Ivanti Blog: Posts by

Enhance Your Security With UEM

Wed, 20 Jan 2021 19:02:04 Z

Introduction

Many things blur the line between endpoint management and security. Examples? Managing an endpoint. Configuring it. Performing application and software management. And patching the endpoint. The fact is, managing and securing a device is so interrelated that it makes sense for these two functions to come together in a single platform that can accomplish these, and other tasks needed in your IT organization. Here are the seven ways Unified Endpoint Management (UEM) can support security.

#1 Discovery and Visibility

The first step to securing what you have right now is knowing what’s on your network. Not knowing what software is installed on devices means you don’t know whether it’s received necessary patches, whether the device needs hardening, etc. Getting a good view of all the devices on the entire network and everything connecting to it—whether it’s connected to the corporate network permanently or whether a device comes up temporarily, maybe for a few minutes or so, and then disappears—you need to be able to see that. UEM can give you this visibility and discovery through on-demand and passive discovery. It’s always looking for devices or software on the network while keeping your IT team alerted and aware.

#2 Compliance Management

It wasn’t too long ago where compliance management ensured that devices were protected with a password—a strong password. And now today, we are dealing with forms of device encryption, multi-factor authentication, device tracking, remote management, the list goes on. Now add the need to overlay government or regulatory-commission policies such as HIPAA or PCI DSS, in which a violation of, or a breach of compliance, could result in fines or fees and threaten the business. UEM can support security by ensuring that each user and each device is compliant with the policies your organization needs or is required to follow, whether internal or external.

#3 Patch Management

Patching has become much more extensive and is one of the most effective things you can do to prevent device vulnerability and prevent your environment from being breached. UEM can efficiently deliver excellent visibility on what needs patching and what has been patched and instill confidence that those patches are implemented—not only the devices connected to the corporate network but those off the corporate network also.

And that goes for patching the OS as well as applications. If you look at the top vulnerabilities that are listed regularly, many of those are in applications. UEM can scan a broad list of applications, as well as operating systems, see what needs to be patched or updated, and can be configured to apply updates automatically as they become available.

#4 Application Control

With application control, the balance you’re trying to strike is between reducing risk and increasing productivity—protecting systems and users while at the same time freeing them to do their jobs as efficiently as possible. And that’s where application control steps in.

We’re all faced with the possibilities of unknown threatening applications running against our corporate networks. Application control enables you to not only identify applications running on devices but restrict access as well. And the amount of time that’s required to do this manually can be significant. Application control can reduce the time it takes by automating a lot of those processes. It ensures only desired applications are installed. It can make sure that users have the right application at the right time with the proper access. Simultaneously, application control is preventing unwanted applications from being run. And then, in some cases, you need to remove an application. UEM can provide a comprehensive solution for application management, from installing it to controlling its usage to blocking and removing it.

#5 Privilege Management

One of the battles IT faces is whether or not a user should have administrator rights on their computer. Privilege management can help solve this dilemma. You have two ways to go about solving the issue. One way is to assign the user’s account basic user rights and then elevate certain OS or application privileges as needed, and then reduce or reset those privileges once the user’s needs have been met. These specific capabilities and rights let the user take actions they might want to do that they cannot do with basic user rights. Sometimes, however, a user must be set up as an administrator, which some necessary OS capabilities require. Privilege management would then allow you to restrict specific admin rights, reducing privilege elevations or adjustments.

#6 Secure Remote Access

The number of devices that IT organizations must manage is significant. Plus, the landscape is changing. We have large remote workforces that now need to have secure remote access more than ever. Establishing rules and policies for the management of all these remote devices—and then trust that no matter where that device is, it is appropriately managed—is critical. UEM tools can manage remote devices to ensure they are properly configured and always up-to-date. They can also identify devices that are compromised or out of compliance and prevent them from accessing specific data, services, or even the corporate network. UEM can maintain a connection to the device and update it so that it is compliant and is allowed needed access.

#7 Full System Reset

When we talk full system reset, we’re not only talking about resetting the operating system or removing data, but also about reimaging it in a break-fix scenario or when a device needs to be repurposed. You get more options when you leverage a UEM solution within your organization.

When a device has been compromised in some way, such as through a virus or some other malware / ransomware, there are a few different ways you could handle returning this machine to a good state. First off, if you have a malware tool you trust, you can use it to clean the device and hopefully be confident that it’s back in good working order. Sometimes that’s the right answer.

A second option involves a more drastic decision—replacing the compromised device. Restoring the device to a good state may not be worth the time or risk. That’s a useful method for some IT organizations, albeit an expensive option.

A third alternative is the middle-ground choice—reset or reimage the device. This choice is about not wanting to replace the device but ensuring it will work the same once you’ve cleaned it of the compromise, instilling confidence there is no additional risk. With UEM, you can reset the device and reimage it with your organization’s gold image, and install the user’s previous applications. UEM enables you to put user-profile information and user data back on the device as well. And by quickly resetting the device, you can have it back in working order quickly—in many cases sooner than it would take to run through several tools trying to clean the device and hoping the risk is fully remediated.

