With the shift to remote work amid the pandemic, IT administrators must now enable and secure end users in new ways. A key component is the management of remote employee workstations.
Admins must configure and secure those systems, set appropriate user access levels, and monitor them to ensure they’re functioning properly. Complicating factors include a diverse set of platforms — macOS, Windows, and Linux — and, sometimes, lack of organizational ownership over these devices.
Here, we’ll examine key capabilities of system management and monitoring platforms that admins should consider before selecting one to use.
Configuring & Securing Remote Systems
Workstations serve as a user’s gateway to virtually all other IT resources, including applications, files, networks, and more, so they must be configured properly to perform optimally. In traditional, in-office network configurations, admins leveraged Active Directory, System Center Configuration Manager (SCCM), and other on-premises tools.
However, such on-prem infrastructure proved more challenging to use in the shift to remote work. Admins also need additional solutions to manage macOS and Linux systems with the same level of fine-grained control they achieve for Windows systems through AD.
Ideally, a system management tool will serve all three operating systems with equal functionality and enable admins to deploy machine hardening tactics across their fleets, no matter where they’re located. A system management tool should also enable admins to take over pre-existing local accounts on unmanaged systems and incorporate those into their managed environment.
Machine Hardening Tactics
These are a few core machine hardening tactics admins should be able to achieve on remote employee workstations:
- Enable multi-factor authentication (MFA) & require complex passwords: Complex and unique passwords combined with multi-factor authentication can greatly reduce the chance that remote machines are compromised. MFA helps ensure that even if a set of credentials is compromised, those credentials alone can’t unlock a machine.
- Patch operating systems & installed applications: Patches are important to address zero-day vulnerabilities, as well as routine maintenance, for machines and the applications installed on them.
- Enforce full disk encryption (FDE): Full disk encryption ensures that storage volumes and at-rest data are secure, which is particularly useful if a machine is stolen or lost.
- Install anti-virus/malware software: This software can help protect users and scan for threats in emails, applications, and other resources.
- Deploy other security configurations: GPO-like policies can help admins take other bulk actions on their fleets, such as setting the lock screen after a defined period of time or disabling removable storage devices.
Remote System Monitoring
Admins not only need to be able to configure and secure machines but also monitor them to ensure they continue to perform optimally and that all configurations are in place as expected. With this telemetry, they can also take responsive action quickly when needed.
Key Monitoring Data Points
These are a few core data points admins should be able to return about their remote employee workstations:
- Machine serial numbers: Serial numbers are helpful both for IT asset management purposes and for warranty and repair situations.
- Network information, including IP address: Network information can indicate where a machine is located and whether remote users are utilizing a secure network.
- CPU, memory, & storage: These data points can help in troubleshooting remote machines and assessing whether they adequately meet the needs of the users assigned to them.
- Full disk encryption status: This information can indicate which machines have encryption enabled and which volumes on each machine are encrypted.
- OS version & patches: This information can indicate whether machines are up-to-date and properly patched.
- Installed applications & browser extensions: This information can help admins verify that users have only approved applications and browser extensions on their machines.
Cross-Platform System Management & Monitoring
Modern cloud platforms can help admins manage and monitor their remote fleets. One such solution is JumpCloud Directory-as-a-Service — a modern cloud directory platform. JumpCloud can either serve as a standalone directory service or a comprehensive Active Directory identity bridge. It can extend AD identities to non-Windows resources, including macOS and Linux systems.
With JumpCloud in place, admins can manage remote macOS, Windows, and Linux systems, as well as monitor them with both directory- and system-level telemetry. Click here to learn more about cross-platform system management in action.