Ivanti Blog: Posts by

A Single Pane of Glass: How It Transforms IT Asset Monitoring

Thu, 09 Nov 2023 15:31:21 Z

How large is your company’s IT infrastructure? How many devices and assets are attached to it? As large as it was yesterday, it’s probably larger today — and will be still larger tomorrow. This is compelling organizations to embrace device and asset monitoring under a “single pane of glass,” meaning via a unified, “single console” view of their entire network to enable unified endpoint management (UEM).

Part of what’s driving the increase in the number and distribution of IT assets is the move to remote and hybrid work. An associated factor is the growth of new devices, especially Internet of Things (IoT) endpoints:

The Ponemon Institute found that 65% of companies said IoT/OT (operational technology) devices were among the least secured assets in their infrastructure.
50% said attacks on those devices had increased.
Only 29% claimed they had an inventory of all IoT/OT devices.

The dangers of tool sprawl

Imagine a scenario where your organization has a complex technology infrastructure running multiple software products on a wide range of devices. For each application or asset in that stack or network, there may be a standalone monitoring tool.

But this requires IT teams to constantly hopscotch between different tools to monitor all those endpoints and (hopefully) identify and remediate risks before they’re critical.

Beyond the problem of monitoring gaps, how big an issue is “tool sprawl”?

A recent survey by 451 Research found that 39% of respondents were using 11 to 30 monitoring tools to keep track of their application, infrastructure and cloud environments.
8% percent were juggling between 21 and 30 tools.

This creates knock-on problems:

Excessive monitoring tools can lead to alert fatigue and lack of context; some teams must prioritize over 1,000 alerts per day, so many get ignored.
Correlating data between tools can be challenging, delaying resolution.
Purchasing and licensing multiple tools may get costly, and many have features that never get used.

In this article, we'll explore:

How a single pane of glass monitoring solution helps counteract “tool sprawl” problems.
The benefits of a single pane of glass UEM for IT teams.
How it can help security and IT team alignment within an organization.
How to address monitoring tool sprawl issues now, even before adopting a unified solution.

The meaning of “single pane of glass” in UEM

With its comprehensive insights and unified view of data, “single pane of glass” IT asset monitoring can prove invaluable for IT teams. By collecting and displaying data from multiple sources on a single dashboard, it helps IT teams reduce the time needed to identify problems, maintain compliance with industry regulations andgain visibility into their environment.

As well as making it easier for IT teams to stay on top of their assets, this technology also provides valuable insights that wouldn’t be available through traditional analytics tools. Those insights make single pane of glass asset monitoring an essential resource for any organization looking to maximize performance across its entire IT infrastructure.

Plugging the gaps and other benefits of single pane of glass monitoring for UEM

It’s challenging for IT to bring different types of devices into compliance and make them productive for all users. If you’re using multiple monitoring tools, this can potentially allow for compliance gaps. For example:

Let’s say that kiosks for frontline workers are managed with tool A.
But devices for knowledge workers are managed with tool B.
If you’re using separate tools to manage these different types of endpoints, gaps can occur, which can allow risks to go undetected.

So, by not having a single, unified view, an IT admin runs the risk of having devices with critical data that are highly vulnerable. That’s because they’re not up to date from a cybersecurity standpoint or compliant with regulations and standards — which can impact the entire environment.

Once you have a unified view where all devices and assets are visible, you’ll spot any gaps and can measure them against your complete asset management environment. You’ll rest easy knowing that all endpoints have been discovered, properly managed and secured.

Let’s dig down further into the major benefits of single pane of glass monitoring in UEM.

Less toggling, more managing!

As we’ve said, single pane of glass monitoring for UEM provides IT teams with comprehensive monitoring of their entire IT estate. That visibility makes it easier to quickly identify and respond to endpoint issues, while also helping maintain compliance and providing greater visibility into performance and usage. In other words, making it easier to monitor the system and its assets means we’re better able to manage it.

Even the most expert IT admin can find it frustrating to toggle through a range of tools to monitor endpoints. By consolidating different tools into one unified platform, IT teams can therefore not only save time (and headaches) in identifying and troubleshooting problems, but also gain actionable insights into the way devices are being used and ensure that compliance standards are met.

Providing better system security

Solid security — whether it’s at the local bank or across your IT infrastructure — relies on visibility, on what you can see. Because it’s what you can’t see that hurts you. Remember that statistic about how only 29% of companies have full IoT/OT inventories? What kind of stress must IT teams at the other 71% have to contend with?

So, what may be the most important benefit of putting your entire network under a single pane of glass, meaning you have unified visibility into every connected asset? Now, you can secure those endpoints and eliminate the gaps where risk may fester.

Without a single pane of glass monitoring to track every asset and potential vulnerability, IT and security teams are constantly cycling through different tools. It’s like trying to take in the Grand Canyon using just coin-op tourist telescopes: you’re never able to step back and see all the risks around you holistically.

Streamlining compliance

Compliance becomes easier under a single pane of glass, meaning your IT team can now be sure they’re meeting industry regulations and security standards such as HIPAA, GDPR and CCPA across every monitored endpoint. It’s why UEM has gained traction in industries like healthcare, logistics and others where there are important data to protect or supply chains to monitor.

With consolidated monitoring, it’s far simpler for an organization to meet compliance requirements and keep its systems in step with any regulatory or policy changes.

Reduced costs and easier onboarding

There are training costs and time required for your IT or security teams to familiarize themselves with a medley of different monitoring tools or stay updated when new features are rolled out.