Why You Should Be Using UEM to Support Security

To wrap up, we’ve talked about how a UEM solution can support your security needs. But let’s also address the why. Bringing UEM and security together first reduces the administrative complexity occurring as organizations manage many device types. Second, securing devices means appropriately managing and configuring them, which you’re doing many times in your endpoint management tool today. And third, it’s going to improve device performance, plus it means a better user experience for your end-users.

Learn more about how Ivanti powers the everywhere workplace with our Unified Endpoint Management solutions.

Ivanti Neurons for Healing: Shift All the Way Left to Self-Healing

Mon, 27 Jul 2020 19:45:39 Z

If you are an IT professional, you are technical. You love technology. You love to dabble. You enjoy the thrill that comes from troubleshooting problems and finding a solution. But you probably don’t want to troubleshoot and fix problems all day. There are other interesting things to do. IT can be strategic in helping companies improve their top and bottom line.

The complexity of IT continues to increase. The good news is that the need for talented IT staff also continues to grow. The bad news is that if you are still struggling to keep up with fixing problems, you won’t have time to focus on the strategic projects that can help transform your business.

Wouldn’t it be wonderful if problems fixed themselves? Is that possible? This is the goal of the Ivanti Neurons for Healing. Let’s talk about how we get there.

Shift Left Strategy

You have likely heard of the “shift left” strategy. The core idea behind shift left is to move problem resolution or other activities as close to the end user as possible. A shift left solution automates problem resolution and gets that automation in the hands of the frontline support analyst. An even better idea is to make the automated solution directly available to the end user so they can fix the problem themselves. In each case, we shifted the resolution closer to the initial problem, or we shifted left.

The Ultimate Goal: Self-Healing with Ivanti Neurons for Healing

Shift left is a strategy that leads toward hyper-automation and the ultimate goal of having devices autonomously manage themselves. Like the human body can heal after an injury, wouldn’t it be nice to have devices self-heal when a problem occurs? This would reduce or eliminate many IT tasks and provide a better end user experience.

As an example, let’s imagine a device that is running low on hard disk space. The end user is now at risk of not being able to run some programs, and the device may fail to get software updates or important patches. A self-healing device would detect the dilemma and automatically run steps to clear up more disk space, preventing the user from being frustrated and preventing failed software update and patch tasks from IT. As remote workers become the new normal, it becomes even more important to increase automated resolution on your way to the self-healing goal.

Steps to Get There

Getting to a self-healing environment doesn’t occur overnight. Ivanti Neurons for Healing provides these steps:

Discover: The first step is to understand what you have in your environment. This includes endpoints with their associated software and peripherals and also includes infrastructure devices and services available to users.
Optimize: The second step is to identify the optimal configuration and performance settings that ensure a good, secure end user experience. Even more ideal is to personalize the experience for the end user to make their workspace familiar and productive.
Automate: Once you have identified the optimal settings to keep a device and user workspace secure and productive, you will then automate detecting if the device drifts from that optimal state and return it back, keeping the workspace secure and productive.

Join Us on the Journey

You will need a solution that will guide you through these three steps and assist you on your journey to self-healing. We invite you to join us on this journey. Start by reading and watching information regarding Ivanti Neurons for Healing, and continue by checking back regularly as we expand the capabilities of Ivanti Neurons.

Maximize Your Approach to Cybersecurity Through Real-Time and Continuous Monitoring

Wed, 30 Oct 2019 06:46:46 Z

What is Cybersecurity?

Cybersecurity, also known as computer security or IT security, is the protection of information systems from theft or damage to hardware, software, and the information residing on them or that can be accessed from them. Cybersecurity also protects against attempts to prevent disruption or misdirection of the services that information systems provide.

Why is Cybersecurity Important?

If you’ve ever set up a home security system, you probably did so to prevent people from breaking in and damaging or stealing your stuff or causing injury to you or your loved ones. Damaged or stolen items are expensive or impossible to replace. Injury can have a lasting impact to those injured and their loved ones.

Similarly, you don’t want someone breaking (hacking) into your cyber world. The expense associated with ruined or stolen hardware or software, and the impact of being hacked, can have significant impact on your personal or company image. If the data stolen includes such things as bank account numbers, credit card information, passwords, or government ID numbers, it isn’t hard to see how broad and devastating the damage could be.

Information can be stolen through malicious code run on devices with a vulnerable operating system or application. One of the most problematic elements of cybersecurity is the continually evolving nature of security risks. The traditional approach to security has been to focus resources on crucial system components and protect against the biggest known threats, which meant leaving components undefended and not protecting systems against less dangerous risks. Organizations should have a plan and tools for preventing and mitigating cyber-attacks from every possible system.

Sounds Daunting. Is it Hard to Implement?

Getting started can be as easy as Discover, Evaluate, and Remediate. Let’s take a look at each of these.

Discover

Ideally, IT would know about every device running on their corporate network. In reality, the larger a company grows, the more likely they will have devices on the network that people have forgotten about or that employees have recently added without following proper protocol (Shadow IT). Because of this, continual active and passive monitoring of the network is critical in order to identify devices that are unknown and likely unmanaged. Not only is it important to know about the device, but more importantly you must know about the OS and applications each device is running—and the version or patch level each is currently running.

