Mobile Device Management: How to Securely Work Remote

Listen to learn how to work from home securely and about tools and software to manage remote devices.

SecurityMetrics Podcast | 54

"Not long ago, companies didn't allow employees to take their work devices home, or even out of the network. Companies relied on the network security for these devices. In the past few years, we have all been forced to shift and figure out - how do we still keep work secure?"

Mobile device management is a heavy lift. Security teams recognize the risks posed by laptops, tablets, smartphones, and other mobile devices. Because of our increasingly remote working environment and the ongoing challenges posed by the use of personal devices for work, many companies have needed to find other solutions to help them in their security effort.

Founder/CEO of FleetDM Mike McNeil sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to dive into mobile device management best practices.

Listen to learn:

  • How to work from home securely
  • Tools and software to manage remote devices
  • Security solutions for your company

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Mobile Device Management: How to Securely Work Remote

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Today, we're gonna talk about mobile device management.


It's a it's a pretty heavy lift. If you're if you're part of that group that is responsible for keeping mobile devices secure, you're gonna know what I mean. And if you're not familiar with it, it's a pretty interesting topic. Security teams recognize that the risks posed by laptops, tablets, smartphones, and other mobile devices, especially because of our increasingly remote working environment and the ongoing challenges posed by the use of personal devices for work.


Today, I'm happy to be able to talk to Mike McNeil about the state of mobile device management and understand solutions out there that can be used to secure those devices. Mike, tell us a little bit about yourselves. Give us a little intro.


I don't have a bio for you.


Yeah. Yeah. My LinkedIn is not purposely cagey, but, it's a it's a little vague in the description.


I liked it. It was very man of mystery. But you are, the founder and, CEO of Fleet DM?


I am.


And and Fleet DM is a mobile device, management solution.


So, before we even talked about that and and, of course, there are a lot of solutions out there. So I don't want people to feel like, hey, we're only talking about your solution. We're gonna try and keep it high level and keep it focused on how do people keep mobile devices secure.


But but I really like the the solution that you do have. And, I I was really excited to to get to talk to you specifically about it because if anybody's in the development sphere, you probably have heard of Mike. He's the Sails guy, Sails.js, with an a-i, not an a-l-e. Right? So there, there are a lot of, YouTube videos out there that that Mike is in, and I think that you're gonna like to hear from him. So, before we talk about how to keep them secure, a lot of people are probably wondering what are mobile devices? What falls under that category?


Yeah. And so MDM or mobile device management is one of these terms that kind of has evolved a little bit over the years, and and people have gotten this idea of of it as really, like, three main things.


Patching software on usually laptop computers and then, to some degree on on phones, although there's less there's less power there.


The ability to lock down OS config on laptop computers, and the ability to, get laptops drop shipped pre enrolled for those other capabilities, with a program like DEP for Macs or Autopilot for Windows.


Right. And and so people might be saying, well, how is this any different from workstation security? Like, why is there a whole separate category for mobile device management?


Yeah. So, like, looking back at the the history of of where that word came from, you know, it's part of it was phones. And, like, I remember I remember hearing the buzzword, like, enterprise mobility back. I think I worked on my first MDM project was, like, twenty thirteen, and I was working with this, telecommunications company.


And we were actually just building sales demos of, like, iPad apps to, like, show, like, ah, so this is this is how you can control your Wi Fi router from, from, I don't know, another country, and and you can, like, help your kids, turn off and on their Wi Fi on their on their cell phones. So I think the the vision was originally, like, look, laptops and devices are just generally becoming more pick it up and take it with you.


Yeah.


And you can't really rely on, like, the network as much anymore.


Now that said, like, MDM these days and and what I'll mainly focus on because where my expertise is, is is in really, so I'm learning. Right? But it's around the laptop use case.


And Fleet, just to to make, to make this clear, didn't start as a device you know, it's always been a device management company, but, it really wasn't didn't start as a project focused on on laptops at all. It was really focused on on servers, and just any kind of computing device. So so one big difference between, you know, traditional MDM and maybe a a tool like Fleet is that Fleet is really like a a read only visibility tool that is part of your device management strategy. So you still use Fleet with, like, an MDM, like Jamf or Kandji. Mhmm.


