IT Guide

Understanding Endpoint Management For Small Business


In this guide to understanding endpoint management for small business and growing companies, we will cover the basics of why you need endpoint management for your small business, some common scenarios and their consequences, and how you can keep your IT risk and costs lower by applying best practices such as endpoint management.

We will be talking about Microsoft security tools including InTune, AutoPilot and EndPoint Management. Microsoft’s engineers have devoted thousands of hours of development time to create IT security tools and solutions for small and medium business that SMBs could not create on their own. The price point and the value they provide make them an easy choice.

In this guide we will cover:

  • Why you should never buy your business computers from a big box store.
  • Why you should control which computers are allowed to access your company files – and how to do that.
  • How to reduce your initial and ongoing IT costs and risks by making all your computers similar, and by having standard processes for setting up a new employee with a computer and for handling employee departures and access to email, accounts, etc.
  • How to reduce risk and maintain productive workdays with continuous computer management.

You can scroll to read the full piece or jump ahead to a section of interest by clicking on a link below.

Computer Deployment - Mass deployment of remote computers, built to your specs and secured from the first unboxing.

Conditional Access - Create policies that specify only approved and managed computers are permitted access to your cloud data in Sharepoint/Onedrive/Exchange or even third party storage like Google Drive Enterprise.

Configuration Management - Automatically ship computers with all the necessary configuration elements built in: software installed, email accounts pre-configured, VPN settings, Windows preferences and restrictions, etc. It also means that if a computer is infected or compromised, it can be reset and will automatically receive the same settings again.

Asset Management - Inspect which computers in your fleet are 'checking in' properly, and which devices may not be properly checking in or may be misconfigured, permanently offline, retired, problematic, etc.

Computer Deployment – Why You Should Never Buy Your Business Computers From A Big Box Store

And how InTune can help you achieve platform consistency.


Here is how it often plays out in a small business scenario: Your company has a handful or more of staff and has been growing steadily. You've either gone to Staples/Best-Buy or the Apple store for every new hire and picked up a computer for the new person a few days before they start. You hand it to them on their first day, along with their email address and password and supply them with the boot-camp training you think they'll need, then send them on their way.

What's wrong with that approach, you ask? It's worked for you since you started the company... why can't that continue? I mean, avoiding policies and red tape is probably why you didn't gel with corporate life in the first place. It's probably why you started your own business, right?

The answer is simple. It is costing you more money, and exposing you to more risk, to purchase a less expensive off-the-shelf computer than to purchase the right technology up front. Here's why and what to do about it.

You Need Windows Professional For Business

Retail computers, most often, are running Windows 10 Home edition. This is a problem because Home Edition lacks features necessary for networking with a server or applying IT security policies such as Identity Management and BitLocker encryption. This means that to use those security features or to connect that computer to a server, you'll need to pay for an upgrade to Windows 10 Pro right off the bat. This can add $200-$400 in licenses and labour to the new computer right away.

Retail computers are always bundled with extra software installed (colloquially called crapware in IT circles). This means that your IT company needs to remove all that extra bloatware either initially or down the road when it is found to be buggy, not updated, and having security flaws without available security patches. This can add $100-$300 upfront or more likely, $300-$500 over the life of the computer.

When you buy retail, computer configurations are never the same if purchased more than a few months apart. Each system has its own quirks, problems, known issues, and unknown issues. To keep your IT support costs down, you want to limit the number of configurations your IT company supports for you. The more configurations you have, the more your IT people will need to troubleshoot and maintain many different sets of quirks, problems, known issues and unknown issues. This takes more time and costs more money. You can save time and money by sticking to one configuration. All problems across your computers will be better documented and fixed faster, and your team will be more efficient and productive when they can get back to work faster.

Finally, there is your privacy to consider. Many manufacturers have made headlines for violating privacy and selling data exploited in bundled software and crapware that comes pre-installed on machines. These bundling partnerships often mean hardware manufacturers agree to bundle a software manufacturer's product at a discount to “add value” to the consumer. End users think it’s great that they get all this “free stuff” with their new computer, but free always has a price. Often with bundled software, that price is data mining and sharing.

So how can standardization of your devices and Intune from Microsoft help you overcome these challenges and save you money?

You Can Use AutoPilot To Standardize Computer Configurations For Your Business

AutoPilot is a tool to automatically provision a computer based on your specifications when purchased from select vendors. Microsoft has partnered with these vendors to make it easier for SMBs to purchase and ship computers with their desired configuration pre-installed. This means you can buy computers that match your internal IT policies for team members in your office or those working in satellite offices or remotely from home offices. And every computer you buy with your AutoPilot pre-configuration will be standardized to the IT policies you and your IT department or IT provider have set.

By contrast, when you buy off the shelf from a big box store, you pay to fix the common problems we listed above: Windows Home edition needs to be upgraded, crapware needs to be removed, IT policies and settings need to be applied, etc.

So you can see how that retail computer for $800 actually costs more than the standard, pre-configured computer from a select vendor, when you factor in the time and labour required to bring it up to standard before you can safely use it in your business.

With AutoPilot and your IT provider, you can now buy a computer from Dell, Lenovo, HP, ASUS, or whoever your manufacturer of choice is, and during the checkout process, supply them with your AutoPilot ID. Your IT provider can then pre-program and associate that device with its destined user before it ever leaves the supplier's shipping yard. As soon as your employee turns it on and connects it to the internet, it will begin the automated provisioning process your IT provider coded. It will download and install software. It will configure the Windows security settings that your IT team has defined. It will configure Outlook with the recipient's email account and OneDrive to sync files from SharePoint. It will encrypt the hard disk and finally mark the device 'compliant'. Once compliant, it will automatically be granted access to company resources. How much time will this save per deployment? Our estimate is that it saves our customers between $200 and $300 in labour costs per computer.

You can determine ahead of time that the computer has Windows 10 Pro instead of Home edition. This may add a negligible amount to the initial purchase price of the computer but nowhere near the $200-$400 cost for the upgrade license and the labour to do the upgrade after purchase.

When your users encounter an infection or accidentally install malware, the computer can be redeployed with a single click in the admin console. It will then wipe the device and run through that initial deployment operation again. Your users can get back to work within hours instead of the days it may take to ship the laptop to your IT team and for them to ship it back again.
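The compliance gate described above, sketched as an added example (not Microsoft's or the author's code): a device is granted access only if it is managed, runs a business edition of Windows, is encrypted, and has checked in recently. The inventory rows, field names and 30-day check-in threshold are constructed assumptions, not an InTune export format.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory rows; field names are hypothetical, not an InTune schema.
INVENTORY = [
    {"name": "LT-001", "edition": "Pro", "encrypted": True,
     "managed": True, "last_checkin": "2024-05-30T09:12:00+00:00"},
    {"name": "LT-002", "edition": "Home", "encrypted": False,
     "managed": False, "last_checkin": None},   # retail laptop, never enrolled
    {"name": "LT-003", "edition": "Pro", "encrypted": True,
     "managed": True, "last_checkin": "2024-03-02T17:40:00+00:00"},
    {"name": "LT-004", "edition": "Pro", "encrypted": False,
     "managed": True, "last_checkin": "2024-05-31T08:00:00+00:00"},
]

BUSINESS_EDITIONS = {"Pro", "Enterprise"}   # Home lacks the policy features
MAX_CHECKIN_AGE = timedelta(days=30)        # assumed threshold


def evaluate(device, now):
    """Return (compliant, reasons) for one inventory row."""
    reasons = []
    if not device["managed"]:
        reasons.append("not enrolled in management")
    if device["edition"] not in BUSINESS_EDITIONS:
        reasons.append(f"edition {device['edition']} lacks business policy support")
    if not device["encrypted"]:
        reasons.append("disk not encrypted")
    seen = device["last_checkin"]
    if seen is None:
        reasons.append("never checked in")
    elif now - datetime.fromisoformat(seen) > MAX_CHECKIN_AGE:
        reasons.append("stale check-in")
    return (not reasons, reasons)


def access_report(inventory, now):
    """Map device name to 'grant' or 'block: <reasons>'."""
    report = {}
    for device in inventory:
        ok, reasons = evaluate(device, now)
        report[device["name"]] = "grant" if ok else "block: " + "; ".join(reasons)
    return report


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, verdict in access_report(INVENTORY, now).items():
        print(f"{name}: {verdict}")
```

Listing every failed condition per device, rather than stopping at the first, tells the IT provider whether a machine needs a redeploy, an edition upgrade, or is simply offline or retired.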

When you buy directly from Dell or Lenovo the computers are not bundled with all the extraneous software that retail computers are plagued with, thus saving that time your IT team has to spend removing it all. And of course, you get to avoid the potential security and privacy issues that running that software exposes you to.

When you buy from Dell or Lenovo, you stick with the same 'family' of computers and opt for different models within the family. This means that IT has a solid baseline for configuration parameters with only minor variances to account for. This reduces troubleshooting time and expense over the years of servicing your computers.

To summarize:

The lower priced retail computer costs more to use in a business environment, both to setup and to maintain over time. AutoPilot, select vendors and your IT services provider work together to give you business grade build quality and rapid deployment to the field, as well as lower service costs over time.

The truth is, neither you nor your IT support company want the headache of managing multiple configurations. Everything is simpler and more secure when best practices and tight configurations are used.

Now, you might say that buying retail is faster, and you can have the computer in an hour versus waiting a week to get it from Dell. If you already know you are hiring, then you have time to place your order from your select vendor. When it arrives, simply store it in the office. Once you hire and have your candidate's name, your IT provider will make a quick edit to the already configured AutoPilot profile so that the device is properly allocated with the right username. It’s win-win for you.

Conditional Access – Control Which Computers Are Allowed To Access Your Company Data

And how InTune can help you apply policies to your devices.


This section is coming soon. In the meantime, schedule your free consultation to discuss your specific needs, and how TUCU can help.
