his systems.

That would not have been the case a few years ago, when Lenz was relying on Microsoft's Software Update Services to deploy patches to his company's employees. Seventy-five percent of Wipfli's 700 associates are laptop users who often work off site with clients outside the company's system. It was difficult to push patches out to those remote workers, and nearly impossible to know whether the patches were installed successfully.

He said his staff had to check machines manually to make sure they were up to date. The process was labor-intensive.

"We found it took quite a bit of care and feeding to operate effectively," Lenz said. "There was very little reporting."

However, Lenz took a new approach in May 2005. He purchased Endpoint Policy Management from iPass Inc., a Redwood Shores, Calif., mobile workforce solutions provider. The service interacts with most enterprise management systems to manage mobile devices. When a remote worker logs onto the Internet, Endpoint detects the device, assesses it and updates any outstanding patches and antivirus protocols.

Lenz says the improvement in his company's ability to distribute critical patches has been remarkable with the iPass solution. Prior to using Endpoint, Lenz estimates that only 30% of Wipfli's computers had every critical patch applied. "Now it's consistently 98%," he said.

Companies with complex IT environments and a large number of mobile and remote workers often find the deployment of software patches labor-intensive and incomplete.

Chris Christiansen, vice president of security products and services at IDC, said companies with complex environments and large mobile workforces need a sophisticated approach to patch management.

Christiansen said a company that has a limited number of mobile workers and a system that runs only Windows software can get by with more common approaches to patch management. But if a company is running software from multiple vendors, it needs a more robust solution, even if it is more costly.

"You have to get patches from multiple vendors, and they don't always come out at the same time," Christiansen said. "There might be a complex order that they must be loaded in, or they may have conflicts with other patches."

Lenz said using Endpoint Policy Management has allowed him to streamline his patch management operation, reducing the amount of time spent managing patches by 30%.

"We have IT staff in six of our 17 offices," Lenz said. "Previously at least one person from all six locations was involved in deploying patches. Now we have two people who share the load firm-wide. They deploy all the patches and monitor them."

The process of assessing and testing patches before distributing them has also improved, Lenz said.

"We meet every Wednesday, the patch management team, and go through each patch. We look at the rating, decide if we need to push it out or not. After that meeting we push all the patches that apply out to a test group of 30 people."

The test group of 30 people represents all the different business units and functions of the company so Lenz can see how each patch might affect different parts of his organization. If the test group goes a week without any problems, he then pushes the patch out to all employees.

"Before iPass, we had a smaller test group," Lenz said. "It was much smaller and not as representative of the company. It was only IT staff. We were not able to have all the functions of the firm represented, so we didn't have a good idea if we should expect issues when we pushed it out firm-wide."

Lenz said the biggest change for him has been the level of his confidence in his department's ability to push patches out consistently.

"When I'm reporting to my CEO that 98% of our machines are patched, I'm more confident. I feel better about that report."

Let us know what you think about the story; e-mail: Shamus McGillicuddy, News Writer
