IT AI Skill

Endpoint Management

Manage endpoints across the organization including device provisioning, patching, security, compliance monitoring, remote management, and lifecycle management. Use when deploying endpoint management solutions, managing device compliance, handling endpoint s...

Endpoint Management & Device Lifecycle

Standardize, secure, and manage all corporate endpoints from procurement through retirement.

Workflow

1. Endpoint Inventory & Classification

Comprehensive device inventory:

Discover and catalog all endpoints: laptops, desktops, mobile devices, IoT, servers
Device attributes: OS, model, serial number, user assignment, location, department
Asset tagging and barcode/RFID labeling
Integration with procurement and finance systems
Regular reconciliation (physical audit quarterly)

Device classification and policy mapping:

Corporate-owned/corporate-managed (COPE)
BYOD (employee-owned, corporate-managed)
Shared/kiosk devices
Industry-specific device policies (healthcare, manufacturing)
Classification determines management level and security requirements

Ownership and accountability:

Assign device owner (user) and manager owner (department head)
Acceptable use policy acknowledgment per user
Return policy documentation
Loss/damage reporting procedures

2. Device Provisioning & Onboarding

Zero-touch deployment:

Auto-enrollment via Apple DEP/MDM, Android Zero Touch, Windows Autopilot
Pre-configured device images with required applications and policies
User self-activation portal (device unboxing to productive use < 30 minutes)
Department-specific configuration profiles
Automated asset tracking update on activation

User onboarding workflow:

IT receives onboarding request from HR (automated via HRIS integration)
Device selection based on role requirements (standard, developer, designer)
Pre-configuration before ship/pickup (accounts, permissions, software)
Day-1 checklist: device test, access validation, training resources
Post-onboarding follow-up (week 1, month 1)

Application deployment and standardization:

Standard application suite by role (base package + role-specific)
Application whitelisting and approval process
Automated deployment via MDM/EMM platform
Software licensing tracking and compliance
Shadow IT application monitoring

3. Endpoint Security & Compliance

Security baseline enforcement:

OS hardening guidelines implementation (CIS benchmarks)
Full disk encryption enforcement (BitLocker, FileVault)
Firewall enablement and configuration
Antivirus/EDR agent installation and management
Application control and whitelisting

Compliance monitoring and remediation:

Continuous compliance scanning (weekly minimum)
Compliance checks: encryption, antivirus status, patch level, password policy
Non-compliant device remediation: auto-remediate, block network, quarantine
Compliance reporting by department and device type
Compliance score dashboard

Patch and update management:

Automated OS patch deployment with staged rollout
Critical security patches: deploy within 7 days of release
Standard patches: deploy within 30 days
Application patches: coordinate with application owners
Patch testing in pilot group before broad deployment
Patch compliance reporting

4. Remote Management & Support

Remote support capabilities:

Remote desktop/connect tools (TeamViewer, BeyondTrust, Splashtop)
Remote troubleshooting and software installation
Remote wipe capability for lost/stolen devices
Remote password reset and account recovery
Chat and co-browsing support options

Monitoring and alerting:

Endpoint health monitoring (disk space, memory, CPU, battery)
Security event monitoring (EDR alerts, malware detection)
Performance monitoring and trend analysis
Proactive alerting for issues before user impact
Device usage analytics

Self-service support:

IT service portal for common requests (software install, password reset)
Knowledge base articles for common issues
Automated troubleshooting scripts
Chatbot for tier-0 support
Escalation path to tier-1 support

5. Device Lifecycle & Retirement

Lifecycle management:

Define device refresh cycle by type (laptops: 3-4 years, phones: 2-3 years)
Budget forecasting based on device age and refresh schedule
Pre-refresh planning (6 months before end-of-life)
Refresh automation (order new, migrate data, retire old)
Technology roadmap planning for hardware standards

Data migration and transfer:

Automated data migration to new device
User profile and preferences transfer
Application and license transfer
Validation that all data migrated successfully
User sign-off on new device functionality

Device retirement and disposal:

Data sanitization (NIST 800-88 compliant wipe or physical destruction)
Sanitization certificate generation
Asset record update (status: disposed)
Environmentally responsible disposal (e-waste recycling)
Resale or donation for functional devices
Finance reconciliation (depreciation, write-off)

Templates & Frameworks

Endpoint Standard Configuration

ENDPOINT CONFIGURATION STANDARDS
=================================

LAPTOP — Standard Business:
  OS: Windows 11 Pro / macOS Sonoma
  RAM: 16 GB minimum
  Storage: 256 GB SSD minimum
  Encryption: BitLocker / FileVault — Required
  Antivirus: Microsoft Defender / CrowdStrike — Required
  MDM: Microsoft Intune / Jamf Pro — Required
  Standard Apps: Office 365, Chrome, Teams, Zoom, VPN, 1Password
  Lock screen timeout: 5 minutes
  Password: Domain AD — complexity per policy

