Quick Wins for Endpoint Security and Management Methods
Endpoint Management has always been a popular topic among IT administrators with burning questions aplenty in search of the best end-to-end solution for a particular environment as well as the best overall approach for securing data and devices. Now more than ever we are getting a ton of questions from organizations desperately seeking the holy grail of Endpoint Management. Throughout this blog we will discuss the ins and outs of Endpoint Management and answer the following frequently asked questions:
- What are the quick wins we can take advantage of in terms of Endpoint Management?
- How can we secure our corporate-owned devices when they’re off-site?
- How can you enable secure access to resources that are on personal devices?
- When does it make sense to use Configuration Management?
- When does it make sense to use Intune?
- Which scenarios or environments are best for Endpoint Co-Management?
We will focus on some of the low-hanging fruit, by which we mean, using technology and licensing that most organizations already have in place.
These days, many people that usually work from an office now work from home. So, some of the common requirements we’re hearing are:
- We need the ability to deploy applications
- We need to support those applications, once they’ve been deployed
- We must be able to deploy updates and secure devices
- We need to configure settings and manage the device lifecycle from beginning to end
In order to achieve the above list of requirements, we need to look at the infrastructure in place. Most of Steeves and Associates’ clients are already in a situation where they have adopted some, if not all, of the tools we’re going to be investigating throughout the blog.
- Are you using Configuration Manager, to manage your Endpoints?
- Have you already got your tenant set up to support Azure AD or Intune for Office 365, SharePoint Online, or some of the other cloud-based solutions?
- Do you have Secured Network Resources? Most organizations have some solution in place for providing Secured Network access via an always-on VPN solution or another solution that provides access to your corporate resources.
- Perhaps you’re using a virtualization solution, such as Cisco or another vendor, that provides desktop virtualization.
For further insights into Endpoint Security and Management Methods that will enable your workforce to work remotely, collaboratively and securely – Watch Our 4-Part On-Demand Webinar Series >>
NEWS FLASH! Endpoint Management Licensing Changes
Microsoft made an announcement in the Fall of 2019, that Configuration Manager was to become part of the product suite known as Microsoft Endpoint Management. Both the Configuration Manager product and Intune product are part of this suite and both are managed by the same team of developers. This means that the developers can collaborate and communicate to ensure that these products are working well, hand in hand.
As well as this, Microsoft announced that the licensing for Intune is available to all Configuration Manager customers, enabling them to Co-Manage Windows devices.
What does the Endpoint Management Update Mean for Your Organization?
If you currently have devices that you’ve been managing with Configuration Manager, one of the issues you might be running into is that those devices are no longer on-premises. They’ve been moved off-premises, most likely to your user’s home. So, unless you have a VPN solution that is connecting them to your network, they’re not currently being managed by the Configuration Manager.
With this new licensing announcement, it means that you can now manage all your devices with the Configuration Manager client agent installed via Intune, at no additional charge.
Does Anything Change with the Rebrand to Microsoft Endpoint Manager?
Effective December 2019, if you are licensed for ConfigMgr, you are automatically licensed for Intune for enrolling Windows PCs in co-management.
First, a new license is now available for ConfigMgr customers with Software Assurance which provides Intune PC Management rights without additional purchases. You do not need to assign individual user licenses. However, there are some important considerations:
- Autopilot cannot be used to re-provision devices licensed in this way.
- You must use ConfigMgr to perform the enrollment of your devices. Enrollment using any other method will not work.
- The licenses do not allow you to manage iOS and Android or MacOS devices – for those you still require additional Intune licensing.
If you would like further details click here to find out more >
How to Take Advantage of The Endpoint Management Updates
If you have Configuration Manager devices already, you’ve got devices that are being managed using “System Center Configuration Manager”, and they have the Configuration Manager client agent installed on them. Now, as these Windows devices are away from the office, they require a way to connect back to:
- the Management Point
- the Software Update Point
- the Distribution Point
All of which are on-premises (unless you have a solution such as a VPN solution). Your devices that are on the internet will be unmanaged for a period of time until they come back and log into your corporate network.
Here are some ways in which you can take advantage of the updates to Microsoft’s software and licensing agreements during the current public health crisis.
Quick Win Number 1: Microsoft Endpoint Co-Management
The benefit of Endpoint Co-Management is that you can continue to reap the benefits of your existing Configuration Manager infrastructure, while also taking advantage of a number of different Azure Cloud advancements (these are available immediately upon enabling Endpoint Co-Management).
When Intune is added to your existing Configuration Manager infrastructure, the immediate quick win is that Configuration Manager immediately provides you with all of the benefits of an on-premises Configuration Manager environment. Plus Intune is also available to manage workloads that you feel are appropriate to be managed on your cloud-based, rather than your on-premises solution. As a result, you get the best of both worlds! As well as compliance checks, some of the robust compliance and security features that are only available as part of your cloud-based Azure AD solution.
