Device Management - What to use for MDM, BYOD and Device Security
Editor's note: Daniel Macias, Head of IT at Bugcrowd, gave us some insights on the best practices for device management he’s implemented at Bugcrowd and other companies, plus provided reasons for switching their device management tools.
Thanks for sharing these insights Daniel!
Getting started with device management
Most businesses deploy an Mobile Device Management (MDM) when they’re required to: prospect security requirements, or business certifications requirements.
The advice I would give someone looking into device management is to get started as soon as you think it is an issue. In a day to day business environment, many would say that they are concerned with the cost.
But once you are at the point where you actually need to start analyzing your companies security posture and asking the question of “what if…” in regards to company devices, it’s a good sign that you should start. To illustrate, one of the questions we started asking ourselves is “What will the impact be if an unencrypted company laptop gets stolen?”
Device management tools overview
If you are new to this, the general rule is “Anything is better than nothing”. It comes with a caveat though -- once you are ready, I recommend you do a Proof of Concept (PoC). But be aware that there will be a lot of time that goes into it. If you don’t have the time to properly test, the MDM can cause unplanned issues. Of course that depends on the level of management you want for the device. I’d say there are different tiers of MDM offerings:
- A good entry level MDM is Meraki Systems Manager, if you’re running a Meraki network I believe Meraki allows you to use Systems Manager free for up to 100 devices. The reason I rate it as entry level is because it has limited insights of the devices. Meraki Systems Manager supports: Mac, Windows, iOS, Android, ChromeOS, and Windows Phone.
- Otherwise for a Mac environment, consider new providers like Fleetsmith where they also provide an easy way to get started with a little more features and insights to machines.
- Then you have JAMF which is built for Macintosh (Mac) management. It has 2 levels: JAMF Now and JAMF Pro.
JAMF Now (formerly Bushel) is also a great entry level MDM, especially if you’re not an IT admin. It provides great insights and management features.
JAMF Pro (previously Casper Suite) is JAMF’s bread and butter. It’s management offering for Mac devices cannot be beat. It allows you to create custom images for machines, custom package building, script deployment. It truly is the best when it comes to Mac management, but be warned JAMF Pro requires constant attention. You cannot set and forget it.
- Beyond the Mac environment there are many offerings for Windows MDM. I’ve used Airwatch for a mixed device environment, and in my opinion they do a fantastic job of handling a hybrid device environment.
Switching to a new device management setup
When I started at Bugcrowd, we switched from Meraki to JAMF Pro. There’s a lot of planning and testing that goes into changing your MDM system. Our process to implement the device management system was:
- Initially we created a custom .pkg to remove the Meraki Systems Manager from employee devices.
- We then provided users the ability to enroll themselves into Bugcrowd’s new MDM.
- Once the users were enrolled in the MDM, we launched ‘Self Service’. Self service is essentially an internal app store, once of the first things we made available in self service was the custom .pkg to remove the Meraki MDM. We made it available for a few weeks just in case there were a few stragglers.
- Aside from the enrollment was the transfer of FileVault keys. We wanted to make sure Bugcrowd was the owner of all the FileVault keys. To get around that, we created a custom policy to turn off FileVault and re-enable FileVault under the Bugcrowd policy. Once the machine checked in and we verified that we had ownership of the FileVault keys we then triggered the install of a local management account.
- For mobile devices, we use Okta for mobile MDM, authentication and trusted devices that are depending on the application policies set within Okta. For small organizations, one can also start with the Meraki Systems Manager as mentioned before allows up to 100 devices.
That was a good start for us at Bugcrowd, plus it was a free MDM. This helped us to create an inventory for all active devices and to know if we were all patched after a bug/vulnerability was announced. It saved us a tremendous amount of time from checking in with everyone.
Impact on the organization
Now we manage all Macs and company owned iOS devices (such as iPads and Apple TVs).This setup provides me with a good compliance report with system status, assurance that the operating system is most up-to-date, and allows me to deploy custom packages including multiple different operating systems.
This is essential for organizational security as we use a different hardening standard depending the type of user operating the machine. Some other critical systems might be excluded from this setup to ensure segregation and prevent dependencies.
Impact on employees
First of all, this makes the onboarding experience seamless for employees. Apple provides something called ‘Device Enrollment Program’ (DEP) that can be linked to JAMF and create an enrollment policy for DEP.
This means that the user can open the laptop, connect to WiFi and the machine authenticates. This allows for custom login experiences with assigned usernames and passwords via Okta / JAMF. It also makes sure the device runs policies to enable security features on the machine, which in turn makes it compliant out of the box.
Most valuable feature
To me, the best feature is the self service custom app store that I can provide to our employees. I even added URLs of company directory, and shortcuts to clear memory cache without rebooting. This allows the end-users to get involved with the machine so they can understand things and become a part of the security culture. They can even ask the system if it’s encrypted and it will say “yes” if it is.
It makes clear that the user owns the machine and IT can help administer as opposed to the other way round.
Challenges of the device management
One of the biggest challenges was addressing end users privacy concerns. MDM for some can be an intrusion of their privacy. At Bugcrowd we believe in the privacy of our employees and provide them insights to the controls we’ve put on their devices.
What was essential from the start was to be very honest with the team and confirm that the information that the MDM collects would not be used in a malicious manner. Transparency is always key when rolling out new systems to end users.
Another challenge that many might have is the mixed platform environment. You may have to deploy multiple MDM solutions to cover all of your needs. When running multiple MDM platforms the maintenance can become a nuisance.
Useful links on MDM:
The Best MDM Solutions of 2018
Comparing the top MDM Softwares
10 BYOD MDM Suites You Need to Know