Moving to a single pane of glass monitoring solution — especially one with an intuitive UI and UX — means an organization isn’t saddled with those multiple (and repetitive) outlays. It’s also much easier for new hires in IT and security to get onboarded to a single dashboard, rather than having to get trained on a slew of monitoring products.

Enhancing digital employee experience (DEX)

For many employees, the Everywhere Workplace is practically anywhere. So, delivering a consistent DEX is important to keep them engaged and productive, regardless of their location. Part of that consistency involves giving them access to the resources and tools they need, and also maintaining the controls the company requires to limit and secure that access.

Don’t forget the fact that a UEM platform reduces the stress and workload on your IT team. Their DEX matters, too, since they’re struggling with burnout at even higher rates than the average office worker: Ivanti research found nearly 1 in 3 IT professionals reported having a colleague quit due to burnout.

Better alignment for security and IT teams

It's imperative for an organization’s cybersecurity posture to have alignment between the IT and security teams. So, you can imagine how forcing everyone into using a host of different monitoring tools might complicate that. One team may be more up to speed on a particular tool than the other team, or the raft of tools leads to fragmentation of effort since it’s hard to get everyone to use multiple tools in a coordinated manner.

Adopting a single pane of glass monitoring solution helps improve alignment and collaboration between these teams. Since both are using the same single pane of glass dashboard, they’re sharing a single source of truth that eliminates friction and confusion.

How can you fight tool sprawl right now?

You may not yet be able to deploy a single pane of glass monitoring solution. Fear not! There are best practices you can follow today to alleviate the pain points caused by monitoring tool proliferation. At the same time, these practices set a good foundation for eventual migration to that unified solution.

1. Review your existing monitoring tools

First, evaluate your current monitoring tools to understand how well they’re really performing. Are there monitoring gaps or wasteful overlaps? How well do they perform? Are they worth the time and money you’re spending on them?

This also reveals what sort of data consolidation will be needed for an eventual migration to a single pane of glass monitoring solution. That helps you project the costs and time involved, and you may be able to leverage existing integration points to help minimize migration efforts.

2. Consolidate those tools

Is there a platform available that houses some of the monitoring features you’re already using with different point solutions? Maybe it’s time to consider adopting a platform like that, if it solves multiple issues for you and offers cost advantages.

If you’re using multiple tools from a single vendor, it can be smart to press them to help you out by scripting APIs to provide better integration of those tools. Just be sure that you don’t have too many outliers who can’t fit into a particular integration ecosystem.

3. Improve processes and training

It’s not just about the technology. Take a look at your processes to see if they’re clearly defined and serve to remove improvisation and “winging it” from IT resolution. Make sure your people are properly trained in how to not only use monitoring tools, but in the workflows you’ve designed to optimize their use. Develop focused policies on how to use the monitoring tools you’ve already got in hand and educate teams on them.

Better processes and better-trained people are central to technology success in any context. Putting them in place now will help ensure down-the-road adoption of a single pane of glass monitoring solution is a success.

4. Break down data silos

Another consequence of tool sprawl? There’s a huge flow of data being generated from the monitoring of networked devices, but the data is often locked into department- or application-specific silos. Breaking down these silos means you can maximize the value of all that data through analytics.

Be forewarned that teams often get possessive about their data, so senior leadership should lead the way in promoting this collaboration. And as with the other practices we’ve preached, mandating data consolidation today will give your future single pane of glass solution a head start.

Moving to single pane of glass monitoring

It only seems daunting for IT and security teams accustomed to using multiple monitoring tools to get started with single pane of glass monitoring. But when taken one step at a time, it’s a straightforward transition whose dividends are worth the effort.

1. Evaluate existing tools

We’ve covered this above: evaluate current monitoring tools so you know what type of data consolidation will be needed for the migration. This helps determine the costs and time involved, and your teams may be able to leverage existing integration points to help minimize migration efforts.

2. Evaluate single pane of glass solutions

It’s the old cliché: “Not all solutions are created equal.” The right solution will integrate seamlessly with your existing IT architecture so data moves freely, and will have scalability and flexibility to meet changing requirements. Also, don’t neglect checking out the track record and user sentiments about the provider, especially when it comes to the quality of their customer support.

Just because a provider promises they’ll deliver a true single pane of glass solution, it doesn’t mean the product will check every box on your requirements list. If they’re a viable and trustworthy vendor, they’ll bend over backwards to demo how the solution will perform in your environment.

3. Test and optimize

Your team should have the opportunity to test the solution before purchase and have explicit discussions with the provider’s support team on how to customize it as needed, to suit your specific requirements. Post-adoption, monitor usage metrics to make any adjustments needed to extract optimal performance.

UEM vs. MDM: Everything You Need to Know!

Fri, 27 Oct 2023 15:21:14 Z

Microsoft's release of Windows 10 modernized how IT teams approach device management.

Windows 10 is not a strict evolution of Windows 7 and 8. It’s an evolution of Windows Phone 8 and 10, where an MDM API was available to manage all aspects of a device, such as DLP, restrictions, software distribution and so on.

UEM vs. MDM: how Windows 10 changed the game

The big change that arose with Windows 10? It now had features similar to those on mobile OS (and macOS) that alleviated the task of onboarding and provisioning devices within an enterprise endpoint management (EMM) solution.

With Windows 10, IT admins were now able to manage Windows, macOS, iOS and Android devices from the same centralized platform.

(Read more about Microsoft’s concept of modern device management in Windows 10.)

At the same time, when Internet of Things devices and others (such as kiosks) started to adopt and standardize around one of the “big four” OS (Windows IoT, also with MDM/EMM capabilities) and Android AOSP (TVs, boxes, kiosks, dedicated devices, etc), the same management capabilities started applying.

