The boundaries of networks aren't as clear as they used to be, and they often extend far outside the office. Besides desktop machines and laptops on the premises, points of access include smartphones, remote computers, point-of-sale terminals, cloud connections, and IoT devices. It's hard to keep track of everything that connects, but anything you don't track you also can't patch, configure, or monitor, and that is where the network is left at risk.
Attackers look for any weak point in a network. It could be an unpatched operating system, a badly designed application, or a weak configuration. To keep the network secure, IT management needs to impose consistent constraints on all endpoints. Unified Endpoint Management (UEM) lets them set the constraints up automatically, verify that each device still meets them, and control everything from a single console.
What devices do you have?
Managing the attack surface requires knowing its extent. "Shadow IT," where departments install their own machines to bypass approval processes, can mean endpoints that aren't properly protected. The discovery features of UEM enumerate the devices that appear on the networks it watches (typically from DHCP leases, network scans, and agent reports), so they can be compared against the list of authorized ones. Discovery only finds what it can see: a device on a segment that isn't scanned, or one that never takes an address, stays invisible, so the discovered list is a starting point rather than a complete inventory.
Employees might connect mobile devices to the network. Some businesses allow this under a BYOD policy, but it has its risks. A personal phone may run an old operating system, have no screen lock, and might already be infected with malware. Some employees may plug their own Wi-Fi access points into the network so they can use their phones with it. A UEM system can identify these devices and, usually in combination with network access control, admit only the ones that satisfy network policies. Identification by hardware address alone is weak, since a MAC address can be spoofed and modern phones randomize theirs, so discovery should feed an enforcement mechanism rather than substitute for one.
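The reconciliation step described above, as an added example that is not from any UEM product: discovered endpoints are parsed, their hardware addresses normalized, and the result split into known devices, unknown devices that need a decision, and inventory entries that never showed up. The discovery output format, the inventory, the hostnames, and every MAC address are constructed for illustration. Unknown devices whose address has the locally administered bit set are flagged, because that is what randomized phone MACs look like and one such phone can appear under many addresses.

```python
"""Reconcile discovered endpoints against the authorized inventory.

Added example, not from any UEM product. The discovery output, the
inventory and every MAC address below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed discovery output, one "ip mac hostname" record per line.
# Real sources (DHCP leases, switch MAC tables, an agent scan) are
# vendor-specific, so the parser is the part you would adapt.
DISCOVERED = """\
10.10.1.20  A4:5E:60:11:22:33  FIN-LAPTOP-07
10.10.1.21  a4-5e-60-44-55-66  fin-laptop-08
10.10.1.42  00:1B:44:77:88:99  POS-REGISTER-2
10.10.1.77  F0:9F:C2:AA:BB:CC  HOME-ROUTER
10.10.1.90  DA:A1:19:12:34:56  iPhone
"""

# Constructed authorized inventory keyed by normalized MAC address.
INVENTORY = {
    "a4:5e:60:11:22:33": {"owner": "finance", "managed": True},
    "a4:5e:60:44:55:66": {"owner": "finance", "managed": True},
    "00:1b:44:77:88:99": {"owner": "retail", "managed": True},
    "8c:16:45:00:11:22": {"owner": "it", "managed": True},  # listed but never seen
}

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str


def normalize_mac(raw: str) -> str:
    """Lower-case, colon-separated form so the two notations above compare equal."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was not assigned by
    a vendor: typical of the randomized MACs phones use on Wi-Fi."""
    return int(mac[:2], 16) & 0x02 != 0


def parse_discovery(text: str) -> list[Device]:
    devices = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split(maxsplit=2)
        devices.append(Device(ip, normalize_mac(mac), hostname))
    return devices


def reconcile(devices: list[Device], inventory: dict) -> dict:
    """Split what was seen into known/unknown, and report inventory entries
    that never appeared (a stale record, or a machine that is off the
    network and therefore not receiving patches)."""
    seen = {d.mac for d in devices}
    return {
        "known": [d for d in devices if d.mac in inventory],
        "unknown": [d for d in devices if d.mac not in inventory],
        "missing": sorted(set(inventory) - seen),
    }


def unknown_report(text: str = DISCOVERED, inventory: dict = INVENTORY) -> list[str]:
    """One line per device that needs a decision from the administrator."""
    result = reconcile(parse_discovery(text), inventory)
    lines = []
    for d in result["unknown"]:
        note = " (randomized/locally administered MAC)" if is_locally_administered(d.mac) else ""
        lines.append(f"UNKNOWN {d.ip} {d.mac} {d.hostname}{note}")
    for mac in result["missing"]:
        lines.append(f"MISSING {mac} ({inventory[mac]['owner']})")
    return lines


if __name__ == "__main__":
    print("\n".join(unknown_report()))
```

The hostname column is self-reported by the device and is kept only as a hint for the person reviewing the list; the decision to block or admit should rest on the inventory match and on whatever network access control sits behind it, not on a name the device chose for itself.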
How does UEM keep them safe?
An office usually has a mix of operating systems. It could have computers with Windows, macOS, and perhaps Linux. Mobile devices could run iOS, Android, and perhaps occasionally other operating systems. UEM is designed to manage them all. It pushes the latest patches to every machine the company controls and reports the ones that fall behind.
Applications are a more complicated issue. Each of these machines could have all kinds of apps on them. It isn't always possible or sensible to permit only an approved set of applications. What's possible is to separate the approved applications into their own managed environment (on a mobile device, a work profile or container) so that nothing else has access to their data. Unapproved applications don't get access to company resources on the network.
The UEM system will have control over the approved applications. It will keep their versions consistent and update them as necessary. When all user machines on the network have a consistent set of applications, it's easier to exchange and share documents.
Managing browsers to keep them consistent is especially important. Old versions carry publicly known vulnerabilities, and a browser is the application most exposed to hostile content. Some plugins are very helpful, but badly written or outdated ones can open serious vulnerabilities. UEM can control and update browser plugins, and remove the ones nobody needs.
System configuration is the third big issue, after operating systems and applications. A poorly configured system has weaknesses no patch will fix. Users shouldn't normally work from administrator accounts; malware that runs in a standard user account is limited to what that account can do. They should have good passwords, with length and reuse rules enforced by policy rather than left to the user. Individual machines should have well-configured host firewalls to reduce the opportunities to attack them, and UEM should verify all of this continuously, not just at enrollment.
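A compliance check of the kind a UEM console runs over the three areas above (patch currency, application and browser versions, local configuration), as an added example rather than any product's policy engine. The baseline, the two endpoint reports, and the field names an agent would report are all constructed assumptions; the point is the shape of the evaluation, including the version comparison that a naive string compare gets wrong.

```python
"""Evaluate endpoint configuration reports against a baseline.

Added example, not a UEM product's policy engine. The policy and the
two endpoint reports are constructed; the field names are assumptions
about what an agent would report.
"""
from __future__ import annotations

from datetime import date

# Constructed baseline covering OS patch currency, browser versions and
# local configuration.
POLICY = {
    "max_patch_age_days": 30,
    "min_password_length": 12,
    "min_browser_version": {"Chrome": "120.0", "Firefox": "115.0"},
}

# Constructed agent reports: one compliant machine, one that fails
# several checks.
REPORTS = [
    {
        "host": "FIN-LAPTOP-07",
        "last_patch": "2024-05-01",
        "user_is_admin": False,
        "firewall_enabled": True,
        "password_min_length": 14,
        "browsers": {"Chrome": "124.0.6367.60"},
    },
    {
        "host": "FIN-LAPTOP-08",
        "last_patch": "2024-01-15",
        "user_is_admin": True,
        "firewall_enabled": False,
        "password_min_length": 8,
        "browsers": {"Firefox": "99.0.1", "Chrome": "124.0.6367.60"},
    },
]


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions compare correctly as integer tuples; plain
    string comparison would rank "99.0.1" above "115.0"."""
    return tuple(int(p) for p in v.split("."))


def evaluate(report: dict, policy: dict, today: date) -> list[str]:
    """Return the failed checks; an empty list means the endpoint is compliant."""
    failures = []

    patch_age = (today - date.fromisoformat(report["last_patch"])).days
    if patch_age > policy["max_patch_age_days"]:
        failures.append(f"patches {patch_age} days old")

    if report["user_is_admin"]:
        failures.append("daily-use account is an administrator")

    if not report["firewall_enabled"]:
        failures.append("host firewall disabled")

    if report["password_min_length"] < policy["min_password_length"]:
        failures.append(
            f"password minimum {report['password_min_length']} "
            f"below {policy['min_password_length']}"
        )

    for browser, version in report["browsers"].items():
        required = policy["min_browser_version"].get(browser)
        if required is None:
            failures.append(f"unapproved browser {browser}")
        elif parse_version(version) < parse_version(required):
            failures.append(f"{browser} {version} below {required}")

    return failures


def compliance_summary(reports=REPORTS, policy=POLICY,
                       today: date = date(2024, 5, 15)) -> dict[str, list[str]]:
    """Host name -> list of failures. `today` is a parameter so the result
    is reproducible rather than drifting with the clock."""
    return {r["host"]: evaluate(r, policy, today) for r in reports}


if __name__ == "__main__":
    for host, failures in compliance_summary().items():
        print(f"{host}: {'COMPLIANT' if not failures else 'NON-COMPLIANT'}")
        for f in failures:
            print(f"  - {f}")
```

The useful output is the list of failures, not a single pass/fail bit: a console that says only "non-compliant" tells the administrator nothing about whether to push a patch, strip an admin right, or turn the firewall back on.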
Can it work in your business?
Every business has different needs, but UEM is an effective solution for many situations. It's particularly valuable in an environment where employees aren't technologically sophisticated and need computers that will just let them do the job in a consistent way. It will track all machines, including mobile devices that otherwise would escape notice.
In other situations, UEM will need to take a more flexible approach, allowing a lot of exceptions to let everyone do their jobs. Beyond a certain point, it's easier to manage individual machines. A software development and testing operation, for instance, needs a lot of flexibility. But where there are different kinds of machines to manage, reasonably uniform tasks to perform, and significant risks to keep under control, UEM can provide a safer network for less effort than other approaches.