Mobile device management provider Kandji has launched Device Harmony, a platform that aims to add more security to an MDM system that will benefit both enterprise IT and InfoSec teams.
Kandji's Device Harmony is built on the belief that existing MDM systems don't serve both general IT teams and the InfoSec teams managing security. While IT manages the usability of devices on the network, InfoSec has to monitor and defend against attacks and other security risks on that same network.
With two fairly different aims, the two teams would typically work fairly separately. "But today, IT and InfoSec teams must work together to keep their company and users both secure and productive," according to founder and CEO Adam Pettit. "To win now, these teams need shared data and systems."
Device Harmony connects together a number of tool and feature categories into one bundle: Device Management, Vulnerability Management, Endpoint Detection and Response, Endpoint Visibility, and Endpoint Compliance. Using shared intelligence, automation, and cross-functional workflows, the teams can work together using the same tools and with little in the way of compromise.
"With Device Harmony, these teams can unlock a comprehensive view of every endpoint and create a shared reality between IT and InfoSec, so they can recognize and remediate risks within a single platform, reducing the gap between identifying and addressing issues," continued Pettit.
The founder continued, "Now, IT and InfoSec teams can work together to navigate their fleets and take action, while providing users with the most elegant, Apple-native experience possible while maintaining a strong security posture."
The Vulnerability Management pillar of Device Harmony now provides a full view of vulnerabilities across macOS: descriptions, history, severity, affected software, and the devices on which that software is installed. Teams can then use Kandji to mitigate a vulnerability by upgrading or blocking apps, and by running scripts to uninstall apps.
Rather than running a periodic scan, Kandji uses a lightweight service within the Kandji Agent running on the Mac. Leveraging Apple's Endpoint Security framework, the agent listens for application-related events to work out whether new vulnerabilities have been introduced or patched, with insights provided in real time.
The Endpoint Detection and Response pillar uses the agent to monitor all files and applications on the Mac in real time, providing a detailed view of detected events, threat names and classifications, and other relevant actions to the main system. The agent can then terminate malicious processes and quarantine files.
The approach also uses pre-execution and post-execution methodologies. The former is able to take down "almost all malware variants" and reduces the risk of malware running before security software can stop it. Post-execution detection identifies threats without needing to have seen the malware beforehand, by looking for the actions that malware typically takes while executing.
All of the Device Harmony capabilities are deployed through the Kandji Agent, which is built in Swift. Apple technologies that are available exclusively to MDM solutions are also used to ensure the agent remains installed and running.
The Vulnerability Management and Endpoint Detection and Response arms of Device Harmony are being rolled out to select customers of Kandji, with general availability to all users within a few weeks. Endpoint Visibility and Endpoint Compliance will be previewed to customers in early 2023.
2 Comments
My main problem with many MDM tools is that they often aren't architected securely.
Ask yourself the question, if my MDM provider gets hacked (just like Solarwinds did), what's the worst that could happen?
For many MDM providers, the answer is:
- They can execute arbitrary code on any machine,
- impersonate your CEO,
- install crypto ransom and
- exfiltrate all your data
I wish more MDM providers would offer something along these lines:
- MDM providers should ideally avoid running agents on end-machines, and instead rely on the macOS framework to deliver configuration.
- If you are running an agent, that agent should be bootstrapped with a certificate signed by the organisation, and the private keys shouldn't be available to the MDM provider. Every payload/config push should be signed, and any agent software update should be cross-signed by the organisation and the MDM provider.
- That way, if the MDM provider is hacked, they cannot run arbitrary code and they cannot ship malicious updates.
- Code for any agent should be open-source.
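The signing scheme the commenter proposes (organisation-held key, every config push signed, agent updates cross-signed by both the organisation and the MDM provider) can be shown concretely. The following is an added example written for this page, not Kandji's code or any vendor's protocol; it assumes Ed25519 keys, a SHA-256 digest that binds a domain label and version string to the payload, and hypothetical names such as `TrustRoots`, `VerifyUpdate` and `Scenario`. The point it demonstrates is that an update carrying only the provider's signature, which is all a compromised provider could produce, is rejected by an agent bootstrapped with both public keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustRoots are the public keys baked into the agent at bootstrap.
// The organisation's private key is assumed never to be held by the MDM provider.
type TrustRoots struct {
	Org    ed25519.PublicKey
	Vendor ed25519.PublicKey
}

// SignedUpdate is an agent software update carrying one signature per party.
type SignedUpdate struct {
	Version   string
	Payload   []byte
	VendorSig []byte
	OrgSig    []byte
}

var (
	ErrVendorSig = errors.New("vendor signature invalid")
	ErrOrgSig    = errors.New("organisation countersignature missing or invalid")
)

// digest binds a domain label and a version to the payload so a signature
// over one artifact cannot be replayed as a different artifact or version.
func digest(domain, version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(domain))
	h.Write([]byte{0})
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// VerifyUpdate admits an update only when BOTH parties signed the same digest.
// ed25519.Verify returns false for a missing (zero-length) signature.
func VerifyUpdate(roots TrustRoots, u SignedUpdate) error {
	d := digest("agent-update", u.Version, u.Payload)
	if !ed25519.Verify(roots.Vendor, d, u.VendorSig) {
		return ErrVendorSig
	}
	if !ed25519.Verify(roots.Org, d, u.OrgSig) {
		return ErrOrgSig
	}
	return nil
}

// VerifyConfig admits a configuration push signed by the organisation's key.
func VerifyConfig(roots TrustRoots, profile, sig []byte) bool {
	return ed25519.Verify(roots.Org, digest("config-push", "", profile), sig)
}

// signUpdate models the release pipeline: the vendor signs, the organisation
// countersigns. A nil key models a party that did not (or could not) sign.
func signUpdate(vendorPriv, orgPriv ed25519.PrivateKey, version string, payload []byte) SignedUpdate {
	d := digest("agent-update", version, payload)
	u := SignedUpdate{Version: version, Payload: payload}
	if vendorPriv != nil {
		u.VendorSig = ed25519.Sign(vendorPriv, d)
	}
	if orgPriv != nil {
		u.OrgSig = ed25519.Sign(orgPriv, d)
	}
	return u
}

// Scenario generates fresh keys and reports three verification outcomes:
// a properly cross-signed update, an update only the vendor signed
// (the compromised-provider case), and a cross-signed update altered in transit.
func Scenario() (legit error, vendorOnly error, tampered error) {
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	roots := TrustRoots{Org: orgPub, Vendor: vendorPub}
	payload := []byte("constructed sample agent binary bytes") // constructed sample input

	good := signUpdate(vendorPriv, orgPriv, "2.1.0", payload)
	legit = VerifyUpdate(roots, good)

	rogue := signUpdate(vendorPriv, nil, "2.1.1", []byte("constructed vendor-only build"))
	vendorOnly = VerifyUpdate(roots, rogue)

	altered := good
	altered.Payload = append([]byte{}, payload...)
	altered.Payload[0] ^= 0xff // flip one byte after both signatures were made
	tampered = VerifyUpdate(roots, altered)
	return
}

func main() {
	legit, vendorOnly, tampered := Scenario()
	fmt.Println("cross-signed update:", legit)
	fmt.Println("vendor-only update: ", vendorOnly)
	fmt.Println("tampered update:    ", tampered)
}
```

The order of checks matters little for security, but the domain label in `digest` does: without it, a valid signature over a configuration profile could be presented to the agent as an update payload of the same bytes. In a real deployment the organisation's public key would be pinned at enrollment and rotated through an update that is itself cross-signed by the outgoing key.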