Thursday, 19 November 2015

Secunia CSI is a Microsoft Preferred Solution

Back to Secunia menu

The advantages of SCCM-integrated vulnerability security

In the corporate setting, there’s a good chance you’re already using Microsoft System Centre Configuration Manager (SCCM). It’s possibly the most comprehensive, mature, and efficient way to manage all the systems across your network. And, for many administrators, it’s the nucleus of the entire IT workflow. So, when it comes to taking care of application vulnerabilities, it makes sense to look for a solution that plays nicely with SCCM – a solution like Secunia CSI.

Secunia CSI is an integrated platform that can leverage all the useful data that SCCM offers as standard, while introducing new functionality tailored to the fight against application vulnerabilities. And – most importantly of all – it can keep workflows efficient and streamlined, with first and third party patching all working the same way.

SCCM helps you see your software inventory

The first stage of proactive vulnerability security is finding out what’s happening on your network. As well as your Microsoft applications, you need to take stock of every third party application, from tools you use every day to those unexpected installations on client nodes. With its inventory collection features, SCCM does a remarkably good job of discovering all the drivers and executables that indicate the presence of an application.

But Secunia CSI takes things further. This software inventory data is then compared against Secunia’s own remote database backend. Here, the headers of files across your infrastructure are compared against thousands of known applications – helping to give you a clear view of their nature and what they do.

As a result, your inventory can be compared against Secunia’s repository of known vulnerabilities.

SCCM helps you deploy and verify patches

Once an application vulnerability has been uncovered, you need to find a quick, efficient way to deploy a patch. Microsoft SCCM and Windows Server Update Services (WSUS) already do an excellent job of packaging and deploying patches for Microsoft applications.
That’s why Secunia CSI uses the same technology through its own packaging tool. By creating custom packages, you can deploy fixes in record time, remediating known vulnerabilities before they can be exploited. What’s more, Secunia CSI then uses SCCM to rescan updated applications, ensuring that patches are applied correctly.

SCCM is what you already know

Secunia CSI’s SCCM integration gives you a high quality, high performance solution, with all your updates and patches in one place – regardless of whether they’re first or third party.

But it gives you something even better. Because CSI is integrated with SCCM, you can handle most of your application vulnerability workflow from an interface you already use every day. No complicated new packaging workflow to learn. No starting from scratch with your software inventory.

Just the same old SCCM. With stunning new capabilities.

Secunia is Microsoft’s preferred partner

In the growth of Secunia CSI, the company made a smart choice to focus on integration with Microsoft’s platforms. Today, it’s the most fully-integrated vulnerability solution on the market – and Secunia is recognised by Microsoft for what it brings to the security space.

Secunia was the first Microsoft Security Alliance Partner for vulnerabilities, and remains Microsoft’s only recommended solution for third-party patching. The team works closely with Microsoft stakeholders to continually refine, develop, and improve the integration, looking for new ways to deliver the most convenient and complete vulnerability system.

Secunia and Microsoft work together. So CSI and SCCM can do the same.

Tuesday, 17 November 2015

Intune Mobile Application Management without enrollment

EMS Landing page

Microsoft made a big announcement today regarding the direction of Mobile Application Management. They were conscious of the fact that users may not want to enrol their devices for Intune management in a BYO scenario and this prevented the use of MAM.

A new feature will be released as part of the November service update to Intune. We will now be able to apply MAM policies without the devices actually being enrolled in Intune. An Intune subscription is still required but the apps will be managed - not the device. As part of this month’s service update, Microsoft Word, Excel, PowerPoint, and OneDrive will support Intune MAM without enrollment. Support for Outlook is coming soon.

You can read the full announcement (which also discusses other new features) on the Microsoft Intune Team Blog

Monday, 16 November 2015

Microsoft Intune - renew Apple APN certificate

EMS Landing page

Anyone who has worked with Intune will know that an Apple APN certificate is required in order to manage iOS devices. This is an Apple requirement. So what is this APN? The Apple Push Notification Service (APN) is a service created by Apple. It forwards notifications from 3rd party applications to Apple devices - and it requires an Apple certificate (which is free, of course).

It's pretty straightforward to generate and apply this certificate. I've previously blogged about that here. That example describes the process in a hybrid environment of ConfigMgr and Intune. The big drawback of this process is that you can only generate a certificate which lasts for one year. Then it must be renewed. It is vital that the certificate is renewed before it expires. Otherwise you will have to re-enrol ALL your iOS devices. You do the Maths on that one.

It's vital that you set up an alert to warn you that the certificate is about to expire.

This is an example of the alert in standalone Intune. It's the same idea in hybrid.

Here we can see the details of the alert. Click on "iOS Mobile Device Management" to take you to the section where you can fix this.

We can see exactly when the certificate will expire. Click on "Enable the iOS Platform".

Select "Download the APNs Certificate Request" to generate a CSR.

Save the CSR locally.

Now select "Apple Push Certificates portal" and log in with your Apple ID. See the existing certificate and the expiry date. Click to Renew the certificate (it's better not to use IE for this process - other browsers are more reliable here).

Browse to your CSR and select Upload

If you are using IE you will see this almost immediately.. This is the wrong file format and you do not need it. Cancel and refresh the browser.

You will see your new certificate. Select "Download".

See the correct file extension (.pem).

Save the certificate.

Now back to the Intune portal. Select "Upload the APN certificate"

Browse to the certificate and enter your Apple ID.

All is now OK in the console.

The process for renewing the Apple APN certificate in a hybrid environment is almost identical.


Until next time.