---
name: endpoint-management
description: Manage endpoints across the organization including device provisioning, patching, security, compliance monitoring, remote management, and lifecycle management. Use when deploying endpoint management solutions, managing device compliance, handling endpoint security incidents, standardizing device images, or managing endpoint lifecycle. Triggers on phrases like "endpoint management", "MDM", "device provisioning", "endpoint security", "patch management", "device compliance", "BYOD", "zero touch deployment".
---

# Endpoint Management & Device Lifecycle

Standardize, secure, and manage all corporate endpoints from procurement through retirement.

## Workflow

### 1. Endpoint Inventory & Classification

1. **Comprehensive device inventory**:
   - Discover and catalog all endpoints: laptops, desktops, mobile devices, IoT, servers
   - Device attributes: OS, model, serial number, user assignment, location, department
   - Asset tagging and barcode/RFID labeling
   - Integration with procurement and finance systems
   - Regular reconciliation (physical audit quarterly)

2. **Device classification and policy mapping**:
   - Corporate-owned/corporate-managed (COPE)
   - BYOD (employee-owned, corporate-managed)
   - Shared/kiosk devices
   - Industry-specific device policies (healthcare, manufacturing)
   - Classification determines management level and security requirements

3. **Ownership and accountability**:
   - Assign a device owner (the user) and an accountable manager (department head)
   - Acceptable use policy acknowledgment per user
   - Return policy documentation
   - Loss/damage reporting procedures

### 2. Device Provisioning & Onboarding

1. **Zero-touch deployment**:
   - Auto-enrollment via Apple DEP/MDM, Android Zero Touch, Windows Autopilot
   - Pre-configured device images with required applications and policies
   - User self-activation portal (device unboxing to productive use < 30 minutes)
   - Department-specific configuration profiles
   - Automated asset tracking update on activation

2. **User onboarding workflow**:
   - IT receives onboarding request from HR (automated via HRIS integration)
   - Device selection based on role requirements (standard, developer, designer)
   - Pre-configuration before ship/pickup (accounts, permissions, software)
   - Day-1 checklist: device test, access validation, training resources
   - Post-onboarding follow-up (week 1, month 1)

3. **Application deployment and standardization**:
   - Standard application suite by role (base package + role-specific)
   - Application whitelisting and approval process
   - Automated deployment via MDM/EMM platform
   - Software licensing tracking and compliance
   - Shadow IT application monitoring

### 3. Endpoint Security & Compliance

1. **Security baseline enforcement**:
   - OS hardening guidelines implementation (CIS benchmarks)
   - Full disk encryption enforcement (BitLocker, FileVault)
   - Firewall enablement and configuration
   - Antivirus/EDR agent installation and management
   - Application control and whitelisting

2. **Compliance monitoring and remediation**:
   - Continuous compliance scanning (weekly minimum)
   - Compliance checks: encryption, antivirus status, patch level, password policy
   - Non-compliant device remediation: auto-remediate, block network, quarantine
   - Compliance reporting by department and device type
   - Compliance score dashboard

3. **Patch and update management**:
   - Automated OS patch deployment with staged rollout
   - Critical security patches: deploy within 7 days of release
   - Standard patches: deploy within 30 days
   - Application patches: coordinate with application owners
   - Patch testing in pilot group before broad deployment
   - Patch compliance reporting
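As an added example (not code from this page or from any MDM product), a Python evaluator that applies the compliance checks in step 2 and the 7-day/30-day patch SLAs in step 3 to constructed inventory records and rolls the results up into the compliance tiers used by the dashboard; the `Device` fields and the mapping of failed checks to remediation actions are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

CRITICAL_SLA_DAYS = 7    # critical security patches: deploy within 7 days of release
STANDARD_SLA_DAYS = 30   # standard patches: deploy within 30 days

@dataclass
class Device:  # assumed inventory record shape
    name: str
    encrypted: bool
    edr_active: bool
    firewall_on: bool
    password_policy_ok: bool
    critical_patch_age: int   # days since the oldest missing critical patch was released (0 = none missing)
    standard_patch_age: int   # same, for standard patches

# Assumed mapping: missing hard controls -> quarantine; overdue critical patch -> block network; rest -> auto-remediate
QUARANTINE = {"encryption disabled", "EDR agent missing"}
BLOCK = {"critical patch overdue"}

def evaluate(d: Device) -> dict:
    """Return failed checks, compliance tier and the remediation action for one device."""
    failed = []
    if not d.encrypted: failed.append("encryption disabled")
    if not d.edr_active: failed.append("EDR agent missing")
    if not d.firewall_on: failed.append("firewall disabled")
    if not d.password_policy_ok: failed.append("password policy violation")
    if d.critical_patch_age > CRITICAL_SLA_DAYS: failed.append("critical patch overdue")
    if d.standard_patch_age > STANDARD_SLA_DAYS: failed.append("standard patch overdue")
    if not failed: status, action = "fully compliant", "none"
    elif QUARANTINE & set(failed): status, action = "non-compliant", "quarantine"
    elif BLOCK & set(failed): status, action = "non-compliant", "block network"
    else: status, action = "partially compliant", "auto-remediate"
    return {"device": d.name, "status": status, "action": action, "issues": failed}

def dashboard(devices: list) -> dict:
    """Roll per-device results up the way the dashboard does: tier counts, percentages, top issues."""
    results = [evaluate(d) for d in devices]
    total = len(results)
    tiers = Counter(r["status"] for r in results)
    issues = Counter(i for r in results for i in r["issues"])
    return {"total": total,
            "status": {t: (n, round(100 * n / total, 1)) for t, n in tiers.items()},
            "top_issues": issues.most_common(3)}

# Constructed sample inventory (not real devices)
SAMPLE = [Device("LT-001", True, True, True, True, 0, 0),
          Device("LT-002", True, True, False, True, 0, 45),   # firewall off, standard patch overdue
          Device("LT-003", False, True, True, True, 0, 0),    # encryption disabled -> quarantine
          Device("LT-004", True, True, True, True, 12, 0)]    # critical patch past 7-day SLA -> block
```

Running `dashboard(SAMPLE)` on the constructed inventory yields one device in each of fully and partially compliant and two non-compliant, which is the split a remediation report would act on.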

### 4. Remote Management & Support

1. **Remote support capabilities**:
   - Remote desktop/connect tools (TeamViewer, BeyondTrust, Splashtop)
   - Remote troubleshooting and software installation
   - Remote wipe capability for lost/stolen devices
   - Remote password reset and account recovery
   - Chat and co-browsing support options

2. **Monitoring and alerting**:
   - Endpoint health monitoring (disk space, memory, CPU, battery)
   - Security event monitoring (EDR alerts, malware detection)
   - Performance monitoring and trend analysis
   - Proactive alerting for issues before user impact
   - Device usage analytics

3. **Self-service support**:
   - IT service portal for common requests (software install, password reset)
   - Knowledge base articles for common issues
   - Automated troubleshooting scripts
   - Chatbot for tier-0 support
   - Escalation path to tier-1 support

### 5. Device Lifecycle & Retirement

1. **Lifecycle management**:
   - Define device refresh cycle by type (laptops: 3-4 years, phones: 2-3 years)
   - Budget forecasting based on device age and refresh schedule
   - Pre-refresh planning (6 months before end-of-life)
   - Refresh automation (order new, migrate data, retire old)
   - Technology roadmap planning for hardware standards

2. **Data migration and transfer**:
   - Automated data migration to new device
   - User profile and preferences transfer
   - Application and license transfer
   - Validation that all data migrated successfully
   - User sign-off on new device functionality

3. **Device retirement and disposal**:
   - Data sanitization (NIST 800-88 compliant wipe or physical destruction)
   - Sanitization certificate generation
   - Asset record update (status: disposed)
   - Environmentally responsible disposal (e-waste recycling)
   - Resale or donation for functional devices
   - Finance reconciliation (depreciation, write-off)

## Templates & Frameworks

### Endpoint Standard Configuration

```
ENDPOINT CONFIGURATION STANDARDS
=================================

LAPTOP — Standard Business:
  OS: Windows 11 Pro / macOS Sonoma
  RAM: 16 GB minimum
  Storage: 256 GB SSD minimum
  Encryption: BitLocker / FileVault — Required
  Antivirus: Microsoft Defender / CrowdStrike — Required
  MDM: Microsoft Intune / Jamf Pro — Required
  Standard Apps: Office 365, Chrome, Teams, Zoom, VPN, 1Password
  Lock screen timeout: 5 minutes
  Password: Domain AD — complexity per policy

LAPTOP — Developer:
  + RAM: 32 GB
  + Storage: 1 TB SSD
  + Apps: VS Code, Docker, Git, Python, JDK, Terraform
  + GPU: Optional based on role

MOBILE — Corporate:
  OS: iOS 17+ / Android 14+
  MDM: Intune / Jamf Pro
  Encryption: Required
  App whitelist: Corporate apps only
  Jailbreak/root detection: Block
  Remote wipe: Enabled

SHARED/KIOSK:
  Kiosk mode: Enabled
  Auto-lock: 1 minute
  No persistent login
  Reset to baseline on reboot
  Monitoring: Enhanced
```

### Device Lifecycle Timeline

```
DEVICE LIFECYCLE — Standard Laptop
====================================

YEAR 0 (Procurement):
  Q1: Budget approval and procurement order
  Q2: Zero-touch provisioning, user assignment
  Q3: First compliance scan, baseline established
  Q4: Mid-year review, warranty registration

YEAR 1 (Active Use):
  Regular: Patch management, compliance monitoring, antivirus updates
  Annual: User satisfaction survey, performance assessment

YEAR 2 (Mid-Life):
  Assessment: Hardware performance review, user needs evaluation
  Possible: RAM/storage upgrade, OS upgrade
  Planning: Begin budgeting for replacement (Year 3)

YEAR 3 (End-of-Life Planning):
  Q1: Replacement device ordered
  Q2: Data migration, old device retirement
  Q3: Disposal or recycling
  Q4: Finance reconciliation, lifecycle complete

TOTAL LIFECYCLE COST (3 years):
  Device cost: $1,200
  Software/licenses: $400
  Support/maintenance: $300
  Disposal/recycling: $50
  Total: $1,950 per device
```

## Integration Points

- MDM/EMM platforms (Microsoft Intune, Jamf Pro, VMware Workspace ONE, MobileIron): Device management
- EDR/XDR platforms (CrowdStrike, SentinelOne, Carbon Black): Endpoint security
- HRIS (Workday, BambooHR): Employee lifecycle triggers (onboarding/offboarding)
- Procurement systems (Coupa, SAP Ariba): Device ordering and budgeting
- ITSM platforms (ServiceNow, Jira Service Management): Incident and request management
- Identity platforms (Okta, Azure AD): Authentication and access management
- Asset management systems (Snipe-IT, AssetTools): Inventory tracking
- Finance/ERP systems: Asset depreciation, cost tracking

## Edge Cases

- **BYOD environment**: Containerization of corporate data; limited MDM scope on personal devices; clear acceptable use policy; insurance coverage considerations
- **Global device deployment**: Region-specific software and compliance requirements; customs and import management; local IT support coverage
- **Bring Your Own Laptop (BYOL)**: Minimum security requirements enforcement; compliance monitoring without full MDM; network access controls
- **IoT and specialized devices**: Limited OS support for standard management; network segmentation; physical security controls
- **Legacy device support**: Extended support contracts; compensating security controls; migration timeline to modern hardware

## Output

### Endpoint Management Dashboard

```
ENDPOINT INVENTORY — April 2025
================================

DEVICE OVERVIEW:
  Total managed endpoints: 2,847
  Laptops/desktops: 1,923
  Mobile devices: 834
  Servers/workstations: 90
  Online (last 24h): 2,612 (91.7%)

COMPLIANCE STATUS:
  Fully compliant: 2,534 (89.0%)
  Partially compliant: 267 (9.4%)
  Non-compliant: 46 (1.6%)
  Top compliance issues: Outdated OS (18), Missing patches (15), Encryption disabled (13)

PATCH STATUS:
  Critical patches current: 97.2%
  Standard patches current: 94.8%
  Devices pending reboot: 34
  Patch compliance target: >95%

SECURITY STATUS:
  EDR agents active: 2,834/2,847 (99.5%)
  Encryption enabled: 2,841/2,847 (99.8%)
  Firewall enabled: 2,847/2,847 (100%)
  Security incidents (30 days): 23

LIFECYCLE FORECAST:
  Devices reaching EOL (next 6 months): 187
  Estimated refresh cost: $224,400
  Budget allocated: $210,000 (gap: $14,400 ⚠)

SUPPORT METRICS:
  Open endpoint tickets: 47
  Avg resolution time: 4.2 hours
  Self-service resolution rate: 34%
  Remote resolution rate: 61%
```

## Trigger Phrases

"endpoint management", "MDM", "EMM", "device provisioning", "endpoint security", "patch management", "device compliance", "BYOD", "zero touch deployment", "device lifecycle", "asset management", "endpoint inventory", "remote wipe", "device retirement", "autopilot", "device imaging"
