Imagine a life without any computing devices, be it laptops, PCs, mobiles or tablets. It is quite hard, isn’t it? Almost impossible. Now, think about work without any such devices. It is an even more impossible scenario, as the laptops and PCs have become THE office. It is precisely because we are entirely dependent on our work devices that the work from home scenario was not a total fiasco, and was even successful to a large extent. Gone are the days when the employees come to the office, log in to their bulky desktop PCs, and work all day without moving from their seats. Now, the enterprise is not so rigid. The employees and the devices are becoming more and more mobile. Understandably, the evolution of devices has also led to the evolution of device management, from MDM to EMM to UEM. How hard is it for someone new to learn Unified Endpoint Management? It is not so hard as you would think. Read through this guide to completely equip yourself with the basic knowledge of the what, how and why of the UEM in the enterprise, and maybe even start onboard a device or two with Hexnode UEM free trial for a hands-on learning experience.
What is a UEM?
According to Gartner, Unified Endpoint Management (UEM) tools combine the management of multiple endpoint types in a single console. A UEM should be able to configure, manage, monitor and secure Android, iOS, macOS and Windows 10 endpoints.
Devising a Device Management Strategy
Having a solid device management strategy is important for any IT manager. While the device management requirements may be different for different organizations, the core objective remains the same: securing corporate data, users, and devices. How to create a strategy perfect for your organization? We can roughly divide the process into four phases: Planning, designing, implementation and post-implementation.
Step 1: Plan, plan, and plan
We can find answers only if we ask proper questions. Find the answers to the following questions:
What is the use-case for your organization?
Identifying the specific end use-case for your organization is the very first thing you should do. Make a list of requirements and the expected end result that you hope to achieve with device management.
Example Use-Case 1: Restricting the users from using the work devices for non-work purposes
The challenge: Sam Dasakis, IT manager at Greek Orthodox Community at NSW, was worried about the nursing staff members using the mobile devices excessively for non-work purposes. The situation felt unmanageable, and he started looking for a UEM suited to his needs.
The solution: After trying different UEM solutions, he settled on Hexnode to lock down the devices into a work-mode. The users could access only the work applications, and were not able to use the mobile devices for any other purposes. The remote control feature helped Sam remotely troubleshoot the managed devices from a single web console.
Example Use-Case 2: Managing work devices with multiple operating systems
The challenge: At Access Health CT, the organization had deployed Fire tablets, iPads, and MacBooks to their employees. Joshua Booth, IT Security Analyst, found it a challenge when the employees had to bring in their devices each time they needed to update apps or troubleshoot issues.
The solution: Different operating systems need different management capabilities, and Joshua was able to realize it all by using Hexnode UEM. Joshua was able to use the Kiosk mode to enhance employee productivity, app management to push out regular updates of the required apps remotely, and enabled him to remotely view, monitor, and control the managed devices.
How many devices are to be deployed?
The number of devices that are to be managed could range from just one device to hundreds and thousands of devices. The IT manager should have a clear idea of how many devices are to be deployed, which would help in finalizing the optimal enrollment method after choosing a suitable UEM. If there are a large number of devices, the admin should go for a UEM supporting bulk enrollment methods such as Android Zero-Touch Enrollment, Samsung Knox Mobile Enrollment, and Apple Device Enrollment Program.
What are the operating systems of the devices to be managed?
For most organizations, the work devices are not limited to just one operating system. It is more of an ecosystem comprising of various operating systems like Windows, macOS, Android, FireOS, iOS, and/or even tvOS. The very definition of a UEM is to provide a unified console to manage and secure all the managed endpoints. A good UEM should possess the capability of scalable support for these different operating systems. In the planning phase, the IT manager should have a clear idea of the multiple operating systems in the managed endpoints.
What are the security requirements for your organization?
