SCCM vs Puppet

Open-source vs. proprietary? In the software universe, this debate has raged on in almost all sub-sectors – OS’s, databases, and even in the CM arena, where SCCM vs. Puppet are two of the heavyweight champs slugging it out. But beyond that philosophical difference in origin, they also take two completely different paths to the destination of easing the sys admin’s life. In addition, these two configuration management tools come with different learning curves, which will impact how quickly you can be productive.  

SCCM is a Microsoft product, which of course means it ties in very well with Windows environments, especially enterprise environments, but SCCM 1906, released in 2019 (more on that in a bit) and other recent versions support clients running other operating systems. Puppet is an open-source product that can manage Linux, Unix, Windows and even and Mac OS environments, though of course it cannot match the abilities of SCCM on Windows. If you are in a devops environment with just a single OS, and it’s not Windows, picking Puppet might seem right. However, things get more complex when you must work with multiple operating systems. Given the popularity of Windows among operating systems in the enterprise, this is a scenario many devops teams face. So which one should you choose for managing your data center or multiplicity of servers that’s threatening to get out of hand? Let’s delve a bit more into them to find out.

SCCM Vs Puppet: In-depth, Major Differences

Puppet is the model-driven open-source CM from PuppetLabs. It’s written in Ruby, and has both a well-developed user interface and a CLI that uses either a Ruby-derived DSL or pure Ruby code, although this latter option is being deprecated. PuppetLabs founder Luke Kanies stated that: “One of the benefits of Puppet’s DSL—beyond the simplicity—is that it encourages the mental shift that Puppet requires. To use Puppet effectively, you need to think in resources, not files or commands. If you wrote your configurations in Ruby, you could easily just open files and run commands all the live-long day, but with the DSL, you have to learn to think in resources.” 

The user describes system resources and their states, and stores this information in files called manifests. Puppet includes a ‘resource abstraction layer’ that enables admins to describe the configs they want to manage and the actions they want to execute in high-level terms using the DSL. And a great benefit of this infrastructure-as-DSL-code approach is that you don’t have to worry about OS-specific commands and keywords. Puppet also has a great browser based UI for limited configuration and setup tasks, but most users will use the GUI as more of a viewing and reporting tool. This leaves the majority of software deployment and fine-grained work inevitably with a requirement for learning how to use the CLI.

Microsoft’s SCCM (Systems Center Configuration Manager), or to use its official title ConfigMgr, was previously known as Systems Management Server (SMS). The latest version is SCCM 2019, and it can manage environments with these supported operating systems:

• Windows 10, 8, and 7 with SP1
• Windows Server 2008-2019
• Windows Embedded Computers (selected versions) and Windows CE(7.0  ARM and x86 processors)
• Linux (Red Hat Enterprise Linux, CentOS, Debian, Oracle Linux, SUSE Linux Enterprise Server, Ubuntu) 
• Unix (Solaris, AIX)
• Mac OS X (Snow Leopard/macOS 10.6, up to Mojave/macOS 10.14) 
• mobile OS’s: Windows Phone, iOS and Android. 

Client support might be cross-platform, however, the server console must be installed on a Windows server, and no points for guessing which OS platform it works best in. Also like other Microsoft products, almost all work will be done on the GUI, with some added-on support for programmatic interfaces like VB scripts. This makes it faster to learn and use, but less flexible than a CLI-centric tool like Puppet. The differences from a declarative configuration management pose a drawback when compared to the expressiveness of Puppet. 

The CLI system on Windows operating systems is improving, however. For example, tools like Chocolatey now help make the devops experience much better, with easy to use CLI interfaces for initial setup of software, patching, and more. For a second declarative approach to configuration management for Windows systems, you can consider Powershell DSC(desired state configuration). Available in PowerShell 4 and up, DSC borrows many of the configuration management concepts in Puppet, making it easier to manage your environments. The declarative approach is also used in Ansible, another popular automation tool. Ansible uses YAML rather than a custom domain specific language.  

Latest Version Releases And Version History

SCCM 1906, released in July of 2019, is the latest version of SCCM available. This version added some notable features and improvements, including:

• Azure Active Directory user group discovery
• More detailed analytics for desktop apps
• New Maintenance Tasks tab for managing maintenance tasks
• New task sequence debugger for troubleshooting OS deployments
• Improved support for SQL Server AlwaysOn groups
• More customization options for Software Center

In terms of capability, SCCM is a force to be reckoned with when it comes to managing all your organization’s Windows assets. It can do it all, from delivering software to multiple sites while reducing bandwidth to patch management and rolling out real-time vulnerability remediation across the organization. SCCM 1906 marks the latest in a series of massive transformations to the software over more than a decade since SCCM 2007. SCCM 2007 superseded Systems Management Server 2003, the updated version of the configuration tool Microsoft launched in 1994 for the management of Windows deployments. The following major changes have taken place since that date. 

• SCCM 2007: First version to provide support for Windows Vista, Exchange Server 2008, as well as Windows Server 2008. This version also enhanced control over assets as well as system administrators' insight into assets as well as systems compliance.    
• SCCM 2012: Introduced major changes including support for BYOD (Bring Your Own Device). Microsoft recognized that users are increasingly using devices not purchased by their workplaces’ IT, so it added a way of automatically onboarding such devices into the SCCM-controlled network. SCCM of course uses and integrates very well with Active Directory and Group Policy to keep track of and roll out updates to all devices. End users can search for applications via a self-service Software Center and define the times when installations and upgrades take place. WSUS (Windows Server Update Services) and Network Access Protection provides policy and security enforcement and rollout, while EndPoint Protection Manager, formerly called ForeFront, provides data security and encryption on devices. 
• SCCM 1511: Microsoft designed this monumental release to work specifically with its then all-new Windows 10 operating system. Windows 10 builds on the enterprise support capabilities of previous versions, and SCCM 1511 added comprehensive support for Windows 10 to the 2015 release of its configuration management product. Its features include the ability to deploy, provision, and upgrade devices to Windows 10, as well as the full management of Windows 10 devices. 

