Remote Device Management

I need ongoing support for my building control system what can a BAS provider do remotely? Preventative maintenance for Building Automation Systems (BAS) or Building Management Systems (BMS) increasingly leverages remote capabilities, allowing for efficient system monitoring, diagnostics, and updates without the need for on-site presence. Here are some key preventative maintenance tasks that can typically be performed remotely: 1. System Monitoring and Diagnostics Real-Time Monitoring: Utilizing software to continuously monitor system performance and parameters such as temperature, humidity, energy consumption, and system alerts. Trend Analysis: Analyzing data trends to identify potential issues before they become critical, such as increasing energy usage that might indicate equipment failure. 2. Software Updates and Patches Firmware Updates: Remotely updating firmware for controllers, sensors, and other components to ensure the latest security patches and features are in place. Software Upgrades: Applying software updates to improve system performance, add new functionalities, or address known issues. 3. Alarm Management Alarm Configuration and Optimization: Adjusting alarm settings to ensure critical alerts are prioritized and false alarms are minimized. Alarm Response: Quickly addressing system alerts remotely to diagnose and, in some cases, resolve issues without needing to dispatch a technician. 4. Parameter Adjustments Control Setpoints: Remotely adjusting setpoints for temperature, humidity, CO2 levels, etc., based on occupancy patterns or environmental changes. Scheduling: Updating system schedules for HVAC, lighting, and other controlled systems to match building usage, thus optimizing energy consumption. 5. Data Backup and Recovery System Backups: Performing regular backups of system configurations and data to prevent loss in case of a hardware failure or other issues. Recovery Procedures: In case of system failure, remotely restoring system configurations and parameters from backups. 6. Remote Calibration This might be more limited compared to physical calibration but can include adjustments based on known calibration curves or by comparing sensor readings across the system. 7. Energy Management Energy Usage Analysis: Remotely reviewing energy consumption data to identify inefficiencies. Implementing Energy Savings Measures: Adjusting system settings to reduce energy consumption without compromising comfort or safety. These tasks leverage the connectivity and smart capabilities of modern BAS/BMS to maintain optimal performance and reliability. The ability to perform these tasks remotely not only increases the efficiency of maintenance efforts but also significantly reduces the need for physical visits, which can be especially beneficial in large or geographically dispersed properties.

OT Asset Management under NIST 1800-23 >> NIST 1800-23: Energy Sector Asset Management (ESAM) delivers a blueprint for visibility, control, and resilience across electric utilities, oil & gas, and other critical infrastructure sectors. >>> This project addresses the following characteristics of asset management: > Asset Discovery: establishment of a full baseline of physical and logical locations of assets > Asset Identification: capture of asset attributes, such as manufacturer, model, OS, IP addresses, MAC addresses, protocols, patch-level information, and firmware versions > Asset Visibility: continuous identification of newly connected or disconnected devices and IP and serial connections to other devices > Asset Disposition: the level of criticality (high, medium, or low) of a particular asset, its relation to other assets within the OT network, and its communication with other devices > Alerting Capabilities: detection of a deviation from the expected operation of assets >>> A standardized architecture allows organizations to replicate deployments across sites while tailoring to local needs, ensuring both scalability and security. > At each remote site, control systems generate raw ICS data and protocol traffic (Modbus, DNP3, EtherNet/IP), which is collected by local data servers. > These servers act as the secure bridge, encapsulating serial traffic and transmitting structured data through VPN tunnels back to the enterprise. > Once in the enterprise environment, asset management tools aggregate inputs from multiple sites, giving analysts a single source of truth. > Events and asset health indicators are displayed on centralized dashboards, enabling timely detection of anomalies, vulnerabilities, or misconfigurations. > Importantly, remote management is limited only to the data servers, ensuring that core control systems remain shielded from unnecessary exposure. >>> Here’s a 10-point summary of the ESAM reference design asset management system: > Data Collection – Gathers raw packet captures and structured data from OT networks. > Remote Configuration – Allows secure management and policy-driven data ingestion. > Data Aggregation – Centralizes collected data for further processing. > Monitoring – Continuously observes network activity for anomalies. > Discovery – Detects new devices when new IP/MAC addresses appear. > Data Analysis – Normalizes multi-site traffic into one view and establishes baselines of normal behavior. > Device Recognition – Identifies devices via MAC addresses or deep packet inspection (model/serial). > Device Classification – Assigns criticality levels automatically or manually. > Data Visualization – Displays collected and analyzed information in a centralized dashboard. > Alerting & Reporting – Notifies analysts of abnormal events and generates reports, including patch availability. #icssecurity #OTsecurity