But at at least today. But Fleet's gonna give you, like, visibility about, like, what software do I have installed on these computers?


Can I, like, collect telemetry from these computers and send it to my SIEM, for for or my data platform like Snowflake?


And then Fleet's also gonna give you visibility into vulnerabilities.


Like, is there, is there anything in NVD about this piece of software? Is there an ex a known exploited vulnerability on this piece of software, that kind of thing.


And so from my perspective, what I saw, especially in the last two years, was everybody started working from home because people weren't even going into the office. Right? So it used to be, not even that long ago that a lot of organizations didn't allow people to take work, mobile devices, laptops, phones, you know, whatever the whatever computing device they they were had to use. They didn't even let them take them out of the network.


For, I think, the reason that you're talking about, people relied on network security for these devices. And then they're like, well, don't take it off the network because then we lose all this security. Right? Everybody kinda had to shift over the last couple of years and figure out how do we keep that secure.


And it's been it's been, a much heavier lift for some groups than others. Like, it's it's been there are groups that were already ready. They already had remote work, policies and procedures in place. They already had tools in place to let them know what was patched, what was not patched.


And but there are a lot that still don't or that have struggled to get the insight that they needed. And so when your survey came came, across my desk, I thought, this is this is really interesting.


It seems like you're seeing a lot of devices that are that are mobile devices that are that are used outside of the network, like, increasingly. Is that what you're what the the survey showed, what you're seeing on your end?


Yeah. And and we're we mostly focused on on, you know, on the on the laptop use case again just because that that's the part that works best with with osquery, which is kind of the world that I live in mostly, these days.


And but just speaking for speaking for workstations, right, for laptops, if you have a remote workforce, which pretty much everybody has some portion of the workforce remote, like, you're either relying on the VPN for everything, and you're probably having a a harder and harder time of it.


Mhmm.


Or you're you're enabling some kind of, dare I say it, zero trust approach where you're really trying to you know?


Hopefully.


And that's one of the recommendations that you actually give, and we'll get into that in a little bit.


But so you well, how are you seeing as you're talking to organizations, how do you think people are doing with their efforts to secure these laptops? What's the what's the general sense out there of how secure the insight where people are at compared to where they should be with in terms of that security?


Yeah. So so, you know, it's it starts off with with this if we rewind and and we just imagine ourselves in the past where, like, everything's under network security and at least in theory. Right? Yeah. It starts off with that that one team they set up, like, you know, maybe the the marketing team wanted to get security to get them get them access to a new product, but they ended up just kinda, like, rolling it out, and it's just some shadow IT, like, who knows what. Yeah. So everybody's little, you know, moles started popping up all across the organization.


That's not an unusual story either. Like, this is not like a I hear that about that all the time. Somebody wanted to do something that somebody wouldn't let him do, so they set it up themselves.


Yeah. Which, I mean, it's the spirit of, the spirit of it's a hacker spirit. Right? Like, we we we find we find things that need to get done, and we get it done whether, you know, whether that's the the sales gal or or, or the gal working in, you know, the software engineering department.


So, you know, we start off with those kinda little shadow IT things. Actually, I heard a story. A friend of mine worked at a large very large company, and, they had a problem where there was all these, cloud accounts with a with a cloud provider getting set up. And I think it was, like, a two year process that they were still working through, in their procurement department to, like, round up these these different cloud accounts, and and with no end in sight. Right? Like, you know, if if your only choices are negotiate and and also coordinate an enterprise wide agreement Mhmm.


Yeah, that slows things down. And it and it's in at a certain point, if you have people that are empowered and you let people kinda spend company money like it's their own money, at least on a departmental level, eventually, they'll just solve the problem themselves.


So so for from a from a kind of a centralized point of view, enrollment is a problem. How do you get it like, so you're seeing really slow enrollment where people are doing it.