This is when EMM evolved into UEM (unified endpoint management), a single solution to drive any kind of device and display all insights through a “single pane of glass.”

UEM platforms are now open to interact with other solutions respecting this model through APIs. It allows solution providers to extend the services that modern managed devices can consume, without compromising the sandboxed OS model. This capability is another contributor to any debate about UEM vs. MDM.

MDM alone?

Just as Apple soon understood that MDM commands and configurations alone couldn’t fulfill all the key use cases that most customers expect on laptop and desktop devices, Microsoft found itself facing the very same situation.

Pure MDM features provide a reasonable amount of control for basic use cases. The more restrictive, the better.

Mature customers need a higher level of control, integrations and flexible specific use cases that are far beyond the available pure MDM features, a.k.a. those that don’t require any agent to work.

Legacy agent-based solutions should be able to enhance what MDM alone cannot do. But when both methods don’t go together, orchestrated by a single director solution, this “co-management” becomes a catastrophe rather than a benefit.

So, what’s the right way to go if you’re evaluating UEM vs. MDM?

Benefits of a mature UEM solution

A mature UEM solution can provide not only all the MDM features that each OS system supports, but also all the critical capabilities that MDM cannot provide, such as:

Custom configuration profiles / CSP profiles → macOS / Windows.
Custom scripting → macOS and Windows.
Legacy configurations to silently configure software that is not using MDM to be configured, such as:
- Registry entries.
- PowerShell scripts.
- VBS scripts.
Flexible software distribution: MDM-based software distribution is intended for apps that are public and usually not very large. Mature customers distribute and consume bigger software packages that need to be deployed in a very specific way, with flexibility to avoid impacting users during work hours.
Flexible patching: always keeping updated to the latest version of a desktop OS is not always an option, so admins need to be able to have control of when and how to patch.
Automated scripting: the ability to query devices and apply automated remediation actions based on results. This capability is what transforms troubleshooting tasks from minutes or hours to mere seconds.
DEX score: the more complex your environment and the number of apps that your users handle for work, the more relevant the data is that you get from their devices. Gathering DEX scores from your users and their devices provides three big benefits:
- You get up-to-date sentiments from your internal customer experience while working with the tools you provide.
- You get a super-powerful tool based on metrics, machine learning and behavioral statistics to troubleshoot (in most cases) any issue that can be driving your DEX scores down, and possibly automate response actions to increase scores with low or no interaction with user devices.
- It translates device data, metrics and statistics into user quantifiable satisfaction, accountability and device/software performance.

But there’s even more to understand about UEM vs. MDM, and how Windows 10 moved the needle on device management.

Local admin rights

The most important concept to assimilate when it comes to modern device management as applied to desktop OS such as Windows or macOS? It’s that any centrally-imposed restriction will apply and win, even when a user has local admin rights.

This is a big change because most software is developed to run smoothly on an OS. When user permissions are restricted, this adds complexity because of the need to figure out how to make software run properly without having to lower the legacy level of security.

The same way that an admin can set the software and apps that are allowed to run and provide different levels of autonomy for users depending on profiles on iOS or Android, Windows 10/11 and macOS admins can do the same. That removes the complexity of limiting user permissions to adopt the desired security level.

As an example, let’s say we’re sending a set of restrictions based on native MDM API to allow only regular Windows software and corporate apps to run.

If a user tries to install or run any non-approved software, the OS will decline to open it and inform them that the administrator has disabled this app.
The same logic applies to a command line interface, PowerShell console, task manager, etc.
The result is that Windows and macOS devices are automatically built at registration to allow only the right software to run, removing any required interaction from IT.

If a device is also part of an Automated Device Enrollment program, like Microsoft's AutoPilot or Apple's Automated Device Enrollment (ADE), IT can send the device directly to the end user and the system will initiate the automatic provisioning alone.

Enterprise processes made easier

Another consideration in weighing UEM vs. MDM? How a mature UEM solution can enable high-value features for:

Onboarding.
Management.
Policy enforcement.
Software distribution.
Security enforcement.

These no longer require a direct connection to the corporate network to be triggered. It only takes an internet connection, and even includes integrated countermeasures to ensure that a device is not being provisioned only for personal use.

This became crucial when the pandemic began in early 2020, as most companies had to quickly adopt a bring-your-own-device (BYOD) and laptop-based strategy. This had to quickly replace the historical fixed desktop workplace model, where devices sat inside the corporate network, protected by corporate perimetral security.

The success of this pivot illustrated how IT can save time, money and effort in managing all devices without interaction compared to legacy management models.

Today, IT executives demand a solution that’s able to connect from everywhere. There’s a growing demand to be able to use and secure access to a mix of SaaS and on-premise-based solutions that can provide service regardless of the network.

Because of this model, other concepts gained more importance, such as zero trust access, where security levels should be maintained in any situation — regardless of whether a device is inside the corporate network, or if it’s partially or fully managed. As the axiom goes, never trust, always verify.

What’s up next? Modern device management with UEM

Another wrinkle in the UEM vs. MDM story? Right now, some vendors already provide additional features based on apps that complete MDM/EMM-focused management. This way, organizations can extend the level of control, provide more features, retrieve and consume security data and fill gaps that the MDM API cannot solve alone.

As before, it first appeared in mobile OS, in the form of agent apps that provided capabilities such as:

Device posture: detect, monitor and remediate compromised OS.
Notifications: allows direct communication of alerts or messages to end users within the agent app.
Location: when relevant, the management agent app can provide location insights and interact with the device.
Mobile threat defense protection against cyberattacks based on device, app, network and anti-phishing attack surfaces.
Private app store to allow users to install optional apps.

