As an IT administrator, you need tools to monitor what software is installed on your remote users’ laptops. This information helps you ensure software is up to date and that only approved software has been downloaded. It also helps you mitigate other security risks as users work outside the office.
Read on to learn about security best practices for managing remote user laptops, including reporting on installed software and versions across your fleet — and how to do so uniformly regardless of the operating systems in your fleet.
Why Limit User Access on Laptops
In general, it’s a best practice not to allow users to have administrator rights on their laptops. By default, you should set permissions as standard non-admin/non-sudoer for user accounts, which prevents users (and more importantly, malicious actors) from installing software and taking other actions on their laptops that could expose them to additional risk. For example, a BeyondTrust report found that more than three out of every four critical Microsoft vulnerabilities could be mitigated by removing admin rights on the device.
However, there might be circumstances in which you grant users administrator rights temporarily — like installing a printer — and you want to monitor whether they install unapproved software during that window of time. Or, due to bureaucratic or operational concerns, you might not be in a position to revoke administrator rights at all.
No matter what situation you find yourself in, you need visibility into installed software and version information across your device fleet to identify and close security gaps, particularly in the case of zero-day vulnerabilities that require immediate attention. Even approved software can present security risks if it’s not properly maintained.
And, you need a way to do this without physical access to the devices, especially during the COVID work-from-home orders.
Monitor Installed Software and Versions
You can use point tools and OS-specific solutions to monitor Macs or Windows independently of one another, but unified device management solutions enable you to monitor both operating systems from the same console. This simplifies your device management tasks as an administrator, as well as reduces costs for your organization.
Whether your users (or executives) request Macs or your organization goes through a merger or acquisition with a Windows shop, a unified device management solution offers flexibility and a single source of truth.
JumpCloud Directory Platform is a comprehensive identity, access, and device management platform for Mac, Windows, and Linux. Once you begin managing your devices with JumpCloud, you can monitor them directly from your web-based Admin Portal.
Using System Insights
JumpCloud’s System Insights feature enables you to gather asset, security, and configuration data for your managed Mac, Windows, and Linux devices. Using this feature, you can view installed software on Mac and Windows devices, as well as its version, install date, and the last time it was opened. You can also export this data for further analysis, storage, or to satisfy audit and compliance requirements.
Within your Admin Portal, you can view each device and an associated pane with a wealth of data points, including installed software. This is the view for the programs installed on one user’s Windows machine:
You can also use JumpCloud’s API documentation to query this information at scale and take action as needed across your fleet.
Layering Directory Insights for User Events
In addition to device-specific asset, security, and configuration data, you can use JumpCloud’s Directory Insights feature for visibility into user events on those devices (and other IT resources such as applications, files, and networks).
This includes login attempts and results, system updates, and more. Together, these features give you the clearest picture of remote activity and device health metrics that you can use to improve security and troubleshooting — no matter where your end users work.
Learn More about Unified Device Management
The head of information security and compliance at PayWith, an app development company, uses System Insights to record device serial numbers, monitor network information, and list Chrome extensions, among other data points. Read their case study to learn more about complete device management and reporting.