Internet traffic from remote devices is one of the most underestimated blind spots in enterprise security. Remote work is now a permanent reality. Employees connect from home networks, coffee shops, hotels, and public Wi-Fi. While secure tunnels like DirectAccess allow access to corporate resources, Internet traffic may still bypass the company network if it is not properly controlled. When this happens, security teams lose visibility. Corporate filtering, inspection, and monitoring policies may no longer apply to remote devices. The good news? Microsoft Intune can help mitigate this risk. By enforcing the right policy through the Intune Settings Catalog, organizations can control how Internet traffic is routed when remote clients connect to the corporate network. Instead of relying on network location or user behavior, traffic control becomes enforced by policy. This ensures that security controls remain active even when users work outside the office. Why This Matters Without proper traffic routing controls, remote access may allow: • Internet traffic to bypass corporate security inspection • Reduced monitoring of remote user activity • Increased exposure when connecting from public networks With Microsoft Intune, organizations can: ✅ Route remote Internet traffic through the corporate network ✅ Maintain visibility and monitoring outside the office ✅ Enforce corporate security filtering policies ✅ Strengthen endpoint and remote access security ✅ Support Zero Trust security principles In this article, I show how to configure this policy using Microsoft Intune, assign it to device groups, monitor deployment status, and validate enforcement directly on the endpoint. Because in modern endpoint security, remote traffic should never become a blind spot. How is your organization controlling Internet traffic for remote devices today? Full tunnel? Split tunnel? Secure proxy? Or Intune-managed policies? #MicrosoftIntune #EndpointSecurity #WindowsSecurity #ZeroTrust #CyberSecurity

The Hidden Killer of IoT Projects It doesn’t fail on day one. It fails slowly, painfully, over time. The pilot works. The first hundred sensors behave. The dashboard lights up beautifully. But then comes deployment at scale. A thousand sensors. Ten thousand sensors. And suddenly, chaos. Provisioning becomes a bottleneck. Firmware updates stall in the field. Some devices stop talking. Others send corrupted data. Technicians scramble, customers complain, and confidence erodes. This is the silent killer of IoT projects: poor device management. IoT isn’t just about connecting devices. It’s about keeping them alive, secure, and reliable for years. Every single one. Because a device without proper lifecycle management is like a car with no mechanic. It might drive off the lot looking great, but without maintenance, it won’t last the journey. The strongest IoT projects don’t collapse under their own weight. They succeed because they’ve built a foundation for scale with strategies for provisioning, monitoring, updating, and troubleshooting baked in from day one. The truth is, hardware fails. Networks fluctuate. Devices misbehave. But systems with strong lifecycle management bend without breaking. That’s the difference between a flashy pilot and a resilient, revenue-generating IoT ecosystem. So here’s the lesson: Don’t just ask, “Can we connect it?” Ask, “Can we manage it for the next five years?” Because the real battle in IoT isn’t turning devices on. It’s keeping them on. Have you seen a project collapse because device management was treated as an afterthought?

Most people in IT pick the wrong tool And it costs them Here's the problem: MDM (Mobile Device Management) controls the entire device. MAM (Mobile Application Management) controls just the apps and data. They're not interchangeable. But most people treat them like they are. They both manage mobile access, so people assume they're the same. They're not. Here's what happens when you get it wrong: • MDM invades BYOD personal privacy • Employees push back and disengage • IT teams face constant friction • MAM leaves corporate devices exposed • No wipe, encryption, or compliance That's not a policy gap. That's a security incident waiting to happen. So here's how to get it right: Use MDM for corporate devices. • Full device encryption • Remote wipe capabilities • Complete compliance enforcement • You own the house, you set the rules Use MAM for BYOD. • Protect Outlook, Teams, and OneDrive • Leave personal apps and photos untouched • Less invasive, more trust, less friction • You rent the room, not the whole house And for a modern Zero Trust architecture? Use both. MDM gives you power. MAM gives you balance. Together, they give you control without crossing the line.

Both SCCM (System Center Configuration Manager) and Intune can be used for BitLocker management, but there are differences in their approaches: - **SCCM BitLocker:** - *Scope:* Primarily designed for on-premises device management. - *Features:* Provides robust BitLocker management capabilities for traditional, on-premises devices. - *Deployment:* Well-suited for organizations with a significant on-premises infrastructure. - **Intune BitLocker:** - *Scope:* Focused on cloud-based device management and supports modern, mobile, and remote devices. - *Features:* Offers BitLocker management capabilities for devices that are managed in the cloud. Integration with Azure AD enhances cloud-centric management. - *Deployment:* Ideal for organizations embracing cloud-centric and modern device management strategies. **Integration:** - Microsoft Endpoint Manager integrates SCCM and Intune, allowing organizations to have a unified approach for BitLocker management across both on-premises and cloud-managed devices. **Choosing Between SCCM and Intune for BitLocker:** - Consider the nature of your organization's devices and infrastructure. If you have a mix of traditional and modern devices, a combination of SCCM and Intune through Microsoft Endpoint Manager might be appropriate. - If your organization is moving towards a cloud-centric strategy and has a significant number of remote or mobile devices, Intune's BitLocker management might align better with your needs.

