Best Unified Endpoint Management Software Considerations

While Unified Endpoint Management Software (UEM) provides IT with the convenience of managing their endpoints through one package, they fall short of providing all the essential tools an admin might need. Here are the best Unified Endpoint Management Software Considerations for any organization looking to centralize endpoint management. In this article, we’ll look at what UEM and MDM solutions do, what their shortcomings are, and how PolicyPak can help.

Best Unified Endpoint Management Software Considerations

Consideration #1: UEM vs MDM Software

We all like things that come in one nice neat package. Take Unified Endpoint Management (UEM) software for instance. Unified Endpoint Management (UEM) software such as Microsoft Endpoint Manager (SCCM and Intune), VMware Workspace ONE, Citrix Workspace, and MobileIron all put a lot of firepower into one package. But despite the benefits to these solution packages, they have their downsides as well.

WHITE PAPER: Group Policy vs. MDM

Does MDM replace Group Policy? You may be making one of the biggest mistakes of hybrid work management.

Consideration #2: Advantages of Unified Endpoint Management Software (UEM)

By unifying a number of management processes into one bundle, IT admins can leverage Unified Endpoint Management (UEM) Software to manage thousands of internet-connected endpoints through a single pane of glass. Unified Endpoint Management offers a simple alternative to the disparate solutions that IT used to assemble collectively to do everything from pushing updates and applications to remotely wiping a lost or compromised device. In fact, Unified Endpoint Management Solutions can do a number of things very well, including the following:

  • Configuration of updates for on-device security policies
  • Deployment of VPN and wireless network configurations
  • Onboarding of employee-owned devices
  • Tracking and collection of usage information
  • Compliancy reporting

WHITE PAPER: Why Microsoft Endpoint Manager Admins Need PolicyPak

Microsoft Endpoint Manager unifies management between Intune and Config Manager, but there are critical security and management gaps only PolicyPak can fill.

Consideration #3: The shortcoming of Unified Endpoint Management Software

While the typical Unified Endpoint Management toolset can certainly help enterprises control and secure their IT estate and all of its endpoints, their tool chests do lack some essentials. When it comes to endpoint devices, it’s hard to serve all the needs of all users and their devices. For instance, different device and OS makers provide different levels of MDM access. A management solution designed to accommodate smart phones, tablets, wearables, and other IoT devices may fall short of successfully managing setting configurations, policies, and security for Windows 10 user workstations and laptops.

MDM solutions do not offer the expansive coverage of configuration setting delivery and enforcement that Group Policy does, for instance. It is difficult for Unified Endpoint Management (UEM)  providers to release new features and innovation in lockstep with new OS releases. There is also the issue of keeping policies updated for devices that may lose connectivity for extended periods of time.

The National Security Agency, NSA, has documented concerns when it comes to the utilization of UEM solutions to control and secure mobile devices. They site “considerable differences existing between the enterprise management capabilities possible on each platform.” They go on to state “the lack of some controls makes mobile devices less secure than other platforms.” Some of the other gaps outlined by the NSA are listed below.

  • “App management features can be fairly weak.”
  • “Limited ability of EMM solutions to identify vulnerable mobile devices.”
  • “Delays in receiving security updates, depending on device vendor or network carrier.”
  • “The inability of enterprises to gain visibility into indicators of adversary activity such as indications of exploitation of previously unknown (zero-day) vulnerabilities.”
  • “Variations in security update speed and availability depending on the device vendor or network carrier.”
  • “Limited ability of enterprise mobility products to detect sophisticated attacks against mobile devices.”

There are obviously legitimate concerns concerning the gaps that inherently exist within UEM platforms. A Windows 10 client device is far more than just the Windows OS. It includes a multitude of applications that need to be properly configured for both security and maximum productivity. The listed security shortcomings are of serious concern considering the plethora of zero-day attacks that are released every day. The biggest vulnerability, however, is that users don’t always make the best decisions. All of these issues are magnified in the new paradigm of remote work strategies.

