Automating third-party software deployments and updates with Intune and ScappmanAlex Fields
For those of you in my audience who work at Managed Services Providers (MSP’s), I wanted to introduce you to a product called Scappman that I am really excited about. Rarely do I come across something like this, which solves such an important problem in just the way I was hoping someone would solve it. Specifically I’m referring to the headache of managing application packages and deployments as well as updates (yes, even for third-party apps), across multiple tenants.
To be clear, Scappman is not paying me for advertising or anything like that; I just really like them, and I asked them to share with us here today. So with that, I will let them describe their product in the below guest post. I think those of you struggling to implement Microsoft Endpoint Manager (Intune) at scale for your customers will really like what they’ve put together so far (and where they are heading in the future).
Overcoming multi-tenancy challenges
This blog is for Managed Service Providers or organizations who have more than one tenant to manage. To make things easy, we will just call them Managed Service Providers (MSPs) or Managed Security Service Providers (MSSPs). MSPs encounter the same problems as most companies, but they are multiplied by the amount of their customers they serve.
As an MS(S)P, you need to make sure your customers or tenants are protected and secured against hackers, zero-day vulnerabilities, malicious links, and attachments. If you have more than one tenant to control, you are often performing the same task repeatedly for each tenant that you serve.
Scappman focusses on automating common MEM tasks. One of these tasks is to automatically update applications. Currently, as an MS(S)P you need to sign to every single customer’s MEM tenant to update the applications for your customers. That means that you need to go through the never-ending patch cycle like anyone else, but from the upload phase you must repeat each step for every customer separately. It suffices to say that the time you spend managing and updating those applications can be enormous.
Because the manual update process takes so much time and resources, and mistakes are easily made, you could end up creating vulnerabilities rather than resolving them.
As an MS(S)P you want a single pane of glass to manage all your customers. Logging in to each tenant for each customer takes a lot of time. Imagine having to update and monitor a zero-day vulnerability for 100 customers… You would have to update the application in MEM, log on to each tenant and check the status of the application deployment. If you must do this a couple of times, you will lose a lot of time with each update.
To save time for MS(S)P’s, Scappman has implemented a multitenant architecture. This allows MS(S)P’s to easily switch between their customers and get a global overview across all applications. In this dashboard, you get an overview of all your managed applications.
As a service provider, you can sign in to the Scappman portal and from the menu in the right upper corner select the customer you would like to access. From there, you’ll be able to co-manage that customer’s tenant. Only MS(S)P admins can switch between their customers.
If you manage multiple tenants or customers, many of them will share the same base set of applications. To make it easier to control these applications in bulk, you can use a feature called application sets. Application sets enable you to select several applications like Google Chrome, Adobe Acrobat Reader, Greenshot, etc., and install them for several customers at once. And when it’s time to onboard a new customer or tenant, you can deploy a whole list of applications to them, with just 4 simple clicks. After that, they can all enjoy the benefits of Scappman’s automation, to make sure they’re always up to date and secure.
Another powerful feature of application sets is patching zero-day vulnerabilities. As soon as a zero-day is patched, that patch will be packaged and tested in our test environment. When the update has successfully passed all our testing procedures, including Autopilot scenario deployments, we will release it to our production customers. Updates are automatically rolled out to the MEM of our customers between 4AM and 6AM UTC. But if you don’t want to wait that long or when you have configured a rollout delay for your customers, you can open the application set and click the update now button for the application requiring an update. Scappman will then immediately start deploying the update to all customers that are in the application set.
Customer update rings
Even though Scappman tests its application deployment process very thoroughly to make sure an application deploys reliably in many different scenarios, including Autopilot deployments, an application update might still be incompatible with other applications, or the update could cause issues because of some other conditions that we could not test.
That is why we created update rings. This enables you to test the update on a subset of your users first and then continue the update deployment to your remaining users. As an MS(S)P you may want this feature as well across all your customers or tenants. However, as it’s not feasible to configure those groups for every customer separately, one of our customers came up with the idea for customer-based update rings. Instead of selecting a set of users or devices for every update ring, you just select a (set of) customers for each update ring. All users or devices for that customer would automatically be included in that update ring, requiring very little configuration on your part, but a convenient way to test and validate updates.
Even with customer update rings enabled, you can still overwrite the delay by manually clicking the ‘Update now’-button for each update ring. That way you can deploy updates for zero-day patches faster than what is configured as normal update delay.
The reverse is also possible. If you notice an update is causing conflicts or issues for your customers in the fast update ring, you can disable the deployment of that update for your other customers by simply toggling the update switch to off.
Although Microsoft Endpoint Manager provides a plethora of options to manage and maintain applications across your estate, there is potentially a lot of work involved doing so. Especially because zero-day vulnerabilities seem to become more and more prevalent, extra effort (and caution!) is required when keeping an eye on your application landscape and patching status.
This is where a solution like Scappman can bring tremendous value. Just like technology from Microsoft, it adds the smarts and automation to specific processes, freeing up time to focus on other important elements of the management of your environment, like responding to alerts and events.
So there you have it, folks! I would encourage you to check it out over at scappman.com, and reach out through their website if you would like a demo or more information.