I would like to urge ManageEngine to go back to putting the asset management/scanning feature back into the SDP product in a near future release, rather than using a completely separate product to implement the functionality. Or at the very least, merge SDP and the free asset scanning features of DC into a single, smaller footprint product. API integration does not make SDP and DC a single product from an IT management standpoint.
While the integration of DC into SDP since SDP build 11303 may have made life simpler for ManageEngine and perhaps other customers, or MSPs out there, it has made life difficult for us. We are an on-prem customer. I have been employed about 11 years now. We have used SDP since before I joined. We are a long time customer. Our IT staff is kept small, and we have to manage and secure our production environment.
We have been generally happy with the product until the upgrade to 11303. In build 11303, instead of a regular patch to the vulnerable agents, we were forced to add an entirely new product in order to retain our ability to have a visibility on our infrastructure: Desktop Central 10, another large footprint product with a lot of features we don't need, or use, and that are potential security vulnerabilities. Desktop Central installs 4 new services in the server side, and 2 new services on clients. Desktop Central has many security features. But these are features that need to be monitored, patched, audited, etc... in other word, extra man-hours that often translate to more operational expenses.
In December, 2021 Apache released two CVEs for HTTPD < version 2.4.52. DC has an Apache HTTPD service component at version 2.4.8 after upgrading to the latest release. Then you have the more recent log4j problem for which we upgraded to the latest SDP release. These two upgrades cost us at least 48 man hours over a couple of week-ends, since we also have to test the API integrations after upgrading, before deploying to production and backup sites.
Instead of managing a single product, we manage two product each with their own issues and vulnerabilities handled separately. Since we have to vet all our products with vulnerability scans, penetration tests, internal and external audits, that is more time spent scanning, evaluating, writing reports, and closing cybersecurity advisory tickets, away from our other priorities, such as simplifying our operations, tending to internal and external customer needs, handling business priorities, and everything else that matters to upper-management. That makes me wonder about the ROI claim that appears in a red banner on top of every ManageEngine page I browsed today. All this adds technical debt. It is operationally inefficient.
The kicker is that I could not get a straight answer out of the ManageEngine rep I spoke to about this. His well-trained marketing robo-answers boiled down to two choices: Either I use DC or I lose visibility on my infrastructure, and can no longer scan my network to populate the CMDB or create up-to-date asset/patch/software reports when we have audits.
If this is an attempt by ManageEngine to coerce on-prem customers to use the cloud service offerings, I can 100% guarantee that ManageEngine will be disappointed by the outcome, at least in our case.
When our IT department cannot handle a particular business requirement, we don't go to the cloud. Fulfillment of the business requirement is outsourced to another more specialized, and cheaper to operate IT outfit in Eastern Europe. In other words, if ManageEngine makes life more difficult for our IT department, it will most likely lose an 11+ year old contract.
Again, I urge ManageEngine to consider merging the asset management feature back into a single, easy to manage, no learning curve SDP product. Innovation is great only if it is useful.