Consideration #3: PolicyPak Enhances Unified Endpoint Management Software

The good news is that you don’t have to go it alone with your UEM or MDM solution. PolicyPak works with what you already have to fill the gaps in:

  • Security
  • Policy management
  • Applications settings management
  • Other key Windows 10 settings

Let’s see where PolicyPak can augment your existing UEM and MDM solutions in a variety of ways.

Consideration #4: PolicyPak Least Privilege Manager Fills Security Gaps

As long as you have users on connected devices, they are going to download and launch programs. Since UEM solutions do not neutralize this attack vector, you might think your only alternative is to implement Allow Lists to specifically state which applications can be executed even though Allow Lists are cumbersome and time consuming to manage.

WHITE PAPER: Maximize Your MDM and Autopilot ROI

PolicyPak delivers nearly 100% of Microsoft Group Policy settings, as well as provides lockdown security protection for your users and devices.


But there is nothing cumbersome about PolicyPak Least Privilege Manager. PolicyPak Least Privilege Manager comes with SecureRunTM, which can be configured to block all items that are not properly installed by the admin. When PolicyPak SecureRun™ is on, PolicyPak Least Privilege Manager checks to see who owns the file executable, MSI, script, or Java JAR file. When users download files off the Internet or copy them from a USB drive, they own the file. The result is that properly installed applications can run perfectly well, but all unknown applications and scripts are blocked, as shown below in the following screenshot.

ransomware simulator

PolicyPak SecureRun™ stops all unauthorized apps and executables regardless of whether a file is part of an unrecognized exploit. It also works, regardless of whether or not the device is connected to the Internet.

Once you have engaged this blanket protection, you can then add granular policies in order to give standard users the exact privileges they need in order to do their jobs. You can create policies to designate which EXE and MSI files and scripts they can run. Endpoint management is about more than just dictating what standard users can’t do, its about what they can do as well.

Check out the video on our website to see how local users can overcome UAC prompts even if a user device isn’t connected to the Internet by using the Admin Approval feature, which is perfect for remote workers.

Consideration #5: PolicyPak Least Privilege Manager Fills Policy Gaps

As a Windows Admin, part of your job is delivering and enforcing settings to secure the Windows desktop and ensure its usability. Unfortunately, MDM solutions such as Intune don’t come close to providing the over 10,000 settings that the combined power of Group Policy and Group Policy Preferences provides. But you don’t have to sacrifice policy coverage for non-domain-joined machines. With PolicyPak, you can deploy any Admin Template or Group Policy Preferences setting to any connected Windows device regardless of its joined status or where it resides. Not only does PolicyPak’s Admin Templates Manager offer the same identical settings as Group Policy, it even uses the same Group Policy Management Editor to create your policies and deliver them as shown below:

unified endpoint management administrative templates manager

Using the editor, you can choose the ADMX settings you want to configure and deploy.

personalize policies

In the example above, we are configuring a computer-side policy, which gives us the option to select both Computer AND User settings at one time. You can watch a video demonstration on our website showing how you can deploy ADMX settings to any connected device as well as consolidate all of your current GPOs.

You can use PolicyPak to export any or all of your Group Policy and Group Policy Preferences policies and deploy them through your MDM. You can watch a video demonstration on our website showing how you can also deploy them to any connected non-domain-joined machines.

Consideration #6: Additional Features of PolicyPak

PolicyPak fills a number of voids in UEM solutions, as well as adding features that only PolicyPak can deliver on, like the following:

 

 

 

UEM solutions today do a good job of condensing endpoint management tools into a simple package. While definite gaps exist, they are easily fillable with the suite of PolicyPak solutions. You can check out all of the tools outlined here and more on our website.

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.

Ready to Get Started? Register for Our Webinar.

Our PolicyPak Webinars explain everything you need to know to get started with the software. Once you've attended the webinar, you'll be provided a download link and license key to start a free trial.