Unified Endpoint Management

Introduction

To the security professional, end-user devices are entry points into the network for malware, viruses, worms, spyware, and phishing schemes. The challenges to security are device mobility and diversity, which often make devices difficult to track, secure, and manage with any level of success. Attackers know that an endpoint device is a network's weakest link and therefore is an easy target for their exploits.

Laptops, mobile phones, tablet computers, wearable devices, and Internet of Things (IoT) sensors are all examples of endpoints with which enterprise security personnel must deal. And if device diversity weren't enough to complicate security measures, add "bring-your-own-device" (BYOD) to the mix and you have a recipe for disaster in the form of a security compromise. BYOD complicates network security because users don't want their devices to come under corporate scrutiny nor do they want to risk remote wipes or lockouts of their devices by security personnel.

Users are typically not security minded enough to maintain patches or updates. Many users resist device maintenance because patches and updates are associated with downtime. This scenario presents the dilemma of managing devices enough to enforce security but allowing users the freedom to enjoy a hassle-free, but safe, mobile computing experience. No one wants to trudge through multiple, difficult-to-navigate security measures. Such heavy-handed enforcement often results in users abandoning corporate devices for personal ones or working around security policies by using rogue wireless connections or device tethering.

Unified endpoint management (UEM) solutions bridge the gap between security policy enforcement and the freedom and dangers associated with mobile computing. UEM promises to protect data and the corporate network but also allow users to have their privacy and appreciate a richer computing experience.

This book shows you how UEM addresses disparate devices and their security. You also get a feel for how you can move forward with a unified endpoint management solution that satisfies all levels of security compliance while leaving users free to be productive on any device they choose. By the time you reach the end of this book, you will understand how your team can streamline and simplify your IT management routines using a UEM.

Chapter 1 Tracking UEM Evolution

Unified endpoint management (UEM) is an integrated approach to managing what security researchers have called "the corporate network's weakest link": The endpoint. Endpoints include mobile phones, laptop computers, tablet computers, and any other device that generally is mobile and not always under the direct physical control or protection of the corporate network.

According to IDC Research, 70 percent of successful security breaches begin at the endpoint. Likewise, in The Ponemon Institute's "2017 State of Endpoint Security Risk," 69 percent of respondents believe that endpoint security risk has significantly increased over the past 12 months, but only 36 percent have adequate resources to address that risk.

Introducing UEM

Managing endpoint security requires constant vigilance that is impossible to provide through traditional patch cycles, anti-malware software, and hardware updates. Properly designed and implemented unified endpoint management suites manage endpoint security inside and outside of the corporate firewall.

UEM not only protects the device but it also protects the data stored on that device without depending on the user to manage security. UEM also guarantees uniform security, via policy, for all devices regardless of vendor, operating system, or form factor.

Replacing MDM, CMT, and EMM

Endpoint management has evolved quickly over the past ten or so years since it first began as another major offering. When endpoint management suites emerged, they were in the form of mobile device management (MDM) and they were seen as "heavy handed" because security was restrictive and, should anything go wrong, a user's device could be completely wiped or locked. Most devices under the control of MDM suites were corporate owned and strict security policies were tolerated. But as "bring-your-own-device" (BYOD) developed as an acceptable practice, users were less forgiving about extreme controls over their personal devices.

UEM suites grew out of a diverse set of technologies — each with its own set of limitations and features. UEM attempts to consolidate these technologies and create a single frame of reference for managing devices, applications, security, and users.

Client management tools (CMT) have been around for years and emerged when end-user devices were stationary and kept completely within corporate walls. CMT solutions target Windows and Mac operating systems and therefore cover only a portion of today's end-user devices.

Enterprise mobility management (EMM) grew out of MDM and incorporated aspects of mobile application management (MAM) and mobile content management (MCM) that focused on securing data rather than securing devices. EMM covers more devices but generally covers mobile devices.

UEM has evolved from the combination of MDM, CMT, and EMM to cover all endpoints, from those that are stationary to those that never venture inside corporate walls and from traditional PCs to mobile phones to virtual machines (VMs).

Benefitting from UEM

End-users, security staff, and IT groups all benefit from UEM's centralized management and consistent security policy distribution across devices. Users enjoy their personal devices while being enabled to securely use corporate apps and data. Security and IT groups can enforce security policies and remotely remove data and access without affecting a user's entire device.

Users benefit as much as administrators from a UEM managed environment in that the responsibility for device security, app security, the use of a VPN, and updates is moved from the user to the enterprise IT security team.

UEM removes the complexity of managing disparate devices. One interface to manage everything is a refreshing change from attempting to manage devices from multiple vendor-specific applications.

With ManageEngine's Desktop Central UEM solution, you also get all the features and advantages of modern management. Modern management is all about creating a flexible workspace by managing Windows 10 laptops, desktops, and mobile devices under a single application.

It provides all the functionalities typically found in desktop management software, such as OS migration (including Windows 10), inventory management, policy enforcement, asset scanning, and application deployment. Modern management also shifts the support focus from a device-centric model to a user-centric approach with emphasis on self-service options.

Additionally, adopting modern management offers several benefits, such as easy migration to Windows 10, bulk enrollment, and application distribution through cloud-based MDM solutions. Better endpoint security is the result of being able to wipe endpoints remotely and perform other management tasks.

Use Case: PacknStack

PacknStack is a merchandising company that provides retail services for in-store products for some of South Africa's biggest manufacturers in the fast-moving consumer goods (FMCG) industry. PacknStack's challenge was to deliver its in-house created application to more than 1,000 corporate devices. The effort began by manually installing the app and security options on each device. This method left the company with little device control, no visibility or monitoring, and numerous security vulnerabilities.

IT Manager Chris Pieters wanted a solution to manage PacknStack's corporate devices that included:

  • Custom APK deployment to multiple devices
  • Group and profile management
  • App restrictions and app blacklisting
  • Desktop and mobile integration
  • Access control for deployment and patch management
  • Geotracking for managed mobile devices
  • App and device restrictions (for example, kiosk mode)
  • Remote access to devices

Desktop Central's automatic patch management feature has reduced the time it takes Pieters and his team to perform patching by 60 percent, allowing Pieters to allocate time to other concerns within his IT environment. By limiting device Wi-Fi usage, the app restrictions feature has reduced PacknStack's data costs by 60 percent. PacknStack has also reduced the time it takes to deploy software by 80 percent because Pieters no longer has to manually deploy software to multiple devices. Detailed reporting and hands-on asset management have increased PacknStack's hardware, software, and licensing management efficiency by 50 percent in the IT department.

Chapter 2 Simplifying Management

Eliminating complexity from a computing environment is perhaps the most elusive and most challenging goal for any IT team. No IT manager wants to hear team members complain that the new tool is so complex that the tasks are easier to perform manually. IT personnel and budgets are stretched thin enough without adding more complexity to the mix.

Managing diverse endpoints is complex. The claim of unified endpoint management is that it eliminates — or at least, minimizes — deployment and support complexity.

The proof of management simplification is in how the UEM handles enrollment, app installation, device management, and security across a broad range of devices and operating systems.

Expediting Enrollment

Onboarding and offboarding new users and new devices is a major pain point for enterprise IT and security teams. The process is time-consuming and isn't consistent across devices or users. The mobile device management (MDM) portion of UEM makes device enrollment and user assignment a quick and simple process.

Self-enrollment requires only the following details: E-mail address, username, password, and owner. The process is generally the same across all mobile devices regardless of vendor.

A self-enrollment option enables users to enroll their own devices without a support team member's involvement. The user only has to follow a URL on the device to be enrolled. IT and security teams can limit self-enrollment to certain AD groups or allow it for all AD groups. Using AD groups to manage enrollment ensures that security, apps, and other options are applied uniformly.

BYOD users typically choose self-enrollment. You should allow it but require that the device undergo close scrutiny for security issues such as rogue apps, non-secure configurations, and rooted/jailbroken status.

Streamlining Installation

Mobile app installation for diverse devices is a challenge because of different security requirements, different app stores, and varying technical knowledge of a company's mobile device users. Although the MDM backend setup varies among device types, mobile apps may be deployed silently to all devices without user intervention.

For Android-based devices, installing Play Store apps on corporate devices is a tedious task for administrators because they need to set up the device, sign up with a Google account in the Play Store, and then install the apps. MDM solves this issue by ensuring all apps are automatically installed after the initial setup of fresh devices, without the need to configure the Play Store for each user.

For Apple devices, the MDM can install apps on supervised devices silently and without using an Apple ID. Unsupervised Apple devices require user intervention to install apps from an app catalog.

Android users might feel that they are being unduly "locked down," but the reality is that the Google Play Store is far less discriminating about rogue apps. Apple meticulously vets all apps before they can be made available on the Apple app store.

Extending Device Management

Mobile device management is historically viewed as more "heavy-handed" than other technologies within the UEM umbrella, but for corporate-owned devices, the MDM approach has many advantages. Here are a few:

  • Automatic and silent app installation
  • Whitelisting/blacklisting web content
  • AirDrop restrictions (Apple)
  • iMessage restriction (Apple)
  • Prevent apps from using cellular data
  • Prevent account modifications
  • Enforcing use of a global HTTP proxy

MDM also allows administrators to track and manage device life cycles. Devices are identified by three categories during this life cycle:

  • Managed: Enrolled devices under MDM control
  • Staged: Retired, in stock, in repair, and unassigned
  • Pending: Enrollment invitation sent but not enrolled

Once enrolled, devices can be made organization-ready automatically by distributing Wi-Fi, VPN, Exchange sync, and other security policies. This procedure brings the device under full control of the MDM module.
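The self-enrollment scrutiny recommended earlier (rooted/jailbroken status, rogue apps, non-secure configurations, AD-group scoping) and the three life-cycle categories above can be modeled together. The following is an added illustration, not ManageEngine code: a device starts as Pending, moves to Managed only when it is in an allowed AD group and passes the posture checks, and is moved to Staged when it is retired. The group names, rogue-app identifiers, and required settings are constructed assumptions.

```python
"""Added example (not ManageEngine code): a minimal model of MDM enrollment
that walks a device through the three life-cycle categories the text names
(Pending -> Managed -> Staged) and applies the posture scrutiny the
enrollment section recommends. Group names, the rogue-app list and the
required settings are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class LifeCycle(Enum):
    PENDING = "pending"   # enrollment invitation sent, device not yet enrolled
    MANAGED = "managed"   # enrolled and under MDM control
    STAGED = "staged"     # retired, in stock, in repair or unassigned


# Constructed sample policy inputs (assumptions, not values from the page).
ALLOWED_AD_GROUPS = {"Field-Sales", "IT-Staff"}
KNOWN_ROGUE_APPS = {"com.example.fakebank", "com.example.adware"}
REQUIRED_SETTINGS = {"screen_lock": True, "storage_encrypted": True, "usb_debugging": False}


@dataclass
class Device:
    device_id: str
    owner: str
    ad_groups: set
    rooted_or_jailbroken: bool = False
    installed_apps: set = field(default_factory=set)
    settings: dict = field(default_factory=dict)
    state: LifeCycle = LifeCycle.PENDING


def posture_findings(dev: Device) -> list:
    """Return the findings that block enrollment; an empty list means compliant."""
    findings = []
    if dev.rooted_or_jailbroken:
        findings.append("rooted/jailbroken")
    rogue = dev.installed_apps & KNOWN_ROGUE_APPS
    if rogue:
        findings.append("rogue apps: " + ", ".join(sorted(rogue)))
    for key, required in REQUIRED_SETTINGS.items():
        if dev.settings.get(key) != required:
            findings.append(f"non-secure setting: {key}={dev.settings.get(key)!r}")
    return findings


def self_enroll(dev: Device) -> tuple:
    """Attempt self-enrollment. Returns (resulting state, list of reasons)."""
    if dev.state is not LifeCycle.PENDING:
        return dev.state, ["device is not awaiting enrollment"]
    if not (dev.ad_groups & ALLOWED_AD_GROUPS):
        return dev.state, ["user is not in an AD group allowed to self-enroll"]
    reasons = posture_findings(dev)
    if reasons:
        return dev.state, reasons      # stays PENDING until the user remediates
    dev.state = LifeCycle.MANAGED      # now receives Wi-Fi, VPN and other policies
    return dev.state, []


def retire(dev: Device) -> LifeCycle:
    """Move a managed device to the staged pool (returned, in repair, unassigned)."""
    if dev.state is LifeCycle.MANAGED:
        dev.state = LifeCycle.STAGED
    return dev.state


if __name__ == "__main__":
    compliant = {"screen_lock": True, "storage_encrypted": True, "usb_debugging": False}
    phone = Device("d1", "alice", {"Field-Sales"}, settings=compliant)
    print(self_enroll(phone))   # enrolls: (LifeCycle.MANAGED, [])
    rooted = Device("d2", "bob", {"Field-Sales"}, rooted_or_jailbroken=True,
                    installed_apps={"com.example.adware"},
                    settings={**compliant, "usb_debugging": True})
    print(self_enroll(rooted))  # stays pending with three findings
```

The key design point is that a failed check leaves the device in Pending rather than creating a half-managed state; the user can remediate and retry, and every device that reaches Managed is known to have passed the same checks.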

IT Asset Management

IT Asset Management (ITAM) is a UEM module that scans and tracks all hardware and software on your network. You can track and manage any computer or network device regardless of operating system or platform. ITAM covers software license management and includes checks for unauthorized software. The UEM ITAM module covers all software license types.

Remote desktop management

The remote desktop management features in the UEM include patch management, software deployment, asset management, remote control, power management, USB device management, configurations, reports, a mobile app, user administration, help desk integration, and the capability to uninstall prohibited applications.

Operating system deployment

UEM operating system (OS) deployment is a three-step process: Create a new OS image, customize the image, and deploy the image to computers. Automated OS deployment saves IT staff time and effort versus manually installing, patching, and customizing each computer individually.

Managing Browsers

The Internet browser is a prime target for attackers because so much information passes through it: Corporate credentials, banking information, investment data, and other types of personal and private data.

The UEM can now manage and enforce browser security. You can detect, monitor, and manage browser plugins and add-ons that are vulnerable to attack and exploits. Security administrators can exert a great deal of control over browser behavior including enforcing security compliance, preventing data leakage, and limiting usage to trusted business applications.

Users should be made aware of approved browsers. Microsoft Edge, Internet Explorer, Google Chrome, and Firefox are generally managed by the UEM. Other browsers should be disabled for corporate use if they cannot be secured.

Removing Cross-Platform Complexity

A UEM suite removes the complexity of multiple platforms in enterprise environments. IT support team members don't have to be experts in every operating system or with every device. The UEM handles the internal workings and settings for multiple operating systems, browsers, and platforms without having to have specific operator knowledge of each one.

Use Case: Bostaden

Bostaden is a public utility housing company and Umeå Sweden's biggest provider of flats and student flats. Rickard Bäckström, IT engineer at Bostaden, states, "UEM is totally right for us. We get a basic structure for all clients and mobile devices that we didn't have before. Now we can be certain that everything is updated and that we have control of all our mobile devices." Bostaden's solution for its stationary clients is built on a basic configuration that is shared by all devices with Windows and Microsoft Office. A handful of packages with software and services can be chosen and installed for people who have specific needs in their work. These can be anything from Bluebeam for drawings, to Adobe programs, to different web browsers, to Notepad.

"UEM has made our work much easier," Bäckström says. "Before, we needed to do a lot of unnecessary extra work if a new person joined the company, someone left, or someone simply got a new phone. This is now all done simply via the system. We get a uniformity in the configuration and we can distribute all the programs or patches to everyone at the same time."

One example benefit of UEM deployment is the in-house developed app based on Bostaden's Pondus property management system, which the company's area landlords use to inspect flats when tenants move. The app is in constant use and links directly to Bostaden's business system. Thanks to UEM, the area landlords can always feel secure that the service functions and can be kept up to date on all mobile devices. Another advantage of UEM for Bostaden is that its functions can be factory reset or cleared of all user and company-unique information, which simplifies the work that needs to be done if someone leaves the company or loses their phone.

Chapter 3 Hardening Security

Security is one of the primary reasons for exploring and adopting a UEM solution. It is always in the top three that IT and security professionals mention. The other two are control of company data and automated app delivery and management. Malicious attacks and compromises from ransomware, viruses, Trojan horse malware, hardware vulnerabilities such as Meltdown and Spectre, and social engineering attacks from robocalls and phishing campaigns always place security as the top concern among support teams for endpoints.

An estimated 60 percent of data is leaked electronically. The remaining 40 percent is leaked physically. The average cost per record of a data breach is $240 and the average total cost of a data breach is $4 million.

Mobile endpoints present new challenges because they are not protected by internal corporate network security. Devices can be lost, stolen, or hacked when connected to public Wi-Fi hotspots, fake hotspots, and other nonsecure networks. Devices that don't receive regular updates are vulnerable to attacks.

Securing Devices

The first place that most businesses begin when securing their mobile infrastructure is securing the endpoint devices. Bringing all endpoints under a single security structure is a satisfying task because it guarantees that rogue devices are prevented from accessing corporate assets, and all enrolled devices, regardless of geographic location, are now protected as if they were local to the corporate network.

The security level you, as an administrator, select is based largely upon a combination of corporate policy and device ownership. Corporate-owned devices can be more closely managed, controlled, monitored, decommissioned, and wiped than those personally owned by employees.

Different security policies can be applied to user owned devices versus those that are corporate owned.

Administrators must exercise caution when wiping data from personal devices and ensure that only company data and configurations are removed while leaving personal ones intact because users might not have a recent backup available.

Separation from the company means that corporate-owned devices are returned, wiped, and redeployed or recycled. Limitations and restrictions on both types of devices should be clearly stated in company policies.
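The ownership distinction drawn in this section, stricter policy for corporate-owned devices and a wipe on personal devices that touches only company data, is shown below as an added example (not ManageEngine code). The policy values and the data labels are constructed; the point is that every item stored on the device carries the scope that provisioned it, so an offboarding wipe can be selective by construction rather than by operator care.

```python
"""Added example (not ManageEngine code): security policy selected by device
ownership, and a wipe that removes only managed data from personal devices.
Policy values and data labels are constructed for illustration."""
from dataclasses import dataclass, field

CORPORATE, PERSONAL = "corporate", "personal"
MANAGED, PRIVATE = "managed", "personal"   # scope label on each stored item

# Constructed baseline policies (assumptions, not the product's defaults).
POLICIES = {
    CORPORATE: {"full_wipe_allowed": True, "location_tracking": True,
                "camera_allowed": False, "min_passcode_length": 8},
    PERSONAL:  {"full_wipe_allowed": False, "location_tracking": False,
                "camera_allowed": True, "min_passcode_length": 6},
}


@dataclass
class Device:
    device_id: str
    ownership: str                              # CORPORATE or PERSONAL
    data: dict = field(default_factory=dict)    # item name -> MANAGED | PRIVATE


def policy_for(dev: Device) -> dict:
    """Pick the policy set by ownership; unknown ownership is an error, not a default."""
    return POLICIES[dev.ownership]


def wipe(dev: Device, full: bool = False) -> set:
    """Remove managed items; remove everything only when policy allows a full wipe.
    Returns the names of the items removed."""
    if full and not policy_for(dev)["full_wipe_allowed"]:
        raise PermissionError(
            f"full wipe not permitted on {dev.ownership} device {dev.device_id}")
    removed = {name for name, scope in dev.data.items() if full or scope == MANAGED}
    for name in removed:
        del dev.data[name]
    return removed


def offboard(dev: Device) -> set:
    """Separation handling: corporate devices are fully wiped for redeployment,
    personal devices lose only company data and configuration."""
    return wipe(dev, full=(dev.ownership == CORPORATE))


if __name__ == "__main__":
    byod = Device("p1", PERSONAL, {"exchange-profile": MANAGED, "vpn-config": MANAGED,
                                   "family-photos": PRIVATE})
    print(offboard(byod), byod.data)   # managed items gone, family-photos kept
```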

Insulating Applications

"RSA Fraud Report 2019" highlights findings that 50 percent of all attacks are from rogue mobile apps. This is a 300 percent increase in attacks from rogue mobile apps from fourth quarter 2018 to first quarter 2019.

End-user education isn't enough. Administrators must whitelist/blacklist apps and only allow limited access to app stores, specifically on Android devices where rogue mobile apps trick users into downloading malware.

UEM offers automated patch deployment for Windows, macOS, and Linux endpoints, plus patching support for more than 530 third-party updates across 300 or more applications.

Protecting Data

The most valuable corporate asset that resides on endpoints is data. Corporate data is vulnerable to leaks, hacks, phishing, keyloggers, and other malicious software and intrusions. Administrators must secure corporate data on all endpoints that might receive, send, or store company-owned content. Company policy may require device encryption, data encryption, app installation, VPN connectivity, cellular restrictions, and other measures to prevent data loss.

Check your requirements toward GDPR compliance for endpoints before applying any security policies to personal devices. Also check privacy laws that govern your business.

The UEM offers a dashboard exclusively for data protection officers (DPOs), displaying the security status of the computers in the enterprise and detailed insights on the areas in which the DPO should be on red alert for breaches.

Administering Browser Security

Browser security is often overlooked in the overall security scheme, especially for mobile devices. It shouldn't be overlooked, because fraud originating from mobile browsers accounts for 43 percent of all fraudulent financial transactions in the mobile channel.

The average value of a fraudulent financial transaction in the mobile channel was $1,058.

UEM browser protection offers three sets of policies to better secure transactions:

  • Data leakage prevention
  • Threat prevention
  • Browser customization

Each of these policies is a collection of browser settings and configurations provided by Chrome, Internet Explorer, Edge, and Firefox browsers. This gives IT administrators the option to deploy security policies to different browsers in various computers as needed all from one place.

Enhancing Visibility

Placing a device under UEM control provides administrators with visibility into the device's apps, data, security settings, storage, accounts, operating system, patch level, browser configurations, and rooting/jailbreak status. Deep visibility is required for an enterprise to protect its data, its network, and its users' privacy.

This enhanced visibility helps managers plan budgets for new devices, upgrades, and repairs.

Use Case: BMI Healthcare

BMI Healthcare Limited (BMI) is one of the UK's largest private hospital operators with approximately 10,000 employees and 6,500 IP-enabled devices in use. BMI's challenges were that it required a centralized management solution to manage its IP-enabled devices across the UK and to ensure visibility and understanding of the entire IT landscape.

Matt Rooney, former IT Desktop Manager at BMI, reports, "Much of the medical equipment we use is Windows-based so it is imperative that it is protected against external threats by ensuring a carefully devised patching schedule is implemented, which Desktop Central has allowed us to facilitate."

Automating these important, yet traditionally manual, IT functions has freed the IT team to focus on other business critical IT disciplines and projects such as network monitoring and security event management.

Chapter 4 Five UEM Considerations

Selecting a UEM suite to manage and protect your endpoints is an important step in normalizing and securing your mobile workforce. You need to select a UEM solution that changes and grows with your company. The suite must be usable by even the least trained system administrator in your enterprise, but you also need to be aware of how much power it wields.

Once an endpoint is under control of your UEM, the administrator has full control of that device with few exceptions. If your UEM doesn't have administrator role levels baked into it, be sure that adequate training and policies are in place to govern corporate-owned and personal devices.

Device, app, and data security are primary considerations when selecting a UEM solution. The following UEM suite features are guidelines to follow when choosing a solution.

Examining Security

When selecting a UEM solution, administrators must focus on device, app, and content security. Administrators should be able to apply separate and granular security policies to each of these areas separately and without conflict with one another.

IT security teams need to be able to secure operating systems, automatically patch applications, prohibit unwanted software, manage USB security, and secure network data, as well as manage firewall configurations, browser add-ons, user privileges, browser security settings, app store access, and other activities that could compromise corporate network security or company-owned data security.

Managing Mobility

The UEM should be able to handle any popular endpoint platform in use today. Today's workforce is mobile and endpoints come in many different platforms and with an ever-changing list of features. End-users want devices that are easy to use, security that isn't daunting, and privacy for their personal data.

Focusing on Simplicity

Any user-facing management technology either should be transparent or extremely easy for users to navigate. It should also look and feel the same on every platform — or at least be similar enough so that there's no learning curve for employees who use devices from multiple vendors. It's common for users to have Apple, Microsoft, and Android devices at their disposal and the UEM software shouldn't be significantly different regardless of device type or vendor.

Ask for product demos so that your teams have a chance to work with the software prior to purchase.

Although IT personnel deal with technically complex tasks, software, and hardware, the UEM should not add to the overall complexity. Interfaces should be intuitive and have many ready-to-use policies, settings, and features that can be deployed with ease.

Checking Efficiency

It's easy to set up and configure a fresh device for a user, but in BYOD environments, administrators need adequate tools to easily onboard endpoints that they might never physically touch. Having a variety of onboarding and enrollment processes is essential to bringing every device that needs corporate connectivity into the UEM fold.

Not every user is a mobile device expert, so an efficient onboarding, app installation, and setup process saves IT departments a lot of help tickets and saves users a lot of frustration.

Transparency for new users is important as well. New apps and settings should be delivered automatically and with little or no user intervention. The easier the process, the better buy-in you'll have from the user community.

If problems can't be resolved by traditional means, the UEM has a built-in remote control feature that has multiple sub-features such as user notification, which tells the user that you have connected remotely. You can also disable the remote computer's wallpaper for a more efficient connection, black out the remote computer's monitor so that the end-user doesn't see the changes being made, disable the remote computer's keyboard and mouse to assume full control, capture transparent windows, adjust the connection compression settings, and edit the color quality settings of a session to preserve bandwidth during a remote session.

Delivering Versatility

A UEM platform is required to fully support Windows, macOS, Linux distros, tvOS, ChromeOS, Android, and iOS devices and be flexible enough to extend to wearables and IoT devices as these gain traction in enterprises. Your solution has to be able to evolve with your business needs and the changing face of computing.

You should be able to deliver a set of standard applications that everyone needs and then deliver additional applications based on job function or role.

Versatility also includes hardware support during OS deployment. You can set up custom driver repositories to support all your end-user hardware so that you don't have to hunt down drivers for each system.

Major features of the UEM's OS deployment module include imaging of live computers, hardware-independent deployment, the ability to deploy OSs anywhere, customized deployment, and multiple boot options.

Your chosen solution should also take into account the diversity of your users. Every user doesn't require every application. For example, knowledge workers require different applications than those who are involved in operations.

Use Case: Australian Coal Mining Company

The organization is distributed around six different sites geographically and has a small team to manage and troubleshoot systems. "Whenever there is a requirement to troubleshoot systems at a remote location or to add extra software to client systems, it has resulted in IT personnel constantly moving from one place to another," explains an IT administrator.

Clearly, the company needed a comprehensive solution, and had a checklist of "Things to be Present" in the expected software such as patch management, software management, and efficient reports.

On average, the IT team deploys 119 applications, and the challenge was to ensure that the deployment was accomplished without disturbing the end-user. This feat was executed successfully with Desktop Central's silent software installation facility. The return on investment (ROI) was significant.

"The beauty of Desktop Central is that it is an ideal solution for any industry that requires endpoint management," the IT administrator reports.