The security and compliance rules and requirements vary from company to company. The policies and configurations have to be structured according to the risk tolerance of the organization. For example, in government organizations, data and information security would be of utmost priority. The policies have to be rigid and uncompromising to secure sensitive data. On the other hand, a construction company may not be that concerned with the data security of the devices deployed to the workers, and would be more concerned about the productivity of the employees.
Step 2: Structuring the policies and configurations
Now that the requirements have been identified and the planning has been completed, the next step is to design the execution. Taking Hexnode UEM as a reference, the admin can configure the policies in advance, before taking the final plunge and enrolling the devices. These policies can then be assigned to the devices once they are enrolled.
Mobile Device Management is incomplete without Mobile Application Management. A UEM takes care of both. The app management includes remotely updating apps, blacklisting/whitelisting apps, installing/uninstalling apps, configure app permissions and configurations, and more.
The admin can remotely install the apps from the Hexnode UEM web console. On configuring the apps as mandatory apps, the apps would be automatically installed on the managed device. The admin can manage store apps, enterprise apps, and web apps with Hexnode. The Hexnode admin can also push the app updates to the managed devices remotely.
Not all apps are required for work devices. Some are even directly detrimental to employee productivity. For example, the employee may start watching YouTube for a small break, and the break could extend into hours. The admin can just blacklist such applications so that the users are not able to access them. The admin can also whitelist the required applications so that the users are able to access and use only the whitelisted applications on the work device.
App Catalogs are quite a fun feature. It allows the IT managers to avoid the hassle of deploying different sets of applications to different users. The admin can simply set up a customized app store (App Catalog) that contains all the apps required by the organization and the end-users can easily download the apps needed by them. This feature is supported in Android, iOS and macOS devices.
App configurations and permissions
Even before pushing an application to the devices, the admin can configure the app configurations for the managed apps in Android, iOS, and macOS devices. For iOS and macOS devices, the configurations are uploaded as XML files. For Android devices, the admin can configure the work app directly from the policy.
Web Clips for iOS
IOS devices support an additional app management capability. Web Clips are website URLs that can be seen just as another iOS app on the device. On tapping the Web Clip, it would take the user to the corresponding website URL. These Web Clips can be added and customized by the Hexnode admin.
Identity and Access Management
Identity and Access Management (IAM) is a key capability of UEM solutions. How to use a UEM solution for IAM?
Protection against data and identity thefts
The best method to prevent identity thefts and malicious attacks is to have a strong password. While this may sound like an old method, it works. Use the UEM solution to enforce strong password policies in the managed devices.
Active Directory/Azure AD integration for protected access
Secure the managed devices by deploying certificates directly uploaded to the Hexnode UEM web console.
Containerization for corporate data
In personal devices, clear isolation of corporate apps and data from the personal apps and data is essential. It is important to choose a UEM solution that has BYOD support.
VPN for securing networks
The admin can remotely setup a VPN for securing the networks and the flow of data.
Email and Exchange ActiveSync configurations
Wildcards (%name%, %email%, %password%, etc.) can be used to configure the email and ActiveSync accounts remotely for the managed devices for an admin using Hexnode UEM.
The IT manager can configure device restrictions for managed devices remotely using the UEM web console. The device restrictions policy enables the admin to disable different device capabilities in one go. For example, if the admin disables the camera in device restrictions, the end-users would not be able to use the camera of the managed devices. For supervised iOS devices and specific Android devices such as Samsung Knox, LG Gate, Zebra and Android Enterprise enrolled devices, the admin can configure advanced device restrictions.
The security of the managed endpoints is a prime matter of concern for an IT Manager. Here are some ways you can secure the endpoints using a UEM solution:
As mentioned previously, a strong password is a foolproof method of securing the device. Using the UEM, it is recommended that the admin devise and enforce strong password policies for the work devices.
OS and software updates
The majority of the updates contain bug fixes and security updates. As an end-user myself, I have the tendency to indefinitely postpone the updates while working. This dependence on the end-user for installing the updates can be overcome with the help of a UEM. The admin can schedule and enforce the software updates on the managed devices, all done remotely from a single pane.
