SECURITY CHECK-IT: STEP 9

Endpoint Management

The diversity of devices (either company-owned or privately owned), along with data in the public cloud, seems like a true nightmare to secure. How do we know an employee is not checking their mail from an infected home PC? Or how do we prevent a rooted mobile phone from connecting to the corporate network? We can’t ignore the BYOD (Bring Your Own Device) trend, and we can’t just open all the gates. So how do we control and mitigate the risks while still allowing our users to work with the devices they love?

The answer is a Mobile Device Management solution (MDM). At Tyneso, we use Microsoft Endpoint Management, formerly known as MS Intune. This suite has evolved from an MDM solution to a full Endpoint Management suite. Since almost every PC sold today is a laptop, the lines have faded and MDM has taken over what used to be managed by the likes of SCCM.

What can we do with this MDM?

The ultimate goal is to establish and enforce policies. We can enforce the use of antivirus, disk encryption and hardening of the OS to make a device compliant for GDPR reasons. On the other hand, it containerizes work-related data and apps on mobile devices to separate them from the user's private information and apps. We do this so that malicious private apps cannot infect the work container. In case of a lost device or an employee leaving the company, we can selectively delete the corporate information from the device.

A useful feature is to block external devices from your Office 365 tenants. By enforcing access policies, we can make it mandatory for a device to be enrolled in your MDM and meet the requirements before it can access your mail, SharePoint, Teams, OneDrive, etc. This effectively stops attackers from reaching your Office 365 data from a device you do not manage.
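To make the two ideas above concrete (a compliance policy that checks antivirus, disk encryption, OS version and rooted state, and an access gate that only lets enrolled, compliant devices reach a cloud resource), here is an added, self-contained Python model. It is example code written for this page, not Tyneso's tooling and not how Intune or Conditional Access are implemented internally; the policy values, the device records and the resource name are constructed for illustration.

```python
"""Simplified model of an MDM compliance policy plus a conditional-access gate.

Constructed example: the policy thresholds and device records below are made up
for illustration and do not come from any real tenant or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool                 # registered with the MDM at all?
    antivirus_on: bool
    disk_encrypted: bool
    os_version: Tuple[int, ...]    # e.g. (10, 0, 19045); tuples compare element-wise
    rooted: bool = False           # rooted / jailbroken


@dataclass(frozen=True)
class CompliancePolicy:
    min_os_version: Tuple[int, ...]
    require_antivirus: bool = True
    require_encryption: bool = True
    block_rooted: bool = True


def _fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def evaluate_compliance(device: Device, policy: CompliancePolicy) -> List[str]:
    """Return every requirement the device fails; an empty list means compliant."""
    failures: List[str] = []
    if policy.block_rooted and device.rooted:
        failures.append("device is rooted/jailbroken")
    if policy.require_antivirus and not device.antivirus_on:
        failures.append("antivirus not running")
    if policy.require_encryption and not device.disk_encrypted:
        failures.append("disk not encrypted")
    if device.os_version < policy.min_os_version:
        failures.append(
            f"OS {_fmt(device.os_version)} below minimum {_fmt(policy.min_os_version)}"
        )
    return failures


def access_decision(device: Device, policy: CompliancePolicy, resource: str) -> dict:
    """Access gate: the device must be enrolled AND compliant, otherwise it is blocked.

    An unenrolled device is refused before any compliance check, because the MDM
    has no trustworthy data about it at all.
    """
    if not device.enrolled:
        return {"resource": resource, "allow": False,
                "reasons": ["device not enrolled in MDM"]}
    failures = evaluate_compliance(device, policy)
    return {"resource": resource, "allow": not failures, "reasons": failures}


# Constructed policy and sample fleet (hypothetical values).
POLICY = CompliancePolicy(min_os_version=(10, 0, 19044))

SAMPLE_DEVICES: Dict[str, Device] = {
    "corp-laptop": Device("corp-laptop", True, True, True, (10, 0, 19045)),
    "home-pc": Device("home-pc", False, False, False, (10, 0, 19045)),
    "rooted-phone": Device("rooted-phone", True, True, True, (13, 0), rooted=True),
    "old-laptop": Device("old-laptop", True, True, True, (10, 0, 19041)),
}


def decisions_for(resource: str = "mail") -> Dict[str, dict]:
    """Evaluate every sample device against the policy for one resource."""
    return {dev_id: access_decision(dev, POLICY, resource)
            for dev_id, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for dev_id, decision in decisions_for().items():
        verdict = "ALLOW" if decision["allow"] else "BLOCK"
        print(f"{dev_id:13} {verdict:5} {'; '.join(decision['reasons'])}")
```

The design point worth keeping in mind is the ordering: enrollment is checked before compliance, because a device the MDM has never seen cannot be trusted to report its own antivirus or encryption state. The same gate logic applies whatever the resource (mail, SharePoint, Teams), which is why a single compliance policy can protect all of them.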

With a cloud-based MDM we can deploy apps and full-blown software packages to personal and corporate devices, whether they’re in the office or not. During Covid19, this feature is a lifesaver for many IT teams. By moving this app deployment feature to the cloud, we take away the end user’s need to be a local admin. This is key, because a user without admin rights has a much lower risk of accidentally installing malicious software or, just as bad, installing illegal copies which can lead to expensive claims.

Unfortunately, setting up an MDM solution is not a one-time effort. Operating systems are evolving and, on the MDM side, policies need to be adapted and scripts need to be written to take advantage of the benefits of these changes. On the application side, apps need to be maintained so that we use the latest stable version at all times. Devices that do not meet the requirements must be brought back into compliance. As with all things in security, this is a tool that needs to be taken care of by real people to get value out of it.

Do you have any questions or would you like to exchange more information about Endpoint Management? We will gladly help you! Send an email to [email protected] and we will contact you as soon as possible.
