<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Endpoint Management</title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/topics/endpoint-management/rss" /><link>https://www.ivanti.com/blog/topics/endpoint-management</link><item><guid isPermaLink="false">b1263255-8700-4128-98cd-3091094f2a89</guid><link>https://www.ivanti.com/blog/sovereign-cloud-data-sovereignty-eu</link><atom:author><atom:name>Rob DeStefano</atom:name><atom:uri>https://www.ivanti.com/blog/authors/rob-destefano</atom:uri></atom:author><category>Endpoint Management</category><category>Security</category><title>Digital Sovereignty and Sovereign Cloud: Protecting EU Cloud Data for Operational Resilience</title><description>&lt;p&gt;Traditional data protection followed a straightforward principle: data stored in country A is protected by the laws of country A; data stored in country B is protected by the laws of country B. But in today’s global economy, where your data physically resides no longer on its own determines which governments can demand access to it.&lt;/p&gt;

&lt;p&gt;Cloud infrastructure brought new jurisdictional complexity. The physical location of data centers, the nationality of the cloud provider's headquarters, and the entity controlling operations can each create competing jurisdictional claims, potentially allowing multiple governments to demand access to the same data.&lt;/p&gt;

&lt;h2&gt;What is digital sovereignty?&lt;/h2&gt;

&lt;p&gt;This challenge has a name: digital sovereignty. Digital sovereignty is the principle that organizations maintain complete control over their data within their home jurisdiction's legal framework. This idea has become a necessity for organizational resilience as businesses work in a more fractured, less trusting geopolitical world. Private and public organizations need secure access to cloud-based platforms that are compliant with local regulatory requirements and shielded from the known or unknown geopolitical risks their region faces.&lt;/p&gt;

&lt;h2&gt;How the US CLOUD Act impacts EU data residency&lt;/h2&gt;

&lt;p&gt;The &lt;a href="https://www.justice.gov/criminal/cloud-act-resources" rel="noopener" target="_blank"&gt;2018 US CLOUD (Clarifying Lawful Overseas Use of Data) Act&lt;/a&gt; further cemented these concerns for EU organizations. This law empowers US law enforcement to compel any US-based cloud provider to produce data stored anywhere globally — regardless of the data's physical location or the customer's nationality.&lt;/p&gt;

&lt;p&gt;Both the CLOUD Act and the &lt;a href="https://www.congress.gov/crs-product/IF11451" rel="noopener" target="_blank"&gt;Foreign Intelligence Surveillance Act (FISA)&lt;/a&gt; have given firms in the European Union cause for concern. Under these two laws, US authorities can compel access to data held on the cloud platforms of any US-headquartered provider, even when the data center itself is located in another country.&lt;/p&gt;

&lt;p&gt;For EU‑based companies, using US‑based tools triggers specific &lt;a href="https://www.ivanti.com/blog/what-is-gdpr"&gt;GDPR obligations&lt;/a&gt; because personal data leaves the EU. And since the Court of Justice of the EU invalidated the EU–US Privacy Shield in its 2020 Schrems II ruling, EU companies have needed other transfer safeguards. Standard Contractual Clauses (SCCs) remain valid, but only conditionally: the same ruling requires a case-by-case assessment of whether the destination country’s surveillance laws undermine the protections the clauses promise.&lt;/p&gt;

&lt;p&gt;The EU–US Data Privacy Framework has since been adopted as a replacement, but underlying trust among the nations involved only goes so far. These dynamics increased pressure to ensure &lt;a href="https://www.ivanti.com/use-cases/data-protection-application-security"&gt;data protection&lt;/a&gt;, and sovereign cloud solutions emerged to deliver operational resiliency alongside it.&lt;/p&gt;

&lt;h2&gt;Ivanti Neurons for MDM – Sovereign Edition: built for EU cloud sovereignty&lt;/h2&gt;

&lt;p&gt;For our partners and customers in the EU, Ivanti Neurons for MDM Sovereign Edition addresses these requirements through fundamentally different architecture and operations. Located in Germany and independently operated, this solution was designed to align with the Cloud Sovereignty Framework of the European Commission and has been evaluated by the &lt;a href="https://cyberintelligence.institute/" rel="noopener" target="_blank"&gt;cyberintelligence.institute&lt;/a&gt;, whose assessment concluded:&lt;/p&gt;

&lt;p&gt;“The Ivanti Sovereign Cloud demonstrates a high level of European control in the areas of data processing, security and compliance governance. In its current configuration, the Ivanti Sovereign Cloud achieves at least SEAL 2 certification, meaning that data sovereignty is ensured in all areas. Furthermore, the Ivanti Sovereign Cloud meets the requirements for SEAL 3 certification in many relevant areas, thus achieving digital resilience.”&lt;/p&gt;

&lt;p&gt;You can read the &lt;a href="https://www.ivanti.com/lp/aem/contact/sovereign-cloud-mdm"&gt;full technical assessment&lt;/a&gt; to learn more.&lt;/p&gt;

&lt;h2&gt;Achieving data sovereignty compliance with confidence&lt;/h2&gt;

&lt;p&gt;Neurons for MDM – Sovereign Edition – EU provides European firms with a strategic foundation for their IT and Security platform from a trusted leader, while maintaining local jurisdictional protections for risk management. This means public and private entities can continue their digital transformation with the confidence that their cloud data will remain secure while their operations gain resilience.&lt;/p&gt;

&lt;p&gt;Next steps? Read our whitepaper, &lt;a href="https://www.ivanti.com/resources/whitepapers/sovereign-cloud-strategy"&gt;Sovereign Cloud as a Strategic Necessity for European Organizations&lt;/a&gt;, to discover how Ivanti Neurons for MDM Sovereign Edition achieves and exceeds SEAL 2 certification and provides the sovereign cloud architecture European organizations need to maintain data sovereignty while enabling secure digital transformation.&lt;/p&gt;
</description><pubDate>Fri, 17 Apr 2026 12:30:01 Z</pubDate></item><item><guid isPermaLink="false">2407256b-094c-45de-a2b1-309ed2f901cf</guid><link>https://www.ivanti.com/blog/how-ai-automation-improve-endpoint-visibility</link><atom:author><atom:name>Aruna Kureti</atom:name><atom:uri>https://www.ivanti.com/blog/authors/aruna-kureti</atom:uri></atom:author><category>Artificial Intelligence</category><category>Endpoint Management</category><title>Inventory to Intelligence: How AI and Automation Improve Endpoint Visibility</title><description>&lt;p&gt;Endpoint visibility has always been foundational to IT and security. You&amp;nbsp;can’t&amp;nbsp;secure,&amp;nbsp;patch&amp;nbsp;or&amp;nbsp;support what you&amp;nbsp;can’t&amp;nbsp;see.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;But as environments have become more distributed and complex, what visibility means has evolved. It’s no longer enough to know that a device exists — IT teams and organizations as a whole need to understand its health, its&amp;nbsp;risk&amp;nbsp;posture&amp;nbsp;and&amp;nbsp;its impact on both security and user experience.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is where&amp;nbsp;&lt;a href="https://www.ivanti.com/autonomous-endpoint-management"&gt;AI and endpoint automation&lt;/a&gt;&amp;nbsp;start to make a practical difference. By moving endpoint visibility from static inventory to continuous intelligence, organizations can shift from reactive discovery to proactive, even autonomous operations.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Why traditional discovery practices fall short&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Traditional discovery practices were built for&amp;nbsp;a very different&amp;nbsp;IT reality. Their approach is designed for relatively static environments, clearly defined&amp;nbsp;perimeters&amp;nbsp;and&amp;nbsp;manual processes. That strategy&amp;nbsp;doesn’t&amp;nbsp;scale well in today’s hybrid, cloud-first world.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Manual discovery workflows often produce incomplete or outdated inventories. Ivanti’s 2026&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/research-reports/aem" target="_blank"&gt;Autonomous Endpoint Management Advantage Report&lt;/a&gt;&amp;nbsp;reinforces this reality:&amp;nbsp;Only&amp;nbsp;52% of organizations report using&amp;nbsp;an&amp;nbsp;&lt;a href="https://www.ivanti.com/products/endpoint-manager"&gt;endpoint management solution&lt;/a&gt;&amp;nbsp;today, leaving many environments with limited centralized visibility and persistent blind spots across unmanaged or shadow IT.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In practice, this fragmentation shows up in very familiar ways. Teams often juggle multiple inventories: one from an on-prem client management tool, another from an &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;MDM platform&lt;/a&gt; and yet another from identity or access systems, leaving gaps that widen as environments grow more complex.&lt;/p&gt;

&lt;h3&gt;Common challenges&amp;nbsp;in manual device discovery&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Manual discovery relies heavily on human input, which introduces inconsistency and error. As environments grow more distributed, these processes struggle to evolve with them, making it difficult to keep inventories&amp;nbsp;accurate&amp;nbsp;as devices are added,&amp;nbsp;reassigned&amp;nbsp;or&amp;nbsp;accessed remotely. Reconciling changes across large estates becomes time-consuming and brittle, increasing the likelihood that devices fall out of view entirely.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Over time, these limitations compound.&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/best-practices-for-it-asset-discovery-and-inventory-management"&gt;Discovery&lt;/a&gt;&amp;nbsp;becomes episodic rather than continuous, and visibility&amp;nbsp;lags behind&amp;nbsp;reality. By the time inventories are reconciled, the environment has already changed.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Visibility gaps and security risks&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;These gaps&amp;nbsp;aren’t&amp;nbsp;theoretical. Ivanti’s research shows that many organizations still struggle with foundational&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/endpoint-management-ownership-it-security-governance"&gt;endpoint visibility&lt;/a&gt;&amp;nbsp;even after deploying multiple management tools. Endpoint data exists across scanners, MDM&amp;nbsp;platforms&amp;nbsp;and&amp;nbsp;access systems, but it is rarely centralized, continuously updated, or trusted across teams. As a result, shadow IT, unmanaged devices&amp;nbsp;and&amp;nbsp;unknown access paths&amp;nbsp;remain&amp;nbsp;persistent sources of security and compliance risk.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Blind spots create real risk. Many organizations struggle to&amp;nbsp;identify&amp;nbsp;which devices are vulnerable or even actively accessing their environments.&lt;/p&gt;

&lt;div class="flourish-embed flourish-chart" data-src="visualisation/26365764"&gt;&lt;/div&gt;

&lt;p&gt;When teams&amp;nbsp;can’t&amp;nbsp;reliably understand device exposure or access patterns, security decisions are made using incomplete or outdated data, increasing&amp;nbsp;risk&amp;nbsp;and delaying remediation. In fact, the above-mentioned Ivanti report highlights how common these blind spots are:&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;45% of organizations report challenges&amp;nbsp;identifying&amp;nbsp;shadow IT&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;41% struggle to&amp;nbsp;identify&amp;nbsp;vulnerabilities across devices&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;35% say data blind spots make it difficult to determine patch compliance.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Device discovery vs. device health monitoring&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Discovery is only the first step. Knowing that a device exists&amp;nbsp;doesn't&amp;nbsp;tell you whether&amp;nbsp;it's&amp;nbsp;secure,&amp;nbsp;compliant&amp;nbsp;or&amp;nbsp;even functioning properly.&amp;nbsp;That’s&amp;nbsp;where device health monitoring becomes critical.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Discovery tells you what’s present. Health monitoring adds the context that actually matters, from performance and configuration drift to overall security posture. Research from &lt;a href="https://www.ivanti.com/resources/research-reports/borderless-security" target="_blank"&gt;Ivanti’s 2025 Securing the Borderless Digital Landscape report&lt;/a&gt; underscores how significant these visibility gaps remain: nearly two in five (38%) IT professionals say they lack sufficient data about the devices accessing their network, and 45% report insufficient visibility into shadow IT.&lt;/p&gt;

&lt;p&gt;BYOD and &lt;a href="https://www.ivanti.com/resources/research-reports/borderless-security" target="_blank"&gt;edge devices&lt;/a&gt; are a particular concern. A device can be online and still pose significant risk: it may be missing critical patches, running outdated software, drifting from configuration standards or suffering performance issues that impact users.&lt;/p&gt;

&lt;p&gt;Presence data answers the question, “Is it there?” Health data answers, “Is it safe, compliant, and usable?” Without health insights, organizations are effectively managing endpoints in the dark.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Key indicators of endpoint health&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;To manage endpoints proactively, organizations need continuous visibility into key health indicators.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This includes:&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Operating&amp;nbsp;system and application versions&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Patch&amp;nbsp;and antivirus status&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Configuration&amp;nbsp;drift&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;Overall&amp;nbsp;security posture&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;User experience signals such as crashes,&amp;nbsp;latency&amp;nbsp;and&amp;nbsp;performance degradation also provide early warning signs that something&amp;nbsp;isn’t&amp;nbsp;right.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Modern platforms unify these signals into a single view, allowing IT and security teams to understand not just what devices exist, but how&amp;nbsp;they're&amp;nbsp;performing and where risk is&amp;nbsp;emerging.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;The risk of tracking only device presence&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;When organizations focus&amp;nbsp;only&amp;nbsp;on device presence, they expose themselves to both security and operational risks. Visibility without context leads to delayed detection, missed compliance&amp;nbsp;requirements&amp;nbsp;and&amp;nbsp;reactive management.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Negative impacts on security and compliance&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Tracking presence alone increases the likelihood that malware,&amp;nbsp;misconfigurations&amp;nbsp;or&amp;nbsp;policy violations go undetected. Devices that are not enrolled in management or out of compliance may still access sensitive resources, creating gaps in enforcement. When access decisions&amp;nbsp;aren’t&amp;nbsp;tied to device state, enforcement becomes inconsistent by default.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Strong endpoint visibility, combined with access controls that consume it, ensures that only managed and compliant devices can reach sensitive systems and data.&lt;/p&gt;

&lt;p&gt;Tying access to management and compliance status is critical. Conditional access,&amp;nbsp;VPN&amp;nbsp;and&amp;nbsp;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-zero-trust-access"&gt;zero trust&lt;/a&gt;&amp;nbsp;controls are only effective when visibility and enrollment are enforced consistently across endpoints.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Patch management is one of the areas where limited visibility creates the most operational strain. Our &lt;a href="https://www.ivanti.com/resources/research-reports/aem" target="_blank"&gt;IT and security research&lt;/a&gt; shows that many IT teams struggle to track patch status across their full endpoint estate and to stay compliant as environments become more distributed. For example, of those we surveyed:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;38% of IT and security professionals say they have difficulty tracking patch status and rollouts.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;35% of teams struggle to stay compliant.&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="flourish-embed flourish-chart" data-src="visualisation/26365754"&gt;&lt;/div&gt;

&lt;p&gt;These challenges&amp;nbsp;aren’t&amp;nbsp;about patch availability alone. They stem from gaps in visibility into device state,&amp;nbsp;ownership&amp;nbsp;and&amp;nbsp;real-world exposure, making it difficult to prioritize and verify remediation.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Operational inefficiencies&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;From an operational perspective, limited visibility leads to inefficiency. IT teams spend time troubleshooting issues that automation could resolve, chasing devices that should have been discovered automatically, and reacting to incidents rather than preventing them.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Without health data, teams are forced into a firefighting mode, responding to problems after they&amp;nbsp;impact&amp;nbsp;users instead of addressing them proactively.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is exactly where AI and automation can begin to change the equation.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;How AI and endpoint automation improve endpoint visibility&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;AI and automation turn endpoint visibility from a one-time discovery exercise into a continuous, self-sustaining capability. They enable teams to unify data, detect&amp;nbsp;anomalies&amp;nbsp;and&amp;nbsp;maintain&amp;nbsp;accurate&amp;nbsp;inventories without manual effort.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Unified telemetry across multiple sources&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Modern endpoint management platforms with AI and automation capabilities&amp;nbsp;consolidate&amp;nbsp;telemetry from discovery, UEM, MDM, patching,&amp;nbsp;vulnerability&amp;nbsp;and&amp;nbsp;security tools into a unified, continuously updated view. This unified telemetry&amp;nbsp;eliminates&amp;nbsp;the need to reconcile siloed inventories and provides a shared, reliable view for both IT and security.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;By normalizing data across desktop, mobile, server&amp;nbsp;and&amp;nbsp;IoT devices, organizations gain holistic visibility that&amp;nbsp;supports&amp;nbsp;faster, more confident decision-making.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Our&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/research-reports/aem" target="_blank"&gt;autonomous&amp;nbsp;endpoint management (AEM)&amp;nbsp;research&amp;nbsp;&lt;/a&gt;also shows that organizations make the most progress when endpoint visibility is treated as a shared&amp;nbsp;objective. Teams that track metrics such as time to discovery, percentage of fully managed endpoints&amp;nbsp;and&amp;nbsp;exposure duration through shared dashboards are better able to align IT and security around the same data. This shared visibility turns endpoint management from siloed reporting into a coordinated, data-driven process.&amp;nbsp;&lt;/p&gt;
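&lt;p&gt;To make the reconciliation concrete, here is an added example (not Ivanti’s code, and not part of the original post) that joins three constructed inventory exports (an MDM, an on-prem client tool and an identity provider) on a normalised serial number, then derives the health indicators and shared metrics the sections above describe: the share of fully managed endpoints, devices signing in without being enrolled, patch exposure duration against an assumed 30-day SLA, and configuration drift from an assumed baseline. All field names, sample devices and thresholds are assumptions.&lt;/p&gt;

```python
"""Reconcile siloed device inventories into one view and compute the
visibility metrics the text names: share of fully managed endpoints,
devices accessing resources outside management, patch exposure duration
and configuration drift. Added example using only the standard library;
all data below is constructed and every field name is an assumption."""
import operator
from datetime import date

# Constructed exports. Each tool keys devices differently: the MDM by
# serial, the on-prem client tool by hostname (serial in mixed case with
# stray whitespace), and the identity provider by the device identifier
# it records at sign-in.
MDM_EXPORT = [
    {"serial": "C02XK1ABCD", "hostname": "lt-alice", "os": "macOS 14.4",
     "patched_through": "2026-03-28"},
    {"serial": "5CD1234XYZ", "hostname": "LT-BOB", "os": "Windows 11 23H2",
     "patched_through": "2026-02-10"},
]
ONPREM_EXPORT = [
    {"hostname": "lt-bob", "serial": " 5cd1234xyz ", "av_enabled": True},
    {"hostname": "ws-carol", "serial": "PF2ZZZ9999", "av_enabled": False},
]
IDP_SIGNINS = [  # devices that authenticated to the IdP in the last week
    {"device_serial": "C02XK1ABCD", "user": "alice"},
    {"device_serial": "PF2ZZZ9999", "user": "carol"},
    {"device_serial": "UNKNOWN-7F3A", "user": "dave"},  # in no inventory
]
BASELINE = {"av_enabled": True}  # assumed configuration baseline
PATCH_SLA_DAYS = 30              # assumed maximum tolerated exposure


def norm(serial):
    """Normalise the join key: tools disagree on case and whitespace."""
    return serial.strip().upper()


def unify(mdm=MDM_EXPORT, onprem=ONPREM_EXPORT, idp=IDP_SIGNINS):
    """Merge all three sources into one record per device, keyed by serial,
    remembering which source contributed so duplicates collapse cleanly."""
    devices = {}

    def record(serial, source, **fields):
        entry = devices.setdefault(norm(serial), {"sources": set()})
        entry["sources"].add(source)
        entry.update(fields)

    for rec in mdm:
        record(rec["serial"], "mdm", hostname=rec["hostname"].lower(),
               os=rec["os"], patched_through=rec["patched_through"])
    for rec in onprem:
        record(rec["serial"], "onprem", hostname=rec["hostname"].lower(),
               av_enabled=rec["av_enabled"])
    for rec in idp:
        record(rec["device_serial"], "idp", last_user=rec["user"])
    return devices


def visibility_metrics(devices, as_of=date(2026, 4, 2)):
    """Turn the unified inventory into numbers IT and security can share."""
    total = len(devices)
    # "Fully managed" is an assumption here: enrolled in the MDM and also
    # reporting through the on-prem agent.
    fully_managed = [s for s, d in devices.items()
                     if {"mdm", "onprem"}.issubset(d["sources"])]
    # Devices that signed in but are not MDM-enrolled: the shadow-IT signal.
    accessing_unmanaged = sorted(s for s, d in devices.items()
                                 if "idp" in d["sources"]
                                 and "mdm" not in d["sources"])
    # Days since the last patch baseline for enrolled devices; anything past
    # the SLA is the "exposure duration" worth putting on a shared dashboard.
    exposure = {}
    for s, d in devices.items():
        if "patched_through" in d:
            exposure[s] = (as_of - date.fromisoformat(d["patched_through"])).days
    overdue = sorted(s for s, days in exposure.items()
                     if operator.gt(days, PATCH_SLA_DAYS))
    # Configuration drift: any reported setting that differs from baseline.
    drift = sorted(s for s, d in devices.items()
                   if any(k in d and d[k] != v for k, v in BASELINE.items()))
    return {
        "total_devices": total,
        "fully_managed_pct": round(100 * len(fully_managed) / total, 1),
        "accessing_unmanaged": accessing_unmanaged,
        "exposure_days": exposure,
        "patch_overdue": overdue,
        "config_drift": drift,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(visibility_metrics(unify()), indent=2))
```

&lt;p&gt;The value of joining on a normalised key shows in the sample data: the on-prem export lists the same laptop in lower case with stray whitespace, and without the norm() step it would appear twice, inflating the device count and hiding that it is in fact the one fully managed device. The sign-in from a serial no inventory knows about is the case the text calls an unknown access path; it surfaces only because the identity source is reconciled with the management sources instead of being read on its own.&lt;/p&gt;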

&lt;h3&gt;AI-Powered&amp;nbsp;automation and&amp;nbsp;autonomous&amp;nbsp;bots&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Automation plays a critical role in keeping visibility current.&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/bot-library"&gt;AI-powered bots&lt;/a&gt;&amp;nbsp;can automatically rediscover devices, reconcile duplicates, update ownership and&amp;nbsp;location&amp;nbsp;and&amp;nbsp;detect anomalies across the environment.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;When agents stop reporting or profiles break, automated workflows can repair or reinstall them without human intervention. This ensures that visibility&amp;nbsp;doesn’t&amp;nbsp;degrade over time and reduces the operational burden on IT teams.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Self-healing&amp;nbsp;workflows for IT&amp;nbsp;productivity&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;Self-healing workflows extend automation to the endpoint itself. Common issues such as failed updates, stopped services&amp;nbsp;or&amp;nbsp;configuration drift can be detected and resolved automatically, often before users notice a problem.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Endpoint automation enables these self-healing workflows to&amp;nbsp;operate&amp;nbsp;continuously in the background, resolving common issues without waiting for human intervention.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;By resolving these issues without tickets, organizations reduce downtime, improve user&amp;nbsp;experience&amp;nbsp;and&amp;nbsp;free IT staff to focus on higher-value initiatives.&amp;nbsp;In fact,&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/research-reports/aem" target="_blank"&gt;over two-thirds of IT teams&lt;/a&gt;&amp;nbsp;today believe that&amp;nbsp;AI and automation&amp;nbsp;in ITSM&amp;nbsp;will&amp;nbsp;allow them to deliver better service experiences&amp;nbsp;and&amp;nbsp;give them more time to support business objectives.&lt;/p&gt;

&lt;div class="flourish-embed flourish-chart" data-src="visualisation/26365781"&gt;&lt;/div&gt;

&lt;h2&gt;Broader&amp;nbsp;impact on&amp;nbsp;security,&amp;nbsp;productivity&amp;nbsp;and&amp;nbsp;user&amp;nbsp;experience&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;When AI and automation are integrated into endpoint visibility, the benefits extend beyond IT operations. Security posture&amp;nbsp;improves&amp;nbsp;and users experience fewer disruptions — and productivity increases.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;By combining endpoint visibility and control, organizations can reduce risk while still supporting productivity and flexible operating models.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Closing&amp;nbsp;visibility&amp;nbsp;gaps&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;AI-driven insights shrink blind spots by continuously monitoring endpoint activity and health. Instead of relying on periodic scans or manual checks, organizations maintain near-real-time awareness of their endpoint environment.&lt;/p&gt;

&lt;p&gt;This&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/attack-surface-visibility-gaps"&gt;continuous visibility&lt;/a&gt;&amp;nbsp;transforms endpoint management from a static inventory project into a living, breathing capability that adapts as the environment changes.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Improving&amp;nbsp;IT&amp;nbsp;operations and&amp;nbsp;end-user&amp;nbsp;satisfaction&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/blog/how-ai-alleviates-help-desk-workloads"&gt;Automation reduces ticket volume&lt;/a&gt;&amp;nbsp;and accelerates resolution times, while predictive analytics help prevent downtime before it&amp;nbsp;impacts&amp;nbsp;users. Ring deployments, maintenance&amp;nbsp;windows&amp;nbsp;and&amp;nbsp;self-service catalogs allow changes to be delivered with minimal disruption.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;When users experience faster support and fewer interruptions, resistance to endpoint management drops and adoption improves. Over time, this creates a healthier feedback loop where visibility,&amp;nbsp;automation&amp;nbsp;and&amp;nbsp;user experience reinforce each other instead of competing.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This is where&amp;nbsp;autonomous endpoint management&amp;nbsp;takes organizations next. Visibility becomes continuous instead of episodic. Automation keeps inventories&amp;nbsp;accurate, health signals&amp;nbsp;current&amp;nbsp;and&amp;nbsp;risk visible in real time.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;With shared data and clear ownership, IT and security teams stop reacting to issues after the fact and start managing endpoints proactively. That shift from inventory to intelligence is what enables autonomous endpoint management, and&amp;nbsp;it’s&amp;nbsp;quickly becoming the standard for modern IT operations.&amp;nbsp;&lt;/p&gt;
</description><pubDate>Fri, 03 Apr 2026 13:00:09 Z</pubDate></item><item><guid isPermaLink="false">c6a5b580-8345-47fd-b9fe-58b19a5bc3cc</guid><link>https://www.ivanti.com/blog/endpoint-management-ownership-it-security-governance</link><atom:author><atom:name>Aruna Kureti</atom:name><atom:uri>https://www.ivanti.com/blog/authors/aruna-kureti</atom:uri></atom:author><category>Endpoint Management</category><title>Who Owns Endpoint Management? Defining Security and IT Governance</title><description>&lt;p&gt;Endpoint management is one of the most critical — and most contested — areas of enterprise governance. Every organization depends on endpoints, yet many still struggle to answer a fundamental question: who actually &lt;i&gt;owns &lt;/i&gt;these devices?&lt;/p&gt;

&lt;p&gt;In many environments, IT and security teams are both confident they’re doing the right thing, yet still talk past each other. Security looks at a scanner and sees 10,000 critical vulnerabilities; IT looks at a patch report and sees everything deployed. They're both right, but they're speaking different languages.&lt;/p&gt;

&lt;p&gt;The result is stalled risk remediation efforts, policy friction and growing frustration. Teams debate whose data is accurate instead of closing gaps. When &lt;a href="https://www.ivanti.com/autonomous-endpoint-management/unified-endpoint-management"&gt;endpoint management&lt;/a&gt; is governed jointly, with shared visibility and accountability, teams can shift their focus from reconciling data to improving execution.&lt;/p&gt;

&lt;p&gt;As endpoint environments scale, governance also depends on automation. AI-powered capabilities can help normalize data across siloed tools, surface unmanaged devices, and highlight &lt;a href="https://www.ivanti.com/it-asset-visibility"&gt;asset visibility&lt;/a&gt; gaps, making shared ownership possible without relying on manual reconciliation.&lt;/p&gt;

&lt;h2&gt;Why endpoint management ownership matters&lt;/h2&gt;

&lt;p&gt;Endpoints are where users work, where data is accessed and where many security incidents begin. When ownership of endpoint management is unclear, fissures start to appear.&lt;/p&gt;

&lt;p&gt;Ivanti’s &lt;a href="https://www.ivanti.com/resources/research-reports/aem"&gt;Autonomous Endpoint Management Advantage&lt;/a&gt; report shows that these visibility gaps are widespread and consequential. Just over half of organizations report using endpoint management solutions that provide centralized visibility, meaning many teams still struggle to see their full device landscape. These blind spots extend beyond unmanaged IT devices.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;45% of security and IT professionals cite &lt;a href="https://www.ivanti.com/products/discovery"&gt;shadow IT&lt;/a&gt; as a key data gap.&lt;/li&gt;
	&lt;li&gt;41% report difficulty &lt;a href="https://www.ivanti.com/use-cases/manage-it-vulnerability-risk"&gt;identifying vulnerabilities&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;38% can’t reliably tell which devices are even accessing their network.&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="flourish-embed flourish-chart" data-src="visualisation/26365764"&gt;&lt;/div&gt;

&lt;p&gt;Most organizations believe they know what’s on their network, until they turn on proper discovery. The reality is that device lists are usually siloed: one from your MDM, another from on-prem tools and something else from the identity provider.&lt;/p&gt;

&lt;p&gt;As a result, basic questions become hard to answer: which devices are fully managed, which are compliant and which can access sensitive resources without controls.&lt;/p&gt;

&lt;p&gt;AI-powered automation can help continuously correlate endpoint data across management, identity and &lt;a href="https://www.ivanti.com/autonomous-endpoint-management/endpoint-security"&gt;endpoint security solutions&lt;/a&gt;, reducing blind spots that manual processes routinely miss.&lt;/p&gt;

&lt;p&gt;But visibility is only valuable when it’s shared and governed. You can’t secure, patch or support what you can’t see. Without a shared, trusted view and clear governance of endpoints, well-intentioned efforts still lead to friction, delays and increased risk. That’s why endpoint management is ultimately a governance problem, not just a technical one.&lt;/p&gt;

&lt;p&gt;Security isn’t the only issue with these blind spots. Patching is slowed, support gets complicated and policy enforcement is undermined. When IT and security teams rely on different datasets, disagreements over risk and remediation are inevitable.&lt;/p&gt;

&lt;p&gt;Clear ownership changes that dynamic. When endpoint management is governed jointly, with shared visibility and accountability, organizations are better positioned to move from debating data to closing gaps. Endpoint management becomes a foundation for consistent policy enforcement, faster remediation and better collaboration across teams.&lt;/p&gt;

&lt;h2&gt;Common points of friction between IT and security teams&lt;/h2&gt;

&lt;p&gt;Most friction between IT and security doesn’t come from bad intent. It comes from misalignment.&lt;/p&gt;

&lt;p&gt;Our &lt;a href="https://www.ivanti.com/resources/research-reports/aem"&gt;autonomous endpoint management research&lt;/a&gt; also suggests this misalignment isn’t abstract; it’s measurable and costly. We found that:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;56% of IT professionals say wasteful IT spend is a problem.&lt;/li&gt;
	&lt;li&gt;And 39% point to inefficient tech support as an area of waste.&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="flourish-embed flourish-chart" data-src="visualisation/26365747"&gt;&lt;/div&gt;

&lt;p&gt;Nearly nine in ten respondents also report that siloed data negatively impacts IT operations, driving inefficient use of resources, reduced collaboration and elevated risk of non-compliance.&lt;/p&gt;

&lt;p&gt;In practice, this misalignment tends to surface in a few consistent and recurring friction points:&lt;/p&gt;

&lt;h4&gt;Fragmented tooling&lt;/h4&gt;

&lt;p&gt;Fragmented tooling is a major barrier. Many organizations juggle an older on-prem client tool, a separate MDM for mobile and a different solution for patches. The result is tech sprawl that makes the problem worse.&lt;/p&gt;

&lt;p&gt;As this disconnect plays out in practice, security and IT teams often rely on different tools and datasets to assess the same endpoints, leading to very different conclusions about risk and remediation status.&lt;/p&gt;

&lt;p&gt;AI-driven analysis can add context across these datasets, helping IT and security teams interpret exposure through a shared lens rather than competing reports.&lt;/p&gt;

&lt;h4&gt;User impact&lt;/h4&gt;

&lt;p&gt;User impact is another source of tension. Endpoint controls are often seen as restrictive, raising concerns about performance, downtime or privacy, especially on bring-your-own-device (BYOD) endpoints. IT teams are left balancing enforcement with user experience, while security pushes for stricter controls.&lt;/p&gt;

&lt;h4&gt;Resource constraints&lt;/h4&gt;

&lt;p&gt;Resource constraints make this harder. Teams are wary of introducing new platforms or policies that appear complex or disruptive, especially when they’re already stretched thin.&lt;/p&gt;

&lt;p&gt;Without clear governance, these issues lead to inconsistent enforcement, stalled remediation and shadow policy decisions. Endpoint management stays reactive. But the good news is that this is solvable.&lt;/p&gt;

&lt;h2&gt;Balancing security requirements and business flexibility&lt;/h2&gt;

&lt;p&gt;One of the hardest challenges in endpoint management is balancing security with business flexibility. Security teams want consistent controls to reduce risk. Business leaders want minimal disruption and the freedom to work without friction. IT teams are often caught in the middle.&lt;/p&gt;

&lt;p&gt;When this balance isn’t clearly defined, endpoint policies become a source of conflict. Strict controls applied universally can slow productivity, frustrate users and encourage workarounds. Too much flexibility, on the other hand, increases exposure and makes enforcement inconsistent.&lt;/p&gt;

&lt;p&gt;The real issue is that organizations fail to agree upfront on what’s mandatory and where flexibility is acceptable. Without that clarity, organizations negotiate policy decisions ad hoc and react to incidents instead of managing risk proactively.&lt;/p&gt;

&lt;p&gt;Effective endpoint governance reframes the conversation. By defining baseline requirements upfront and aligning them to risk, organizations can protect critical assets while still supporting different user needs and operating models. This shift allows security and IT to move from constant trade-offs to structured decision-making. That's when the relationship fundamentally changes from friction to alignment.&lt;/p&gt;

&lt;h2&gt;Who should own endpoint governance?&lt;/h2&gt;

&lt;p&gt;Endpoint governance can't sit with a single team. It requires shared ownership across IT, security and the business.&lt;/p&gt;

&lt;p&gt;In successful organizations, endpoint governance is shaped by a group that includes IT operations, security and key business stakeholders. This group defines decision rights, agrees on priorities and establishes a common policy framework that everyone operates within.&lt;/p&gt;

&lt;p&gt;Security brings risk context and threat awareness. IT brings operational insight and user impact considerations. Business leaders provide perspective on workflows, productivity and acceptable levels of disruption. When these perspectives are aligned early, endpoint policies are easier to enforce and less likely to be bypassed.&lt;/p&gt;

&lt;p&gt;Governance clarifies accountability. It answers questions like who decides what's mandatory, how exceptions are handled and how conflicts are resolved. With that structure in place, endpoint management becomes a coordinated program rather than a series of isolated decisions.&lt;/p&gt;

&lt;h2&gt;Defining risk remediation priorities and timelines&lt;/h2&gt;

&lt;p&gt;Effective endpoint governance depends on clear agreement around &lt;a href="https://www.ivanti.com/resources/research-reports/risk-based-patch"&gt;risk remediation priorities&lt;/a&gt; and timelines. Without that agreement, IT and security teams often talk past each other, prioritizing volume instead of focusing on what matters most.&lt;/p&gt;

&lt;p&gt;The problem with patching is prioritization, and Ivanti’s &lt;a href="https://www.ivanti.com/resources/research-reports/aem"&gt;autonomous endpoint management research&lt;/a&gt; confirms this isn't just a theoretical problem but a measurable operational challenge:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;39% of IT teams struggle to prioritize risk remediation and patch deployment.&lt;/li&gt;
	&lt;li&gt;38% have difficulty tracking patch status and rollouts.&lt;/li&gt;
	&lt;li&gt;And 35% struggle to stay compliant with patching.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These are all outcomes that stem largely from visibility gaps and inconsistent tooling, making it harder to focus remediation efforts.&lt;/p&gt;

&lt;div class="flourish-embed flourish-chart" data-src="visualisation/26365754"&gt;&lt;/div&gt;

&lt;p&gt;Traditional approaches rely on CVSS scores and long spreadsheets that don't reflect real-world risk at all. Context matters: whether a device is Internet-facing, who uses it, what data it touches and how likely exploitation is, with AI-powered analysis helping teams assess that context continuously at scale.&lt;/p&gt;

&lt;p&gt;Governance helps shift remediation from a volume-driven exercise to a risk-based one. By defining patching timelines, escalation paths and ownership upfront, organizations can align IT and security around shared priorities. Instead of debating which issues to address first, teams can focus on execution.&lt;/p&gt;

&lt;p&gt;Clear timelines reduce friction by making remediation predictable instead of reactive. This consistency improves accountability, shortens exposure windows and builds trust between teams.&lt;/p&gt;

&lt;h2&gt;Non-negotiables vs. flexibility zones&lt;/h2&gt;

&lt;p&gt;One of the most important outcomes of endpoint governance is clarity around what's required and where flexibility is allowed.&lt;/p&gt;

&lt;p&gt;Non-negotiables are the baseline. This includes disk encryption, specific &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;patch management&lt;/a&gt; timelines and mandatory enrollment before a device can touch sensitive data. Defining these controls upfront removes ambiguity and ensures a consistent security posture.&lt;/p&gt;

&lt;p&gt;Flexibility zones acknowledge that not all endpoints are the same. Different teams, roles and operating models may require tailored policies, especially in environments with BYOD, contractors or frontline workers. Governance defines where exceptions are permitted, how they are approved and how risk is managed when flexibility is granted.&lt;/p&gt;

&lt;p&gt;Without this distinction, organizations either over-restrict users or allow uncontrolled exceptions. With it, endpoint management becomes both enforceable and adaptable.&lt;/p&gt;

&lt;p&gt;Security teams know which controls cannot be compromised, while IT and the business retain the flexibility needed to support productivity. This balance makes endpoint governance enforceable and practical.&lt;/p&gt;

&lt;h2&gt;Building trust through shared dashboards and transparency&lt;/h2&gt;

&lt;p&gt;Even the best endpoint governance framework breaks down without shared visibility. When IT and security teams operate from different dashboards and reports, trust erodes and shadow decisions take root.&lt;/p&gt;

&lt;p&gt;These disconnects are often rooted in fragmented data pipelines, where endpoint information is incomplete, outdated or inconsistently updated across tools and systems. Shared dashboards only change that dynamic when they are built on continuously updated, reconciled data. &lt;a href="https://www.ivanti.com/autonomous-endpoint-management"&gt;Autonomous endpoint management&lt;/a&gt;, powered by AI, helps make this possible by automatically correlating endpoint signals across discovery, compliance, &lt;a href="https://www.ivanti.com/blog/vulnerability-and-risk-management-how-to-simplify-the-process"&gt;vulnerability and remediation&lt;/a&gt; data sources.&lt;/p&gt;

&lt;p&gt;When both teams rely on the same data — covering device inventory, compliance status, vulnerability exposure and remediation progress — conversations become grounded in facts rather than assumptions. Disagreements shift from “Whose data is right?” to “What issue should we tackle next?”&lt;/p&gt;

&lt;p&gt;Data transparency changes the culture from finger-pointing to IT and security collaboration. Instead of security saying they’ve found more unmanaged laptops, the conversation becomes: “We have a visibility gap – how do we close it?”&lt;/p&gt;

&lt;p&gt;Joint IT and security metrics such as time to discovery, percentage of fully managed endpoints and exposure duration create a common language for decision-making. AI-driven automation helps keep those metrics accurate and current. Shared dashboards reinforce accountability.&lt;/p&gt;

&lt;p&gt;When progress and gaps are visible to all stakeholders, endpoint governance stops being an abstract policy discussion and becomes a measurable, collaborative effort. This visibility is what turns governance from intent into execution.&lt;/p&gt;

&lt;h2&gt;Measuring the effectiveness of endpoint governance&lt;/h2&gt;

&lt;p&gt;Endpoint governance only works if organizations can measure whether it’s actually reducing risk and improving operations. Without clear KPIs and accessible data, governance quickly becomes a policy exercise rather than a practical discipline.&lt;/p&gt;

&lt;p&gt;In practice, effective measurement spans visibility, risk and operational performance.&lt;/p&gt;

&lt;h4&gt;Visibility and coverage metrics&lt;/h4&gt;

&lt;p&gt;Effective measurement starts with visibility. These metrics show whether endpoints are governed in practice, not just on paper.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Percentage of endpoints that are fully managed&lt;/li&gt;
	&lt;li&gt;Time to discover new or previously unknown devices&lt;/li&gt;
	&lt;li&gt;Number and persistence of unmanaged or unknown endpoints&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;AI-powered automation supports continuous measurement here by tracking trends in coverage and policy drift over time rather than relying on point-in-time reports.&lt;/p&gt;

&lt;h4&gt;Risk and exposure metrics&lt;/h4&gt;

&lt;p&gt;Risk-based metrics help teams move beyond volume and focus remediation on what matters most.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Exposure time for critical vulnerabilities&lt;/li&gt;
	&lt;li&gt;Devices with the highest risk based on context and access&lt;/li&gt;
	&lt;li&gt;Alignment of remediation activity to real-world exploitability&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These metrics help IT and security teams prioritize actions that have clear business impact, rather than chasing patch counts or compliance percentages alone.&lt;/p&gt;

&lt;h4&gt;Operational performance metrics&lt;/h4&gt;

&lt;p&gt;Operational metrics indicate whether endpoint governance is improving day-to-day execution and user experience.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Reductions in endpoint-related security incidents&lt;/li&gt;
	&lt;li&gt;Faster onboarding and offboarding of users and devices&lt;/li&gt;
	&lt;li&gt;Fewer support tickets tied to endpoint configuration or patching issues&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Over time, improvements in these indicators show whether automation, self-healing and policy enforcement are delivering measurable value.&lt;/p&gt;

&lt;p&gt;Endpoint governance KPIs must be reviewed jointly, with IT and security looking at the same data and course-correcting as needed. This reinforces accountability and enables continuous improvement. As environments evolve, policies, priorities and controls should evolve with them. Endpoint governance isn’t static — it’s an ongoing process that adapts as risk, technology and business needs change.&lt;/p&gt;

&lt;h2&gt;Defining ownership to scale endpoint management&lt;/h2&gt;

&lt;p&gt;Endpoint management doesn’t fail for lack of technology. It fails when ownership is unclear and governance is fragmented.&lt;/p&gt;

&lt;p&gt;As endpoints continue to diversify and work becomes more distributed, the question of who owns endpoint management can no longer be left ambiguous. Security, IT and the business all have a stake, and effective governance brings those perspectives together under a shared framework.&lt;/p&gt;

&lt;p&gt;When organizations establish clear ownership, define non-negotiables and operate from a shared view of endpoints, AI-powered automation helps endpoint management shift from reactive firefighting to proactive risk reduction. Shared dashboards, agreed-upon remediation timelines and continuous measurement replace ad hoc decisions and shadow policies.&lt;/p&gt;

&lt;p&gt;Success comes from treating endpoint management as a unifying, automation-first program. In practice, the pattern is clear: when visibility, shared ownership and governance come together, endpoints shift from a friction point to a foundation for resilience and collaboration.&lt;/p&gt;
</description><pubDate>Thu, 05 Mar 2026 13:30:01 Z</pubDate></item><item><guid isPermaLink="false">cb685e9c-f71b-4942-b89d-9bdac94452dc</guid><link>https://www.ivanti.com/blog/crq-risk-appetite-for-digital-vulnerability</link><atom:author><atom:name>Rob Lesieur</atom:name><atom:uri>https://www.ivanti.com/blog/authors/rob-lesieur</atom:uri></atom:author><category>Endpoint Management</category><title>Risk Appetite, CRQ and Exposure Management: Closing the Loop on Cyber Risk</title><description>&lt;p&gt;Executives today operate in a constant state of pressure. Regulatory demands grow faster than budgets, customers expect proof of resilience and every system outage becomes a business event. When each function manages risk in isolation, leaders spend more time reacting than advancing strategy.&lt;/p&gt;

&lt;p&gt;The real issue is coherence. Most organizations still rely on partial instruments: dashboards filled with red and amber, but no clarity on which risks matter or what an outage would actually cost. Anyone updating risks once a year in a spreadsheet is flying the enterprise through fog without instruments. &lt;a href="/resources/v/doc/ivi/2873/4eb345cbbd7a" target="_blank"&gt;Cyber risk quantification&lt;/a&gt; (CRQ) brings those instruments in the form of credible metrics, realistic scenarios and ROI-based priorities.&lt;/p&gt;

&lt;p&gt;But measurement alone isn’t enough. &lt;a href="https://www.ivanti.com/blog/risk-appetite"&gt;Risk appetite&lt;/a&gt; defines how much uncertainty an organization is willing to accept; &lt;a href="https://www.ivanti.com/exposure-management"&gt;exposure management&lt;/a&gt; operationalizes that boundary. When CRQ, risk appetite and exposure management operate together, risk becomes a controllable variable — a closed loop that ties monitoring to strategy and action.&lt;/p&gt;

&lt;p&gt;The result is a system that reduces noise, sharpens priorities and enables leaders to balance security, profitability and innovation. And while measurement by itself is insufficient, it is the crucial first step for IT leaders.&lt;/p&gt;

&lt;h2&gt;Why measurement is the first act of leadership&lt;/h2&gt;

&lt;p&gt;You cannot manage what you cannot measure. A single “critical” label might conceal a $50,000 nuisance or a $5.4 million disaster. Without quantification, leadership decisions rely on instinct dressed up as process.&lt;/p&gt;

&lt;p&gt;Measurement is the first act of control. When risk is expressed in financial terms (e.g., probability of loss, potential impact, return on mitigation), security becomes a business function rather than a technical debate. It re-enters the language of value, cost and return. Investors and boards increasingly judge resilience as an indicator of governance maturity. Quantified risk doesn’t just support better posture — it stabilizes valuation and reinforces confidence in executive judgment.&lt;/p&gt;

&lt;h2&gt;Cyber risk quantification (CRQ): Turning guesswork into dollars&lt;/h2&gt;

&lt;p&gt;Cyber risk quantification provides the translation layer that business leaders need. It models what a specific threat could cost in dollars, how likely it is to occur and which factors amplify or reduce exposure. Inputs include internal metrics (e.g., production revenue per hour, contractual penalties, data-handling costs) augmented by actuarial models, such as those from Munich Re.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Left box titled “Inputs” listing “Revenue/hour,” “Penalties,” and “Actuarial models”; arrows feed into “Cyber risk quantification” (magenta, calculator icon), then into “Constraint layer: Risk appetite” (red, slider icon); outputs box on the right lists “Expected loss vs. tolerance,” “Likelihood relative to controls,” and “Decision options.”" src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/01/194951_diagram_1_1200.png"&gt;&lt;/p&gt;

&lt;p&gt;CRQ reframes risk through three primary business impact categories. Each category has its own drivers and timeline, and ignoring those distinctions leads to flawed prioritization.&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Business interruption: When systems fail, the cost clock starts running as production outages, penalties and lost revenues accumulate by the hour.&lt;/li&gt;
	&lt;li&gt;Data breach: Damage unfolds in waves; cleanup, fines, legal action and the erosion of customer trust linger for years.&lt;/li&gt;
	&lt;li&gt;Financial theft and fraud: Compromised accounts, tampered transfers or false payment orders inflict immediate losses.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;CRQ also reverses the usual IT tunnel vision. Rather than starting with vulnerabilities, it begins at the business-model level. It asks: what would this cost us and which processes would cause the greatest financial impact if they failed?&lt;/p&gt;

&lt;p&gt;The analysis uses company-specific data, such as hourly production revenue and contract penalties, cross-referenced with Munich Re’s actuarial models. The result: credible, actionable numbers. Executives can compare cyber investments to any other capital decision. Instead of "&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;patch all vulnerabilities,&lt;/a&gt;" the question becomes: which action reduces the most financial risk per dollar spent?&lt;/p&gt;

&lt;p&gt;That shift marks the moment cybersecurity joins the CFO’s balance sheet. And, when CISOs talk in dollars instead of acronyms, cybersecurity becomes a language of enterprise value rather than fear management.&lt;/p&gt;

&lt;h2&gt;Risk appetite: Setting the boundary of ambition&lt;/h2&gt;

&lt;p&gt;Quantification alone is instrumentation — not leadership. Leadership requires defining how much risk your organization is willing to accept in pursuit of its goals. That definition (i.e., your organization’s risk appetite) is the hinge between measurement and management.&lt;/p&gt;

&lt;p&gt;Every company balances ambition against exposure. A high-growth startup accepts volatility for potential upside while a regulated utility prizes stability over experimentation. Risk appetite transforms those instincts into policy, linking goals to thresholds, such as maximum loss, acceptable downtime and tolerance for reputational impact.&lt;/p&gt;

&lt;p&gt;&lt;img alt="A horizontal gray arrow from “More aggressive” (left) to “More conservative” (right); a bracketed magenta segment labeled “Risk appetite,” with a purple triangle above the right side labeled “Risk posture.”" src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/01/194951_diagram_2_1200.png"&gt;&lt;/p&gt;

&lt;p&gt;Defining risk appetite is both a quantitative and moral exercise. It signals not only how much loss a company is willing to bear but what kind of company it intends to be. Metrics like maximum loss and ROI coexist with softer judgments about values, reputation and ethics.&lt;/p&gt;

&lt;p&gt;When a &lt;a href="https://www.ivanti.com/ty/security/downloads/risk-appetite-statement"&gt;risk appetite statement&lt;/a&gt; (RAS) codifies those boundaries (distinguishing between risk capacity, tolerance and hard limits), leaders gain a common language for decision-making. For example, many organizations distinguish high appetite for innovation, moderate appetite for operations, minimal for security and low for compliance. Each organization must make these tradeoffs explicit.&lt;/p&gt;

&lt;p&gt;A clear RAS ensures alignment. Without it, departments drift; marketing pushes for speed while legal demands caution. Well-defined risk appetite balances that friction. It also supports trust — investors and regulators can see that risk governance is intentional, transparent and measurable. Key risk indicators then track performance against these thresholds, providing early warning before conditions deteriorate.&lt;/p&gt;

&lt;h2&gt;Exposure management: Where visibility meets control&lt;/h2&gt;

&lt;p&gt;Until it meets daily operations, risk appetite is theoretical. Exposure management operationalizes that boundary by unifying three disciplines: &lt;a href="https://www.ivanti.com/products/external-attack-surface-management"&gt;attack surface management&lt;/a&gt; (ASM), &lt;a href="https://www.ivanti.com/products/risk-based-vulnerability-management"&gt;risk-based vulnerability management&lt;/a&gt; (RBVM) and validation and remediation. This aligns with Gartner’s Continuous Threat Exposure Management (CTEM) model of scope, discover, prioritize, validate and mobilize.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Attack surface management (ASM): Provides visibility into every asset that could be attacked, including shadow IT.&lt;/li&gt;
	&lt;li&gt;Risk-based vulnerability management (RBVM): Contextualizes vulnerabilities by exploitability and business impact.&lt;/li&gt;
	&lt;li&gt;Validation and remediation: Confirms which threats are truly exploitable and whether fixes are effective.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="A purple circular wheel divided into three sections pointing inward to a red center labeled “Exposure management”; the segments read “Attack surface management,” “Risk‑based vulnerability management,” and “Validation and remediation,” with red arrows indicating continuous flow." src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/01/194951_diagram_3_1200.png"&gt;&lt;/p&gt;

&lt;p&gt;In practice, exposure management is a living feedback loop between visibility and governance. Data aggregation breaks down silos by correlating vulnerabilities with asset value, while validation ensures theoretical models match reality. Remediation closes the loop automatically (through &lt;a href="https://www.ivanti.com/products/ivanti-neurons-itsm"&gt;integrated ITSM workflows&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;An online retailer, for example, may choose to tolerate higher risk on Black Friday to maximize revenue, but does so with heightened visibility and rapid mitigation. Security thus becomes dynamic equilibrium rather than reactive crisis management.&lt;/p&gt;

&lt;p&gt;Where traditional vulnerability management is reactive and incomplete, modern exposure management spans assets, endpoints, applications and clouds, adapting continuously to the organization’s defined risk appetite. Automation, escalation and real-time reporting ensure that leadership always knows where the organization stands, what an outage would cost and which actions deliver the greatest reduction in financial exposure.&lt;/p&gt;

&lt;h2&gt;The closed loop: Turning cyber risk into a controllable system&lt;/h2&gt;

&lt;p&gt;When cyber risk quantification, risk appetite and exposure management operate together, risk becomes a controllable variable — a closed economic and operational feedback loop.&lt;/p&gt;

&lt;p&gt;CRQ shows how much financial damage a vulnerability could cause. Risk appetite defines how much of that risk the organization is willing to accept. Exposure management ensures that the company’s attack surface aligns precisely with this threshold. Together, these three form a system of measurement, direction and control.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Without CRQ, the foundation is missing.&lt;/li&gt;
	&lt;li&gt;Without risk appetite, there is no strategy.&lt;/li&gt;
	&lt;li&gt;Without exposure management, there is no enforcement.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="Three overlapping circles labeled “CRQ—Measurement” (top, purple with calculator icon), “Exposure management—Control” (left, orange with shield icon), and “Risk appetite—Direction” (right, magenta with slider icon); the intersections illustrate how measurement, control, and direction connect." src="https://static.ivanti.com/sites/marketing/media/images/blog/2026/01/194951_diagram_4_1200.png"&gt;&lt;/p&gt;

&lt;p&gt;This closed loop converts cybersecurity from a compliance obligation into a performance discipline. It gives executives the same levers they use everywhere else (metrics, thresholds and continuous feedback). Imagine board meetings where risk variance is discussed with the same fluency as margin variance, where resilience becomes a competitive KPI.&lt;/p&gt;

&lt;p&gt;For years, cybersecurity was the department of “no,” blocking ideas to prevent incidents. Quantification and exposure management transform it into the department of “how.” Leadership can now take calculated risks, prove the ROI of resilience and communicate in a language investors and regulators share: impact, probability and value at risk.&lt;/p&gt;

&lt;p&gt;Measured risk becomes managed value — and leadership finally regains forward momentum. Cybersecurity, once a brake on innovation, becomes the steering system for strategic confidence — the new language of foresight. Anything less is gambling and, in the end, only the attacker wins.&lt;/p&gt;
</description><pubDate>Tue, 13 Jan 2026 13:54:57 Z</pubDate></item><item><guid isPermaLink="false">fc33ed2b-c5b5-40e8-9203-f0e06e986278</guid><link>https://www.ivanti.com/blog/dll-hijacking-prevention</link><atom:author><atom:name>Mariah Shotts</atom:name><atom:uri>https://www.ivanti.com/blog/authors/mariah-shotts</atom:uri></atom:author><category>Endpoint Management</category><category>Patch Management</category><category>Security</category><title>DLL Hijacking: Risks, Real-World Examples and How to Prevent Attacks</title><description>&lt;p&gt;There’s been buzz around &lt;a href="https://www.cve.org/CVERecord?id=CVE-2025-56383" rel="noopener" target="_blank"&gt;CVE-2025-56383&lt;/a&gt; (published on Sept. 26, 2025), a hijacking vulnerability in Notepad++ v8.8.3 in which a DLL file can be swapped to execute malicious code.&lt;/p&gt;

&lt;p&gt;The CVE has been disputed by multiple parties, but we’re not here to comment on that. However, we are here to comment on DLL hijacking and discuss the very real threat that it poses to an organization. Let’s look into what DLL hijacking is and what measures you can take to keep your DLLs safe.&lt;/p&gt;

&lt;h2&gt;What DLL hijacking is and how it happens&lt;/h2&gt;

&lt;p&gt;DLL hijacking (also known as a DLL preloading attack) is a security vulnerability where a legitimate and trusted Dynamic Link Library (DLL) file in a Windows application is replaced with a malicious one.&lt;/p&gt;

&lt;p&gt;This method exploits the way applications load DLL files, which contain code and data used by multiple programs. By loading a malicious DLL, a threat actor can execute their own code with the same privileges as the legitimate application, leading to privilege escalation, persistence and defense evasion.&lt;/p&gt;

&lt;p&gt;When a program starts, it often needs to load various DLLs to perform specific functions, typically from trusted system directories. However, if an application is not careful about where it looks for these DLLs, it might load a malicious DLL from an insecure or predictable location (e.g., the current working directory or a network share). This can happen if the application does not specify the full path to the DLL or if it searches for the DLL in a directory that can be accessed or modified by an attacker.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Flowchart showing DLL loading sequence. A purple box labeled “Application starts and requests DLL” connects to three folders: “Current Working Directory,” “Network Share,” and “System32.” The Current Working Directory points to a red box labeled “Malicious DLL” with a warning icon, while Network Share and System32 point to orange boxes labeled “Legitimate DLL” with checkmark icons." src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram1-dll-hijackcing.png"&gt;&lt;/p&gt;

&lt;p&gt;While this type of attack is not new, it remains effective due to its simplicity. And although this specific issue pertains to Windows applications, it's important to call out that similar vulnerabilities can affect other operating systems (like Linux and macOS, which use dynamic loading for shared libraries).&lt;/p&gt;

&lt;p&gt;DLL hijacking introduces multiple security risks, including:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Data theft:&lt;/strong&gt; The malicious DLL can intercept and steal sensitive data, such as passwords or personal information.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Compromised systems:&lt;/strong&gt; The attacker can gain control over the system, potentially leading to further attacks or the installation of additional malware.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Malware:&lt;/strong&gt; The malicious DLL can act as a conduit for spreading malware, infecting other parts of the system or network.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A DLL can be hijacked in several different ways; here are some of the most common techniques:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Insecure DLL search order:&lt;/strong&gt; Attackers place malicious DLLs in directories searched before the legitimate DLL's location.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Relative path manipulation:&lt;/strong&gt; Malicious DLLs are loaded when applications use relative paths.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;DLL redirection:&lt;/strong&gt; Techniques like path manipulation redirect the DLL loading process.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Weak permissions:&lt;/strong&gt; Attackers replace legitimate DLLs with malicious ones in directories with weak permissions.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Phantom DLL hijacking:&lt;/strong&gt; Attackers exploit applications loading non-existent DLLs by placing malicious DLLs with the same name in searched directories.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="Circular diagram divided into six colored segments around a center labeled “DLL Hijacking Techniques.” Segments include “Phantom DLL Hijacking,” “Insecure DLL Search Order,” “Relative Path Manipulation,” “DLL Redirection,” “Weak Permissions,” each with a small icon representing the concept." src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram2-dll-hijackcing.png"&gt;These potential vulnerabilities highlight the importance of secure coding practices and directory permission management when it comes to preventing this form of attack.&lt;/p&gt;

&lt;h2&gt;How to prevent DLL hijacking and keep your DLLs safe and secure&lt;/h2&gt;

&lt;p&gt;Although DLL hijacking remains a threat, there are best practices you can follow and implement to reduce your risk for a safer, more secure IT environment.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Five concentric circles in gradient colors from orange to purple, representing security layers. The innermost circle reads “Secure DLL Loading,” followed by “Integrity Checks,” “User Permissions,” “App Control and Security Software,” and the outermost circle labeled “Patch Management.”" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/12/diagram3-dll-hijackcing.png"&gt;&lt;/p&gt;

&lt;h3&gt;Secure DLL loading:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Use full paths:&lt;/strong&gt; Always specify the full path to the DLL when loading it. This ensures that the application loads the DLL from a trusted location (and not from an insecure directory).&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Set the safe search path:&lt;/strong&gt; Use the SetDllDirectory function in Windows to add a trusted directory to the search path and exclude insecure ones; calling it with an empty string removes the current working directory from the default DLL search order. This can help prevent the application from loading DLLs from unexpected locations.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;File integrity checks:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Digital signatures:&lt;/strong&gt; Ensure that DLLs are signed with a digital signature and verify the signature before loading the DLL. This can help confirm that the DLL has not been tampered with.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Hash verification:&lt;/strong&gt; Use cryptographic hash functions to verify the integrity of DLL files. If the hash of the DLL does not match the expected value, the file may have been modified.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;User permissions:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Least privilege principle:&lt;/strong&gt; Run applications with the least privilege necessary. This limits the potential damage of a DLL hijacking, as the malicious code will have fewer permissions to execute harmful actions.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;User Account Control (UAC):&lt;/strong&gt; Enable UAC on Windows systems to prompt users for permission before running applications with elevated privileges. This can help prevent unauthorized changes to system files.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Application control and privilege management:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Known and trusted applications:&lt;/strong&gt; Application control ensures that only known and trusted applications are launchable, removing the risk of unauthorized applications being introduced.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Privilege control:&lt;/strong&gt; Effective privilege management is crucial in preventing DLL hijacking. By ensuring that applications have the correct rights and privileges to launch, you limit the ability of unauthorized users to introduce malicious files. This control acts as a key barrier, restricting the access an attacker needs to exploit the DLL search mechanism and thereby enhancing the security of your environment.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Security software:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Antivirus and anti-malware:&lt;/strong&gt; Use reputable antivirus and anti-malware software to detect and prevent the loading of malicious DLLs. These tools can scan for known malicious files and behaviors.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Intrusion Detection Systems (IDS):&lt;/strong&gt; Implement IDS to monitor for unusual activity, such as unexpected changes to DLL files or attempts to load DLLs from insecure locations.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Patch management:&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Keep software updated:&lt;/strong&gt; Regularly update applications and operating systems with the latest security patches. Many DLL hijacking vulnerabilities are fixed via updates, so stay current to help protect against known threats.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Automated patching:&lt;/strong&gt; Use an &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;automated patch management tool&lt;/a&gt; to ensure that all systems are kept up to date without manual intervention. This reduces the window of opportunity for attackers to exploit known vulnerabilities, including those that could be used for DLL hijacking. This proactive approach helps maintain the integrity of your applications and operating systems, making it much harder for attackers to inject malicious DLLs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By implementing these best practices, you can significantly reduce the risk of DLL hijacking and enhance the overall security of your applications and systems.&lt;/p&gt;

&lt;h2&gt;Combine the right tools and tactics to prevent DLL hijackings&lt;/h2&gt;

&lt;p&gt;DLL hijacking has been a persistent form of attack for years, proving that it’s still effective and will therefore continue to be an issue for organizations.&lt;/p&gt;

&lt;p&gt;Future-proof your organization using the best practices mentioned above combined with proven solutions like &lt;a href="https://www.ivanti.com/products/application-control"&gt;Ivanti Neurons for App Control&lt;/a&gt; to help keep your DLLs secure. Capabilities like Trusted Ownership catch and deny a hijacked DLL from being executed by ensuring that ownership of the items matches your approved list of trusted owners.&lt;/p&gt;

&lt;p&gt;And keep your apps up to date to limit exposure to known vulnerabilities. Remove the risk of human error by automating patching with &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;Ivanti Neurons for Patch Management&lt;/a&gt;, ensuring that systems are automatically updated and secured.&lt;/p&gt;
</description><pubDate>Wed, 17 Dec 2025 14:00:02 Z</pubDate></item><item><guid isPermaLink="false">75e30b1e-7956-4311-ae29-a5ea2a2f0539</guid><link>https://www.ivanti.com/blog/android-16-ios-26-stigs-mobile-threat-defense</link><atom:author><atom:name>Farhan Saifudin</atom:name><atom:uri>https://www.ivanti.com/blog/authors/farhan-saifudin</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>Secure the Mobile Edge: Android 16 &amp; iOS 26 STIGs Require MTD</title><description>&lt;p&gt;Whether it’s Warfighters deployed in the field or remote analysts supporting missions across the globe, mobile devices make these operations possible. But these endpoints (and your data) need serious protection.&lt;/p&gt;

&lt;p&gt;That’s where the Defense Information Systems Agency’s Security Technical Implementation Guides (STIG) come in, setting the baseline for hardened endpoint and application security.&lt;/p&gt;

&lt;p&gt;DISA has released new Android 16 and iOS 26 STIGs, and with each major operating system release, these STIGs are updated to ensure mobile security keeps pace with modern threats and capabilities. One of the most significant requirement changes this cycle is that all managed mobile devices must have a &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;mobile threat defense (MTD) solution&lt;/a&gt; deployed to remain compliant.&lt;/p&gt;

&lt;p&gt;In this post I’ll&amp;nbsp;walk you through the importance of STIGs,&amp;nbsp;why MTD is critical to safeguarding sensitive data and how an MTD solution simplifies compliance across the mobile edge.&lt;/p&gt;

&lt;h2&gt;STIGs: The gold standard for device security&lt;/h2&gt;

&lt;p&gt;Think of STIGs as detailed guidelines that tell you exactly how to configure and lock down technology, software, hardware or entire systems to meet Department of War (DoW) security standards.&lt;/p&gt;

&lt;p&gt;STIGs ultimately help organizations protect Controlled Unclassified Information (CUI) and higher levels of data. Each STIG contains specific requirements (or “controls”) that make up the security baseline.&lt;/p&gt;

&lt;p&gt;They (and associated security requirements guides) are linked to security controls defined by &lt;a href="https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final" rel="noopener" target="_blank"&gt;National Institute of Standards and Technology (NIST) Special Publication 800-53&lt;/a&gt;, breaking them down into actionable, measurable items.&lt;/p&gt;

&lt;p&gt;For example, a mobile device STIG might stipulate that:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Device passcodes must be complex, with at least X characters.&lt;/li&gt;
	&lt;li&gt;The device must encrypt all data.&lt;/li&gt;
	&lt;li&gt;USB debugging must be disabled.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;A mobile threat defense app must be installed.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;U.S. military and government agencies rely on STIGs to harden systems that support mission-critical operations. While they’re mandatory for DoW&amp;nbsp;and federal agencies, many defense contractors, healthcare and finance organizations adopt STIGs because they represent proven security best practices.&lt;/p&gt;

&lt;p&gt;STIGs provide a baseline to help these organizations maintain compliance with a variety of requirements and policy mandates, such as Cybersecurity Maturity Model Certification (CMMC), NIST, CIS, HIPAA, etc.&lt;/p&gt;

&lt;h2&gt;Your new mandate: iOS 26 &amp;amp; Android 16 STIGs now require MTD&lt;/h2&gt;

&lt;p&gt;On the Apple side, the iOS 26/iPadOS 26 STIG added an explicit requirement: to remain compliant, an MTD app must be installed and managed on all DoW&amp;nbsp;iPhones and iPads.&lt;/p&gt;

&lt;p&gt;The latest Android 16 STIGs (i.e., Google Android 16 STIG and Samsung Android 16 STIG) introduce a clear mandate as well: a mobile threat defense (MTD) application must be deployed on every managed device. Failure to do so is flagged as a finding during compliance review.&lt;/p&gt;

&lt;p&gt;These controls underscore a pivotal shift: Mobile endpoint risk management is no longer just about configuration and lockdown settings. It now includes actively enforcing real-time mobile threat defense to prevent device, network, application and phishing attack vectors on modern devices.&lt;/p&gt;

&lt;p&gt;Here's the exact language on MTD from the Android 16 STIG:&amp;nbsp;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"In the mobile device management (MDM) console, verify an MTD app is listed as a managed app being deployed to site-managed devices. If an MTD app is not installed on the device, this is a finding."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Translation: No MTD means you're out of compliance. It's that simple. However, deploying an MTD solution and ensuring it’s actively protecting against mobile threat vectors is more complex.&lt;/p&gt;

&lt;h2&gt;Integrating an MDM/MTD approach&lt;/h2&gt;

&lt;p&gt;Having worked with countless federal and enterprise organizations, I’ve seen firsthand what truly works in the field. Installing and managing an MTD agent is not enough to ensure active protection on mobile endpoints.&lt;/p&gt;

&lt;p&gt;Standalone MTD agents often require manual activation after installation and application programming interface (API) integrations with MDM solutions to take action.&amp;nbsp;The most effective approach requires &lt;a href="https://www.ivanti.com/blog/combining-mdm-and-mtd-for-strategic-security"&gt;tight integration between your MTD and MDM platforms&lt;/a&gt;, and an integrated MDM/MTD agent to ensure seamless activation and protection from mobile threats.&lt;/p&gt;

&lt;p&gt;A unified single-agent architecture enables continuous mobile threat protection while automatically enforcing MDM compliance controls, eliminating the complexity and gaps that come with managing separate solutions.&lt;/p&gt;

&lt;p&gt;That's where&amp;nbsp;Ivanti Neurons for Mobile Threat Defense comes into play. With Ivanti Neurons for Mobile Threat Defense integrated in both the SaaS-based Ivanti Neurons for MDM and on-prem-based Ivanti Endpoint Manager for Mobile (EPMM), you get a single-agent architecture that's seamless to users but gives administrators complete control and security visibility.&lt;/p&gt;

&lt;p&gt;This is what it looks like in practice:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Automatic and scalable STIG baseline enforcement for Android and iOS.&lt;/li&gt;
	&lt;li&gt;Users experience a seamless workflow with no additional apps or agents to manage.&lt;/li&gt;
	&lt;li&gt;Risk visibility and policy management live in one unified console.&lt;/li&gt;
	&lt;li&gt;On-device threat protection works even in disconnected, deployed scenarios to protect against device, network, application and phishing attacks.&lt;/li&gt;
	&lt;li&gt;An integrated MDM that manages any modern operating system including iOS, Android, Windows, macOS or ChromeOS.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;MDM &amp;amp; MTD for holistic mobile security&lt;/h2&gt;

&lt;p&gt;Deploying an MTD app is no longer optional. With the Android 16 and iOS 26 STIGs both calling for MTD on managed devices via explicit controls, you can’t rely solely on MDM configuration baselines. You need active MTD that gives you holistic security.&lt;/p&gt;

&lt;p&gt;With mobile threat vectors like operating system vulnerabilities, malicious mobile apps, phishing via SMS/MMS and network man-in-the-middle attacks rising rapidly, you need protection that lives on the device itself — not just in the cloud.&lt;/p&gt;

&lt;p&gt;Compliance, mission assurance and mobile edge security are top priorities for every modern organization. &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Ivanti Mobile Threat Defense&lt;/a&gt; delivers on all three, providing STIG-aligned protection across Android and iOS devices, integrating seamlessly into your broader device management platform and defending against device, network, application and phishing attacks to keep your organization resilient and compliant.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/lp/security/demos/ivanti-mobile-threat-defense"&gt;Schedule a demo&lt;/a&gt; today to see how Ivanti Mobile Threat Defense can keep your agency’s data safe and your mobile fleet audit-ready. For full STIG references and downloads, consult the &lt;a href="https://www.cyber.mil/stigs/downloads/" rel="noopener" target="_blank"&gt;Defense Information System Agency’s (DISA) STIG library&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Wed, 03 Dec 2025 20:06:11 Z</pubDate></item><item><guid isPermaLink="false">ce8d12d4-669e-4bab-be1f-3bdffdcbdeda</guid><link>https://www.ivanti.com/blog/apple-business-manager-device-migration-what-you-need-to-know</link><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/blog/authors/yosune-baltra</atom:uri></atom:author><category>Endpoint Management</category><title>Apple Business Manager Device Migration: What You Need to Know</title><description>&lt;p&gt;With Apple’s OS 26 release, IT admins using Apple Business Manager (ABM) or Apple School Manager (ASM) have a great new tool in their toolbelt: device migration. This makes switching devices between MDM platforms much easier, with minimal disruption for end users.&lt;/p&gt;

&lt;p&gt;Here, we’ll unpack what you need to know, and how &lt;a href="https://www.ivanti.com/blog/apple-wwdc25-announcements"&gt;ABM device migration&lt;/a&gt; makes it incredibly easy to switch to &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;Ivanti Neurons for MDM&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Key ABM device migration features&lt;/h2&gt;

&lt;p&gt;Apple’s new ABM device migration features make it easier to move devices between different &lt;a href="https://www.ivanti.com/use-cases/ensure-mobile-device-management"&gt;MDM solutions&lt;/a&gt;, without manual steps or interrupting users.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;No manual re-enrollment.&lt;/strong&gt; You can transfer devices from one MDM server to another, or from one vendor’s MDM to another (including Ivanti Neurons for MDM), without erasing or manually re-enrolling devices. All existing user data and device configurations will automatically be applied during migration. The end user will be able to complete the re-enrollment with two guided clicks: one for restarting the device and one for re-enrollment into the new MDM.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Enrollment deadlines.&lt;/strong&gt; This is the newest feature introduced by Apple in ABM and ASM. You can set and enforce deadlines for moving devices to the new MDM instance. If a device isn’t enrolled in time, it will be locked and the user will be asked to finish enrollment. With this deadline you will be able to trigger the automated process for re-enrollment in the new MDM. It will prompt the end user with screens to complete the re-enrollment seamlessly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;End user experience.&lt;/strong&gt; End users won't notice any changes during migration unless the enrollment deadline has passed. Once the migration is complete, the user will get a prompt to restart the device. After the device restarts, the end user will get a prompt to re-enroll the device in the new management solution, which takes one click.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;API-driven.&lt;/strong&gt; The process can also be managed through the ABM or ASM portal using Apple’s new APIs (which you need to activate). This means that customers that use an API infrastructure can &lt;a href="https://developer.apple.com/documentation/applebusinessmanagerapi/create-an-orgdeviceactivity" rel="noopener" target="_blank"&gt;bulk assign or unassign devices&lt;/a&gt; with the new Apple ABM APIs without having to access the ABM console.&lt;/p&gt;

&lt;h2&gt;ABM device migration use cases&lt;/h2&gt;

&lt;p&gt;When would you use this feature? Here are a few key use cases.&lt;/p&gt;

&lt;h3&gt;Cloud migration&lt;/h3&gt;

&lt;p&gt;ABM device migration allows you to move from on-premises MDM to cloud-based MDM without re-enrolling devices. For Ivanti customers, this feature makes it easy to move to Ivanti Neurons for MDM from Ivanti Endpoint Manager (for macOS) or Ivanti Endpoint Manager Mobile (for all Apple devices).&lt;/p&gt;

&lt;h3&gt;Switching MDM providers&lt;/h3&gt;

&lt;p&gt;ABM device migration simplifies switching from another MDM provider to Ivanti Neurons for MDM, or consolidating all types of devices (Android, Windows, Apple) on a single platform from MDMs that only manage Apple devices, such as Jamf or Kandji.&lt;/p&gt;

&lt;h3&gt;School district device realignment&lt;/h3&gt;

&lt;p&gt;Educational institutions can realign devices between departments or campuses while maintaining all Apple management and assignment settings.&lt;/p&gt;

&lt;h3&gt;Mergers, acquisitions or reorganizations&lt;/h3&gt;

&lt;p&gt;If you’re combining or separating IT infrastructure due to M&amp;amp;A or reorganization, you can move devices to new MDM environments with minimal user disruption.&lt;/p&gt;

&lt;h2&gt;Setting up ABM device migration: a step-by-step guide&lt;/h2&gt;

&lt;h3&gt;Before you begin&lt;/h3&gt;

&lt;p&gt;There are two important considerations before you begin:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Device migration &lt;em&gt;only&lt;/em&gt; works on devices running iOS 26, iPadOS 26 or macOS 26 (or later). Make sure your devices are updated first.&lt;/li&gt;
	&lt;li&gt;You don’t need to make any changes on the MDM server side to support device migration, but target MDM servers should be prepared to receive new device assignments and enrollment requests.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Device migration via the ABM console&lt;/h3&gt;

&lt;p&gt;Sign in to Apple Business Manager and navigate to &lt;strong&gt;Devices&lt;/strong&gt;. From here, use the search bar to find the target devices by serial number, order number or other identifiers. Then, select the devices you wish to set a migration deadline for.&lt;/p&gt;

&lt;p&gt;Next, review the device details: Click on the device to open its detailed view and confirm that it is assigned to the correct MDM server. You can now set the migration deadline.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture1.png"&gt;&lt;/p&gt;

&lt;p&gt;From here, click on &lt;strong&gt;Assign Device Management&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture2.png"&gt;&lt;/p&gt;

&lt;p&gt;In the pop-up, you can choose the new MDM organization that the device needs to be assigned to.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture3.png"&gt;&lt;/p&gt;

&lt;p&gt;Next, choose the deadline.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture4.png"&gt;&lt;/p&gt;

&lt;p&gt;Select the desired date and time for the deadline. This is the final date users have to migrate their device to the assigned MDM server. If users don’t follow the prompts, they’ll be locked out of the device. Then, click &lt;strong&gt;Continue&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture5.png"&gt;&lt;/p&gt;

&lt;p&gt;On the device, the user will receive a notification to restart their device.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture6.png"&gt;&lt;/p&gt;

&lt;p&gt;After restarting, the device will request the user to enroll in the new management service.&lt;/p&gt;

&lt;p&gt;&lt;img alt="Device Migration via the ABM console screenshot" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/9/picture7.png"&gt;&lt;/p&gt;

&lt;h3&gt;Device migration via APIs&lt;/h3&gt;

&lt;p&gt;Setting up ABM device migration via APIs is simple, and it’s done completely in ABM (or ASM), no matter which MDM you are switching to or from.&lt;/p&gt;

&lt;p&gt;First, log in to your Apple Business Manager or Apple School Manager account and navigate to &lt;strong&gt;Settings &amp;gt; Device Manager Settings&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Then, review and enable the required APIs to allow device migration. (If you’re not sure how, check the Apple admin guide for step-by-step help.)&lt;/p&gt;

&lt;p&gt;Once the APIs are enabled, you can simply follow Apple’s migration workflow to select devices and designate the new target MDM server. Optionally, you can set an enrollment deadline for migrated devices.&lt;/p&gt;

&lt;h2&gt;Additional ABM device migration resources&lt;/h2&gt;

&lt;p&gt;If you need more detailed information, you can refer to:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://support.apple.com/guide/deployment/welcome/web" rel="noopener" target="_blank"&gt;Apple Platform Deployment Guide&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://support.apple.com/guide/apple-business-manager/welcome/web" rel="noopener" target="_blank"&gt;Apple Business Manager User Guide&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://support.apple.com/guide/apple-school-manager/welcome/web" rel="noopener" target="_blank"&gt;Apple School Manager User Guide&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://success.ivanti.com/" target="_blank"&gt;Ivanti Success Portal&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description><pubDate>Fri, 12 Sep 2025 17:27:33 Z</pubDate></item><item><guid isPermaLink="false">bdf44488-7004-4674-8533-cbf9b9dd3258</guid><link>https://www.ivanti.com/blog/what-is-badusb</link><atom:author><atom:name>Subhojit Roy</atom:name><atom:uri>https://www.ivanti.com/blog/authors/subhojit-roy</atom:uri></atom:author><category>Endpoint Management</category><category>Security</category><title>What Is a BadUSB? Understand the Threat and How to Prevent It</title><description>&lt;p&gt;Lurking beneath the convenience and everyday nature of USB devices is a sophisticated cybersecurity threat known as BadUSB.&lt;/p&gt;

&lt;p&gt;BadUSB is a type of attack that leverages the reprogrammable firmware in USB devices (e.g., flash drives, keyboards, charging cables) to carry out malicious actions. Unlike traditional malware, which lives in the file system and can often be detected by antivirus tools, BadUSB lives in the firmware layer.&lt;/p&gt;

&lt;p&gt;Here’s why security professionals consider BadUSB attacks a growing threat:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Plug-and-play nature — Users often trust USB devices implicitly, plugging in unknown or giveaway drives without a second thought.&lt;/li&gt;
	&lt;li&gt;Mass exploitation potential — Cybercriminals can distribute compromised USBs at events, in mail or even leave them in public places for victims to find and use.&lt;/li&gt;
	&lt;li&gt;Difficult to detect — Since the malware is embedded in the USB’s firmware, it bypasses most traditional antivirus and endpoint protection tools.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Once connected to a computer, a BadUSB device can:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Emulate a keyboard to type malicious commands.&lt;/li&gt;
	&lt;li&gt;Install back doors or keyloggers.&lt;/li&gt;
	&lt;li&gt;Redirect internet traffic.&lt;/li&gt;
	&lt;li&gt;Exfiltrate sensitive data.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&amp;nbsp;&lt;img alt="examples of bad types of USB" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/169370-inline_devices_a.jpg"&gt;&lt;/p&gt;

&lt;h2&gt;How BadUSB attacks work&lt;/h2&gt;

&lt;p&gt;BadUSB gained public attention in 2014 when researchers Karsten Nohl and Jakob Lell demonstrated at Black Hat USA that USB firmware could be reprogrammed for malicious use — undetectable by operating systems. They also revealed that most USB controllers lacked firmware authenticity checks, a vulnerability likely exploited by intelligence agencies like the NSA long before the public disclosure.&lt;/p&gt;

&lt;p&gt;Since BadUSB attacks manipulate a USB device’s firmware (the low-level code that controls how the device communicates with your system), understanding how a BadUSB attack unfolds is key to recognizing its severity and enacting safeguards.&lt;/p&gt;

&lt;p&gt;Below are three crucial aspects of BadUSB attacks to familiarize yourself with so you can eliminate this potential vulnerability:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Reprogramming USB firmware&lt;/li&gt;
	&lt;li&gt;Masquerading as trusted devices&lt;/li&gt;
	&lt;li&gt;The timeline of a BadUSB attack&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Reprogramming firmware to turn USB devices into cyber weapons&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;The ability to reprogram the firmware on USB devices (such as flash drives, keyboards, mice or network adapters) is at the heart of a BadUSB attack. Many USB controllers, especially older or inexpensive ones, allow people to rewrite their firmware without any authentication or digital signature checks.&lt;/p&gt;

&lt;p&gt;Once compromised, the USB device no longer behaves as its label suggests. Instead, it becomes a covert cyber weapon. Because firmware operates below the operating system level, traditional security tools cannot scan or detect these alterations.&lt;/p&gt;

&lt;h3&gt;Masquerading as trusted devices to avoid detection&lt;/h3&gt;

&lt;p&gt;One of the most dangerous aspects of BadUSB is device impersonation. Here are two of the most common disguises:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Keyboard emulation — A USB flash drive can present itself as a keyboard (a trusted device type) and then inject keystrokes that launch PowerShell or Command Prompt to download and execute malware — just as if a user were typing the commands manually.&lt;/li&gt;
	&lt;li&gt;Network adapter spoofing — The USB can pretend to be a network interface controller (NIC). Once connected, it can reroute your internet traffic through a malicious server, perform man-in-the-middle (MITM) attacks or intercept sensitive data, like login credentials.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Timeline of a BadUSB attack: From plug-in to payload&lt;/h3&gt;

&lt;p&gt;Here’s a simplified timeline of how a BadUSB attack can unfold:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Device insertion (0 seconds) — The user inserts the malicious USB device into their computer, expecting it to be a harmless flash drive, charging cable, etc.&lt;/li&gt;
	&lt;li&gt;Enumeration (0–2 seconds) — The device introduces itself to the operating system; not as a flash drive, but as a keyboard or network card.&lt;/li&gt;
	&lt;li&gt;Payload execution (2–5 seconds) — When emulating a keyboard, the device begins typing commands silently in the background. When emulating a network adapter, it reconfigures the system’s DNS or routes traffic through a malicious proxy.&lt;/li&gt;
	&lt;li&gt;Post-exploitation (5 seconds and beyond) — Depending on the attack goal, the device may:
	&lt;ul&gt;
		&lt;li&gt;Download and install back doors.&lt;/li&gt;
		&lt;li&gt;Steal files or login credentials.&lt;/li&gt;
		&lt;li&gt;Grant remote access to an attacker.&lt;/li&gt;
		&lt;li&gt;Spread across the internal network.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Because this all happens within seconds, and without any antivirus alert or user prompt, a BadUSB attack can compromise a system before the user even realizes what happened.&lt;/p&gt;

&lt;h2&gt;Real-world BadUSB attack techniques&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;From Pavement to Breach: How a Forgotten USB Could Cripple a Government Network&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;u&gt;What happened&lt;/u&gt;&lt;/p&gt;

&lt;p&gt;Researchers conducted experiments by deliberately dropping USB drives in public areas, such as parking lots, university campuses and conference rooms, to observe user behavior. According to &lt;a href="https://www.gdatasoftware.com/blog/2021/11/usb-drives-still-a-danger" rel="noopener" target="_blank"&gt;G DATA&lt;/a&gt;, an overwhelming 98% of these abandoned drives were picked up and at least 45% were plugged into computers to inspect their contents.&lt;/p&gt;

&lt;p&gt;Similarly, a study by &lt;a href="https://elie.net/blog/security/concerns-about-usb-security-are-real-48-percent-of-people-do-plug-in-usb-drives-found-in-parking-lots" rel="noopener" target="_blank"&gt;Elie Bursztein&lt;/a&gt; and his team found that 48% of people who discovered a USB drive — regardless of the location — went on to plug it in. These findings highlight the significant risk posed by seemingly innocuous USB devices, driven largely by human curiosity or helpful intent.&lt;/p&gt;

&lt;p&gt;&lt;u&gt;What made it a BadUSB scenario&lt;/u&gt;&lt;/p&gt;

&lt;p&gt;The USBs were crafted as malicious HID (Human Interface Device) implants (i.e., they weren’t carrying malware files but emulated keyboards that auto-typed attack commands once connected). They exploited user trust: no antivirus scan or click was required—the act of plugging the device in was enough to trigger the attack.&lt;/p&gt;

&lt;p&gt;&lt;u&gt;Key industry lessons from the study&lt;/u&gt;&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;&lt;strong&gt;Social engineering is still incredibly effective&lt;/strong&gt;
	&lt;ul&gt;
		&lt;li&gt;The studies confirmed that attackers don’t need advanced zero-day exploits when they can rely on human psychology. Curiosity, helpfulness, or even the assumption of lost property can be weaponized.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Traditional security measures aren’t enough&lt;/strong&gt;
	&lt;ul&gt;
		&lt;li&gt;Most endpoint protection tools scan for malware, but BadUSB attacks use keyboard emulation, bypassing antivirus and software-based defenses entirely. This showed a critical blind spot in endpoint security.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Air-gapped systems are not immune&lt;/strong&gt;
	&lt;ul&gt;
		&lt;li&gt;The fact that some USBs were plugged into secure or air-gapped environments was especially concerning. It shattered the illusion that physically isolated systems are inherently safe, and highlighted the importance of physical security and insider awareness.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Need for stronger device control policies&lt;/strong&gt;
	&lt;ul&gt;
		&lt;li&gt;These results pushed many organizations to re-evaluate their USB and removable media policies. Tools like Ivanti Device Control became more relevant, offering the ability to allow, block, or restrict specific device classes.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Emphasis on user awareness and training&lt;/strong&gt;
	&lt;ul&gt;
		&lt;li&gt;The studies reinforced the necessity of employee education. Users must be trained to treat unknown devices as potential threats and understand that “plugging in to help” could lead to catastrophic outcomes.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Policy meets technology&lt;/strong&gt;
	&lt;ul&gt;
		&lt;li&gt;The takeaway wasn’t just technological. It prompted organizations to develop clear security policies around removable media, improve logging, and enforce stricter controls for physical access.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Rubber ducky attacks&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ijert.org/unveiling-the-power-of-usb-rubber-ducky-an-analysis-of-its-hardware-capabilities" rel="noopener" target="_blank"&gt;Rubber ducky attacks&lt;/a&gt; refer to a type of cyberattack where an attacker uses a malicious USB device, often disguised as a harmless USB flash drive (called a rubber ducky), to compromise a computer system.&lt;/p&gt;

&lt;p&gt;&lt;u&gt;Key points about rubber ducky attacks&lt;/u&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Device type&lt;/strong&gt; – Looks like a standard USB drive but functions as a Human Interface Device (HID), like a keyboard.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Working principle&lt;/strong&gt; – When plugged in, the Rubber Ducky emulates a keyboard and rapidly types pre-programmed keystrokes to execute commands on the target system.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Payloads&lt;/strong&gt; – These could include:
	&lt;ul&gt;
		&lt;li&gt;Opening a command prompt and downloading malware&lt;/li&gt;
		&lt;li&gt;Creating new user accounts&lt;/li&gt;
		&lt;li&gt;Disabling security features&lt;/li&gt;
		&lt;li&gt;Exfiltrating data&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Speed&lt;/strong&gt; – Executes commands far faster than a human could type, usually completing an attack in seconds.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;No authentication required&lt;/strong&gt; – Most systems automatically trust HID devices without user authorization.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;u&gt;Common mitigation measures&lt;/u&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Implement workstation lock policies when unattended.&lt;/li&gt;
	&lt;li&gt;Apply the principle of least privilege—prevent users from having local admin rights.&lt;/li&gt;
	&lt;li&gt;Educate employees on not leaving workstations unlocked and the risks of unknown USB devices.&lt;/li&gt;
	&lt;li&gt;Physical security (USB port locks, CCTV, and awareness).&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Why traditional security solutions don’t detect BadUSB attacks&lt;/h2&gt;

&lt;p&gt;Despite the &lt;a href="https://www.ivanti.com/resources/research-reports/state-of-cybersecurity-report"&gt;ever-evolving cybersecurity landscape&lt;/a&gt;, BadUSB remains a stealthy and largely undetectable threat. Most traditional security solutions are simply not designed to monitor what happens at the firmware level of USB devices.&lt;/p&gt;

&lt;h3&gt;USB whitelisting limitations&lt;/h3&gt;

&lt;p&gt;Some organizations implement USB whitelisting, allowing only approved devices to connect to corporate systems. While this is a solid first step, it doesn’t protect against devices that masquerade as something they’re not.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;A whitelisted USB flash drive could be reprogrammed to behave like a keyboard.&lt;/li&gt;
	&lt;li&gt;USB devices with dynamic identities can bypass static whitelists by switching their declared class mid-connection.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Since the operating system identifies devices based on what they say they are — not what they contain — a malicious device can trick even well-maintained whitelists.&lt;/p&gt;

&lt;h3&gt;Firmware-level reprogramming vs. traditional malware&lt;/h3&gt;

&lt;table&gt;
	&lt;thead&gt;
		&lt;tr&gt;
			&lt;th scope="row"&gt;
			&lt;h4&gt;Feature&lt;/h4&gt;
			&lt;/th&gt;
			&lt;th scope="col"&gt;
			&lt;h4&gt;Firmware-Level Reprogramming (e.g., BadUSB)&lt;/h4&gt;
			&lt;/th&gt;
			&lt;th scope="col"&gt;
			&lt;h4&gt;Traditional Malware&lt;/h4&gt;
			&lt;/th&gt;
		&lt;/tr&gt;
	&lt;/thead&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;th scope="row"&gt;
			&lt;h4&gt;Operating level&lt;/h4&gt;
			&lt;/th&gt;
			&lt;td&gt;Operates at the firmware level (below the OS). Modifies device firmware (e.g., USB controller firmware).&lt;/td&gt;
			&lt;td&gt;Operates at the software level within the OS.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;th scope="row"&gt;
			&lt;h4&gt;Location&lt;/h4&gt;
			&lt;/th&gt;
			&lt;td&gt;Lives outside the file system.&lt;/td&gt;
			&lt;td&gt;Resides within files, processes, or other OS components.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;th scope="row"&gt;
			&lt;h4&gt;Detection&lt;/h4&gt;
			&lt;/th&gt;
			&lt;td&gt;Cannot be detected by software-based scanners (antivirus, EDR). Rarely (if ever) validated by traditional monitoring systems.&lt;/td&gt;
			&lt;td&gt;Detectable by antivirus programs and EDR tools (scanning files, processes, network traffic, known signatures/behaviors).&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;th scope="row"&gt;
			&lt;h4&gt;Payload requirement&lt;/h4&gt;
			&lt;/th&gt;
			&lt;td&gt;Does not require a stored payload.&lt;/td&gt;
			&lt;td&gt;Typically relies on stored payloads (malicious files).&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;th scope="row"&gt;
			&lt;h4&gt;Digital footprint&lt;/h4&gt;
			&lt;/th&gt;
			&lt;td&gt;Performs attacks without leaving a digital footprint in traditional monitoring systems.&lt;/td&gt;
			&lt;td&gt;Often leaves a digital footprint that can be traced by security tools.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;th scope="row"&gt;
			&lt;h4&gt;Trust exploited&lt;/h4&gt;
			&lt;/th&gt;
			&lt;td&gt;Exploits the fundamental trust computers place in hardware devices (e.g., USB devices).&lt;/td&gt;
			&lt;td&gt;Exploits software vulnerabilities, user actions, or misconfigurations.&lt;/td&gt;
		&lt;/tr&gt;
		&lt;tr&gt;
			&lt;th scope="row"&gt;
			&lt;h4&gt;Defense&lt;/h4&gt;
			&lt;/th&gt;
			&lt;td&gt;Requires hardware-aware policies, physical port control, and user education.&lt;/td&gt;
			&lt;td&gt;Relies on software defenses like antivirus, EDR, firewalls, and patching.&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;

&lt;h2&gt;BadUSB attack prevention: Best practices&lt;/h2&gt;

&lt;p&gt;As BadUSB attacks continue to bypass traditional security tools, organizations must shift toward proactive, layered defense strategies. Fortunately, there are effective prevention methods that can minimize or eliminate risks, including:&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Policy-based USB access control&lt;/li&gt;
	&lt;li&gt;Blocking unused USB ports&lt;/li&gt;
	&lt;li&gt;Keystroke behavior monitoring&lt;/li&gt;
	&lt;li&gt;Restricting access to elevated command prompt or PowerShell&lt;/li&gt;
	&lt;li&gt;Application control&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;1. Policy-based USB access control&lt;/h3&gt;

&lt;p&gt;The first line of defense is to establish strict, policy-driven USB access across your organization. This means defining exactly which devices can connect to which systems and blocking all others.&lt;/p&gt;

&lt;p&gt;Key strategies include:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Blocking USB device classes that should never be used, such as HID (keyboard/mouse) on servers or point-of-sale systems.&lt;/li&gt;
	&lt;li&gt;Applying role-based restrictions to ensure that only authorized employees can use removable media.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By implementing these policies through centralized management, organizations can effectively prevent unknown threats. For businesses that require scalable, enterprise-level protection, device control solutions such as Ivanti Endpoint Manager (EPM) and Ivanti Device and Application Control (IDAC) offer robust security and management capabilities.&lt;/p&gt;

&lt;h3&gt;2. Block unused USB ports to eliminate attack entry points&lt;/h3&gt;

&lt;p&gt;One of the simplest yet most effective strategies to prevent BadUSB attacks is to &lt;strong&gt;physically or logically disable unused USB ports&lt;/strong&gt;. If a port isn’t needed for business-critical functions, you should deactivate it. Doing so:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Reduces the attack surface by limiting opportunities for unauthorized devices to connect.&lt;/li&gt;
	&lt;li&gt;Prevents users from accidentally (or intentionally) plugging in malicious USB devices.&lt;/li&gt;
	&lt;li&gt;Supports compliance with security frameworks that require strict endpoint control.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To implement this security protocol:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Use BIOS/UEFI settings to disable USB ports at the hardware level.&lt;/li&gt;
	&lt;li&gt;Leverage endpoint management tools (like &lt;a href="https://www.ivanti.com/products/endpoint-manager"&gt;Ivanti EPM&lt;/a&gt;) to block USB ports through policy.&lt;/li&gt;
	&lt;li&gt;Apply physical port blockers for high-security environments where tamper-proofing is essential.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By eliminating open and unmonitored USB ports, you can dramatically reduce the risk of drive-by BadUSB infections and maintain tighter control over endpoint security for your entire organization.&lt;/p&gt;

&lt;h3&gt;3. Detecting BadUSB with keystroke behavior&lt;/h3&gt;

&lt;p&gt;BadUSB attacks often use HID (Human Interface Device) spoofing to inject commands via simulated keyboard inputs. These keystrokes happen at inhuman speeds — far beyond what any human user could produce.&lt;/p&gt;

&lt;p&gt;For example, a malicious USB might type a full PowerShell command in less than a second after being plugged in. By monitoring typing speed, timing patterns and command structures, security software can flag and respond to suspicious input activity before damage occurs.&lt;/p&gt;

&lt;p&gt;Even so, one of the major disadvantages of keystroke behavior monitoring is that skilled attackers can slow down payload delivery to mimic human typing speeds and potentially evade detection.&lt;/p&gt;

&lt;h3&gt;4. Restrict access to elevated command prompt or PowerShell&lt;/h3&gt;

&lt;p&gt;BadUSB devices are dangerous not just because they connect to a system, but because they execute high-privilege commands almost instantly. One of the most common tactics is launching an elevated command prompt or PowerShell window to run malicious scripts, download payloads, or modify system settings.&lt;/p&gt;

&lt;p&gt;By restricting access to administrative command-line tools, you can effectively neutralize the payload execution stage of many BadUSB attacks — even if the device successfully connects.&lt;/p&gt;

&lt;p&gt;Implementing Just-in-Time (JIT) Privileged Access for command prompt and PowerShell is an excellent way to minimize attack windows while still allowing necessary administrative activity.&lt;/p&gt;

&lt;h3&gt;5. Deploy application control to mitigate BadUSB risks&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/application-control"&gt;Application control&lt;/a&gt; is a security approach that only allows approved and verified applications to be executed within a system or network. Instead of trying to identify and block bad behavior, it whitelists only known good behavior.&lt;/p&gt;

&lt;p&gt;More specifically, application control helps you:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Block unauthorized executables — BadUSB attacks often try to launch scripts or applications upon connection. Application control ensures that only whitelisted executables are allowed to run, immediately halting the attack before it can escalate.&lt;/li&gt;
	&lt;li&gt;Prevent unauthorized code execution — If a BadUSB device tries to emulate a keyboard and inject keystrokes to open PowerShell or command prompt, application control can prevent these programs from executing (unless they are specifically allowed).&lt;/li&gt;
	&lt;li&gt;Implement hardware-aware policies — Some advanced application control solutions can implement device-specific policies (e.g., blocking all keyboard-like inputs from unknown USB vendors, restricting USB ports to charge-only functionality).&lt;/li&gt;
	&lt;li&gt;Reduce attack surfaces — By strictly controlling what software is allowed to run, even if a BadUSB device bypasses physical protections, its ability to interact with the system is extremely limited.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;How Ivanti Endpoint Management and Ivanti Device Application Control help prevent BadUSB attacks&lt;/h2&gt;

&lt;p&gt;Grant temporary (just-in-time) access to USB devices only when necessary. Initially, a complete block — for example, targeting tools like the Flipper device — was considered. However, after evaluating feasibility and business impact, this approach was determined to be too restrictive.&lt;/p&gt;

&lt;p&gt;Instead, &lt;a href="https://www.ivanti.com/use-cases/endpoint-application-control"&gt;Ivanti Endpoint Management and Device Application Control&lt;/a&gt; provide a more flexible solution. They help mitigate BadUSB threats by allowing controlled device access and applying the right security policies. This approach balances protection with productivity, reducing risk without hindering legitimate use.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/169370-inline_devices_b.jpg"&gt;&lt;/p&gt;

&lt;h2&gt;Conclusion: Why BadUSB Awareness Matters&lt;/h2&gt;

&lt;p&gt;As cyber threats continue to get more sophisticated, awareness is your strongest first line of defense. BadUSB attacks represent a unique and underestimated vulnerability — one that bypasses traditional defenses by exploiting the inherent trust most people place in USB devices. Without awareness and proactive control, even the most secure networks can fall victim to a single compromised USB device.&lt;/p&gt;

&lt;p&gt;Unfortunately, most organizations don’t fully monitor or control how these devices are used, leaving a massive blind spot in their security infrastructure. Implementing a clear USB security policy — along with the right tools to enforce it — is no longer optional. It’s essential.&lt;/p&gt;

&lt;h3&gt;Trust Ivanti for BadUSB attack prevention and superior device control&lt;/h3&gt;

&lt;p&gt;Organizations serious about mitigating USB-based threats should consider leveraging comprehensive device control solutions like &lt;a href="https://www.ivanti.com/products/endpoint-manager"&gt;Ivanti Endpoint Manager (EPM)&lt;/a&gt; and &lt;a href="https://www.ivanti.com/products/device-control"&gt;Ivanti Device Application Control (IDAC)&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Ivanti’s solution addresses all the key application controls recommended to defend against threats like BadUSB, offering granular USB access controls to block or allow specific device types, real-time monitoring and reporting of USB activity across all endpoints, and automated policy enforcement that ensures compliance across departments and regions. These capabilities integrate seamlessly with broader endpoint protection strategies, preventing unauthorized devices from ever reaching sensitive systems. But Ivanti goes beyond these foundational controls with context-aware policy enforcement, allowing organizations to dynamically adjust USB access based on real-time risk signals such as user behavior, location and device trust — providing intelligent, adaptive protection in an ever-evolving threat landscape.&lt;/p&gt;

&lt;p&gt;BadUSB is not science fiction—it’s already happening. Educating your team, enforcing USB access policies, and leveraging tools like Ivanti can mean the difference between resilience and breach. Don’t wait for a compromised device to remind you of the risks. Take control now.&lt;/p&gt;
</description><pubDate>Tue, 29 Jul 2025 19:43:10 Z</pubDate></item><item><guid isPermaLink="false">fca97924-8898-4e8f-8a1c-4939336dc448</guid><link>https://www.ivanti.com/blog/automate-windows-11-migration</link><atom:author><atom:name>Dan Lahan</atom:name><atom:uri>https://www.ivanti.com/blog/authors/dan-lahan</atom:uri></atom:author><category>DEX</category><category>Endpoint Management</category><category>Service Management</category><title>Your Windows 11 Migration Is Looming – but There’s a Bot for That</title><description>&lt;p&gt;I recently spoke with a CIO who had committed a large amount of IT resources to manually migrating computers from Windows 10 to Windows 11. The process required months of planning, device assessments, compatibility testing and hands-on coordination to avoid disruptions to day-to-day business operations. While their dedication ensured their rollout was on track for the looming Windows 11 end-of-support date, it highlighted the strain such projects place on internal teams.&lt;/p&gt;

&lt;p&gt;My conversation with this CIO isn’t unique. Before becoming an Account Technology Strategist here at Ivanti, I worked in various roles in IT support and still bear the scars of the Windows XP to Windows 7 migration. I also spent years helping organizations plan, execute and troubleshoot OS upgrades — often under tight timelines, with limited resources.&lt;/p&gt;

&lt;p&gt;Automation is key to any major upgrade project. It improves overall IT efficiency, reducing labor costs and human errors. In this blog, I’ll show you how you can use automation in your Windows 11 migration and where Ivanti Neurons bots can help.&lt;/p&gt;

&lt;h2&gt;Assess the fleet&lt;/h2&gt;

&lt;p&gt;Before starting any project, &lt;a href="https://www.ivanti.com/use-cases/discover-and-manage-assets"&gt;asset discovery&lt;/a&gt; is key: you can’t upgrade something you don’t know exists, or something that isn’t really there. One Ivanti customer discovered that they had 30% more assets than they expected on their network! This echoes a study from Gartner that found 30% of IT fixed assets are "ghost" assets (missing or unable to be located), which further complicates the task.&lt;/p&gt;

&lt;p&gt;Data that exists outside of the device, such as device warranty, is important too. Perhaps upgrading a device with three months’ warranty left isn’t really worth it — it may be replaced through a refresh cycle soon anyway, leaving more disruption for users.&lt;/p&gt;

&lt;p&gt;A step you can automate is evaluating whether each device meets Microsoft’s minimum hardware requirements, which you can do in &lt;a href="https://www.ivanti.com/resources/bot-library/device-optimization/windows-11-upgrade"&gt;Ivanti Neurons using the Windows 11 Upgrade bot&lt;/a&gt;. Then, devices that don’t meet the necessary criteria can be flagged with an automatic ticket in your service or asset management solution. This helps provide the right data to IT-adjacent teams like Procurement for financial planning and purchasing new hardware.&lt;/p&gt;

&lt;h2&gt;Create a baseline for end-user experience&lt;/h2&gt;

&lt;p&gt;Creating a baseline helps IT measure the impact of the upgrade, identify potential areas of improvement to review post-upgrade and ensure that the new operating system meets or exceeds current performance levels. It also provides a point of reference for troubleshooting should any issues arise post-upgrade. This data is gold dust for the service desk team, who will be on hand to support users.&lt;/p&gt;

&lt;p&gt;One way to create a baseline is with a &lt;a href="https://www.ivanti.com/glossary/digital-employee-experience-dex"&gt;DEX&lt;/a&gt;, or digital experience, score (which you can do in Ivanti Neurons). This quantifies the quality of an employee’s digital experience by aggregating data from various indicators like CPU usage, memory performance, application crashes, disk space and battery health. For example, excessive CPU usage or frequent application crashes can lower the score, while optimal performance in these areas contributes to a higher score. Sentiment analysis of service management incidents can also provide qualitative data that impacts the &lt;a href="https://help.ivanti.com/ht/help/en_US/CLOUD/vNow/dex-scores.htm" target="_blank"&gt;DEX score&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Surveying the end user bolsters telemetry-based metrics in the DEX score. Surveys provide IT with an early indicator of problems — but you can’t ask too many questions before the end user hits the dreaded mute button! A simple emoji response via Microsoft Teams gives you an empirical response, and a free text field gets user sentiment feedback.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/picture1.png"&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/picture2.png"&gt;&lt;/p&gt;

&lt;p&gt;So how do you analyze the data at scale? Feeding these insights into AI for sentiment analysis lets you interpret the tone and emotion to detect frustration or satisfaction levels.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/picture3.png"&gt;&lt;/p&gt;

&lt;p&gt;One big takeaway from any migration is its impacts on end users. IT should want the end user to feel part of the process, if not own it!&lt;/p&gt;

&lt;h2&gt;Put the user at the center of the W11 migration&lt;/h2&gt;

&lt;p&gt;At this stage, we have devices suitable to upgrade and know our baseline. Now it’s time to interact with the end user.&lt;/p&gt;

&lt;p&gt;IT leaders are all too aware of the potential impact that changes like system upgrades or new software deployments can have on end users, but this awareness doesn’t always translate into action. In the push to beat pending deadlines like Windows 10 End of Support, user experience considerations can be overlooked, leading to disruptions, frustration (reduced CSAT) or decreased productivity.&lt;/p&gt;

&lt;p&gt;You can use automation, like the Windows 11 Upgrade bot, to keep the user in the loop, providing them a reason for the change and allowing them to schedule the upgrade at a convenient time.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/combo.png"&gt;&lt;/p&gt;

&lt;h2&gt;Validate changes with end users&lt;/h2&gt;

&lt;p&gt;When changes like system updates are made to their computers, end users often face disruptions to their familiar workflows. A major change like upgrading to Windows 11 can lead to confusion, reduced productivity and frustration, especially if the upgrade was unexpected or poorly communicated. Users may struggle to find previously accessible features, encounter compatibility issues, or experience slower performance, all of which can create a sense of being unsupported.&lt;/p&gt;

&lt;p&gt;Surveys have shown that knowledge workers experience such issues &lt;a href="/resources/v/doc/ebooks/ema-iva009a-ivanti-requirements-ebook" target="_blank"&gt;3–4 times per day&lt;/a&gt; and often don’t raise support cases. A bot like the Ivanti Neurons Survey bot can be used here, capturing end user sentiment and feedback. So far, automation has done much of the hard work in your Windows 11 migration, but there will always be humans … as it stands anyway! A survey offers an opportunity to bring a human into the loop where applicable.&lt;/p&gt;

&lt;p&gt;&lt;img alt="" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/picture6.png"&gt;&lt;/p&gt;

&lt;h2&gt;Software updates – and more! – with Ivanti Neurons bots&lt;/h2&gt;

&lt;p&gt;So, you’ve read a little of how the &lt;a href="https://www.ivanti.com/resources/bot-library/device-optimization/windows-11-upgrade"&gt;Windows 11 bot&lt;/a&gt; works. This is just one use case for an Ivanti Neurons bot. The same principles can also apply to major upgrades of any software, but also to a wide array of automation use cases on devices:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Reduce IT operational costs by automating manual steps.&lt;/li&gt;
	&lt;li&gt;Limit opportunities to introduce human error through manual processes.&lt;/li&gt;
	&lt;li&gt;Ensure the user is engaged and, crucially, happy with the process and their new operating system.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Neurons bots help IT teams proactively identify, diagnose, and resolve issues across endpoints and devices, often before users even notice the problem. Bots communicate with devices in real time, run queries and perform actions to keep systems healthy and secure.&lt;/p&gt;

&lt;p&gt;You can check out some of the ways our bots help automate, accelerate and enhance IT operations, freeing up time for you to work on what matters, by visiting the &lt;a href="https://www.ivanti.com/resources/bot-library"&gt;Bot Library&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Mon, 28 Jul 2025 19:31:10 Z</pubDate></item><item><guid isPermaLink="false">701f3765-2d1a-4e95-86e2-42564105482d</guid><link>https://www.ivanti.com/blog/windows-11-migration-strategy</link><atom:author><atom:name>Mariah Shotts</atom:name><atom:uri>https://www.ivanti.com/blog/authors/mariah-shotts</atom:uri></atom:author><category>Endpoint Management</category><category>Patch Management</category><title>Windows 11 Migration: Ivanti's Customer Zero Journey with Win11 Upgrades</title><description>&lt;p&gt;Windows 11 offers enhanced security and a modern user interface, but the transition can be complex for large organizations, with logistical and employee buy-in challenges. Microsoft will end support for Windows 10 on October 14, 2025, so it's crucial to start planning and executing Windows 11 deployments now.&lt;/p&gt;

&lt;h2&gt;The need to migrate to Windows 11&lt;/h2&gt;

&lt;p&gt;Migrating to Windows 11 is essential for staying current, secure and efficient. It provides advanced security features like stronger encryption and improved threat detection, safeguarding your data and enhancing IT resilience. The user-friendly interface also streamlines daily tasks, boosting productivity. With Microsoft ending support for Windows 10 this year, upgrading can help organizations avoid increased security risks and potential downtime. According to &lt;a href="https://www.gartner.com/en/documents/6338779" rel="noopener" target="_blank"&gt;Gartner&lt;/a&gt;, many enterprises are opting to replace even compatible machines with new hardware to ensure optimal performance with Windows 11. Proactive planning ensures a smooth and seamless transition.&lt;/p&gt;

&lt;h2&gt;Ivanti’s use-case for Windows 10 to Windows 11 migration&lt;/h2&gt;

&lt;p&gt;At Ivanti, we’ve been successfully rolling out Windows 11 migrations since the beginning of 2025. Like many large organizations, we had been discussing and planning this migration for quite some time. The goal is to update every eligible machine in a timely manner and triage ineligible machines for further troubleshooting or replacement.&lt;/p&gt;

&lt;p&gt;To meet this goal, we prioritized using our own Ivanti Neurons platform solutions, which equipped us with the proactive tools and insights necessary for a successful Windows 11 deployment. Using a phased approach, we were able to identify and address issues coming back from early adopters and gather valuable feedback. Once we saw validation of our plan, we could gradually roll out the upgrade to the rest of the organization, ensuring a smoother migration overall.&lt;/p&gt;

&lt;h2&gt;Potential challenges&lt;/h2&gt;

&lt;p&gt;Like any other company, we wanted to get ahead of any potential barriers to a successful migration.&lt;/p&gt;

&lt;h3&gt;Hardware compatibility and unknown devices&lt;/h3&gt;

&lt;p&gt;One of the biggest challenges in upgrading to Windows 11 is meeting the hardware requirements. Many existing devices may not satisfy Microsoft's strict criteria, limiting the number of eligible machines. This can be especially problematic for organizations with a mix of older hardware. To tackle this, Ivanti’s IT team used our discovery capabilities to perform a thorough inventory and assessment of all devices, identifying those that would need to be upgraded or replaced before starting the migration. You can’t migrate devices you don’t know about, which made a comprehensive view of our IT landscape a key first step.&lt;/p&gt;

&lt;h3&gt;End-user friction and disruptions to productivity&lt;/h3&gt;

&lt;p&gt;User resistance to new interfaces and features can be another barrier to success. Change can be daunting, and the new look and features of Windows 11 may intimidate users accustomed to older versions. OS upgrades can also cause disruptions to users’ work, causing frustrations and downtime. To minimize these issues, Ivanti’s IT team wanted to make sure that updates were happening at a time most convenient to the end user to avoid losing unsaved work or disrupting productivity in general.&lt;/p&gt;

&lt;h3&gt;Continuing security updates with extended support&lt;/h3&gt;

&lt;p&gt;Not every machine can immediately upgrade to Windows 11 due to hardware requirements. However, Ivanti’s extended support will allow us to continue Windows 10 security updates past October, keeping these devices protected and functional.&lt;/p&gt;

&lt;p&gt;Ivanti’s Extended Security Update (ESU) deployment streamlines the patching process, reduces IT workload and maintains compliance with regulations like GDPR, HIPAA, or PCI-DSS. Unpatched systems face over 1,200 vulnerabilities annually, and a data breach can cost an average of $4.45 million, according to &lt;a href="https://www.ibm.com/reports/data-breach" rel="noopener" target="_blank"&gt;IBM&lt;/a&gt;. We need to make sure that any devices that don’t update to Windows 11 are kept safe and secure from vulnerabilities.&lt;/p&gt;

&lt;p&gt;Extended support also helps us extend our device lifecycle for devices that aren’t quite ready to be replaced, or when budget constraints are a factor. According to Gartner, many enterprises are still delaying purchases despite the need to move from Windows 10 to Windows 11, extending the lifecycle of their existing equipment and seeking alternatives to maximize their budgets. Ivanti’s ESU solutions help extend the lifespan of these devices, avoiding the high costs of a full hardware refresh. This ensures seamless patching, minimizes security risks and reduces manual IT effort, helping us avoid potential losses and disruptions.&lt;/p&gt;

&lt;h2&gt;Ivanti’s Windows 11 migration workflow&lt;/h2&gt;

&lt;p&gt;Ivanti Neurons allowed us to automate key elements of the migration, from the initial device assessment to the upgrade itself, streamlining each phase and allowing our IT team to concentrate on other mission-critical activities. In general, here is how the workflow for updating devices from Windows 10 to Windows 11 looks at Ivanti.&lt;/p&gt;

&lt;h3&gt;1. Preparation&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Identify Devices:&lt;/strong&gt; Create a group of Windows 10 devices that need to be upgraded.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Download Files:&lt;/strong&gt; Push necessary files to the devices, ensuring efficient data transfer by using ZIP files.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;2. Pre-Check&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Eligibility Check:&lt;/strong&gt; Run PowerShell scripts to verify if the device meets the hardware requirements for Windows 11.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Power Check:&lt;/strong&gt; Ensure the device is connected to AC power.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;3. User Interaction&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Notification:&lt;/strong&gt; Use Teams bot integration to notify users about the upgrade and allow them to schedule it.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Consent:&lt;/strong&gt; Users provide consent for the upgrade via an interactive Teams message.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img alt="it notices" src="https://static.ivanti.com/sites/marketing/media/images/blog/2025/7/win11screenshot.png"&gt;&lt;/p&gt;

&lt;h3&gt;4. Upgrade Execution&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Run Upgrade:&lt;/strong&gt; Execute the Windows Update Assistant to perform the upgrade.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Monitor Progress:&lt;/strong&gt; Track the upgrade process and handle any errors or issues that arise.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;5. Post-Upgrade Actions&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Restart Device:&lt;/strong&gt; Prompt users to restart their devices to complete the upgrade.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Activation Check:&lt;/strong&gt; Verify that the device is activated with an enterprise license key.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Additional Updates:&lt;/strong&gt; Apply any necessary Windows updates post-upgrade.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;6. Error Handling&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Automated Ticket Creation:&lt;/strong&gt; Use a bot to generate tickets for devices that fail the upgrade process.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Troubleshooting:&lt;/strong&gt; Enterprise services team handles cases where devices cannot be upgraded automatically.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;7. Continuous Improvement&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Refinement:&lt;/strong&gt; Break down the upgrade process into smaller automated steps to streamline operations.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Feedback:&lt;/strong&gt; Incorporate user feedback to improve the upgrade experience.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This workflow ensures a smooth transition from Windows 10 to Windows 11 while minimizing disruptions and handling exceptions efficiently. We rolled the process out gradually, one week at a time, and built it deliberately to be flexible and modular so that we can reuse it for the next generation of Windows whenever it arrives.&lt;/p&gt;
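&lt;p&gt;As an added illustration (not Ivanti’s own script, and not part of the original post), the PowerShell below shows what the step 2 pre-checks and the step 5 activation check can look like when the orchestrator pushes a single script with a phase argument. It assumes an elevated session on Windows 10 22H2 with the built-in TrustedPlatformModule and SecureBoot modules; the exit codes (0 proceed, 2 route to the ESU group, 3 wait for AC power, 4 open a ticket) are a convention chosen here so that the calling workflow can branch on them.&lt;/p&gt;

```powershell
# Added example for steps 2 and 5 of the migration workflow; not Ivanti's script.
# Assumes: elevated PowerShell on Windows 10 22H2, built-in TrustedPlatformModule
# and SecureBoot modules, launched by an orchestrator that branches on exit codes.
#Requires -RunAsAdministrator
param(
    [ValidateSet('PreCheck', 'PostUpgrade')]
    [string]$Phase = 'PreCheck'
)

function Test-Win11Eligibility {
    # Returns the individual checks plus an overall verdict. A pass here is
    # necessary, not sufficient: Microsoft also publishes a supported-CPU list
    # that this script does not consult.
    $checks = [ordered]@{}

    # TPM 2.0 and enabled. Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59";
    # the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmOk = $false
    if ($tpm -and $tpm.IsEnabled_InitialValue) {
        $specLevel = ($tpm.SpecVersion -split ',')[0].Trim()
        $tpmOk = ([version]$specLevel -ge [version]'2.0')
    }
    $checks['TPM 2.0 present and enabled'] = $tpmOk

    # UEFI firmware with Secure Boot on. Confirm-SecureBootUEFI throws on
    # legacy BIOS machines, so an exception is treated as "not enabled".
    $uefi = ($env:firmware_type -eq 'UEFI')
    $secureBoot = $false
    if ($uefi) {
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    }
    $checks['UEFI firmware']       = $uefi
    $checks['Secure Boot enabled'] = $secureBoot

    # Memory and system drive against Microsoft's published minimums.
    # TotalPhysicalMemory reports slightly below the nominal size, so round it.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $checks['At least 4 GB RAM'] = ([math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 4)
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $checks['System drive at least 64 GB'] = ($sysDisk.Size -ge 64GB)

    # CPU: 64-bit, two or more cores, 1 GHz or faster.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cpuOk = ($cpu.AddressWidth -eq 64 -and $cpu.NumberOfCores -ge 2 -and $cpu.MaxClockSpeed -ge 1000)
    $checks['CPU 64-bit, 2+ cores, 1 GHz+'] = $cpuOk

    [pscustomobject]@{
        Checks   = $checks
        Eligible = -not ($checks.Values -contains $false)
    }
}

function Test-OnAcPower {
    # Win32_Battery.BatteryStatus: 1 = discharging; 2, 3 and 6 to 9 all mean the
    # system is on AC. A desktop with no battery instance is on AC by definition.
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue |
               Select-Object -First 1
    if (-not $battery) { return $true }
    return (@(2, 3, 6, 7, 8, 9) -contains [int]$battery.BatteryStatus)
}

function Test-Win11Activated {
    # Step 5: confirm the upgrade landed (Windows 11 builds start at 22000) and
    # that the OS is licensed. The GUID is the SoftwareLicensingProduct
    # ApplicationID for Windows itself; LicenseStatus 1 means "Licensed".
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $licensed = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
        Where-Object { $_.LicenseStatus -eq 1 }
    return ($build -ge 22000 -and [bool]$licensed)
}

if ($Phase -eq 'PostUpgrade') {
    if (Test-Win11Activated) { 'Windows 11 installed and activated.'; exit 0 }
    Write-Warning 'Upgrade incomplete or not activated; open a ticket (step 6).'
    exit 4
}

# Pre-check flow (step 2). The per-check table goes to the orchestrator's log.
$report = Test-Win11Eligibility
foreach ($entry in $report.Checks.GetEnumerator()) {
    '{0,-34} {1}' -f $entry.Key, $(if ($entry.Value) { 'PASS' } else { 'FAIL' })
}
if (-not $report.Eligible) { Write-Warning 'Not eligible for Windows 11; keep on Windows 10 with ESU.'; exit 2 }
if (-not (Test-OnAcPower))  { Write-Warning 'Device is on battery; connect AC power and re-run.'; exit 3 }
'Pre-checks passed; proceed with the upgrade.'
exit 0
```

&lt;p&gt;A pass on these checks is necessary, not sufficient: Microsoft also maintains a list of supported processors that the script does not consult, so a device that passes here but is rejected by the Windows Update Assistant should still end up in the ESU group through the step 6 ticket rather than being retried indefinitely.&lt;/p&gt;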

&lt;h2&gt;Ready to start your Windows 11 migration?&lt;/h2&gt;

&lt;p&gt;Migrating to Windows 11 is essential for maintaining security, efficiency and compliance. Ivanti has leveraged our own solutions to automate key steps, gather user feedback and provide extended security updates for ineligible devices, all while ensuring a smooth transition that minimizes end-user disruption and maximizes IT efficiency.&lt;/p&gt;

&lt;p&gt;Ivanti’s approach and workflow not only addresses current challenges but also sets up a flexible and modular foundation for future OS upgrades.&lt;/p&gt;

&lt;p&gt;Ready to start your own Windows 11 migration? Learn how Ivanti Neurons can simplify and automate the process.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/ivanti-neurons"&gt;Explore Ivanti Neurons&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Mon, 21 Jul 2025 15:46:23 Z</pubDate></item><item><guid isPermaLink="false">31bf4b1c-e4f6-4de2-8af2-9da46c453fd4</guid><link>https://www.ivanti.com/blog/apple-wwdc25-announcements</link><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/blog/authors/yosune-baltra</atom:uri></atom:author><category>Endpoint Management</category><title>Apple WWDC25 Announcement of Enterprise IT Enhancements</title><description>&lt;p&gt;At WWDC25, Apple announced a set of updates to simplify IT management for enterprises. These updates, spread across macOS 26, iOS 26, iPadOS 26, tvOS 26 and visionOS 26, introduce practical tools to improve device, application and user management.&lt;/p&gt;

&lt;p&gt;This article outlines the specific capabilities and how they can be applied effectively in enterprise environments.&lt;/p&gt;

&lt;h2&gt;Enhanced Apple Business Manager for flexible device management&lt;/h2&gt;

&lt;p&gt;Apple Business Manager (ABM) improvements in iOS 26, iPadOS 26 and macOS 26 bring enhanced flexibility to enterprise IT operations. Being able to migrate devices between &lt;a href="https://www.ivanti.com/autonomous-endpoint-management/mobile-device-management"&gt;Mobile Device Management (MDM)&lt;/a&gt; solutions means that businesses can react to evolving technological requirements or vendor changes without needing to reconfigure devices manually. For example, an organization switching from one of Ivanti’s on-premises solutions to Ivanti Neurons for MDM can retain operational continuity by using the new ABM Device Migration APIs while aligning configurations with the latest policies.&lt;/p&gt;

&lt;p&gt;Administrators can now enforce enrollment deadlines for Managed Apple Accounts, helping enterprises integrate new devices into their IT systems on schedule. This feature is particularly helpful for compliance with internal policies or regulatory requirements, ensuring devices are accounted for during deployments.&lt;/p&gt;

&lt;p&gt;Enhanced onboarding processes with Account Driven Enrollments, supported by the Service Discovery API, simplify enrollment by enabling preconfigured settings to guide users through setup. This reduces time spent onboarding large numbers of employees or devices.&lt;/p&gt;

&lt;p&gt;Organizations can also bolster account security with stricter access controls. By allowing only Managed Apple Accounts during device setup and login, enterprises can prevent personal accounts from compromising company data or workflows. Additionally, including warranty and AppleCare coverage details lets enterprises plan for the entire lifecycle of their devices, optimizing replacement or support strategies to maintain productivity while minimizing downtime.&lt;/p&gt;

&lt;h2&gt;Modernized app management with Declarative Device Management&lt;/h2&gt;

&lt;p&gt;Declarative Device Management (DDM) updates provide better tools for managing app lifecycles in enterprise environments. Administrators get granular control over app installations and updates, so you can enforce mandatory upgrades for security-critical applications or postpone non-essential updates to avoid disruptions during critical operations. Similarly, the ability to pin apps to specific versions can stabilize environments where software dependencies are tightly coupled.&lt;/p&gt;

&lt;p&gt;Real-time reporting of app installation and update statuses offers IT teams actionable insights into compliance and troubleshooting. For instance, administrators managing thousands of devices can track which apps are outdated or whether installation errors occurred, resolving issues without delays. Furthermore, organizations managing extensive mobile fleets can restrict app downloads over cellular data to conserve bandwidth and ensure adherence to security policies, useful in industries with strict data regulations or cost-control measures.&lt;/p&gt;

&lt;p&gt;Updates to macOS 26 let enterprises scale their device operations more effectively. Declarative Application Management lets administrators deploy apps — whether they are from the App Store or custom-built solutions — across thousands of devices simultaneously, streamlining rollouts during enterprise deployments or product launches. The ability to deploy .pkg files caters to organizations relying on proprietary software or specific configurations.&lt;/p&gt;

&lt;p&gt;VisionOS 26 also supports deploying managed applications via DDM.&lt;/p&gt;

&lt;h2&gt;Improved Safari configuration for efficiency and compliance&lt;/h2&gt;

&lt;p&gt;Safari updates bring practical configuration tools that enterprises can use to align browser settings with organizational needs. Administrators can now preconfigure bookmarks to direct employees to relevant software tools, company websites or knowledge bases upon login, reducing onboarding times and improving workforce efficiency. You can set landing pages to match company branding and guarantee employees start their browsing sessions on compliant and secure portals, which is especially useful for maintaining organizational policies.&lt;/p&gt;

&lt;h2&gt;Better audio accessory management for shared device scenarios&lt;/h2&gt;

&lt;p&gt;For shared device deployments, such as in healthcare, education or retail, Apple’s enhanced audio pairing management introduces useful controls to maintain security while enabling flexibility. Administrators can allow temporary audio accessory pairing without data syncing to iCloud, ensuring that employee or customer data is not inadvertently retained on shared devices. For added security, pairing data can be erased automatically based on predefined schedules, such as each night.&lt;/p&gt;

&lt;p&gt;These controls are critical for shared environments where sensitive data protection and operational continuity are key. For example, hospitals using shared iPads for patient intake can ensure that data is cleared between users while still enabling seamless accessory use for each individual session.&lt;/p&gt;

&lt;h2&gt;Platform Single Sign-On for simplified authentication&lt;/h2&gt;

&lt;p&gt;The new Platform Single Sign-On (SSO) tools in macOS 26 reduce friction during the authentication process for enterprise employees. Platform SSO can now be activated during automated device enrollment, meaning employees can immediately access managed apps, company services and their Managed Apple Accounts without additional sign-ins. This feature simplifies the device setup process for organizations onboarding large numbers of employees or contractors.&lt;/p&gt;

&lt;p&gt;The addition of Authenticated Guest Mode benefits shared environments, such as schools or hospitals, by allowing temporary logins via organizational Identity Provider (IdP) credentials. This ensures that users can access only the resources they are authorized for, while personal data is automatically erased upon logout. This is especially beneficial in environments with transient users where data security and quick turnover are priorities.&lt;/p&gt;

&lt;h2&gt;Return to Service: streamlined device reuse&lt;/h2&gt;

&lt;p&gt;Apple’s improvements to the Return to Service workflow allow enterprises to retain managed apps during device preparation for reuse. This feature significantly reduces the time needed to prepare devices for new users in shared-use scenarios. For instance, retail organizations can erase user data while retaining critical operational apps, allowing devices to be redeployed within minutes rather than hours. Automated re-enrollment into MDM ensures that settings, restrictions and compliance policies are applied quickly and consistently.&lt;/p&gt;

&lt;p&gt;If you have a healthcare use case, check out Return to Service features supported by &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;Ivanti Neurons for MDM&lt;/a&gt;. By adding a Return to Service option on your Ivanti iOS client, your floor staff can safely repurpose devices with one click.&lt;/p&gt;

&lt;h2&gt;ManagedApp Framework for secure enterprise app configurations&lt;/h2&gt;

&lt;p&gt;The ManagedApp Framework, built on Declarative Device Management, introduces a structured approach to defining and passing configuration details to enterprise apps. This framework allows IT administrators to establish app behavior — such as server URLs, credential parameters or connection policies — tailored to specific employees or teams.&lt;/p&gt;

&lt;p&gt;For example, an IT department can provide custom app settings for field technicians that include preconfigured server endpoints and unique digital certificates, while offering a more limited set of configurations for interns or temporary staff. The framework integrates seamlessly with features like Single Sign-On and Managed Device Attestation for secure, scalable and compliance-ready app deployments across industries. This feature requires support both from the application and from the MDM side.&lt;/p&gt;

&lt;h2&gt;Software updates changes in iOS/iPadOS/macOS 26&lt;/h2&gt;

&lt;p&gt;Apple is deprecating legacy software update management methods in iOS, iPadOS and macOS 26, and removing support in 2027 OS versions, requiring all organizations to transition to the new Declarative Management Software Update Enforcement and Software Update settings. Ivanti fully supports these new workflows, enabling automated and proactive update management. Declarative Management Updates are supported on iOS/iPadOS 17+ and macOS 14+. To prepare, customers should update their device management policies in Ivanti, configure Software Update Enforcement and settings for their devices and ensure compliance with Apple’s updated requirements—securing a smooth transition ahead of the deadline.&lt;/p&gt;

&lt;h2&gt;Key takeaways for enterprise IT&lt;/h2&gt;

&lt;p&gt;Apple’s WWDC announcements introduce meaningful improvements for enterprise IT, from streamlined device reuse to more flexible management and security controls. Using Ivanti’s endpoint management solutions alongside these new Apple features will help organizations automate deployments, ensure compliance and support diverse user needs with greater efficiency.&lt;/p&gt;
</description><pubDate>Fri, 18 Jul 2025 14:15:25 Z</pubDate></item><item><guid isPermaLink="false">6a220831-f48d-4163-87fb-942ca6c2ff3d</guid><link>https://www.ivanti.com/blog/a-guide-to-apple-declarative-device-management-for-enterprises</link><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/blog/authors/yosune-baltra</atom:uri></atom:author><category>Endpoint Management</category><category>Security</category><title>A Guide to Apple Declarative Device Management for Enterprises</title><description>&lt;p&gt;Apple declarative management introduces a shift from the traditional command-based model to a more autonomous and flexible framework. This approach aims to improve the efficiency and responsiveness of managing Apple devices.&lt;/p&gt;

&lt;p&gt;The components of Apple declarative management — declarations, assets, predicates and status channels — work together to create a more efficient, scalable and responsive &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;MDM&lt;/a&gt; framework. Declarations define the desired states; assets provide the necessary resources; predicates enable context-aware policy application; and status channels facilitate efficient communication.&lt;/p&gt;

&lt;p&gt;Apple is deprecating legacy software update management methods in iOS, iPadOS and macOS 26 and removing support in 2027 OS versions, requiring you to transition to the new declarative management software update enforcement and software update settings. Ivanti fully supports these new workflows for automated and proactive update management.&lt;/p&gt;

&lt;h2&gt;The shift to declarative device management&lt;/h2&gt;

&lt;p&gt;Let's explore the technical aspects of Apple declarative device management and its benefits for MDM users.&lt;/p&gt;

&lt;p&gt;Traditional MDM operates on a command-and-control basis, in which servers send commands to devices to perform actions such as installing apps or enforcing policies. Devices then report their status back to the server, necessitating constant communication.&lt;/p&gt;

&lt;p&gt;This frequent check-in process is needed to ensure that devices remain compliant with the organization's policies and that changes or updates are promptly applied. Without regular check-ins, administrators would have limited visibility into the device's status, making it challenging to verify compliance, deploy updates or address security issues in real time.&lt;/p&gt;

&lt;p&gt;Apple declarative device management utilizes a declarative format with which administrators define desired states and policies. Devices receive these declarations and autonomously enforce the desired state, reporting back to the server only when there is a change.&lt;/p&gt;

&lt;p&gt;In this model, the device's operating system plays a critical role in making the device more autonomous. The OS continuously evaluates the current state of the device against the desired state defined by the declarations. If discrepancies are detected, the device will self-heal.&lt;/p&gt;

&lt;p&gt;The OS independently applies the necessary changes defined in declarations and predicates to align with the specified policies. This autonomous evaluation and enforcement capability minimizes the reliance on server commands and allows for real-time adjustments, ensuring devices remain compliant even when offline or out of network range.&lt;/p&gt;

&lt;h2&gt;Key components of Apple declarative device management&lt;/h2&gt;

&lt;h4&gt;Declarations&lt;/h4&gt;

&lt;p&gt;Declarations represent the desired state or configuration that an administrator wants to apply to devices. Declarations are sent to devices, which then interpret and autonomously enforce these states. The key features of declarations include:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Configuration definition:&lt;/strong&gt; Administrators define configurations in a declarative format. This includes settings for Wi-Fi, VPN, device restrictions and more.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Autonomous enforcement:&lt;/strong&gt; Devices interpret the declarations and apply the specified policies independently, without requiring continuous communication with the server.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;Assets&lt;/h4&gt;

&lt;p&gt;In Apple Declarative Management, &lt;a href="https://support.apple.com/guide/deployment/authentication-credentials-identity-asset-dep597c7b47d/1/web/1.0" rel="noopener" target="_blank"&gt;assets&lt;/a&gt; are resources used by devices to implement policies and configurations defined in declarations. These assets include certificates, data and user information.&lt;/p&gt;

&lt;p&gt;Certificates are used for authentication, encryption and secure communication among devices and services. Administrators deploy digital certificates via declarations to enable secure access to corporate networks, email, VPNs and other resources. These certificates can be updated independently from the declarations, maintaining current security credentials without a complete policy overhaul.&lt;/p&gt;

&lt;p&gt;Data consists of configuration files, scripts, binaries and content resources. Configuration files contain specific settings for applications or network configurations, while scripts and binaries automate tasks or add functionality. Content resources include branding materials or compliance documents. Managing data as assets allows for efficient updates and reuse across multiple declarations.&lt;/p&gt;

&lt;p&gt;User information includes user profiles, preferences and roles within the organization. This information tailors device settings and permissions based on user roles. Dynamic data, such as location-based information or activity logs, ensures device configurations adapt to the user's current needs.&lt;/p&gt;

&lt;p&gt;Assets are managed separately from declarations, allowing for efficient reuse and updates. When an asset is updated, all declarations referencing that asset can automatically apply the updated version.&lt;/p&gt;

&lt;h4&gt;Predicates&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html#//apple_ref/doc/uid/TP40001789" rel="noopener" target="_blank"&gt;Predicates&lt;/a&gt; in Apple Declarative Management work as the conditional logic elements within declarations that define when and how specific policies should be applied to devices. Predicates are evaluated on the device itself, allowing for real-time, context-aware decision-making. They consist of logical expressions that can reference various device attributes and contextual information. When the conditions specified by a predicate are met, the corresponding policies or configurations within the declaration are enforced.&lt;/p&gt;

&lt;p&gt;Predicates use the NSPredicate syntax from Apple’s Cocoa frameworks to define the conditions under which specific policies should be applied. An NSPredicate expression evaluates to a Boolean value, enabling complex logical conditions over attributes such as device type, OS version, network status and more; in declarative management the attributes available to a predicate are the device’s status items.&lt;/p&gt;

&lt;h4&gt;Status channels&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://support.apple.com/guide/deployment/declarative-status-reports-depd90ee8a5f/web" rel="noopener" target="_blank"&gt;Status channels&lt;/a&gt; are communication pathways that devices use to report their state back to the server. Unlike traditional MDM, with which devices constantly check in with the server, status channels enable asynchronous and event-driven communication. Key features of status channels include:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Asynchronous reporting:&lt;/strong&gt; Devices send status updates only when there is a change in their state or when specific conditions are met.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Efficient communication:&lt;/strong&gt; This reduces the need for continuous polling, minimizing network traffic and server load.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Real-time monitoring:&lt;/strong&gt; Administrators receive timely updates about the compliance and state of devices, allowing for prompt action if necessary.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Status channels ensure that administrators are informed of any deviations from the desired state, enabling proactive management and quick remediation.&lt;/p&gt;
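&lt;p&gt;The four components above as they appear on the wire, in an added illustration that is not part of the original post and not Ivanti’s or Apple’s documentation. DDM exchanges JSON: the server publishes a declaration-items manifest, the device fetches the declarations whose ServerToken changed, evaluates activation predicates locally and reports back through a status channel. The com.example identifiers and token values are made up; the Type strings, key names and status item names follow Apple’s published declaration schema as recalled here and should be checked against Apple’s device management documentation before use. Asset declarations use the same envelope with a com.apple.asset prefix and are omitted to keep the sample short.&lt;/p&gt;

```jsonc
// Server to device: the declaration-items manifest. The device compares each
// ServerToken with what it has cached and fetches only declarations whose token
// changed. Tokens are opaque to the device; a content hash is a common choice.
{
  "Declarations": {
    "Activations": [
      { "Identifier": "com.example.activation.iphone-baseline", "ServerToken": "v1-a1f3c9" }
    ],
    "Configurations": [
      { "Identifier": "com.example.config.status-subscriptions", "ServerToken": "v2-0c77e4" }
    ],
    "Assets": [],
    "Management": []
  },
  "DeclarationsToken": "v7-5e9d12"
}

// Server to device: the activation. The predicate is evaluated on the device
// against its own status items; the configurations it lists apply only while
// the predicate is true, and are dropped again if it stops being true.
{
  "Type": "com.apple.activation.simple",
  "Identifier": "com.example.activation.iphone-baseline",
  "ServerToken": "v1-a1f3c9",
  "Payload": {
    "Predicate": "(@status(device.model.family) == 'iPhone')",
    "StandardConfigurations": ["com.example.config.status-subscriptions"]
  }
}

// Server to device: a configuration that subscribes to status items. Without a
// subscription the device reports nothing beyond its declaration state.
{
  "Type": "com.apple.configuration.management.status-subscriptions",
  "Identifier": "com.example.config.status-subscriptions",
  "ServerToken": "v2-0c77e4",
  "Payload": {
    "StatusItems": [
      { "Name": "device.operating-system.version" },
      { "Name": "passcode.is-compliant" }
    ]
  }
}

// Device to server: a status report, sent when a subscribed item changes rather
// than on a polling schedule. management.declarations is always included and is
// how the server learns which declarations the device accepted.
{
  "StatusItems": {
    "device": { "operating-system": { "version": "18.5" } },
    "passcode": { "is-compliant": false },
    "management": {
      "declarations": {
        "activations": [
          { "identifier": "com.example.activation.iphone-baseline",
            "server-token": "v1-a1f3c9", "active": true, "valid": "valid" }
        ],
        "configurations": [
          { "identifier": "com.example.config.status-subscriptions",
            "server-token": "v2-0c77e4", "active": true, "valid": "valid" }
        ]
      }
    }
  },
  "Errors": []
}
```

&lt;p&gt;Two details a practitioner should notice: the device never applies the status-subscriptions configuration unless an activation references it and that activation’s predicate holds, and ServerToken must change whenever a payload changes, because the device uses the token, not the payload, to decide whether to refetch a declaration.&lt;/p&gt;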

&lt;h2&gt;Apple declarative device management in Ivanti UEM solutions&lt;/h2&gt;

&lt;p&gt;Ivanti keeps its products updated with the latest enhancements in the device management industry. Both our UEM cloud and on-premises solutions support declarative management.&lt;/p&gt;

&lt;p&gt;Declarative device management is not a full replacement of the traditional MDM protocol. Therefore, solutions will present a hybrid approach, leveraging the best of both frameworks. Ivanti customers will see progressive and seamless integration of the new capabilities in our platforms as Apple also makes improvements to the framework with every new release of its operating systems.&lt;/p&gt;

&lt;hr&gt;
&lt;h3&gt;Related Content&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/devices/ios-device-management"&gt;iOS Device Management solutions&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Sat, 07 Jun 2025 13:00:01 Z</pubDate></item><item><guid isPermaLink="false">97d6a618-6e80-482b-b581-806fced981ef</guid><link>https://www.ivanti.com/blog/apple-declarative-device-management-updates</link><atom:author><atom:name>Yosune Baltra</atom:name><atom:uri>https://www.ivanti.com/blog/authors/yosune-baltra</atom:uri></atom:author><category>Endpoint Management</category><title>Optimizing Apple DDM with Ivanti’s Latest Innovations</title><description>&lt;p&gt;The explosion in devices—particularly Apple devices—deployed across a modern enterprise is increasing the already arduous device management burden on IT and cybersecurity teams.&lt;/p&gt;

&lt;p&gt;According to recent &lt;a href="https://www.computerworld.com/article/1634358/three-quarters-of-large-us-firms-now-using-more-apple-devices-survey.html?utm_source=chatgpt.com" rel="noopener" target="_blank"&gt;research&lt;/a&gt;, 76% of large enterprises are using more Apple devices, and 57% of US firms say Apple adoption is outpacing other options. So, it’s become crucial for more enterprises to leverage Apple Declarative Device Management (DDM) to streamline device management, automate compliance and enhance scalability.&lt;/p&gt;

&lt;p&gt;Apple's approach to DDM was introduced in 2021 and expanded with each OS release. It’s created a fundamental shift in device management, streamlining software updates and patching. Now, IT teams can define desired states so Apple devices can self-enforce configurations and updates &lt;em&gt;locally&lt;/em&gt;, reducing reliance on servers and manual intervention.&lt;/p&gt;

&lt;p&gt;Thus, updates can happen faster, errors can be minimized, and end-user experiences can be improved invisibly and proactively, which appreciably eases IT workloads while sustaining security and operational agility.&lt;/p&gt;

&lt;p&gt;Apple is deprecating legacy software update management in iOS, iPadOS and macOS 26, and will remove support in 2027 OS versions, which means now is the time to make the switch to DDM. Let's explore how Ivanti's MDM and UEM products will enable admins to get the most out of Apple DDM.&lt;/p&gt;

&lt;h2&gt;What is declarative device management (DDM)?&lt;/h2&gt;

&lt;p&gt;DDM is an advanced approach to managing devices, primarily in enterprise or organizational IT environments. It empowers administrators to define a device or system's desired state and allows the system to automatically enforce and maintain that state.&lt;/p&gt;

&lt;p&gt;The DDM model shifts away from traditional imperative management, where configurations and actions are centrally scripted and managed by IT administrators. That approach requires direct instructions to achieve the desired outcome on each device.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key features and benefits of DDM&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;What are DDM’s advantages over a traditional device management model?&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Administrators can specify the desired state or behavior of a device, focusing on "what" it should look like instead of "how" to achieve that state. For example, rather than scripting individual commands for configuring security settings, an admin can simply declare the required settings and the system will enforce them.&lt;/li&gt;
	&lt;li&gt;Devices autonomously monitor their configurations to ensure compliance with a predefined state. If a device deviates, it automatically corrects itself to restore compliance without manual intervention.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;DDM proves highly effective in large-scale settings since it minimizes the need for repetitive and manual configuration tasks.&lt;/li&gt;
	&lt;li&gt;DDM minimizes the complexity of management workflows and ensures consistency across devices.&lt;/li&gt;
	&lt;li&gt;DDM uses modern management protocols for faster and more reliable updates to device configurations and policies.&lt;/li&gt;
	&lt;li&gt;DDM is commonly implemented in cloud-based mobile device management (MDM) solutions, leveraging the cloud for synchronization, monitoring and enforcement, although it can also be implemented in on-prem solutions.&lt;/li&gt;
	&lt;li&gt;DDM reduces manual effort by automating configuration and enforcement processes.&lt;/li&gt;
	&lt;li&gt;Ensures consistency and compliance across devices, reducing the risk of human error.&lt;/li&gt;
	&lt;li&gt;Dynamic updates mean quicker application of policies and settings versus traditional methods.&lt;/li&gt;
	&lt;li&gt;Changes are implemented seamlessly without disrupting the user experience.&lt;/li&gt;
&lt;/ul&gt;

&lt;hr&gt;
&lt;blockquote&gt;
&lt;h2&gt;An example DDM use case&lt;/h2&gt;

&lt;p&gt;In a hypothetical example, an IT administrator declares that all employee devices within the enterprise environment must:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Have a specific version of the operating system.&lt;/li&gt;
	&lt;li&gt;Enable encryption.&lt;/li&gt;
	&lt;li&gt;Restrict access to certain applications.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Using DDM, these requirements are automatically applied, continuously enforced and remediated if there’s any deviation.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;hr&gt;
&lt;h2&gt;Software updates and OS patching via Apple DDM&lt;/h2&gt;

&lt;p&gt;Utilizing Apple Declarative Device Management for software updates and operating system (OS) patching seriously improves these processes, making them more proactive, efficient and seamless. It simplifies administration, cuts down on delays and guarantees a fleet of devices is always secure and up-to-date.&lt;/p&gt;

&lt;h4&gt;Software update benefits&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;Centralized control with distributed execution&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Administrators set configurations centrally but rely on the device's local capabilities for execution.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Proactive local enforcement&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Updates are enforced at the device level, eliminating the need for constant server intervention. Admins set a desired OS version and deadline, and the device autonomously ensures compliance.&lt;/li&gt;
	&lt;li&gt;The device monitors itself, applying updates without the need for constant server communication.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Automation&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Admins can configure specific versions and deadlines and update schedules (e.g., after work hours), automating the process while minimizing end-user disruption.&lt;/li&gt;
	&lt;li&gt;For example, a critical security patch can be scheduled for a particular time, ensuring all devices are updated without user intervention.&lt;/li&gt;
	&lt;li&gt;If a device is powered off and misses the update deadline, declarative management reschedules the update automatically for a later time.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;User notification and experience&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Notifications begin 14 days before the deadline, reminding users to update at their convenience. On the deadline, the device automatically reboots and installs updates if necessary.&lt;/li&gt;
	&lt;li&gt;Admins can customize these notifications or suppress early reminders (e.g., for retail or healthcare environments).&lt;/li&gt;
	&lt;li&gt;Admins can configure the level of user interaction allowed by Apple DDM, such as permitting manual updates before the enforced deadline or limiting user deferrals.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Faster updates with reduced network dependency&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Unlike traditional MDM, where the server continuously checks device status, DDM reduces latency by shifting the compliance mechanism to the endpoint.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Enhanced status reporting&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Devices proactively report the status of updates to the server including whether an update is in progress, completed successfully or failed. In case of failure, detailed error logs are available.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;OS patching benefits&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;Predicates for context-aware updates&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;DDM allows conditional rules (predicates) for updates, such as only applying a patch when a device is charging or has a battery above 80%.&lt;/li&gt;
	&lt;li&gt;These conditions are evaluated locally on the device, making updates context-sensitive and efficient.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Seamless transition to new OS versions&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;DDM automatically manages the transition to new OS releases or security patches without requiring manual admin oversight at each step.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Local action without internet&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Devices can enforce configurations and patches even when offline, applying updates based on preloaded criteria and activating changes when conditions permit (e.g., when connected to power or during off-hours).&lt;/li&gt;
&lt;/ul&gt;

&lt;hr&gt;
&lt;blockquote&gt;
&lt;h2&gt;Another practical use case&lt;/h2&gt;

&lt;p&gt;In an organization with 1,000+ iPhones and MacBooks, a zero-day vulnerability requires immediate patching. The solution?&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;The admin declares a patch deadline and target version using Apple DDM.&lt;/li&gt;
	&lt;li&gt;Devices enforce the update based on local predicates, ensuring the patch is applied under optimal conditions (e.g., during low battery drain times).&lt;/li&gt;
	&lt;li&gt;Users receive notifications prior to the update so they’re informed without interrupting workflows.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
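&lt;p&gt;What the declarations for the use case above look like, as an added illustration that is not part of the original post and not Ivanti’s or Apple’s documentation. It assumes iOS 18.5 carries the fix and that the admin wants the update installed by 18:00 device-local time on 20 June; the com.example identifiers, tokens and URL are made up, and the Type strings, payload keys and status item names follow Apple’s published declaration schema as recalled here and should be verified against Apple’s device management documentation before use.&lt;/p&gt;

```jsonc
// Server to device: the enforcement configuration. TargetLocalDateTime is in
// the device's local time with no zone suffix; a device already at or past
// TargetOSVersion has nothing to install and simply stays compliant.
{
  "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
  "Identifier": "com.example.config.osupdate-18-5",
  "ServerToken": "v3-9b2e71",
  "Payload": {
    "TargetOSVersion": "18.5",
    "TargetLocalDateTime": "2025-06-20T18:00:00",
    "DetailsURL": "https://intranet.example.com/it/ios-18-5-security-update"
  }
}

// Server to device: the activation that scopes the enforcement. Version strings
// compare lexicographically inside a predicate ('18.10' sorts before '18.5'),
// so scope on something categorical and let the enforcement payload carry the
// version rather than encoding a version comparison in the predicate.
{
  "Type": "com.apple.activation.simple",
  "Identifier": "com.example.activation.iphone-osupdate",
  "ServerToken": "v1-7d4190",
  "Payload": {
    "Predicate": "(@status(device.model.family) == 'iPhone')",
    "StandardConfigurations": [
      "com.example.config.osupdate-18-5",
      "com.example.config.update-status"
    ]
  }
}

// Server to device: subscribe to the update status items so progress arrives
// as status reports instead of being polled by the server.
{
  "Type": "com.apple.configuration.management.status-subscriptions",
  "Identifier": "com.example.config.update-status",
  "ServerToken": "v1-c0de55",
  "Payload": {
    "StatusItems": [
      { "Name": "softwareupdate.install-state" },
      { "Name": "softwareupdate.pending-version" },
      { "Name": "device.operating-system.version" }
    ]
  }
}

// Device to server: one report mid-rollout. A later report with
// device.operating-system.version "18.5" is what closes the item on the server.
{
  "StatusItems": {
    "softwareupdate": { "install-state": "downloading", "pending-version": "18.5" },
    "device": { "operating-system": { "version": "18.4.1" } }
  },
  "Errors": []
}
```

&lt;p&gt;An MDM server such as Ivanti’s generates these declarations from the enforcement settings an admin enters in the console; the fragment shows what the device actually receives, and why the deadline, the scoping condition and the status reporting described in the bullets above are three separate declarations rather than one setting.&lt;/p&gt;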

&lt;h2&gt;Ivanti’s declarative management support&lt;/h2&gt;

&lt;p&gt;Ivanti’s declarative management support builds on Apple’s Declarative Device Management (DDM) framework to offer a seamless, proactive and efficient approach to managing Apple devices. What are some of its key components?&lt;/p&gt;

&lt;h4&gt;Integration with Apple’s DDM framework&lt;/h4&gt;

&lt;p&gt;Ivanti utilizes Apple’s DDM as an enhancement to the existing Mobile Device Management (MDM) protocol – &lt;em&gt;not&lt;/em&gt; a complete replacement but an additional layer designed to:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Automate device responses: Allow devices to enforce configurations and policies locally, reducing reliance on the server for continuous checks.&lt;/li&gt;
	&lt;li&gt;Enable real-time proactivity: Devices can autonomously apply updates or configurations when predefined conditions (predicates) are met.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;Software update enforcement&lt;/h4&gt;

&lt;p&gt;Ivanti's platform supports Apple’s declarative software update management, which introduces:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Enforcement settings: Administrators can specify OS versions, deadlines and update schedules.&lt;/li&gt;
	&lt;li&gt;Proactive local actions: Devices monitor themselves and apply updates without requiring manual input or waiting for server-side triggers.&lt;/li&gt;
	&lt;li&gt;Improved communication: Devices report their update progress, success or failure directly to the Ivanti management server, providing admins with real-time visibility.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;Predicate management&lt;/h4&gt;

&lt;p&gt;A standout feature of Ivanti’s support is its handling of predicates – logical conditions that devices evaluate before applying configurations or updates. For example:&amp;nbsp;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;A policy applies only if the device’s battery is above 80%.&lt;/li&gt;
	&lt;li&gt;A configuration activates when the device is charging.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Simplified predicate management in Ivanti’s console&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Ivanti provides a dedicated interface for creating, managing and reusing predicates across configurations.&lt;/li&gt;
	&lt;li&gt;These predicates can be easily applied to declarative configurations, streamlining complex workflows.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;User experience and notifications&lt;/h4&gt;

&lt;p&gt;Ivanti enhances the user experience by leveraging Apple’s notification capabilities:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Notifications can start 14 days before the update deadline, with options to tailor their frequency and content.&lt;/li&gt;
	&lt;li&gt;Critical updates can override user deferrals by enforcing reboots and updates at the scheduled deadline.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Past-due handling&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;If a device misses the deadline (e.g., because it was turned off), Ivanti reschedules the update automatically, ensuring compliance.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Supported configurations&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Ivanti ensures backward compatibility and a smooth transition to declarative management by supporting both legacy MDM and newer DDM configurations.&lt;/li&gt;
	&lt;li&gt;Existing policies and workflows continue without disruption.&lt;/li&gt;
	&lt;li&gt;Declarative configurations (e.g., predicates and local enforcement) are gradually integrated and highlighted within the platform.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Related: Watch the webinar &lt;a href="https://www.ivanti.com/webinars/2024/mastering-apple-device-management-with-ivanti"&gt;Mastering Apple Device Management with Ivanti&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;Ivanti’s guidance for updating and patching Apple devices with declarative device management&lt;/h2&gt;

&lt;p&gt;Ivanti’s approach to supporting Apple DDM leverages the proactive capabilities of Apple's declarative management framework, combining it with a user-friendly interface, automation and support for complex enterprise workflows. This comprehensive guidance enhances enterprise device management efficiency and security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Enforcing updates and patches&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Automated scheduling lets admins enforce updates by specifying the target OS version along with a specific date and time for the update to occur. This eliminates the need for manual updates and ensures compliance with organizational policies.&lt;/li&gt;
	&lt;li&gt;Devices enforce updates locally, applying them based on preconfigured conditions without relying on continuous server communication.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Managing user notifications&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Notifications are sent to end users starting 14 days before the update deadline, providing transparency and encouraging users to update at their convenience.&lt;/li&gt;
	&lt;li&gt;For specific use cases such as retail or healthcare, flexible notification configurations let admins suppress early notifications and opt for last-minute alerts to minimize disruption.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Improving compliance and visibility&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Devices proactively report their update status to the Ivanti server, indicating whether updates are in progress, completed successfully or failed. Administrators also gain access to detailed error logs to troubleshoot issues.&lt;/li&gt;
	&lt;li&gt;If a device misses the deadline (e.g., if it is powered off), the device automatically reschedules the update for the next available hour.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Using predicates for conditional updates&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Administrators can define predicate logic for when updates should be applied.&lt;/li&gt;
	&lt;li&gt;Since conditions are evaluated locally, updates can happen even when the device is offline.&lt;/li&gt;
	&lt;li&gt;Ivanti provides tools for creating, managing and reusing predicates across configurations, making conditional updates simpler and easier to implement.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Enhancing user experience&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;End users get clear communication about the update schedule, including the enforced deadline. They have the option to install updates manually before the deadline to avoid automatic enforcement.&lt;/li&gt;
	&lt;li&gt;Updates can be scheduled during off-hours to minimize disruption of the user's daily activities.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Streamlining patch management&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Ivanti supports declarative patch management for Apple system updates.&lt;/li&gt;
	&lt;li&gt;Administrators can enforce updates, including critical security patches, ensuring devices remain secure and compliant.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Related: Read our Knowledge Base article on &lt;a href="https://forums.ivanti.com/s/article/How-to-enforce-Apple-Software-Updates-with-Neurons-for-MDM-and-EPMM?language=en_US" target="_blank"&gt;How to enforce Apple Software Updates with Neurons for MDM and EPMM&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;A standout approach to supporting Apple DDM&lt;/h2&gt;

&lt;p&gt;Ivanti's approach to Apple Declarative Device Management stands out because it extends an organization’s automation, local enforcement and proactive capabilities.&lt;/p&gt;

&lt;p&gt;Administrators benefit from user-friendly tools, customizable notifications and detailed status reporting, while end-user disruption is minimized through scheduled updates and seamless workflows. With Ivanti, Apple DDM becomes even more efficient, secure and scalable for the organizations that rely on it.&lt;/p&gt;


&lt;blockquote&gt;
&lt;p&gt;Related: &lt;a href="https://www.ivanti.com/blog/a-guide-to-apple-declarative-device-management-for-enterprises"&gt;A Guide to Apple Declarative Device Management for Enterprises&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

</description><pubDate>Tue, 21 Jan 2025 20:10:27 Z</pubDate></item><item><guid isPermaLink="false">331fe042-9a9f-4fc2-9264-3a7113fcdc48</guid><link>https://www.ivanti.com/blog/how-implementing-risk-based-patch-management-prioritizes-active-exploits</link><atom:author><atom:name>Todd Schell</atom:name><atom:uri>https://www.ivanti.com/blog/authors/todd-schell</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>How Risk-Based Patch Management Prioritizes Active Exploits</title><description>&lt;p&gt;Resistance to change is always present, especially if you think the processes you have in place are efficient and effective. Many organizations feel this way about their software management procedures until they have a security breach or incident and are left wondering where they went wrong.&lt;/p&gt;

&lt;p&gt;The reality is that most patch management programs are built on assumptions and recommendations, rather than facts about actively exploited vulnerabilities.&amp;nbsp;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;Risk-based patch management&lt;/a&gt;&amp;nbsp;is the answer to this issue.&lt;/p&gt;

&lt;p&gt;In this article, find:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="#one"&gt;What’s wrong with keeping typical prioritizations.&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#two"&gt;What risk-based patch management is.&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#three"&gt;Why it’s the perfect time to adopt risk-based patch management.&amp;nbsp;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;h2 id="one"&gt;The problems with typical patch prioritization&lt;/h2&gt;

&lt;p&gt;Software feature updates, security fixes, bug fixes, performance enhancements and many other types of software releases have existed since the software industry started. Vendors often assign a severity rating or other score to each of these to let customers know what they think is most important.&lt;/p&gt;

&lt;p&gt;Unfortunately, there’s no industry standard associated with these ratings, so we are left to compare and prioritize releases for deployment on our systems based on recommendations. On top of that, such ratings are rarely updated to account for active threat context even as vulnerabilities change.&lt;/p&gt;

&lt;h3&gt;Overlooking an actively exploited vulnerability&lt;/h3&gt;

&lt;p&gt;While better than nothing at all, vendor severity ratings often come up short.&amp;nbsp;Consider the Follina vulnerability (&lt;a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190" rel="noopener" target="_blank"&gt;CVE-2022-30190&lt;/a&gt;)&amp;nbsp;published in May of 2022. This vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows for remote code execution.&lt;/p&gt;

&lt;p&gt;Follina was under attack for several months before Microsoft finally responded with several updates. Alarmingly, Microsoft only assigned this vulnerability a Common Vulnerability Scoring System (CVSS) v3 rating of 7.8 and severity of Important. If you’re only patching based on Critical severity,&amp;nbsp;you'd&amp;nbsp;have missed this one, leaving a significant gap in your attack surface.&lt;/p&gt;

&lt;p&gt;Worse yet, Follina’s CVSS score remained at 7.8 even after it was revealed the vulnerability was being&amp;nbsp;&lt;a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker" rel="noopener" target="_blank"&gt;actively exploited to distribute Bisamware ransomware&lt;/a&gt;, exposing organizations that had overlooked the vulnerability to even more risk.&amp;nbsp;&lt;/p&gt;

&lt;figure&gt;&lt;img alt="Ivanti Neurons for Vuln KB" src="https://static.ivanti.com/sites/marketing/media/images/blog/2023/05/bisamware-ransomware-intel.png"&gt;
&lt;figcaption&gt;Intelligence on the ransomware threat associated with CVE-2022-30190 displayed in Ivanti Neurons for VULN KB&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h3&gt;CVSS shortcomings&lt;/h3&gt;

&lt;p&gt;Severity ratings are ‘augmented’ with CVSS scores from&amp;nbsp;&lt;a href="https://www.first.org/cvss/" rel="noopener" target="_blank"&gt;FIRST&lt;/a&gt;. Each CVE is assigned a CVSS number, such as the 7.8 given to CVE-2022-30190 in the example above.&lt;/p&gt;

&lt;p&gt;One of the major objectives behind&amp;nbsp;calculating&amp;nbsp;the actual CVSS number is to ensure standardization so all CVEs are scored consistently and can be accurately compared. The higher the CVSS score for a vulnerability and the associated patch, the more critical it is to deploy in most environments.&lt;/p&gt;

&lt;p&gt;For software updates that address multiple CVEs, the highest CVSS value is usually considered for prioritization. But is this value even accurate?&lt;/p&gt;

&lt;p&gt;The results of an analysis of CVSS scores in a&amp;nbsp;&lt;a href="https://www.darkreading.com/application-security/discrepancies-discovered-in-vulnerability-severity-ratings" rel="noopener" target="_blank"&gt;recent article&lt;/a&gt; showed&amp;nbsp;there's&amp;nbsp;a discrepancy for nearly 20% of CVSS scores (25,000). This analysis was based on a comparison of the scores reported in the NIST National Vulnerability Database (NVD) and those reported directly by the vendors themselves.&lt;/p&gt;

&lt;h3&gt;Vendor severity inconsistencies&lt;/h3&gt;

&lt;p&gt;One important point to keep in mind is that vendors have historically assigned their own terminology to severity (e.g., critical, important).&amp;nbsp;Using&amp;nbsp;vendor severity scoring as a priority mechanism may work well when comparing all patches by a given&amp;nbsp;vendor,&amp;nbsp;but it&amp;nbsp;doesn't&amp;nbsp;always provide an accurate comparison of patches between vendors. In fact, many use different terminology entirely.&lt;/p&gt;

&lt;p&gt;Likewise, vendor severity&amp;nbsp;isn't&amp;nbsp;always a positive indicator. Many zero-day vulnerabilities are only rated Important by Microsoft but have high CVSS numbers. You can see how patching using severity and CVSS for prioritization is using assumptions and recommendations and can result in a vulnerable environment.&lt;/p&gt;

&lt;h3&gt;Why prioritize active exploits over any other prioritization method?&lt;/h3&gt;

&lt;p&gt;According to the US&amp;nbsp;Cybersecurity and Infrastructure Security Agency (CISA), an&amp;nbsp;&lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;actively exploited vulnerability&lt;/a&gt;&amp;nbsp;is “one for which there is reliable evidence that execution of malicious code was performed by an actor on a system without permission of the system owner.” In layman’s terms, a vulnerability under active exploitation is one&amp;nbsp;that's been used by a threat actor to launch a cyberattack.&lt;/p&gt;

&lt;p&gt;Thus, to minimize the risk of an attack on your organization, you must prioritize actively exploited vulnerabilities above all others. This is good news as most vulnerabilities aren't being actively exploited and thus pose little to no risk to your organization. You can identify those that have been exploited through risk-based patch management.&lt;/p&gt;

&lt;h2 id="two"&gt;What is&amp;nbsp;risk-based patch management?&lt;/h2&gt;

&lt;p&gt;Risk-based patch management is an extension of risk-based vulnerability management, which goes beyond vendor severity and basic CVSS scores to identify and qualify the specific vulnerabilities that pose the most significant risk to an organization. This brings real-world risk context into the patch management process so that IT teams can focus their efforts on updates with known exploited vulnerabilities that matter most to an organization’s security posture.&lt;/p&gt;

&lt;h3&gt;How can my organization adopt risk-based patch management?&lt;/h3&gt;

&lt;p&gt;For organizations ready to adopt a risk-based approach to patch management, a good place to start is the CISA&amp;nbsp;&lt;a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="noopener" target="_blank"&gt;Known Exploited Vulnerabilities&lt;/a&gt; (KEV)&amp;nbsp;catalog. CISA took a major step forward to help prioritize vulnerabilities when it introduced&amp;nbsp;&lt;a href="https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities" rel="noopener" target="_blank"&gt;Binding Operational Directive 22-01&lt;/a&gt;&amp;nbsp;along with its KEV&amp;nbsp;catalog.&amp;nbsp;When originally released, the catalog contained some 200 actively exploited vulnerabilities. It has since grown to almost 900.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;CISA builds the list with the knowledge the vulnerabilities it contains are being exploited in the wild by active threats.&amp;nbsp;However, the list does have its shortcomings, as it currently excludes&amp;nbsp;&lt;a href="https://www.securin.io/ransomware/" rel="noopener" target="_blank"&gt;131 vulnerabilities associated with ransomware&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;Is the CISA KEV catalog the only resource available for risk-based patch management?&lt;/h3&gt;

&lt;p&gt;Organizations with more mature risk-based patch management practices leverage advanced risk scoring methodologies in place of or in addition to CVSS. These methodologies assign scores to every vulnerability identified in an organization’s environment, allowing those organizations to expand their risk-based approach beyond the CISA KEV.&lt;/p&gt;

&lt;p&gt;Many vendors in the risk-based vulnerability management space have developed proprietary scoring methodologies that represent the true risk posed by a vulnerability. They do so by delivering dynamic risk ratings that give extra weight to actively exploited vulnerabilities.&lt;/p&gt;

&lt;p&gt;For example, Ivanti’s&amp;nbsp;&lt;a href="/resources/v/doc/ivi/2683/cbe60d387c0b" target="_blank"&gt;Vulnerability Risk Rating&lt;/a&gt; (VRR)&amp;nbsp;has assigned Follina a score of 10, a score that more accurately represents the risk posed by that vulnerability than its CVSS score of 7.8.&lt;/p&gt;

&lt;figure&gt;&lt;img alt="Ivanti's VRR rating of Follina." src="https://static.ivanti.com/sites/marketing/media/images/blog/2023/05/follina-cvss-vs-vrr.png"&gt;
&lt;figcaption&gt;The difference between the VRR and CVSS v3 scores and severity levels for CVE-2022-30190 as shown in Ivanti Neurons for VULN KB&amp;nbsp;&lt;/figcaption&gt;
&lt;/figure&gt;

&lt;h2 id="three"&gt;Why it’s the perfect time to adopt risk-based patch management&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;If you feel you’ve fallen behind on system updates or are overwhelmed by new systems and applications in your company, now is the perfect time to adopt risk-based patch management.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Even if you feel you have a solid program in place based on severity ratings and CVSS scores, it’s time to remove the resistance to change and start a new process before your business is devastated by a data breach stemming from an exploited vulnerability.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Start by using the CISA KEV to prioritize your updates and&amp;nbsp;earmark&amp;nbsp;a budget&amp;nbsp;for a risk-based vulnerability and patch management solution. With the proper tools in&amp;nbsp;place,&amp;nbsp;you can quickly identify the highest risk systems to patch first and work down the list to ensure your systems are secure.&lt;/p&gt;

&lt;p&gt;Looking to take the first step? Dive into this eBook for&amp;nbsp;a one-stop guide for&amp;nbsp;&lt;a href="https://www.ivanti.com/resources/v/doc/ivi/2705/11190ce11e80"&gt;implementing a modern risk-based patch management program&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

</description><pubDate>Fri, 03 Jan 2025 18:10:36 Z</pubDate></item><item><guid isPermaLink="false">d680699b-34a6-4cb7-9064-ca658e3239d7</guid><link>https://www.ivanti.com/blog/ivanti-announces-android-15-readiness</link><category>Endpoint Management</category><category>Ivanti News</category><title>Ivanti Announces Android 15 Readiness</title><description>&lt;p&gt;At Ivanti, providing our customers with uninterrupted functionality and availability is important to us. So, we are pleased to announce that for the release of Android 15, our UEM products are ready for this update. That means our customers can enjoy a smooth transition to Google's latest Android release on Day Zero.&lt;/p&gt;

&lt;p&gt;This readiness for the new release is another example of how we continuously bring new functionalities to our products by working with customers and partners. Customers can access Ivanti specific product support for &lt;a href="https://forums.ivanti.com/s/article/Ivanti-Guidance-on-Android-15-Compatibility" target="_blank"&gt;Android 15 on our support page&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Line of business and Android – a new digital era with Ivanti&lt;/h2&gt;

&lt;p&gt;Business operations around the globe are thriving with Android adoption. Organizations of all sizes are competing in this new digital era and trying to maximize their ROI from the rapid innovation being driven by mobile devices and artificial intelligence, and Android is at the forefront of that.&lt;/p&gt;

&lt;p&gt;These companies are striving to achieve higher efficiencies, whether through adoption of AI for operational excellence or by leveraging Ivanti’s capabilities to reduce TCO and improve LOB insights. We see organizations around the world turning to Android + Ivanti for their digital transformation needs. This is because we’ve remained committed to continual excellence and improvement in providing advanced capabilities, privacy and trust on our platform, built from the ground up with security in mind.&lt;img alt="badge android enterprise partner" src="https://static.ivanti.com/sites/marketing/media/images/blog/2024/11/android-partnerlogos-stacked.png"&gt;&lt;/p&gt;

&lt;p&gt;We are also thrilled to share that Ivanti is once again recognized as a Google Gold Partner, in addition to having been awarded an Android Enterprise Recommended badge for our product.&lt;/p&gt;

&lt;p&gt;With the industry recognition, we look forward to helping our customers succeed and building exciting new innovations!&lt;/p&gt;

&lt;h2&gt;What’s new for enterprises in Android 15&lt;/h2&gt;

&lt;p&gt;Unlike past releases, Android 15 saw the stock Android Open Source Platform (AOSP) released first. However, many qualifying Google Pixel devices also received the day-one update as Ivanti device management solutions were ready with support. Device manufacturers follow a different cadence for over-the-air (OTA) updates; we recommend IT enforce necessary policies to maintain business continuity and check with vendors for updates and schedules.&lt;/p&gt;

&lt;p&gt;Android 15 has several features ranging from improved security to managing AI assist, as well as many enhancements to improve enterprise privacy and control.&lt;/p&gt;

&lt;p&gt;Key Android 15 highlights for enterprise include:&lt;/p&gt;

&lt;h3&gt;Private Space&lt;/h3&gt;

&lt;p&gt;This is a completely new concept being introduced for the first time on Android 15. Private Space lets users create a separate “space” on their device where they can keep sensitive apps away from accidental or deliberate access by people other than the owner of the device, under an additional layer of authentication.&lt;/p&gt;

&lt;p&gt;This may seem beneficial for users' personal apps, but it comes with concerns for enterprises, which may have to choose between enabling and disabling this function for their corporate-owned, personally-enabled fleet. For fully managed devices (i.e., organizationally owned, with no personal profile allowed), Private Space will not be allowed.&lt;/p&gt;

&lt;h3&gt;Circle to Search&lt;/h3&gt;

&lt;p&gt;While many of us are still filled with excitement around generative AI, Google has added control to limit features like Circle to Search and Assistant apps from accessing “assist content.”&lt;/p&gt;

&lt;h3&gt;Introduction of managed eSIM&lt;/h3&gt;

&lt;p&gt;Android 15 extends the capabilities of Android for eSIM by allowing IT to manage eSIM on capable devices using activation codes. This new capability is expected to help organizations move away from hardware SIMs and prove useful for customers planning to migrate from one service to another.&lt;/p&gt;

&lt;h3&gt;New security &amp;amp; privacy controls&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;On Device Abuse Detection&lt;/strong&gt; (ODAD) will be disabled to prevent scanning of enterprise developed “in-house” apps. For organizations which may benefit from ODAD, control has been added in Android 15 to enable it for work apps.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Adhering to NIAP compliance:&lt;/strong&gt; Android 15 migrates the existing backup service audit logging event from logcat to the security log.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Near-field communication&lt;/strong&gt; on Android 15 can be disabled altogether through management controls.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;BYOD privacy improvements:&lt;/strong&gt; EMM solutions will be prevented from accessing users' personal subscriptions (cellular details), though access to a managed subscription will continue to be available.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Some additional features include: screen-brightness control has been extended to WPCOD mode; a control to allow embedded or physical SIMs on a device has been made available; the minimum target SDK version for apps has been changed to API 24 (this determines whether an app will be allowed to be installed on an Android 15 device); apps which run foreground services for longer than six hours may require changes; and more.&lt;/p&gt;

&lt;p&gt;To learn more about what’s new, refer to &lt;a href="https://developer.android.com/work/versions/android-15" rel="noopener" target="_blank"&gt;Google’s page for Android 15&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;We’re committed to Android 15 – and our customers&lt;/h2&gt;

&lt;p&gt;Since we manage some of the world's largest Android deployments, the Ivanti team is always as excited and apprehensive as you may be when a new OS version is released.&amp;nbsp; This is why we provide our customers with a product which allows you to safely and productively adopt any new OS version on Day Zero.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;There’s a lot of work going on behind the scenes, but it ensures we’re able to help make every Android release a success for our customers. As we start building support for new customer-centric features on Android 15, we ask that you share your use cases with us and the Ivanti community, and reach out to your Ivanti contacts for any additional information.&lt;/p&gt;
</description><pubDate>Thu, 07 Nov 2024 18:16:52 Z</pubDate></item><item><guid isPermaLink="false">c58ed562-e8ed-43a4-b2a3-5c5767734ab2</guid><link>https://www.ivanti.com/blog/cloud-migration-benefits</link><atom:author><atom:name>Gary McAllister</atom:name><atom:uri>https://www.ivanti.com/blog/authors/gary-mcallister</atom:uri></atom:author><category>Endpoint Management</category><category>Security</category><category>Service Management</category><title>Eliminate infrastructure and reduce maintenance costs by moving to the cloud</title><description>&lt;p&gt;Today, companies are constantly searching for ways to streamline operations and gain an edge. Many, though, are weighed down by the burdens and costs of on-premises IT infrastructure. That’s why some are considering the benefits of cloud migration.&lt;/p&gt;

&lt;p&gt;In this article, we’ll take a look at cloud migration benefits and how they help you save money, scale your business and improve your operations. We’ll talk about how getting rid of on-site infrastructure, lowering maintenance costs and using the latest security technologies can help businesses of all sizes.&lt;/p&gt;

&lt;h2&gt;Lower costs and increase scalability&lt;/h2&gt;

&lt;p&gt;By moving to the cloud and leveraging its pay-as-you-go model, businesses can avoid investing heavily in on-site infrastructure, such as servers, software and data centers. This eliminates the capital expenditures associated with purchasing and maintaining hardware and software, freeing up valuable financial resources that can be reallocated to other areas of the business.&lt;/p&gt;

&lt;p&gt;Scalability is another major benefit of moving to the cloud. Businesses can easily scale their IT resources up or down based on their needs, ensuring that they only pay for the resources they use. This is particularly helpful for businesses with fluctuating workloads or seasonal demands. By not overprovisioning infrastructure, they can optimize their IT spending and avoid unnecessary costs.&lt;/p&gt;

&lt;p&gt;Furthermore, the cloud opens the door to using the latest hardware and software, empowering businesses to improve their performance and agility. With cloud providers handling infrastructure updates and maintenance, companies can focus on their core business, free from the burden of managing and updating systems. This allows them to remain competitive and responsive, driving innovation and growth.&lt;/p&gt;

&lt;h2&gt;Reduce costs by eliminating on-site infrastructure&lt;/h2&gt;

&lt;p&gt;Moving to the cloud means more than just not having to buy and maintain hardware. It also means significant reductions in the ongoing costs of on-site infrastructure. By migrating to the cloud, companies can avoid the cost of maintaining physical servers, storage systems and networking equipment. This means no more capital expenditure for hardware, no more power and cooling costs and no more maintenance contracts. Instead, companies can direct that money into initiatives that drive growth and innovation and move their business forward.&lt;/p&gt;

&lt;p&gt;In addition, by reducing the need for an on-site infrastructure, you reduce the need to hire IT personnel to maintain and troubleshoot it. That means your existing IT team can spend less time on routine maintenance and more time on other projects that drive business value. And when you work with a cloud provider, they provide a team of experts who are always monitoring and optimizing their cloud infrastructure to make sure it’s both highly reliable and performing at its best.&lt;/p&gt;

&lt;p&gt;And, because cloud providers benefit from economies of scale, they can provide infrastructure services at a lower cost than on-premises solutions. They do this by making significant investments in state-of-the-art data centers, using energy-efficient technologies and optimizing resource utilization. As a result, your business can save money without sacrificing quality or performance, which is especially important in today’s competitive environment.&lt;/p&gt;

&lt;h2&gt;No need to worry about applying upgrades and patches&lt;/h2&gt;

&lt;p&gt;A major benefit of cloud computing is eliminating the need to apply on-premises upgrades and patches. This shift reduces the risk of human error and delayed upgrades while freeing up IT resources to focus on strategic business initiatives. By removing the complexity of managing vendor relationships for system updates and patches, organizations can significantly streamline IT operations.&lt;/p&gt;

&lt;p&gt;Furthermore, cloud computing providers offer reliable and secure data backup and disaster recovery solutions. This means that in the event of a natural disaster or system failure, businesses can quickly and easily retrieve their data and continue operations without major disruptions. This level of data protection and resilience is often difficult and costly to achieve with on-premises systems. With cloud computing, businesses can enjoy peace of mind knowing that their valuable data is always backed up and readily accessible.&lt;/p&gt;

&lt;h2&gt;Eliminate downtime caused by on-premises upgrades&lt;/h2&gt;

&lt;p&gt;One of the most attractive advantages of moving to the cloud is the elimination of downtime caused by on-premises infrastructure upgrades. These upgrades can be required at regular intervals, often involving lengthy downtime and disruptions to business operations. This can result in lost productivity and revenue as well as customer dissatisfaction.&lt;/p&gt;

&lt;p&gt;In contrast, cloud computing offers a seamless and continuous upgrade process. Cloud providers handle all infrastructure maintenance and upgrades, ensuring minimal or no downtime for businesses. This allows organizations to focus on their core competencies without worrying about the complexities of IT management. By eliminating downtime, they can maintain uninterrupted operations, improve customer satisfaction and gain a competitive edge.&lt;/p&gt;

&lt;p&gt;Furthermore, cloud computing offers access to &lt;a href="https://www.ivanti.com/blog/5-ways-to-secure-your-cloud-journey"&gt;cutting-edge security measures&lt;/a&gt; and compliance certifications. Cloud providers invest heavily in robust security infrastructure and employ dedicated security teams to protect data and systems. So, businesses can enjoy heightened security without the need for substantial investments in their own security infrastructure. This not only reduces costs but also guarantees adherence to industry regulations and standards.&lt;/p&gt;

&lt;h2&gt;Showing a green commitment&lt;/h2&gt;

&lt;p&gt;Beyond security, cloud computing also plays a role in environmental sustainability. Moving to the cloud means businesses can reduce their carbon footprint by decreasing energy consumption and minimizing hardware waste. This is particularly relevant as sustainability and responsible resource management are increasingly important. Embracing cloud computing isn't only a smart business decision but also a way for companies to demonstrate their commitment to a greener future.&lt;/p&gt;

&lt;p&gt;In summary, cloud migration eradicates downtime, eliminates the cost of on-premises infrastructure and fortifies security. Making a move to the cloud delivers a strategic advantage for businesses in pursuit of efficiency, scalability and a competitive edge.&lt;/p&gt;
</description><pubDate>Mon, 04 Nov 2024 15:50:11 Z</pubDate></item><item><guid isPermaLink="false">cd094a87-97b1-4330-a359-a9c1b0d950de</guid><link>https://www.ivanti.com/blog/cloud-migration-benefits-risks</link><atom:author><atom:name>John Armstrong</atom:name><atom:uri>https://www.ivanti.com/blog/authors/john-armstrong</atom:uri></atom:author><category>Endpoint Management</category><category>Security</category><category>Service Management</category><title>Cloud Migration Benefits – and the Challenges to Overcome</title><description>&lt;p&gt;Cloud migration has become a strategic priority for many organizations. By moving data, applications and IT resources from on-premises infrastructure to a cloud-based environment, they can see multiple benefits. But cloud migration also comes with its own unique challenges.&lt;/p&gt;

&lt;p&gt;Gaining a deeper understanding of both the benefits and possible pitfalls of cloud computing is crucial before embarking on your cloud journey. Whether your goal is to reduce infrastructure expenses, improve time-to-market, or more easily scale your IT environment, these insights will empower you to make informed decisions and navigate the migration process with more confidence.&lt;/p&gt;

&lt;h2&gt;Benefits of cloud migration&lt;/h2&gt;

&lt;p&gt;We’ve said there are multiple advantages for an enterprise that makes this move, so here are some of the details.&lt;/p&gt;

&lt;h3&gt;Scalability&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Resource elasticity:&lt;/strong&gt; Cloud platforms offer elastic resources that can scale up or down based on demand. This enables businesses to handle diverse workloads without additional hardware investments.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Global reach:&lt;/strong&gt; Cloud services have a global reach. Businesses can deploy applications closer to their users, reducing latency and improving performance.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Cost efficiency&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Pay-as-you-go:&lt;/strong&gt; Cloud computing operates on a pay-as-you-go model where businesses only pay for the actual resources they use. This aligns perfectly with scalability and contrasts with traditional subscription models where customers pay a fixed fee on a regular schedule regardless of their actual usage.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Reduced or eliminated infrastructure costs:&lt;/strong&gt; Since organizations that move to the cloud no longer need to deploy extensive on-premises architecture to support operations, the costs of buying and maintaining those systems are minimized or eliminated.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Business continuity&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Backup solutions:&lt;/strong&gt; Cloud providers offer comprehensive disaster recovery solutions, ensuring business continuity in the event of infrastructure failures or other disruptions.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;High availability:&lt;/strong&gt; Cloud platforms are designed for high availability, with multiple data centers and redundancy measures in place to minimize potential downtime.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Security&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Advanced protection:&lt;/strong&gt; Leading cloud service providers invest heavily in security capabilities in order to protect cloud-based applications and their users from cyber threats and vulnerabilities. These include access control, identity management, encryption and compliance across multi-cloud and hybrid-cloud environments.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Regular updates:&lt;/strong&gt; Cloud providers constantly update their security protocols to protect against emerging threats and ensure that businesses benefit from the latest security advancements.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Agility and innovation&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Innovative technologies:&lt;/strong&gt; Cloud platforms offer easier access to advanced technologies such as artificial intelligence, machine learning and big data analytics, enabling businesses to remain competitive.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Faster time-to-market:&lt;/strong&gt; Cloud services can support faster application deployment, reducing time to market. With fewer infrastructure barriers, businesses can rapidly respond to changing market conditions and competitive threats.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Collaboration and remote work&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;The Everywhere Workplace:&lt;/strong&gt; Cloud-based tools and services facilitate collaboration among teams, regardless of their physical location, enhancing productivity, efficiency and the overall &lt;a href="https://www.ivanti.com/blog/how-cloud-migration-helps-improve-employee-experience"&gt;employee experience&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Secure everywhere:&lt;/strong&gt; The cloud supports remote work by providing secure access from anywhere to necessary applications and data, which has become crucial in the modern work environment.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Cloud migration challenges&lt;/h2&gt;

&lt;p&gt;As just seen, once applications have been migrated to the cloud, there are numerous benefits. But cloud migration can pose certain challenges. Anticipating them can help IT teams prepare for any potential issues.&lt;/p&gt;

&lt;h3&gt;Data security and privacy&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Breach exposure:&lt;/strong&gt; Migrating applications and sensitive data containing &lt;a href="https://www.dol.gov/general/ppii#:~:text=Personal%20Identifiable%20Information%20(PII)%20is,either%20direct%20or%20indirect%20means." rel="noopener" target="_blank"&gt;personally identifiable information&lt;/a&gt; (PII) to the cloud might expose that data to potential security breaches, so ensuring robust encryption and access control is critical.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Maintaining compliance:&lt;/strong&gt; Ensuring compliance with industry regulations and standards can be challenging in a cloud environment. Regulated financial services, healthcare and e-commerce industries must choose a cloud provider that’s fully capable of supporting their specific compliance requirements.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Downtime and disruption&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Migration downtime:&lt;/strong&gt; The migration process can potentially cause downtime and disrupt business operations. Careful planning and a phased migration can help mitigate this risk.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Service interruptions:&lt;/strong&gt; Although rare, cloud service outages can occur and impact business operations. Having a contingency plan in place is essential. Organizations with zero tolerance for downtime should design for redundancy by utilizing two or more cloud service providers.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Cost overruns&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Uncontrolled usage and spend:&lt;/strong&gt; Even with a pay-as-you-go model, cloud costs can spiral out of control without proper management. So, it’s essential to implement cost management practices and constantly monitor usage.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Hidden costs:&lt;/strong&gt; Every cloud instance is unique. Beware of costs associated with data transfer, CPU, storage, memory and additional services that may not be initially apparent.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Vendor lock-in&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Single provider dependence:&lt;/strong&gt; Relying too heavily on a single cloud service provider may result in vendor lock-in, making it difficult to switch to an alternate provider or move back to on-premises.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Limited flexibility:&lt;/strong&gt; Vendor lock-in can limit flexibility, as the cost, capabilities and limitations of their chosen provider may constrain businesses.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Skill gaps&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Specialized skills:&lt;/strong&gt; Migrating to the cloud requires specialized IT skills and expertise. Investing in training for your team and hiring experienced professionals is crucial for a successful migration.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Change management:&lt;/strong&gt; Adapting to new cloud-based processes and tools can be challenging for employees at all levels. Effective change management strategies and pre-migration training are necessary to ensure a smooth transition.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Performance issues&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Latency and bandwidth:&lt;/strong&gt; Although cloud resources are elastic, specific applications may experience latency and bandwidth issues, especially if the data centers are far from end user locations.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Resource contention:&lt;/strong&gt; Over-subscribed cloud resources can lead to performance degradation if not properly managed.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Summary: Planning can equal migration success&lt;/h2&gt;

&lt;p&gt;Cloud migration offers many benefits, including scalability, cost efficiency, &lt;a href="https://www.ivanti.com/blog/5-ways-to-secure-your-cloud-journey"&gt;enhanced security&lt;/a&gt;, employee flexibility and access to the latest technologies. On the flip side, it also may involve several challenges, including exposure to security breaches, potential downtime, cost management issues and the risk of vendor lock-in.&lt;/p&gt;

&lt;p&gt;But by &lt;em&gt;carefully planning&lt;/em&gt; the migration process, addressing potential pitfalls and leveraging the expertise of skilled professionals, organizations can successfully navigate their cloud migration journey and open new opportunities for growth.&lt;/p&gt;

&lt;p&gt;Learn how solutions like &lt;a href="https://www.ivanti.com/products/ivanti-neurons-zero-trust-access"&gt;Ivanti Neurons for Zero Trust Access&lt;/a&gt; can protect enterprise cloud applications, data and devices from unauthorized access and threats. Team it with other cloud-enabled security solutions such as &lt;a href="https://www.ivanti.com/products/risk-based-vulnerability-management"&gt;Neurons for RBVM&lt;/a&gt; and &lt;a href="https://help.ivanti.com/ht/help/en_US/CLOUD/vNow/multi-factor-authentication.htm" target="_blank"&gt;Multi-Factor Authentication&lt;/a&gt; to empower your organization with secure anytime, anywhere access to business-critical apps and data.&lt;/p&gt;
</description><pubDate>Tue, 29 Oct 2024 16:11:40 Z</pubDate></item><item><guid isPermaLink="false">f7dc4c22-45de-4d0c-ab98-5ff072182d51</guid><link>https://www.ivanti.com/blog/remote-control-is-for-remotely-controlling</link><atom:author><atom:name>Rob DeStefano</atom:name><atom:uri>https://www.ivanti.com/blog/authors/rob-destefano</atom:uri></atom:author><category>Endpoint Management</category><category>Supply Chain</category><title>Device Management Remote Control is for Remotely Controlling</title><description>&lt;p&gt;The title seems obvious enough, but if there weren’t a story behind it, this blog wouldn’t be necessary. How do you use remote control to keep your mobile deployments operating at peak performance? It turns out that the answers vary across organizations.&lt;/p&gt;

&lt;p&gt;The most common and expected purpose is to troubleshoot malfunctioning devices or apps. When a mobile worker is idle, it costs your business money. Getting that incident resolved fast is essential so the worker gets back to task and meets customer demand.&lt;/p&gt;

&lt;p&gt;However, there are organizations using the remote control functionality of their MDM product for mobile device management. Why? Is the MDM insufficient for remote device management?&lt;/p&gt;

&lt;h2&gt;What makes an MDM?&lt;/h2&gt;

&lt;p&gt;Using the mobile device management remote control functionality to manage devices compromises core capabilities that make an MDM valuable: automation is a primary example. Using remote control means manually performing various device management tasks, such as updating the operating system or configuring apps. This means touching (even remotely) each device in the estate.&lt;/p&gt;

&lt;p&gt;An MDM should provide a centralized, scalable means to manage fleets of devices – including but not limited to security policy enforcement, updating apps and operating systems, and configuring device and application settings. It’s about efficiency; a single pane of glass to discover, manage and secure all the mobile endpoints across the ecosystem.&lt;/p&gt;

&lt;p&gt;Especially for mobile deployments in operations, but valid for corporate workforces as well, actions like targeted updates to segmented workgroups make it easier for systems teams to act through automation rather than device by device.&lt;/p&gt;

&lt;h2&gt;The benefits of remote control&lt;/h2&gt;

&lt;p&gt;If troubleshooting malfunctioning devices and apps is the most common purpose of remote control, a second benefit is tracking of remote session history. Logging remote control session actions gives Support Admins a view into what has been pushed to the device. They can see which apps have been updated as well as any OS updates. Visibility into all these transmissions, carried over secure sessions, helps resolve incidents much faster.&lt;/p&gt;

&lt;p&gt;A third is the essence of the word “remote” in Remote Control. This matters in a couple of ways; the first is the worker experience. Without Remote Control, a worker experiencing a device failure in aisle 31 of the warehouse is not only down, but must now navigate the warehouse floor to wherever the local support station is to report the incident.&lt;/p&gt;

&lt;p&gt;At best, the worker then gets another device from the local spares pool, signs in and traverses the floor back to aisle 31 and resumes the task; hopefully where they left off. At worst, they put the device down on a shelf in the aisle, walk to the spares pool location for a replacement device, sign in and travel back to aisle 31. No incident report is made, and a device is missing.&lt;/p&gt;

&lt;p&gt;Remote Control lets this worker report, and Support teams resolve, that issue right at the point of activity in aisle 31. No one leaves their location, and when resolved, the mobile worker is right where they need to be to resume work. It is also important to mention here that attended remote control (where the worker authorizes the remote control session) is possible and adds security measures beyond those in an unattended session.&lt;/p&gt;

&lt;p&gt;The flipside example of “Remote” is your Support Analysts. Remote Control allows these workers to connect to devices at other (remote!) locations to diagnose and resolve incidents. They are also able to determine whether the hardware needs to be sent to a repair center, having tested and verified the issue first, which helps avoid the dreaded “no fault found” resolution from the repair depot.&lt;/p&gt;

&lt;p&gt;Using an MDM with remote control functionality as a crutch to compensate for limited domain knowledge compromises efficiency. The automation included in reputable MDM solutions means more reliable uptime for mobile workers, and a better experience for systems analysts. It is important and worthwhile to invest the time to learn the robust toolset an MDM delivers.&lt;/p&gt;

&lt;h2&gt;The bottom line&lt;/h2&gt;

&lt;p&gt;Each tool has a purpose. If your organization is stuck using remote control to manage mobility, take a look at &lt;a href="https://www.ivanti.com/devices/rugged-device-management"&gt;Ivanti Neurons for MDM&lt;/a&gt;, and let one of our partners help you with a process consultation. We have a library of training to help your support analysts get more comfortable with using MDM. Identifying how to best implement automation in your device management could &lt;a href="https://www.ivanti.com/customers/doddle"&gt;save your IT teams countless hours&lt;/a&gt; each month and improve uptime.&lt;/p&gt;
</description><pubDate>Mon, 28 Oct 2024 15:56:39 Z</pubDate></item><item><guid isPermaLink="false">139fedc2-9d61-4985-8d32-9b0e2cfbd44a</guid><link>https://www.ivanti.com/blog/the-importance-of-application-control</link><atom:author><atom:name>Gary McAllister</atom:name><atom:uri>https://www.ivanti.com/blog/authors/gary-mcallister</atom:uri></atom:author><category>Endpoint Management</category><title>The Importance of Application Control</title><description>&lt;p&gt;In today's digital age, organizations face a constant barrage of cyber threats, with unauthorized applications posing a significant risk to their security and operations. Traditional security measures are no longer sufficient to protect against the sophisticated attacks that target vulnerabilities within applications and endpoints.&lt;/p&gt;

&lt;h2&gt;What is application control?&lt;/h2&gt;

&lt;p&gt;Application control consists of the policies, procedures and tools for ensuring that applications work as intended, that data reliability and accuracy are maintained, that access to applications and data is restricted to authorized users, and that application updates and changes are properly managed. Basically, application control is about &lt;em&gt;mitigating&lt;/em&gt; the risk of data misuse, alteration or loss within applications, preserving the integrity of business operations.&lt;/p&gt;

&lt;h2&gt;The growing threat of unauthorized applications&lt;/h2&gt;

&lt;p&gt;The proliferation of cloud-based applications has made it easier for employees to access and use software without IT approval. This phenomenon, known as &lt;em&gt;shadow IT&lt;/em&gt;, can introduce significant security risks into an organization. Unauthorized applications might be infected with malware, expose sensitive data or violate compliance regulations.&lt;/p&gt;

&lt;p&gt;Furthermore, the increasing sophistication of &lt;a href="https://www.ivanti.com/resources/research-reports/state-of-cybersecurity-report"&gt;cyber attacks&lt;/a&gt; has made it harder to detect and prevent malicious software from infiltrating networks. Advanced threats like ransomware, phishing and supply chain attacks can target vulnerabilities within applications to gain unauthorized access and disrupt operations.&lt;/p&gt;

&lt;h2&gt;The importance of application control&lt;/h2&gt;

&lt;p&gt;To mitigate these risks, organizations must implement robust application control measures. Application control solutions help to identify and prevent unauthorized applications from running on endpoints, &lt;a href="https://www.ivanti.com/blog/the-8-best-practices-for-reducing-your-organization-s-attack-surface"&gt;reducing the attack surface&lt;/a&gt; and protecting sensitive data.&lt;/p&gt;

&lt;h3&gt;Key application control benefits&lt;/h3&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Enhanced security:&lt;/strong&gt; Prevent unauthorized applications from accessing sensitive data and compromising your network.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Improved compliance:&lt;/strong&gt; Ensure adherence to industry regulations and data privacy standards.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Reduced risk of malware:&lt;/strong&gt; Protect against malware infections that can disrupt operations and damage your reputation.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Enhanced productivity:&lt;/strong&gt; Streamline IT operations and reduce the burden on IT staff by automating application management tasks.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Improved visibility:&lt;/strong&gt; Gain visibility into application usage and identify potential security risks.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Ivanti Neurons for App Control: A comprehensive solution&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/products/app-control-and-privileged-management"&gt;Ivanti Neurons for App Control&lt;/a&gt; is a powerful solution that empowers organizations to manage and control application usage. Its key features include:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Granular application control:&lt;/strong&gt; Precisely define which applications are allowed to run on your endpoints, preventing unauthorized software from executing.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Privilege management:&lt;/strong&gt; Enforce least-privilege principles to minimize attack surface and reduce the risk of unauthorized access.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Cloud-based deployment:&lt;/strong&gt; Easily deploy and manage Ivanti Neurons for App Control from a centralized cloud platform.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Enhanced security:&lt;/strong&gt; Protect your sensitive data and prevent malware infections by blocking unknown applications.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Improved compliance:&lt;/strong&gt; Ensure adherence to industry regulations and data privacy standards.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;How Ivanti Neurons for App Control works&lt;/h2&gt;

&lt;p&gt;Ivanti Neurons for App Control uses advanced technology to analyze the NTFS ownership of files and cross-reference them against a trusted owners list. If the file owner isn't trusted, the application is blocked from running. This intelligent approach provides a robust defense against unauthorized applications while allowing for exceptions to be configured for approved software.&lt;/p&gt;

&lt;h2&gt;Why invest in application control?&lt;/h2&gt;

&lt;p&gt;In today's threat-filled landscape, application control is no longer an option but a necessity. Ivanti Neurons for App Control offers a comprehensive solution for organizations to safeguard endpoints, reduce risk and improve security posture.&lt;/p&gt;

&lt;p&gt;By investing in application control, you can protect sensitive data, streamline IT operations and ensure compliance with industry regulations.&lt;/p&gt;

&lt;hr&gt;
&lt;p&gt;&lt;strong&gt;Learn more: Explore the benefits, features and functionality of &lt;a href="https://www.ivanti.com/products/app-control-and-privileged-management"&gt;Ivanti Neurons for App Control&lt;/a&gt;.&lt;/strong&gt;&lt;/p&gt;
</description><pubDate>Tue, 15 Oct 2024 10:44:18 Z</pubDate></item></channel></rss>