Compliance could mean different things for different companies, or even different departments. With the UEM solution, the admin should be able to create custom compliance rules. The rules can be created to include checking whether the devices are active, if they are password compliant and application compliant, if they are jailbroken or not, and more. Just creating the set of rules is not enough. The UEM should also enforce it. For instance, with Hexnode, the admin can set up regular compliance checks and get instantly notified if the devices go out of compliance. The admin can then choose to take action to get the errant devices compliant.
Security has almost become synonymous with encryption these days. Even the good old HTTP is now HTTPS, to secure our web browsing. It would be really amiss of us if we fail to encrypt our work devices that contain sensitive corporate data. The IT managers can enforce device encryption on Windows 10 and macOS devices with Hexnode UEM. For new iOS and Android device models, the encryption is turned on by default.
BitLocker: It is the full disk encryption tool for Windows devices. Hexnode UEM can enforce BitLocker encryption for protecting the entire volume against unauthorized access.
FileVault: It is the full disk encryption program for macOS devices running Mac OSX 3.0 and higher. On encrypting the Mac using FileVault, the data in the device cannot be read without the device password or the recovery key. The admin can enforce FileVault encryption in the macOS devices by pushing a configured policy.
Custom scripts execution
A script is a set of commands that are used to automate and execute time-consuming tasks in the endpoints without any manual intervention. Hexnode UEM supports executing custom scripts in both macOS and Windows 10 devices.
Executing custom scripts for Mac
The custom scripts can be executed in all the managed macOS endpoints remotely from the Hexnode UEM web console. Executing the script is as simple as selecting all the endpoints and giving the “Execute Custom Script” action.
Executing custom scripts for Windows
The admin can create the custom Powershell scripts or batch files. These created scripts can then be uploaded to Hexnode Files in the web console. The admin can then select the target Windows endpoints and execute the script in bulk.
A Firewall acts as a security barrier between the internal and external networks of the organization. The IT Manager can configure the Firewall settings for macOS endpoints using Hexnode UEM. The admin can choose to block or allow all incoming connections or the incoming connections to specific applications.
Geofencing is a location-based UEM restriction. Using this feature, the admin can create virtual perimeters around a geographical region. These geofences help the admin to restrict the availability of corporate resources and define security policies for the devices entering and exiting these virtual geographical regions.
Security management would be incomplete if there are no plans in place to take care of the lost/stolen devices. Hexnode UEM enables the admin to remotely lock or wipe the missing device. The remote lock feature comes with a custom message that the admin can use to communicate with the person who finds the missing device.
The two core aspects of network management are network security management and network usage management.
Tips for Network Security Management using UEM
- Configure the Enterprise Wi-Fi in a policy and push it to the endpoints. The devices would be automatically connected to the Wi-Fi without being dependent on the users to input the Wi-Fi password.
- Hexnode UEM allows the admin to configure VPN for iOS, Android and macOS endpoints. A VPN does a great job in securing the network and monitoring the flow of data through it.
- Set up Web Content Filtering for iOS, Android and macOS endpoints with Hexnode UEM. This would prevent the users from accessing potentially dangerous or malicious websites.
Tips for Network Usage Management using UEM
- For an enrolled Android endpoint, the admin can monitor how the Wi-Fi and mobile data is being used. With Hexnode, you can track daily and monthly data usage and setup usage limits. The network connectivity would be restricted for the end-user once the limits are reached.
- Manage and control the cellular data usage for managed apps while the iOS mobile endpoints are roaming. The device may accrue higher charges while roaming, and it is recommended to turn the cellular data off while roaming if the extra charges are a concern.
Tablet locked into Kiosk mode with HexnodeThe managed iOS, Android, Windows and tvOS devices have a very useful feature. These devices can be locked down into a Kiosk Mode. Kiosk Mode means that the endpoint is locked down into the functionalities and applications determined by the admin, and prevents the users from interacting with any other apps or device settings.
