Updated: 18/07/2024

Remote Monitoring and Management (RMM) software is everywhere. In the early 2000s, when Microsoft only really catered for large enterprises in this area, a gap was left in the market for third-party products to solve a basic business problem:

How do I manage these endpoints?

What is RMM?

RMM software typically takes the form of an agent installed on the Windows device, which then allows the IT admin to manage:

  • Windows Updates
  • Third-party software updates (not all do this)
  • Software deployments (to some extent)
  • Device health reporting
  • Hardware/software inventory reports
  • Script deployment
  • Remote control

Who uses RMM?

Lots of people, from internal IT departments to managed IT service providers (MSPs). I’d argue there is more of a use case for MSP usage than internal usage, since many RMM providers offer a single dashboard to highlight issues or push configuration changes across an entire client base in one sweep.

MSP usage

In addition to centralised endpoint management, MSPs also have an intellectual property incentive to have RMM software; it allows them to build their computer management strategy away from what the customer and competing IT companies can see.

Suppose you decide to build your whole endpoint management strategy in Microsoft Intune. The M365 tenant belongs to the customer, so any configuration work you do there belongs to them. If they get a new IT provider, that provider takes over the management of your original configuration.

If the MSP builds its patching, scripting, and monitoring strategy inside the RMM, that belongs to the MSP. There is no obligation to hand it over.

RMM software typically links to the MSP’s PSA tool (too many initialisms going on here, but that’s the Professional Services Automation tool, also known as the ITSM or IT Service Management tool, or simply the ticketing system they use). The benefit is that helpdesk administration time goes down when the incident ticket is linked to the endpoint. Over time, the MSP collects data about which endpoints are generating tickets, which better informs how to manage that situation.

So RMM software is pretty integral to an MSP’s main goal, which the MSP doesn’t vocalise very often: they want to charge you as much as possible and hear from you as little as possible. The second you pick up the phone, you are eating into their profits. Automation and clever management are key to success and growth in this industry. That is certainly not to say they can’t work to a high standard; it is mutually beneficial to get this stuff really slick.

Is RMM software bloated?

Irrespective of the RMM you choose, let’s think about the current market for that type of product.

In general, many of them have been around since the early 2000s and have continued to develop from there. Elements of Windows XP/7 management strategy are still embedded in these solutions even for new purchases; I’ve seen real examples of scripts that still attempt to resolve Windows 7 issues, or that read log files checking for MS Lync presence on Windows 10.

They also spew loads of information about CPU/HDD/RAM usage and process activity. How relevant are automatic alerts for high RAM usage these days? Some of the visuals look extremely dated; I’ve seen speedometer-type graphics to indicate CPU speed. I’d imagine back in the day it would be genuinely useful to know why a desktop was going slow (because it was hitting the page file due to low memory, for example), but these days, who really cares?

I’ve been on those demos with RMM providers. They show you all the information you can gather with this new tool, but this is largely unchanged since launch, and your techs won’t bother making use of these features, trust me.

With modern hardware being so good, the end-user will call you if their machine is acting up, and that is rarely because of poor hardware.

“Scripts”

A common reason I hear of people having RMM software is to run daily scripts. An uncommon thing I hear is the genuine usefulness of what these scripts are doing to each endpoint.

If we take a standard Windows 11 endpoint out of the box that has recently been configured to meet the end-user requirement, what could you possibly need to run on that machine daily to help it operate effectively? I’d wager a daily script is usually a duct-tape fix for a line-of-business app that hasn’t been upgraded or is out of support. RMM isn’t the solution here.

The theme is that RMM software is potentially being used as a vehicle for technical debt, and it distracts focus from the important stuff: security.

Cloud-Native Management

As someone who spends nearly all of their professional time trying to get people to move over to Intune and Defender for Endpoint, I see very little benefit to the role of RMM software once I’ve finished configuring the first-party toolset to the full potential.

Intune for Windows is the only solution out there that truly integrates device management with the identity provider (Entra ID). I’ve seen examples of companies Entra ID-joining computers on M365 Business Basic/Standard licences (neither of which includes Intune) and having the RMM pick up the other management tasks.

Device Security

The big learning curve with Intune is how much of it points towards endpoint security configuration. There’s an entire Endpoint Security blade. Group Policy never presented things this way, and it isn’t there in most RMM products. What are we supposed to do with it?

The answer is simply to plan and implement these configurations. RMM products aren’t the answer here; they are marketed as “knowing about the bad stuff before the client does”, but how effective is that if there is no solid security baseline on the endpoints in the first place?

We have to challenge the big vendors with this stuff or their products won’t adapt. But to be realistic, most of the world doesn’t care and it is out of our hands.

Let’s focus on the stuff we can control (feedback I’ve had far too often, both personally and professionally 🙂).

What does endpoint security look like?

It looks like Microsoft Intune. There are no other secrets to be told. To be the most effective in endpoint security for the foreseeable future, you need to adopt Microsoft Intune as your primary MDM.

In a sentence, deploy baseline configurations designed to prevent accidental or malicious actions which may cause identity or endpoint compromise.

I’ve linked this before, and I’ll link it again – SkipToTheEndpoint

The Open Intune baseline is largely a collection of Settings Catalog configurations that will give you a good starting point from the endpoint security stance. From there you can tweak and work out your custom business requirements.

It covers:

  • Device restrictions
  • Compliance policies
  • Windows Hello
  • BitLocker Drive encryption
  • Data loss prevention for Chrome/Edge (preventing consumer account sync)
  • Antivirus scanning policies (assuming you are using Defender for Endpoint)
  • Cyber Essentials basics (screen lock, disabling Autoplay, etc.)

Think of it as a modern equivalent to the Group Policy packs that Microsoft provide for on-premises environments.

Keep in mind that if you switch to Defender for Endpoint as your primary AV/EDR, you’ll also need to configure the Microsoft Defender portal, since onboarding and parts of the security configuration live there rather than in Intune.
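Deploying the baseline is half the job; the other half is proving it landed. Below is an added example (not from the original post or from the OpenIntuneBaseline project) of an Intune custom compliance discovery script that checks four of the items listed above on the endpoint itself: BitLocker on the OS volume, Defender real-time protection, Autoplay disabled, and a machine inactivity lock. The registry paths are the standard Windows policy locations; the 15-minute lock threshold and 3-day signature age are assumed thresholds, not values the page specifies.

```powershell
# Added example: Intune custom compliance discovery script.
# Intune runs this as SYSTEM and expects exactly one compressed JSON object as
# output; each key is then matched against a separate JSON rules file.
# Thresholds (900 s lock, 3-day signature age) are assumptions for illustration.

$ErrorActionPreference = 'SilentlyContinue'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. BitLocker: OS volume fully encrypted and protection switched on
#    (a suspended protector still reports FullyEncrypted, so check both).
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitlockerOk = ($osVol.VolumeStatus -eq 'FullyEncrypted') -and
               ($osVol.ProtectionStatus -eq 'On')

# 2. Defender: engine and real-time protection enabled, signatures not stale.
$mp = Get-MpComputerStatus
$defenderOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
              ($mp.AntivirusSignatureAge -le 3)

# 3. Autoplay: NoDriveTypeAutoRun = 255 (0xFF) disables AutoRun on every drive type.
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$autoplayOk = ($autorun -eq 255)

# 4. Screen lock: "Interactive logon: Machine inactivity limit" set, and no
#    longer than 15 minutes (assumed threshold). Zero means "never", so reject it.
$timeout = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$screenLockOk = ($null -ne $timeout) -and ($timeout -gt 0) -and ($timeout -le 900)

$result = [ordered]@{
    BitLockerOsVolumeProtected = [bool]$bitlockerOk
    DefenderRealTimeProtection = [bool]$defenderOk
    AutoPlayDisabled           = [bool]$autoplayOk
    ScreenLockWithin15Minutes  = [bool]$screenLockOk
}

# Intune requires a single compressed JSON string; anything else fails discovery.
return $result | ConvertTo-Json -Compress
```

Each key in the output needs a matching rule in the compliance policy’s JSON rules file (SettingName equal to the key, Operator IsEquals, DataType Boolean, Operand true, plus a remediation string shown to the user). Devices that fail any rule drop to non-compliant, which is what your Conditional Access policies should key off, so the check turns the baseline from “configuration we pushed” into “state we can enforce access on”.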

The future role of RMM

Assuming you’ve covered all bases with Intune, I see RMM existing for a few reasons currently:

  • Third-Party patch management

Microsoft offer Enterprise App Management as part of the Intune Suite, but this isn’t something I can see many MSPs adopting just yet. The closest commercially viable alternative is what PatchMyPC offers: they integrate third-party patch management into Intune, so apps are updated in your tenant by their tooling and delivered to the endpoint in the normal Microsoft ways (and they are the best at doing it, in my view).

  • Centralised reporting

Having an agent on all your devices for hardware and software reporting can be useful, especially for ensuring compliance for regulatory reasons. Intune reporting takes a lot of human effort to become accessible.
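Much of the inventory an RMM agent collects is already sitting in the Intune managed device records; the effort is in getting it out in a usable shape. Below is an added example (not from the original post) that pulls a Windows inventory straight from Intune via Microsoft Graph and separates the devices that need attention from the full list kept for audit evidence. It assumes the Microsoft.Graph PowerShell SDK is installed and that you can consent to the DeviceManagementManagedDevices.Read.All scope; the 30-day staleness threshold and the output file name are assumptions.

```powershell
# Added example: Intune device inventory via Microsoft Graph (no RMM agent needed).
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement are
# installed. The 30-day "stale sync" cut-off is an assumed threshold.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$staleBefore = (Get-Date).AddDays(-30)

# -All pages through the whole tenant; filter to Windows client-side so the
# same query works regardless of which server-side filters a tenant supports.
$devices = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -eq 'Windows' }

$report = foreach ($d in $devices) {
    [pscustomobject]@{
        DeviceName      = $d.DeviceName
        User            = $d.UserPrincipalName
        Manufacturer    = $d.Manufacturer
        Model           = $d.Model
        SerialNumber    = $d.SerialNumber
        OsVersion       = $d.OsVersion
        ComplianceState = $d.ComplianceState
        IsEncrypted     = $d.IsEncrypted
        LastSync        = $d.LastSyncDateTime
        # A device that has not checked in is not really "managed" any more.
        StaleSync       = ($d.LastSyncDateTime -lt $staleBefore)
    }
}

# The short list your techs actually need to act on: stale or non-compliant.
$report |
    Where-Object { $_.StaleSync -or $_.ComplianceState -ne 'compliant' } |
    Sort-Object ComplianceState, LastSync |
    Format-Table DeviceName, User, OsVersion, ComplianceState, IsEncrypted, LastSync -AutoSize

# The full inventory, dated, for regulatory or audit evidence.
$report | Export-Csv -Path ".\intune-windows-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run on a schedule from an automation account and you have the hardware report, the encryption status and the “who hasn’t checked in” list without another agent on the endpoint. Software inventory is also exposed through Graph (the detected apps collection), so the same approach extends to the application report if the compliance regime asks for it.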

  • Servers

Managing servers in the Microsoft ecosystem is a particularly murky topic. There’s nothing out there like Intune for it, and the effort of learning to onboard with Azure Arc and manage with Defender for Cloud, for so few devices, makes the RMM decision quite easy.

First-Party

There is a real use case for not using anything third-party. Suppose your users only use M365 apps, PDF readers, and web browsers. This can all be updated automatically using M365 Business Premium/E3/E5.

For Office – https://learn.microsoft.com/en-us/deployoffice/admincenter/overview

For PDF readers, rely on what’s included with Edge, or push the Store version of Adobe Reader via Intune so it updates itself through the Store.

For Web browsers, configure their policies using Settings catalog to tell them when to update.

For Windows Updates, nothing does this better than Intune using either Autopatch or Update Rings.

Takeaways

  • Learn your tools, resist the urge to buy new products
  • Focus on preventative security measures rather than reactive alerting
  • If you’re considering Intune, buy it as part of a bundle SKU like Business Premium/E3/E5 and then start looking at all the other stuff available to you
  • Talk to others, the message on endpoint security and management is rapidly changing – go to conferences, join IT communities, engage with Microsoft MVPs in this space on LinkedIn.