Once upon a time, IT security teams had a definable number of endpoints to monitor, manage and protect, and all of those endpoints were connected to their data kingdom directly via on-premises systems.
However, digital transformation, combined with an increase in bring-your-own-device (BYOD) and remote workforces, has led to a shift in the way our networks are set up. We now connect not only from PCs in the office, but at home from laptops and smartphones. On top of that, most software applications that we use today are hosted in the cloud, rather than on-premises. The ability to work across such a range of devices and locations empowers employees to work flexibly and more productively, but it also makes it much more difficult for IT teams to keep track of who is accessing their corporate data, and from which devices. The addition of cloud-hosted apps also increases flexibility, but reduces IT teams’ visibility into account access and activity. Because of this, 30% of IT professionals don’t know how many endpoint devices their company has. The other 70% report an average of 750 endpoints connected to their network.
That’s a lot of potential entryways into your company’s data to secure manually – and that’s assuming that you fall into the 70%!
Luckily, there’s a solution to the challenge of monitoring and managing each of those 750 endpoints: unified endpoint management.
What Is UEM?
Unified endpoint management solutions enable organizations to monitor and manage all of the PCs, mobile devices and IoT devices connected to their network, via one single interface, helping security teams to deal with the challenge of securing their endpoint connections.
In order to understand how UEM works, we first need to talk about MDM, EMM and CMT – I know, that’s a lot of abbreviations, but bear with me. Mobile device management (MDM) solutions allow IT admins to monitor, secure and configure policies for smartphones, tablets and laptops connected to their network. While this can be useful for businesses with a remote workforce, it means that those with a mixture of remote and office-based employees have to juggle two management tools for off-site and on-site devices. On top of that, traditional MDM doesn’t support a flexible BYOD culture: employees can’t switch easily between using personal and work applications on their device.
Enterprise mobility management, or EMM, is an evolution of MDM that uses containers to secure the apps and data on a mobile device. While this enables BYOD flexibility, it still doesn’t solve the problem of having to use multiple management tools across on- and off-site devices.
Client management tools, or CMTs, help IT and support organizations to automate their administrative endpoint tasks such as OS deployment, software distribution and patch management. This involves configuring and managing these tasks across a client device network.
Unified endpoint management solutions combine the MDM, EMM and CMT feature sets to provide comprehensive controls and visibility into endpoints connected to your networks. This makes UEM a much more efficient endpoint management method than legacy systems, particularly for businesses with a wide variety of devices in their fleet. It also enables a unified digital environment across all devices and locations.
UEM solutions combine a range of features, including reporting, advanced user authentication and access management and application isolation, in order to improve the security and efficiency of diverse device networks.
Why Do You Need Endpoint Management?
Around 58% of organizations around the world currently have workforces who “telework”, or work from home – a number that has hugely increased over the course of the past year. The COVID-19 pandemic acted as a major catalyst for remote working, as governments around the world instructed people to stay at home to combat the spread of the virus. This meant that many organizations suddenly had to provision their employees to work from home, at very short notice.
Unfortunately, the speed of this change often meant sacrificing security in the name of productivity. This was largely because many organizations were unable to provision corporate devices to each employee, instead implementing a “bring-your-own-device” (BYOD) culture. Although this enables employee flexibility, BYOD can introduce a whole range of security issues; not least that it’s more difficult to keep track of which devices are actually connected to your network!
Personal cell phones, laptops and tablets are much less secure than corporate-issued devices; they generally aren’t secured with MFA or a password manager, for example, and are less likely to encrypt stored data, connect to the network via a VPN, or have antivirus software installed on them. This means that they make much easier targets for bad actors trying to access your corporate data. Think of it this way: each of your organization’s endpoints is a doorway that opens into your corporate data kingdom. If an endpoint is properly managed and secured, that door is locked and bolted; if not, it’s swinging on one hinge. Because of this, personal devices are twice as likely to become infected with malware than their corporate counterparts.
UEM solutions provide a centralized view of all of the endpoints connected to your network, as well as enabling you to centrally and remotely manage all of those endpoints without having to compile data from on-site and off-site device management tools; the UEM solution covers them all.
UEM also makes it easier for you to monitor device usage and health, including vulnerabilities that need patching, OS updates and software or application updates that need to be deployed. Combined, these features enable you to provide a baseline level of security and threat monitoring across your endpoints, even for personal mobile devices.
Some UEM solutions even include a variety of in-built security functions that enable you to protect your endpoints against malware, viruses and malicious applications.
What Features Should You Look For In A UEM Solution?
Because unified endpoint management is an evolution of MDM, EMM and CMT tools, there’s a wide range of UEM solutions on the market. The good news is that you’re very likely to find one that fits your business need. The not so good news is that it can be a little difficult to work out what each solution is offering, and which of those features is most relevant to your organization.
Because of how UEM has evolved, the market includes purpose-built UEM solutions, but also those which have been developed from the more traditional endpoint management solutions we talked about before. This means that UEM solutions often have quite differing feature sets. However, there are some features that are crucial to any unified endpoint management solution; let’s talk about those now.
The main purpose of unified endpoint management is exactly what the title suggests: to enable you to manage and monitor all of your endpoints from one central location. This means that the solution should support most of the endpoint types that could connect to your network, i.e. Windows, macOS and Linux for desktops and laptops, Chrome OS for Chromebooks, iOS/iPadOS and Android for smartphones and tablets, and IoT devices such as printers and wearables.
The range of supported endpoint types varies from solution to solution, so it’s important that you check that your entire device fleet will be covered before investing.
As well as making sure that each of your employees’ devices will be supported by your chosen solution, it’s important that the provisioning process for each of those device types is relatively straightforward. This is because BYOD users will need to set up their devices themselves. Some solutions feature cloud deployment; others feature a self-service app store deployment process.
The management console will offer you a whole range of features in itself, which could include:
- Software distribution and policy update configuration
- Role-based access configuration
- Overview of users, devices and apps connected to the network
- Compliance reporting
- Device health/system alert reporting
- Remote application and content distribution, either via automated roll outs to targeted user groups or via an app store experience
- New user and device enrollment
As with any solution, you need to make sure that the management console offers all the features you’re going to need: some organizations may only want to generate reports for compliance, for example, while others may want to generate reports into app usage or general device health.
The key takeaway here is that the management console is centralized, so that you can monitor and troubleshoot all of your endpoints from any location, at any time.
If your endpoints are doors into your kingdom of data, your users’ login credentials are the keys to those doors. Unfortunately, we’re notoriously bad at creating and storing secure passwords: sharing them via email; reusing passwords across work and personal accounts; favouring memorable catchwords over complex, random combinations. Because of this, and thanks to the increasing sophistication of social engineering attacks and password cracking technology, you need to make sure that you’re verifying each user’s identity when they try to connect to corporate data via their endpoint.
The easiest way to do this is via multi-factor authentication (MFA). MFA is an identity verification method that requires users to prove their identity in two or more ways before they’re granted access to an application, system or network. There are three main ways in which they can do this: using something they know, such as a password or PIN; something they have, such as an authenticator app or hardware token; and something they are, which refers to the user’s biometric data, such as a fingerprint scan. MFA makes it much harder for bad actors to access your employees’ accounts, even if they manage to get hold of their password (though phishing-resistant factors such as FIDO2 keys are needed to stop attackers who relay one-time codes in real time).
Your UEM solution should come with in-built or integrated MFA. Additionally, it should include single sign-on (SSO), which means that a user who has authenticated once can open each of their corporate apps without signing in again for the length of the session, rather than authenticating every time they open a new app; re-authentication is then required after a timeout, or after the device has been offline for a set period. This will help to keep your corporate data safe in the event that a device is lost or stolen, while ensuring that that protection doesn’t hinder your employees’ productivity.
Application isolation is a particularly important feature if you’re implementing a UEM solution across a BYOD device fleet. This feature enables employees to separate their personal and work applications, and use them both securely on one device.
The level of isolation offered differs between solutions. Some enable users to create a separate “workplace environment” within their device, where their work apps and data are stored securely. Some enable users to connect to a corporate intranet from their device. Others offer container or kiosk modes which give admins a higher level of control over their users’ devices when activated (such as the ability to control peripheral settings or view the device’s screen in real time), for situations where an increased level of security is needed.
A strong UEM solution will integrate easily with any existing endpoint management tools you might have, as well as other third-party applications such as Active Directory, Google Workspace and Microsoft 365 for quicker provisioning and seamless patch management.
You should also check that your chosen UEM solution integrates with your third-party security measures, such as antivirus software, VPNs and MFA – particularly if it doesn’t come with these features already built in. And that brings us onto our final point…
Endpoint Security Features
All UEM solutions should provide insights into device usage and vulnerabilities to help you configure policies and implement any necessary security measures to protect your network’s devices. The best solutions then also enable you to implement that security via powerful integrations; some come with these security features built in. These may include:
- A VPN to ensure that network connections are always encrypted, even when employees are connecting via untrusted Wi-Fi networks such as personal home routers or free public hotspots (note that a VPN protects data in transit, not a device that is already compromised)
- Remote device wipe or lock, in the case that a device is lost or stolen
- Automated device lockdown after a given period of inactivity, again to protect against loss or theft
- Email security that ensures that only trusted, corporate attachments can be opened on a connected device
- Remote peripheral setting adjustment, such as volume or screen brightness, and remote screen viewing
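The console features listed earlier (compliance reporting, device health alerts, role-based views of users and devices) and the security features just listed (remote lock or wipe, lockdown of idle devices) come together in a UEM policy engine: each enrolled device reports its state, the console evaluates that state against a baseline, and the result is a compliance report plus a remediation action. The script below is an added example written for this article, not code from the original page or from any UEM product. The device fields, the minimum OS versions, the seven-day check-in threshold and the action names are all assumptions chosen to illustrate the idea, and the inventory is constructed sample data.

```python
"""UEM-style compliance evaluation over a constructed device inventory (added example).

Field names, thresholds and action names are assumptions, not any vendor's policy model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed minimum OS versions per platform; a real console would hold these as policy.
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "windows": (10, 0, 19045),
    "macos": (13, 0),
    "ios": (16, 0),
    "android": (13,),
}
STALE_AFTER = timedelta(days=7)  # assumed: a week without check-in means "possibly lost"

# Remediation actions from mildest to strongest; a device gets the strongest one triggered.
SEVERITY = {"none": 0, "notify_user": 1, "block_access": 2, "remote_lock": 3, "remote_wipe": 4}


@dataclass
class Device:
    device_id: str
    user: str
    platform: str
    os_version: str
    ownership: str          # "corporate" or "byod"
    disk_encrypted: bool
    mfa_enrolled: bool
    work_profile: bool      # work/personal app isolation in place on the device
    last_checkin: datetime
    reported_lost: bool = False


def version_tuple(version: str) -> Tuple[int, ...]:
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def os_outdated(platform: str, version: str) -> bool:
    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        return True  # unknown platform: it cannot be shown to meet the baseline
    return version_tuple(version) < minimum


def evaluate(device: Device, now: datetime) -> Tuple[List[str], str]:
    """Return (findings, action): the policy violations and the strongest remediation triggered."""
    findings: List[str] = []
    action = "none"

    def escalate(candidate: str) -> None:
        nonlocal action
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate

    if device.reported_lost:
        findings.append("reported lost or stolen")
        escalate("remote_wipe")
    if now - device.last_checkin > STALE_AFTER:
        findings.append(f"no check-in for {(now - device.last_checkin).days} days")
        escalate("remote_lock")  # lock first; wipe only once loss is confirmed
    if not device.disk_encrypted:
        findings.append("storage not encrypted")
        escalate("block_access")
    if not device.mfa_enrolled:
        findings.append("user not enrolled in MFA")
        escalate("block_access")
    if device.ownership == "byod" and not device.work_profile:
        findings.append("personal device without a work profile (no app isolation)")
        escalate("block_access")
    if os_outdated(device.platform, device.os_version):
        findings.append(f"{device.platform} {device.os_version} is below the minimum version")
        escalate("notify_user")
    return findings, action


def compliance_report(devices: List[Device], now: datetime) -> dict:
    """Build the kind of summary a console's compliance report shows, per platform."""
    report: dict = {"non_compliant": {}, "by_platform": {}}
    for device in devices:
        findings, action = evaluate(device, now)
        counts = report["by_platform"].setdefault(device.platform, {"total": 0, "compliant": 0})
        counts["total"] += 1
        if findings:
            report["non_compliant"][device.device_id] = {"user": device.user, "findings": findings, "action": action}
        else:
            counts["compliant"] += 1
    return report


# Constructed sample inventory (not real data).
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    Device("WIN-001", "alice", "windows", "10.0.19045", "corporate", True, True, True, NOW - timedelta(days=1)),
    Device("MAC-002", "bob", "macos", "12.6", "corporate", True, True, True, NOW - timedelta(days=2)),
    Device("AND-003", "carol", "android", "13", "byod", True, True, False, NOW - timedelta(hours=1)),
    Device("IOS-004", "dave", "ios", "16.2", "byod", True, True, True, NOW - timedelta(days=10)),
    Device("WIN-005", "erin", "windows", "10.0.19045", "corporate", False, True, True, NOW - timedelta(days=1), reported_lost=True),
]

if __name__ == "__main__":
    result = compliance_report(SAMPLE_DEVICES, NOW)
    for platform, counts in result["by_platform"].items():
        print(f"{platform}: {counts['compliant']}/{counts['total']} compliant")
    for device_id, detail in result["non_compliant"].items():
        print(f"{device_id} ({detail['user']}): {detail['action']} <- {'; '.join(detail['findings'])}")
```

Run as a script, it prints the per-platform compliance counts and, for each non-compliant device, the action the console would take and why. The escalation order is the part worth thinking about: a device that has merely gone quiet is locked, not wiped, because a missed check-in is just as likely to be a laptop left in a drawer as a theft, whereas a device the user has reported lost is wiped even if every other check passes.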
Today’s digital workplace makes the office a much more flexible environment for employees, increasing productivity and enabling a healthier work-life balance, but it poses a huge challenge to security teams in terms of keeping that environment safe. Not only do they have to keep the network itself secure, but they have to ensure that each employee is connecting via a secure, private Wi-Fi connection, on a device that has the necessary security in place, such as multi-factor authentication, email protection and antivirus software, to prevent bad actors from accessing corporate data.
Your endpoints are doorways into your company’s data; a UEM solution will enable you to bolt those doors and set up a security camera to keep an eye out while you’re not home.
However, finding the right solution can be challenging. To help you get started, we’ve put together a guide to the top unified endpoint management solutions for business.
Make sure you’re in that 70%.