With COVID-19 and the mass migration from the traditional office model to Work from Home (WFH), the focus on protecting company data in transit and on both corporate and personal devices has increased.  The Zero Trust model of security assumes every attempt to access information is a breach until the user proves who they are and the device is "compliant" with security policies.  Think of it as guilty until proven innocent.
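The "guilty until proven innocent" rule above is easiest to see as a default-deny decision function. The following is an added illustration, not code from the original article and not Microsoft's or Intune's own implementation: the device fields, the tenant name, the minimum OS versions and the policy class are all assumptions chosen for the example. Each check that fails is recorded as a reason, and access is allowed only when the identity and the device have both proven everything the policy demands.

```python
"""Zero Trust access decision over identity and device-compliance signals.

Added example: not part of the original article and not Microsoft code.
All names, fields and thresholds are assumptions made for illustration;
in Intune/MEM the equivalent checks are expressed as compliance policies
and Conditional Access rules, not as Python.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    os: str
    os_version: Tuple[int, ...]          # e.g. (10, 0, 19044)
    disk_encrypted: bool
    jailbroken_or_rooted: bool
    managed_by_tenant: Optional[str]     # tenant the device is enrolled in; None if unmanaged


@dataclass
class Identity:
    user: str
    tenant: str
    mfa_satisfied: bool                  # the user has proven who they are


@dataclass
class Policy:
    tenant: str
    min_os_version: Dict[str, Tuple[int, ...]]   # permitted OS -> minimum version
    require_encryption: bool = True
    require_mfa: bool = True


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def _fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def evaluate_access(identity: Identity, device: Device, policy: Policy) -> Decision:
    """Default deny: start from 'this is a breach' and collect every failed proof.

    Access is granted only if no reason to deny was recorded.
    """
    reasons: List[str] = []
    # Identity side: who is asking, and have they proven it?
    if identity.tenant != policy.tenant:
        reasons.append("user does not belong to this tenant")
    if policy.require_mfa and not identity.mfa_satisfied:
        reasons.append("identity not proven: MFA not satisfied")
    # Device side: is the endpoint known and compliant with policy?
    if device.managed_by_tenant != policy.tenant:
        reasons.append("device not enrolled in this tenant")
    if device.jailbroken_or_rooted:
        reasons.append("device integrity: jailbroken or rooted")
    if policy.require_encryption and not device.disk_encrypted:
        reasons.append("device not compliant: disk not encrypted")
    minimum = policy.min_os_version.get(device.os)
    if minimum is None:
        reasons.append(f"device not compliant: OS {device.os!r} not permitted")
    elif device.os_version < minimum:     # tuple comparison is lexicographic, so (10,0,18363) < (10,0,19044)
        reasons.append(
            f"device not compliant: {device.os} {_fmt(device.os_version)} "
            f"below minimum {_fmt(minimum)}"
        )
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample data (hypothetical tenant and devices).
POLICY = Policy(
    tenant="contoso.example",
    min_os_version={"Windows 10": (10, 0, 19044), "iOS": (15, 0)},
)
ALICE = Identity(user="alice", tenant="contoso.example", mfa_satisfied=True)
ALICE_NO_MFA = Identity(user="alice", tenant="contoso.example", mfa_satisfied=False)
LAPTOP_OK = Device("lap-001", "Windows 10", (10, 0, 19044), True, False, "contoso.example")
LAPTOP_OLD = Device("lap-002", "Windows 10", (10, 0, 18363), False, False, "contoso.example")
PHONE_ROOTED = Device("ph-003", "Android", (11,), True, True, None)


def demo() -> Dict[str, Decision]:
    """Evaluate the constructed cases; returned so a caller can inspect the reasons."""
    return {
        "compliant": evaluate_access(ALICE, LAPTOP_OK, POLICY),
        "no_mfa": evaluate_access(ALICE_NO_MFA, LAPTOP_OK, POLICY),
        "old_unencrypted": evaluate_access(ALICE, LAPTOP_OLD, POLICY),
        "rooted_unmanaged": evaluate_access(ALICE, PHONE_ROOTED, POLICY),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:18s} {verdict}  {'; '.join(decision.reasons)}")
```

Recording every failed check rather than stopping at the first one is deliberate: it is what lets an IT security team see from a single denial which of the identity or device requirements a remote worker's endpoint still has to meet.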

Traditionally, companies have focused on in-transit data encryption, firewalls, VPNs and similar controls, putting up fortifications around their corporate environment to restrict access.  But cyber-criminals learned that exploiting users' computers and compromising their credentials can easily bypass those protections.  Protection of the identity (the user) has become the foremost concern, and without proper configuration and management of these computers, or endpoints, companies are opening themselves up to repeated cyber intrusions.

Microsoft has developed Microsoft Endpoint Manager (MEM for short) to allow easier and more consistent configuration and management of on-prem and remote/mobile devices.

It consists of the following components/services:

1) Microsoft Intune:

Intune is a cloud-based Mobile Device Management (MDM) service that also includes a Mobile Application Management (MAM) tool; it is 100% hosted in Azure.  With it you can manage the full set of device capabilities for the following operating systems:

  • Android
  • Android Enterprise
  • iOS
  • iOS for the iPad
  • macOS
  • Windows 10

Note that if parts of your IT and network infrastructure remain on-premises, the following connectors are also available:

  • Azure AD Connect: This synchronizes the users and groups in your on-prem Active Directory to Azure AD, provides password hash synchronization or pass-through authentication, and enables SSO to all your M365 services.
  • Intune Connector: This connector lets cloud-enrolled devices in a hybrid environment join the on-prem domain and process Group Policies without being physically on-prem.  It also allows certificates to be used for encrypted communication between devices, especially for email.

2) Windows Autopilot:

With Autopilot you can configure Deployment Profiles that allow for touchless setup of a Windows device.  All settings, configurations, and apps specified in the profile are applied with limited or no user interaction, making deployment of your Windows computers simple.  Devices can be shipped directly to users, removing IT as the middleman and saving hours of setup time as well as the cost of shipping or delivering the device a second time.  The hardware is also registered only to your Microsoft 365/Azure tenant, so if a device is stolen it cannot be wiped and reloaded by someone else: any time it is connected to the internet it is recognized, and Autopilot will lock out anyone outside of your organization.

3) Endpoint Configuration Manager:

This is the next generation of System Center Configuration Manager.  With this service you can manage almost every device that resides in your network through one single interface.  It can also be easily integrated with Azure Active Directory and Microsoft Defender.  This is the primary benefit: your IT security team can deploy new applications, software/firmware upgrades, and patches, and even deal with compliance issues, all in one interface.

4) Co-Management:

Co-Management allows you to balance the administration of your devices and services between Intune (cloud management) and Configuration Manager (on-premises management).  This service has been specifically designed to give you control over devices running Windows 10, whether as a Virtual Desktop or as an actual hardware-based device.  Essentially, it lets you decide which workload is applied to which device and manage them effectively, so you can get the best levels of productivity possible.

5) Desktop Analytics:

This functionality works in conjunction with Configuration Manager, described above.  With it, you can get all of the information you need to see how the devices and apps in your network are functioning.  For example, it can give details about the security of applications that have been deployed, any interoperability issues that could exist, and issues related to deploying them from the cloud.

6) Administration Center:

This is the centralized cloud platform from which you can easily create, establish, and manage your security policies for all your devices.

The above services are illustrated in the diagram below:

The Benefits of Microsoft Endpoint Manager

Some of the benefits include the following:

  • You can deploy and manage all kinds and types of devices, both physical and virtual, on a real-time basis.  Therefore, your remote workforce can keep using the devices they are most comfortable with, increasing your company's productivity.
  • It offers a greater level of protection for all of your digital assets, including the Personally Identifiable Information (PII) datasets of both your employees and customers.
  • Because of its centralized nature, you get all warnings and alerts in one location, allowing your IT security team to triage them in just a matter of minutes.
  • Since this is all available through Azure, it eliminates the need for extra spending on additional resources – you only pay for what you consume.
  • The licensing is very flexible – for example, instead of being based on a per-device basis, it is done on a per-user basis.  In other words, you can have hundreds of devices, but your cost is determined by how many employees use them.

Wrapping It Up

If you have just deployed the Microsoft Endpoint Manager or are contemplating doing so, please contact us with any questions that you may have.  We are always here to help you.