Once once these devices are enrolled, what kind of effectiveness are they in in terms of of getting the information to the teams that that they need to see out of all these devices?


So in terms of enrollment, it can be a challenge. Right? So just the you know, especially software engineers, we, we don't like the idea that, like, there's some opaque code running on our machine monitoring who knows what about our laptops. Mhmm.


And I think a lot of other people in other roles would probably feel the same way if they were thinking about it as much as as engineers, you know, have been trained to think about that.


And so you get you get resistance. Right? And people being like, why do we have to do this? I don't understand.


And you hopefully have a good process in place and you communicate. It's compliance. It's it's, you know, security posture. It's, consistency, making sure that we actually know where the laptops are so we're not just, like, losing them all the time or or trying to, like, send two copies of the same laptop to somebody.


But that's that's all really intangible. And especially in these huge organizations, it can be, even in a thousand person organization, that's still a lot of folks and a lot of feedback to kind of manage.


Yeah.


So so we there's actually a really cool project, from, I think, Shopify. And they they did, this is back when Jamf was called Casper.


And they they built this, this Rails app. Right? They would just sit there, and it would actually give every employee of Shopify the ability to see what is being monitored about me and, like, what are all the queries that have been running on my computer.


Oh, interesting.


And I forget the exact number, but they cranked enrollment significantly.


I think they went from, like, fifty percent enrollment to something like a Just because people understood what was being seen and and the the visibility rather than than a big old, hey.


You have to do this, and I and I'm not telling you why or what we're taking.


Right. Right.


So so that that's, that's really interesting. So, I mentioned the survey, but I didn't tell people. You can find it on your website. It's on, fleetdm.com. And when I went to go find it, it's just a link at the top of the page, and you just click on it, and you can see it's it's a really comprehensive survey for people who wanna kind of dig more into it and see what's actually going on. And there's a ton of of useful information, interesting information, but the part that I thought was the coolest was you have to just keep scrolling and scrolling because at the very end, you give recommendations.


And these recommendations, I thought, were actually the gold of of the I don't even know how closely they relate to the survey. I don't care. I thought they were really good recommendations on on managing, on MDM, you know, topics. And and like you said earlier, zero trust.


We had, last season, we had, Jeffrey Sanders come on. He's from CERT at Carnegie Mellon, and he talked about the basics of of zero trust, the zero trust principles. But from a high level, how does zero trust like you said, you know, we're not on the network anymore. So how does that relate, and how does zero trust apply to MDM?


So so when it comes to, you know, zero trust, a lot when people hear that word these days in a conversation, I think usually they're thinking of, how can we take, like, the basics that we've already nailed down? Right? Like, we have some kind of SSO.


We have some such program password issues. We have some kind of, like, 2FA probably, at least on most of our apps to to and, ideally, it's like a YubiKey. We're not usually there yet, but, there's some kind of 2FA there. Right? So assuming the basics are done, I think people are really more interested in, like, device attestation or this BeyondCorp idea from Google, where it's not just who you are or and that you have the credentials to be able to access the to the whatever you're trying to access, but that you we also know, like, what machine you're on, like, what actual device you're on, and that is being used to authenticate you as well.


Right. So not only are you authorized to access information, you're authorized to access it from a specific device. Right? Exactly.


And and that's a piece that that some organizations are starting to really take in stride, and other organizations are kinda probably just hearing about it. You know, as you're listening, if you're like, I've never heard of this. This is new to me. That's totally okay.


So it was basically the things that we're talking about are, can can you log in to something? And if you can log in to something, is there another second factor, two factor authentication or multifactor authentication that's required in order for you to do this. And then, also, can you identify the device and is it allowed to connect? So so there's a lot of, ways that you can kind of confirm that your device is allowed to connect to sensitive information, and that's really what it comes down to her because you don't want just anybody anywhere getting to information.


And if all you have to protect that information is just a username and password, you're just not protecting that information. Right?


Totally. And it's like it's like where, you know, where you are, that part, we we let that constant turn into a variable. Right? Like, you can be in Starbucks now.