UEM native configurations are written and sent in the native language of each OS:

Windows uses CSP (Configuration Service Provider) configurations, which are then sent to devices using CustomSyncML commands on the OMA-DM protocol.
iOS/iPadOS/macOS/TvOS use Apple's MDM protocol.
Android uses the Google FCM protocol and Managed Google Play APIs.

In the case of iOS/iPadOS, UEM vendors distribute an agent app to perform tasks (while adding more value) that an MDM API cannot do alone, such as:

Device posture (jailbreak, root detection).
Location.
Notifications.
Mobile threat defense.

In the case of Windows and macOS it comes as additional agent apps as well that work in tandem with UEM's native configurations. This adds more value by accomplishing tasks that are critical, but not included as part of the MDM API, as mentioned above.

Those co-manager apps provide any feature that may not be available as part of the MDM API protocol.

Examples include:

Custom management profiles (custom CSPs, custom payloads, etc.)
Scripts.
Task sequence-based software distribution.
Flexible patching.
Risk-based vulnerability management.
Risk-based access control to services.

The natural next step in this UEM vs. MDM evolution will be a mix of both models, optimized to run smoothly together by following development best practices. Which also adds some extra concepts that are now tightly tied to what analysts have started calling MDM 2.0.

In this new model, different fleets of devices are all registered to the UEM solution, but so are all other devices within the same network. By performing active and passive scans (discovery), the UEM solution ensures that all of them are naturalized, as it detects the devices that are not managed and that may create a security risk if they’re not up to date.

The device fleet is also naturalized to work with all the service providers and services the company is consuming, such as AD, AAD, Office365, Salesforce, Adobe and so on.

This also allows the UEM solution to build a persona that reflects the specific requirements of business units, processes or even users. It can save and share this information with other systems, such as ASM and ITSM solutions, which opens the door to automating tasks and adding AI, already a feature with Ivanti Neurons for UEM.

Perhaps the most important thing to keep in mind when contracting UEM vs. MDM is that unified endpoint management also means universal endpoint management. It gives organizations control over every asset and device that’s attached to their network, not just mobile ones. As the variety and complexity of endpoints multiply at dizzying speed, the “universality” of a good UEM solution is nearly invaluable.

In a World of Managing Risk, Do You Have Shiny Tech Syndrome?

Thu, 23 Feb 2023 14:50:25 Z

There is always something new on the horizon when it comes to technology. Isn’t it human nature to want to wait for the next 'new' model car, the next 'bigger' TV or the next 'faster' smart phone?

The newest release might be more appealing – especially to higher-ups, who want the latest and greatest trending technology. But there are hidden risks associated with waiting to implement a new tool or solution.

To help your organization quickly resource needed solutions to current problems and avoid poor product fit, it’s important to know the risks of waiting for a newly released technology versus immediately implementing an existing tool that already fulfills your requirements.

Same problems, “new” product?

Let’s take Unified Endpoint Management (UEM) solutions as an example. There are several known UEM solutions that have been on the market for many years, yet there are new UEM-related products releasing constantly.

The only way to know if you should wait for a new UEM product instead of opting for a proven solution is by truly narrowing down why your organization needed a UEM solution to its problems in the first place.

The importance of enabling anywhere operations has placed an increased importance on a comprehensive UEM solution.

Despite top tier analysts such as Gartner and Forrester viewing UEM solution as a mature market with limited growth opportunities, there has been significant growth in use cases supporting remote, hybrid and frontline workforce in recent years. It is critical for organizations to find a UEM solution that can support those use cases and also deliver differentiated capabilities.

Remote working also has fueled challenges in managing and securing endpoints. Top threats when securing a hybrid, remote or from home workforce include cyberattacks, human error, cloud computing vulnerabilities and mobile device security.

58% of CISOs have seen more targeted attacks since enabling widespread remote working. IT teams now find themselves burdened with managing and securing ever growing endpoints against phishing attacks and cyber threats.

The remote and hybrid shift requires a new security approach. Organizations need to protect remote workers from skyrocketing phishing attempts and provide personalized and productive digital experience with them. IT needs a combined tool to perform and automate endpoint management and security tasks that provides a 360˚ view of their environment.

In many situations, already established UEM solutions solve most of – if not all – of these issues.

Ultimately, for UEM or any other technology, organizations would be better served to go with a new, unvetted product only if they cannot resolve the problems with a known and proven quantity.

Additional hidden risks of new products: quality, opportunity cost, price bundling and implementation woes

New products offer unknown quality – even from known vendors

The potential for the new solution to not be as good as the original tool is perhaps the most significant risk to consider. Even if the new solution comes from a known and trusted vendor, whether a newly announced product will actually improve upon what is already available is impossible to tell by the announcement alone.

Your organization’s processes and implementations become a de facto test environment for the vendor, as the new product sorts out its flaws and issues in real-time. After all, it is often only after a new solution has been implemented that its shortcomings become apparent.

This scenario easily leads to frustration with wasted time and resources if organizations discover that they installed an inferior product when they already knew about the better solution from the start.

Delaying for new products decreases overall return on investment due to opportunity cost

Another risk to consider is the potential for a lower return on investment (ROI) when waiting for a newly announced technology solution. After all – based on the exercise we ran through with the UEM use case above – there were strategic operational reasons why you were seeking out this technology in the first place.

Therefore, if organizations wait too long to implement any solution, then they will continue to suffer through the problems that were pressing enough to require a budgeted investment in an external solution.

Just how long will your organization be willing to wait for a new, “better” solution when there’s an answer to the internal friction and struggles that already exists?