In contrast to SCCM, Puppet maintains a dual release model, with releases to both the open source Puppet as well as the enterprise version. Puppet’s Enterprise version saw the initial release of the latest major version change on October 9, 2018 with the launch of Puppet Enterprise 2019.0.0. Major changes in this version included the following:

• Support for faster automation of complex and heterogeneous infrastructure without requiring agents. This is an innovative option that adds flexibility to the existing model that made agents a requirement.
• Improved secrets management
• New CI/CD features that simplify the continuous delivery process for teams
• The ability to schedule jobs during maintenance windows to eliminate inconvenient timing for one off jobs
• Adopts the Puppet 6 Platform, available in the latest open source variant, as the base for the latest Puppet Enterprise version. The Puppet 6 Platform enables better secrets management as well as updates to Puppet’s Resource API which comprises modeling operating system resources in Puppet.

Since then, there have been a number of other updates to Puppet, including Puppet Enterprise Version 2019.1.0 and Puppet Enterprise Version 2019.1.1. The latter launched on July 30, 2019. Of special note for those interested in trying out Puppet, the enterprise version comes in STS(short term support) and LTS(Long Term Support). At the time of writing, the latest LTS major release was  2018.1 (LTS). This release first appeared on May 1, 2018 and will have an end of life in November 2020, outliving the 2019.1.1 version, alongside all other STS versions. STS versions have 6 month lifecycles, while the LTS versions have 18 month lifecycles.

Configuration Management at Large

The philosophical differences and capabilities of SCCM and Puppet are symptomatic of a broader configuration management scene that’s moving at breakneck speed where innovation is concerned. Some of the major projects that provide alternative approaches to these two include:

• Saltstack - Saltstack is the company behind the Salt remote cluster configuration management tool. Saltstack has both open source and enterprise versions. It uses a master and minion approach for keeping servers in defined states. Using YAML, Jinja or Python, you can define formulas or states for the installation and orchestration of packages on Saltstack minions. 
• Terraform - Unlike configuration management tools like SCCM and Puppet, Terraform is a provisioning tool that uses an immutable infrastructure paradigm. This helps to reduce the configuration drift that can occur across all your servers as each one develops a unique history of configuration changes. Terraform deploys uniform images or containers using tools such as Docker or Packer.
• Azure Automation - Another Microsoft cloud based configuration management and automation tool. It provides desired state configuration and other infrastructure management across Windows as well as Linux clouds. A potential replacement for data center management tools like Orchestrator, it’s a cutting edge tool in Microsoft’s arsenal as it competes with AWS for cloud market share.
• AWS CloudFormation - Amazon’s infrastructure provisioning, configuration, and management tool for AWS environments. AWS CloudFormation makes provisioning AWS resources easier, along with their modification and updates. It can be used together with AWS Systems Manager Automation for both defining cloud infrastructure and configuring the operating systems of the instances.

Community, Support, Pricing

Open-source platforms typically have a much greater sense of togetherness and product ownership. This is no different in the case of Puppet – an active user community and quick feedback and resolution are there when needed. Puppet’s source code is available on Github and Puppet is the largest player in the open source Configuration Management marketplace. With that size comes some inertia to change and loss of agility. There have been some small but vocal protests in discussion forums about stuff like PuppetLabs’ slowness to resolve bugs and their pushing users towards the commercial enterprise version, where they make their money. 

Puppet also boasts having some large corporate clients on board - Reddit, Dell, PayPal, Oracle, Los Alamos Labs, and Stanford University. When going up against a big-name established behemoth like Microsoft, such clients offer a lot of credibility in the minds of potential clients and users. Like the open-source version, Puppet Enterprise is also free for the first 10 nodes but then after that costs $120 per node per year; tiered discounts are also available up to 2500 nodes. As previously mentioned, Puppet works on almost all platforms, but simply can’t match SCCM’s capabilities on Windows; for instance you cannot use Puppet for provisioning and deploying new Windows servers, and it cannot directly update AD to reflect the status of machines in the network. However, you can run the Puppet master in a container on a Windows machine. 

With SCCM, many first of all have a problem with its closed-off, proprietary nature. That said, support from the user community is also very good. That’s not surprising given the dominance of Microsoft products, and you also get excellent answers and support from dedicated in-house SCCM pros, á la the Genius bar at the Apple Store. 

SCCM pricing is convoluted and not as straightforward as Puppet’s, especially if you are adding multiple servers, but this is common in almost all Microsoft products. To illustrate this clear-as-mud pricing setup, you need both client managed licenses (ML’s) and server managed licenses. Server ML’s are priced depending on whether you are taking up the ‘Standard’ or ‘Datacenter’ option, and also varies by the number of processors you have. So for example the top of the range 4-processor, datacenter server ML will cost $7230, and then you still need to factor in the cost of client ML’s ($62 - $121). SCCM will generally work out to be much more expensive than Puppet, is what we’re trying to say here. Read more about SCCM pricing here.

SCCM Vs Puppet Conclusion

If you have to make a choice between Puppet and SCCM, first detail what your needs are, then look for the tool that best fits those needs. And remember, you are lucky to even have such a choice – just 10 years ago there was basically only one CM tool! The pros and cons analysis below may help your decision-making, as well this site that summarizes and compares features of both SCCM and Puppet.