Managing and protecting endpoints with Microsoft advanced solutions

The changes in working patterns over the past two years, and consequently in enterprise IT architecture, have created new customer needs as well as more third-party solutions, “for every purse and purpose.” Today, we are announcing our plans to deliver new management functionality in Microsoft Endpoint Manager that will further simplify how organizations manage and protect their user computing landscape with Microsoft advanced solutions.

Over the next year, we will launch a series of solutions designed to improve user experiences, increase endpoint security, and reduce total cost of ownership (TCO) by bringing together mission-critical endpoint and security management tools into a single, cloud-powered solution. These new capabilities will help to protect endpoints in the cloud, on-premises, and across device platforms, and will be foundational for organizations striving to adopt a Zero Trust security model.

Our vision is to bring together advanced endpoint management solutions in a new, cost-effective Microsoft 365 plan. Today, we are delighted to highlight the capabilities the future suite will include and deliver:

  • The ability to respond faster, by providing secure, cloud-based remote help and optimized user experiences.
  • Safer, easier access to company data independent of platform or device types, and app protection for people who have multiple company accounts.
  • Greater automation, making permission elevation, certificate management, and patching easier.

Faster response bolsters worker satisfaction

As more employees work remotely (52 percent of employees are considering going hybrid or fully remote in the coming year) and as the need to support frontline worker devices has grown, the demands on the IT helpdesk have changed. The days of simply walking to an employee’s desk to provide technical support are gone; the helpdesk must now support employees wherever they are. These shifts have prompted us to rethink the remote assistance toolkit. We are pleased to announce that the first of our premium solutions, remote help, is generally available in Endpoint Manager effective today.

Remote help is a cloud-based solution that provides secure helpdesk-to-user connections. It is tightly integrated with Endpoint Manager for enhanced security and allows a helpdesk employee to resolve problems quickly, no matter where the user is located.

The integration with Endpoint Manager allows organizations to provide remote help to users whose devices are cloud-managed or co-managed from on-premises. It also provides role-based access control (RBAC), so administrators can control who can help whom and what helpers can do on the user’s device during a connected session. The integration also makes it possible to explicitly verify the identities of both the user and the helpdesk support person, and it mitigates breach risk by performing device compliance checks before the session; both capabilities support a Zero Trust security model. The result is faster, more effective, and more trusted remote assistance, increasing user satisfaction and getting people back to work sooner.

Figure 1. Permission-based remote help enables view-only or full control connections for real-time assistance.

Another way to bolster employee satisfaction is not just to react when employees call the IT helpdesk with a problem, but to take proactive steps to prevent the problem in the first place. With hybrid work, the endpoint is the new workplace, and IT admins are key to ensuring that employee experiences are both frustration-free and secure. We are deepening our investment in helping organizations optimize the digital endpoint experience for employees. Using endpoint insights, AI, and signals from the Microsoft Cloud, and without deploying an additional agent, we will deliver IT alerts based on anomaly detection, along with recommendations. By including these capabilities natively in Endpoint Manager, we can give IT admins complete visibility. The capability will also integrate with leading IT service management tools, reducing the need for customers to manage additional third-party tools and further unifying endpoint management.

Safer, less complex access to company resources

To help counter increasingly sophisticated cybersecurity threats, it is more important than ever to enable secure access to company resources from any device. This includes access to on-premises apps and websites from mobile devices that may be unenrolled or unmanaged, often personally owned or bring-your-own-device (BYOD) hardware. By setting up a secure VPN with Microsoft Tunnel together with an app protection policy, IT administrators can enable secure access on a per-app basis while protecting organizational data from accidental leakage. Our plan is to provide a solution that benefits both users and IT admins: workers remain productive on the devices of their choice, with secure access to on-premises apps and websites, while retaining their privacy, since only traffic from specific work-related apps is sent through the company network. IT can apply the protection policy per app so corporate data is protected. Admins will be able to enable VPN connections from unenrolled mobile devices to on-premises company resources using Microsoft Tunnel, first through the Microsoft Edge mobile app.

Figure 2. Secure access to company resources for unenrolled mobile devices.

Our solution will stand out for three reasons. First, it provides strong authentication via Microsoft Azure Active Directory (Azure AD). Second, it builds on Microsoft’s native app protection policies (mobile application management, MAM), not just for Microsoft apps but eventually for third-party apps such as line-of-business apps. Lastly, it supports Microsoft Edge, where the VPN connection is established only when the user is signed in with their corporate identity, protecting both company data and user privacy when they are signed in with a personal account.

The principles of safer, easier access are also behind our plans to enable organizations to manage and protect Linux desktops. We will make corporate app and data access easier and more secure for engineers and developers who choose Linux desktops as their work devices. Rather than allowing exceptions for these specialty devices (which might have left Linux desktops in an organization unmanaged and unprotected) or blocking their use entirely, Endpoint Manager will allow organizations to target Linux devices and apply Conditional Access, device compliance, and device configuration policies.

There are two other capabilities I want to mention briefly. First, support for devices running Android Open Source Project (AOSP) will soon become generally available as part of our premium portfolio. Already in preview, administrators can provision and configure these specialty AOSP devices and apply Conditional Access to company resources when, where, and how they need it.

In a future release, we will extend app protection policies to cover the apps of users who have multiple company accounts or identities on a single device. This will let staff use their favorite mobile apps to access company files from multiple organizational accounts, with each organization’s data protection policies applied, without device enrollment. It will enable workers who hold a portfolio of roles at the same time to work more seamlessly. For example, physicians, consultants, recruiters, and others have responsibilities to both their firm or private practice and their client at the same time; they may need to manage multiple email accounts or access sensitive company information at any given moment. This functionality will make the right data available to the right persona, not just the right person, at the right time.

Greater automation. Increase security. Reduce frustration.

Friction equals frustration. For many employees, not having the right permissions, certificates, or current versions of their apps and OS leads to lost productivity. Three new capabilities will address this frustration head-on, all while increasing security.

First, Microsoft plans to introduce the capability to automate and manage when workers are permitted to use admin privileges for specific tasks. Attacks on users who hold local administrator privileges lead to higher-impact breaches, so running as a standard user is the gold standard. But standard users cannot perform tasks such as installing certain apps or running Windows diagnostic tools to troubleshoot and remediate issues, and not being able to do so reduces productivity and increases support costs. To address this, the new capability will let IT admins set rules that temporarily elevate a standard user’s permissions so that the user can perform specific admin-level tasks. This removes barriers to productivity by allowing users to “self-serve” approved admin tasks on Windows devices when needed. Elevation can be automatic, based on pre-defined rules and parameters; it can also be user-driven or approved by IT support. In each case, managing endpoint privileges this way helps both users and IT admins: organizations define which executables may run with elevated permissions on a device, saving IT time. As with any allow-list of elevated binaries, a rule should identify the executable by an attribute an attacker cannot easily substitute, such as its signature or hash, rather than by path alone. Microsoft’s solution stands apart because it is integrated with Endpoint Manager and the broader Windows ecosystem. It also includes reporting on which elevations have occurred, enabling a continuous improvement loop over which privileges should be extended to which endpoints, and when.
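The post does not say how an elevation rule identifies the executable it applies to. The following PowerShell is an added example, not code from Microsoft or from Endpoint Manager: before authoring a rule for a binary, it captures the attributes a rule should pin to (SHA-256 hash, Authenticode signer, file version) and flags binaries whose signature does not verify, since those can only be pinned by hash and must be re-captured on every update. That a given product accepts hash or publisher as a rule attribute is an assumption; the demo target (`notepad.exe` under `%SystemRoot%\System32`) is assumed to exist on the Windows machine where this runs.

```powershell
# Added example, not from the Microsoft post. Captures the attributes that an
# elevation rule should pin to. Which attributes a given product's rules accept
# is an assumption here; the security point is that a bare path is not one of them.
function Get-ElevationRuleCandidate {
    param(
        [Parameter(Mandatory)]
        [string] $Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $info = (Get-Item -LiteralPath $Path).VersionInfo

    # A valid Authenticode signature lets the rule key on the publisher, which
    # survives routine updates of the binary. Anything else (unsigned, broken
    # chain, hash mismatch) must be pinned by SHA-256 and re-captured whenever
    # the file changes.
    $publisher = $null
    if ($sig.Status -eq 'Valid') {
        $publisher = $sig.SignerCertificate.Subject
        $match = 'Publisher subject + file name'
    } else {
        $match = 'SHA-256 hash only'
        Write-Warning ("{0}: signature status is '{1}'; pin by hash and review on every update." -f $Path, $sig.Status)
    }

    [pscustomobject]@{
        Path             = $Path
        FileName         = [System.IO.Path]::GetFileName($Path)
        Sha256           = $hash
        SignatureStatus  = $sig.Status
        Publisher        = $publisher
        FileVersion      = $info.FileVersion
        ProductName      = $info.ProductName
        RecommendedMatch = $match
    }
}

# Demo target: notepad.exe, assumed present on any Windows installation.
Get-ElevationRuleCandidate -Path (Join-Path $env:SystemRoot 'System32\notepad.exe') | Format-List
```

Run it against each binary you intend to allow to elevate and keep the output with the rule; when the reporting described above shows an elevation for a file whose hash or signer no longer matches the recorded values, that is the signal to revisit the rule.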

Figure 3. Create rules and parameters in Endpoint Manager to elevate standard user permission.

Second, we will introduce a certificate lifecycle management solution that makes certificate setup and deployment easier from the cloud. Seamless authentication to Wi-Fi, VPN, and apps is something many users take for granted, but it requires deep expertise from security professionals and significant on-premises public key infrastructure (PKI). Microsoft’s cloud certificate management solution reduces the complexity of managing the underlying infrastructure and the skills required to do so. It allows IT admins to deploy certificates from within Endpoint Manager to secure these authentication scenarios quickly, makes PKI certificate management simple to set up, and provides seamless, passwordless authentication for users. As a cloud-based service, it will also be highly available and scalable, allowing IT professionals to reduce costs and focus on more strategic tasks.

Last, vulnerabilities in third-party software are a major security concern for enterprise customers. IT teams cannot continuously monitor vulnerabilities in all the third-party software used in their enterprise, identify the latest patched versions of those applications, and then deploy them manually. In many cases, once a vulnerability is publicly disclosed, adversaries target enterprise customers with exploit code within hours. We plan to help organizations reduce this risk by automating device vulnerability management, with proactive identification and automatic remediation of security vulnerabilities across both software and hardware. Continuous detection, assessment, and automated app patching across Microsoft Defender for Endpoint and Endpoint Manager can move your organization significantly toward its desired Zero Trust posture.
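The paragraph above describes the workflow (monitor, identify the latest patched versions, deploy) without showing the check itself. The following PowerShell is an added example, not code from Microsoft or from Endpoint Manager: it reads the installed-software inventory from the Windows uninstall registry keys and compares each product that matches a baseline entry against a minimum approved version, reporting what is outdated. The product names and versions in the sample inventory and baseline are constructed placeholders, not real advisories or real patch levels.

```powershell
# Added example, not from the Microsoft post. Inventory of installed software
# versus a minimum approved-version baseline. Sample data below is constructed.

# Read the same uninstall keys that "Apps & features" reads (64-bit, 32-bit, per-user).
function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# Vendors put suffixes like "7.2.1-beta" or "7.2.1 (x64)" in DisplayVersion;
# keep only the leading dotted-numeric part and ensure at least two components
# so [version] can parse and compare it.
function ConvertTo-ComparableVersion {
    param([string] $Text)
    $m = [regex]::Match($Text, '^\d+(\.\d+){0,3}')
    if (-not $m.Success) { return $null }
    $parts = $m.Value.Split('.')
    while ($parts.Count -lt 2) { $parts += '0' }
    return [version]($parts -join '.')
}

function Compare-AgainstBaseline {
    param(
        [Parameter(Mandatory)] [object[]]  $Inventory,
        [Parameter(Mandatory)] [hashtable] $Baseline   # DisplayName wildcard -> minimum version
    )
    foreach ($app in $Inventory) {
        foreach ($pattern in $Baseline.Keys) {
            if ($app.DisplayName -notlike $pattern) { continue }
            $have = ConvertTo-ComparableVersion $app.DisplayVersion
            $need = ConvertTo-ComparableVersion $Baseline[$pattern]
            if ($null -eq $have -or $null -eq $need) {
                $status = 'Unparsable'        # needs a human look, never silently "OK"
            } elseif ($have -lt $need) {
                $status = 'Outdated'
            } else {
                $status = 'OK'
            }
            [pscustomobject]@{
                Name      = $app.DisplayName
                Installed = $app.DisplayVersion
                Minimum   = $Baseline[$pattern]
                Status    = $status
            }
        }
    }
}

# Constructed sample inventory and baseline (placeholder products and versions).
$sampleInventory = @(
    [pscustomobject]@{ DisplayName = 'Contoso PDF Reader';           DisplayVersion = '11.0.3';  Publisher = 'Contoso' }
    [pscustomobject]@{ DisplayName = 'Fabrikam Media Player 64-bit'; DisplayVersion = '3.0.18';  Publisher = 'Fabrikam' }
    [pscustomobject]@{ DisplayName = 'Northwind Archiver';           DisplayVersion = '22.01';   Publisher = 'Northwind' }
    [pscustomobject]@{ DisplayName = 'Tailspin Toolbox';             DisplayVersion = 'build-9'; Publisher = 'Tailspin' }
)
$baseline = @{
    'Contoso PDF Reader*'    = '11.0.5'   # sample: reader below this is flagged Outdated
    'Fabrikam Media Player*' = '3.0.18'   # sample: exactly at minimum -> OK
    'Northwind Archiver*'    = '22.01.1'  # sample: 22.01 < 22.01.1 -> Outdated
    'Tailspin Toolbox*'      = '1.0'      # sample: non-numeric version -> Unparsable
}

Compare-AgainstBaseline -Inventory $sampleInventory -Baseline $baseline | Format-Table -AutoSize

# Live run on a Windows endpoint (replace $baseline with your approved versions):
# Compare-AgainstBaseline -Inventory (Get-InstalledSoftware) -Baseline $baseline
```

The `Unparsable` status is deliberate: a version string the script cannot compare should surface for review rather than be treated as compliant, which is the failure mode that lets an old build slip past an automated check.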

Additionally, with proven software and firmware security baselines to assess and enforce settings, organizations can verify compliance with their own requirements as well as with industry security standards. By making these capabilities more proactive and automated, coupled with Microsoft’s additional threat and vulnerability management, we hope to reduce friction for users, reduce risk, and save IT admins time on lower-order tasks.

Looking ahead

Today’s announcement is a starting point: we are excited to share this news to help customers plan for the future as they navigate their employees’ needs through the transition to hybrid work. Our vision is to simplify endpoint management with the power of the Microsoft connected cloud, at a lower TCO for our customers.

By expanding the solution coverage we provide in Endpoint Manager, we aim to bring greater unity and consistency to your mission-critical endpoint management tools, rather than relying on multiple different solutions. Such unity should simplify IT training and adoption, given the greater consistency between tools. Consistency will also drive greater visibility across your user computing landscape, as a common data layer provides deeper insights and automation. There should also be economic benefits: the fewer vendors you manage, the lower your overhead and the greater your IT productivity; and the tighter the integration with Microsoft Security, the lower your risk of breach.

We look forward to providing you with solutions “for every purse and purpose”.