Single App Mode
Single App Mode restricts the user access to a single application, enabling a locked-down experience in the device. Hexnode UEM can be used to configure Single App Mode in Android, iOS, Windows and tvOS endpoints. We have all interacted with single-app Kiosk devices at one time or the other, the most common example being self-service ticketing Kiosks.
Multi App Mode
What if the admin wants the user to have access to a set of work apps? Multi App mode allows you to do exactly that. The device is locked down into a set of applications and device settings specified by the IT manager, blocking the user access to all other apps and settings of the endpoint. Hexnode UEM supports Multi App Mode in Android, iOS and Windows devices.
Web App Mode
The Web App Kiosk Mode allows the end-users to access only the whitelisted URLs that appear as app icons on the Android or iOS endpoint. Using Hexnode Kiosk Browser helps the admin to ensure additional security while the user navigates the Web Apps.
Digital Signage Display
We have all seen digital signage displays in shops, buildings, malls and airports playing advertisement videos or just displaying images. Hexnode UEM supports Digital Signage Display for all endpoints running Android 4.4 and above.
File and content management
Managing the files that are to be sent to the managed devices can get messy. A UEM includes Mobile Content Management (MCM) so that you can add, delete and manage all your files in one place. These files can then be sent to the managed devices in bulk, as required.
An enterprise uses multiple services and software, and it is important that the UEM provides the important integrations to ensure a seamless endpoint management experience.
Hexnode UEM Integrations
- Microsoft Active Directory
- Azure AD
- Apple Business/School Manager
- Okta Integration
- GSuite Integration
- SCCM Integration
- Zendesk Integration
Step 3: From plan to action
Now that the policies have been configured and the settings have been determined, the next step is to actually take the action to manage the devices.
Not everyone needs access to everything. Controlled access is an important security measure. Taking Hexnode UEM as a reference, there are three roles that can be assigned to a Hexnode technician:
- Admin: Admins have complete access to every feature and function in the Hexnode Web Portal.
- Reports Manager: Just as the name suggests, a Reports Manager would have access only to the reports generated and the dashboard.
- Apps and Reports Manager: An Apps and Reports manager has access to everything that the Reports Manager has. Additionally, they would also have access to the Apps tab, where they can add, delete or update applications in the Web console.
Enrolling the devices
All the planning and policy configurations would go to waste if the devices are not enrolled. A UEM should support the enrollment of devices having different operating systems. For instance, Hexnode UEM supports the enrollment of Android, iOS, Windows, macOS, tvOS, and FireOS devices. The enrollment methods are different for all of them. The methods also vary according to the number of devices to be enrolled. After enrollment, apply the configured policies to the managed endpoints.
Get started on your UEM journey now
Step 4: After deployment
Reports and Auditing
The job of IT managers is not done once the devices are deployed and set up. They need to be regularly updated on the device and user status, troubleshoot any issues that may arise, and help the end-users to become self-reliant. All this is possible only if there are good reports to analyze regularly. The Hexnode UEM technicians can schedule reports on a wide range of conditions, such as endpoint compliance, user compliance, device inactivity, application reports, location reports, and many more.
We talked about configuring compliance rules. What if the devices are not compliant? These errant devices are marked as non-compliant. With regular device scans, Hexnode UEM continually checks if the devices are compliant or not. The admins can see the number of non-compliant devices from the dashboard itself. The admins can then take steps to makes these devices compliant.
The future of Endpoint Management
Predicting an exact future for endpoint management would be difficult. The evolution of endpoint management over the past decade has been humongous, and it looks like it will continue to be so. The digital strategies and management methods have changed and will keep changing. It is important to choose a UEM that keeps updating according to the times, which would make it easier for you to make a seamless transition between the ever-changing security trends.