Organisations juggle many priorities and devices / technologies
Typically workstations, laptops, phones and tablets running Windows, Apple / Mac, Linux or Android. Organisations have to quickly and effectively deploy new devices, incrementally add software, licences and so on, manage the end of device and software life cycles correctly, and deal with stolen or lost devices, all while keeping everything up to date and patched and not losing any business data.

Effective device and operating system policies, deployed via Mobile Device Management (MDM) solutions or Group Policy on Windows; effective use of cloud applications, productivity suites and file storage to keep data and files off mobile devices; and restricting users' rights on devices so they cannot install arbitrary software, malware, browser extensions and the like are all important tools and technologies.

There are many commercial solutions available to solve these problems: some better than others, some easier to use than others, some with better cross-platform support. Here are some MDM vendor examples:

You may also need to integrate these products with other on-premises or cloud solutions via APIs to achieve an acceptable level of device or access control. In practice there are challenges in locking down devices to thwart a determined user while still providing flexibility for other users and not impacting the operation of the organisation. This is where monitoring and policies may be more relevant to compliance than technical controls alone.

There are many other vendors and endpoint security solutions out there; you will need to choose one or more of them that together meet your requirements for control, security, reporting and compliance. This is definitely an area where testing, comprehensive review, and talking to similar organisations to see what they use and what does and does not work well for them will pay dividends.

Some examples of different types of common endpoint security solutions:

  • Duo – Identity Management and Device Trust.
  • Zscaler, Palo Alto – Security Service Edge (SSE).

Some examples of serious real-world control circumventions, and their consequences, that we've dealt with in engagements:

In an organisation with strong client-certificate-based Wi-Fi access for corporate devices, MDM with a reasonably strong set of policies, and some other client software controls in place, a user installed VMware Workstation on an organisation-owned MacBook and ran a Windows guest, sharing the host IP address to avoid network access issues. This introduced an insecure and unsupported operating system with inadequate malware controls onto the organisation's network.

In an organisation with a Windows server, Windows workstations and Windows laptops, inadequate Group Policy and Intune policies allowed users to install commercial VPN applications, unsupported browsers, undesirable browser extensions, and some gaming software from the Internet.

An organisation allowed users to repeatedly defer operating system updates and patches on Apple devices. This eventually led to a situation where, on some devices, multiple components were running unsupported software: the MDM was no longer functioning correctly and was not enforcing policies or policy updates, and Microsoft productivity software was past end of support and updates, leading to a compromise of the MacBook with malware.

A visitor was able to connect to an Ethernet port in a meeting room that was configured in the wrong VLAN, gaining access to VLANs configured for server connectivity and bypassing guest network access controls and guest user firewall policies.

A user left an organisation, did not return their MacBook, and used open-source tools and information to bypass the MDM controls intended to centrally lock down the device as stolen.

A user deployed the Google Drive agent connected to a personal account to access personal files while on the corporate network, and to back up work files inappropriately, violating corporate policies, client confidentiality, employment contract clauses and data protection legislation.
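Several of the circumventions above (software installed outside policy, updates deferred until the MDM and office software fell out of support, devices slipping out of MDM enrolment, users holding admin rights) are the kind of drift a periodic inventory check catches early. The script below is an added example written for this page, not code from the page's authors or from any MDM vendor; it assumes a constructed device inventory of the shape an MDM export might provide (device name, platform, OS version, enrolment state, deferral count, installed apps, local admin flag) and a hypothetical organisation policy (approved-software allowlist, minimum OS versions, maximum deferrals). It reports, per device, which policy points are being missed.

```python
"""Added example: device-inventory compliance check against a hypothetical policy.

The inventory records and the policy values are constructed for illustration and
do not come from any real MDM export or vendor schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical organisation policy (constructed values).
APPROVED_SOFTWARE = {
    "Google Chrome", "Microsoft Edge", "Microsoft Word",
    "Microsoft Excel", "Microsoft Outlook",
}
MIN_OS_VERSION = {"macOS": "13.0", "Windows": "10.0.19045"}
MAX_UPDATE_DEFERRALS = 3


@dataclass
class Device:
    """One row of the (constructed) MDM inventory export."""
    name: str
    platform: str            # "macOS" or "Windows"
    os_version: str
    mdm_enrolled: bool
    update_deferrals: int    # times the user deferred OS updates
    installed_apps: List[str] = field(default_factory=list)
    user_is_local_admin: bool = False


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045)."""
    return tuple(int(part) for part in version.split("."))


def version_below(actual: str, minimum: str) -> bool:
    """Compare dotted versions, padding the shorter one with zeros so '13' == '13.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a < m


def check_device(device: Device) -> List[str]:
    """Return a list of policy findings for one device (empty means compliant)."""
    findings: List[str] = []
    if not device.mdm_enrolled:
        findings.append("not enrolled in MDM; policies cannot be enforced")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        findings.append(f"unsupported platform: {device.platform}")
    elif version_below(device.os_version, minimum):
        findings.append(f"OS {device.os_version} below supported minimum {minimum}")
    if device.update_deferrals > MAX_UPDATE_DEFERRALS:
        findings.append(
            f"updates deferred {device.update_deferrals} times (limit {MAX_UPDATE_DEFERRALS})"
        )
    for app in device.installed_apps:
        if app not in APPROVED_SOFTWARE:
            findings.append(f"unapproved software installed: {app}")
    if device.user_is_local_admin:
        findings.append("user holds local administrator rights")
    return findings


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its findings."""
    return {d.name: check_device(d) for d in devices}


# Constructed sample inventory: one compliant Mac, one neglected Mac, one Windows laptop.
SAMPLE_DEVICES = [
    Device("MBP-001", "macOS", "14.2", True, 0,
           ["Google Chrome", "Microsoft Word"]),
    Device("MBP-002", "macOS", "12.6", False, 5,
           ["Microsoft Word", "Google Drive"]),
    Device("WIN-003", "Windows", "10.0.19045", True, 1,
           ["Microsoft Edge", "ExampleVPN Client"], user_is_local_admin=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run as-is it prints MBP-001 as compliant, four findings for MBP-002 (unenrolled, old OS, excessive deferrals, personal sync client) and two for WIN-003 (unapproved VPN client, local admin). In practice the `SAMPLE_DEVICES` list would be replaced by a parsed MDM export, and the findings fed into whatever ticketing or reporting the organisation uses for compliance follow-up.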

With respect to safeguarding there are other considerations relating to technology and device use; these include keeping track of images of children and making sure they are not held on personal devices or uploaded to personal 'cloud' storage / sync solutions. Comprehensive and clear policies, training and education are the starting point for all these use cases; technology monitoring and controls can then be implemented to assist with monitoring and enforcement.

Our Products:

We do not sell or recommend solutions in this space; however, we can assist with evaluations and integrations as part of a consulting engagement.