Editor's note: Daniel Macias, Head of IT at Bugcrowd, gave us some insights on the best practices for device management he’s implemented at Bugcrowd and other companies, plus provided reasons for switching their device management tools.
Thanks for sharing these insights on our IT Manager Checklist, Daniel!
Getting started with device management
Most businesses deploy Mobile Device Management (MDM) only when they're required to, whether by prospects' security requirements or by business certification requirements.
The advice I would give someone looking into device management is to get started as soon as you think it is an issue. In a day-to-day business environment, many would say that they are concerned with the cost.
But once you are at the point where you actually need to start analyzing your company's security posture and asking the question of "what if…" in regards to company devices, it's a good sign that you should start. To illustrate, one of the questions we started asking ourselves is "What will the impact be if an unencrypted company laptop gets stolen?"
Device management tools overview
If you are new to this, the general rule is “Anything is better than nothing”. It comes with a caveat though -- once you are ready, I recommend you do a Proof of Concept (PoC). But be aware that there will be a lot of time that goes into it. If you don’t have the time to properly test, the MDM can cause unplanned issues. Of course that depends on the level of management you want for the device. I’d say there are different tiers of MDM offerings:
- A good entry level MDM is Meraki Systems Manager; if you're running a Meraki network, I believe Meraki allows you to use Systems Manager free for up to 100 devices. The reason I rate it as entry level is because it has limited insights into the devices. Meraki Systems Manager supports: Mac, Windows, iOS, Android, ChromeOS, and Windows Phone.
- Otherwise, for a Mac environment, consider new providers like Fleetsmith, which also provide an easy way to get started with a few more features and insights into machines.
- Then you have JAMF which is built for Macintosh (Mac) management. It has 2 levels: JAMF Now and JAMF Pro.
JAMF Now (formerly Bushel) is also a great entry level MDM, especially if you’re not an IT admin. It provides great insights and management features.
JAMF Pro (previously Casper Suite) is JAMF's bread and butter. Its management offering for Mac devices cannot be beat. It allows you to create custom images for machines, custom package building, and script deployment. It truly is the best when it comes to Mac management, but be warned: JAMF Pro requires constant attention. You cannot set it and forget it.
- Beyond the Mac environment there are many offerings for Windows MDM. I’ve used Airwatch for a mixed device environment, and in my opinion they do a fantastic job of handling a hybrid device environment.
Switching to a new device management setup
When I started at Bugcrowd, we switched from Meraki to JAMF Pro. There’s a lot of planning and testing that goes into changing your MDM system. Our process to implement the device management system was:
- Initially we created a custom .pkg to remove the Meraki Systems Manager from employee devices.
- We then provided users the ability to enroll themselves into Bugcrowd’s new MDM.
- Once the users were enrolled in the MDM, we launched 'Self Service'. Self Service is essentially an internal app store; one of the first things we made available in Self Service was the custom .pkg to remove the Meraki MDM. We made it available for a few weeks just in case there were a few stragglers.
- Aside from the enrollment was the transfer of FileVault keys. We wanted to make sure Bugcrowd was the owner of all the FileVault keys. To get around that, we created a custom policy to turn off FileVault and re-enable FileVault under the Bugcrowd policy. Once the machine checked in and we verified that we had ownership of the FileVault keys, we then triggered the install of a local management account.
- For mobile devices, we use Okta for mobile MDM, authentication and trusted devices, depending on the application policies set within Okta. For small organizations, one can also start with Meraki Systems Manager, which, as mentioned before, allows up to 100 devices.
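The FileVault take-over step above needs a per-machine decision: is the disk encrypted, and does the organization hold a recovery key for it? The script below is an added example, not Bugcrowd's or JAMF's own code. It parses the output of macOS's `fdesetup status` and `fdesetup hasinstitutionalrecoverykey` and maps the result to the action the policy should take next (enable, re-key, wait, or proceed to the management-account install). The parsing is kept separate from the commands so it can be exercised with constructed sample output on a non-Mac host; the "constructed" values in the fallback branch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Bugcrowd's or JAMF's code): decide which step of the
# FileVault take-over a Mac still needs, from fdesetup's own output.

# filevault_state "<fdesetup status output>" -> on | off | encrypting | unknown
# fdesetup prints "FileVault is On." / "FileVault is Off." and, while a volume
# is still being encrypted, a second line "Encryption in progress: ...".
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# next_action STATE HAS_INSTITUTIONAL_KEY(true|false) -> policy decision
#   enable : FileVault is off, enable it under the org policy
#   rekey  : on, but the org holds no recovery key -> disable/re-enable, as described
#   wait   : still encrypting, check in again later
#   ok     : on and the org holds the key -> safe to install the management account
next_action() {
    state="$1"; haskey="$2"
    case "$state" in
        off)        echo enable ;;
        encrypting) echo wait ;;
        on)
            if [ "$haskey" = "true" ]; then echo ok; else echo rekey; fi ;;
        *)          echo unknown ;;
    esac
}

# Use the real commands where they exist (macOS); otherwise fall back to
# constructed sample output so the logic can be read and run anywhere.
if command -v fdesetup >/dev/null 2>&1; then
    status_out=$(fdesetup status)
    key_out=$(fdesetup hasinstitutionalrecoverykey)
else
    status_out="FileVault is On."   # constructed sample: encrypted ...
    key_out="false"                 # constructed sample: ... but not under the org's key
fi
state=$(filevault_state "$status_out")
echo "FileVault: $state; institutional key: $key_out; action: $(next_action "$state" "$key_out")"
```

Run as a JAMF policy script, the printed action would be checked by the calling workflow before the management account is deployed; on a host without `fdesetup` the constructed sample yields `rekey`.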
That was a good start for us at Bugcrowd, plus it was a free MDM. This helped us to create an inventory for all active devices and to know if we were all patched after a bug/vulnerability was announced. It saved us a tremendous amount of time from checking in with everyone.
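Knowing "are we all patched" from the MDM inventory comes down to comparing each device's OS version against the version that carries the fix. The script below is an added example, not Bugcrowd's tooling: it takes a small inventory export (hostname and OS version per line; the rows and the fixed-in version are constructed for illustration) and lists the machines still to be patched. Versions are compared field by field, so 10.14.10 correctly sorts after 10.14.4, which a plain string comparison would get wrong.

```shell
#!/bin/sh
# Added example, not Bugcrowd's code: find unpatched devices in an MDM
# inventory export. Inventory rows and FIXED_IN are constructed samples.

# Constructed sample export in "hostname,os_version" form (header included).
INVENTORY="hostname,os_version
mac-01,10.14.4
mac-02,10.14.3
mac-03,10.13.6
mac-04,10.14.10"

# Constructed: the OS version in which the announced bug is fixed.
FIXED_IN="10.14.4"

# version_ge A B -> exit 0 when A >= B, comparing each dot-separated field
# numerically (missing trailing fields count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# unpatched "<csv text>" MIN_VERSION -> prints hostnames below MIN_VERSION, one per line
unpatched() {
    printf '%s\n' "$1" | while IFS=, read -r host ver; do
        case "$host" in
            hostname|"") continue ;;   # skip header and blank lines
        esac
        if ! version_ge "$ver" "$2"; then
            echo "$host"
        fi
    done
}

echo "Devices below $FIXED_IN:"
unpatched "$INVENTORY" "$FIXED_IN"
```

Feeding a real export (JAMF's inventory CSV, for instance) means pointing `INVENTORY` at the file's contents and keeping the same two columns; the comparison logic does not change.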
Impact on the organization
Now we manage all Macs and company-owned iOS devices (such as iPads and Apple TVs). This setup provides me with a good compliance report with system status, assurance that the operating system is the most up-to-date, and allows me to deploy custom packages including multiple different operating systems.
This is essential for organizational security as we use a different hardening standard depending on the type of user operating the machine. Some other critical systems might be excluded from this setup to ensure segregation and prevent dependencies.
Impact on employees
First of all, this makes the onboarding experience seamless for employees. Apple provides something called ‘Device Enrollment Program’ (DEP) that can be linked to JAMF and create an enrollment policy for DEP.
This means that the user can open the laptop, connect to WiFi and the machine authenticates. This allows for custom login experiences with assigned usernames and passwords via Okta / JAMF. It also makes sure the device runs policies to enable security features on the machine, which in turn makes it compliant out of the box.
Most valuable feature
To me, the best feature is the Self Service custom app store that I can provide to our employees. I even added URLs for the company directory, and shortcuts to clear the memory cache without rebooting. This allows the end users to get involved with the machine so they can understand things and become a part of the security culture. They can even ask the system if it's encrypted and it will say "yes" if it is.
It makes clear that the user owns the machine and IT can help administer as opposed to the other way round.
Challenges of the device management
One of the biggest challenges was addressing end users' privacy concerns. MDM for some can be an intrusion of their privacy. At Bugcrowd we believe in the privacy of our employees and provide them insights into the controls we've put on their devices.
What was essential from the start was to be very honest with the team and confirm that the information that the MDM collects would not be used in a malicious manner. Transparency is always key when rolling out new systems to end users.
Another challenge that many might have is the mixed platform environment. You may have to deploy multiple MDM solutions to cover all of your needs. When running multiple MDM platforms the maintenance can become a nuisance.
Useful links on MDM:
The Best MDM Solutions of 2018
Comparing the top MDM Softwares
10 BYOD MDM Suites You Need to Know
Phone-based systems are not just a small-business solution. CEO of Kisi, Bernhard Mehl, comments: “If you see the average of three doors connected then that might seem low but, in reality, one door relates to around 50 employees—so those are locations with about 150 people on average, including satellite offices. That’s quite significant.”
Mobile Access Control Adoption by Industry
Kisi examined which industries are investing the most in mobile access control technology. To do so, the average size of mobile access control installation projects by industry were measured. Commercial real estate topped the list with 23.5 doors running mobile access per facility. Education management came in last with 1.0 door running mobile access per facility.
The number of shooting incidents at K-12 schools, according to the CHDS, reached an all-time high at 97 incidents in 2018—compared to 44 in 2017. Cloud-based access control companies, like Kisi, offer a lockdown feature for active shooter situations or emergencies, making it an effective protective layer for places that are targeted, such as religious institutions, which come in near the top of the list with 4.0 doors running mobile access per facility.
Based on industry size, it makes sense that commercial real estate tops the list, with 23.5 doors running mobile access per facility. Cloud-based access control enables these larger organizations to scale more seamlessly and allows large organizations, like telecommunications, to deploy the most manageable IT solutions available, eliminating the need to create and manage a business’s own IT infrastructure over time.
“Commercial real estate is, of course, the driver of mobile adoption since they have the largest buildings,” Mehl adds. “The key here is to show that mobile-first technologies are not a risk but an innovation that brings positive ROI and allows agencies to reposition their buildings as forward-thinking establishments.”
The scalability and ease of use in onboarding an organization allows many different types of industries and businesses of different sizes to adopt a cloud-based access control system, either using keycard or mobile credentials for access.
Mobile Access Control by State
Looking specifically at the United States, Kisi analyzed in which states companies are investing the most into upgrading to smartphone-enabled access systems. Of the currently installed base of access control readers, around 20 percent will be mobile capable by 2022, according to a recent IHS report. Cloud-based systems, like Kisi, are future-proof—allowing over-the-air updates in real time and unlimited scalability for users.
"Mobile unlock technology makes you think of the major tech hubs like New York, San Francisco or Los Angeles," Mehl adds. "Looking at which states have the largest projects, it's surprising and refreshing that those are not the typical 'tech cities,' and yet that's where access control technology really makes an impact." The fact that the largest projects are seen in states outside of the typical tech startup landscape is evidence that mobile access control is highly applicable across industry sectors.
For further questions about this study, reach out to Kait Hobson (firstname.lastname@example.org)