Monday, December 19, 2022

Do You Still Need an RMM?

We get mail . . .

Daniel writes: 

Hi Karl,

I’m taking your MS in a Month course on demand, and I have some questions around RMMs. 

Given the recent (or not so recent?) and significant breaches caused by RMMs like Kaseya and SolarWinds, do you still advocate for using an RMM?

Why or why not?

If yes, What do you do/advise to protect yourself and your clients?

If no, What do you propose as an alternative?

-- -- -- 

Great question, Daniel.

Personally, I’m still a huge fan of RMMs. 

Let me take a step back in the evolution of Managed Services for me. For me, the evolution looked like this:

1) Develop a service based on regular monthly maintenance. Standardize this pricing.

2) Move these clients to a flat fee service based on regular monthly maintenance. 

3) Add tools to increase the number of devices that can be managed. This allowed me to increase profit dramatically because I collected the same amount per device (servers and workstations), but did not expend the same amount of labor per device.

This "roll your own" service included RDP to servers, VNC, alerts from Servers Alive, and built-in alerting from Small Business Server, backup software, and other installed software.

4) RMM tools/services then allowed me to bundle all those functions into one tool - and automate the deployment and management of anti-virus.

So, the evolution of managed services, for me, was a matter of relying on fewer tools over time while dramatically reducing the amount of labor it takes to manage users. At each stage, I managed more and more endpoints with less and less labor. The result was more and more profit.

The current fad of pretending not to use RMM tools is really just a reliance on Microsoft's RMM, plus various tools built into various services and software. Microsoft's RMM is either Endpoint Manager or Intune, depending on which day of the week it is. If you Google either one, you'll find it. I'll use the term Intune, although Endpoint Manager is more descriptive.

In some sense, this feels like a step backward, but it's not. Intune is extremely powerful. It requires a good deal of work to set up and deploy properly, but it's very well supported by Microsoft and is basically their "default" RMM product. 

This is a bit like stage three (roll your own) described above - but with fifteen years of evolution in products, services, security, consolidation, and ease of use. The biggest benefit of this approach is that Microsoft owns all the code and manages its evolution and support. You might also consider that its biggest weakness.

Personally, I like to use non-Microsoft tools to monitor Microsoft's security for the same reason that I want a non-Boeing employee to certify the safety of Boeing airplanes. (I love Boeing. I love Microsoft. That's not the question.)

There are three major points to consider when choosing an RMM

1. Where do you fall on the spectrum from 90% manual to 90% automated? Neither extreme may be possible, so there's no "100%" on either end. As with all technology automation, you are trading your labor for automation, and trading control at the same time. 

2. You still have to do a lot of work!!! This is actually where some MSPs are finding themselves on the wrong end of regulators: They sign contracts, deploy agents, and do nothing to monitor and verify that the agents are doing what they promised.

The goal here is to spend a small amount of labor to provide a large amount of value. (You are pricing on value.) The goal is not to spend zero labor and assume that the tools will take care of themselves.

The average good, brand-name RMM will give you lots of value and automation. But you still need to create processes and procedures to make sure it's installed properly, configured properly, updated regularly, secured, and working as reported. That's true of Intune or any other RMM.

3. The well-known attacks need to be kept in perspective. I believe the only people affected by the Kaseya attack were those with Kaseya servers onsite instead of using the cloud product. In fact, Kaseya knew about the vulnerability months in advance and plugged their cloud servers. The Solarwinds attack was actually on a very high-end product that is not used in the SMB market. It was not the Solarwinds RMM that you would ever deploy.

Also, consider the larger business context. My personal data has been compromised by every credit I've owned in the last ten years, my ex-wife's employer (many times), Target, Best Buy, Verizon, Yahoo, Facebook, LinkedIn, Marriott, MySpace, Twitter, Experian, Adobe, Equifax, eBay, Capitol One, DropBox, Tumblr, Uber, MGM, Zoom, my electrical utility, almost all online dating sites, and many others I'm not aware of.

The point is: We have to do the best we can, and we cannot stop using services because they might get compromised. Instead, we have to do serious due diligence to pick partners carefully. We need to thoroughly understand their services. We need to work to set them up properly, monitor them properly, and keep them updated. 

-- -- --

Bottom Line: I love a good RMM. It is the very basis of providing managed services because it allows you to provide the same value as doing everything manually without spending the labor to do everything manually.

In fact, I would go so far as to add a fourth point:

4. In the 2020's, you cannot provide appropriate monitoring, remote access, and patch management without an RMM. You can use Intune and say you're not using an RMM, but that's just legerdemain. 

The manual "roll your own" approach that I used in 1998-2003 is summarized in my famous 68-point checklist (Free here: But that checklist was once a month. Verify the security logs, disc space, and processor usage once a month. With any decent RMM, you can monitor these once every sixty seconds.

 More importantly, the world was a simpler place in 2000. Security was a concern, but malware consisted of frustrating and annoying behavior - not the actual loss of data and access to an entire network and all devices on it, or the payment of ransom. 

In my opinion, you have to have an RMM in the modern era. Just be sure to do your due diligence in picking a good one and using it properly.

Comments welcome.


No comments:

Post a Comment

Feedback Welcome

Please note, however, that spam will be deleted, as will abusive posts.

Disagreements welcome!