You can Yeah.


Maybe be in China now depending on what you're trying to access. And that that ends so it does kinda play a role sometimes. Right? If it's, depending depending on the security restrictions or the compliance restrictions.


But it's also I mean, it's it's also like, hey. Is this a recognized device? But does this recognized device have any vulnerable Chrome extensions?


Do it does it meet our security posture?


Does it, you know, does it have an unencrypted hard disk even? I mean, like, that's unlikely. You know, it's unlikely that you would use that particular mix. But depending on what you're trying to access, it might even vary on a per per app basis what you wanna check.


Right. And it might definitely varies on a a per role basis. You know? What is a person supposed to be doing and how are they supposed to be doing it? Being able to centrally manage that, like you said, and sometimes it's a a security issue, but sometimes it really is a compliance issue. You have to be able to to prove that you're keeping an eye on all the things that you're keeping an eye on when a person has access to to information. So the next one that I thought was was, you made some pretty strong statements about Linux.


Like, if they're using Linux, tell me about that.


Yeah. So, I mean, in terms of visibility on Linux, osquery is actually really good. So the the good news is there's, like, a free open source, utility out there. This this been around since, what, twenty fifteen, gotten really stable. And if you have your instrumentation set up to be able to use that data, which you can with Fleet, by the way, then then you're in great shape on the visibility side.


Not a super common, solution. We know, like, organizations like Comcast, Erin Palmer there has a great video where she talks about kinda what, what challenges they've had with Linux visibility and how they ended up solving it, with osquery.


But in terms of management on Linux, like, being able to, install software, there's not just, like you don't just go buy Jamf and, like, plug that in. Linux is kind of kind of the wild west when it comes to actual workstations.


Right.


But there's always that, like, you know, one, two percent of folks that really wanna use Linux, and a lot of organizations really wanna let them. It's just sometimes they can't because there's not as much power there, in terms of patching and management.


Right. Because, really, what it comes down to is if you can't manage a system, if you can't patch if you don't know its current state and and and ensure that it's actually running against what you want it to run against, then then really it shouldn't be part of the mix. Right? So, alright. The next one recommendation you made was regarding containers. So first of all, how are containers related to device management?


Because we were talking about laptops, but now we're talking about containers.


Help me help me cross that divide.


Yeah. So that's one that, you know, we have a unique perspective at Fleet because we started it, you know, as an open source project for community. It's been around since, like, twenty seventeen or so.


And there are folks, using Fleet for workstations, and there's also folks using Fleet for servers.


And if you're using Fleet for servers, like, maybe you have a bunch of AWS instances, but you might also just have a bunch of, like, containers floating around, and they might be super ephemeral. Right? They may only last for, like, an hour.


Right.


And I think a lot of a lot of practitioners really have have gotten used to relying on the idea to look. It's ephemeral.


I'm gonna trust that it hasn't been modified and that there's no way that it could have been modified from the time it went from image to, like, reified real world Mhmm. Living container.


And there's starting to be, I think, some organizations that are like, that sounds good, but should we check? Yeah. Just to be sure.


So the cool thing about, you know, you know, containers is they have a little OS on there. So anywhere you can run Linux, you can run osquery. So we've seen folks actually enrolling containers as well just to get the visibility on, like, the runtime state, and to make sure that nothing has changed or and also that, like, the image that they expected to deploy actually deployed.


So, really, we're talking about a compute environment, whether it's a laptop, whether it's a container, whether it's a server. A compute environment is something that Fleet wants to take a look at and make sure that it's running in the way that you want it to be running.


Exactly.


This episode is brought to you by SecurityMetrics Shopping Cart Monitor Inspect. It's a revolutionary new product that can help you detect any problems with your shopping cart security, allowing you to effectively improve your ecommerce security. Here's what I know about it. A lot of times people say, well, hey.


I am PCI compliant because I passed my SAQ A. Great. You're missing most of the things that people are actually stealing information from right now. Shopping Cart Monitor was created to actually close those gaps and help you against things like Magecart and other known ecommerce issues.


