US Dept. of Veterans Affairs Supports 500,000 Endpoints with PolicyPak
To protect our resources, we must implement a number of federal security mandates. Not only does PolicyPak make it easier, but in some cases, we would have no way to implement the mandated settings without it.
The United States Department of Veterans Affairs (VA) traces its roots back to even before the founding of the country, when Mayflower Pilgrims passed a law to support injured soldiers and their families. Such protections were strengthened during the American Revolutionary War, and have steadily evolved since.
Today the VA employs nearly 400,000, in hundreds of Veterans Affairs medical facilities, clinics, benefits offices, and other facilities in all 50 states, four U.S. territories, and the Philippines.
Managing policy across some 500,000 geographically dispersed computers and other endpoints is a monumental IT challenge. The organization uses Microsoft Group Policy, but felt limited by what could be done with Group Policy alone—especially with regard to managing third-party (non-Microsoft) products. The challenge was heightened as the VA began upgrading desktops to Windows 10, and when the VA was asked to support multiple browsers to better match the needs of specific applications and those who used them. The VA looked for a better application settings management solution, something that could grow with them.
The VA chose PolicyPak Group Policy Edition and quickly deployed it across 500,000+ endpoints.
“We considered our options and determined that PolicyPak was best-of-breed,” says Jamie Hosley, Office of Information and Technology. “Deploying PolicyPak was an easy choice.” The VA IT solutions group found value in many PolicyPak features, including Applications Manager, Browser Router, File Associations Manager, SecureRun™, and Admin Templates Manager.
The VA IT solutions group has enjoyed a number of benefits from its deployment of PolicyPak, including gaining the ability to manage and secure third-party applications, meet the need to support multiple browsers, and protect applications and devices with Least Privilege Manager. The group also uses PolicyPak to ease its Windows 10 deployment, reduce the number of GPOs, retire legacy GPOs, lock down custom apps with PolicyPak Design Studio, and enjoy tighter security.
Gaining the Ability to Manage and Secure Third-Party Applications
PolicyPak has given the VA a better way to manage and secure third-party applications.
“Before PolicyPak it was extremely difficult just to have consistent settings on third-party applications, let alone locking down a particular area,” Hosley says. “This has proven to be a huge benefit. When we were seeking budgetary approval to get PolicyPak, we said that we were being asked to manage a much more diverse set of applications, and that PolicyPak allows us to do that, right out of the box.”
Application Manager, in addition to simplifying the deployment of third-party apps, has also simplified app maintenance, including patch deployment.
“The specific setting customizations we needed for something like Adobe Reader meant that before PolicyPak it would have been extremely difficult and time-consuming to apply a newly released patch,” Hosley says. “We would have had to do a full uninstall and then do a full install every time Adobe updated the product.”
Supporting Multiple Browsers
The VA has a wealth of web-based applications—some of the older ones work best using Microsoft Internet Explorer, some of the newer ones work better on Google Chrome, others on Mozilla Firefox, while the move to Windows 10 expanded use of Microsoft Edge.
Browser Router was immediately put to work as soon as PolicyPak was deployed. “The timing was perfect because we had just been directed to deploy Chrome across the enterprise to meet the needs of a specific application,” Hosley says. “We used Browser Router to guarantee that when users opened the application it would open in Chrome. We also used Browser Router to route some of our legacy applications to IE, because they were created to run on Internet Explorer.”
As word spread about the ability to link applications to specific browsers, more requests came in for matching applications to the browser they ran best in.
“Browser Router is an easy win because of its wide usefulness,” Hosley says. “And the user no longer has to think about it. Once the route is made, an application will always open in the correct browser, even if someone already has a different browser open.”
Protecting Applications and Devices with Least Privilege Manager
The VA IT solutions group found immediate use for PolicyPak Least Privilege Manager and SecureRun™. The group used Least Privilege Manager to lock down kiosks.
Using Least Privilege Manager SecureRun™, the group is ensuring that users can’t download their own version of Chrome, Firefox, or another browser. “With SecureRun we have automatic blocks in place,” Hosley says. “This ensures that if someone tries to work around our security by downloading a ‘portable app’ or their own version of Chrome, they will simply be blocked.”
“That way we can be sure that a machine is only getting Chrome through the proper channels, through our configuration manager. It’s not being downloaded directly or via some unusual website.”
The group is now in the process of rolling out Least Privilege Manager across its full network to provide granular control of applications and other resources.
“With the move to Windows 10, Microsoft seems to be pushing organizations toward using AppLocker, which we haven’t found to be a good fit for our needs,” Hosley says. “We prefer the simple to use and seamless security settings we can put in place using Least Privilege Manager and its SecureRun capability.”
