
Introduction to the beem Basic Security Edition Playbook

This playbook is intended for IT administrators, technical project leads, and partners involved in onboarding and migrating to beem Basic Security Edition.

This playbook guides you through migrating an existing environment to beem Basic Security Edition and onboarding your dedicated tenant. It uses modular Building Blocks with clear steps for activation, configuration, and migration of both existing and new environments. Use the Building Blocks to tailor a smooth transition and effective use of beem Basic Security Edition features.

What are Building Blocks?

Building Blocks provide a modular approach to implementing beem Basic Security Edition. Each block can be applied in different orders to match your organization’s objectives and environment.

The Starting Condition is the foundation for all Building Blocks. From there, you can arrange blocks in the order that best suits your needs.

Building blocks can also be used iteratively, allowing you to repeat steps when refining or improving processes. This flexibility ensures the onboarding and migration approach can be adapted to any situation.

Starting condition

Before you order beem Basic Security Edition, you need to decide how the onboarding process will be managed. You have three options:

  1. Swisscom Center of Excellence: paid service packages with expert guidance throughout planning and migration. Best if you want structured support.
  2. Partner: onboarding led by a certified partner. Recommended if you already work with a trusted partner or need external expertise.
  3. Do It Yourself (DIY): managed internally by your IT team. Suitable if you have the required resources, knowledge, and experience and prefer full control.

Your choice depends on available resources, your in-house expertise, and support needs. After deciding, you can place your order for beem Basic Security Edition and proceed with Tenant Provisioning.

Tenant Provisioning

Once you place an order through the beem Hub, Tenant Provisioning automatically secures eligible devices — mobile devices, PCs, Macs, tablets, and IoT endpoints with a Swisscom SIM — via beemNet. Protection is active nationally and while roaming. Locations you select during setup are added to your tenant alongside these devices. This automated step lays the foundation for later configuration: from the start, your first devices and sites are connected to the secure beemNet without manual setup.

Internet security features are enabled by default, blocking malicious websites and other online threats immediately. Note that not all SIM products support both the protect and the connect capability; some offer only one. If you plan to use Endpoint IP Address Cloaking, be aware that environments requiring fixed public IPs may need exceptions or alternative patterns. Assess these requirements early to ensure a smooth deployment.

Building Blocks

beem app

The beem app for Windows, macOS, iOS, iPadOS, and Android protects client devices when they connect through third-party or unsecured networks (e.g., public Wi-Fi). It uses deep packet inspection to detect and block unsafe traffic, giving you granular protection against malicious websites and compromised networks.

Deployment

You can install the app in two ways:

  • Self-service: Users download and install the app themselves.
  • Managed deployment: Administrators roll out the app to enrolled devices via Device Management.

All devices are managed centrally in the beem Hub.

Licensing

A valid user license is required for:

  • Passwordless authentication in the beem app.
  • Protection of devices against cyber threats.
  • Zero trust access to business applications for employees and partners.

To prepare:

  • Define the users you want to onboard and the groups they should belong to.
  • Order and assign the necessary licenses in the beem Hub.
  • Use groups as criteria in access policies for context-based application control.

INFO

When managing UNID accounts and groups, focus on aligning with business requirements rather than over-optimizing license assignments.

User and administrator experience
  • End users receive device-specific push notifications in real time and can view their personal Security Dashboard in the app. The dashboard shows blocked content and prevented incidents.
  • Administrators see an aggregated and anonymized Security Dashboard at company level, giving visibility into overall protection while preserving individual privacy.

Device Management

Device Management provides centralized control of client devices running Windows, macOS, iOS, iPadOS, and Android. It allows you to enforce security and protect corporate data across your device fleet.

Capabilities
  • Remotely block devices that are lost or stolen.
  • Wipe corporate data from enrolled devices without affecting personal content.
  • Apply predefined Device Policies that are continuously updated.

Activation

After your initial order, you can activate Device Management in the beem Hub. This process links the mobile device management (MDM) platform with your beem Basic Security Edition tenant.

Configuration
  • Decide whether to manage all supported operating systems or only selected ones.
  • Complete any OS-specific setup steps directly in the beem Hub (for example, creating and linking an Apple Business Manager account to manage iOS and macOS devices).
  • Once activated, choose from predefined Device Policies and assign them to the relevant device groups.

Application Discovery

Application Discovery is the process of identifying all business applications in your environment, deciding who should access them, and defining how they can be reached. It applies to applications hosted on local servers, in private or public clouds, and SaaS platforms.

Purpose

A complete application inventory is critical before migration. Without it, important applications may remain unprotected or misconfigured. When creating the inventory, consider questions such as:

  • How do users currently access this application? Internally only, or externally as well?
  • Is access provided through VPN, remote access, or directly via the cloud?
  • Which groups or roles require access?
  • Does the application run on-premises, in the cloud, or as SaaS?

This ensures that applications are catalogued according to both technical access patterns and business requirements.

Automated discovery in beem Basic Security Edition

To support this process, beem Basic Security Edition provides an automated Application Discovery function.

  • Learning mode: Runs for a configurable period (e.g., several weeks) to capture normal usage.
  • Passive analysis: Monitors LAN/WAN traffic, using protocol sniffing, heuristics, and aggregation to identify likely application servers.
  • Active scanning: Complements passive methods by probing network nodes that may not generate high traffic.
  • SaaS catalog: A built-in library of ~8,000 SaaS applications enables automatic detection of many common services.

The outcome is a consolidated view of applications in use, simplifying the configuration of application metadata and routes in the beem Fabric.

Connectivity patterns

Each application type requires a different connectivity approach. During discovery, plan which pattern applies to each application:

  • Private applications on-premises (Edge Interceptor):
    • Applications hosted on local servers can be published securely using the Swisscom Centro Business router.
    • The router forwards inbound internet traffic directly to the final host in the LAN (ingress), removing the need for a separate on-site firewall in this setup.
    • Security guidelines can be defined per fixed public IP address or FQDN.
  • Private applications in the cloud (tunnel):
    • Cloud-hosted private apps are secured through encrypted tunnels between client devices and cloud infrastructure.
    • Tunnel-based connectivity supports multiple deployment models (e.g., IaaS, PaaS) and ensures consistent policy enforcement across different environments.
  • SaaS applications (inline CASB):
    • SaaS traffic is secured by an inline cloud access security broker (CASB), which monitors activity and enforces real-time policies.
    • You can select from the supported SaaS catalog to apply zero trust controls for the chosen services.

Why early discovery matters

Mapping applications and connectivity requirements at the start prevents rework later in the migration. Knowing from the outset whether an application belongs in the Edge Interceptor, tunnel, or inline CASB pattern lets you align the beem Basic Security Edition configuration with your business environment: on-premises applications typically require the Edge Interception connectivity pattern, cloud-hosted applications are best served through secure tunnel connections, and Software-as-a-Service applications benefit from inline Cloud Access Security Broker (CASB) integration. Understanding these connectivity requirements early helps determine the appropriate beem Basic configuration for each application type.
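The two discovery steps above (passive analysis of traffic to find likely application servers, then assigning each application to the Edge Interceptor, tunnel, or inline CASB pattern) can be sketched in a few dozen lines. The following is an added example, not code from the playbook or from Swisscom: the flow records, address ranges, SaaS catalog entry and all function names are constructed for illustration, and the built-in Application Discovery function is not modelled beyond the fan-in heuristic shown here.

```python
"""Added example, not code from the beem playbook or from Swisscom.

It sketches two steps the Application Discovery text describes:
  1. passive analysis: aggregate flow records by (server, port) and treat
     destinations that several distinct clients talk to as likely
     application servers;
  2. connectivity-pattern assignment: map each discovered application to
     the Edge Interceptor, tunnel or inline CASB pattern from its hosting.

All flow records, address ranges and the catalog entry are constructed
sample data; the names below are this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed flow records: (client_ip, server_ip, server_port, bytes).
SAMPLE_FLOWS = [
    ("10.1.0.11", "10.1.5.20", 443, 120_000),     # on-prem web app, 3 clients
    ("10.1.0.12", "10.1.5.20", 443, 98_000),
    ("10.1.0.13", "10.1.5.20", 443, 150_000),
    ("10.1.0.11", "10.1.5.21", 3389, 40_000),     # single client: below threshold
    ("10.1.0.11", "203.0.113.10", 443, 20_000),   # cloud-hosted private app
    ("10.1.0.12", "203.0.113.10", 443, 22_000),
    ("10.1.0.11", "198.51.100.7", 443, 5_000),    # SaaS, present in catalog
    ("10.1.0.12", "198.51.100.7", 443, 7_000),
    ("10.1.0.13", "198.51.100.7", 443, 6_000),
    ("10.1.0.13", "10.1.5.30", 22, 1_000),        # single client: below threshold
]

# Constructed stand-in for the built-in SaaS catalog (server IP -> service).
SAAS_CATALOG = {"198.51.100.7": "example-crm-saas"}

# Constructed: prefixes that are on-premises LAN. Private-app servers
# outside these prefixes are treated as cloud-hosted.
ON_PREM_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]

# The mapping the playbook describes: hosting type -> connectivity pattern.
PATTERN_FOR_HOSTING = {
    "on-prem": "edge_interceptor",
    "cloud": "tunnel",
    "saas": "inline_casb",
}


@dataclass
class DiscoveredApp:
    server: str
    port: int
    clients: int
    total_bytes: int
    hosting: str   # "on-prem", "cloud" or "saas"
    pattern: str   # "edge_interceptor", "tunnel" or "inline_casb"


def hosting_of(server_ip: str) -> str:
    """Classify a server address: catalog hit -> SaaS, LAN prefix -> on-prem, else cloud."""
    if server_ip in SAAS_CATALOG:
        return "saas"
    addr = ipaddress.ip_address(server_ip)
    if any(addr in net for net in ON_PREM_PREFIXES):
        return "on-prem"
    return "cloud"


def discover(flows, min_clients: int = 2):
    """Aggregate flows per (server, port); keep services used by >= min_clients clients."""
    by_service = defaultdict(lambda: {"clients": set(), "bytes": 0})
    for client, server, port, nbytes in flows:
        entry = by_service[(server, port)]
        entry["clients"].add(client)
        entry["bytes"] += nbytes

    apps = []
    for (server, port), entry in by_service.items():
        if len(entry["clients"]) < min_clients:
            continue   # low fan-in: a candidate for active scanning, not a confirmed app
        hosting = hosting_of(server)
        apps.append(DiscoveredApp(server, port, len(entry["clients"]),
                                  entry["bytes"], hosting, PATTERN_FOR_HOSTING[hosting]))
    # Most widely used services first, then by volume.
    apps.sort(key=lambda a: (-a.clients, -a.total_bytes))
    return apps


if __name__ == "__main__":
    for app in discover(SAMPLE_FLOWS):
        label = SAAS_CATALOG.get(app.server, app.server)
        print(f"{label}:{app.port}  clients={app.clients}  "
              f"bytes={app.total_bytes}  hosting={app.hosting}  pattern={app.pattern}")
```

Servers that only one client talks to drop below the fan-in threshold; in the playbook's terms these are the nodes that passive analysis misses and active scanning is meant to complement, so a real inventory would list them separately rather than discard them.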

Internet Access

beem Basic Security Edition provides integrated internet security for all connected devices. Threat protection and privacy features are active by default, giving users secure browsing with automatic blocking of malicious websites, phishing attempts, and unsafe networks. The platform prioritizes internet security from the outset, ensuring immediate protection against web-based threats.

Endpoint IP Address Cloaking

A central feature of beem Basic Security Edition is Endpoint IP Address Cloaking, which conceals device and site IP addresses from the public internet.

  • How it works: Carrier-Grade Network Address Translation (CGNAT) treats your private IPs as non-routable and replaces them with a shared public IP address from the beem pool.
  • What others see: External websites and services see the shared Swiss public IP, never the actual client or site IP.
  • Default behavior: Cloaking is enabled by default for devices and locations.

Benefits
  • Privacy: Prevents websites and third parties from tracking individual device IPs.
  • Security: Reduces exposure to targeted attacks such as DoS or social engineering.
  • Compliance: Ensures the public IP address presented to the internet is always Swiss, supporting data protection and regulatory requirements.

Exceptions and planning

If you need inbound connectivity (e.g., a fixed public IP to publish services), you can disable cloaking per location. In these cases:

  • Per-location exception: Cloaking can be disabled for specific sites.
  • Limitations: Using fixed public IPs with cloaking disabled can create configuration challenges.
  • Recommendations: Where possible, adopt modern, centralized alternatives to maintain strong security while still meeting connectivity requirements.
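To make the cloaking behaviour and its inbound-connectivity limitation concrete, here is an added example (not code from the playbook or from Swisscom) in the form of a toy carrier-grade NAT table. It shows that an external server only ever sees the shared public IP for a cloaked site, that unsolicited inbound packets to the shared IP match no translation state and are dropped (which is why publishing a service needs the per-location exception), and that a location with cloaking disabled keeps its fixed public IP and has ingress forwarded to its published LAN host. All addresses, site names, the port range and the class and method names are constructed assumptions.

```python
"""Added example, not code from the beem playbook or from Swisscom.

A toy carrier-grade NAT table that reproduces the behaviour the cloaking
section describes: outbound traffic from a cloaked site leaves with the
shared public IP, unsolicited inbound packets to that shared IP match no
state and are dropped, and a site with cloaking disabled keeps its fixed
public IP and has inbound traffic forwarded to its published LAN host.
All addresses, site names and the port range are constructed sample values;
the class and method names are this example's own.
"""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Location:
    name: str
    prefix: str                              # private range assumed for the site
    cloaked: bool = True
    fixed_public_ip: Optional[str] = None    # used only when cloaked is False
    published_host: Optional[str] = None     # LAN host that receives inbound traffic


class CgnatGateway:
    def __init__(self, shared_public_ip: str, locations):
        self.shared_ip = shared_public_ip
        self.locations = locations
        self._ports = itertools.count(40000)   # constructed public port range
        self._out = {}   # (private_ip, private_port) -> public_port
        self._in = {}    # public_port -> (private_ip, private_port)

    def _location_for(self, ip: str) -> Optional[Location]:
        addr = ipaddress.ip_address(ip)
        for loc in self.locations:
            if addr in ipaddress.ip_network(loc.prefix):
                return loc
        return None

    def egress(self, pkt: Packet) -> Packet:
        """Translate an outbound packet; the result is what the external server sees."""
        loc = self._location_for(pkt.src_ip)
        if loc is None:
            raise ValueError(f"unknown source {pkt.src_ip}")
        if not loc.cloaked:
            # Per-location exception: the site keeps its own fixed public IP.
            return Packet(loc.fixed_public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            pub_port = next(self._ports)
            self._out[key] = pub_port
            self._in[pub_port] = key
        return Packet(self.shared_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an inbound packet; None means it was dropped."""
        if pkt.dst_ip == self.shared_ip:
            mapping = self._in.get(pkt.dst_port)
            if mapping is None:
                return None   # no outbound state for this port: unsolicited, dropped
            priv_ip, priv_port = mapping
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        for loc in self.locations:
            if not loc.cloaked and loc.fixed_public_ip == pkt.dst_ip and loc.published_host:
                # Edge Interceptor style ingress: forward to the final LAN host.
                return Packet(pkt.src_ip, pkt.src_port, loc.published_host, pkt.dst_port)
        return None


def build_demo_gateway() -> CgnatGateway:
    """Constructed topology: one cloaked site, one site publishing a web server."""
    return CgnatGateway("192.0.2.1", [
        Location("hq", "10.10.0.0/16"),
        Location("webhost", "10.20.0.0/16", cloaked=False,
                 fixed_public_ip="198.51.100.5", published_host="10.20.0.8"),
    ])


if __name__ == "__main__":
    gw = build_demo_gateway()
    seen = gw.egress(Packet("10.10.0.5", 51000, "203.0.113.80", 443))
    print("external server sees:", seen)
    print("reply delivered to:", gw.ingress(Packet("203.0.113.80", 443, "192.0.2.1", seen.src_port)))
    print("unsolicited inbound:", gw.ingress(Packet("203.0.113.80", 443, "192.0.2.1", 40001)))
    print("published server receives:", gw.ingress(Packet("203.0.113.80", 50000, "198.51.100.5", 443)))
```

The trade-off the playbook points at is visible in the two `ingress` branches: a cloaked site is reachable only through state created by its own outbound traffic, while the uncloaked site is reachable by anyone who knows its fixed public IP, so the security guidelines applied per fixed IP or FQDN are what stand between the internet and the published host.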

Zero Trust access for private business applications

Private business applications and company data can be secured using a zero trust access model. These applications may be hosted on local servers within the corporate network or deployed in the cloud.

For client devices that are already part of beemNet, zero trust access to private applications is supported even without the beem app.

Implementation approach

Organizations can introduce zero trust access in phases:

  • Start with critical applications: Secure the business-critical services first to reduce the highest risks.
  • Expand gradually: Extend protection to additional applications over time, using the same zero trust framework.
  • Align with business priorities: Ensure migration steps match operational needs and available resources.

This phased approach minimizes disruption, reduces complexity, and ensures that essential business functions are protected from the beginning of the rollout.

Zero Trust access for Software as a Service (SaaS)

Access to your selected SaaS applications can be secured and controlled using zero trust access principles.

An inline cloud access security broker (CASB) enforces policies in real time. With a forward proxy, CASB can apply zero trust access controls both inside and outside beemNet, depending on your deployment choice.

This ensures that only authenticated and authorized users gain access to SaaS applications, with policies applied consistently regardless of location.

Connect and protect local (web) servers

You can securely expose local web servers to the internet when the server’s site is connected to beemNet via a Swisscom broadband connection.

  • Access methods: Local servers can be published using a fixed IP address or dynamic DNS (DynDNS).
  • Security controls: Security guidelines are applied per fixed IP or fully qualified domain name (FQDN).
  • Traffic handling: The Swisscom Centro Business router forwards inbound internet traffic (ingress) to the final host in the LAN using Edge Interceptor functionality.
  • Infrastructure impact: This setup removes the need for a separate on-site firewall, as routing and security enforcement are handled through the router and beem policies.

Network & Traffic Preparation

Before implementing beem Basic Security Edition, you need to prepare your network to support secure connectivity and reliable performance.

Local server access

If you plan to make local (web) servers accessible from the internet:

  • Connectivity: Servers must be connected to beemNet via a Swisscom broadband connection.
  • Publishing methods: Servers can be published using fixed IP addresses or dynamic DNS (DynDNS).
  • Security enforcement: Security guidelines can be defined for each fixed IP or fully qualified domain name (FQDN).
  • Traffic handling: Inbound internet traffic (ingress) is forwarded directly to the LAN host through the built-in Edge Interceptor functionality of the Swisscom Centro Business router.
  • Impact: This setup removes the need for a separate on-premises firewall.

Network preparation tasks

To ensure smooth onboarding and long-term stability:

  • Assess routing policies: Review existing network routing to confirm compatibility with beemNet integration.
  • Bandwidth planning: Validate that sufficient capacity is available to handle encrypted and secured traffic.
  • Integration design: Align IP addressing, DNS, and connectivity patterns with the planned beem Basic configuration.

Proper preparation reduces the risk of disruptions during rollout and ensures that beem Basic services operate with optimal security and performance from the start.

VPN Decommissioning

The migration from traditional VPN solutions to beem Basic Security Edition requires a phased approach to avoid disruption and ensure continuity of access.

Key steps
  • Assessment: Review all existing VPN connections and identify which applications and user groups currently depend on them.
  • Replacement: Gradually transition these connections to zero trust access methods supported by beem Basic.
  • Phased rollout: Replace VPN usage in iterations, validating each phase before moving forward.
  • Decommissioning: Retire legacy VPN infrastructure only after confirming that all affected users have secure, reliable access through beem Basic.

Guidance
  • Conduct the process in stages, not as a single cut-over, to minimize the risk of business disruption.
  • Always ensure that critical applications remain accessible throughout each phase.
  • Document each step so that dependencies and exceptions are fully addressed before the final shutdown.

This approach ensures that VPN decommissioning strengthens security while maintaining uninterrupted business operations.

Firewall Decommissioning

With beem Basic Security Edition, traditional on-premises firewall infrastructure can be retired in a controlled manner, as the platform delivers integrated security functions.

Key steps
  • Documentation: Capture all existing firewall rules, NAT tables, and security policies currently in use.
  • Mapping: Translate these rules into equivalent beem Basic policies within the beem Hub.
  • Testing: Validate that the new policies provide the intended access and protection without introducing gaps.
  • Phased removal: Decommission legacy firewall appliances in stages, only after successful validation at each step.
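The Testing step above is where most firewall migrations fail: a rule that was not carried over silently breaks access, and a rule that was mapped too broadly silently opens it. The following added example (not code from the playbook, and not the beem Hub's policy format, which is not modelled here) shows a differential test: the documented legacy ruleset and its replacement policies are both evaluated over a list of representative flows, and every flow they disagree on is reported as a gap. The rule syntax, sample rules, sample flows and all names are constructed for illustration.

```python
"""Added example, not code from the beem playbook or from the beem Hub.

A differential test for the Documentation / Mapping / Testing steps: the
documented legacy ruleset and the policy set meant to replace it are both
evaluated over representative flows, and every flow the two decide
differently on is reported as a gap, tagged as lost access (allowed before,
denied now) or new exposure (denied before, allowed now). Rule syntax,
sample rules and sample flows are constructed for this example; the beem
Hub policy format is not modelled.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # CIDR
    dst: str         # CIDR
    proto: str       # "tcp", "udp" or "any"
    dport: tuple     # (low, high), inclusive


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport[0] <= flow.dport <= rule.dport[1])


def decide(rules, flow: Flow, default: str = "deny") -> str:
    """First matching rule wins, as ordered firewall rulesets are evaluated."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


def find_gaps(legacy_rules, new_policies, flows):
    """Return (flow, legacy_decision, new_decision, kind) for every disagreement."""
    gaps = []
    for flow in flows:
        old, new = decide(legacy_rules, flow), decide(new_policies, flow)
        if old != new:
            kind = "lost_access" if old == "allow" else "new_exposure"
            gaps.append((flow, old, new, kind))
    return gaps


# Constructed legacy ruleset, as captured in the Documentation step.
LEGACY_RULES = [
    Rule("allow", "10.0.0.0/8", "10.50.0.10/32", "tcp", (443, 443)),    # intranet web
    Rule("allow", "10.0.0.0/8", "10.50.0.11/32", "tcp", (3389, 3389)),  # RDP jump host
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORT),
]

# Constructed replacement policies from the Mapping step. The RDP rule was
# not carried over, and a broader rule for a new server slipped in.
NEW_POLICIES = [
    Rule("allow", "10.0.0.0/8", "10.50.0.10/32", "tcp", (443, 443)),
    Rule("allow", "10.0.0.0/8", "10.50.0.12/32", "tcp", ANY_PORT),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORT),
]

# Constructed representative flows for the Testing step.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "10.50.0.10", "tcp", 443),
    Flow("10.1.2.3", "10.50.0.11", "tcp", 3389),
    Flow("10.1.2.3", "10.50.0.12", "tcp", 22),
    Flow("192.168.9.9", "10.50.0.10", "tcp", 443),
    Flow("10.1.2.3", "10.50.0.10", "udp", 443),
]


if __name__ == "__main__":
    for flow, old, new, kind in find_gaps(LEGACY_RULES, NEW_POLICIES, SAMPLE_FLOWS):
        print(f"{kind}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} legacy={old} new={new}")
```

Run against a flow list drawn from the Application Discovery inventory (one flow per documented application and access path, plus a few that must stay blocked), an empty gap list is the evidence the Phased removal step asks for before a legacy appliance is switched off.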

Integrated security features

The need for standalone firewall devices is reduced because beem Basic Security Edition provides:

  • Deep packet inspection for granular traffic analysis.
  • Advanced threat detection against malicious traffic and intrusion attempts.
  • Centralized policy enforcement across all users and devices.

This approach allows organizations to simplify infrastructure, benefit from unified security management, and still maintain granular control over network access and security posture.

Virtual Desktop Infrastructure (VDI) Decommissioning

Legacy Virtual Desktop Infrastructure (VDI) can be phased out as zero trust access replaces traditional methods of application delivery. This reduces dependency on central VDI environments while enabling secure, device-agnostic access.

Key steps
  1. Inventory: Review all applications currently delivered through VDI and classify them (business-critical vs. non-critical).
  2. Migration: Transition application access to the zero trust model, allowing secure use on managed and unmanaged devices.
  3. Phased reduction: Decommission VDI resources incrementally, validating each stage to ensure that migrated applications perform as expected.
  4. Final retirement: Fully retire the VDI environment only after confirming that all required applications run securely and reliably through beem Basic Security Edition.

Benefits
  • Flexibility: Applications become accessible on a wider range of devices without requiring a VDI session.
  • Security: Zero trust access enforces identity- and context-based controls for every application.
  • Continuity: Stepwise decommissioning avoids business disruption by ensuring every phase is tested and validated before proceeding.

Implementation Approaches with beem Basic

The Building Blocks of beem Basic Security Edition can be combined in different sequences to fit the needs of each organization. This modular approach ensures that migration can be tailored to business priorities, existing infrastructure, and available resources.

This chapter provides example implementation paths. Each path illustrates how the Building Blocks can be arranged to support a specific objective—such as security-first rollout, device management, application visibility, or compliance. The examples also highlight the flexibility of the framework: organizations can follow a recommended sequence or adapt the order of Building Blocks to match their environment and strategy.

Implementation Principles

The following examples illustrate how the Building Blocks of beem Basic Security Edition can be combined into different migration sequences. Each sequence is designed for a specific business situation or priority, such as immediate security, device management, application visibility, or compliance.

The examples are written in clear, non-technical language so that decision-makers, partners, and administrators can understand the options and select the path that best fits their organization.

Examples

Sequence A: Security-First Approach

For businesses prioritizing immediate protection against cyber threats.

This sequence is ideal if you want to keep your devices and data safe from hackers, phishing, or harmful websites as quickly as possible.

Best for: Small businesses or those with remote workers worried about security risks.

  1. Tenant Provisioning
  2. beem app
  3. Internet Access & Endpoint IP Address Cloaking
  4. Zero Trust Access for SaaS
  5. Application Discovery
  6. Connect and Protect Local Servers
  7. VPN Decommissioning

Sequence B: Device-Centric Approach

For businesses with many devices or mobile workers.

This sequence is great if you want to focus on managing and securing devices, like phones and laptops, used by employees working from different locations.

Best for: Businesses with bring-your-own-device (BYOD) policies or employees working remotely.

  1. Tenant Provisioning
  2. beem app
  3. Device Management
  4. beem app Deployment
  5. Internet Access & Endpoint IP Address Cloaking
  6. Private Applications in Cloud (Tunnel)
  7. Firewall Decommissioning

Sequence C: Application-First Approach

For businesses wanting to understand their application landscape before securing it.

This sequence is perfect if you have many apps and want to map them out before making changes, to ensure nothing is missed.

Best for: Businesses with complex application environments needing a clear overview before migration.

  1. Tenant Provisioning
  2. Application Discovery
  3. beem app
  4. Private Applications in Cloud (Tunnel)
  5. SaaS Applications (Inline CASB)
  6. Connect and Protect Local Servers (Edge Interception)
  7. Virtual Desktop Remote (VDR) Decommissioning

Sequence D: Compliance-Driven Approach

For businesses in regulated industries needing thorough documentation.

This sequence is designed for businesses that must follow strict rules (e.g., healthcare or finance) and need to track every step of the migration.

Best for: Businesses in regulated industries needing detailed records and full compliance.

  1. Tenant Provisioning
  2. beem app
  3. Application Discovery
  4. Device Management
  5. Application Discovery
  6. Device Management
  7. Application Security
  8. Internet Access & Endpoint IP Address Cloaking
  9. All Legacy Decommissioning (VPN, Firewall, VDR)

Sequence E: Startup Approach

For new businesses with minimal existing systems.

This sequence is for startups or new businesses starting fresh with few or no existing IT systems, focusing on quick and simple setup.

Best for: New businesses or startups building their IT from scratch.

  1. Tenant Provisioning
  2. beem app
  3. Device Management
  4. Zero Trust Access for SaaS
  5. Internet Access & Endpoint IP Address Cloaking
  6. Private Applications

Sequence G: Hybrid Cloud-First Approach

For businesses relying heavily on cloud apps with some on-premises systems.

This sequence is for businesses using mostly cloud apps (e.g., Salesforce) but with a few on-premises systems, prioritizing cloud security first.

Best for: Businesses with a mix of cloud and on-premises systems, focusing on cloud security first.

  1. Tenant Provisioning
  2. beem app
  3. Zero Trust Access for SaaS
  4. Private Applications in Cloud (Tunnel)
  5. Device Management
  6. Internet Access & Endpoint IP Address Cloaking
  7. Connect and Protect Local Servers
  8. VPN Decommissioning

Sequence H: IoT-Centric Approach

This sequence is perfect for businesses where IoT devices (e.g., GPS trackers in trucks, sensors in factories, or cameras in buildings) are critical, focusing on securing and managing these devices.

Best for: Businesses with many IoT devices, such as logistics companies with GPS trackers, factories with smart machines, or buildings with sensors and cameras.

  1. Tenant Provisioning
  2. Internet Access & Endpoint IP Address Cloaking
  3. Device Management
  4. Application Discovery
  5. Zero Trust Access for SaaS
  6. Connect and Protect Local Servers
  7. Private Applications in Cloud (Tunnel)
  8. Decommissioning Legacy Systems