
Device Management the DevOps Way


erikauer

May 28, 2026


Transcript

  1. Agenda
     1. Current State of Cybercrime
     2. How did we do security before?
     3. Why MDM?
     4. Our Requirements
     5. MDM - Our Solution
     6. Transparency
     7. Technical Implementation
     20.05.2026 WhizUs GmbH
  2. Intro | Cybercrime
     - Global cybercrime damages projected at $10.5 trillion USD annually by 2025
     - If measured as a country, cybercrime would be the world’s 3rd largest economy (after the US and China)
     - A ransomware attack hits a business every 11 seconds
     - 60% of small businesses close within 6 months of a cyberattack
     - Supply chain attacks have doubled since April 2025
     - Likelihood of detection and prosecution of cybercriminals is as low as 0.05% in the US
     ref: https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/
          https://cyble.com/blog/supply-chain-attacks-double-in-2025/
          https://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf
  3. Intro | Recent Attacks
     - Axios (2026): ~100M weekly npm downloads; North Korean state actors socially engineered the lead maintainer, injecting a RAT via a malicious dependency (plain-crypto-js); reached OpenAI’s macOS signing pipeline, forcing certificate rotation
     - Trivy (2025): the aquasecurity/trivy-action GitHub Action was impacted in the tj-actions/changed-files supply chain cascade; the compromise originated from reviewdog/action-setup, affecting 23,000+ repositories; attackers dumped CI/CD secrets, originally targeting Coinbase (CVE-2025-30066)
     ref: https://socket.dev/blog/axios-npm-package-compromised
          https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/
  4. Intro | Growing Technical Threats
     - AI is changing the threat landscape: attackers use AI to scale and improve attacks – both in quantity and quality
     - More code is being published faster (AI-generated) and is harder to control
     - Questions we previously couldn’t answer well:
       - How do we handle vulnerabilities on our devices?
       - How do we detect if a device has a vulnerability?
       - How is patch and update management established?
  5. Intro | How did we do security before?
     - we have a Slack channel #security
  6. Intro | How do we do security?
     - we have a Slack channel #security
     - we have guidelines / internal RFCs
  7. Intro | How do we do security?
     - we have a Slack channel #security
     - we have guidelines / internal RFCs
     - how do we react to such security incidents?
  8. Why | Regulatory & Market Pressure
     - NIS2 directive is coming to Austria this autumn – stricter cybersecurity obligations
     - ISO 27001 is increasingly required in tenders and business relationships
     - Proof of methodical security & data protection is becoming mandatory for working with large enterprises
     - We are actively audited by customers – detailed reports on business continuity, data protection, and security processes are expected
  9. Why | Real-World Examples
     - Tenders: ISO 27001 (or proof of established processes) is now a hard requirement in many RFPs
     - Customer in the financial sector: a supplier was removed entirely because they couldn’t demonstrate adequate security measures
     - Customer in the energy sector: before we could even start the project, we had to provide detailed documentation of our technical and organizational security measures
     - No security = no customers. There is no alternative for our business.
  10. Requirements | What do we need?
     - proper security operations and centralized management
     - proactive instead of "good luck" (e.g. alerts, real-time)
     - overview of where we are (e.g. dashboards)
     - vulnerability detection on devices
     - patch and update management
     - software inventory and cleanup of unused/outdated apps
     - industry proven solution(s)
     - works with: Linux, Windows, macOS, iOS, Android
     - automation (best with IaC)
     - pricing/costs we can manage
     Device Management is not just a corporate requirement – it is a personal security hygiene tool.
  11. MDM | How does it work?
     INFO: most of the companies out there are using MDM
     ref: https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management
  12. MDM | Solutions
     - Intune (Microsoft): Leader in the Gartner Magic Quadrant for UEM; deeply integrated with Microsoft 365 and Entra ID; supports all our platforms (Windows, macOS, Linux, iOS, Android); Terraform/OpenTofu provider available; GDPR compliant; dominant in Austrian enterprise environments
     - Jamf: Apple-focused MDM, industry leader for macOS/iOS fleets
     - Hexnode: Multi-platform UEM aimed at SMBs, competitive pricing
     - FleetDM: Open-source, osquery-based; popular in engineering-heavy teams
     We chose Intune – it covers all our requirements, BUT we’re free to switch to a better alternative
     ref: https://www.gartner.com/reviews/market/unified-endpoint-management
  13. MDM | Issues and Solutions
     - MDM is usually already A HUGE EFFORT
       - we will do MDM together (IaC) and limit the effort to only the relevant parts
     - with MDM one "could" do "almost everything" on the device
       - we limit this (explained in the transparency section)
       - only settings that improve security are configured
       - information disclosure is limited as much as possible
  14. Transparency | Audit Logs
     - each single action is logged
     - additionally, the logs are backed up (exported) to a secure location
  15. Transparency | Workflows
     Participants: Developer, GitHub, CI/CD, Slack, Admin/Maintainer
     1. Developer: Merge Release PR
     2. GitHub: Release published (trigger)
     3. CI/CD: tofu plan
     4. CI/CD: Upload plan artifact to release
     5. CI/CD: Create approval issue (with plan details)
     6. Slack: Notify "Release ready, waiting for approval"
     7. Admin/Maintainer: Review plan in issue
  16. Transparency | Workflows
     Participants: Developer, GitHub, CI/CD, Slack, Admin/Maintainer
     1. Admin/Maintainer: Review plan in issue
     2. alt [/approve]
        - Admin/Maintainer: Comment /approve
        - GitHub: Trigger apply workflow
        - CI/CD: Verify permissions (admin/maintain only)
        - CI/CD: Download plan from release
        - CI/CD: tofu apply
        - CI/CD: Close issue (completed)
     3. alt [/reject]
        - Admin/Maintainer: Comment /reject
        - CI/CD: Close issue (not planned)
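The approve/reject gate from the apply workflow above, as an added shell example (not the deck's own code): the bare comment body is mapped to a command and the commenter's repository role is checked before the reviewed plan is fetched and applied. It assumes the plan is attached to the release as an asset named tfplan, that the approval issue body starts with a line `release: <tag>`, and that the script is invoked as `sh approve-gate.sh run` from an issue_comment workflow with an authenticated `gh`; none of these conventions come from the deck.

```shell
#!/usr/bin/env sh
# Added example (not from the deck): approval gate for the "tofu apply" workflow.
# Assumed conventions: the plan is a release asset named "tfplan", the approval
# issue body starts with "release: <tag>", and gh is authenticated in GitHub Actions.
set -e

# Map a comment body to a command. Only a comment that consists of the bare
# command counts, so "/approve later?" inside a discussion applies nothing.
parse_command() {
  case "$(printf '%s' "$1" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')" in
    /approve) echo approve ;;
    /reject)  echo reject ;;
    *)        echo none ;;
  esac
}

# Only admins and maintainers may approve or reject. The argument is the
# role_name field from GET /repos/{owner}/{repo}/collaborators/{user}/permission.
role_may_approve() {
  case "$1" in
    admin|maintain) return 0 ;;
    *)              return 1 ;;
  esac
}

main() {
  user=$(jq -r .comment.user.login "$GITHUB_EVENT_PATH")
  body=$(jq -r .comment.body "$GITHUB_EVENT_PATH")
  issue=$(jq -r .issue.number "$GITHUB_EVENT_PATH")
  cmd=$(parse_command "$body")
  if [ "$cmd" = none ]; then exit 0; fi
  role=$(gh api "repos/$GITHUB_REPOSITORY/collaborators/$user/permission" --jq .role_name)
  if ! role_may_approve "$role"; then
    gh issue comment "$issue" --body "@$user: role '$role' may not $cmd this release"
    exit 1
  fi
  if [ "$cmd" = reject ]; then
    gh issue close "$issue" --reason "not planned"
    exit 0
  fi
  # Apply exactly the plan that was reviewed: the one attached to the release.
  tag=$(gh issue view "$issue" --json body --jq .body | sed -n 's/^release: //p' | head -n 1)
  gh release download "$tag" --pattern tfplan --dir .
  tofu apply -input=false tfplan
  gh issue close "$issue" --reason completed
}

# Run only when invoked with "run" from the workflow; the functions stay testable otherwise.
if [ "${1:-}" = run ]; then main; fi
```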
  17. IaC | Terraform
     - microsoft365wp is a wrapper around the Microsoft Graph API
     - simple

        terraform {
          required_providers {
            # the provider key must match the provider block below
            microsoft365wp = {
              source = "terraprovider/microsoft365wp"
            }
          }
        }

        provider "microsoft365wp" {
          client_id     = var.client_id
          client_secret = var.client_secret
          tenant_id     = var.tenant_id
        }

     ref: https://github.com/terraprovider/terraform-provider-microsoft365wp
  18. IaC | Terraform
     - microsoft365wp is a wrapper around the Microsoft Graph API
     - simple
     - does not support everything :(

        resource "microsoft365wp_device_compliance_policy" "linux_encryption" {
          display_name = "Linux - Encryption Required"
          description  = "Ensures linux devices have encryption enabled"
          scheduled_actions_for_rule = [{
            scheduled_action_configurations = [{
              action_type = "block"
            }]
          }]
          linux = { # this does not exist in the provider
            storage_require_encryption = true
          }
          assignments = [{ target = { all_devices = {} } }]
        }

     ref: https://github.com/terraprovider/terraform-provider-microsoft365wp
  19. IaC | Terraform

        resource "msgraph_resource" "linux_encryption_compliance" {
          url         = "deviceManagement/compliancePolicies"
          api_version = "beta"
          body        = local.linux_encryption_body
          response_export_values = {
            id   = "id"
            name = "name"
          }
          lifecycle {
            # this is required as a PATCH on settings changes is not supported
            replace_triggered_by = [terraform_data.linux_encryption_replace.output]
          }
        }
  20. IaC | Terraform

        resource "terraform_data" "linux_encryption_replace" {
          input = local.linux_encryption_body
        }

        locals {
          linux_encryption_body = {
            name         = "Linux - Encryption Required"
            description  = "Requires disk encryption (dm-crypt/LUKS) on Linux devices"
            platforms    = "linux"
            technologies = "linuxMdm"
            settings = [
              {
                "@odata.type" = "#microsoft.graph.deviceManagementConfigurationSetting"
                settingInstance = {
                  "@odata.type"       = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance"
                  settingDefinitionId = "linux_deviceencryption_required"
                  choiceSettingValue = {
                    value    = "linux_deviceencryption_required_true"
                    children = []
                  }
                }
              }
              ...
  21. Refs
     - Cyberversicherungen: Für alle Fälle geschützt in der digitalen Welt? (Cyber insurance: protected in all cases in the digital world?)
     - Wie hoch sind die finanziellen Schäden durch Cyberkriminalität? (How high are the financial damages caused by cybercrime?)
     - Supply Chain Attack on Axios Pulls Malicious Dependency from npm
     - iPhone-Hackcode
     - Intune
     - Defender
     - Microsoft Graph API
  22. Q&A

  23. Thanks