LAPTOP — Developer:
  + RAM: 32 GB
  + Storage: 1 TB SSD
  + Apps: VS Code, Docker, Git, Python, JDK, Terraform
  + GPU: Optional based on role

MOBILE — Corporate:
  OS: iOS 17+ / Android 14+
  MDM: Intune / Jamf Pro
  Encryption: Required
  App whitelist: Corporate apps only
  Jailbreak/root detection: Block
  Remote wipe: Enabled

SHARED/KIOSK:
  Kiosk mode: Enabled
  Auto-lock: 1 minute
  No persistent login
  Reset to baseline on reboot
  Monitoring: Enhanced

Device Lifecycle Timeline

DEVICE LIFECYCLE — Standard Laptop
====================================

YEAR 0 (Procurement):
  Q1: Budget approval and procurement order
  Q2: Zero-touch provisioning, user assignment
  Q3: First compliance scan, baseline established
  Q4: Mid-year review, warranty registration

YEAR 1 (Active Use):
  Regular: Patch management, compliance monitoring, antivirus updates
  Annual: User satisfaction survey, performance assessment

YEAR 2 (Mid-Life):
  Assessment: Hardware performance review, user needs evaluation
  Possible: RAM/storage upgrade, OS upgrade
  Planning: Begin budgeting for replacement (Year 3)

YEAR 3 (End-of-Life Planning):
  Q1: Replacement device ordered
  Q2: Data migration, old device retirement
  Q3: Disposal or recycling
  Q4: Finance reconciliation, lifecycle complete

TOTAL LIFECYCLE COST (3 years):
  Device cost: $1,200
  Software/licenses: $400
  Support/maintenance: $300
  Disposal/recycling: $50
  Total: $1,950 per device

Integration Points

MDM/EMM platforms (Microsoft Intune, Jamf Pro, VMware Workspace ONE, MobileIron): Device management
EDR/XDR platforms (CrowdStrike, SentinelOne, Carbon Black): Endpoint security
HRIS (Workday, BambooHR): Employee lifecycle triggers (onboarding/offboarding)
Procurement systems (Coupa, SAP Ariba): Device ordering and budgeting
ITSM platforms (ServiceNow, Jira Service Management): Incident and request management
Identity platforms (Okta, Azure AD): Authentication and access management
Asset management systems (Snipe-IT, AssetTools): Inventory tracking
Finance/ERP systems: Asset depreciation, cost tracking

Edge Cases

BYOD environment: Containerization of corporate data; limited MDM scope on personal devices; clear acceptable use policy; insurance coverage considerations
Global device deployment: Region-specific software and compliance requirements; customs and import management; local IT support coverage
Bring Your Own Laptop (BYOL): Minimum security requirements enforcement; compliance monitoring without full MDM; network access controls
IoT and specialized devices: Limited OS support for standard management; network segmentation; physical security controls
Legacy device support: Extended support contracts; compensating security controls; migration timeline to modern hardware

Output

Endpoint Management Dashboard

ENDPOINT INVENTORY — April 2025
================================

DEVICE OVERVIEW:
  Total managed endpoints: 2,847
  Laptops/desktops: 1,923
  Mobile devices: 834
  Servers/workstations: 90
  Online (last 24h): 2,612 (91.7%)

COMPLIANCE STATUS:
  Fully compliant: 2,534 (89.0%)
  Partially compliant: 267 (9.4%)
  Non-compliant: 46 (1.6%)
  Top compliance issues: Outdated OS (18), Missing patches (15), Encryption disabled (13)

PATCH STATUS:
  Critical patches current: 97.2%
  Standard patches current: 94.8%
  Devices pending reboot: 34
  Patch compliance target: >95%

SECURITY STATUS:
  EDR agents active: 2,834/2,847 (99.5%)
  Encryption enabled: 2,841/2,847 (99.8%)
  Firewall enabled: 2,847/2,847 (100%)
  Security incidents (30 days): 23

LIFECYCLE FORECAST:
  Devices reaching EOL (next 6 months): 187
  Estimated refresh cost: $224,400
  Budget allocated: $210,000 (gap: $14,400 ⚠)

SUPPORT METRICS:
  Open endpoint tickets: 47
  Avg resolution time: 4.2 hours
  Self-service resolution rate: 34%
  Remote resolution rate: 61%

Trigger Phrases

"endpoint management", "MDM", "EMM", "device provisioning", "endpoint security", "patch management", "device compliance", "BYOD", "zero touch deployment", "device lifecycle", "asset management", "endpoint inventory", "remote wipe", "device retirement", "autopilot", "device imaging"