Richard “Billy” Wesley, IT manager for the Division of Student Affairs at Virginia Tech has been relying on Kaseya VSA for over 5 years to help manage IT operations for his group.
This division oversees IT support for housing and dining and facilities and student services. Kaseya spoke with the 14-year university veteran about IT issues and the role that VSA plays in making things run smoother.
(Questions from Kaseya have been bolded and italicized)
What prompted your group to move to VSA?
Wesley: I was working with another part-time person managing the resources for what is now Student Engagement in Campus Life. Somebody left unexpectedly and left a lot of knowledge that was in their head. That was a problem.
There wasn’t a lot of documentation and there wasn’t somebody to back that person up that knew how to take the reins. We did an internal audit and realized these folks needed a full-time backup. It could be kind of expensive to hire another full-time person for every full-time person. We decided to consolidate the different IT areas in the division — which is what we did.
We realized we had resources all over the place managed in lots of different ways. We had two different domains, and different Active Directories. We had computers managed by two different areas that might be just down the hall from each other. We needed something to bring all of those end points together.
A colleague said there’s something at Kaseya I should look at. We thought this might be good for us so we gave it a shot and we’ve been using it ever since.
What’s unique in terms of your IT environment?
Wesley: We work with student workers that are working within the student unions or in the dining halls. A lot of students don’t need access to our systems, but in some cases they do. One of the challenges we face is bringing those students on board into our systems, and then off boarding them when they leave so they don’t have access to stuff they don’t need anymore. Student turnover is pretty quick. Students come in, they work for you for four years and leave. Or students work in one place for three months, then work in a different place for four months, or they’re working at two different places at the same time. That’s a challenge.
How does Kaseya VSA help you meet that challenge?
Wesley: We use automation in the service desk. When I get notices from managers whose accounts need to be turned off or disabled, I’ve got automation. I use a particular status within the service desk that’s called off board. When I change those tickets into that status it automatically fires a note off to the HR department so they know these people are leaving in case they want to do an exit interview.
We have plans to implement the opposite of that, onboarding to create an online form for creating new accounts that integrate into the service desk to create tickets for us automatically so we know what kind of access a certain person needs or where that person is going to be working.
Let’s tackle off boarding. It’s a resource issue but mainly it’s a security issue. You don’t want people that have left to have access to internal systems. All kinds of crazy things can happen.
Wesley: That’s spot on, particularly with students. When you come into the campus you get an account which is in the main domain. Those accounts never really go away. You could be a student for four years, graduate and come back and work here and still be using that same account. If nobody ever said this person doesn’t work for us anymore, that’s a problem. The further off it gets the harder it is to see what’s going on.
How are you using the service desk to solve issues amongst end users?
Wesley: We use it is as a normal help desk system as far as the end users are concerned. We have the agent icon setup so when they double click it goes into service desk and they can create new tickets. They click in and we associate said agent with said person depending on which computer it’s on so we can see where they’re coming from. We have their phone number, their location, their name, what they need and the ability to expedite that out to our service desk technicians quickly so the task gets taken care of.
There are two issues there; one is the ease with which an end user can alert you to a problem and you know who the user is and what the problem is, but VSA also helps remediate those issues.
Wesley: Once service desk has done its job and we’ve got the ticket in and categorized, Live Connect allows us to quickly get to a person’s computer. It keeps us from having to use what we refer to as ‘sneaker day’ where we run across campus.
If there’s a foot of snow on the ground, I can just remote into somebody’s computer. I can even run things in the background without them even seeing what we’re doing so we don’t have to interrupt their work.
With VSA 9.4 and Live Connect you can manage computers that don’t have an agent installed.
Wesley: We’re excited about that as well as the ability to run packages right out of Live Connect. We have a few PowerShell scripts we run from time to time and it would be nice to be able to package those and fire them off straight from Live Connect.
Do you use the self-service features within VSA so if somebody has a simple problem like trying to install a printer driver you don’t need a tech to do that?
Wesley: We don’t have that. I suppose that if we implemented some sort of agentless thing to do those things we could. We don’t tend to give any sort of administrative rights. As far as printers go, we have group policy and we have OUs so if a particular computer needs printing the group policy fires off and it automatically installs.
What functions within VSA are most useful to you as an IT manager?
Wesley: Live Connect the biggest thing. It helps service desk technicians get to computers quickly and drives them in the direction of how we’re going to do things, whether they have certain agent procedures that we can fire off to fix a particular thing. We use it to manage all of our end points so we use it for doing third-party updates. With Java, whenever there’s a new version we have an agent procedure we run to update the installers. We also use it for inventorying, auditing and patching — those are all big things for us.
The number one way hackers have successful exploits is against unpatched computers because they can dissect the patch, figure out what the hole is, and develop an exploit to go against that hole.
Wesley: It’s nice to see what patches we have and how many of those patches have successfully installed to local machines. We have about 800 end points and the majority of those are desktop computers.
Have you been involved in patching computers without a patch management tool, and trying to do it on a one-by-one basis?
Wesley: Back in the day when we had to do patching, we had to go to each office and each computer and check the updates and run the updates. It takes a lot more time, a lot more manpower. VSA has saved us an immense amount of time.
You mentioned the auditing was high on your list. Can you walk me through why that’s important and how VSA provides that function?
Wesley: With auditing, once you have the end point and the agent, you can scan the end points and it brings in a whole bunch of information about the hardware, the software, printers, and network connections. When you have so many computers that you don’t see each one every day sometimes they slow down or you see that some are not coming online. The information within the auditing module can help you deduce what’s going on. You guys must work with Dell quite closely because we use mostly Dell computers. In the audit module with the service tags we can just click right out in there to Dell’s website for that machine and see warranty information, when it was bought and other things which are quite useful.