New products from established vendors may be bundled with less-desired solutions for a higher price tag

There’s not just opportunity cost to consider, but possibly a higher realized price tag, as well. In some cases, organizations may also have to pay more for a newly released product – as the provider works out their pricing strategy and bundling options – than they would have if they had implemented an existing tool.

If the vendor sees the newer product as an “add on” for an existing technology suite, then they may succumb to the temptation of bundling together all of their related technologies into one.

Even if your organization only requires – and waits for – the one solution, then it may be stuck paying for tools and features it doesn’t need because the vendor requires the purchase of all related products to obtain the one product you really wanted in the first place.

New products introduce unknown variables within critical business environments

New products are, by their very nature, new. There are no known best practice guides for implementation or use; no references to consult for advice; no identified problem areas to avoid.

In use cases and situations where technology forms the backbone of an entire organization’s operations, any unknown variable creates the greatest possible risk for headaches (at best) and failure (at worst). The reward of a new product must be extreme, to outweigh such substantial risks.

In general, organizations should avoid waiting for the shiny technology solution that addresses all their needs; perfect rarely, if ever, exists. Carefully consider the costs – known and unknown – of waiting for that shiny new product that promises the world, especially when you already have vetted a solution that satisfies your organization’s current friction points.

How to Create the Perfect Kiosk Mode on Shared iPads

Mon, 29 Aug 2022 14:13:52 Z

Since the release of the first iPad, businesses have been clamoring to use it as a corporate device.

Over the years, more enterprise capabilities have been added to iPads, allowing IT admins to provide protection while fulfilling various use cases – depending on whether the device is corporate-owned or a BYOD deployment.

Using the kiosk mode on shared iPads

One of the key use cases that many companies adopted for iPads was the kiosk mode model, where the device is restricted and can only use a single app – usually Safari.

This is what Apple called Single App Mode or Guided Access, which has been proven to fit better within frontline worker scenarios than actual kiosks in lobbies.

It was not a bad approach, but there was room for improvement, mainly because Single App Mode has limitations related to management and updates.

The nice thing about single app mode is that you don't need to use Apple Business Manager - all you have to do is make sure the device is in supervised mode. However, this mode has limitations.

For the same reason, customers who enjoyed the benefits of Apple Business Manager were not enjoying the added functionalities when it came to dedicated devices in kiosk mode.

With the arrival of shared iPads for businesses, Apple opened a new door for customers to enhance and extend their use cases:

Allowing several users to log in using their own credentials, with each user’s info and apps remaining separate.
Allowing guest mode sessions to be started without impacting any other user on the device.
Creating a dedicated device that only allows temporary sessions where data will be removed after the user’s session ends.

This last use case is what companies that use kiosk mode should focus on.

The positive benefits of enabling guest mode-only

You do need to use ABM to provision shared iPads with guest mode-only sessions enabled. In return, companies will see how devices are:

Provisioned silently from scratch, adding an additional layer of protection that prevents thefts.
Registered against a legal owner, designated by procurement or IT.
Fully managed, so there’s no way to take control over the device.
Privacy hardened, because info is removed after a user session is finished – which can be manual, programmatic or on-demand by admin.
Restricted, because users will not be able to log in using their Apple ID, but in a natural way that provides an experience built at the OS level.

Hotels and office reception areas with iPads are good examples of a shared iPad on guest-only mode.

Seamless use for customers and employees

Now, the experience of the user is improved by allowing only one app, letting admins push for upgrades and restrictions silently – without leaving the kiosk.

Thanks to the Apple Volume Purchase Program, a device-based app deployment model, retail customers can login and use their own corporate apps, which are always installed silently.

Once the device is locked again, customers can start a guest session to check the catalog – without impacting or accessing the information from sales representatives.

Any employee can use any shared iPad if access is granted and there’s available space for new sessions. This can be extended to any business where IT centrally manages devices.

Taking advantage of corporate shared iPads

The campaigns where iPads can be deployed are wide-ranging – from signing a contract, voting or paying at your local street food stand. This is a real revolution that will allow companies to take advantage of corporate shared iPads for their business, employees and customers.

And it all starts with Apple Business Manager, iPads on iOS 15 or newer with 32 gigabytes of storage space or more and a great UEM solution that’s able to fulfill all these new use cases.

Curious? Read our blog to learn more about the positive influence shared iPads can have on your business.

What Does Ivanti Being Named as a First-Time Leader in the 2022 Gartner® Magic Quadrant™ for UEM Tools Really Mean?

Tue, 16 Aug 2022 17:57:39 Z

The latest 2022 Gartner® Magic Quadrant™ for Unified Endpoint Management Tools report has been published!

Here at Ivanti, we’re excited Gartner recognized us in the Leader quadrant for completeness of vision and ability to execute. 2022 marks the first time we’ve been recognized as a Leader, after Gartner named us their only Visionary in the UEM Magic Quadrant for 2021.

But what does being named a “Leader” or a “Visionary” by Gartner really mean? For that matter, what does “completeness of vision” or “the ability to execute” have to do with anything?

In this blog, we’ll offer some definitions and explanations as to how Gartner researchers and analyst arrive at their conclusions – as well as why we believe Gartner named Ivanti a Leader in their 2022 Magic Quadrant for UEM Tools report for our Ivanti Neurons for UEM solution.

How Gartner found vendors to consider for the 2022 Gartner Magic Quadrant for UEM Tools report

Gartner^®, a company that delivers actionable, objective insight to its executive and their teams, offers an unbiased, quantitative perspective on available tools in a wide variety of technical industries.

They measure various technology offerings and services as part of their annual Magic Quadrant™ reports.

