IT administrators are expected to look after the digital security of the system landscape and, in doing so, use guidelines to eliminate security risks. But just as a careless driver who ignores the rules puts everyone else on the road at risk, a single unmanaged device puts the whole network at risk. Smartphones and other private mobile devices are nothing unusual in corporate networks. With these devices, anyone can easily and quickly access emails or “Teams messages” from anywhere.
“Why should it be so bad to read my Teams messages on my smartphone? We only chat.”
And who has access to the device? What happens if something has already been downloaded from unsafe sites?
Microsoft Endpoint Manager ensures that all mobile devices are equipped with the desired security standard before a connection to the corporate network is established. It is also possible to track which devices use corporate access.
What is Microsoft Endpoint Manager?
Microsoft Endpoint Manager (MEM) is a comprehensive cloud platform that integrates multiple Microsoft services to securely and efficiently manage a company’s endpoint devices. MEM includes both Microsoft Intune and Configuration Manager, also known as System Center Configuration Manager (SCCM). By combining these two powerful tools, MEM enables centralized management of all devices on the network, regardless of operating system or hardware (PC, smartphone, tablet, etc.).
The main components
Microsoft Intune
Microsoft Intune provides the following tools:
- Mobile Device Management
- Mobile Application Management
- Bring your own device support (BYOD)
- Remote wipe / remote lock
Mobile Device Management (MDM) is a tool for managing all registered end devices, regardless of the operating system. These devices do not necessarily have to be company-owned, as MDM also supports the use of private devices in the company network. MDM offers various security functions to ensure that these devices meet certain security requirements before they are granted access to the company network.
An important security function is remote wipe or remote lock. The lock function locks a device remotely, which switches it to the lock screen so that it can only be unlocked again by entering a PIN. This prevents unauthorized access, for example if a device has been left unlocked. Alternatively, the device can be completely blocked from Intune using the Disable function, or all company data can be deleted from Intune using the Retire function, without removing the device from Intune. This is useful if a device changes hands within the company: only company data and policies are removed, while the device itself remains usable.
The Wipe function can achieve the same thing without removing the device from the Intune list. There is also the option of a factory reset, which resets the device to factory settings and deletes all data. This is often used when a device is lost or stolen to ensure that no company data is stolen.
Configuration Manager
The Configuration Manager provides the following tools:
- Software distribution and deployment
- Distribution of operating systems and updates
- Integration of a Windows Server Update Service (WSUS)
- Remote control and diagnostics
- Compliance management
Software distribution enables software and the corresponding updates to be distributed automatically and globally to all devices. The device only has to be switched on and connected to the Internet. Software and updates are stored once in a so-called software library and distributed from there to all devices. In this way, IT administrators can ensure that all clients are updated to the latest version in a timely manner.
The integrated WSUS (Windows Server Update Services) gives IT administrators control over which updates devices receive. The installation options are set in so-called update rings: for example, installation intervals can be defined, and feature, quality or driver updates can be blocked, permitted or otherwise configured.
The remote-control functions allow IT administrators to gain remote access to devices and take control of them without the need for additional software. Security functions such as role-based access, user access confirmation, session logging and encryption, and device groups ensure that this access remains controlled.
With compliance management, policies can be set to ensure certain security criteria before a device can connect to the company network. Microsoft offers a variety of options that can be applied to the devices.
A common example is password policies: in addition to a minimum length, simple passwords such as “1111” or “1234” can be blocked, password expiration can be set, and mobile devices can be forced to require a password to unlock them. It can also be required that Windows Defender or another antivirus program is active, a firewall is turned on, Trusted Platform Module (TPM) and BitLocker are enabled, Secure Boot is used, and only certain operating system versions are tolerated. In addition, policies can define how non-compliant devices are dealt with.
Since not all policies are equally useful for all device types, groups can be created and specific policies can be set, for example for Macs.
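To make the compliance-management idea concrete, here is an added example that models how such a policy is evaluated against a device's reported state. It is not Intune's code: the policy dictionary borrows property names from the Microsoft Graph windows10CompliancePolicy resource as this example's author knows them (check them against the current Graph documentation), while the device records, the "simple password" rule, the grace-period handling and the evaluation logic are constructed for illustration only.

```python
"""Illustrative model of compliance-policy evaluation (added example, not Intune code).

Policy keys follow the Graph windows10CompliancePolicy property names (assumption,
verify against current Graph docs). Device records are constructed sample data.
"""
from typing import Dict, List, Tuple

# Policy expressing the requirements named in the article: password rules,
# Defender, firewall, TPM, BitLocker, Secure Boot and a minimum OS version.
WINDOWS_POLICY: Dict[str, object] = {
    "passwordRequired": True,
    "passwordMinimumLength": 8,
    "passwordBlockSimple": True,
    "passwordExpirationDays": 90,
    "defenderEnabled": True,
    "activeFirewallRequired": True,
    "tpmRequired": True,
    "bitLockerEnabled": True,
    "secureBootEnabled": True,
    "osMinimumVersion": "10.0.19045",
    # Hypothetical simplification of "actions for noncompliance": days a device
    # may stay non-compliant before access is blocked.
    "gracePeriodDays": 3,
}

# Constructed device states as a management agent might report them.
REPORTED_DEVICES = [
    {"deviceName": "CONSTRUCTED-LAPTOP-01", "passwordSet": True, "passwordLength": 12,
     "passwordAgeDays": 20, "defenderRunning": True, "firewallOn": True,
     "tpmPresent": True, "bitLockerOn": True, "secureBootOn": True,
     "osVersion": "10.0.22631"},
    {"deviceName": "CONSTRUCTED-LAPTOP-02", "passwordSet": True, "passwordLength": 10,
     "passwordAgeDays": 120, "defenderRunning": True, "firewallOn": True,
     "tpmPresent": True, "bitLockerOn": False, "secureBootOn": True,
     "osVersion": "10.0.19044"},
]


def is_simple_password(pw: str) -> bool:
    """Model of the 'block simple passwords' rule for numeric PINs.

    Rejects repeated digits (1111) and strictly ascending or descending runs
    (1234, 4321); anything non-numeric is left to the length/complexity rules.
    """
    if not pw.isdigit() or len(pw) < 2:
        return False
    if len(set(pw)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare OS versions numerically, so 10.0.19045 > 10.0.9999."""
    return tuple(int(part) for part in version.split("."))


def evaluate_compliance(policy: Dict[str, object], device: Dict[str, object]) -> List[str]:
    """Return the policy settings the device fails; an empty list means compliant."""
    failures: List[str] = []
    if policy["passwordRequired"] and not device["passwordSet"]:
        failures.append("passwordRequired")
    elif policy["passwordRequired"]:
        if device["passwordLength"] < policy["passwordMinimumLength"]:
            failures.append("passwordMinimumLength")
        if device["passwordAgeDays"] > policy["passwordExpirationDays"]:
            failures.append("passwordExpirationDays")
    # Boolean requirements: policy setting -> field in the device report.
    boolean_checks = (
        ("defenderEnabled", "defenderRunning"),
        ("activeFirewallRequired", "firewallOn"),
        ("tpmRequired", "tpmPresent"),
        ("bitLockerEnabled", "bitLockerOn"),
        ("secureBootEnabled", "secureBootOn"),
    )
    for setting, reported in boolean_checks:
        if policy[setting] and not device[reported]:
            failures.append(setting)
    if version_tuple(device["osVersion"]) < version_tuple(policy["osMinimumVersion"]):
        failures.append("osMinimumVersion")
    return failures


def access_decision(failures: List[str], days_noncompliant: int, policy: Dict[str, object]) -> str:
    """Apply the modeled noncompliance action: allow, allow within grace, or block."""
    if not failures:
        return "allow"
    if days_noncompliant < policy["gracePeriodDays"]:
        return "allow-in-grace"
    return "block"


if __name__ == "__main__":
    for device in REPORTED_DEVICES:
        failed = evaluate_compliance(WINDOWS_POLICY, device)
        print(device["deviceName"], failed or "compliant", access_decision(failed, 7, WINDOWS_POLICY))
```

Running the script lists each constructed device with the settings it fails and the resulting access decision; the second device is blocked because its password has expired, BitLocker is off and its OS build is below the minimum. Real deployments would pull these values from Intune and apply the policy per device group, as the article notes for platform-specific policies.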
Key Functions
- Unified endpoint management:
- Centralized management of all endpoints, regardless of operating system and location.
- Simplification of IT administration through a unified console.
- Extended security features:
- Integrated security policies and threat detection.
- Zero trust architecture to minimize security risks.
- Automation and compliance:
- Automated device provisioning and configuration.
- Real-time compliance reports and monitoring to ensure compliance with legal regulations and corporate policies.
- Ease of use:
- Intuitive user interface and self-service portals for end users.
- Improved user experience through integration with existing Microsoft 365 services.
Conclusion
Microsoft Endpoint Manager ensures that predefined security standards are enforced before a device receives company data, regardless of its operating system or origin. Risks can therefore be excluded before the connection is established, and company data can be easily removed from mobile devices again.
A must for every network with bring-your-own-device components.
Do you have any questions regarding MEM? Simply write to service@inwerken.de. Our IT-Infrastructure-Team will contact you. More information and additional services are available in our Portfolio.