I recently had the opportunity to pick the brains of the IT manager at Hexnode, Azhar, over a cup of coffee. He always seemed laid back and happy, which for a guy tasked with teaching tech muggles like me about cmd+p seemed rather odd.
The fact that he single-handedly manages over 300 corporate devices for more than 200 employees spread over 4 continents seemed fascinating. The sheer number of devices and policies managed by a single admin looked hectic, even impossible, to me, but after the chat I understood how companies with over 5,000 devices get by with just a couple of IT managers. It doesn't feel like work when you have an MDM like Hexnode doing the work for you.
Before I stray off topic, let me give you an idea of how Hexnode operates. Employees are split into several teams and shifts that work around the clock, 7 days a week. Every employee at Hexnode is issued a corporate-owned device for work. These devices are mostly MacBook Airs and MacBook Pros, chosen based on the requirements of the employee and the nature of their work.
Besides these, Windows PCs for DevOps and managers, high-performance Windows laptops for designers and editors, and Android and iOS smartphones for the Accounts and HR teams are also provided. Android and iPadOS tablets are used by program coordinators, asset managers, security personnel, and office administrators, while all the conference rooms have Apple TVs hooked up to projectors.
Key takeaways from our break-room chit-chat
I always knew that my device was being managed, but I wasn't sure how, and being the nosey parker I am, I was interested in exploring the potential loopholes and vulnerabilities in the system. Much to my dismay, I couldn't find even a needle-sized hole to exploit, and here is why.
Setup and Deployment
All the devices being used at Hexnode come pre-configured so that employees can enjoy a seamless out-of-the-box experience during setup. The pre-configuration doesn’t require any sort of manual intervention from the IT admin which is a huge load off of his shoulders. App deployment is also done remotely so that the employee’s device is ready for action as soon as it connects to Wi-Fi.
Hexnode's offices use several Wi-Fi networks that are specific to areas of the office, the devices being used, and the team using them. Teams are grouped and associated with a Wi-Fi policy based on their priority, needs, and location in the office. If a new team member joins, the IT admin simply adds the user to their respective group and the Wi-Fi connection on their work device is enabled.
App Permission Management
The permissions for apps to access the device location, record screen contents, use the microphone, etc. are revoked or granted as required. Hexnode has also moved from blacklisting apps to whitelisting them on its work devices. Malicious and potentially harmful apps were blacklisted and blocked on devices until August 2020, but the associated app management policy has since been changed to block the installation of every app other than the pre-approved ones. The difference matters: a blacklist only stops apps that are already known to be bad, while a whitelist denies anything that hasn't been explicitly approved, including apps nobody has seen before. This means that only whitelisted apps can be installed; installing anything else requires the user to contact the IT manager, who edits the policy for that employee accordingly.
The company policy at Hexnode forbids sharing passwords among employees. The use of password manager services paired with Hexnode MDM for access to password-protected resources ensures that no passwords are shared at any point. Active Directory-based password policies have been deprecated in favor of Hexnode MDM's password policy to improve overall device security. The complexity, length, and history requirements it enforces ensure that employees' device passwords are strong, rotated regularly, and not reused.
It was also a surprise to learn that FileVault wasn't enabled on our devices until early 2020. All devices deployed afterward came with FileVault pre-configured, and by February it had been remotely enabled on all existing devices as well. The capability to remotely enable disk encryption saved the IT manager a lot of time and effort, as there were over 200 devices by then. Remote enablement only pays off fully if the recovery key is escrowed with the MDM at the same time; otherwise a forgotten password on an encrypted disk means lost data rather than a reset.
Restricting the ability to connect external storage devices via the USB port was one of the first restrictions enforced on Hexnode devices, as safeguarding company data and devices is of the utmost importance. Further, URL filtering that blocks known harmful websites, screen timeouts, and screensavers aimed at device protection are also enforced.
At Hexnode, employees use their personal smartphones to log in to their Microsoft accounts for checking work email, the work messaging app Teams, HR management, attendance registration apps, and so on, which could become a threat if left unmanaged. With a recent policy update, only devices that are enrolled in the company's MDM portal and compliant with Hexnode's policies (location, IP, etc.) can access the Microsoft login.
COVID crisis and management
Hexnode moved to remote work on March 17th, 2020. The IT and management teams, with the assistance of a cybersecurity expert, decided on the security measures needed to protect corporate assets. A plan was formulated and the policies were pushed to the devices. Most employees didn't even notice the changes, though some additional security measures were evident.
Hexnode has a wide variety of devices that are constantly used by developers, product management teams, and the QA teams for testing MDM features. Distribution of these devices is carried out via an asset management app running on iPads in kiosk mode. The devices are issued by the office administrators, who are notified as soon as an asset request is created.
The accounts team is issued smartphones that run in multi-app kiosk mode, so only the essential apps and tools are available for their use. The HR team and the administrative staff are also given smartphones with their capabilities limited to keep the focus on work.
When a device falls out of compliance, the IT admin sends a technician mail to the user describing the issue and asking them to rectify it. The same compliance data can be used to act quickly on severe issues such as device theft. A 7-day inactivity compliance policy is also assigned to all devices: it locks the device when an employee leaves or when the device hasn't connected to the internet for over 7 days.
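To make the two policy points above concrete, the whitelist-versus-blacklist change and the compliance checks that gate the Microsoft login, here is an added example of how such an evaluation can be modelled. It is not Hexnode's code and not how the Hexnode MDM implements its policies internally; the app identifiers, device records, network ranges, and the "lock"/"notify" actions are all assumptions made for the example.

```python
# Added example (not Hexnode's code): a small MDM-style compliance evaluation.
# It shows (a) why an allowlist catches an app that a blocklist has never heard
# of, and (b) the checks described in the article: enrollment, FileVault,
# corporate network, and the 7-day inactivity lock. Everything below is
# constructed for illustration: the bundle identifiers, device inventory and
# network ranges are hypothetical.
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy data (hypothetical identifiers and ranges).
ALLOWLIST = {"com.microsoft.Outlook", "com.microsoft.teams", "com.apple.Safari"}
BLOCKLIST = {"com.example.knownbad"}   # only what is already known to be bad
INACTIVITY_LIMIT = timedelta(days=7)
CORPORATE_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")]


def blocklist_violations(installed):
    """Apps a blacklist policy would flag: only those explicitly listed."""
    return sorted(installed & BLOCKLIST)


def allowlist_violations(installed):
    """Apps a whitelist policy would flag: anything not pre-approved."""
    return sorted(installed - ALLOWLIST)


def on_corporate_network(ip):
    """True if the reported IP falls inside one of the assumed corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def evaluate_device(device, now):
    """Return the compliance verdict, the reasons, and the action to take.

    device: dict with keys enrolled, filevault, last_checkin (aware datetime),
    ip (str) and apps (set of bundle identifiers).
    """
    reasons = []
    if not device["enrolled"]:
        reasons.append("device is not enrolled in the MDM portal")
    if not device["filevault"]:
        reasons.append("FileVault disk encryption is disabled")
    unapproved = allowlist_violations(device["apps"])
    if unapproved:
        reasons.append("unapproved apps installed: " + ", ".join(unapproved))
    if not on_corporate_network(device["ip"]):
        reasons.append("connecting from a non-corporate network")
    inactive = now - device["last_checkin"] > INACTIVITY_LIMIT
    if inactive:
        reasons.append("no check-in for more than 7 days")

    if inactive:
        action = "lock"      # the inactivity policy locks the device outright
    elif reasons:
        action = "notify"    # technician mail asking the user to fix the issue
    else:
        action = "none"
    return {"compliant": not reasons, "reasons": reasons, "action": action}


def microsoft_login_allowed(device, now):
    """Conditional access: only enrolled *and* compliant devices get through."""
    return bool(device["enrolled"]) and evaluate_device(device, now)["compliant"]


# Constructed sample inventory and reference time. macbook-02 carries a brand
# new app that no blocklist lists yet; macbook-03 has been silent for 9 days.
NOW = datetime(2020, 9, 1, 9, 0, tzinfo=timezone.utc)
DEVICES = {
    "macbook-01": {"enrolled": True, "filevault": True, "ip": "10.20.4.17",
                   "last_checkin": NOW - timedelta(hours=2),
                   "apps": {"com.microsoft.Outlook", "com.apple.Safari"}},
    "macbook-02": {"enrolled": True, "filevault": True, "ip": "10.20.4.18",
                   "last_checkin": NOW - timedelta(hours=1),
                   "apps": {"com.microsoft.Outlook", "com.example.newstealer"}},
    "macbook-03": {"enrolled": True, "filevault": True, "ip": "203.0.113.9",
                   "last_checkin": NOW - timedelta(days=9),
                   "apps": {"com.microsoft.teams"}},
}

if __name__ == "__main__":
    for name, device in DEVICES.items():
        verdict = evaluate_device(device, NOW)
        print(name, "compliant" if verdict["compliant"] else "NOT compliant",
              verdict["action"], verdict["reasons"])
        print("  blocklist would flag:", blocklist_violations(device["apps"]))
        print("  allowlist would flag:", allowlist_violations(device["apps"]))
```

Running it shows the point of the August 2020 change: for macbook-02 the blacklist flags nothing, because the new app isn't on it, while the whitelist flags it immediately and the device is refused the Microsoft login until the admin either approves the app or the user removes it.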
Hexnode MDM is one of the key factors helping Hexnode achieve ISO certification relatively quickly. Hexnode assists with managing Macs through the execution of scripts, for example to demobilize Active Directory mobile accounts. Third-party DNS security application deployment, compliance status and report scheduling, user permission reviews, and Active Directory-free user management have helped us stay compliant with international standards and regulations like HIPAA and PCI DSS.
The well-rounded management of corporate assets has helped keep Hexnode safe from scams, spam, viruses, brute-force attacks, and more, ensuring a high level of security for corporate data since its inception. All Hexnode portals, including the one used to manage Hexnode itself, are manually monitored 24/7 for discrepancies. Potential security flaws and mishaps are conveyed directly to the employee at the earliest opportunity.
Hexnode uses Microsoft's Office 365 suite; the use of other email and document apps and of personal accounts on corporate devices is blocked, ensuring that corporate data isn't leaked by employees at any point. This keeps our customer, partner, and internal data safe and secure.
Beta in house
Unreleased features are available on the portal used to manage internal devices. For example, the live terminal feature has been in use at our offices and on our devices for a few months now. It lets admins view and control devices regardless of their location.
A little piece of IT heaven
Azhar was full of praise for the software that makes his work easy, and it wasn't just him. Most of the employees here at Hexnode don't even realize how much their output is increased by a seamless IT experience: rapid resolution of technical issues even when working remotely, blocking unnecessary distractions and phishing attempts, and the list goes on.
He also gave me an idea of the mountains he had to climb to manage devices at his old job with traditional management methods. They needed an IT admin for every 20 employees and still lost a lot of work hours to IT issues. They had multiple cyber-attacks targeted at them (nothing too severe) and lost a good amount of business to technical mishaps. The story of a little rage-induced glass smashing while assisting 30 employees with their configuration setup wrapped up our coffee break chit-chat.
A simple password just isn't enough; you need more. If your IT manager is struggling to keep it together, or if your firewalls are constantly getting breached, hiring more IT staff isn't the answer. You need something that can secure your devices, the data on them, and ultimately your business.