Building a secure digital workplace – The importance of hardware lifecycle management

I spend my time helping customers and colleagues build secure workplaces, appreciated both by users and administrators.

Truesec are fortunate enough to work with some of Sweden’s, and perhaps also the worlds, most challenging IT-infrastructures. We implement and manage technical solutions, proven to make a difference when it comes to security.

Unfortunately, we are often presented with conditions that are far from optimal. One of the areas which we see can be greatly improved are procurement and lifecycle management of hardware.

This blogpost will focus on computers and mobile devices, but the recommendations are applicable on datacenter- and networking-hardware as well.

A real world example

Let´s start with an example from a current case with mobile devices from Apple. To get the full technical background, you are welcome to read more on my personal blog.

To enable a complete set of configuration settings in iOS and iPadOS, the devices needs to be configured as “Supervised”. The preferred way to enable “Supervision” is by using Apple Business/School Manager (ABM/ASM) and Device Enrollment Program (DEP).

DEP is used to get an Apple device under management when it connects to the internet. This creates a more secure device, but also a better user experience.

To be able to add devices to ABM, authorized Apple-resellers can populate your organizations ABM automatically when you purchase new devices. Its both efficient, leaves little room for vulnerabilities during the procurement and ensures that the device can be secure from first start.

However, there are resellers who does this population of ABM manually using a Mac-computer and the Apple Configuration application.

It works almost in the same way as the automatic upload from an authorized reseller, with one big exception.

Apple Configurator

When the population of devices have been done using the Apple Configurator the user of the device are able to remove the device from management within 30 days of enrollment.

In the worst case, this also removes the device from ABM. In this scenario, your organization have lost control of the device. You can only restore it if you get physical access to it again. This is a security concern and does increase the likeliness of the device being stolen.

A screenshot (in Swedish) from an iOS device and the option to remove it from management.

We therefore encourage you to choose authorized resellers for your Apple devices. This is to ensure that the population of ABM have been done the proper way.

If you aren’t using ABM or supervised devices, we recommend that you configure it as soon as possible.

This is only one example of why it is so important to choose the right hardware- manufacturer as well as reseller. In many aspects, Apple has been a visionary in this space.

Today, similar services are being offered for both Windows and Android devices.

Secure Windows devices

In regards to Windows devices, your organization should always require a minimum hardware specification. This ensures that the devices you procure fulfills the requirements for all available security features in Windows 10. Below is the minimum that you should require. Fortunately enough most if this is the default configuration today:

  • UEFI
  • Virtualization-support
  • TPM 2.0
  • Windows Hello for Business (face recognition is preferred)

Always try to avoid buying hardware from the vendors consumer range. This is something we have seen especially in the education space. It will limit what you are able to do in terms of management, security and automation. They may be cheaper than the professional or enterprise ranges, but for a reason.

If the device came preinstalled with Windows Home, you aren’t allowed to upgrade to Education or Enterprise.

Choosing your Android flavor

Continuing with Android, the choice of hardware vendor and reseller is more important than ever before.

Samsung has been the pioneer here, but the other vendors are quickly catching up. This is thanks to the adoption of Android Enterprise.

For Samsung, their services work in a similar fashion to Apple. An authorized Samsung reseller is able to automatically add new devices to Samsung’s KNOX service.

Samsung introduced KNOX as a security framework a number of years ago. It improved the manageability and security of the Android version that runs on Samsung hardware.

When the devices are added to KNOX, it allows for a Zero-touch experience (similar to DEP) when the phone is configured.

It will enable a unique (for Samsung) capability to control when and how new OS updates are installed.

Lastly for Android – ensure that all your current and future devices runs at least Android 9.0 or later. Earlier versions don’t have support for the new features of Android Enterprise, which allows for a better and more secure experience for both users and administrators.

Start by making active choices

To summarize these brief touchdowns in the different hardware offerings:

  • Make active vendor choices.
  • Buying the cheapest device can often turn out to be an expensive decision in the end.
  • Use resellers that are authorized by the hardware vendors.
  • Buy hardware and OS versions that are made to be used in an Enterprise or Education environment.