To learn more about this shopping cart monitor, head to our website www.securitymetrics.com.


Windows. So, most of the time when I go look at, different environments, if they have Windows, they're using group policy. So we we pull up GPO and and review GPO. And and you don't necessarily recommend, group policy as maybe the primary way to manage Windows systems. What what's your viewpoint on that?


So I was actually I was talking to someone the other day that, had come out of the oil and gas world, and he was talking about GPOs. And, like, I mean, part of it is just the connection with traditional network tech. If you're using GPOs, there's a good chance that you're also using other network, level solutions. Yep. And you're liable to to kind of trip over yourself there as you move to, like, remote work and and zero trust.


We're seeing a lot of folks get to that point where they're like, okay. Maybe it's time. You know, we've seen startups, like, later stage startups that are like you know, all of our Macs are, in an MDM, but our Windows devices are still sort of, like, in BigFix and using GPOs.


And it's kinda like the last thing to go.


Microsoft's done a great job with with Intune.


Their MDM and and Defender have heard great things about as well. Yeah. So there really are there's options out there, to make the switch. The trouble with that is once you end up with two different MDMs, one for Mac and one for Windows and a different ad hoc solution for Linux.


Now you got a security team trying to pull data from, like, three different systems Mhmm.


Just to get baseline visibility into into your fleet of workstations.


It feels like you almost have to add headcount in order to manage these different environments with different views into the environment.


And and so just in the real world, that's one of the things that that I challenges that I'm seeing people run into.


But also the the entire so I'm not saying Windows is a bad product. I actually really like Windows.


But I I also see the old kind of philosophy on how you set up and use a Windows environment with the on prem, the the GPO, the network based, all of those things that that rely on maybe nineties thinking are are less and less supportive of how we work today. And so maybe looking at how you pull Windows into a more zero trust, basically, based approach, which I think Fleet really supports, could be more useful to organizations that are trying to streamline or or get a single what's the the word? The single pane of glass into how things are running in their environment. Is that what you're seeing?


Yeah. Totally. It's you know, there's very few organizations that have successfully gone full Mac, you know, for every single thing. At the end of the day, you end up at least with one Windows test laptop for, like, some use case that one of your engineers is working on.


Right.


And even if you're a full Windows environment, it's even more likely that you've probably had some I'll I'll pick on engineers again that wanted Macs or or that wanted a Linux, Linux laptop.


So with that kind of world, there are there are device management solutions that are cross platform out there. You know, VMware has one.


Fleet has one.


And I think they're gonna become more and more common.


A solution JumpCloud is another example, which you can use.


And with Fleet, we're just we're focused on solving that problem as cleanly and simply and in a developer friendly way as possible, and keeping it a hundred percent open source.


So I and I wanna talk a little bit more about open source in a minute. But I first, I wanna touch on APIs.


A lot of organizations, especially if they're not engineer heavy, struggle with how the APIs fit into the the larger scheme of of security and management.


Yeah. So it's it's weird. Is it we're at this spot where there's kind of this changing we have a customer, right, at a at a Fortune one thousand networking company.


And, the team, you know, they they lost a couple of people from their team, and they brought on some new security engineers.


And one of their new security engineers is basically just out of college, computer science graduate, someone who would have been a normal software engineer, right, just working on on apps in the past, and now getting slotted right into security.


College is teaching more security, content, right, in the curriculum.


And and these folks are coming in with a lot more coding skills than, and they're a lot more, like, kind of developers than security people, you know, stereotypically were in the past.


So suddenly, you've got you've got people that, they got a lot of energy. They've got a lot of coding skills, and they're starting to look around at these kind of stuffy old vendor apps out there, and they're kinda wondering, like, maybe we just, like, build it ourselves or, like, hook on top of something open source. And then if we need to if we need to, like, get more data, we'll just pull it from the API.


And if we if we wanna, like, set up some alerts, like, maybe we'll just, like, set up some webhooks, or maybe we'll use a little bit of, like, low code or no code, something like Tines to be able to trigger whenever, you know, a relevant event happens and then run some custom logic.