Can you talk about IT automation?
Wesley: Automation is using technology to complete tasks without the need for human intervention. That’s one things I’d like to see us do more of.
And you apply automation to patch management?
Wesley: Since we can set up silent installs and have the system do it for us, we can schedule it at times when folks aren’t at work. They aren’t at their desks if we need to reboot the computer. We can schedule those things at nights or on the weekends and can also make sure that the same process is happening on each machine.
With our Java updater, we check registry keys to see if Java is even on their machine. I can run the update, it will check and see if there is a registry key, if it says Java is on this machine so go ahead and uninstall the current version and install the new version. If it doesn’t see it, or that we don’t want Java on this machine, it won’t install it. With applications like Java, it’s better if they’re not installed in the first place.
With the patching, you can easily tell what machines are patching. Probably 90-95 percent of the machines are up to date with patches. Before VSA, that was a hard number to gauge. By the time you got to every machine and patched it you would turn around and have to start over patching them again. Those kinds of statistics really show value
So doing things in the background and automating IT functions benefit end users?
Wesley: With IT, if the systems are doing what they’re supposed to do then the organization doesn’t tend to notice. We just want users to be able to do their job, and find their data because information sharing and information storing and things are a big part of our job.
Is there a way you can see or maybe even measure that end user satisfaction?
Wesley: We have a customer satisfaction survey automatically sent out from service desk when tickets are closed. We have around a 98 percent satisfaction rate. So yes, people do notice.
Do you track data about end user service?
Wesley: We do track the numbers. We’ve been using VSA for five or six years maybe and just with service desk, we’ve closed 10,000 tickets that were opened in that timeframe. That’s probably only capturing 65-70 percent of the actual tasks that we’re asked to do.
Do you go back and look at the types of tickets that have been filed and see common problems that you can fix once and for all so they don’t keep cropping up?
Wesley: Yes, we do. From a central IT perspective, we’ve been implementing Office 365 and SharePoint and giving the customer the ability to get in touch with us quickly so we can help them.
We talked about IT automation and you used the definition that is doing something you used to have to do manually. To my mind, if you’re not dealing with a lot of grunt work then you can be more strategic. You can think about where your infrastructure is going, and about new applications that you might want to bring on board.
Wesley: Those are good examples. Also it gives me and my colleagues more time to have a higher level view of the organization.
With turnover and people moving in and out of departments, being aware of that and having the time to actually interact is important. For instance, if I have a service desk technician with skills in a particular area and the skill is needed on one side of campus, I can staff that person over there. The time VSA has saved that can be used to learn more about the organization and how it functions is a huge benefit.
Are there technologies that you’re thinking about or that you’ve recently implemented that might have been tougher if you were spending all your time solving low-level computer problems?
Wesley: We have all sorts of systems on campus. We have event management systems that we use for reserving spaces and for our student organizations. We do upgrades to those systems as well as our dining systems. VSA gives us more time to focus on planning and upgrading the systems so they continue to function.
I understand you are using AuthAnvil for multi-factor authentication.
Wesley: We are using it for two-factoring into Kaseya VSA.
What was the impetus for that?
Wesley: A password is just something you know. If you have also a physical piece of something it makes it much harder to crack. If you can log into our VSA, depending on the account you have access to, you could get to all of our end points and that’s a problem. We use AuthAnvil to make sure it is more secure to get logged into our VSA so nobody can sabotage our systems.
How does it work exactly?
Wesley: We use YubiKey and so we have our soft tokens that are assigned to us and we use our AuthAnvil server to either reset or manage the soft tokens to the YubiKey for the users.
Let’s say I had a part-time tech person leave. They would return their YubiKey, we would reset the soft token by the serial number. When you log in, you put your username and password in but then you also have to do a PIN and a tap on the YubiKey in order for it to allow you access the system.
So it’s one little extra step but it’s well worth that minor inconvenience?
Wesley: It’s easier. If you access a domain controller and you need a 64-character password that is all sorts of different letters and characters, it is easier just to have that second form of authentication.
I understand you take advantage of custom fields?
Wesley: We use custom fields within the audit module to help us with our inventory. There’s certain types of information we need to be get out of the system quickly to make sure that our inventory matches up with the inventory of our central system.
Through the auditing you’re collecting information on the end points. Are there certain things that you do with that information, whether it’s for compliance needs or to report up to the IT folks that your group reports into?
Wesley: If for some reason we need to replace computers it gives us a good idea of what computers are older and what computers have warranties that have expired. Most of the reporting I’m doing now is pulling the inventory out of our system so we can send it over to our fixed assets folks. They can compare and make sure the inventories are up to date so that we don’t have to update several different systems on our own.
Does VSA help your group with budgeting?
Wesley: It does. We could know that we have 30 machines that are going out of warranty next year, and we probably want to replace these. We know what kind of machines they are and our budgeting folks can make decisions as to whether they’re going to need the same type of thing or needs to be changed.
With your tight control over these endpoints it seems like they’re not going to have the problems that a lot of unmanaged desktops have. These fall apart because they’ve been hit with viruses and whatnot and you end up reinstalling the operating systems because the performance is so bad. Do you find that you have more stable systems because they’re so tightly managed?
Wesley: That’s a yes. We’ve had a lot fewer instances of machines being compromised since we brought on Kaseya. That’s because we monitor them so much closer.
Does VSA gives you deep insight into end points?
Wesley: The nice thing about the single pane of glass, particularly within the account managed agent view, is you can manage which columns you’re seeing. I can see the computer, the IP address, what building it is, where it is, what agent version is there, and what operating system. I can see so much information that is pulled straight from those machines with the agents.
Want to hear more? Read the full Case Study with Mr. Wesley and Virginia Tech here.