Promisec Endpoint Manager: So we gotta cope with BYOD... Help!

Don't shy away from grappling your users' wonky endpoints


Review The explosion of internet-connected gadgets, sensors and other devices that underpins the "internet of things" concept makes my head hurt.

When combined with the completely new security model presented by IPv6, BYOD and cloud computing, automation of endpoint management is rapidly becoming non-optional.

I've started taking a look at some of the vendors in this space and Promisec Endpoint Manager (PEM) has jumped out at me as an interesting case.

Earlier this year I looked at over 100 endpoint management companies and then bashed together a quick overview of what the space looked like. There was not nearly enough space (or time) to report on them all, but the crux of the issue shone through: there's an endpoint management company for just about any combination or configuration of endpoints you could possibly want.

In my experience, most endpoint management companies are obsessed with getting as many different OSes as possible integrated into their application. Promisec differs in that it is not busy spamming OS support for everything under the sun - it supports Windows and Unix/Linux.

Promisec's approach to mobile devices is to identify them for you and say: "this widget is Android, this one is iOS." From there you can manage it with your preferred application for that device type. Promisec is content to take it a little slower and try to get everything right with one OS at a time before adding support for more.

How to judge this? On the one hand, Promisec comes out looking to some like a company that isn't keeping up with the rest of the industry. On the other, the majority of the endpoint management industry flails around like headless chickens spewing buzzwords but failing to inspire confidence.

Managing endpoints is big business, in no small part because your network is done for if you screw it up. Given this, I respect the company that chooses to do one thing well rather than try to be all things to all people.

How PEM works

To make the thing go, the system installs a "sentry" at one of your sites. It can be installed on any Windows system (including virtual machines). The sentry gathers info and acts on what it discovers. This approach – called by various names such as agent, sentry or observer, depending on the company involved – is pretty typical of the endpoint management space; the biggest caveat is that you need one sentry per subnet.

This means that there is nothing installed onto the endpoint you're going to manage. It scans your network using a variety of protocols in a manner that reminds me of LANguard sweeps, although Promisec is continuous and uses a different inspection methodology.

PEM manages more than just the OS; it also uses multiple APIs to scan for apps and it performs Network Access Protection (NAP)-like checks on the devices it uncovers. Is the OS joined to the domain? Is a given patch/app installed? Is a required service up? Make it so!

There is a white-list baseline service. Point the application at a "known good" system and pull a list of startup items, running processes, services, apps, etc. From there you can use that baseline to hunt non-compliant items on the network and kill them. Part of this is a Secunia-PSI-like update tracker that finds updates for third-party apps (such as Java) and gets them updated.
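The NAP-like checks above (is the OS domain-joined, is a patch installed, is a required service up) and the white-list baseline hunt are, at bottom, set comparisons between a known-good inventory and what the sentry sees on each host. The Python below is an added example, not Promisec's code: it builds a baseline from a constructed known-good host, checks two constructed scanned hosts against it, and tags every finding with the action a "right click remediation" would carry out. The hostnames, service and process names, patch IDs and the inventory layout are all made up for illustration.

```python
"""White-list baseline check of the kind the review describes: take a
"known good" host's inventory as the allow-list, add the items that must
be present (domain join, services, patches), then compare every scanned
host against it and attach a suggested remediation to each finding.
Added example, not Promisec's code; hostnames, service and process names,
patch IDs and the inventory layout are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Inventory:
    """What a scan collected from one host (constructed layout)."""
    hostname: str
    domain_joined: bool
    running_services: Set[str]
    running_processes: Set[str]
    startup_items: Set[str]
    installed_patches: Set[str]


@dataclass
class Baseline:
    """Allow-list from the known-good host plus what must be present."""
    allowed_processes: Set[str]
    allowed_startup_items: Set[str]
    required_services: Set[str]
    required_patches: Set[str]
    require_domain_join: bool = True


@dataclass
class Finding:
    host: str
    category: str     # e.g. "unexpected_process", "missing_patch"
    item: str
    remediation: str  # what a "right click remediation" would carry out


def baseline_from_known_good(known_good: Inventory, required_services: Set[str],
                             required_patches: Set[str]) -> Baseline:
    """Turn a known-good host's inventory into the allow-list baseline."""
    return Baseline(set(known_good.running_processes), set(known_good.startup_items),
                    set(required_services), set(required_patches))


def check_host(inv: Inventory, base: Baseline) -> List[Finding]:
    """Compare one host against the baseline; an empty list means compliant."""
    findings: List[Finding] = []

    def hit(category: str, item: str, fix: str) -> None:
        findings.append(Finding(inv.hostname, category, item, fix))

    if base.require_domain_join and not inv.domain_joined:
        hit("not_domain_joined", inv.hostname, "join host to the domain")
    for svc in sorted(base.required_services - inv.running_services):
        hit("required_service_down", svc, f"start service {svc}")
    for patch in sorted(base.required_patches - inv.installed_patches):
        hit("missing_patch", patch, f"install {patch}")
    for proc in sorted(inv.running_processes - base.allowed_processes):
        hit("unexpected_process", proc, f"stop {proc} and investigate its origin")
    for item in sorted(inv.startup_items - base.allowed_startup_items):
        hit("unexpected_startup_item", item, f"remove startup entry {item}")
    return findings


def run_scan(hosts: List[Inventory], base: Baseline) -> Dict[str, List[Finding]]:
    """Check every host a sentry found, keyed by hostname."""
    return {h.hostname: check_host(h, base) for h in hosts}


# Constructed sample data: one clean host and one that has drifted.
KNOWN_GOOD = Inventory("gold-image", True,
                       {"wuauserv", "WinDefend", "EventLog"},
                       {"explorer.exe", "svchost.exe", "MsMpEng.exe"},
                       {"SecurityHealth"},
                       {"KB-EXAMPLE-001", "KB-EXAMPLE-002"})
BASELINE = baseline_from_known_good(KNOWN_GOOD,
                                    required_services={"WinDefend", "EventLog"},
                                    required_patches={"KB-EXAMPLE-001", "KB-EXAMPLE-002"})
SCANNED = [
    Inventory("ws-01", True, {"wuauserv", "WinDefend", "EventLog"},
              {"explorer.exe", "svchost.exe", "MsMpEng.exe"},
              {"SecurityHealth"}, {"KB-EXAMPLE-001", "KB-EXAMPLE-002"}),
    Inventory("ws-02", False,                                   # off the domain
              {"wuauserv", "EventLog"},                         # WinDefend not running
              {"explorer.exe", "svchost.exe", "unknown.exe"},   # not on the allow-list
              {"SecurityHealth", "updater.vbs"},                # extra startup entry
              {"KB-EXAMPLE-001"}),                              # one patch missing
]

if __name__ == "__main__":
    for host, findings in run_scan(SCANNED, BASELINE).items():
        print(host, "compliant" if not findings else f"{len(findings)} finding(s)")
        for fd in findings:
            print(f"  [{fd.category}] {fd.item}: {fd.remediation}")
```

Running it lists ws-01 as compliant and gives ws-02 five findings, one per check. The point of keeping allow-list and required-item sets separate is that a known-good image tells you what is permitted, not what is mandatory; the required services and patches have to be stated explicitly, which is what a policy scanner supplies in a product like PEM.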

PEM has the ability to lock out unauthorized hardware (USB, CD-ROM, etc.) and otherwise carries the endpoint management items you would expect to see. I am intrigued about how Promisec has combined these abilities together into a policy compliance engine.

PEM has "policy scanners" that check for things like CIS, NIST, PCI compliance and so forth. It will scan GPOs, Active Directory, etc. to make sure it all complies. You simply select a policy that you need to comply with, run the scan and it tells you what you need to fix.

The rah-rah selling feature of the whole thing is "right click remediation." Install the patch, app, start service, and so on, all from a single context menu in the management application. Combine this with the policy scanner idea and I like what's on the table here.

There's a place for this

I use a combined manager for my own network, and my weapon of choice is Mmsoft's PC Monitor. This is good enough for the needs of my three-person company and – most importantly, given my recently validated privacy paranoia – Mmsoft is Irish, not American. Though my current choice of provider is different, I can see a place for Promisec's PEM in the larger networks I manage.

I find myself constantly running into the issue of ignoring the desktops and even my servers. They feel old and comfortable. I know those computers. The operating systems and the applications that run on them fit like an old glove. Comfort leads to contempt and in the IT industry that is very dangerous.

I may well know my operating systems, applications and systems inside and out. The problem is that so does everyone else. The threat model I have to defend against is constantly evolving. My network isn't.

I'm up to my ears in planning for the next generation of server upgrades or trying to figure out what to do about BYOD, mobiles, cloud computing and the rest. In this environment, something like Promisec's PEM is a good thing. It keeps an eye on the old guard for me while I try to figure out what to do about the rest of the stuff out there.

If nothing else, the sheer diversity of endpoint management products is worth debate. What is your take, dear Register readers? Leave your thoughts in the comments. ®

