Scappman is no longer onboarding new partners or direct customers.

For a patching solution, please reach out to one of our existing partners or consider Patch My PC.

The best mobile device management solution in 2022: SCCM vs. Intune


Choosing mobile device management (MDM) and mobile application management (MAM) solutions for your company can be challenging. With ‘bring your own device’ (BYOD) on the rise, MDM plays a crucial role in controlling corporate data on devices by configuring accessibility policies and data security. Here, the eternal dilemma arises: should you go with Microsoft System Center Configuration Manager (SCCM, also called ConfigMgr) or Microsoft Intune? Both solutions are part of Microsoft Endpoint Manager – a single, integrated platform for managing all the endpoints in the organization. Intune is a cloud-based solution that allows you to manage company-owned and personal devices, while SCCM is a more traditional on-premises solution. Let’s look at both solutions, evaluating their pros and cons.

What is SCCM / ConfigMgr?

According to Microsoft, “SCCM is an on-premises solution to manage desktops, servers, and laptops that are on your network or internet-based.” Originally released in 1994 and now part of Microsoft Endpoint Manager (MEM), it focuses on managing Windows devices across the enterprise (300+ devices).

SCCM’s functionality includes:

SCCM Pros:

SCCM Cons:

What is Microsoft Intune?

Microsoft identifies Intune as a “cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).” Being a cloud-based application, Intune has a simpler architecture than SCCM because it does not require on-premises infrastructure to operate. One of the main aims of Intune is to create a secure work environment by controlling device usage and designing customized access policies for devices, including BYODs. Intune can separate corporate data from employees’ personal data on BYODs, which is convenient because employees no longer need several devices. Moreover, with Intune, it’s easy to make sure that all devices comply with enterprise requirements.

Intune’s additional features are:

Intune Pros:

Intune Cons:

SCCM vs. Intune – Overview

| Feature          | SCCM                                     | Microsoft Intune                                        |
| Positioning      | On-prem                                  | Cloud                                                   |
| Costs            | Subscription                             | Subscription (price depends on the used data)           |
| Software updates | Supports updates, patches, and software  | Supports updates, patches, and software                 |
| Servers          | Servers required                         | No physical server is needed; requires Internet access  |
| Remote features  | VPN, Wi-Fi                               | Remote deployment                                       |

Summary

Microsoft Intune and System Center Configuration Manager offer various features, but it’s up to you to decide which best suits your business. Intune is a cloud-based solution accessible anywhere, making it well suited to remote workers. As a result of the ongoing COVID-19 pandemic, employees are working outside of protected corporate networks, using their own devices, and thanks to Intune, corporate data is safeguarded. Furthermore, Intune supports limited monitoring and management of non-Windows systems. SCCM is a potent tool that can manage a variety of endpoints and has rich functionality. However, it can be complicated to work with and expensive.

What are applications update rings?


For a company, applications can be challenging to manage. They need to be installed on computers and regularly maintained afterwards. When a new application update is available, the IT department needs to reinstall them on all computers.

Note: All applications need to be up to date, so hackers cannot abuse vulnerabilities in the software!

On average, an application needs updating once a week, and each update takes around four hours to package and test. Multiply this by the number of applications in your company, and you’ll know how much precious time IT spends on this process.

The bigger the company, the more control you need. Installing a conflicting update to more than 1,000 users can be a disaster for your business. For this reason, it’s essential to roll out updates in waves. In IT terminology, this process is called “update rings.” With update rings, IT installs an update to a limited group of users (the pilot group) first. Once IT has confirmed there are no issues or conflicts, they advance the update to a larger user group. If there are no issues or conflicts for this group either, they move on to the next group, and so on. Thus, the bigger the company, the more rings.

IT needs to manage and monitor this update process for every update of every application. This activity is not the most thrilling task for a professional IT team, which is one of the reasons why companies don’t always have the latest application versions.

How to manage application update rings in Intune?

There are two ways to manage application update rings in Intune:

1. Changing the sources of an application.
2. Changing the assignments for an application.

Changing the sources of an application

In this scenario, you create an application for each update ring. The sources and settings are the same for all the applications, but the assignments are different. As an example, let’s take three update rings:

Application_Group_Fast
Application_Group_Slow
Application_Group_Release

At creation, all applications have the same version but different assignments. When a new version of the application is released, IT changes the .intunewin file containing the new sources, commands and configuration settings. Members of Group_Fast get the update and can validate it. After the testing period is finished, IT changes the .intunewin file for the next group. A lot of manual work is involved in these actions if you don’t have an automation tool for it.

Changing the assignments for the application

Another way to use update rings is by changing the assignments for the application. In this case, IT creates a new application for each version. The first version has all three groups assigned for installation. With a new application version, IT creates a second Intune application, assigning Group_Fast to this version. After testing and validation, IT assigns the next group to the new application. This process is then repeated until all groups have been assigned to the new application. Afterward, the initial version can be removed from Intune.
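The second method above (promoting a new app version ring by ring through its assignments) can be scripted against the Intune Graph API. The following is an added example written for this page, not code from the original post or from Scappman. It assumes the Microsoft.Graph PowerShell module is installed and a session has been opened with Connect-MgGraph using the DeviceManagementApps.ReadWrite.All scope; the app id, the ring group ids and the ring names are placeholders taken from the text, and Invoke-RingPromotion and New-RingAssignmentBody are names chosen for this example.

```powershell
# Added example (not from the original post): promoting a new Win32 app version
# through update rings by changing its Intune assignments with Microsoft Graph.
# Assumes Connect-MgGraph has already been run with DeviceManagementApps.ReadWrite.All.
# All ids below are placeholders; replace them with your own.

$NewAppId = '00000000-0000-0000-0000-000000000000'   # placeholder: the Intune app holding the new version

# Ring order, fastest first. Group ids are placeholders.
$Rings = [ordered]@{
    'Group_Fast'    = '11111111-1111-1111-1111-111111111111'
    'Group_Slow'    = '22222222-2222-2222-2222-222222222222'
    'Group_Release' = '33333333-3333-3333-3333-333333333333'
}

function New-RingAssignmentBody {
    # Builds the request body for the mobileApps/{id}/assign action.
    # The action replaces the app's whole assignment list, so the body must
    # contain every ring validated so far, not only the newest one.
    param(
        [Parameter(Mandatory)] [string[]] $RingNames,
        [string] $Intent = 'required'
    )
    $assignments = foreach ($name in $RingNames) {
        @{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = $Intent
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $Rings[$name]
            }
        }
    }
    return @{ mobileAppAssignments = @($assignments) }
}

function Invoke-RingPromotion {
    # Assigns the new app version to the next ring. $RingsValidated is the number
    # of rings that have already signed off; the next ring is added on top of them.
    # Returns the name of the ring that was just assigned, or $null when done.
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [int]    $RingsValidated,
        [switch] $WhatIf
    )
    $names = @($Rings.Keys)
    if ($RingsValidated -ge $names.Count) {
        Write-Host 'All rings are assigned; the previous app version can now be removed.'
        return $null
    }
    $assignNow = $names[0..$RingsValidated]          # validated rings plus the next one
    $body      = New-RingAssignmentBody -RingNames $assignNow
    $uri       = "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$AppId/assign"

    if ($WhatIf) {
        Write-Host "Would POST to $uri with body:"
        $body | ConvertTo-Json -Depth 5 | Write-Host
    } else {
        Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
    }
    return $assignNow[-1]
}

# Day 0: only the fast ring gets the new version. After its sign-off, run again
# with -RingsValidated 1, and so on until the function reports completion.
Invoke-RingPromotion -AppId $NewAppId -RingsValidated 0 -WhatIf
```

Run with -WhatIf first to inspect the request body. Because the assign action overwrites the app's assignment list, a script that posts only the newest ring would silently unassign the rings validated earlier; keeping a cumulative list is what makes each promotion safe to repeat.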

What is a day zero-bug or a zero-day attack?


A day zero-bug or zero-day attack, as defined by Hewlett Packard, “occurs when a vulnerability is being exploited before the vulnerable software vendor has knowledge of the vulnerability and develops a patch.” Zero-day attacks are dangerous because malicious hackers can use them to exploit vulnerabilities before patches are even available. So the meaning of a zero-day bug is pretty straightforward; it’s the same as when you ask a company when they want a project finished, and they say, “Yesterday.” Yesterday was the day everything was alright. Today is not. You have less than a day, or zero days, to fix the bug or have the vendor create a patch.

The difference between a zero-day vulnerability, a zero-day exploit, a zero-day attack and a zero-day virus

A zero-day vulnerability is a programming flaw discovered by hackers after the vendor has shipped the software. There’s no software patch available at the hour of exposure, so any assault can proceed. A zero-day is therefore the opposite of a known vulnerability, which has a published patch.

A zero-day exploit is an action taken by hackers to obtain access to a system through a previously unknown vulnerable flaw.

A zero-day attack is an attack that uses a zero-day exploit or attacks a system with a zero-day vulnerability.

A zero-day virus is a technical term for computer malware that has been created but not yet discovered.

It’s all in the patches

Patching and updating are crucial aspects of removing vulnerabilities. The increase in cyberattacks during the pandemic has been phenomenal. Some reports state a rise of 600%, with a noticeable increase in attacks targeting mobile devices. But 9 out of 10 times, if you’re in this industry or market, you’ll probably already know this. With working from home and BYOD policies, it’s becoming an even bigger issue. The reason is straightforward: it’s an open door for hackers.

Even when company policies and VPNs are in place, it’s still tricky for IT managers to keep hackers out of their systems. That’s why Microsoft Endpoint Manager and Microsoft Intune are necessary software in every enterprise currently working in a Microsoft ecosystem. And if you really want to be secure, it’s even better to include Scappman as an add-on. Scappman is a 100% cloud solution that automatically installs your applications and keeps them up to date, saving hours of IT team time. So now you know the difference between attacks, exploits, etc. Remember: it’s better to be safe than sorry.

How to manage private applications in Microsoft Intune?


We get this question a lot. First, people may have a different understanding of what private apps and public apps are.

Private applications are applications:
- where the sources can’t be downloaded from the internet without providing personal information;
- that require a license key or license file.

Private applications are not monitored for new versions.

Note: It’s the customer’s or partner’s responsibility to provide Scappman with any resources for the initial packaging or any later update, together with a procedure on how to install the application. Scappman can package these applications, but this is billable. Prices are listed on the platform.

Public applications are applications where Scappman has access to the sources on the vendor’s website. Public applications are monitored for new versions and are updated by Scappman on the platform.

Note: Public applications that do not support silent installs can only be requested as a private application. Scappman packages these applications for free for subscribed customers.

Private application management in Microsoft Intune

Prepare the application installation file for upload

Before you add a private app to Microsoft Intune, you must use the Microsoft Win32 Content Prep Tool to prepare the app for upload. The tool wraps the application installation files into the .intunewin format. It also detects some of the parameters that Intune requires to determine the application installation state. After that, your application is ready to be uploaded to Intune. Let’s use the app <yourprivateapp> as an example.

1. Download the Microsoft Win32 Content Prep Tool from GitHub. The .zip file contains IntuneWinAppUtil.exe, the Microsoft License Terms, a Read me file and Release notes. Use the latest version of the tool; otherwise, you’ll see a warning that says the app was packaged using an older version of the tool.
2. Create a folder that contains the private application installation files.
3. Create an installation file yourprivateapp.cmd that contains the installation command and put the file in the directory with the other installation files.
4. Open a Command Prompt and go to the location of IntuneWinAppUtil.exe: cd <name of the folder>
5. Run IntuneWinAppUtil.exe and provide the requested information:
   - Source folder
   - Setup file
   - Output folder
6. Once the installation file is converted, you’ll see the message Done!!! Now the private application is ready to be uploaded to Microsoft Intune.

Add a private app to Intune

1. Sign in to the Microsoft Endpoint Manager admin center.
2. On the pane go to Apps -> All apps -> Add.
3. In the Select app type menu, choose Windows app (Win32).
4. In the Add App menu, select the app package – the file we created, yourprivateapp.intunewin – and click OK.
5. In the App information menu, add the details for your private application: Name, Description, Publisher, Category, Show this as a featured app in the Company portal, Information URL, Privacy URL, Developer, Owner, Notes, Logo.
6. In the Program tab you can configure the application installation process using commands, install and device restart behavior.
   - Install command – normally, it’s filled in automatically. If it’s not, use yourprivateapp.cmd.
   - Uninstall command – msiexec /x “{12345A67-89B0-1234-5678-000001000000}”
   - Device restart behavior – here you can select one of 4 options:
     - Determine behavior based on return codes
     - No specific action: choose this option to suppress device restarts during the installation of MSI-based apps. This is preferred if you don’t want to reboot the device after the app installation.
     - App install may force a device restart
     - Intune will force a mandatory device restart
   - Specify return codes to indicate post-installation behavior: add the return codes that are used to specify either app installation retry behavior or post-installation behavior.
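The packaging steps above, run from PowerShell instead of an interactive Command Prompt, as an added example that is not part of the original post or Scappman's tooling. The folder paths, the MSI file name and the LICENSEKEY property are placeholders chosen for this example; the -c, -s, -o and -q switches are the documented switches of IntuneWinAppUtil.exe, and the return codes named in the comments are Intune's default return-code entries.

```powershell
# Added example (not from the original post): building the .intunewin package for
# a private app with the Microsoft Win32 Content Prep Tool, driven from PowerShell.
# Paths, the MSI name and the LICENSEKEY property are placeholders for this example.

$SourceFolder = 'C:\Packaging\YourPrivateApp\Source'      # installer, license file, wrapper .cmd
$OutputFolder = 'C:\Packaging\YourPrivateApp\Output'
$ToolPath     = 'C:\Packaging\Tools\IntuneWinAppUtil.exe'  # extracted from the GitHub .zip
$SetupFile    = 'yourprivateapp.cmd'

New-Item -ItemType Directory -Path $SourceFolder, $OutputFolder -Force | Out-Null

# The wrapper that Intune runs as the install command. %~dp0 resolves to the folder
# the package is extracted into on the device, so the relative MSI path survives
# packaging. msiexec's exit code is passed through unchanged so Intune can map it to
# its default return codes (0 = success, 3010 = soft reboot, 1641 = hard reboot,
# 1618 = retry); LICENSEKEY stands in for whatever property the vendor's MSI expects.
$Wrapper = @'
@echo off
msiexec /i "%~dp0yourprivateapp.msi" /qn /norestart LICENSEKEY=XXXX-XXXX-XXXX /l*v "%TEMP%\yourprivateapp-install.log"
exit /b %errorlevel%
'@
Set-Content -Path (Join-Path $SourceFolder $SetupFile) -Value $Wrapper -Encoding ASCII

# -c source folder, -s setup file, -o output folder, -q quiet (no interactive prompts).
& $ToolPath -c $SourceFolder -s $SetupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }

# The tool names the package after the setup file, so expect yourprivateapp.intunewin.
Get-ChildItem -Path $OutputFolder -Filter '*.intunewin'
```

Passing msiexec's exit code through with exit /b is what makes the Program tab's return-code mapping meaningful: a wrapper that ends with a plain exit, or that swallows the code, reports every install as a success.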
   Return code entries are added by default during app creation, but you can add more return codes or change existing ones. Code types:
   - Success – the application was installed successfully.
   - Retry – the installation will be attempted three times, waiting five minutes between attempts.
   - Soft reboot – the private app can be installed without a reboot, but a reboot is necessary to complete the installation.
   - Hard reboot – the application cannot be installed on the device without a reboot.
   - Failed – the installation failed.
7. In the Requirements section you can specify the requirements that the device must meet before the application is installed:
   - Operating system architecture: 32-bit / 64-bit
   - Minimum operating system
   - Disk space required (optional)
   - Physical memory required (optional)
   - Minimum number of logical processors required (optional)
   - Minimum CPU speed required (optional)
8. When deploying the private app you must specify the detection rules – how the presence of the private application will be detected. It can be done manually or by using a custom PowerShell script. Manual detection rule formats:
   - MSI: this rule type lets the admin create a detection rule that must detect a specific MSI product code or even a specific MSI version. This detection rule type can only be used once.
   - File: this rule type lets the admin create a detection rule that detects a specific file or folder, date, version, or size to determine the installation of the private app. Requirement rules:
     - Path – specify the full path of the folder that contains the application file
     - File or folder – specify the file or folder that should be used to detect the app
     - Detection method – choose the option that should be used to detect the installation of the app (File or folder exists, Date modified, Date created, String (version), Size in MB)
   - Registry: with this detection rule the Intune admin enables detection of the application installation based on a value, string, integer, or version. Requirement rules:
     - Key path – the full path of the registry entry containing the value that should be used to detect the installation of the app. Ex.: HKEY_LOCAL_MACHINE\Software\YourPrivateApp
     - Value name: if this property is empty, the detection will happen on the default value. The default value will also
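The custom-script alternative to the manual registry rule above, as an added example that is not part of the original post: a PowerShell detection script that checks a version value under the key path the text uses. Intune's contract for such scripts is that the app counts as installed only when the script exits with code 0 and writes something to STDOUT; exit code 1, or exit 0 with no output, means not detected. The DisplayVersion value name, the 2.5.0 minimum version and the function name Test-PrivateAppInstalled are assumptions made for this example.

```powershell
# Added example (not from the original post): custom detection script for a private
# Win32 app. Intune treats the app as installed only when this script exits 0 AND
# prints to STDOUT. The value name and minimum version are placeholders.

$KeyPath         = 'HKLM:\SOFTWARE\YourPrivateApp'    # same key as the manual rule example
$ValueName       = 'DisplayVersion'
$RequiredVersion = [version]'2.5.0'

function Test-PrivateAppInstalled {
    param([string] $Path, [string] $Name, [version] $Minimum)

    # Missing key or missing value: not installed. SilentlyContinue keeps a
    # non-existent key from turning into a script error (which Intune reports as failure).
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item -or -not $item.PSObject.Properties[$Name]) { return $false }

    # Compare as [version], not as a string: "2.10.0" must rank above "2.5.0",
    # which a plain string comparison gets wrong.
    try   { $installed = [version]$item.$Name }
    catch { return $false }                    # malformed version string: treat as not installed

    return $installed -ge $Minimum
}

if (Test-PrivateAppInstalled -Path $KeyPath -Name $ValueName -Minimum $RequiredVersion) {
    Write-Output "YourPrivateApp $RequiredVersion or later is installed"
    exit 0
}
exit 1
```

When the app writes its key under the 64-bit registry view, leave the "Run script as 32-bit process on 64-bit clients" option off in the detection rule; otherwise HKLM:\SOFTWARE is redirected to WOW6432Node and the script never finds the key, so Intune keeps reinstalling the app.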

Detecting vulnerable applications with Microsoft Threat and Vulnerability Management


Given the number of cyberattacks facing companies these days, fixing vulnerabilities has become one of the biggest challenges. According to the US-CERT Vulnerability Database, 18376 new security vulnerabilities were detected in 2021, which surpasses the 2020 record of 18351. More than half of them (57%) could have been prevented by being identified and fixed on time. Another example that shows the scale of the problem: only 16% of executives are prepared to deal with cyber threats. Thus, identifying, assessing, and remediating new endpoint vulnerabilities is crucial to implementing a successful security strategy.

Microsoft Threat and Vulnerability Management (TVM) helps organizations with this. It discovers the vulnerabilities and configuration errors that exist on the onboarded endpoints in real time with sensors, and gives recommendations that you can follow to secure your endpoints. In this blog, we will cover TVM’s functionality and how it helps you increase the security of your IT system by identifying vulnerable applications and software.

What is Microsoft TVM?

Microsoft TVM is one of the security pillars of Microsoft Defender for Endpoint. It aims to identify vulnerabilities and misconfigurations in real time and prioritize them based on the threat landscape. It is cloud-powered and fully integrated with the Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base. Microsoft TVM is a game changer – it helps bridge the gap between security operations, security administration, and ID administration.

1. Real-time discovery. Vulnerability discovery is the first step in TVM. Microsoft Defender for Endpoint constantly collects and transmits all the information about the endpoint (OS, installed applications and device behavior) to the cloud using the built-in sensors in Windows 10/11. Real-time discovery functionality means:
   - Real-time device inventory – devices onboarded to Defender for Endpoint automatically report and push vulnerability and security configuration data to the dashboard.
   - Visibility into software and vulnerabilities – optics into the organization’s software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
   - Application runtime context – visibility into application usage patterns for better prioritization and decision-making.
   - Configuration posture – visibility into organizational security configuration or misconfigurations. Issues are reported on the dashboard with actionable security recommendations.
2. Intelligence-driven prioritization. TVM provides insights that help users prioritize security tasks and focus on the most urgent ones. Furthermore, users receive security recommendations based on the dynamic threat and business context:
   - Emerging attacks in the wild – Microsoft threat intelligence identifies emerging threats around the world. Based on this data, it prioritizes the security recommendations to focus on currently exploited vulnerabilities with the highest risk.
   - Pinpointing active breaches – Microsoft Defender for Endpoint knows what attacks are currently happening in your organization. TVM processes this data in order to prioritize security recommendations.
   - Protecting high-value assets – as it is a Microsoft solution, there is deep integration with Microsoft Information Protection, which enables identification of confidential data or business-critical applications.
3. Seamless remediation involves security and IT administrators. The security admins track and manage vulnerabilities, while the IT admins are responsible for patching.

TVM Components

Threat & Vulnerability Management Dashboard: gives a high-level view of the security of the organization, including the exposure score, Microsoft Secure Score, and device exposure distribution. To access the TVM dashboard go to security.microsoft.com. On the pane go to Endpoints -> Vulnerability management -> Dashboard.

Exposure score is a metric that reflects the overall exposure of the endpoints across the organization. The lower the score, the better. The exposure score is broken down into levels:
   - 0–29: low exposure score.
   - 30–69: medium exposure score.
   - 70–100: high exposure score.
Many factors have an impact on the exposure score, such as the number of weaknesses discovered on your devices, the likelihood of a device getting breached, and the value of the device to the organization. On the exposure score pane, you can see the dynamics of the score, which changes all the time due to newly released CVEs and actions taken.

Microsoft Secure Score reflects the collective security configuration state of the endpoints across 6 categories:
   - Application
   - Operating system
   - Network
   - Accounts
   - Security controls
   - Device exposure distribution
The higher the score, the better your endpoints are protected against cyber threats. Microsoft Secure Score is calculated based on the configuration discovery assessment on all endpoints of the organization, which is compared to benchmarks maintained by Microsoft – recommended configurations from application vendors and from Microsoft’s internal research team. The dashboard also provides the configuration score trend over time, so you can track how the score evolves.

Device exposure distribution shows how many devices are exposed based on their exposure level. By selecting a section in the doughnut chart you can see the list of devices affected, their exposure and risk level, domain, OS platform, Windows version, health state, when each was last updated, and tag.

Recommendations

Threats and vulnerabilities identified in your company are mapped to security recommendations and prioritized by their impact. By following prioritized security recommendations, you can reduce your exposure score and increase your configuration score. Every device is scored based on 3 factors in order to help users focus on the right things at the right time:
   - Threat: characteristics of the attack exploiting the particular vulnerability.
   - Breach likelihood: your company’s security posture and resilience against the vulnerability.
   - Business value: impact on the company’s assets and processes.
To access Security Recommendations, go to Vulnerability management -> Recommendations.

Security recommendation details

Let’s take a closer look at one of the recommendations (Update Microsoft Windows 10 (OS and built-in applications)). After clicking on the recommendation, you’ll see its details, including:
   - A description of the security recommendation
   - Number of exposed devices and list of all endpoints
   - Impact on exposure and secure scores
   - List of vulnerabilities associated with the recommendation
   - Breakdown of CVEs based on the impact (critical, high, medium, low)
   - Description of CVE
   - Related threats
   - Exposed OS
In the security recommendations menu, you also can:
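The per-software view the Recommendations page gives (exposed devices, associated CVEs, worst severity) can also be rebuilt from the raw vulnerability inventory that Defender for Endpoint exposes through its API, which is useful when the list has to feed a patching tool rather than be read in the portal. The following is an added example written for this page, not code from the original blog or from Microsoft. The sample rows are constructed, with placeholder CVE ids, in the shape returned by GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities (which needs the Vulnerability.Read.All permission and a bearer token); Get-UpdatePriority and its weighting are choices made for this example.

```powershell
# Added example (not from the original blog): ranking vulnerable software from the
# Defender for Endpoint machinesVulnerabilities inventory. The rows below are
# constructed sample data with placeholder CVE ids, in the API's response shape.

$SampleJson = @'
{ "value": [
  { "cveId": "CVE-0000-0001", "machineId": "dev-01", "productName": "chrome",     "productVendor": "google",    "productVersion": "100.0.4896.60", "severity": "Critical" },
  { "cveId": "CVE-0000-0001", "machineId": "dev-02", "productName": "chrome",     "productVendor": "google",    "productVersion": "100.0.4896.60", "severity": "Critical" },
  { "cveId": "CVE-0000-0002", "machineId": "dev-02", "productName": "chrome",     "productVendor": "google",    "productVersion": "100.0.4896.60", "severity": "High" },
  { "cveId": "CVE-0000-0003", "machineId": "dev-03", "productName": "windows_10", "productVendor": "microsoft", "productVersion": "10.0.19044",    "severity": "High" },
  { "cveId": "CVE-0000-0004", "machineId": "dev-01", "productName": "7zip",       "productVendor": "7-zip",     "productVersion": "19.0",          "severity": "Medium" }
]}
'@

function Get-UpdatePriority {
    # Groups findings per product and scores each product by its worst severity
    # times the number of distinct exposed devices, so a Critical on many devices
    # outranks a Medium on one. The weighting is this example's choice, not TVM's.
    param([Parameter(Mandatory)] [object[]] $Findings)

    $weight = @{ Critical = 4; High = 3; Medium = 2; Low = 1 }

    $Findings | Group-Object productVendor, productName | ForEach-Object {
        $rows    = $_.Group
        $devices = @($rows.machineId | Sort-Object -Unique)
        $cves    = @($rows.cveId     | Sort-Object -Unique)
        $worst   = ($rows | ForEach-Object { $weight[$_.severity] } | Measure-Object -Maximum).Maximum

        [pscustomobject]@{
            Software       = "$($rows[0].productVendor)/$($rows[0].productName)"
            ExposedDevices = $devices.Count
            Cves           = $cves.Count
            WorstSeverity  = ($weight.GetEnumerator() | Where-Object Value -eq $worst).Key
            Priority       = $worst * $devices.Count
        }
    } | Sort-Object Priority -Descending
}

# In production, replace the sample with the API response:
#   $resp = Invoke-RestMethod -Uri 'https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities' `
#             -Headers @{ Authorization = "Bearer $Token" }   # $Token obtained from Azure AD
$Findings = (ConvertFrom-Json $SampleJson).value
Get-UpdatePriority -Findings $Findings | Format-Table -AutoSize
```

With the sample rows, chrome tops the list (two devices, two CVEs, worst severity Critical), which matches how the portal surfaces an "Update Google Chrome" style recommendation ahead of single-device, lower-severity findings. Counting distinct machineId values rather than rows matters: the same CVE appears once per device, so raw row counts inflate the CVE total.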

Vulnerability Management explained


What is vulnerability management?

Vulnerability management is the practice of proactively identifying and assessing vulnerabilities within an IT system, and it is a crucial element in executing a cybersecurity strategy. Computer systems become a significant risk to the system’s security when vulnerabilities are not addressed. If vulnerability management had a slogan, it would be: “better safe than sorry”.

Common vulnerability scoring system (CVSS)

A nonprofit called “FIRST” is looking to standardize this in a framework called the CVSS or Common vulnerability scoring system. Based on analyzing data from several CISOs and experts in the information security industry, they have already released the 3rd version of their model. It’s now more focused on timing and environment. You have a base metric group, a temporal metric group, and an environmental metric group. The cool thing about the folks at “FIRST” is that they have an online calculator to check your vulnerability scores. You can find it here. The range goes from 0.0 to 10.0. To give some numbers: based on the CVSS, the average vulnerability scored 7.1 out of 10.0. Google and Microsoft had the most vulnerabilities, respectively 1123 and 1108. These two make up more than 10% of the total number of vulnerabilities in 2021. If you think about your own company, you’re 99% certain to be working with either of these products.

To mitigate these vulnerabilities, vulnerability management is the best way forward. Taking charge and ownership is the way forward. The first step in vulnerability management is detecting the vulnerabilities. Microsoft Defender for Endpoint can be one of the products that help build a healthy security environment. It discovers vulnerabilities and misconfigurations in real time with sensors. It’s the first barrier against ransomware, malware, and hackers.

Patch management is a second barrier

A patch management policy should be a second barrier. As many as 60% of data breaches were related to vulnerable software, i.e. software that wasn’t patched. As weekly costs on maintenance rose by 34%, the cost of care surpassed that of the previous year. Lowered reliability due to the rectification of vulnerabilities took up more time during the last years. You can find more about patch management policy here.

What are the vulnerability management best practices?

A vulnerability management system is needed at any company to effectively manage the risks posed by unaddressed flaws in IT systems. Here is the checklist to help you make sure you’ve covered all the basics and are protecting your company’s IT infrastructure in a responsible way.

1. Make an inventory of your IT environment
This inventory should include OS + versions, and native and third-party applications used by users in your organisation. With a clear overview of your IT environment, you can make sure you’re patching everything that needs to be patched. Microsoft TVM is a good solution to provide you with a full overview of your IT system. To know more about Microsoft TVM, read this blog.

2. Prioritize vulnerabilities
Classifying vulnerabilities based on impact and severity is one of the basic steps to remediate risks. Categorizing these vulnerabilities helps businesses to understand and assess the issues. In Microsoft TVM you can see the severity of the vulnerability (Vulnerability Management -> Weaknesses). Read more here.

3. Apply patches as soon as possible, but don’t forget about testing
It’s essential to install software updates as soon as they are available, but at the same time, a bad patch can break other parts of your system. To avoid this, test the patches before you deploy them to the entire system.

4. Scan and audit your IT environment regularly for any missing vulnerabilities
The longer these security holes are open, the more likely it is you’ll be attacked. Patch management should be a continuous process with regular and ongoing scanning.

5. Automate the patch management process
With the right software to manage your patches, like Scappman, you can significantly reduce the amount of work you have to do. This software is much more effective than doing things manually, so it’s worth the investment. Just remember: it’s better to be safe than sorry.
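The CVSS section above mentions the base metric group and the 0.0 to 10.0 range but not how the base score is actually derived. As an added example (not from the original post, and not FIRST's own calculator), the following computes a CVSS v3.1 base score from a vector string using the base-metric formulas and metric weights from the FIRST v3.1 specification, including its Roundup function. The two vectors at the bottom are inputs chosen for this example.

```powershell
# Added example (not from the original post): CVSS v3.1 base score from a vector
# string, following the FIRST v3.1 specification's base metric formulas.

$Weights = @{
    AV  = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.2 }   # Attack Vector
    AC  = @{ L = 0.77; H = 0.44 }                       # Attack Complexity
    UI  = @{ N = 0.85; R = 0.62 }                       # User Interaction
    CIA = @{ H = 0.56; L = 0.22; N = 0.0 }              # Confidentiality / Integrity / Availability impact
}
# Privileges Required depends on Scope: index 0 = scope unchanged, 1 = scope changed.
$PrWeights = @{ N = @(0.85, 0.85); L = @(0.62, 0.68); H = @(0.27, 0.5) }

function Get-CvssRoundUp([double] $x) {
    # The specification's Roundup(): smallest one-decimal number >= x, computed in
    # integer arithmetic so floating-point noise such as 4.0000001 does not become 4.1.
    $i = [math]::Round($x * 100000)
    if ($i % 10000 -eq 0) { return $i / 100000.0 }
    return ([math]::Floor($i / 10000) + 1) / 10.0
}

function Get-CvssBaseScore([string] $Vector) {
    # Parse "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" into metric -> value.
    $m = @{}
    foreach ($part in ($Vector -split '/' | Select-Object -Skip 1)) {
        $k, $v = $part -split ':'
        $m[$k] = $v
    }
    $changed = ($m.S -eq 'C')
    $pr      = $PrWeights[$m.PR][[int]$changed]

    # Impact sub score: ISS = 1 - (1-C)(1-I)(1-A), then scaled differently per Scope.
    $iss    = 1 - ((1 - $Weights.CIA[$m.C]) * (1 - $Weights.CIA[$m.I]) * (1 - $Weights.CIA[$m.A]))
    $impact = if ($changed) {
        7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15)
    } else {
        6.42 * $iss
    }
    $exploitability = 8.22 * $Weights.AV[$m.AV] * $Weights.AC[$m.AC] * $pr * $Weights.UI[$m.UI]

    if ($impact -le 0) { return 0.0 }
    $raw = if ($changed) { 1.08 * ($impact + $exploitability) } else { $impact + $exploitability }
    return Get-CvssRoundUp ([math]::Min($raw, 10.0))
}

# Worked inputs: a network-reachable, no-privilege, no-interaction flaw with full
# impact, and a scope-changing flaw with low impact that needs user interaction.
Get-CvssBaseScore 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'
Get-CvssBaseScore 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'
```

The first vector is the one the FIRST calculator scores 9.8 (Critical) and the second is its 6.1 (Medium) reflected cross-site scripting profile, so these two are convenient checks when adapting the function. The temporal and environmental groups the post mentions are multipliers applied on top of this base score; they are not implemented here.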

Microsoft Intune Dictionary


Microsoft Intune is a comprehensive cloud-based solution for managing mobile devices, PCs, and applications across corporate and personal boundaries. Intune provides a range of features to help organizations secure and manage devices, protect their data, and enable productivity. In this article, we will explore the different terms and definitions associated with Microsoft Intune.

Admin permissions or Directory Roles define the administrative scope for users and the tasks they can manage. Types of administrators:
- Global Administrator accesses all administrative features in Intune. By default, the person who signs up for Intune becomes a Global admin. Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization.
- Password Administrator resets passwords, manages service requests, and monitors service health.
- Service support administrator opens support requests with Microsoft and views the service dashboard and message center. They have “view only” permissions except for opening support tickets and reading them.
- Billing administrator makes purchases, manages subscriptions, manages support tickets, and monitors service health.
- User administrator resets passwords, monitors service health, adds and deletes user accounts, and manages service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for other admins.
- Intune Service administrator has all Intune Global administrator permissions except permission to create administrators with Directory Role options.

Android Device admin is the old management method for Android devices, with limited functionality in application management and requiring elevated administrative permissions in order to perform certain tasks. It has been deprecated since Android 9.0.

Android Enterprise is an initiative to enable the use of Android devices and apps in the workplace. The program offers APIs and other tools for developers to integrate support for Android into their enterprise mobility management (EMM) solutions.

App configuration policy is the set of settings that are supplied automatically when the app is configured on the end user’s device, so end users don’t need to take action. The configuration settings are unique for each app.

App logs is a file with reporting that includes a record of activities that generate a change in the app.

App protection policy is the rule that ensures an organization’s data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move “corporate” data, or a set of actions that are prohibited or monitored when the user is inside the app.

App types in Microsoft Intune:
- Apps from the store (store apps) – applications that have been uploaded to either the Microsoft Store, the iOS/iPadOS store, or the Android store. The provider of a store app maintains and provides updates to the app. You select the app in the store list and add it by using Intune as an available app for your users.
- Apps written in-house or as a custom app (line-of-business) – applications that are created in-house or as a custom app are line-of-business (LOB) apps. The functionality of this type of app has been created for one of the Intune supported platforms, such as Windows, iOS/iPadOS, macOS, or Android. Your organization creates and provides you with updates as a separate file. You provide updates of the app to users by adding and deploying the updates using Intune.
- Apps on the web (web link) are client-server applications. The server provides the web app, which includes the UI, content, and functionality. Additionally, modern web hosting platforms commonly offer security, load balancing, and other benefits. This type of app is separately maintained on the web. Note that Android does not support web apps.
- Apps from other Microsoft services – applications that have been sourced from either Azure AD or Office Online. Azure AD Enterprise applications are registered and assigned via the Microsoft Endpoint Manager admin center. Office Online applications are assigned using the licensing controls available in the M365 Admin Center.

Apple Automated Device Enrollment (ADE) lets you create and deploy policy “over the air” to iOS/iPadOS and macOS devices that are purchased and managed with ADE. The device is enrolled when users turn on the device for the first time and run Setup Assistant. This method supports iOS/iPadOS supervised mode, which enables a device to be configured with specific functionality.

Apple push certificate is required for Intune to manage iOS/iPadOS and macOS devices and enroll users’ devices via the Company Portal or Apple’s bulk enrollment methods (Device Enrollment Program, Apple School Manager, Apple Configurator).

Application deployment is the process of installing, configuring, and enabling a specific application or set of applications through Microsoft Endpoint Manager.

Assigned groups are used when you want to manually add specific users or devices to a static group.

Autopilot is used to set up and pre-configure new devices to get them ready for productive use. In other words, it allows your organization to take a device that is fresh out of the box (straight from the OEM) and send that device to your user/employee for immediate use.

Auto-enrollment is triggered by a group policy created on your local AD and happens without any user interaction (possible for Windows 10/11 devices).

Azure Active Directory (AD) is Microsoft’s cloud-based identity and access management service, which is used by Endpoint Manager for the identity of devices, users, groups, and multi-factor authentication (MFA).

Azure Active Directory PowerShell is a module IT Pros commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features.

Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures the prerequisites and components required for the connection, including sync and sign-on.

Bring-your-own-device (BYOD) is a policy that allows employees in the company to use their personally-owned mobile devices (phones, tablets, and PCs) for work-related activities.

Bulk enrollment is joining a large number of new Windows devices

Top 5 Challenges of patch management


One of the better cybersecurity practices is updating software regularly. Regardless of your industry, it's essential to keep your software up to date to protect your organization from breaches. According to a study conducted by the Ponemon Institute for ServiceNow, 60% of cyberattacks are caused because applications are not up to date. Despite the importance of patch management, many companies are still struggling to patch applications effectively. Companies face some challenges when it comes to patch management, but they aren't impossible to overcome.

Common Patch Management Challenges

1. Time-consuming

According to the Ivanti report (2021), 71% of IT and security professionals find patching complex and time-consuming. To see why, let's look at the patch process cycle. Organizations must continually identify and assess vulnerabilities, monitor and test patches, and deploy the patches to their systems. Based on the Ivanti survey results, IT and security professionals spend 53% of their working time each month detecting and prioritizing vulnerabilities and 19% testing patches. The biggest problem here is how to find out whether an update is available at all. Many people think of something like Microsoft's Patch Tuesday. However, in most cases it's not like that – there is no fixed schedule. Consider this example: Chrome releases a full OS update about every four weeks. Minor updates, such as security fixes and software updates, happen every 2–3 weeks. Just for patching Google Chrome, an IT specialist must go through the patch cycle 2–3 times a month. But what about other applications? On average, a company uses 110 applications (Statista, 2021). It's difficult to calculate how much time IT admins would have to spend patching all that software to protect their companies from breaches.

2. Lack of IT Inventory Management

Another common patch management challenge is the lack of understanding of what software the company's endpoints actually have. This problem has become harder to deal with as companies move to remote work. Implementing asset control and an accurate inventory system is a good solution. With a detailed asset list, it's possible to have a complete picture of your company's IT infrastructure and of which endpoints and applications are vulnerable. This makes it easier to prioritize assets and applications for faster patch deployment. To address this challenge, you can use the Microsoft Threat and Vulnerability Management tool (TVM), one of the security pillars of Microsoft Defender for Endpoint. It aims to identify vulnerabilities and misconfigurations in real time and prioritize them based on the threat landscape. Read more about Microsoft TVM in this blog.

3. No desire to deploy every patch

Implementing an inventory management solution can cause another challenge – only highly prioritized vulnerabilities get patched. This doesn't solve the problem entirely – your company's endpoints are still at risk, and there is no guarantee that you won't be hacked.

4. Patch failures

72% of managers are afraid that applying security patches right after release could "break stuff." That's true: there is a risk that something can go wrong when updating software. This can occasionally happen even if the vendor extensively tested a patch before it was released to the public. Sometimes the reason for a patch failure is simply that you install the patch and forget to reboot the system. To address this challenge and not "break everything," you must first test the updates in a test environment and only then deploy them.

5. Vulnerability management

It's essential to remember that patching does not always mean managing vulnerabilities. Even if all the patches are deployed, a new vulnerability can always appear in the same software. Once a patch is deployed, new vulnerabilities will likely surface, and you have to patch again. Patching is a catch-up game where you'll always be behind.

How can you automate patch management? Use Scappman! Scappman is a 100% cloud solution that automatically installs all the necessary updates for your applications. Scappman automates the whole patching cycle: Scappman checks the installed applications for a new version, and if one is available, Scappman tests it, creates a package, uploads it to Intune, and installs it for the assigned users. There are more than 500 third-party applications in the Scappman App Store that Scappman keeps an eye on. They are always up to date and secure to use, so you can be sure that hackers can't steal or encrypt your data. To learn more about Scappman and how it helps you save valuable time and keep the endpoints in your organization secure in just 2 steps, book a demo with us.

Top 5 MSP tools for Microsoft Intune


At SCAPPMAN, we just wanted to show you the top 5 tools that can be helpful for you as an IT service provider. Microsoft Endpoint Manager is one of those fantastic products by Microsoft that has been around for almost 11 years. The cool thing is that excellent apps are being built that upgrade MEM to MEM 2.0. The top 5 tools for Microsoft Intune are Lansweeper, Micke, the Remote Support tool, Admin by Request and, of course, Scappman.

Lansweeper: IT Asset Management Software

Lansweeper discovers your IT environment and what assets are on your corporate network. It does this in 3 steps.

Step 1: Discovery. The Lansweeper Deepscan discovery engine will find any asset on your corporate network without needing you to install any software on them. It has no limit on the environments or resources it can cover.

Step 2: Inventory. Lansweeper offers a complete and insightful overview of the hardware, software, and users that enables a straightforward exploration of your network. Base all network tasks, projects, and decisions on one source of truth.

Step 3: Analytics. Be on top of your IT at all times. Be able to answer any question thanks to over 400 built-in network reports and the ability to create or modify these reports so they suit your needs.

A tool that helps MSPs mitigate risk and enables you to control your IT assets. We think it is one of the most astonishing combinations together with SCAPPMAN.

Micke: IntuneManagement with PowerShell and WPF UI

The PowerShell scripts use the Microsoft Authentication Library (MSAL), Microsoft Graph APIs, and Azure Management APIs to manage objects within Intune and Azure. The scripts have a simple WPF UI, and they are used for operations such as Export, Import, Copy, Download, Compare, and more. You can find the Github info here:

Admin by Request: to be or not to be an admin

Administrator rights: I think we never entered a company where this wasn't an issue. The issue is that you must either allow users to keep local admin rights or accept the manual labor of unlimited remote installs. Admin by Request can quickly deal with this for you without requiring much time and effort, freeing up your IT resources. Again, it's best to mitigate risk: your security principles say that you should grant your users the least privileges required to carry out their tasks. This security rule governs how local administrator rights are given, but eventually users will request elevated rights. That's why PAM (Privileged Access Management) systems like Admin by Request were created.

Remote Support Tool or Remote Help with Intune and Microsoft Endpoint Manager

Finally, it's here in public preview: the Remote Help tool. The tool's title is self-explanatory: it connects your users' devices with support staff. You, as an MSP, can make configurations directly and take actions on the users' devices. Yes, it's even possible to take complete control of the device when the user permits it.

Scappman: it's all about multitenancy and saving your time

In addition to all the tools above, we don't want to leave out our own tool. We think we're the best solution if you are an MSP with multiple customers and need a multi-tenant automated patching software solution. We think that automated updates in Intune will make your life as an MSP significantly easier. You can use it for yourself, but you can also resell it. It's up to you. You can find all the info about our MSP program here.

Why browsers never stop updating and you should care as an IT Manager


Last week it happened again. Chrome had another zero-day exploit and had to update to Chrome version 99. It feels like every week there is a new update to Chrome. And a couple of days later, version 100 came out. And it's not just Chrome. Microsoft Edge, Mozilla Firefox, Opera: all browsers continuously improve and secure themselves via patches and updates. Of course, this would be easier if you didn't have to do this yourself, but your MSP or IT manager took care of these automatic updates. They could always automate these patches via SCAPPMAN; sorry for the shameless plug.

Why should you update browsers?

There are 2 main reasons why your browsers should always be up to date – security and functionality.

1. For functionality reasons

We have all had the experience of an app or piece of software that stopped working on a device because the OS was out of date. It's the same story with browsers. When visiting a website from an older browser, sometimes certain features on a page will stop working for you, or you're unable to use the page at all. As with all tech-related things, coding languages get updated too. They become more advanced, and even though the website may look the same, it's no longer compatible with its outdated interpreter.

2. For security reasons

Browsers are only a tiny piece of software in your IT environment, but they are the ones that can create the most damage in that environment. The browser is the gateway for your users to explore information on the Internet. But it is also the gateway for attackers to get into your network. People with bad intentions prefer that gateway since it's the one that users are using daily. So the hackers are constantly looking for flaws in these browsers that they can exploit. The security patches alone are why you should always make sure you're running a current web browser version. Outdated browser versions leave you vulnerable to attacks that expose your confidential information to suspicious websites.

There is automated software that detects these bugs for Chrome. But the question is: as an IT manager, do I have the tools to see if we have the latest version? We wrote a whole topic about Vulnerability Management. But the best thing you can do against these bugs is to automate the updates. Then you don't have to worry about these updates anymore.

In conclusion, browsers will keep on updating, and it's up to us to keep an eye on it, since the browsers are trying to keep up with the hackers and vice versa. And in many companies, the browser is the only forceful way to get into their network and reach company-critical data. That's why browsers will keep on updating.
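The "do I have the tools to see if we have the latest version" question above, and the inventory gap described in the patch management article, both come down to comparing what is installed against what the vendor currently ships. The script below is an added example, not Scappman's code: it parses dotted version strings of unequal length (Chrome's four-part numbers next to two-part ones), flags outdated installs per host, and orders them by how many major versions behind they are. The inventory and the "latest version" table are constructed sample data standing in for an asset inventory export and a vendor feed.

```python
"""Flag outdated software in an inventory by comparing installed versions
against known latest versions. Added example; all data below is constructed."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'99.0.4844.51' -> (99, 0, 4844, 51). Non-numeric parts count as 0."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """True when installed < latest; shorter tuples are padded with zeros
    so '21' and '21.0' compare equal and '21' < '21.07'."""
    a, b = parse_version(installed), parse_version(latest)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


@dataclass
class Finding:
    host: str
    app: str
    installed: str
    latest: str
    major_gap: int  # major versions behind, used for prioritisation


# Constructed stand-in for a vendor feed (app -> latest version string).
LATEST = {"Google Chrome": "100.0.4896.60", "Mozilla Firefox": "98.0.2", "7-Zip": "21.07"}

# Constructed inventory export: (host, app, installed version).
INVENTORY = [
    ("PC-01", "Google Chrome", "99.0.4844.51"),
    ("PC-01", "Mozilla Firefox", "98.0.2"),
    ("PC-02", "Google Chrome", "100.0.4896.60"),
    ("PC-02", "7-Zip", "19.00"),
    ("PC-03", "Google Chrome", "97.0.4692.99"),
    ("PC-03", "Notepad++", "8.3"),  # no latest-version data: report as unknown
]


def audit(inventory, latest):
    """Return (outdated findings sorted by major gap descending, apps with no
    coverage). Unknown apps are reported rather than silently skipped."""
    findings, unknown = [], []
    for host, app, ver in inventory:
        if app not in latest:
            unknown.append((host, app))
        elif is_outdated(ver, latest[app]):
            gap = parse_version(latest[app])[0] - parse_version(ver)[0]
            findings.append(Finding(host, app, ver, latest[app], gap))
    findings.sort(key=lambda f: (-f.major_gap, f.app, f.host))
    return findings, unknown
```

Apps that appear in the inventory but not in the latest-version table are returned separately, because an endpoint you cannot check is the inventory blind spot the patch article warns about.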