Evaluate

Once you know about all of the devices and applications running on your network, it’s important to have a quick and simple (and continual) way of knowing if they introduce risk to your company. When the device doesn’t have the latest OS or application update, it could be vulnerable to malicious attacks. Quick and continuous scanning to provide this information is key.

Remediate

Now that you know where your risk is, it’s time to remediate the risk. Choosing the right remediation tool can save you time and headaches. Whether you’re self-governed or require planning and oversight by a change control board, your tool should give you the flexibility to work quickly as well as the ability to set automated workflows. To avoid problems with the network engineers, it’s also crucial that patches are deployed in a bandwidth-friendly way.

A Word about Applications and Real-time Assessments

Many IT organizations feel that they are being mostly protected if they keep their servers and endpoints up to date with the latest OS patches. The reality is that there are more vulnerabilities in applications than in operating systems. A good strategy for managing applications is crucial. Monitoring the software you have in your environment means more than just knowing what’s installed. It means:

Knowing what applications are being run and by whom
Removing software from systems or users who don’t need it or don’t have license to use it
Controlling who gets to run which applications and when and where they can be run

In today’s cybersecurity landscape, advisory organizations are promoting a more proactive and adaptive approach. Continuous monitoring and real-time assessments of user and application behavior is crucial to your cybersecurity plan.

DSM Customers: You’re Covered In More Ways Than One

Thu, 13 Sep 2018 21:35:13 Z

Our goal at Ivanti is to unify IT. A big part of that story is unified endpoint management – delivering modern management alongside our leading client management capabilities. Our go-forward unified endpoint management platform is called Ivanti Unified Endpoint Manager (I-UEM).

Another powerful client management product within our portfolio is Desktop and Server Management (DSM). I want to provide an update on our plans for DSM. We recognize that there are many questions and even concerns about the future of DSM. To help ease these concerns, we are announcing a commitment to maintain DSM until at least December 2022. To be clear, this is not an end-of-life statement. This is simply a commitment to our customers who rely on this product.

Maintaining DSM means we will provide updates that include bug fixes, support for latest OS versions, and priority enhancements.

DSM customers also have the option to migrate to I-UEM and for a time, we’ll also include our full security suite with OS and application patching—Endpoint Security for Endpoint Manager. The details for this upgrade are provided here.

As mentioned in the linked article, we are updating I-UEM with customer requested features that provide similar functionality to what is in DSM. In the 2018.3 release of I-UEM (currently targeted for October), we will add the following features: custom variables support, MST creation, and an enhanced Windows Actions packaging experience. Windows Actions is the tool that provides similar functionality to the DSM Packaging Workbench. Moving forward, we will expand the number of actions available within Windows Actions.

Watch for a Momentum webinar following the Ivanti UEM 2018.3 release for more information.

Should You Choose Your Windows 10 Channel or Let Microsoft Choose for You?

Sat, 13 Jan 2018 00:13:45 Z

Yesterday Microsoft announced that the Fall Creators Update (1709) is ready for enterprise use. It is interesting that they need to provide this kind of announcement when they intentionally removed the multiple branch strategy (i.e. Current Branch and Current Branch for Business) and have stated that companies are empowered to make their own decision about when they should move to the latest Semi-Annual Channel version of Windows 10. Making a statement like this sets a precedence and organizations will likely now wait for such an announcement before moving. Some may speculate that Microsoft made this announcement to encourage organizations to move to 1709 because they haven’t seen the kind of adoption that they had hoped to see.

Many companies are still debating whether to adopt every Windows 10 update or to only update once each year. The size of the organization may not necessarily determine which update model to follow. It might be tempting to assume that smaller companies will roll out every release because there are fewer computers to manage. However, they may not have the dedicated resources to manage such an update that larger organizations have.

The most likely scenario for many organizations will be the following:

Roll out each channel version to pilot group
When pilot group gives the green light or enough time has passed without major incident, roll it out to early adopters in each department
When early adopters give the green light or after a certain timeframe, roll out that semi-annual channel version to half of the users in each department
Repeat this process for the next semi-annual version and roll out to the other half of each department

This approach will minimize your vulnerability and risk factors. Thus, each device essentially gets an update once per year, but each semi-annual update is installed somewhere in the organization. The only reason you might choose to roll out a particular channel to a full department is if there is a particular feature or business value that the whole department requires.

With the semi-annual release cycle of Windows 10, it is recommended that you use a tool such as Ivanti Endpoint Manager to automate and manage the updates of Windows 10, so you can manage the timing and progression of the updates in your enterprise. Endpoint Manager provides day zero support of each Windows 10 update, so you can feel confident in rolling out the latest version immediately to begin your own evaluation of the update and then roll it out to larger groups whenever it meets your testing and pilot criteria. Don’t make your ongoing Windows 10 updates more complicated than they have to be—check out Ivanti solutions for Windows 10.