Unified Endpoint Management

Unified Endpoint Management (UEM) in beem is a comprehensive solution designed to manage, monitor, and secure client devices across various operating systems. It ensures that endpoints, whether mobile phones, tablets, laptops, or desktops, adhere to corporate security policies and are continuously assessed for compliance and posture.

UEM tools apply privacy and usage policies and device configuration by utilizing telemetry data from identities, apps, connectivity, and devices. Furthermore, they can be integrated into identity, security, and remote access tools to support Zero Trust.

Once a beem customer decides to manage their client devices, a tenant is automatically set up and connected. beem supports the following client operating systems: Windows, macOS, iOS, iPadOS, and Android. Linux is not supported for UEM, but Linux devices can still get access agentlessly. These specifications apply to both the beem App and UEM. Swisscom always recommends using the latest version of the client operating system. In other situations, we advise implementing additional security measures, such as network segmentation and limiting access to only essential, ideally non-critical, business applications.

beem Security Editions Basic, Plus, and Premium offer a state-of-the-art UEM solution. For mobile users, device onboarding is offered as a self-service feature in the Swisscom Cockpit. The Swisscom Cockpit is also available for Windows and macOS or devices without a SIM card. For BYO users, a web app with analogous features exists. Only a subset of the UEM features is available for Collaboration users, as device management is not supported. In principle, the use of UEM is optional for all user types. The full UEM functionality is available for managed client devices that also use the beem App.

Device Posture Management

Device Posture Management is a method of assessing the security and trustworthiness of client devices. It facilitates the collection of device attributes, which can then be used for access rules. These rules can be used to restrict access for client devices that do not meet specific security requirements. The device attributes include predetermined information such as the operating system version and, depending on the client operating system, hundreds of other attributes. Overall, Device Posture Management aims to ensure the security and trustworthiness of client devices before they gain access to network resources or applications. With beem, we differentiate between “Proactive Device Posture Management” and “Continuous Device Posture Management.”

Proactive Device Posture Management

Proactive Device Posture Management enforces security policies before access is granted. Devices are evaluated based on OS version, encryption status, antivirus presence, and more.

Overall, beem offers five security levels for client device profiles, which define the strictness of posture enforcement:

| Level/Security Edition | Description |
|---|---|
| 1 - Essential | Basic security; minimal restrictions. |
| 2 - Basic | Balanced security and usability; default for mobile OS. |
| 3 - Plus | Enhanced security; default for desktop OS. |
| 4 - Premium | High security; may impact user experience. |

The administrator can set exactly one level per client operating system as the default. This may implicitly dictate which of the five client operating systems are managed within the company. Optionally, the administrator can make assignments using user groups. A user group is then assigned a two-tuple: a level and a client operating system. Administrators need to ensure that they avoid multiple allocations, because the first assignment found is decisive per user and client device.
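The resolution rule described above (first matching group assignment wins, otherwise the per-OS default) and a check for multiple allocations, as an added example that is not beem or Swisscom code. The data model, group names and user names are hypothetical; the default levels follow the table above.

```python
from typing import NamedTuple, Optional

class Assignment(NamedTuple):
    group: str       # user group (hypothetical names)
    client_os: str   # client operating system
    level: int       # security level from the table above

# Constructed sample data. Defaults follow the table: level 2 for mobile
# operating systems, level 3 for desktop operating systems.
DEFAULTS = {"Windows": 3, "macOS": 3, "iOS": 2, "iPadOS": 2, "Android": 2}
ASSIGNMENTS = [
    Assignment("finance", "Windows", 4),
    Assignment("contractors", "Windows", 1),
    Assignment("finance", "iOS", 3),
]
MEMBERSHIP = {
    "alice": {"finance"},
    "bob": {"contractors", "finance"},  # member of two Windows-assigned groups
    "carol": set(),
}

def resolve_level(groups, client_os, assignments=ASSIGNMENTS,
                  defaults=DEFAULTS) -> Optional[int]:
    """First matching assignment wins; otherwise the OS default.
    Returns None when the OS has no default, i.e. it is not managed."""
    for a in assignments:
        if a.client_os == client_os and a.group in groups:
            return a.level
    return defaults.get(client_os)

def find_multiple_allocations(membership, assignments=ASSIGNMENTS):
    """Map (user, client_os) to every assignment that matches, for each pair
    matched by more than one assignment. For these users the effective
    level depends only on assignment order."""
    conflicts = {}
    for user, groups in membership.items():
        by_os = {}
        for a in assignments:
            if a.group in groups:
                by_os.setdefault(a.client_os, []).append(a)
        for client_os, hits in by_os.items():
            if len(hits) > 1:
                conflicts[(user, client_os)] = hits
    return conflicts

if __name__ == "__main__":
    for user, groups in MEMBERSHIP.items():
        print(user, "Windows ->", resolve_level(groups, "Windows"))
    for (user, client_os), hits in find_multiple_allocations(MEMBERSHIP).items():
        print("multiple allocation:", user, client_os, [h.level for h in hits])
```

In this sample, bob ends up at level 4 or level 1 on Windows depending solely on which assignment is listed first, which is why multiple allocations are worth flagging before a profile is rolled out.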

Swisscom continuously updates and documents device profiles for all client operating systems and levels. A rationale is given for each setting, which can be made accessible to end users if necessary. A device profile potentially sets hundreds of parameters depending on the client's operating system. Users of managed client devices forfeit some autonomy regarding client OS and/or device settings and, in return, gain access to company resources. Specific settings are centrally controlled depending on the chosen level.

Continuous Device Posture Management

Continuous Device Posture Management offers real-time monitoring of device health and configuration.

Endpoint Information Profiles (EIP) can be created to protect the company's network, resources, and data. EIP are used to define access rules and ensure that the devices granted access adhere to the required security standards. The available device properties are maximised when the beem App is used. A multitude of information about the device's security status is available. For instance, it can be checked whether the latest security patches and antivirus definitions are installed or whether the device's permanent storage is encrypted. Furthermore, integration with various Endpoint Protection Platforms (EPPs) is offered. In particular, the antivirus or anti-malware tools of the following manufacturers are supported:

  • McAfee
  • Avast
  • Windows Defender
  • Trend Micro
  • Panda
  • ESET
  • Symantec
  • Kaspersky
  • CrowdStrike
  • Carbon Black
  • SentinelOne

For Windows and macOS, many parameters are available for EIP that can be constantly checked. Due to some restrictions, the number of parameters on iOS, iPadOS, and Android is smaller. Therefore, proactive device posture management is critical for these client operating systems. beem intentionally draws a strong demarcation line between “proactive” and “continuous” device posture management to reduce complexity. While both functional units complement each other, they inevitably have some areas of overlap. Be aware that beem (currently) does not include an EPP module but relies on third-party solutions. Integration with third-party Endpoint Protection Platforms (EPPs), such as:

  • Microsoft Defender
  • Bitdefender
  • CrowdStrike
  • Sophos
  • Trend Micro

is recommended.