Shyam Senthilnathan

October 10 · 3 min read

Endpoint Privilege Management: Filling the gaps in Intune (Part 2)

Intune EPM (now Microsoft Entra) helps organizations manage admin rights in a very basic manner. The following scenarios highlight the areas that Intune doesn't address:

  • Organizations deal with privileged accounts besides the local administrator account. These include domain admin accounts, service accounts, etc., that are commonly used to carry out privileged activity across devices in the infrastructure. Intune and LAPS do not help with managing any privileged account other than the local admin account.
  • Intune only supports endpoint management on Windows 10 and 11 devices and machines running Windows Server 2016 and above. Most companies still use legacy systems and applications that need to be managed.
  • Intune does not discover applications and processes running on endpoints through its agent. This makes it very difficult to define application whitelisting policies, as you need to define the application attributes manually for each application used in the organization. This number could be in the hundreds for mid-sized and large organizations.
  • Microsoft Intune does not have granular application control capabilities or support for privilege management on Mac devices.
  • There are multiple settings and rule policies that you need to configure to enable the EPM client and define what can be elevated. This complicates the overall process of application elevation on endpoints.
  • There is no support for an admin or support staff to approve applications on demand based on a user-specified reason. Self-service admin rights for users turn out to be a major requirement for organizations, and this is currently not supported by Intune EPM.
  • Intune EPM has limited reporting capabilities and no provisions to generate customized reports or automatically send reports to the administrator on a schedule. These reports come in handy for satisfying compliance and audit requirements.

Besides these limitations, the Intune Endpoint Privilege Management module requires an additional license beyond the Microsoft Intune Plan 1 license: either Intune Suite or additional EPM licenses. This turns out to be an expensive affair for organizations with a tight cybersecurity budget.

In its current state, Intune turns out to be a very simple solution and may only cater to companies that don’t have a large IT/security team and are just learning that users don’t need to be running as admin all the time.

It lacks support for many application types used by organizations and for the message customizations that would be vital at an enterprise level. Mature endpoint privilege management solutions better suit organizations that require enterprise capabilities such as comprehensive application controls, customization options and handling of offline scenarios.

Modern EPM solutions fortify endpoint security in SaaS and hybrid environments

Endpoint Privilege Management has burgeoned over the years to include several functions that are vital for organizations to holistically manage admin privileges and effectively prevent threats. Dedicated EPM products address the shortfalls of Microsoft Intune and cover security gaps with their comprehensive capabilities.

While the features of third-party EPM solutions vary slightly, the major and most important EPM capabilities are as follows:

  • Local admin rights removal: Making all users in an organization standard users by revoking their admin/root privileges.
  • Application and software discovery: Scanning all endpoints and consolidating a list of every application and software package running on those devices. This then helps in creating and enforcing application control policies.
  • Ability to define centralized control policies: Allowing trusted applications and blocking malicious applications through control policies for both domain and non-domain systems.
  • Approval workflows for elevation: Allowing users to gain elevated access to applications on approval from a designated approver in the organization.
  • Time-restricted elevation of applications: Giving users access to applications within a timeframe; this could be their work hours, or exactly as long as they need to carry out tasks in a specific application.
  • Temporary, monitored full admin rights allocation: Allowing users to gain temporary full administrator rights while auditing all the activity they carry out with elevated privileges.
  • Offline access: Ensuring that the principle of least privilege is maintained even in offline scenarios where the user is disconnected from the company network and needs to elevate and use applications. This comes in handy especially when employees work from home and need restricted access only to the applications they require.

Securden EPM possesses all the major capabilities a modern endpoint privilege manager must have. It allows users in hybrid organizations to seamlessly run the applications and software tools they need without raising dozens of tickets. Whether the organization is fully self-hosted on-premises, hosted completely in the cloud or has a hybrid environment – Securden Endpoint Privilege Manager can cater to its needs.