Endpoint Management: ConfigMgr, Intune or Both? [On-Demand Webinar]
What’s Required to Take Advantage of Endpoint Co-Management?
- Configuration Manager current branch version 1710 or later.
- Windows 10 version 1709 or later. (If you’re still on Windows 7 or Windows 8, you’re not supported for the Co-Management scenario).
What’s the Effort Required to Implement Endpoint Co-Management?
Typically, you’re going to be able to turn on Endpoint Co-Management, in less than a couple of hours. This doesn’t mean you’re going to be doing anything new, simply that your clients will now be listening for both Intune Management instructions and Configuration Manager instructions.
We’re essentially telling the Configuration Manager client that it’s being dually managed by Configuration Manager and Intune, depending on the type of workload.
The Benefits of Endpoint Co-Management
What we suggest as a great solution for any organization that’s trying to quickly adapt to a workforce that is no longer on-premises, is to switch to a Co-Managed environment where you can take advantage of some of the additional security capabilities that we have in the cloud. You can continue to configure devices that are not connected to your corporate network and you can continue to take advantage of Configuration Manager benefits for those devices that need it.
Explore the On-Demand Webinar Now for a demo of Microsoft Co-Management >>
To see what we’ve been talking about in action, watch the on-demand webinar for a demo of setting up Endpoint Co-Management.
If you have any questions do not hesitate to reach out.
Considerations for Endpoint Co-Management
Co-Management allows Windows 10 devices to be managed by both the Configuration Manager client and Intune. Co-managed clients receive instructions from Configuration Manager about which loads are going to be managed by Configuration Manager and which will be managed by Intune. By enrolling a device in Intune, you get the immediate cloud benefits as well as enhanced security capabilities.
What Co-Management does not do, is provide a pathway back to the Configuration Manager infrastructure for your ConfigMgr devices that are internet-connected. If you don’t have a VPN connection for these devices to connect back to ConfigMgr. While these devices are away, any workloads that you’ve shifted to Intune, will be managed by Intune, but any workloads that the client has been told are being managed by ConfigMgr (a system without a VPN connection back into your network) is simply going to wait until it gets back onto your corporate network to receive its management instructions.
Are there any Adverse Effects or Impacts of Flipping a Workload that was Previously on Configuration Manager to Intune?
When we start looking at flipping workloads from Configuration Manager to Intune, there could be adverse and unplanned effects. We have to make sure, for instance, that if we are moving a workload from ConfigMgr to Intune, that the workload has been correctly configured for Intune. That’s why we have the handy ability to deploy workloads to a pilot group first.
Our recommendation is to always test out a workload in a pilot collection before moving it to Intune. By testing it out in a pilot collection, you can ensure that it behaves the way you expect it to once it’s migrated into the cloud, and then once you’ve completed the testing, you can move the remainder of that workload into Intune management.
Quick Win Number 2: Cloud Management Gateway
The second solution we want to dive into is the Cloud Management Gateway (CMG), as the CMG has some significant benefits over the stand-alone Endpoint Co-Management features.
What is the Benefit of the Cloud Management Gateway (CMG)?
With CMG, there are existing Configuration Manager clients, that are off-premises and are internet-connected. Unlike Co-Management, where off-premises devices are not managed by the Configuration Manager until they come back on-premises, we can now manage traditional Windows Active Directory clients.
With an Active Directory domain-joined identity, we can manage them with a hybrid identity, and we can install the Configuration Manager client on devices over the internet. Those clients, when they’re on the internet, can access:
- Your management point
- Your software update point
- Any cloud distribution points that you placed for device management
What are the Requirements for Taking Advantage of the Cloud Management Gateway?
- Current branch 1710 or later of Configuration Manager
- Windows 10 version 1709 or later (Windows 7 and 8 are unsupported)
You’ll also need your Microsoft Intune licenses, which are taken care of by your Configuration Manager clients. Your devices will need to have Azure Directory or Hybrid Azure Directory joined and the trickiest part of this whole installation is a public PKI certificate.
To create the Azure gateway, you’ll require global administration privileges in Azure AD, in order to flip this on and to enable it.
What’s the Effort Required to Implement Cloud Management Gateway?
Typically, if you’re thinking about how much effort is going to be involved in enabling this capability, we’re looking at probably less than four hours. However, once CMG has been enabled, there’s going to be additional effort moving some of your content.
What about Internet-Based Client Management?
Internet-based client management, or IBCM, is still a viable option and is still supported by Configuration Manager but there is an awful lot of ‘voodoo’ associated with it!
We have rarely seen IBCM to be a quick win, it’s usually an awful lot of effort to work with certificates and a lot of configuration of firewall rules in your DMZ. So, it’s rarely a popular solution and certainly, with the ability to set up a Cloud Management Gateway, we would definitely recommend CMG over internet-based client management.
