MDM or something else?

I'm a sysadmin of a small business. We have 50-ish employees. Half have PCs; the other half are field employees that don't. I work at the corporate office where the servers reside. We're set up hybrid, meaning I do have Exchange onsite, but only for management since all of our mailboxes are MS-cloud hosted. I sync our local AD with Entra Connect. I only have those in the corporate office domain joined (it's also a .local domain, not a .com). There are 20 of us on the domain at corporate.

When I get a new PC I set up a user account (as company_IT), install all necessary apps for that employee's role manually, and then provide/ship the laptop to the destination (home, office site, etc.). I'll set up the user as a local admin. Most don't abuse their admin privileges, but I'd really like to update/modernize my deployments so that I have a much better option for adding/removing apps and ensuring random apps the company wouldn't approve don't get installed. I'd love to have some form of a whitelist. I'm not sure if an MDM is what I'm looking for, but I'm hopeful someone on here knows how to point me in the right direction :)

ANY thoughts, comments, and/or suggestions are appreciated.

wxfisch

Like many things in IT, there is more than one way to skin this cat, and a lot will depend on how heavy-handed you want/need to be and what your overall risk landscape and appetite are. You can start easy and just take away local admin rights (do your users really need them?). That will prevent the majority of random apps from getting installed. You can also use GPO to manage installed apps if you have a fairly finite number to manage, or you can use something like Intune or SCCM if you want to set up a more complete solution with better reporting and control (essentially the MDM option you talked about). If you really want to go the whole way and don't mind spending significant time and effort configuring and maintaining the solution, you can use AppLocker to define specifically what can run and from where. Be warned though that AppLocker is heavy-handed and a huge PITA to set up and maintain in all but the simplest deployments.

If your concern is setting up the PC initially, look into MDT for imaging so you are deploying a known image with the base software already set up. Depending on how many roles you have, you could create different images for each role as well, but that may not be worth it. With only 50 employees I doubt something like SCCM is worth the cost, but it is made for doing what you are looking for.

You are in a tough spot where the company is small enough that it is hard to justify real enterprise IT solutions due to complexity and cost, but with only one admin (you) it's really time-consuming and difficult to manage things manually. In theory this is what Intune as a Windows MDM is good at, but you will need to adapt to doing things the modern MSFT way to get the most out of it, and you'll want to do some research and planning to make sure you set it up well the first time. In a past life, many moons ago, I was where you are (a company of about 200 in 5 offices, but it was really just me and one other admin at a different office to manage it all). I used PDQ Deploy and PDQ Inventory for app deployment and inventory. It worked pretty well, but it isn't nearly as full-featured as SCCM. The tradeoff was worth it though to not need to manually go install applications at a user's desk.

I would also recommend getting a non-.local domain and joining all of your PCs to it. It makes a lot of solutions just easier to set up and deploy, and gives you more control over PCs when they are all domain joined. A domain name can be fairly cheap (Cloudflare sells them at cost I believe, and most .coms are $12/year unless you want something more in demand). Though presumably you have an email domain at least, and you can use that as your AD domain as well without any issues.
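Before taking away local admin or building a whitelist, it helps to know what is actually out there. The script below is an added example, not code from anyone in this thread: it audits one Windows PC for local Administrators members and installed applications that are not on an approved list. The approved lists, the CORP domain name and the company_IT account are constructed placeholders; swap in your own. It needs PowerShell 5.1 or later and an elevated session, and it only reports; enforcement is what AppLocker or an MDM would add on top.

```powershell
# Added example (not from the thread): audit a Windows PC for
# (1) local Administrators members outside an approved set and
# (2) installed applications outside an approved list.
# Approved lists are constructed placeholders; replace with your own.
# Run elevated in PowerShell 5.1 or later (uses Get-LocalGroupMember).

$ApprovedAdmins = @(
    'Administrator',          # built-in local account
    'CORP\Domain Admins',     # placeholder domain group
    'CORP\company_IT'         # placeholder IT deployment account
)

$ApprovedApps = @(
    'Microsoft 365 Apps for enterprise - en-us',
    'Microsoft Edge',
    'Google Chrome',
    '7-Zip*'                  # wildcards allowed; matched with -like
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    # Name comes back as 'COMPUTER\user' or 'DOMAIN\group'; accept a match
    # on either the full name or the part after the backslash.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $shortName = $_.Name.Split('\')[-1]
        if (($Approved -notcontains $_.Name) -and ($Approved -notcontains $shortName)) {
            $_
        }
    }
}

function Get-InstalledApps {
    # The Uninstall keys list most MSI/EXE-installed software for the
    # 64-bit and 32-bit views. Per-user installs under HKCU are not covered.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Get-UnapprovedApps {
    param([string[]]$Approved = $ApprovedApps)
    Get-InstalledApps | Where-Object {
        $name = $_.DisplayName
        # Keep the app only if no approved pattern matches its DisplayName
        -not ($Approved | Where-Object { $name -like $_ })
    }
}

"== Local Administrators not on the approved list =="
Get-UnapprovedLocalAdmins | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

"== Installed applications not on the approved list =="
Get-UnapprovedApps | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
```

Run it on a few representative laptops first to build a realistic approved list; the first pass on a machine where the user has had local admin for a while is usually where the surprises are. Wrapping the two Get-Unapproved* calls in Invoke-Command against your domain-joined PCs gives you the same report across the office without visiting desks, and a point-in-time audit like this is also a useful sanity check on whatever Intune or GPO policy you end up deploying.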

lurch1989

Take a look at leveraging Intune and AutoPilot. If you've got Business Premium it's included already, and if all your devices are domain joined you're 90% of the way there; it's just some config to set up.

We're a team of 2 supporting approximately 1000 devices this way. Happy to have a chat if needed.

Superduck

I would look to switch to Business Premium, as it is a better value versus E3, but it is limited to 300 licenses max. The most notable loss is that Exchange mailboxes drop to 50 GB versus 100, but it adds a number of enhancements for management and security that may work for an organization your size. To see a really good breakdown of capabilities, check out M365 maps; there are a number of different views to compare MS licensing options, and I find they keep it up to date quite well.

charliebird

Business Premium is a much better value for you in my opinion. It comes with Windows Defender with security telemetry. You can set up an Intune-lite configuration and your management. It's not awesome, but you're already paying for it and it will improve your service and security posture. If you've ever worked anywhere that's been ransomware attacked, it's literally about the worst thing you could ever go through, so you'll definitely want to have the right controls in place to stop that from happening. Don't assume that your business is small enough to fly under the radar, because they go after everyone.