Easier Windows 10 Deployment with PolicyPak File Association Manager
The VA has some 30 file associations on their Windows 10 computers, something that would have been extremely difficult to achieve without use of PolicyPak File Association Manager.
The flexibility is needed because within the VA, some computers might have, for example, Adobe Reader, while others have the full version of Adobe Acrobat.
“PolicyPak makes it extremely easy to apply file associations,” Hosley says. “We can specify: ‘If Adobe Reader is on a machine’, then we make the file association for PDF. If ‘the full version of Acrobat is on the machine’, then we make that the PDF file association. And if both Reader and the full version of Acrobat are on the machine, we specify that the full Acrobat version will ‘win’ over Reader. This kind of flexibility with File Association Manager—the ability to handle all of these associations within Group Policy—makes it much easier to implement Windows 10 across our network.”
Reducing the Number of GPOs and Retiring Legacy GPOs
As the VA IT solutions group continues the process of upgrading computers from Windows 7 to Windows 10, it is using the Admin Templates Manager feature of PolicyPak to reduce the number of GPOs it has across its domains, and to retire legacy GPOs that are no longer relevant.
The group scored an immediate win with its geographically dispersed kiosks. Previously each kiosk had its own GPO. Using Admin Templates Manager, the group has reduced what used to be dozens of GPOs to a single kiosk GPO.
The group is also using Admin Templates Manager to tackle the challenge of reducing the number of GPOs that have accumulated over the years.
“We have GPOs that may have been created by people who have retired, or GPOs which apply to applications or configurations no longer in use. But people are resistant to touching them because there might be a dependency somewhere,” Hosley says. “PolicyPak makes it easy to work with these legacy GPOs, turn them off, see what happens, and make any adjustments that might be needed.”
Locking Down Custom Apps with PolicyPak Design Studio
The VA has a number of small custom apps that the IT solutions group plans to cover by creating their own custom paks using PolicyPak Design Studio.
“The more settings we can lock down, the fewer support calls we will have to handle,” Hosley says. “On a regular basis a user will inadvertently do something that they never intended to do and bring down an application or something. Our help desk gets a lot of calls like that. We think working with PolicyPak Design Studio we can reduce those kinds of scenarios.”
Tighter Security with PolicyPak
The IT solutions group has found that it is much easier to apply security settings and lock down resources since deploying PolicyPak. The group has also found it is easier to coordinate with the VA security group through use of PolicyPak.
“To protect our resources, we must implement a number of federal security mandates,” Hosley says. “PolicyPak makes it much easier to apply those mandates. In fact, in some cases we would simply have no way to implement the mandated settings without PolicyPak.”
The flexibility of PolicyPak also enables the group, working with their colleagues in security, to make exceptions in which a project might require settings that aren’t needed by others.
“With PolicyPak we can allow granular access to some settings, for those who need them,” Hosley says. “Before PolicyPak we would have to open the settings for everyone, which isn’t what you want to do from a security standpoint.”
PolicyPak has also proven to be a great collaboration tool when working with the security group.
“If someone needs access to specific settings in an application, we can work with our security team to show them all of the settings we control, and look at the exceptions a group might need for a specific reason, and determine the best resolution,” Hosley says. “Having PolicyPak brings great clarity to security discussions.”
Enjoying Great Customer Service
The VA IT solutions group values the speed and expertise with which PolicyPak support responds.
“With some companies we deal with you might enter a ticket and not hear back for weeks,” Hosley says. “You don’t know if they are just taking a long time to resolve the issue, or whether you are being ignored. With others it can feel like sending a ticket into a black hole.”
Not so with PolicyPak.
“With PolicyPak we get an immediate response, and you are talking to people with enormous knowledge—not just about PolicyPak, but about policy in general and about Windows and all the applications. The people at PolicyPak have more knowledge than other vendors we work with that might be 10X larger.”
Returning to the speed of ticket resolution, Hosley says, “PolicyPak easily responds four to five times faster than other vendors we work with. And the responses are always in depth and on target. They explain exactly what the issue was and how it is being resolved. That’s exactly the response you want when you need to contact support.”
PolicyPak Software provides total settings management for Applications, Desktop, Browser, Java and Security Settings for Windows endpoints. The PolicyPak software suite enables IT professionals to deliver, lock down and remediate settings for desktops, laptops, VDI sessions, company devices, as well as BYOD. Settings can be controlled either via on-prem systems like Group Policy or SCCM or using cloud systems such as PolicyPak Cloud or an MDM service like Microsoft Intune, VMware Workspace One or MobileIron. PolicyPak Group Policy Compliance Reporter enables real-time reporting on the status of Group Policy settings across the entire network.