The importance of hardware lifecycle management

Building a Secure Digital Workplace

This blog post will focus on computers and mobile devices, but the recommendations are applicable on data center- and networking-hardware as well.

  • Insight

This blog post will focus on computers and mobile devices, but the recommendations are applicable on datacenter- and networking-hardware as well.

A Real-World Example

Let’s start with an example from a current case with mobile devices from Apple. To enable a complete set of configuration settings in iOS and iPadOS, the devices need to be configured as “Supervised”. The preferred way to enable “Supervision” is by using Apple Business/School Manager (ABM/ASM) and Device Enrollment Program (DEP).

DEP is used to get an Apple device under management when it connects to the internet. This creates a more secure device, but also a better user experience.

To be able to add devices to ABM, authorized Apple resellers can populate your organization’s ABM automatically when you purchase new devices. It’s both efficient, leaves little room for vulnerabilities during the procurement, and ensures that the device can be secure from the start.

However, there are resellers who do this population of ABM manually using a Mac computer and the Apple Configuration application.

It works almost in the same way as the automatic upload from an authorized reseller, with one big exception.

Apple Configurator

When the population of devices has been done using the Apple Configurator the user of the device is able to remove the device from management within 30 days of enrollment.

In the worst case, this also removes the device from ABM. In this scenario, your organization has lost control of the device. You can only restore it if you get physical access to it again. This is a security concern and does increase the likeliness of the device being stolen.

A screenshot (in Swedish) from an iOS device and the option to remove it from management.

We, therefore, encourage you to choose authorized resellers for your Apple devices. This is to ensure that the population of ABM has been done the proper way.

If you aren’t using ABM or supervised devices, we recommend that you configure it as soon as possible.

This is only one example of why it is so important to choose the right hardware- manufacturer as well as reseller. In many aspects, Apple has been a visionary in this space.

Today, similar services are being offered for both Windows and Android devices.

Secure Windows Devices

In regards to Windows devices, your organization should always require a minimum hardware specification. This ensures that the devices you procure fulfill the requirements for all available security features in Windows 10. Below is the minimum that you should require. Fortunately enough if this is the default configuration today:

  • UEFI
  • Virtualization-support
  • TPM 2.0
  • Windows Hello for Business (face recognition is preferred)

Always try to avoid buying hardware from the vendor’s consumer range. This is something we have seen especially in the education space. It will limit what you are able to do in terms of management, security, and automation. They may be cheaper than the professional or enterprise ranges, but for a reason.

If the device came preinstalled with Windows Home, you aren’t allowed to upgrade to Education or Enterprise.

Choosing Your Android Flavor

Continuing with Android, the choice of hardware vendor and reseller is more important than ever before.

Samsung has been the pioneer here, but the other vendors are quickly catching up. This is thanks to the adoption of Android Enterprise.

For Samsung, their services work in a similar fashion to Apple. An authorized Samsung reseller is able to automatically add new devices to Samsung’s KNOX service.

Samsung introduced KNOX as a security framework a number of years ago. It improved the manageability and security of the Android version that runs on Samsung hardware.

When the devices are added to KNOX, it allows for a Zero-touch experience (similar to DEP) when the phone is configured.

It will enable a unique (for Samsung) capability to control when and how new OS updates are installed.

Lastly
for Android – ensure that all your current and future devices run at least
Android 9.0 or later. Earlier versions don’t have support for the new features
of Android Enterprise, which allows for a better and more secure experience for
both users and administrators.

Start by Making Active Choices

To
summarize these brief touchdowns in the different hardware offerings:

  • Make active vendor choices.
  • Buying the cheapest device can often turn out to be an expensive decision in the end.
  • Use resellers that are authorized by the hardware vendors.
  • Buy hardware and OS versions that are made to be used in an Enterprise or Education environment.