For inclusion in the 2022 Magic Quadrant™ for Unified Endpoint Management Tools report, Gartner researchers identified and analyzed “the most relevant providers and their products” within the UEM market.

Quoting directly from this year’s report, UEM tool providers qualified for inclusion and consideration needed to have:

"A generally available, single-license product that demonstrates:
1. Agentless management of Apple iOS, iPadOS and macOS, Google Android, and Windows 10, which includes:
  1. Device enrollment and provisioning
  2. Device configuration and policy enforcement
  3. OS patching and update management
  4. Application deployment in native format
2. Agent-based management or prebuilt connector for CMT integration
3. Direct integration with the Microsoft Intune Graph API for app and data protection
4. Location-agnostic endpoint management (not dependent on LAN/VPN)
Evidence that the UEM product has at least 10 million devices under management, excluding managed devices entitled under trial, freemium or other no-cost use arrangements
UEM offering as turnkey SaaS (UEM vendor hosted and operated, not IaaS)
Rank among the top organizations in the market momentum index defined by Gartner for this Magic Quadrant. Data inputs used to calculate UEM platform market momentum include a balanced set of measures, such as:
1. Gartner customer search, inquiry volume and trend data
2. Volume of job listings specifying experience within the UEM platform as a job requirement of Talent Neuron and on a range of employment websites in the U.S., Europe and China
3. Frequency of mentions as a competitor to other UEM platform vendors within reviews on Gartner’s Peer Insights forum between April 2021 and March 2022”

What “Ability to Execute” and “Completeness of Vision” metrics meant for Gartner UEM Tools this year

Once identified by Gartner, any qualified providers were then evaluated on two proprietary metrics: Completeness of Vision and Ability to Execute.

Gartner Ability to Execute metric for UEM Tools in 2022

Per the 2022 Gartner® Magic Quadrant™ for Unified Endpoint Management Tools report:

“The Ability to Execute criteria evaluate the vendor’s ability to properly resource product development, marketing and sales. The emphasized criteria center on the product itself, but consider the operational support from sales, marketing and R&D, as well as the vendor’s reputation with customers and performance in the market relative to competitors.”

The various criteria for the 2022 Ability to Execute metric – specifically for evaluated UEM Tool vendors – included:

Product or Service
Overall Viability
Sales Execution/Pricing
Market Responsiveness/Record
Marketing Execution
Customer Experience
Operations

Each criterion was weighted for different values, to then combine and create the aggregate Ability to Execute metric. This metric was plotted along the vertical “Y” axis of the Magic Quadrant™ graphic for each qualifying vendor.

Gartner Completeness of Vision metric for UEM Tools in 2022

Per the 2022 Gartner® Magic Quadrant™ for Unified Endpoint Management Tools report:

“Completeness of Vision focuses on the performance of a vendor’s product as it applies to current market needs, the strategy and performance in delivering to meet that understanding, and the vendor’s ability to innovate for current and emerging needs, as well as against its competitors. This metric also assesses a vendor’s geographic strategy and presence, its strategy and roadmap for the product, and its general business model.”

The various criteria for the 2022 Completeness of Vision metric – specifically for evaluated UEM Tool providers – included:

Market Understanding
Marketing Strategy
Sales Strategy
Offering (Product) Strategy
Business Model
Vertical/Industry Strategy
Innovation
Geographic Strategy

What the Gartner^® Magic Quadrant™ positions and Leader recognition meant for UEM Tools

Here’s the final 2022 Magic Quadrant™ for UEM Tools:

As you can see, Ivanti was placed as only one of three vendors within the Leaders quadrant of the 2022 Magic Quadrant™ for UEM Tools. But, what does the “Leader” position mean within this context?

What the Gartner leader position means for the 2022 Magic Quadrant™ for UEM Tools report

The following quote describes how Gartner considers companies and organizations placed within the Leader quadrant for the 2022 Magic Quadrant for UEM Tools report:

“Leaders exhibit strong execution and vision scores, and exemplify the suite of functions that assist organizations in managing their mobile devices and PCs. Leaders also provide guidance and tools to help migrate from traditional client management to modern management, as well as deep integration with endpoint analytics and endpoint security tools to provide a simpliﬁed IT administrator and an improved employee experience.”

What the Gartner Visionary position means for the Magic Quadrant™ for UEM Tools report

While Ivanti was named by Gartner as a Visionary last year – in 2021 – we thought it would be useful to also quote what Gartner considers to be a Visionary for this year’s Magic Quadrant for UEM Tools:

“Visionaries exhibit strong capabilities in their current offerings and a complete set of functionalities to address common use cases. However, the vendor’s size, the size of its installed base, platform breadth or integration points make it appropriate for some, but not all, buyers.”

We at Ivanti personally believe that our new Leader position within the 2022 Magic Quadrant for UEM Tools means that we have proven that our Neurons for UEM solution “walks the walk” in execution.

That is to say, between last year and this one, we feel that we proved out our UEM vision and foundation through our increased ability to execute on that vision – and we’re committed to keep improving through next year, too.

Validation of Ivanti’s UEM solutions for your Everywhere Workplace

We truly believe that this new recognition and Leader placement received from Gartner is a demonstration and validation of our strategy. The team here at Ivanti believes that the Everywhere Workplace is here to stay, and we will likely continue to experience fast growth in endpoints, data and remote workers.

After all, in today’s on-site, hybrid and remote Everywhere Workplaces, IT teams need a single tool to analyze, perform and automate endpoint management and security tasks now more than ever.

So, we’re committed to helping IT teams like yours to manage and secure your workplace – wherever it may be, and with whatever devices you need! – so that your end users can be productive anywhere.

