Bill Smith, CIO Advisor | Categories: Executive View, Microsoft, Virtual CIO, work from home

Managing Endpoints in Engineering, Architecture, and Construction Firms

We all know the expression “Time is Money.” This is so true in the Architecture, Engineering, and Construction (AEC) industry and other professional services businesses. If the firm’s engineers, architects, project managers, and other staff aren’t productive, the firm is not making money.

In my 19 years as the CIO of a national AEC firm, my IT team was responsible for managing and supporting a fleet of over 2,000 devices (PCs, iPads, smartphones). Those devices connected from over 30 offices throughout the US, and many from outside the office when used by Surveyors, Construction Inspectors, Construction Managers, Resident Engineers, and Environmental Scientists. When the pandemic hit, most office workers joined our field staff in working remotely.

Making endpoint management more challenging, AEC firms typically must support a wide library of software; at my firm we installed and supported roughly 500 different software titles across the fleet. It was abundantly clear that proactive, effective endpoint management was needed to reduce problems and support load, and to enable our professionals to do their jobs.

Standards First

I have seen and experienced the challenges and frustrations when an organization has disparate hardware and software platforms for its endpoints. The more diverse the platforms, the greater the support burden, consuming significant help desk staff time and adversely impacting project work.

To reduce some of these challenges, we set some goals to improve the reliability and availability of our endpoints:

  • Drastically reduce the number of images used for new machines.
  • Standardize on a specific version of the Microsoft 365 (Office 365) suite so that endpoint users have the same features and experience in SharePoint, OneDrive, and Teams.
  • Update software on a monthly cycle to keep all endpoints consistent and patched.
  • Limit installs of design software to recent versions. Our predominant design software suppliers were Bentley Systems and Autodesk. For older design software versions, IT directed users to a virtual desktop environment (new and old versions did not coexist well on the same machine).
  • Restrict the ability of endpoint users to install software on their machines. Unvetted and unauthorized software creates security risk. Most organizations have an End User Computing Policy stating that the computer is to be used for business purposes and that the end user is not authorized to install unvetted software. IT organizations need to implement technical controls that go beyond the policy. Some controls are:
    • Do not give end users administrator rights on their machines; a standard user cannot install most software or disable endpoint protections.
    • Allow end users to add only allow-listed software vetted by IT (application control such as AppLocker or Windows Defender Application Control, rather than a blocklist of known-bad programs).
    • Create a self-service portal (for example, the Intune Company Portal) through which end users can install sanctioned software.
    • Create an IT-managed Microsoft Store collection to limit the software that users are permitted to download and install.
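The first control above, keeping end users out of the local Administrators group, is easy to state and easy to drift from (a technician grants "temporary" admin rights and never revokes them). The following script is an added example, not code from the original post, written the way an Intune Remediations detection/remediation pair works: exit code 0 means compliant, non-zero means non-compliant. The approved principals (the LAPS-managed built-in account and a `CONTOSO\Workstation Admins` group) are hypothetical placeholders.

```powershell
# Added example (not from the original post): audit and, optionally, remediate
# the local Administrators group. Intended to run as SYSTEM from Intune.
# Approved principals below are hypothetical; substitute your own.
[CmdletBinding()]
param(
    [switch]$Remediate    # omit for a report-only (detection) run
)

$approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in admin, password rotated by LAPS
    'CONTOSO\Workstation Admins'         # hypothetical IT support group
)

# Each member carries Name (DOMAIN\user or COMPUTER\user), ObjectClass and SID.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

$unexpected = @($members | Where-Object { $approved -notcontains $_.Name })

if ($unexpected.Count -eq 0) {
    Write-Output 'Compliant: Administrators contains only approved principals.'
    exit 0
}

foreach ($m in $unexpected) {
    if ($Remediate) {
        # Remove by SID so renamed or unresolvable accounts are still handled.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID -ErrorAction Stop
        Write-Output "Removed $($m.Name) [$($m.ObjectClass)] from Administrators."
    } else {
        Write-Output "Unexpected administrator: $($m.Name) [$($m.ObjectClass)]"
    }
}

# Detection run: non-zero tells Intune to trigger the remediation script.
# Remediation run: every removal succeeded (-ErrorAction Stop), so report success.
if ($Remediate) { exit 0 } else { exit 1 }
```

Two practical caveats: a removed user keeps administrator rights until they next log on, because group membership is baked into the logon token; and on Windows PowerShell 5.1, `Get-LocalGroupMember` fails with a "could not be resolved" error when the group contains an orphaned SID from a deleted account, so clean those up (or fall back to `net localgroup Administrators`) before relying on this in production.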

These actions greatly reduced calls to the help desk and improved endpoint availability, which in turn improved overall user satisfaction. Additionally, IT was able to use the staff hours gained (1 to 2 FTEs) from reduced support to provide more proactive services and innovation.

Keep Endpoint Hardware Current

Some organizations purchase equipment with an approach of running it until it dies. There are downsides to attempting to support hardware beyond a reasonable refresh cycle. Often, new software releases and the latest operating system features require newer hardware to run or to fully function. Supporting older technologies is counterproductive and costly. I recommend that organizations refresh their hardware on a planned cycle, such as every four years. Attempt to standardize on the operating system (e.g., Windows 10 or 11) and manage the endpoints so they are on the same OS version and build. Note that Windows 10 reaches end of support in October 2025, after which it no longer receives security updates, and Windows 11 has hardware requirements (TPM 2.0, a supported CPU) that older machines may not meet, so the refresh cycle and the OS standard have to be planned together.

Asset Management

IT should proactively review and evaluate endpoint assets to plan and manage updates and replacements. For example, IT can control when software updates are pushed to endpoints rather than leaving that decision to the end user. Leaving update timing to the end user creates risk for the organization (unpatched machines stay unpatched for weeks) and causes more support issues. IT should test updates on a limited pilot group before pushing them to everyone, to catch unintended consequences and disruptions, and should have a way to pause the broader rollout if the pilot shows problems.
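The pilot-then-everyone approach maps directly onto Windows Update for Business update rings in Intune: a pilot ring that takes updates the day they are released and a broad ring that waits a week, so the pilot ring absorbs any bad patch first. The script below is an added example, not code from the original post; it creates both rings through Microsoft Graph and assigns each to a group. The group IDs and ring names are hypothetical placeholders, and the deferral and deadline values are choices to tune, not recommendations from the author.

```powershell
# Added example (not from the original post): two Windows Update for Business
# rings created and assigned via Microsoft Graph (Microsoft.Graph.DeviceManagement).
# Group IDs are hypothetical placeholders.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$pilotGroupId = '00000000-0000-0000-0000-000000000001'   # hypothetical: IT + volunteer pilots
$broadGroupId = '00000000-0000-0000-0000-000000000002'   # hypothetical: all workstations

function New-UpdateRing {
    param(
        [string]$Name,
        [int]$QualityDeferDays,    # monthly cumulative (security) updates
        [int]$FeatureDeferDays,    # annual feature updates
        [string]$GroupId
    )

    $body = @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $Name
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        qualityUpdatesDeferralPeriodInDays = $QualityDeferDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferDays
        microsoftUpdateServiceAllowed      = $true    # also patch Office and other Microsoft products
        driversExcluded                    = $false
        deadlineForQualityUpdatesInDays    = 3        # must install within 3 days of the deferral ending
        deadlineGracePeriodInDays          = 2        # then up to 2 days before a forced restart
    }
    $ring = New-MgDeviceManagementDeviceConfiguration -BodyParameter $body

    $assignment = @{
        target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $GroupId
        }
    }
    New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $ring.Id `
        -BodyParameter $assignment | Out-Null
    return $ring
}

# Ring 0 gets patches immediately; Ring 1 waits a week so Ring 0 finds problems first.
New-UpdateRing -Name 'Ring 0 - IT pilot'  -QualityDeferDays 0 -FeatureDeferDays 0  -GroupId $pilotGroupId
New-UpdateRing -Name 'Ring 1 - All staff' -QualityDeferDays 7 -FeatureDeferDays 30 -GroupId $broadGroupId
```

The deferral is what gives the pilot group its head start; the deadline and grace period are what stop a user from postponing a security update indefinitely. If a pilot update turns out to break a design application, the broad ring can be paused in Intune (`qualityUpdatesPaused` on the same configuration object) before its deferral window expires.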

MDM and MAM

Use a product for Mobile Device Management (MDM) and Mobile Application Management (MAM), such as Microsoft Intune. Intune's MDM covers endpoint enrollment, configuration, protection (security baselines and compliance policies), remote wipe, support, and retirement. Windows Autopilot, driven from Intune, handles the initial provisioning of new machines, simplifying and standardizing new employee hardware requisition and onboarding. Because Intune is cloud-hosted, it reaches endpoints wherever they have Internet access, without on-premises management infrastructure and without adding staff.

One of the benefits of utilizing Intune for updating endpoints was that my IT organization could confidently push updates and monitor their success even when employees were working remotely. Prior to migrating to standard images for design software and using Intune to push updates and patches, there were too many one-offs requiring Service Desk manpower. From a user standpoint, this created a backlog, and engineers and staff had downtime waiting for a technician to support them. When the pandemic hit, 90% of our employees were no longer going to the office. Intune enabled IT to continue to perform software updates over the Internet and reach our endpoints. As all companies have experienced, virtual work is here to stay. The days of IT being physically hands-on with endpoints are over; support and management must be done remotely.

Benefits when offboarding

Intune and Microsoft Active Directory (AD) have been wonderful tools for offboarding employees. When an employee leaves, IT can remotely wipe company data from the endpoints, reducing the risk of data leaving with them. With AD (and Azure AD, now Microsoft Entra ID), the departing employee's access can be removed so that the offboarded employee no longer has access to company resources and can no longer log in to their company-issued PC.

Use of these technologies provides great value to supervisors, HR, and IT. For example, when an employee resigns, the offboarding process is fairly standard: the employee gives two weeks' notice and has a specific last day at work. Involuntary departures require immediate termination and offboarding. With Azure AD (Entra ID) identity, access can be removed on a moment's notice, and Intune can be used to remotely wipe company data. Note that disabling the account blocks new sign-ins but does not invalidate access tokens that have already been issued (by default these live for about an hour); revoke the user's sign-in sessions as well so that refresh tokens stop working, and in a hybrid environment disable the on-premises AD account too.
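As an added example (not code from the original post), here is the immediate-termination case as a single PowerShell run against Microsoft Graph and on-premises AD: disable the cloud account, revoke sessions, disable the on-prem account if one exists, then retire personal devices (company data only) and, when asked to, wipe company-owned ones. The same retire/wipe calls are what IT would issue for a lost or stolen phone. The UPN, scopes and `-WipeCorporateDevices` switch are this example's own; the Intune wipe and retire actions are real Graph actions.

```powershell
# Added example (not from the original post): one-shot offboarding. Requires the
# Microsoft.Graph modules and, for the on-prem step, RSAT ActiveDirectory.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. jdoe@contoso.com (hypothetical)
    [switch]$WipeCorporateDevices                        # wipe is destructive; default is retire only
)

Connect-MgGraph -Scopes 'User.ReadWrite.All',
                        'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

# 1. Block new sign-ins, then revoke refresh tokens so existing sessions die
#    at the next access-token refresh rather than living on until expiry.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
Write-Output "Entra ID account disabled and sessions revoked: $UserPrincipalName"

# 2. Hybrid environments: disable the on-premises account as well. Cached domain
#    credentials still allow an offline logon until the PC next talks to a DC,
#    which is one reason the device wipe below matters.
if (Get-Command Disable-ADAccount -ErrorAction SilentlyContinue) {
    Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" | Disable-ADAccount
    Write-Output 'On-premises AD account disabled.'
}

# 3. Every Intune-enrolled device whose primary user is the departing employee.
$devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$UserPrincipalName'"

foreach ($d in $devices) {
    if ($d.ManagedDeviceOwnerType -eq 'company' -and $WipeCorporateDevices) {
        # Full wipe: device returns to out-of-box state and can be re-provisioned
        # with Autopilot for the next hire.
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id `
            -BodyParameter @{ keepEnrollmentData = $false; keepUserData = $false }
        Write-Output "Wipe queued: $($d.DeviceName) ($($d.OperatingSystem), company-owned)"
    } else {
        # Retire: removes company apps, data and the management profile; personal
        # content on a BYOD phone is left alone.
        Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        Write-Output "Retire queued: $($d.DeviceName) ($($d.OperatingSystem), $($d.ManagedDeviceOwnerType))"
    }
}
```

Both wipe and retire are queued and delivered the next time the device checks in. A stolen laptop that is never powered on again, or a phone whose SIM is pulled, will never receive the command, which is why disk encryption (BitLocker, device PIN) and the identity steps in parts 1 and 2 are the controls that actually protect the data in that scenario.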

Tightening up BYODs

We used Intune to enroll and register personal devices and apply policies to employees' phones before allowing them to connect to company resources such as email, Teams, and OneDrive. We required Multi-Factor Authentication for all endpoints unless the device was connected to the company intranet. IT used Conditional Access policies to significantly reduce how often an employee had to authenticate across different workloads.
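The policy described above ("MFA unless you are on the office network") is a standard Conditional Access pattern. The script below is an added example, not the author's configuration: it defines the office egress range as a trusted named location, then creates a policy requiring MFA or an Intune-compliant device for every sign-in that does not come from that location. The IP range (from the documentation block 203.0.113.0/24), the break-glass group ID and the display names are hypothetical.

```powershell
# Added example (not from the original post): trusted office location plus a
# Conditional Access policy created through Microsoft Graph
# (Microsoft.Graph.Identity.SignIns). IDs and IP range are hypothetical.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Emergency-access accounts are excluded so a broken MFA provider cannot lock
# out every administrator. Hypothetical group ID.
$breakGlassGroupId = '00000000-0000-0000-0000-0000000000aa'

$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'HQ and branch office egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

$policy = @{
    displayName = 'Require MFA or compliant device off the corporate network'
    # Report-only first: sign-in logs show what WOULD have been blocked.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        # Applies everywhere except the trusted office location defined above.
        locations      = @{ includeLocations = @('All'); excludeLocations = @($office.Id) }
    }
    grantControls = @{
        operator        = 'OR'                       # either control satisfies the policy
        builtInControls = @('mfa', 'compliantDevice')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The `OR` between `mfa` and `compliantDevice` is what cuts down on prompts: an enrolled, compliant laptop satisfies the policy without an MFA challenge, while an unmanaged BYOD phone gets one. Leave the policy in report-only mode until the sign-in logs confirm it catches what you expect, then flip `state` to `enabled`. Be aware of the trade-off in trusting the office network at all: anyone who gets onto that LAN, including a contractor's laptop, inherits the MFA exemption, so an `AND` operator (compliant device and MFA) with no location exclusion is the stricter configuration.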

Intune gave IT visibility into these personal endpoints. IT can monitor whether the employee has been applying required OS updates to their device. Earlier I commented on hardware standards for PCs; the same is true for smartphones and iPads. When the hardware gets older, the devices are no longer eligible for OS updates and patches, and a compliance policy that requires a minimum OS version will flag them. Intune makes IT aware when devices are outdated, allowing us to contact the employee to discuss the need to upgrade.

A critical security benefit of using Intune for MDM was that if an employee's phone was lost, stolen, or compromised, IT could remove the device from management and block it from company resources. If required, IT could remotely wipe the business content on the phone (a selective wipe that leaves personal data in place).

Conclusion

Standardizing the organization's endpoints, their hardware and software, and their endpoint management platform will ensure a stable and consistent platform on which to work. It will also minimize disruption caused by self-inflicted support issues. In a professional services organization, downtime is costly. IT can and must lead and take a proactive role to maximize uptime and availability of company resources. My firm found Intune to be the right tool to do so.
