No MBAM, and no, users cannot disable or manipulate BitLocker. That's handled via GPO and Active Directory. It's integrated into AD and they used a PIN and it's TPM enabled. Group policy controls what they can or can't do - and we have it set so they can't do squat except get past "the bitlocker screen" and then log into Windows.
And no, SCCM doesn't do the suspend, we had to run a batch process, basically it's just a single command line like a batch file - SCCM is told to run that command, then run the updates/installs/patches. It's not native in SCCM. (*unless that has changed with 2012 but that won't matter as SCCM is going bye-bye soon. I think that 2012 SCCM actually did do that, 2008 did NOT.)
To clarify - we aren't looking at the entire suite, although I'd LOVE it if we did. I have to assume it's just too costly - I mean the underlying server part has to be a biggy, then each other item is an individual plug-in we have to purchase separately - I doubt we'll be getting much beyond Patch Management, although from these responses it appears we may be forced to.
We are looking for replacement for the SCCM patching and updating part AND a way to push software installs (inventory would be great, things get lost, things appear on computers that should not be there although I do lock things down a lot with SEP's application control).
We need a good way to keep the 300 computers we have patched and up to date for security fixes, patches, updates, etc. and push software if needed.
For example - Flash, Java, Google's Chrome browser, Acrobat Reader (although that's going away too thankfully and is being replaced by Foxit Reader), and Windows of course, and Office.
We need to be able to push out patches, security updates and fixes and so on for those products.
AND - push software installs and push software updates or upgrades.
We recently had major issues with Dragon Naturally Speaking - a version they told us to use was junk, failed constantly, so they said here, use this one instead - for that we'd need the Software Management Solution, correct?
So at first I was seeing conflicting information or replies, now that I've read further, it appears that Patch Management can NOT run anything BUT patches, there are no provisions at all for passing a single command line, just one little line to suspend BitLocker? (uh, one reason we need to do that is because users can't, nor can they re-enable it later!)
No, as far as this -
>>but as you're aware Altiris is a script delivery engine at its heart<<
No, I still know extremely little about Altiris but I knew *nothing* about it at all until I was told to try to find a replacement for SCCM's patching/updating abilities.
I had heard the name, but had no clue what it was, who owned it, what it did, and still mostly do not. This is new. It would be like asking me to perform operations on some HP Mini - LOL - I wouldn't even know how to get into one. I know SEP inside and out, this product is as foreign to me as trying to speak Chinese.
I guess that's why I'm asking such basic stuff - I have no clue what this thing is or does, but need to learn FAST - boss wants a decision this week!
Is this a product absorbed by Symantec? Or their creation? Or an acquisition they have integrated into the fold and modified for their needs? (nothing against any of that, we would have not had SAV-CE and then SEP had they not grabbed Intel technology years ago.)
So, to get this straight, Patch Management can NOT:
Install other software, it only patches that which there are security fixes or patches for.
Run a simple command, Run a script, Run a batch or command file
Upgrade IE from 9 to 10 or 11 (even though technically speaking IE10 and IE11 ARE SECURITY PATCHES for Windows and are not software installs or upgrades, please see image below - it's a security update for Windows according to Microsoft, not an installed application. Check your Windows 7 control panel.)
To install apps, Andy seems to answer that with this:
>>I'm not sure Patch Management Solution will let you upgrade IE, you might need another component of the Client Management Suite, Software Management Solution, to accomplish that. Traditionally Patch Management has been to patch existing applications, not upgrade them although this has been relaxed.<<
We would need Software Management Solution, that makes sense and I'll take a look at that. We'll see how pricy that is, and what it can do, too - we DO need to push applications - SCCM used to do that when we could figure out how and force it to. SCCM faltered a LOT at software installs or pushes.
Andy also touched on something I'm trying to get my arms around - he mentions it here:
>>Separate from the targeting of patches is the application of them - this and the reboots can be scheduled; this too can be different for different groups of PCs. You can even schedule the install for, say, 2030, and then they will just be staged on the client and you can trigger the install manually via the agent when it suits you.<<
Targeting - I assume that's saying ok, we have patches A, B and C, and computers 1, 2 and 3, where computer 1 needs A, B and C, computer 2 only needs B, and C needs nothing - is that about right? Targeting - that would be Patch Management itself figuring out what patch or update to shoot at what computer?
Staged on the client - The patch is copied to the client, staged, it's there and ready, just not applied - because you have set the install for the future. It's there, but not installed because 2030 isn't here yet, but you can then later trigger the actual install manually per computer or group (or set the install date for just 7 days away and hit that the next weekend).
Could this be useful, perhaps for a major patch or fix that takes a lot of time to get pushed out to 33 remote offices across the WAN, too late to actually let it INSTALL because we are coming up on production hours - is that a scenario where that may be used?
I think I've gotten close to the basics thanks to all the responses that took into account I'm a total beginner with this product and Altiris in general. I knew nothing about it until 3 or 4 weeks ago and frankly still know very little about it. I'm more the SEP expert, network security administrator - so I guess it makes sense this would fall to me to investigate, trial and see if it will work for US, evaluate, etc.
I've not done anything with it yet but would really need to get a true actual live TEST going - we have computers that are months behind because the one person who knew anything about SCCM is gone now, no one else knows it, and it never really worked anyway. Never has.
So I'd like to actually pick 6 or 10 computers, figure out how to get at least THOSE patched and current, then can tell the boss yeah it works, but know HOW to do it!
There appear to be several things or stages or steps - but I'm getting there.
At least now I know what it can and can't do, and it's all reasonable.
Big thanks for those responses thus far!
Oh, IE 10 - it's a patch, not an application install - check your Windows 7 control panel ;-) - it won't be listed until you check display security updates in the programs and features part. It might fly if that is the case...........???????