🕹️ Full Control Over Devices. Zero Guesswork With Users. SCCM (System Center Configuration Manager) is Microsoft’s enterprise-grade platform for centralized IT management. It enables organizations to deploy, manage, and secure devices and applications across their network — all from a single console. 🔧 Key Capabilities with SCCM: ✅ Software Deployment I can push or uninstall any app across the entire organization — silently, remotely, and within minutes. No user interruption. No walkarounds. Just policy-based automation. ✅ Operating System Deployment (OSD) Need to format a laptop, push a clean image, or roll out Windows 11 across 100+ machines It’s all done through PXE boot, task sequences, and zero-touch imaging — even while I’m sipping coffee ☕. ✅ Patch Management Whether it’s Microsoft updates or third-party apps, SCCM keeps all machines up-to-date — securely and automatically. No need to rely on users clicking "Install now." ✅ Remote Support & Control Forget RDP or third-party tools. With SCCM’s built-in remote tools, I can take control of any user machine instantly to troubleshoot. ✅ Compliance & Security Baselines From firewall settings to BitLocker enforcement — every security config is deployed and monitored. Non-compliant machines are detected and fixed automatically. ✅ Hardware & Software Inventory I know exactly what every user is running — from RAM size and CPU to installed software versions. Need a report for audits? A few clicks and I’ve got it. ✅ Role-Based Access SCCM allows me to delegate specific rights to junior admins or other teams — securely and in a controlled way. ✅ Task Scheduling & Automation From cleaning temp files to enforcing power settings — I can automate routine maintenance tasks on a schedule across all endpoints, reducing manual overhead. ✅ Integration with Active Directory & Intune SCCM integrates natively with AD and Intune, allowing hybrid environments where on-prem and cloud-managed devices work together seamlessly. ✅ Custom Reporting With built-in reporting powered by SQL Server, I can generate detailed dashboards on patch compliance, app usage, device health, and more — tailored to any department or audit requirement. --- 🔐 SCCM isn’t just about pushing updates, it’s about owning the IT environment and ensuring everything works exactly the way it should

“We thought the screens would just work” 🤦♂️ We hear this a lot from companies rolling out digital signage for the first time. They assume that when something goes wrong, someone on the ground will fix it. Or it’ll magically sort itself out. Newsflash: It won’t. Remote Device Management (RDM) isn’t a nice-to-have. It’s the difference between a 2-minute fix & an $800 site visit. That’s the real cost for sending a technician onsite. Just to push a cable back in or switch an input source. And it’s even more complicated in high-security environments like airports. Meanwhile, the screen stays dark. Your comms stay silent. And your team stays frustrated. The good news is RDM costs next to nothing in comparison. And your IT team will thank you. So when you’re building your digital signage network, don't forget to factor in RDM from the start. Trust me on this one. #DigitalSignage #RemoteDeviceManagement #EnterpriseIT #InternalComms #ScreenCloud

🚀 Master Intune Device Management with Microsoft Graph PowerShell Still using legacy modules? It’s time to upgrade your game. 👉 The Microsoft Graph PowerShell SDK is now the ONLY supported way to manage Intune devices. The old Microsoft.Graph.Intune module is officially deprecated. 💡 I’ve put together a complete L1 → L3 guide covering: ✔️ Installation & authentication ✔️ Real-time device queries ✔️ Compliance reporting & dashboards ✔️ Remote actions (Sync, Lock, Retire, Wipe ⚠️) ✔️ Advanced automation & bulk operations ✔️ Troubleshooting + best practices 📊 Whether you’re: 🔹 Preparing for M365 interviews 🔹 Working in L1/L2/L3 support 🔹 Automating enterprise device management This guide gives you real commands + outputs + scenarios — not just theory. 📥 You can explore the full guide here: 🔥 Pro Tip: Always verify permissions & device ID before running destructive actions like Wipe or Retire. One wrong command = irreversible impact. 💬 What’s your biggest challenge with Intune or Graph PowerShell? Let’s discuss 👇 #Microsoft365 #Intune #PowerShell #Azure #ITSupport #EndpointManagement #CyberSecurity #CloudComputing

Enrolling devices in Microsoft Intune is a key step in ensuring endpoint management and security in the enterprise. But with several options available, how do you choose the right method ? 🤔 📌 Here's an overview of the different enrollment methods for Windows machines and their recommended use: ✅ Windows Automatic Enrollment 🔹 Ideal for companies using Azure AD Premium and wanting automatic enrollment. 🔹 Compatible with Windows 11 and 10 (1803+). 🔹 Recommended for remote workers and personal or business devices. ✅ Windows Autopilot 🔹 Complete enrolment automation with an out-of-the-box experience. 🔹 Perfect for new devices purchased from a compatible OEM. 🔹 Supports Hybrid Azure AD Join scenarios and remote deployment. ✅ BYOD (Bring Your Own Device) - User Enrollment 🔹 Enables employees to enroll their personal devices without requiring Azure AD Premium. 🔹 Users must be aware that their personal device may be managed by the organization. 🔹 Less recommended for companies seeking total control over devices. ✅ Co-management with Configuration Manager 🔹 Useful for companies still using ConfigMgr (SCCM) and wishing to transition to Intune. 🔹 Sometimes requires Azure AD Premium, depending on the chosen configuration. ⚡ Conclusion : which method to choose? 💡 If you want rapid, automated deployment, Autopilot is the best solution. 💡 For smooth integration with ConfigMgr, opt for Co-management. 💡 For BYOD management, User Enrollment offers interesting flexibility. 👉 Which method do you use in your company? Share your experiences in comments! 🔽