Updated on May 9, 2017 by UpGuard
The following is a tale of two heavyweights in the CM arena: Microsoft's System Center Configuration Manager (SCCM) and Chef. Even a big fish like Chef is still a minnow compared to the whale that is SCCM, which the article's own estimate puts in about two-thirds of enterprise organizations. This is largely because, as a Microsoft product, SCCM rides on the dominance of Windows on the desktop and the server. It is nevertheless a truly useful product, though it may be overkill, and horribly expensive, for smaller organizations. This is where open source solutions like Chef come in: the community edition is free, and the commercial editions are priced per managed node, which is far more cost effective than SCCM's licensing for small fleets. Let's dive into the details.
Previously available as Systems Management Server (SMS), SCCM is Microsoft's offering in the Systems Configuration Management (SCM) marketplace. It can be used to manage both Windows and non-Windows clients such as Mac OS X, Unix, Linux and mobile devices running Windows Phone, Android, iOS and even Symbian. With Satya Nadella at Microsoft's helm, collaboration, not destructive competition, is the new mantra; expect even more integration and interoperability between Microsoft products like SCCM and other platforms. That said, non-Microsoft platforms are only supported as end clients; the server portion of SCCM must of course be hosted and run on a Windows Server machine.
As a component of System Center 2012, SCCM is a competent CM solution that can be augmented by the capabilities of supporting products, at a cost. Additionally, because of its close tie-in with Windows, the tool can also be used for:
Hardware and software inventory
Keeping track of and compliance with software licenses, both for Microsoft and other products
OS image deployment via task sequences, plus software update management through its WSUS integration
Rollout and reporting of antivirus and security updates
BYOD support: maintaining a list of approved software for user devices, including apps from the mobile marketplaces (Apple App Store, Windows Store, Google Play)
SCCM relies on Active Directory for user and device discovery. This makes it fast and reliable, as opposed to other third-party discovery methods that sometimes take too long to discover devices (and even then may require multiple tries). Being a Redmond product, SCCM sports an intuitive, well-developed GUI, unlike Chef, which almost certainly requires learning Ruby.
For all its advantages, SCCM is still very much an enterprise or data center product. It is actually part of a suite of products, and Microsoft's licensing for it can be costly and/or complicated. For example, SCCM requires both a server license and a client management license to be purchased. This makes SCCM prohibitively expensive for minimal use cases and out of reach for small and medium-sized organizations. Small companies typically only require two main attributes in a CM tool: the ability to keep track of hardware and software, and the ability to auto-deploy applications to their devices. In response, Microsoft has come up with another product called Intune. It can be thought of as SCCM-lite, but it also has some unique features, notably stronger support for managing mobile devices.
Pricing for SCCM 2012 is much simplified over previous versions, but still follows a proud Microsoft licensing tradition of being complex, multi-tiered and thoroughly confusing. The following from TechRepublic depicts licensing configurations for the System Center suite:
“There are eight System Center products in the suite, and the suite is available in two editions for servers. (There are client computer licenses in System Center, for desktop and mobile computers, however [we are only looking at] the management of computers running server operating systems.) The Standard management license (ML) has a list price of $1,323 that licenses two Operating System Environments (OSEs). The Datacenter ML price is $3,607 for unlimited OSEs per two physical processor sockets. Basically the Standard ML is for the single server (up to two processors) and the Datacenter ML is for virtualization hosts (one Datacenter ML per two processors on the host). The effect of these changes depends on your perspective.”
Clear as mud, right? On top of this, one will probably also require CALs (about $160 each). And SCCM requires SQL Server for storage, so that is an extra ~$3,000 for the Standard edition.
Unlike the strictly proprietary SCCM, Chef is available as both a commercial and an open source product. However, the latter is a bare-bones package and calls for extensive knowledge of Chef and Ruby to use it effectively. Springing for the commercial version from Chef, Inc., one gets a much more robust package of features, including a GUI tool that is nonetheless far less polished than SCCM's. In fact, the GUI and spotty documentation are frequently mentioned as Chef's weakest points in comparison to its main competitor, Puppet.
Chef employs a pure-Ruby DSL for writing configuration files called recipes. Recipes are grouped into "cookbooks" for easier management, and each recipe describes a set of resources that should be in a particular state: packages that should be installed, services that should be running, or files that should be written. It is then up to the software to bring the devices, or nodes, to this desired state; Microsoft's name for the same idea is PowerShell Desired State Configuration (DSC). Chef uses a master-agent model, and a Chef installation additionally requires a workstation from which the master is controlled. Agents can be installed from the workstation using the "Knife" CLI, which bootstraps nodes over SSH. Managed nodes then authenticate to the master by signing their requests with a per-node private key whose public half is registered on the server. Since the master can push arbitrary configuration to every node, the master, the workstation and the private keys they hold deserve the same protection as any other system that can execute code fleet-wide.
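To make the recipe and resource model concrete, here is an added example, not Chef's own code and not from the original article: a miniature desired-state engine in plain Ruby whose recipe syntax mirrors Chef's `directory` and `file` resources. Each resource tests whether the node is already in the declared state and repairs it only if not, which is what makes a converge run idempotent. The names `MiniChef` and `demo_run` are invented for the illustration, and the sshd_config content is a constructed sample written under a temporary directory, so nothing on the real system is touched.

```ruby
# Added example: a toy desired-state engine that imitates how a Chef
# recipe is written and converged. It is NOT Chef; the real chef-client
# has many more resource types and talks to a Chef server. Stdlib only.
require 'fileutils'
require 'tmpdir'

module MiniChef
  # Base resource: a name plus a bag of declared properties. Subclasses
  # implement in_desired_state? (the test) and converge! (the repair).
  class Resource
    attr_reader :name

    # Declares Chef-style property methods: `mode 0o600` sets, `mode` reads.
    def self.property(*names)
      names.each do |n|
        define_method(n) { |*args| args.empty? ? @props[n] : (@props[n] = args.first) }
      end
    end
    property :path

    def initialize(name, &block)
      @name = name
      @props = {}
      instance_eval(&block) if block # evaluate the recipe's `do ... end` body
    end

    def target
      path || name # like Chef, the resource name doubles as the path
    end
  end

  class Directory < Resource
    def in_desired_state?
      File.directory?(target)
    end

    def converge!
      FileUtils.mkdir_p(target)
    end

    def describe
      "directory[#{target}]"
    end
  end

  class FileResource < Resource
    property :content, :mode

    # Drift in either content or permissions counts as "not converged".
    def in_desired_state?
      return false unless File.file?(target) && File.read(target) == content
      mode.nil? || (File.stat(target).mode & 0o777) == mode
    end

    def converge!
      File.write(target, content)
      File.chmod(mode, target) if mode
    end

    def describe
      "file[#{target}]"
    end
  end

  # The recipe DSL: `directory "/x"` and `file "/x/y" do ... end`.
  class Recipe
    attr_reader :resources

    def initialize(&block)
      @resources = []
      instance_eval(&block)
    end

    def directory(name, &b)
      @resources << Directory.new(name, &b)
    end

    def file(name, &b)
      @resources << FileResource.new(name, &b)
    end
  end

  # One chef-client style run: walk resources in order and repair only the
  # ones that have drifted. why_run: true reports what would change without
  # touching anything (like chef-client --why-run). Returns the changed set.
  def self.converge(recipe, why_run: false)
    recipe.resources.each_with_object([]) do |r, changed|
      next if r.in_desired_state?
      r.converge! unless why_run
      changed << r.describe
    end
  end
end

# Demo: manage a hardened sshd_config (constructed sample) under a tmpdir.
def demo_run(root = Dir.mktmpdir('minichef'))
  cfg = File.join(root, 'etc', 'ssh', 'sshd_config')
  recipe = MiniChef::Recipe.new do
    directory File.join(root, 'etc', 'ssh')
    file cfg do
      content "PermitRootLogin no\nPasswordAuthentication no\n"
      mode 0o600
    end
  end
  first  = MiniChef.converge(recipe)                 # creates dir and file
  second = MiniChef.converge(recipe)                 # already converged: no-op
  File.write(cfg, "PermitRootLogin yes\n")           # simulate manual drift
  dry    = MiniChef.converge(recipe, why_run: true)  # reports, does not repair
  drifted = File.read(cfg)
  third  = MiniChef.converge(recipe)                 # repairs only the file
  { first: first, second: second, dry: dry, drifted: drifted,
    third: third, final: File.read(cfg) }
end

puts demo_run.inspect if $PROGRAM_NAME == __FILE__
```

The point to notice is the second run returning nothing and the third run touching only the file that drifted: a converge is a test-and-repair loop, not a script that re-executes every step. Real Chef adds ordering guarantees, notifications between resources and the server round-trip, but the convergence idea is the same.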
Prior to the release of version 11 in early 2013, Chef did not have a well-formed push feature (though beta code was available to achieve this). This meant that one had to configure agents to periodically check in with the master, as instantaneous master-to-agent change rollout was impossible. Push capabilities are now available in Chef, albeit only in the enterprise versions.** Chef is also available in a server-less configuration called "chef-solo," mostly aimed at enticing very small companies or one-off projects into Chef, Inc.'s adoption funnel.
Chef is mostly popular in environments with a predominance of Linux admins, open source developers and/or DevOps practitioners, though use with Windows systems is slowly increasing. In all likelihood it will simply never match SCCM's tight integration with Windows. However, this is acceptable for most smaller companies, as giving up extended Windows functionality for reduced cost is a justifiable compromise.
Chef is available in the following pricing variants:
Open Source Chef: the free open source version.
Hosted Chef: an enterprise version of Chef in which one's setup is hosted by Chef, Inc. Prices range from $120/month for 20 nodes and 10 users, through $300/month for 50 nodes and 20 users, to $700/month for 100 nodes and 50 users.
On Premise Chef: an enterprise version of Chef that is privately hosted. This was previously available as a perpetual license, but now costs $6 per month per node, giving it little real price advantage over Hosted Chef. Standard support is an additional $3 per node per month, and a premium-support version offering 24/7 availability is $3.75 per node per month.
The debate over SCCM vs. Chef should be influenced by the number of devices to be managed, whether mobile devices are also to be managed (Chef cannot manage these well), the number of Windows machines to be managed, and of course budget. SCCM is best for large Windows-centric setups, although it can now also manage non-Windows client devices. Chef is a better fit for Linux setups in a development environment, is cheaper than SCCM, and can also manage Windows setups if needed. The table below may offer some additional guidance:
*Note: SCCM 2012 was previously described in this article as a suite of 8 products. This actually refers to System Center 2012, of which SCCM is a part. The article was updated on 4/20/2015 to correct this error.
** Correction: push jobs are open-source and freely available, and have been since Chef 12.