Modernise Endpoint Management

Since COVID and the lockdowns, remote or hybrid working has become the norm for most organisations. Mobile devices and their capabilities now easily compete with those of laptops and desktops, and may even have the advantage when it comes to accessibility.

In other words, the ecosystem has changed dramatically and requires a new approach, and with it new technology, policies and procedures. Zero Trust is that overarching approach: it offers capabilities to enable and control the devices used in a work context based on a set of conditions. Corporate and non-corporate devices can be treated differently, so that data and apps are controlled and managed according to those conditions, preventing data from leaking and making it possible to track devices that are lost. In the case of BYOD, it ensures that corporate data can be safely wiped once a member of staff leaves the company.

In short: modern endpoint management!

Endpoint Management as part of Zero Trust

Together with users’ identities, data and applications, endpoint management is an important aspect of establishing a Zero Trust architecture.

Microsoft Zero Trust Capabilities

First of all, we need to clarify the device scenarios:

  • BYOD – bring your own device: a personally owned device that is allowed and enabled for work

  • COPE – company owned, personally enabled: the opposite of BYOD; a corporate-owned device that is also enabled for personal use

  • COBO – company owned, business only: no personal use is allowed, and this is often enforced through restrictions

Microsoft Endpoint Manager

Microsoft offers a suite of products and services called Microsoft Endpoint Manager. These are all licensed through their respective licensing plans. The components are:

  • Microsoft Intune
    Intune is Microsoft’s cloud-based mobile device management (MDM) and mobile application management (MAM) tool for your apps and devices. It lets you control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10 or Windows 11 devices.

  • Configuration Manager
    Configuration Manager, formerly known as SCCM, is an on-premises management solution for desktops, servers and laptops that are on your network or internet-based. You can cloud-enable it to integrate with Intune, Azure Active Directory (AD), Microsoft Defender for Endpoint and other cloud services. Configuration Manager is used to deploy apps, software updates and operating systems.

  • Co-management: Co-management combines your existing on-premises Configuration Manager investment with the cloud, using Intune and other Microsoft 365 cloud services. You choose whether Configuration Manager or Intune is the management authority for specific workloads such as ‘Device Compliance’ or ‘Windows Updates’.
    As part of Endpoint Manager, co-management allows you to use cloud features such as Conditional Access (along with Device Compliance). Any workloads not moved to Intune remain on-premises with Configuration Manager, so you keep some tasks on-premises while running others in the cloud with Intune.

  • Desktop Analytics: Desktop Analytics is a cloud-based service that integrates with Configuration Manager. It provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows clients. The service combines data from your organization with data aggregated from millions of devices connected to the Microsoft cloud. It provides information on security updates, apps, and devices in your organization, and identifies compatibility issues with apps and drivers.

    As part of Endpoint Manager, use the cloud-powered insights of Desktop Analytics to keep Windows 10 and Windows 11 devices current.

  • Windows Autopilot: Windows Autopilot sets up and pre-configures new devices, getting them ready for use. It’s designed to simplify the lifecycle of Windows devices, for both IT and end users, from initial deployment through end of life.

    As part of Endpoint Manager, Autopilot can be used to preconfigure devices, and automatically enroll devices in Intune. You can also integrate Autopilot with Configuration Manager and co-management for more complex device configurations (in preview).

  • Azure Active Directory (AD): Azure AD is used by Endpoint Manager for identity of devices, users, groups, and multi-factor authentication (MFA). Azure AD Premium, which may be an additional cost, has additional features to help protect devices, apps, and data, including dynamic groups, auto-enrollment, and conditional access.

  • Endpoint Manager admin center: The admin center is a unified portal to create policies and manage your devices. It integrates other key device management services, including groups, security, conditional access, and reporting. This admin center also shows devices managed by Configuration Manager and Intune (in preview).
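To show how the device scenarios above (BYOD, COPE, COBO) combine with device compliance and Conditional Access under co-management, here is a small decision model written for this post; it is an added illustration, not Intune's actual evaluation logic or any Microsoft code, and the field names, rules and sample devices are hypothetical and constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ownership scenarios from the post; only corporate-owned devices must be MDM-enrolled.
CORPORATE_OWNED = {"COPE", "COBO"}


@dataclass
class Device:
    name: str
    ownership: str                        # "BYOD", "COPE" or "COBO"
    mdm_enrolled: bool                    # enrolled in Intune, or co-managed with Configuration Manager
    mam_protected: bool                   # corporate apps covered by an app-protection (MAM) policy
    compliant: Optional[bool]             # None = no compliance state has been reported yet
    compliance_authority: Optional[str]   # "intune" or "configmgr": who owns the compliance workload


def access_decision(d: Device) -> Tuple[bool, str]:
    """Hypothetical Conditional Access rule (simplified model, not Intune's logic):
    corporate data is reachable from an enrolled device only once its compliance state
    has been reported and is compliant, whichever authority evaluated it; a BYOD device
    may instead use MAM-only access, with app protection but no device enrollment."""
    if d.mdm_enrolled:
        if d.compliance_authority is None or d.compliant is None:
            return False, "enrolled but no compliance state reported"
        if not d.compliant:
            return False, f"marked non-compliant by {d.compliance_authority}"
        return True, f"compliant ({d.compliance_authority})"
    if d.ownership == "BYOD" and d.mam_protected:
        return True, "MAM-only access (app protection, device not enrolled)"
    if d.ownership in CORPORATE_OWNED:
        return False, "corporate device must be enrolled"
    return False, "unmanaged personal device"


def offboarding_action(d: Device) -> str:
    """What is removed when the user leaves: a personal device loses only corporate data."""
    if d.ownership == "BYOD":
        return "selective wipe (corporate apps and data only)"
    return "full wipe and retire"


def blocked_devices(fleet: List[Device]) -> List[Tuple[str, str]]:
    """Audit helper: every device that would be denied access, with the reason."""
    return [(d.name, access_decision(d)[1]) for d in fleet if not access_decision(d)[0]]


if __name__ == "__main__":
    # Constructed sample fleet, one device per scenario.
    fleet = [Device("phone-1", "BYOD", False, True, None, None),
             Device("lt-1", "COBO", True, False, True, "intune"),
             Device("lt-2", "COPE", True, False, False, "configmgr")]
    for name, reason in blocked_devices(fleet):
        print(f"{name}: blocked - {reason}")
```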

Embracing modernising endpoint management

In this blog I have tried to outline that the ecosystem that makes up modern endpoint management is quite vast and, in the context of Zero Trust, can be somewhat complex. In terms of lifecycle, the technology covers every stage from deployment, control and management through to disposal of devices. It is therefore most advisable to start with an area that is already established (e.g. use of Intune) or where the need is greatest (e.g. starting to deploy devices with Autopilot).

Formulating appropriate policies to align with modern endpoint management is also important, as this forms part of the process. All of this should form part of establishing the Zero Trust architecture.

risual is an expert partner and has experience with all aspects of modern endpoint management and establishing a Zero Trust Architecture.