Ivanti Neurons for UEM enables your IT team to leverage a single pane of glass view into their devices to efficiently discover, manage and secure all endpoints through accurate and actionable insights.

Plus, Ivanti’s built-in, on-device, out-of-the-box mobile phishing protection requires minimal user interaction and results in better end user experience and protection.

And, your IT team can also leverage the Neurons’ artificial intelligence (AI) / machine learning (ML) powered automation platform to detect and remediate any device issues or security threats before they can cause harm in your environment.

Finally, consolidating tools is top of mind for many customers. We truly believe that the level of integrated capabilities to discover, manage and secure endpoints will help improve IT efficiency and productivity.

We will continue to innovate and deliver the UEM tools that help our customers succeed. We’re excited about next innovations that we will bring to the market, and we hope you will continue to join us for the journey.

Disclaimers and attributions:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Ivanti.

Gartner, Magic Quadrant for Unified Endpoint Management Tools, Tom Cipolla, Dan Wilson, Chris Silva, Craig Fisler, 1st August 2022

What's New in Ivanti Neurons for Mobile Device Management?

Mon, 02 May 2022 18:25:13 Z

The latest release of Ivanti Neurons for MDM includes enhancements for managing COSU devices and transitioning to cloud-based device management.

Provide extra security and support for your Android COSU devices

Corporate-owned single-use (COSU) devices are dedicated for a single use, and Android Enterprise's capabilities can help configure those devices to best serve that purpose. Use cases for COSU devices include:

Point-of-sale (POS) systems in retail.
Handheld barcode scanners in supply chain.
Smart panels (such as information kiosks, timecard entry panels, physical access entry panels, etc.) across a number of industries, including healthcare, retail and manufacturing.

These locked-down devices can be dedicated to a single user, multiple users or external users. The Android Enterprise COSU configuration provides more control over how your staff and customers use the device by compartmentalizing the operating system to deploy in a locked-down environment, running a single application or a specific set of apps. Usually, one application is intended to run on the device and that’s all. COSU improves security, efficiency, processes, compliance and user experience by locking devices down to execute a small range of specific tasks.

With the latest release of Ivanti Neurons for MDM, several new features have been added to better secure and support your COSU devices.

5G slicing support

With more COSU devices deployed in remote locations, 5G support becomes more essential for securing those devices. Not only does Neurons for MDM provides 5G information to let you know if your device is part of your private 5G network slice, 5G network slicing allows your provider to take a shared physical network and portion it out into logical segments. Each segment is provisioned for a different set of users, devices and applications, and the logical separations mean the traffic from one slice does not interfere with another.

In a retail environment, different slices can be configured to provide for your mobile POS devices and for your customer kiosks. Your remote retail environments might employ these slicing schemes to provide better employee and customer experience, while behind the scenes keeping track of inventory. These slices would separate each other’s traffic and resources, improving security. 5G slicing can be enabled in the lockdown Android Enterprise configuration within Ivanti Neurons for MDM.

Configuring higher app priority distribution and updates on your COSU devices

With Ivanti Neurons for MDM, IT can set higher-priority apps for enrollment and update on COSU devices. This will allow admins to set which applications are critical for deployment and updating. This is important especially if the update would resolve or prevent a production-related issue. Getting these updates out as fast as possible can reduce downtime or even prevent a production-affecting event from surfacing.

Providing additional USB security to your COSU devices

With Ivanti Neurons for MDM, you can configure the USB port to be used for charging only to prevent the USB port from being used as a physical vector for malicious attacks, keeping unauthorized users from accessing confidential data. This is important particularly important for COSU devices in an open area, such as kiosks and POS devices in retail stores.

Unattended remote session support

Remote session support becomes even more of a necessity for remote COSU devices, particularly in a retail environment where there maybe no one is available after the store closes to troubleshoot and resolve technical issues.

With Neurons for MDM, you can initiate a remote session from within the console without requiring input from any user at that location, making it easy to manage COSU devices when there is no physical access to those devices.

Easily transition Windows devices to cloud-based modern management

We are excited to announce an Ivanti Neurons for MDM deployment package with the Q2 release to support customers with an easy transition for their Windows devices from traditional management to modern management.

Ivanti Neurons for MDM deployment package

IT can enroll devices managed by Microsoft Configuration Manager (formerly SCCM) or Ivanti Endpoint Manager into Ivanti Neurons for MDM. The Deployment Package tool allows organizations to streamline the transition of Windows devices to cloud-based modern management, without downtime or end-user interruption. Seamless transition is achieved by downloading a unique deployment package from the Neurons for MDM console, then deploying it through the existing management tool or domain. Once the package is deployed, it will silently enroll endpoints into Neurons for MDM for ongoing management. This approach allows administrators to first migrate devices easily, then have flexibility to configure devices later over the air. When device enrollment is completed silently into Neurons for MDM, it is joined with MDM and gets co-managed by two management authorities. Once an administrator configures the desired Windows experience within Neurons for MDM, a legacy management platform can be decommissioned, leaving Neurons for MDM as the single management authority of the device.

This package can be deployed in environments that do not leverage Azure Active Directory (AAD). The main elements of Neurons for MDM modern Windows management suite do not require AAD. Co-management or co-existence may require certain workloads or configurations to be deployed upon silent enrollment, to avoid any impact during transition.

Why move to cloud-based modern management?

As UEM solutions have evolved and added more capabilities over the years, it has become critical to provide a consistent user experience and management capabilities between mobile (iOS and Android) and Windows devices. Cloud-based modern device management on Windows devices is fundamentally different from traditional device management, but similar to mobile device management on iOS and Android.

