What is our primary use case?
The use case is for organization server patching, and we also use the asset management in a smaller capacity.
How has it helped my organization?
For what I use it for, the solution provides a single pane of glass with everything I need for endpoint management of all devices. For the most part, it lowers the amount of time required for manual intervention. It gives me more time to work on other projects instead of consistently worrying about patching. Per week or per month, it's saving me a good five hours.
What is most valuable?
One of the most valuable features is that it natively patches third-party applications and not just a core operating system.
It's relatively easy to use and most of it is pretty intuitive. They've made things a little more involved now with the agent token that needs to be used. That means installing it from a server, from the share, is not quite as simple as it used to be, but once you know how to do it, and that it's something that has to occur, it's really not a problem.
It enables IT asset management, compliance, software asset management, mobile device management, and patch management, although we don't utilize the MDM. That's mainly due to our security requirements. But the IT asset tracking is a big segment.
And the software asset management has been a big help, even when it comes to license true-ups. I can use it to find out how many Tivoli we have, and boom, there's the number. Even if it's reporting a number that might be a little higher than what it actually is, because it's looking for one component, it gives you a good first-hand look. As a result, we know there's something out there and this confirms we've got five of them. And you can actually click on the information about the software and it shows, for example, that these five servers are where it's being reported. If you really want, you can log in to them and validate. We have used that quite a bit.
Another segment that has really helped out is where you go in and actually use the distributions. We might have a situation where we need something installed on all 237 servers by tomorrow. I'll just go in and do a managed installation and have KACE push it out. So far, that's been pretty successful. I wish it had a little bit more ability to allow me to put something in there without saying, "Okay, we're already aware of this software. What file do you want to use?" It would be nice if it let me type it in and prompted me, when needed, saying, "We've already found that. Do you want to use this one? Yes or no?" But it hasn't kept me from accomplishing what I intended. Overall, the distribution is a pretty nice feature.
What needs improvement?
My biggest complaint is that almost every time they send out a new version, it fixes something and breaks another. Something that wasn't working in the last version now works, but something else stops; or they'll remove some dashboard that I really found to be nice and replace it with something totally different that I could care less about.
Another example of this would be that there is a set of agents where the communication between the agents and KACE is very consistent, and the patch numbers are very good. And then there will be a new agent which they say fixes this, this, and this. But then, all of a sudden, my patch numbers go down and the communication isn't as good, or they're timing out more.
An additional instance of this is that it used to be, when you were patching, you would see how many succeeded and how many failed. You would also see which patches had failed and had reached the maximum number of attempts. Connected with that, there used to be a "reset tries" feature and that was nice because you could actually reset the attempts and KACE would try those patches the next time. Now, although "reset tries" is still there, it's grayed out. It doesn't function.
It affects usability because every time you upgrade, you don't really know what you may be getting yourself into. I wish they'd be a little more consistent and make sure it's only getting better, rather than their saying, "We had 15 known issues in the last version. In this new version, we're offering these new things, but we've still got 15 known issues."
The installs are generally very easy. You just say, "Okay, go ahead, upgrade," and they seem to run fairly smoothly with no problems. It's just that after you've done them, you have to see what is working and what's not working.
For how long have I used the solution?
I have been using Quest KACE Systems Management for five years.
What do I think about the stability of the solution?
On the whole, the stability is good. Once it's up and running, it just pretty much runs. There aren't really system crashes or anything of that nature. It's a solid system that really does not encounter failures of the system itself.
What do I think about the scalability of the solution?
Scalability is available. I have not experimented much with some of the options. For example, you can have a system at this site and have another site that doesn't have an entire KACE, but just a file share where KACE can put patches as well. Instead of servers at that site going all the way to your primary site, they just pull the patches from that local repository. Theoretically, that helps. So it can be scalable if you so choose.
In our environment we manage 237 servers.
How are customer service and support?
Their technical support is good. They're very prompt. Quest has been very quick in responding to any support cases or questions. And most of the time, the answer is very straightforward and easily executed or easily understood.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did use something that KACE replaced, but I don't even remember what it was.
SCCM is what we use for workstations, but not for server patching. We do have WSUS (Windows Server Update Services) running as a backup in case we want to use Windows Update. We do have other options available, but for servers, KACE is the primary patching system.
How was the initial setup?
I was involved in the initial setup and I found it to be relatively easy. It was pretty intuitive and straightforward.
Bringing it online to the point that I could log in took 45 minutes to an hour, and that included making sure I had DNS records so that the URL was resolving, and putting in the IPs and gateways, et cetera. All of a sudden, boom, it was up and running.
After that, it was a matter of making sure that patches are actually downloading properly, and that the agent installs are checking in and everything is working properly. So getting it all tuned and set the way we wanted took two or three months, but the initial "it's technically functioning" was just two or three days.
What was our ROI?
We have realized a return on our investment with the solution. We are more stringent than the NSA as far as security goes. We run weekly security scans on our systems and we're consistently bringing in third-party organizations to do red-team tests where they'll try to hack in and do a lot of things to test us. Since Quest KACE Systems Management patches not just the operating system, but can also patch third-party things like Java and Wireshark if an update is detected, overall it handles everything that's detected. If possible, it will attempt to patch it.
What's my experience with pricing, setup cost, and licensing?
The cost of KACE has been relatively low compared to other systems. Even if those systems have the same cost, they do not do as much of the third-party patching that KACE natively does. With a cost of less than $4,500 a year, it's been very good.
The pricing model is fair and fine. I wouldn't change anything about that.
Which other solutions did I evaluate?
We looked at SCCM and Qualys.
One of the reasons we went with KACE was cost.
Another was that it patches third-party applications natively. Certain systems tend to need native operating system patching only. You can download something like a Java update and then "package it" for installation. But with KACE you can say, "If you find it and it's critical, recommended, not superseded, and it's detected on our system, download it and patch it." It's nice that it's doing third-party apps and not just the operating system.
What other advice do I have?
If you're considering KACE for a large environment, come up with smart labels and patching schedules that are going to fit the number of systems that you have. The scheduling really comes into play, especially now with Windows having bundled patches. As a result, you're downloading a 1- or 1.2-gigabyte file to update the server, versus between three and seven 2-, 3-, or 5-megabyte files. When there were multiple files, even if two of them didn't get uploaded, the other three did. If this one large file times out, it just does not patch. So scheduling the time to stage those and deploy on a different day is really important.
I wish we had the ability to use the mobile asset tracking and bar coding. Those are things that have been a real void in our organization. At least we are utilizing KACE for the servers and we manually input barcodes or serial numbers. Having the option to use a KACE app to input that information is nice and would save a lot of time.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.