How do I keep my team’s distributed IT patched and secure?
Nik Rawlinson provides advice that will help guard your data on Windows, iOS and Android devices – and protect you against fines
An increase in homeworking, and an understandable expectation among many staff that this will continue to some degree post-lockdown, leaves businesses with a quandary: how do they ensure that their employees’ devices are fully patched and properly licensed when working remotely?
Relying on staff to manage their own devices isn’t prudent when those same devices will be used to access business data. Even the least sensitive inbox, database or shared document may contain personally identifiable information that, if compromised, could leave the organisation liable to enforcement action and fines for non-compliance with GDPR and the UK Data Protection Act 2018. Being able to prove that all devices were fully patched and secured is unlikely to avoid a fine altogether, but it will help when arguing that the business took security seriously and doesn’t deserve the maximum possible penalty.
Here, we’ll look at options for managing Windows, Android and iOS remotely via the cloud.
Locked Windows
Windows 10 is the most insistent release to date where updates and patches are concerned. Small business owners, who don’t have the benefit of dedicated or outsourced IT, can be fairly confident that their teams’ machines will be fit for business – as long as they don’t install unauthorised software. Restricting downloads to just software from the Microsoft Store can help.
So can Microsoft Intune (pcpro.link/312intune). This cloud-based management tool is built to facilitate remote management of enrolled devices without investment in on-site or owned infrastructure, so it works equally well with corporate or BYOD hardware, allowing staff to work not only where they choose, but on whichever device they prefer.
Although the feature range is, to some extent, dependent on the hardware choice, it’s by no means restricted to managing Windows 10. Recognising that staff are increasingly accessing corporate resources using non-Microsoft platforms, Intune can also be used to manage staff connecting from Android, iOS and macOS devices.
Intune gives organisations the choice of managing PCs as either “mobile devices” using mobile device management (MDM), or “computers” running the Intune software client (pcpro.link/312mdm). The distinction has practical implications for the way businesses keep remote machines patched, as well as how they monitor licensing compliance.
Microsoft recommends MDM. MDM doesn’t support versions of Windows prior to Windows 10, but it does support device profiles, bulk enrolment and conditional access, none of which are available when using the software client. The last of these, conditional access, is perhaps the most important for ongoing management, as it allows fine-grained control over which apps and devices can connect to company resources such as email and Microsoft 365.
With Intune, you can configure devices’ update settings, optionally withholding feature updates while ensuring security patches still reach end users. The earliest build you can currently hold devices on is 1803, which is now over two years old, giving admins time to patch business-critical applications for later builds. Update policies are defined within the admin centre as rings, which can be run, paused or deleted. A paused ring can hold back updates for up to 35 days, the same limit that applies when Windows Update is paused locally on a standalone machine (pcpro.link/312update).
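An update ring is only as good as what actually lands on the endpoint, so it is worth being able to check a remote machine directly. The script below is an added PowerShell example written for this article; it is not the author’s code and not a Microsoft tool. It reads the Windows Update for Business settings that an Intune ring (or the equivalent Group Policy) leaves on a Windows 10 device and flags the failure mode the paragraph above warns about: feature updates being deferred in a way that also stops security (quality) patches. It assumes the MDM Update CSP mirrors its settings under the PolicyManager key and Group Policy under the Policies key named in the script, with the value names used by the Update CSP; the seven-day ceiling on quality-update deferral is a hypothetical local policy, while the 35-day pause limit is the one Windows Update for Business itself enforces.

```powershell
# Added example, not code from the article or from Microsoft.
# Audits the Windows Update for Business settings applied to this Windows 10
# device by an Intune update ring (or the equivalent Group Policy) and reports
# whether holding back feature updates has also held back security patches.
# Assumptions: the MDM Update CSP stores its values under the PolicyManager key
# below and Group Policy under Policies\...\WindowsUpdate; value names follow
# the Update CSP. Run in an elevated session on the endpoint; nothing is written.

$WufbPaths = @(
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update',  # Intune / MDM Update CSP
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'        # Group Policy equivalent
)

# Return the named value from the first policy key that defines it, else $null.
function Get-WufbSetting {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($path in $WufbPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.$Name) { return $props.$Name }
    }
    return $null
}

# Days since a pause start date (CSP stores it as a date string), or $null if unparseable.
function Get-PauseAgeDays {
    param([string]$Start, [datetime]$Now)
    try { return ($Now - [datetime]::Parse($Start)).Days } catch { return $null }
}

# Evaluate ring settings against local policy. Separated from the registry reads
# so it can be run on constructed values as well as on a live device.
function Test-UpdateRing {
    param(
        [int]$FeatureDeferDays = 0,
        [int]$QualityDeferDays = 0,
        [string]$FeaturePauseStart,
        [string]$QualityPauseStart,
        [string]$TargetRelease,
        [int]$MaxQualityDeferDays = 7,    # hypothetical: security patches may lag at most a week
        [int]$PauseLimitDays = 35,        # WUfB pauses expire 35 days after their start date
        [datetime]$Now = (Get-Date)
    )
    $findings = New-Object System.Collections.Generic.List[string]

    if ($QualityDeferDays -gt $MaxQualityDeferDays) {
        $findings.Add("Quality (security) updates deferred $QualityDeferDays days; policy allows $MaxQualityDeferDays")
    }
    if ($QualityPauseStart) {
        $age = Get-PauseAgeDays $QualityPauseStart $Now
        if ($null -ne $age -and $age -le $PauseLimitDays) {
            $findings.Add("Security updates paused since $QualityPauseStart ($age days ago); patches are NOT reaching this device")
        }
    }
    if ($FeaturePauseStart) {
        $age = Get-PauseAgeDays $FeaturePauseStart $Now
        if ($null -ne $age -and $age -gt $PauseLimitDays) {
            $findings.Add("Feature-update pause started $age days ago; it has expired and the ring should be re-evaluated")
        }
    }
    # Builds are named yyMM (e.g. 1803); anything older than 1803 cannot be held by Intune.
    if ($TargetRelease -match '^\d{4}$' -and [int]$TargetRelease -lt 1803) {
        $findings.Add("Target release $TargetRelease is older than 1803, the earliest build Intune can hold")
    }
    return ,$findings.ToArray()
}

# Collect the live settings. Casting $null to [int] gives 0 and to [string] gives "".
$target = Get-WufbSetting 'TargetReleaseVersionInfo'          # Group Policy name
if (-not $target) { $target = Get-WufbSetting 'TargetReleaseVersion' }  # CSP name (assumed)
$ring = @{
    FeatureDeferDays  = [int](Get-WufbSetting 'DeferFeatureUpdatesPeriodInDays')
    QualityDeferDays  = [int](Get-WufbSetting 'DeferQualityUpdatesPeriodInDays')
    FeaturePauseStart = [string](Get-WufbSetting 'PauseFeatureUpdatesStartTime')
    QualityPauseStart = [string](Get-WufbSetting 'PauseQualityUpdatesStartTime')
    TargetRelease     = [string]$target
}

$result = Test-UpdateRing @ring
'Feature updates deferred {0} days, quality updates deferred {1} days, target release: {2}' -f `
    $ring.FeatureDeferDays, $ring.QualityDeferDays, ($(if ($ring.TargetRelease) { $ring.TargetRelease } else { 'none' }))
if ($result.Count -eq 0) { 'OK: security patches are flowing to this device' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Deferring feature updates is the intended use of a ring, so a non-zero feature deferral is reported but never flagged; the findings are reserved for the cases where quality updates are delayed beyond the local ceiling, a quality pause is still in force, or a feature pause has silently expired. Test-UpdateRing takes its values as parameters, so the same logic can be exercised against constructed settings or against values exported from another machine.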
Paranoid Android
How strict do you want to be? Google offers three levels of control, from full device management for corporate-owned, business-only devices to work profiles for BYOD devices enabled by their owners (pcpro.link/312and1). The latter, which offers the greatest flexibility, lets staff use a single device for both business and personal needs.
Work profiles are a neat solution for staff who don’t want to carry multiple devices, allowing organisations to carve out their own space within the OS. Business-focused notifications are marked with a briefcase icon to distinguish them from personal pop-ups, and business apps and data are kept separate from those for personal use, with a tabbed application drawer providing virtual containers for each app type. Work profiles are supported on Android 5 and later, and data held in either the work or the personal profile on a device supporting both will never stray into the other, so email, calendars and contacts remain distinct (pcpro.link/312and2).
Setting up a work profile allows system admins to specify certain device security requirements that apply globally rather than just to the business-focused aspects, such as passwords of a specific length, which won’t be a serious imposition on the device owner. Removing the work profile when the staff member leaves the organisation or upgrades the device deletes both the apps and data associated with it. Staff can initiate this action themselves.
The organisation can access data within the work profile, but not the rest of the device, giving staff a high degree of privacy. If the organisation requires greater oversight than this, it can instead opt for a fully managed device, although this would be most practical on business-owned hardware, rather than BYOD. Work profiles on fully managed devices can only be deleted with admin approval.
Full device management is more prescriptive than just opting for work profiles and extends the degree of control organisations have over the device, its data and security. Admins can remotely wipe the tablet or handset, as well as remotely installing and removing apps, which can be done silently, without user approval. Users themselves can install optional apps from a managed Google Play store on the device. Full device management is supported on Android 6 Marshmallow and later.
With “zero-touch” enrolment (pcpro.link/312and3), staff don’t need to configure their phones themselves, but get up and running by scanning a QR code, logging in to an enabled G Suite account or using NFC. The zero-touch service is set up by the device reseller or network, which assigns the enabled devices to your corporate G Suite account. Once they’ve done so, admins can manage devices via a dashboard by setting up defined configurations to roll out to individual devices, or batches, as soon as users first turn them on.
SOS iOS
Apple’s mobile hardware supports a similar model to Android, allowing both corporate and personal devices to be managed remotely to ensure only authorised apps are used and sensitive data remains protected.
Maintaining control over app installation and restrictions, automated deployment and remote account setup requires two resources: an MDM tool, such as Jamf Cloud (jamf.com), and Apple Business Manager (pcpro.link/312apple). Business Manager centralises the purchasing and deployment of apps through a web dashboard, as well as enrolling devices in the MDM. It can enrol devices running iPadOS, iOS, tvOS and macOS that were ordered from Apple or an Apple Authorized Reseller after 1 March 2011, and handle multiple distinct enrolment tokens, which can be assigned to different sets of devices.
Once up and running, admins can manage remote installation of custom in-house apps, as well as downloads from the App Store and even books so staff always have the most recent corporate documents to hand. Apple Business Manager also allows for distribution of apps developed in-house that aren’t available through the public-facing App Store.
It’s up to admins whether staff are alerted that an update is ready to be installed, or it simply happens in the background. Likewise, apps can be remotely configured, removing responsibility for setup from staff and allowing the business to move backend services, if required, and update team members’ devices to ensure business as usual. Apps can be bought and deployed in bulk and, because management of this aspect of the business is centralised, on-device access to the App Store can be restricted.
Managed apps and their updates aren’t tied to staff members’ personal Apple IDs: Apple Business Manager can federate with an organisation’s Azure Active Directory, allowing staff to sign in with their Active Directory usernames and passwords as a Managed Apple ID.
Books and controlled apps can be removed, which makes tidying up when staff leave simple and secure.