One of key differences is profile-based management. Breaking from image-based management relieves significant IT workload from manual device imaging and maintenance. A profile is a collection of configuration settings that are applied to a device based on group membership, which allows profiles to be created as a module with multiple profiles assigned to a single user depending on their job function and required apps. With profile-based management, IT can remotely make changes on any configuration and push patch updates over the air.

Those differences mean that cloud-based modern management significantly reduces IT overhead and the complexity of managing Windows devices.

There are a number of drivers for considering a transition from client-based to cloud-based modern device management:

Higher scalability and lower cost impact. We can view scalability into two different ways – faster deployment and ease of scaling. First, a cloud-based solution is faster to deploy compared to an on-prem solution. Second, if you want to deploy more devices with a cloud-based solution, you don’t need to build a new server, which would be required for an on-prem solution to scale. Also, cloud-based solutions are managed by the vendor, so customers can save the cost of managing infrastructure and servers on their own.
Better security posture. Some might argue that on-prem has a better reputation when it comes to security posture. And it is true that some customers in heavily regulated industries still prefer to continue using on-prem solutions. The caveat is that security posture really depends on a customer’s infrastructure, and it often requires a heavy investment for customers to build their own security infrastructure and hire experts to manage it. Cloud service providers, including Ivanti, meet a high security standard with various certifications — for example, Ivanti Neurons for MDM is FedRAMP and SOC2 certified.
Improved productivity and user experience. Remember the significant efforts that went into the Windows 10 migration of a few years ago — and the loss of productivity due to downtime during the update? Modern device management minimizes impacts on productivity between Windows OS updates, as devices are being managed like smartphones. Modern device management also allows you to leverage a zero-touch provisioning solution that integrates systems like Windows Autopilot, Apple Business Manager, Android Enterprise and Samsung Knox Mobile Enrollment. IT can ship a Windows device directly to a user, and it automatically gets enrolled into the cloud-based UEM solution. You can cut onboarding time from weeks to two days, which results not only in a faster onboarding but also higher user satisfaction.

Learn more

For more information about Ivanti Neurons for MDM, visit the product page or view the release notes.

Exciting Announcements at WWDC21!

Wed, 09 Jun 2021 22:31:16 Z

Apple has made an exciting announcement at its WWDC21 keynote on Monday, including a lot of upgrades on iOS 15, the new macOS Monterey, big improvements to FaceTime, and more. Among the new features and upgrades, we are most excited about Declarative Device Management (DDM), which we believe will have a major impact on the future of device management.

One of the challenges of today’s MDM protocols is that they are server-based and rely on a device to check-in to identify state changes and enforce policies. This has limitations as the MDM server needs to keep track of changes by continuously polling the device. We can provide similar capabilities using mobile threat defense solutions. With declarative device management, our MDM capabilities will be further enhanced as the MDM server will be notified of state change on the device directly from the OS. This will further improve the overall interaction between the device and server.

While there are workarounds to the current server-based protocol, none are elegant or efficient. Another challenge is the overload on both network and UEM servers having to constantly poll and apply policies to the entire device fleet.

With declarative device management, the device is empowered to be autonomous and is able to proactively apply policies independent of the UEM server. This new approach is in many ways what agent-based management of Windows devices might look like, however it would eliminate a burden of having to run a myriad of agents on the device.

We are really excited about this update and what it means to the future of device management. Stay tuned to learn more about DDM itself and how we plan to integrate it into our UEM portfolio.

Google I/O Announcements – What Do Ivanti Customers Need to Know?

Thu, 20 May 2021 16:17:51 Z

This week Google unveiled a number of exciting announcements at its annual developers’ conference, Google I/O 2021. Announcements included Android 12 and several security and privacy features that are coming to its platforms.

At Ivanti, we are particularly excited about what Google is doing to improve user security and privacy.

The consistent theme of Google I/O was Secure by default, Private by design, and You’re in control.

Security – Secure by Default

Passwords are still the top cause of data breaches. In fact, this week during a keynote presentation, Google claimed that the single most common security vulnerability today is still bad passwords. While getting rid of password would be the ultimate solution, there is a long journey ahead of us.

Until we realize the goal of eliminating passwords, it’s good to see technology leaders working to make the password more secure and more manageable. This week, Google announced four new upgrades for Google Password Manager. It will now recommend strong passwords, secure them for you, detect and alert any compromised passwords in data breaches, and easily change and fix them when you are compromised. In a world of data breaches, consumers have a little more peace of mind knowing that Google is helping to proactively help the user to use secure passwords.

We agree that this will help strengthen user security particularly in a world where some of the most common passwords in 2021 are still: password, 123456, and 123456789.

At Ivanti we are particularly excited about these upgrades as we are committed to enhancing user security and have been on a mission to eliminate passwords for organizations with Zero Sign-On (ZSO).

Privacy – Private by Design

Google made significant improvements to Privacy on its Android operating system. Android Private Compute Core will help to ensure privacy of personal data. As mobile devices continue to become an extension of ourselves, the focus from vendors like Google on user privacy is critical.

At Ivanti, we firmly believe in this principle. Just as larger vendors are making investments in protecting consumer privacy, organizations need to take employee privacy more seriously as well. Being a Unified Endpoint Management (UEM) vendor, we are in a unique position to help organizations accomplish that. We enable privacy using various controls that are available natively in Android and managed by Ivanti UEM. In addition to native capabilities, we offer features such as a Visual Privacy Policy which enables users to know exactly what data their organization has access to from their managed devices.

Learn how your organization can realize a passwordless world using Ivanti ZSO, and how they can ensure the privacy of employees with the Ivanti UEM solution.