You know, we just had Thomas Kinsella from Tines on on a recent episode. So, very cool that you would you would mention that.


Open source is something that maybe a lot of of my listeners are are not as familiar with. Can you give me a rundown on basically what is open source and why is it cool?


Yeah. So so there was I think I forget the year. Like, the seventies, maybe.


Probably I'm probably going too far back in the past. There was this guy, Stallman, right, who was who was in a computer lab, and and he had, these kinda crappy printers. And he would just sorta, like, keep banging on the printer, and it wouldn't work. And he was, like, a real technical guy, like, in a, you know, big fluffy neck beard. Right?


He's, he's like he's like, how can I fix these printers?


And he looks, and he sees that the software is closed source, and he can't get the software. So he's like, tell you what.


Like, how about I just, like, build everything, that anybody ever wanted as open source and just, like, release it for free, in creative ways?


These printers.


Yeah. Like a lot of things. Right? Like, you get mad at something and it turns into creative energy.


Yes.


So he, anyways, long story short, there's actually I'll I'll give you the the link. There's a video by the one of the guys behind Bootstrap.


His screen name is Fat, create Twitter Bootstrap.


The, you know, the HTML CSS kinda styling layout framework.


For sure.


And he's called, like, what is open source and why am I so guilty? And, he's kinda paraphrased his talk just now. He does a way better job of, like, going through, and he, like, has these hand drawn pictures of Richard Stallman that look really awesome.


We'll we'll put the link in our in the show notes for sure.


Awesome. But, you know, the long long story short, the, the open source movement kinda started as, like, hey. Like, the engineers, like, know how to do things. Like, let's just, like, give people the code so we can just do them and fix them.


And then really started catching on over time, like, not necessarily the GPL so much, because it has some problems if you're trying to commercialize software.


Mhmm.


It's like a viral license. If you include a GPL based dependency, it can force your overarching product to also need to be open source, which not everybody is okay with.


Okay.


But the, you know, free beer and free speech license, open source, so, like, the MIT license, the Apache license, the BSD license, have caught on, like, wildfire in the realm of, of software engineering as a whole because you got all these people who are, like, kinda very similar to the the scenario I described before, the security engineer.


Just in the past, it's like, hey. I need to build a website, and here I am building a form, right, with validations and little error messages for the twentieth time.


Why don't I just, like, copy and paste from some other code that already exists?


Mhmm.


And if you have the entire world doing that, eventually people realize, hey. Let's just, like, put the code on GitHub, and we can all copy and paste together.


That's very cool. Well, it's been really fun talking to you about this today. Any before we we break, any additional device management kinda wisdom you wanna toss at us today or something anything about Fleet or or plans that you have in the future? What do what what how do you wanna close with this?


Yeah. So, I mean, Fleet today and and osquery is is a great solution if you if you need data from your devices, and you wanna collect that data, be able to see what you've got and what you need to do.


In the, you know, in the future, we're we're really interested in in building continuing to build out device management more in Fleet, and and give more functionality beyond just visibility. So if you're interested in working on that or or, if you have this real problem in in your life, in your job, or if you just find it fun, we welcome you as a contributor. There's a spot you can jump to on our website to join the Slack channel.


We also have a, GitHub, of course, so you can pop in and just see all the code. Everything from our handbook and how we do security internally to the docs to even the paid features are all source available in that, single repo.


That sounds really interesting. I'm sure that there are, people who would love to be part of that. And so I appreciate you sharing that with us. And thank you for your time today.


Yeah. Thanks for having me.


Alright. Take care. Thank you for joining us again. I hope you enjoyed it today just as much as I did. Make sure you check out the the meeting notes.


And if you haven't seen all of our episodes, there's some great ones out there, and I would encourage you to go back. We mentioned Thomas Kinsella today. We mentioned Jeffrey Sanders. There are a lot of really fun episodes out there that I think you'll enjoy.


Take care. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms.


See you on the slopes.
