
What IT needs to know about PC management

Heather Gray

May 9, 2022

15 min read

PC management refers to the management of personal computers: multi-purpose devices intended for a single user, which run the applications that user needs for work and can be extended with additional hardware and software when required. Despite the popularity of BYOPC (Bring Your Own PC), managing these devices remains riddled with difficulties, some of which stem from the consumerization of IT and the privacy concerns of increasingly tech-savvy users.


What is BYOPC? Is it a good idea?

BYOPC, or Bring Your Own PC, allows employees to use their own personal computer for both work and personal use. Though BYOPC has been around for quite a long time, it hasn't gained the traction that BYOD did within IT circles, probably because PCs are more expensive than mobile devices and PC management is still considered by some admins to be a bit clunky. Nevertheless, implementing BYOPC within your organization can be beneficial, as it allows:

  • Organizations to cut down on hardware costs.
  • Easier transition to remote work.
  • Employees to use the same device for work and personal use.

Preferred operating systems for PCs

Windows and macOS continue to be the most widely used operating systems on PCs. Windows as a Service is the approach Microsoft introduced with Windows 10, and continued with Windows 11, to simplify the deployment and management of devices. Before Windows 10, a new version of the OS shipped only every few years, which made patch management and security updates a disruptive, big-bang process. With Windows 10, updates were split into two kinds, feature updates that add functionality a couple of times a year and quality updates that deliver cumulative security and reliability fixes monthly, and servicing became a continuous process.

Apple offers several programs, such as AppleSeed for IT, the Apple Developer Enterprise Program and the Apple Beta Software Program, for IT admins, developers and the general public to test pre-release versions of the OS.

AppleSeed for IT lets IT admins test the compatibility of new software within their work environment before it ships. The Apple Developer Enterprise Program lets organizations build and distribute in-house applications to their own employees without submitting them for App Store review. The Apple Beta Software Program is open to anyone with a valid Apple ID and allows users to download and test public betas.

Challenges with PC management within the enterprise

Before MDM, PCs were managed with client management tools. They configured systems and performed a wide range of functions such as app deployment, patching, OS deployment and remote control. In addition to providing visibility into the systems, they helped admins see the vulnerabilities present across endpoints. Though they gave admins a holistic way to manage devices, they did not offer the flexibility organizations needed as business requirements grew more complex; those requirements were not easy to meet with a client management tool.

If your organization manages Windows devices, you will be familiar with Group Policy. It is used to apply configurations, deploy applications and perform other actions on Active Directory (AD) domain-joined devices. Settings are delivered through Group Policy Objects (GPOs). Each GPO has two halves: Computer Configuration settings, which apply to the device regardless of who signs in (for example, how OS updates are installed), and User Configuration settings, which follow the user to whichever device they sign in on (for example, deploying an application to a specific set of users). Once a GPO is created it is linked to a site, domain or organizational unit, and applies to the devices and users within it.

Although Group Policy makes it easy for the IT team to push the necessary configurations, it is complex: thousands of settings and layered precedence between linked GPOs mean that excessive fine-tuning quickly makes the result hard to reason about or audit. Another limitation is that Group Policy applies only to Active Directory domain-joined devices, and it splits every configuration into device-scoped and user-scoped settings whether or not that distinction suits the task.

A UEM, on the other hand, enforces security configurations and policies from a centralized console. It can also remotely lock and wipe a device that is reported lost or stolen. Enrollment is not limited to AD domain-joined devices: hybrid domain-joined and non-domain-joined devices can be enrolled too. Let's look at some of the challenges your IT team could face when managing endpoints without an endpoint management tool.

Endpoint and data security

Keeping assets and data safe

Data protection is increasingly a priority for organizations. Most consumers are aware of their privacy rights and expect businesses to respect them. Much of the data a business holds is governed by privacy laws that set strict requirements on how it is collected and processed. As a result, businesses need sound security controls to make sure any sensitive information they handle is not exposed through data leakage.

Asset management

Maintaining an up-to-date asset inventory is critical: it provides visibility of the assets and makes it easier to trace a threat or vulnerability back to a specific device. It gives a more organized approach to deploying and managing the required applications, and helps businesses prioritize assets according to business requirements. Admins get a complete overview of the devices and can prevent the installation of malicious apps. Managing assets manually does not scale once an organization grows beyond a handful of devices.

End user engagement

Providing good user engagement is just as important as maintaining the security of your devices. A cluttered approach to managing endpoints affects employee productivity. Users expect to use the latest hardware, running the software of their choice, with good internet connectivity. Balancing these expectations with the organization's security requirements is a challenge for IT admins.

Collaboration

Encouraging a more collaborative workplace improves the productivity and problem-solving skills of your employees. As remote and hybrid work models are becoming more popular, employees expect the flexibility they need in communicating and working with other members within their team remotely. Employees are consistently found to be more engaged when working in a team. By not providing enough tools that promote collaboration, your organization may risk losing employees looking for more flexible workflows.

Remote troubleshooting

Remote users may encounter technical glitches and other annoying little hindrances within their PCs from time to time. Without adequate tools in place, it can be hard for your team to dive into the root cause of the issue. Leaving the issue unresolved for a long period of time would not only affect the productivity of your employees but also lead to downtime and disruption in your daily operations.


How to resolve these challenges with a UEM

Technology has greatly advanced in recent years bringing in a lot of benefits for both businesses and consumers alike. PCs, like most other endpoints, are now hubs for storing large amounts of data. A unified endpoint management solution streamlines the management of these devices by lessening the risks that come with using PCs to access corporate resources. This includes deploying specific network security policies to safeguard information present within the networks and initiating remote wipe to securely delete business sensitive data from lost or stolen PCs.

Device and data security

Deploy strong passwords

Improve the security of managed PCs by enforcing strong password policies on them. Admins can discourage poor password hygiene by defining the password type and setting the minimum length and the number of complex characters required. Complex passwords are hard to remember, so employees may take the easy way out and follow a predictable pattern when creating or updating passwords; left unchecked, attackers can exploit this to gain access to your resources. You can mitigate the risk with a password history setting, which prevents users from reusing any of their last N passwords, where N is chosen by your IT admin.
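The PowerShell below is an added example, not Hexnode's code and not what the UEM console does internally: it audits the local password policy on a Windows PC against the settings described above (minimum length, complexity, history, maximum age) and applies a baseline with secedit when the device has drifted. The baseline values are assumptions; run it in an elevated session.

```powershell
# Added example (not Hexnode's code): audit the local password policy on a Windows PC
# against a baseline and enforce it with secedit when it drifts. Run in an elevated
# session. The baseline values below are assumptions; align them with your own standard.

$Baseline = @{
    MinimumPasswordLength = 14    # characters
    PasswordComplexity    = 1     # 1 = require a mix of character classes
    PasswordHistorySize   = 24    # previous passwords a user may not reuse
    MaximumPasswordAge    = 365   # days; secedit reports -1 for "never expires"
}

function Get-LocalPasswordPolicy {
    # Export the effective local security policy and read the [System Access] values.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $text = (Get-Content -Path $cfg) -join "`n"
    $policy = @{}
    foreach ($key in $Baseline.Keys) {
        if ($text -match "(?m)^\s*$key\s*=\s*(-?\d+)") { $policy[$key] = [int]$Matches[1] }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    $current = Get-LocalPasswordPolicy
    foreach ($key in $Baseline.Keys) {
        $want = $Baseline[$key]
        $have = $current[$key]
        $ok = $false
        if ($null -ne $have) {
            # A longer maximum age is weaker; for every other setting a smaller value is weaker.
            if ($key -eq 'MaximumPasswordAge') { $ok = ($have -ne -1) -and ($have -le $want) } else { $ok = ($have -ge $want) }
        }
        [pscustomobject]@{ Setting = $key; Required = $want; Current = $have; Compliant = $ok }
    }
}

function Set-PasswordPolicy {
    # secedit applies policy from a Unicode .inf template; only the SECURITYPOLICY area is touched.
    $inf = Join-Path $env:TEMP 'secpol-baseline.inf'
    $db  = Join-Path $env:TEMP 'secpol-baseline.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MinimumPasswordLength = $($Baseline.MinimumPasswordLength)
PasswordComplexity = $($Baseline.PasswordComplexity)
PasswordHistorySize = $($Baseline.PasswordHistorySize)
MaximumPasswordAge = $($Baseline.MaximumPasswordAge)
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

$report = Test-PasswordPolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { Set-PasswordPolicy }
```

On a domain-joined PC the domain's password policy (and fine-grained password policies) override these local values for domain accounts, and on an enrolled device the UEM's DeviceLock policy does the same, so treat the script as a drift check and keep one authority for the setting rather than fighting between them.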

Restrictions

You can set restrictions on device functionality and on security and privacy settings to protect both the device and its data. This gives your IT team better control over the managed PCs and stops users from making unauthorized changes to the pre-defined settings. For example, if your organization is concerned about Microsoft collecting usage and performance data through telemetry, you can turn the diagnostic data level down when enrolling devices via the UEM portal; note that the lowest level, Security, is honoured only on Enterprise and Education editions, and Windows Pro treats it as Required. Other restrictions include preventing users from manually removing the workspace account from the device and disabling password requests from nearby devices.

Network and email configurations

Configuring the Wi-Fi settings on each device manually is incredibly time-consuming. A UEM lets admins remotely configure the settings for individual devices or in bulk. This gives your IT team assurance that employees connect only to networks approved by your organization, saves users from remembering complex passphrases each time they connect, and limits the chance of unauthorized devices joining your networks. You can also push VPN settings so that users access corporate resources securely when working remotely.

Leaving users to set up their email settings themselves takes a lot of time, particularly with teams who are not familiar with doing so. You can configure the email settings remotely, synchronize users' accounts with the email server and have everything ready when they start using the device.

Threat management

Threat management is an important part of securing and improving your security posture. Microsoft Defender Antivirus, built into Windows, protects devices against malware, and its cloud-delivered protection extends that coverage to newly seen threats. Microsoft Defender Application Guard goes further by opening untrusted websites in an isolated Hyper-V container, so that anything downloaded or executed there cannot reach the operating system. You can secure Windows PCs by remotely enabling these Defender settings from the UEM console.
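As an added example (not Hexnode's code), the following PowerShell checks the Defender settings just described on a Windows PC, reports which ones fall short of a baseline, and remediates with the Defender cmdlets that ship with Windows. The baseline (cloud protection on, PUA blocking on, signatures no older than three days, Application Guard enabled) is an assumption; run it elevated.

```powershell
# Added example (not Hexnode's code): audit core Microsoft Defender settings on a Windows PC
# and bring them to a baseline. Run elevated. The baseline choices are assumptions; on a
# UEM-enrolled device the Defender policy pushed by MDM overrides local preferences.

function Get-DefenderState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtection   = $status.IsTamperProtected           # read-only here; set via Windows Security or MDM
        SignatureAgeDays   = $status.AntivirusSignatureAge
        CloudProtection    = ($pref.MAPSReporting -ne 0)         # 0 Disabled, 1 Basic, 2 Advanced
        PUAProtection      = ($pref.PUAProtection -eq 1)         # 0 Disabled, 1 Enabled, 2 Audit
        ApplicationGuard   = ((Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard).State -eq 'Enabled')
    }
}

function Test-DefenderBaseline {
    $s = Get-DefenderState
    $failed = @()
    foreach ($p in 'AntivirusEnabled', 'RealTimeProtection', 'TamperProtection', 'CloudProtection', 'PUAProtection', 'ApplicationGuard') {
        if (-not $s.$p) { $failed += $p }
    }
    if ($s.SignatureAgeDays -gt 3) { $failed += 'SignatureAgeDays' }
    [pscustomobject]@{ Compliant = ($failed.Count -eq 0); Failed = $failed; State = $s }
}

function Set-DefenderBaseline {
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples `
                     -PUAProtection Enabled `
                     -ScanScheduleQuickScanTime (Get-Date '12:00')
    Update-MpSignature
    # Application Guard isolates untrusted sites in a container; a restart is needed before it is active.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart | Out-Null
}

$check = Test-DefenderBaseline
if (-not $check.Compliant) {
    "Non-compliant: $($check.Failed -join ', ')"
    Set-DefenderBaseline
}
Test-DefenderBaseline | Select-Object Compliant, Failed
```

Tamper protection deliberately cannot be switched on from Set-MpPreference, and while it is on, local scripts cannot turn real-time protection off either; that is the point of the feature, and it is why the script only reports it. Application Guard requires a Pro or Enterprise edition with virtualization support.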

Encryption

Encryption is integral to data security. It scrambles sensitive information into ciphertext that can be read only by someone holding the key. Full-disk encryption is mandated by several regulations to keep data protected from unauthorized access and modification when a device is lost. You can protect Windows devices with BitLocker, which provides full-volume encryption of the disk and all its contents, keyed to the TPM where one is present. Mac devices are encrypted with FileVault, the full-disk encryption feature in macOS that protects data on the startup disk. It uses XTS-AES-128 encryption with a 256-bit key and requires the user's password at startup before the disk is unlocked. In both cases the recovery key must be escrowed centrally (BitLocker recovery passwords to AD or Azure AD, FileVault's personal recovery key to the MDM); encryption without an escrowed recovery key turns a forgotten password or a changed TPM state into permanent data loss.
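The following PowerShell is an added example of the BitLocker side of this (it is not Hexnode's code): it adds a recovery password, escrows it, enables encryption of the OS drive with a TPM protector, and checks that protection is actually on rather than merely that the drive is encrypted. It assumes a TPM-equipped Windows Pro/Enterprise device, an elevated session, and Active Directory escrow; for Azure AD joined devices BackupToAAD-BitLockerKeyProtector replaces Backup-BitLockerKeyProtector.

```powershell
# Added example (not Hexnode's code): encrypt the OS drive with BitLocker, add and escrow a
# recovery password, and verify. Assumes a TPM, an elevated session and AD DS escrow
# (the GPO "Store BitLocker recovery information in AD DS" must allow it).

$OsDrive = $env:SystemDrive   # usually C:

function Test-OsDriveProtected {
    $v = Get-BitLockerVolume -MountPoint $OsDrive
    # "FullyEncrypted" with ProtectionStatus "Off" is a common gap: the key is stored in the clear.
    return (($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On'))
}

function Enable-OsDriveEncryption {
    if (Test-OsDriveProtected) { return Get-BitLockerVolume -MountPoint $OsDrive }

    # Recovery password first, so the drive is recoverable before the TPM protector seals it.
    $v  = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
    $rp = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    # Escrow centrally; the recovery password must never live only on the device it unlocks.
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId

    # The TPM unlocks the volume at boot; XTS-AES-256 is the strongest method BitLocker offers.
    # -UsedSpaceOnly finishes quickly on a fresh device; -SkipHardwareTest starts without a reboot.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
    return Get-BitLockerVolume -MountPoint $OsDrive
}

Enable-OsDriveEncryption |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Use -UsedSpaceOnly only on drives that have never held sensitive data in the clear; on a device that is being re-secured, encrypt the full volume so previously deleted files are covered too.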

Privacy preferences

Since macOS 10.14 (Mojave), apps must be granted permission before they can access protected locations such as a user's Documents folder or services such as Automation, and macOS prompts the user for each request. Leaving these prompts to users is distracting and hinders productivity. Instead, a Privacy Preferences Policy Control (PPPC) payload lets admins pre-approve or deny these requests for signed apps from the UEM. Note that some services, such as the camera, microphone and screen recording, can only be denied through PPPC, not pre-approved.

Certificates

Digital certificates are increasingly used to secure access to corporate resources: a device presents its certificate to authenticate to Wi-Fi (EAP-TLS), VPN or email instead of relying on a shared password, so an unmanaged device without a certificate cannot join. Certificates can be issued to devices, distributed and renewed remotely through the UEM console.

Web content filtering

Cybercrime is more frequent than most organizations assume. Web content filtering helps block access to malicious websites and to sites prone to phishing, drive-by downloads and similar attacks. Admins can blacklist websites and put restrictions in place to prevent users from reaching them. Web content filtering can also block sites that reduce productivity; for instance, certain social media websites can be blocked during working hours.

OS updates

It's important to keep your PCs on a supported, current OS version. Each update carries security patches for vulnerabilities found in earlier builds; applying it promptly limits the window in which an attacker can exploit a known flaw. You can schedule OS updates to minimize disruption to workflows, or notify users of the update so they can install it later within a deadline.
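As an added example (not Hexnode's code, and not what the UEM console does internally), the PowerShell below lists the updates a Windows PC is still missing through the Windows Update Agent COM API and sets the Windows Update for Business policy values that keep automatic restarts outside working hours. The active-hours window and the three-day quality-update deferral are assumptions; run it elevated.

```powershell
# Added example (not Hexnode's code): list pending Windows updates via the Windows Update
# Agent COM API and set an update schedule policy. Run elevated. The active-hours window
# and deferral period are assumptions.

function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: not yet applied; IsHidden=0: not dismissed; Type='Software': skip drivers.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        $kbs = foreach ($k in $u.KBArticleIDs) { "KB$k" }
        [pscustomobject]@{
            Title      = $u.Title
            KB         = ($kbs -join ',')
            Severity   = $u.MsrcSeverity        # empty for non-security updates
            Downloaded = $u.IsDownloaded
        }
    }
}

function Set-UpdateSchedulePolicy {
    param(
        [int]$ActiveHoursStart = 8,     # 24-hour clock; automatic restarts are held inside the window
        [int]$ActiveHoursEnd   = 18,
        [int]$QualityDeferDays = 3      # days to hold monthly quality updates for pilot validation
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name SetActiveHours   -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ActiveHoursStart -Value $ActiveHoursStart -Type DWord
    Set-ItemProperty -Path $key -Name ActiveHoursEnd   -Value $ActiveHoursEnd   -Type DWord
    # Defer quality updates briefly for validation; long deferrals leave known CVEs open.
    Set-ItemProperty -Path $key -Name DeferQualityUpdates -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name DeferQualityUpdatesPeriodInDays -Value $QualityDeferDays -Type DWord
}

Set-UpdateSchedulePolicy
$missing  = @(Get-MissingUpdates)
$critical = @($missing | Where-Object Severity -eq 'Critical')
"{0} update(s) pending, {1} rated Critical" -f $missing.Count, $critical.Count
$missing | Format-Table Title, KB, Severity -AutoSize
```

Get-MissingUpdates needs to reach Windows Update or a WSUS server, because the search is performed against the configured update source. The registry values written here are the Group Policy form of the Update settings; on an enrolled device the UEM pushes the same settings through the Update CSP, and which of the two wins is decided by the MDMWinsOverGP policy, so configure them in one place only.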

Smart card authentication

Enforce additional security on Mac devices by authenticating users with their smart cards. A smart card carries a microchip that generates and stores cryptographic keys; the user's private key never leaves the card, and the matching certificate identifies the user. A PIN unlocks the card, so authentication requires both possession of the card and knowledge of the PIN. Admins can make smart card authentication mandatory and configure related settings such as allowing only one smart card per user and verifying the trust chain of the certificate.

Firewall

A firewall separates your internal network from the untrusted internet and controls what traffic crosses the boundary. It monitors and filters network traffic, reports on its activity and limits the spread of malware, spyware and other threats by dropping unsolicited connections. In addition to configuring the firewall settings, a UEM lets admins enable stealth mode (on macOS, which stops the Mac responding to probes such as ping) and block incoming connections to selected applications.
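For the Windows side, the PowerShell below is an added example (not Hexnode's code): it enforces a Windows Defender Firewall baseline on a PC (all profiles on, unsolicited inbound traffic dropped, blocked packets logged), adds a rule blocking inbound connections to one application, and verifies the result. The application path and log settings are assumptions; run it elevated.

```powershell
# Added example (not Hexnode's code): enforce a Windows Defender Firewall baseline, block
# inbound connections to one application, and verify. Run elevated. The application path
# and log file location below are assumptions.

$LogFile    = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
$BlockedApp = 'C:\Program Files\Contoso\LegacyAgent\agent.exe'   # hypothetical

function Set-FirewallBaseline {
    # All three profiles on; drop unsolicited inbound traffic; record what was dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName $LogFile -LogMaxSizeKilobytes 16384
}

function Block-InboundForApp {
    param([Parameter(Mandatory)][string]$Path)
    $name = "Block inbound - $(Split-Path -Path $Path -Leaf)"
    # Idempotent: do not stack duplicate rules on every run.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Program $Path `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Test-FirewallBaseline {
    $bad = @(Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    })
    [pscustomobject]@{
        AllProfilesEnforced = ($bad.Count -eq 0)
        NonCompliant        = @($bad.Name)
    }
}

Set-FirewallBaseline
Block-InboundForApp -Path $BlockedApp
Test-FirewallBaseline
```

A per-program block rule only matches traffic to that executable; if the application listens through a service host or a helper process, block the listening port or the service instead. Keep the dropped-packet log: it is the first place to look when a user reports that something "stopped working" after the baseline was pushed.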

Application management

Mandatory apps

Any applications employees need, or that a specific team requires, can be set as mandatory. This ensures the intended users have the applications installed on their devices. Devices without the required applications are marked non-compliant, alerting admins to have them deployed immediately.

Blacklist and whitelist apps

This feature lets the admin either allow or deny a specific set of applications. Once the policy is pushed to the managed PCs, they must be restarted before the whitelisted applications take effect.
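The PowerShell below is an added example (not Hexnode's code) that serves both the "Asset management" section above and the two app-compliance features just described: it builds a local asset inventory for a Windows PC (hardware identity, OS, installed software read from the uninstall registry keys) and evaluates mandatory and blocked application lists the way a compliance policy would, reporting what is missing and what should not be there. The application names are hypothetical.

```powershell
# Added example (not Hexnode's code): local asset inventory plus mandatory/blocked app
# compliance check for a Windows PC. The app names below are hypothetical assumptions;
# wildcards are matched with -like so a version suffix in DisplayName still matches.

$MandatoryApps = @('Microsoft Edge', 'Contoso VPN Client*')   # hypothetical
$BlockedApps   = @('uTorrent*', 'TeamViewer*')                # hypothetical

function Get-InstalledSoftware {
    # Native and 32-bit-on-64-bit machine-wide installs, plus per-user installs of the current user.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Get-AssetInventory {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    [pscustomobject]@{
        Hostname     = $cs.Name
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber       # the identifier to key the inventory on
        OS           = "$($os.Caption) $($os.Version)"
        LastBoot     = $os.LastBootUpTime
        Software     = @(Get-InstalledSoftware)
    }
}

function Test-AppCompliance {
    param([Parameter(Mandatory)][string[]]$InstalledNames)
    $missing = @($MandatoryApps | Where-Object { $m = $_; -not ($InstalledNames | Where-Object { $_ -like $m }) })
    $present = @($BlockedApps   | Where-Object { $b = $_; ($InstalledNames | Where-Object { $_ -like $b }) })
    [pscustomobject]@{
        Compliant        = (($missing.Count -eq 0) -and ($present.Count -eq 0))
        MissingMandatory = $missing
        BlockedInstalled = $present
    }
}

$inv = Get-AssetInventory
$inv | Select-Object Hostname, Manufacturer, Model, SerialNumber, OS, LastBoot | Format-List
Test-AppCompliance -InstalledNames $inv.Software.DisplayName
```

The uninstall keys only see conventionally installed software; portable executables and Microsoft Store apps (Get-AppxPackage) are not listed there, so a blocklist built only on this data can be bypassed by a user who runs an application from their Downloads folder. Treat the check as a compliance signal, and use an execution-control mechanism such as AppLocker when you need actual enforcement.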

App catalog

App catalog can be created on Mac devices to create a customized app store with all the applications users need. This saves users from searching for the applications they need or rely on your IT team to have access to those applications.

App configurations

This feature allows admins to preconfigure applications specific to business requirements. These apps can be remotely configured from the UEM console before they are made available to users.

Single app and multi app kiosk

Windows devices can be restricted to function with just a single application or a set of whitelisted applications. These devices can be locked down in a kiosk mode to carry out a specific purpose.

Remote management

Securing lost devices

Remote lock

Remote lock comes in handy when a user reports their PC lost or stolen. Once a remote lock is initiated, the device is locked with a secure password and can be unlocked only by the authorized user.

Data wipe

Lost devices always pose a serious security threat to your organization. You can protect sensitive corporate data by initiating a remote data wipe as soon as the device is reported lost.

Track device location

The location tracking feature makes it easier for admins to track the location of the device either in real time or over a period of time ranging from 15 minutes to 24 hours.

Custom scripts

Admins can deploy custom scripts to make the management of Windows and Mac devices easier. Scripts are used to automate a series of tasks that would otherwise take up a lot of time when done manually.

Clear activation lock

Activation Lock ties a Mac to the Apple ID that enabled Find My, so the device cannot be erased and set up again without that account's credentials. Though it keeps the device secure, it can be quite cumbersome when you need to reset the device of an employee who has left the organization. Admins can clear the Activation Lock from the UEM console to regain access to the device.

Summing up

PC management comes with its own share of challenges and benefits. Your organization can take certain measures to educate employees on the responsibilities they take on in keeping sensitive data safe when PCs are used for work, such as documenting an acceptable use policy that states the device specifications and the liability users hold for keeping data safe.

UEM plays an important role in securely managing the devices and limiting the possibility of a data breach by providing different management capabilities such as data loss prevention, application and security management and multi-platform support.


Heather Gray

Technical Blogger @ Hexnode. Reading and writing helps me to stay sane.