If Clients are Already Connected via VPN, do you Need Cloud Management Gateway?
A VPN will punch clients back into your corporate network and they’ll be able to gain access to resources. Some organizations still want to use a Cloud Management Gateway in order to shape traffic, so that it’s not being pumped through the VPN into your corporate network, but rather it is coming in through the Cloud Management Gateway. Technically you would probably not see a lot of benefit to a Cloud Management Gateway if you already have an always-on VPN.
Likewise, if you have an always-on VPN, you do not need to worry about Intune administrative templates that are offered by Azure Active Directory.
How does Cloud Management Gateway Work?
With Cloud Management Gateway, your roaming laptop, which is internet-based, has been tuned to come back to the Cloud Management Gateway, in order to receive management instructions.
The Cloud Management Gateway will tunnel the client requests through the Cloud Management connection point in Configuration Manager, back to the management point, and software update points that are on-premises.
The management point, of course, provides similar policy instructions so that the roaming laptop now knows how it should be configured and it configures itself appropriately e.g. for anything that needs to be installed or any applications that need to be available to that machine when it’s away from the office. The roaming laptop can now download content from your cloud distribution points, in a similar way to what it would do if it was connected to your on-premises network.
Check out the on-demand webinar for a demo of Cloud Management Gateway. Check it out now and let us know if you have any questions!
Quick Win Number 3: Microsoft Intune Only
We’ve detailed a couple of quick wins above, but what if you don’t have Configuration Manager? Well, that’s not a problem because ‘Intune only’ management provides you with the immediate benefits of both an MDM device management and an application management platform; similar to what Configuration Manager provides to an on-premises infrastructure.
We can use Microsoft Intune to manage devices whether they’re on-premises or whether they are cloud-connected, all they need to do is have an internet connection to be managed. You don’t need an on-premises infrastructure.
One of the beautiful things about this is unlike Configuration Manager, which has a pretty complex and higher maintenance infrastructure to maintain, Intune is completely hosted on Microsoft, managed and maintained by Microsoft, so this means you don’t have anything to worry about!
Plus, there are additional benefits such as:
- Your policy can be configured directly through Intune, without group policy or Configuration Manager
- Conditional access with device compliance
- Remote actions, such as restart factory, resets and wipes
- Centralized visibility of devices whether they are on-premises or not
- The ability to do modern provisioning with Windows Autopilot
What’s Required to Take Advantage of Microsoft Intune?
All you need is a Microsoft Intune license and Azure AD hybrid / AD join enabled environment.
Typically, you can have this all set up with some basic configuration in place within 8 hours. It’s not a huge amount of work and you can see some real immediate benefits.
Do Administrators still need an Internet Distribution Point for Third Party Updates or is that Available in Intune?
If you’re going be doing third party updates then, absolutely, you will need to have a
cloud distribution point that provides your clients with the content for those updates. Otherwise, they won’t have a place they can go to download content from, for Microsoft updates.
There’s an option for Microsoft updates that you can check in the deployment that says ‘go to Microsoft directly to download the updates’ if they’re not available from a distribution point.
Resources to Get You Started with Endpoint Management
As you can see, there are some quick wins that you can leverage within just a few hours that can help you manage devices that have moved off-premises. Below we have listed some additional resources to help get you started:
- Co-Management for existing Configuration Manager clients
- Enable Co-Management for new internet-based devices
- Co-Management Documentation
- Managing Clients on the Internet with Configuration Manager
- Microsoft Endpoint Manager admin center
- Windows Virtual Desktop
- Always On VPN
Let Us Assist You with Endpoint Management with Our FastTrack Program
Steeves and Associates are part of the FastTrack program, which means we can provide free guidance and help clients adopt a cloud workload. As well as this, there are migration benefits for the likes of:
- Files on OneDrive
- On-premises mail (whether it’s Exchange, Groupwise, or any other mail system out there).
We highly encourage you to look at this particular service, especially if you’re under tremendous cost pressure and seeing nonessential projects being delayed or canceled.
If you have any questions or queries do let us know, we’re happy to help.
Author: Doug Griffin
Doug Griffin is an experienced Endpoint Management & Mobility Architect at Steeves and Associates. With a focus on System Center Configuration Manager since 1998 as well as Microsoft InTune, there are few in the field that has more hands-on experience. Doug Griffin also holds a wealth of certifications from Microsoft, including MCSA, MCTS, MCITP and is a Microsoft Certified Trainer. Griffin also has a Bachelor of Science from the University of Saskatchewan and over a decade of experience as an MCT, providing classroom and online-based training in ConfigMgr and other Microsoft products. In his time off, Doug enjoys playing Squash, although after years of practice he is still not very good at it.