- Manage BitLocker centrally with AppTec360 EMM - Thu, Feb 9 2023
In addition to standard endpoint management features, such as inventory, software distribution, and patch management, EMM software also addresses the growing need to secure endpoints against various threats.
Drive encryption is a standard feature on Windows PCs, especially since BitLocker is included in every edition of Windows except Home. BitLocker prevents data theft and ensures that attackers cannot hack the local admin account, even if they have physical access to the device.
Central BitLocker management via MDM
BitLocker can be managed centrally via group policies, but the onboard tools do not offer any reporting from which you can see the BitLocker status of all computers. In addition, there is no convenient management of recovery keys.
Since retiring BitLocker Administration and Monitoring (MBAM), Microsoft only offers Endpoint Manager and Intune for BitLocker management. AppTec fills the gap in user-friendly tools that can also be installed on-prem.
AppTec360 recognizes all BitLocker options and enables granular configuration of encryption settings
AppTec360 completely replaces group policies and uses the Windows MDM interfaces for BitLocker management. This applies to activating encryption, configuring authentication for computers with or without TPM, or whether only the storage space used or the whole drive should be encrypted.
Simple onboarding
As an MDM tool, AppTec360 manages both mobile and desktop endpoints via a common web console. To register Windows PCs for management and encrypt them with BitLocker, users must first be onboarded to the system with their devices.
To do so, the admin can either create users manually, import them via a CSV file in multi-enrollment, or connect the EMM service to Active Directory via an LDAP connector to import users and device data from there.
Users then receive a request to register their device via email or SMS. All they have to do is enter the credentials in the Windows settings under Add or Remove Provisioning Package. The AppTec360 software takes care of the rest and allows central management of each registered device from then on.
AppTec360s MDM software manages smartphones as well as Windows PCs and Mac OS devices
Roll out BitLocker with AppTec360
The administrator defines the BitLocker settings in the Security Management section, either via a group profile or in the settings of an individual device. In doing so, he now has the option of running unattended encryption (silent encryption) on the device.
AppTec360 EMM supports bulk activation of BitLocker encryption thanks to silent encryption
This allows BitLocker to be rolled out without local intervention on a PC, making it faster and easier to prepare a larger number of PCs. For unattended encryption of fixed drives, the recovery key and recovery password must be enabled.
The AppTec360 console provides information about encryption progress. If problems occur, a detailed device log supports troubleshooting with a complete log of all transmitted commands and the feedback received from the Windows PC.
The integrated reporting tool has been expanded to include a BitLocker section that provides an overview of the encryption status of all managed Windows PCs.
The report provides information about the encryption status of all managed Windows PCs
Key management
AppTec360 protects the operating system drive with automatically generated credentials. If a TPM is available on the device, a TPM PIN is used; otherwise, a password of at least 6 characters is used. It is sent to the email address that is stored for the device.
If this PIN is lost, the user can no longer boot the computer. In this case, only the recovery key generated during setup can unlock the device. Companies are therefore well advised to store the recovery key in a central location where it is protected against unauthorized access. Microsoft provides, among other options, Active Directory as storage for this purpose.
With AppTec360, the administrator can optionally use the EMM's automatic key management. If required, he can retrieve the recovery password for the respective endpoint at any time, for example, to pass it on to the user or the helpdesk.
An additional option can ensure that the password is regenerated the next time the user contacts the AppTec360 server after recovery.
The AppTec360 software manages the BitLocker keys centrally and allows both retrieval and regeneration of the recovery passwords
Using the EMM web console, admins can configure additional options provided by BitLocker itself. They can restrict the BitLocker activation to PCs connected to the domain and require that the BitLocker recovery information be successfully stored in the AD DS.
The audit log that is automatically maintained for each device allows sysops to trace all steps taken for encryption.
The communication of the EMM server with the managed end devices is recorded in detail
Price and availability
AppTec360 users can choose between an EMM installation set up on-premises and a cloud service.
While SaaS use only requires registration to start managing devices, a private instance first requires importing the virtual appliance delivered in OVF format on a supported hypervisor (VMware ESXi, Hyper-V, VirtualBox, or Citrix XenServer).
The free license for up to 25 endpoints is particularly interesting for smaller companies. It offers the full range of functions, is unlimited in time, and can be downloaded as an on-premise package from the manufacturer's website. Its entitlement to support is limited to 30 days.
AppTec360 will charge $1.24 USD for every additional device per month for on-prem. The BitLocker features are included. There are additional charges for the use of add-ons such as Universal Gateway, ContentBox, and Custom Launcher, as well as support.
Device management in the cloud costs $0.61 USD per device and month for a minimum term of 24 months.
Conclusion
The EMM software from AppTec360 impresses with a wide range of features. The installation is fast and straightforward, and the system is easy to use via a web console. Unlike Intune, you can also host the system on-prem, and it does not require Windows PCs to be joined to Azure Active Directory.
Especially for SMBs, the support for a wide variety of devices, from smartphones to Macs and Windows PCs, should be appealing. It simplifies the task of ensuring end-to-end security and compliance in heterogeneous endpoint environments.
Subscribe to 4sysops newsletter!
The price for the management solution also compares favorably in the market, especially since encryption with BitLocker does not generate any additional costs.
