This activity specifically directs DoD Components to procure and implement a Unified Endpoint Device Management (UEDM) solution. The activity explicitly mandates close collaboration with the “Implement Asset, Vulnerability, and Patch Management Tools” activity (2.5.1) to ensure requirements are integrated into procurement. Once procured, the UEDM team(s) are responsible for ensuring that Zero Trust Target Level functionalities are in place, including: minimum compliance, asset management capabilities, and, importantly, API support. This emphasis on APIs is key for enabling future automation and integration with the broader security ecosystem.

This activity is vital because the UEDM serves as an authoritative source for a device’s “managed” status and its continuous “compliance,” which are fundamental criteria for accessing resources in a Zero Trust environment (as defined in Activity 2.4.1).

The outcomes for Activity 2.6.1 highlight the central role of UEDM in device compliance and reporting:

  1. Components can confirm whether devices meet minimum compliance standards. (This is the UEDM’s primary role in assessing and reporting compliance).
    • Detailed Example for Outcome 1: Imagine your organization has a minimum compliance standard that states: “All laptops must run Windows 10/11 Enterprise (latest two builds), have BitLocker enabled, the organization’s approved EDR agent active and up-to-date, and all critical security patches installed within 72 hours of release.” Your UEDM solution continuously monitors each managed laptop. It collects real-time data on the OS version, checks BitLocker status, receives telemetry from the EDR agent confirming its running state and signature version, and scans for missing patches. If a laptop’s BitLocker becomes disabled, or a critical patch goes unapplied for more than 72 hours, the UEDM instantly flags that device as “non-compliant.” Conversely, if all criteria are met, the UEDM confirms the device as “compliant.” This status is then available for real-time reporting and decision-making by other Zero Trust components.
  2. Components have asset management system(s) for user devices (phones, desktops, laptops) that maintain IT compliance, which is reported up to the DoD enterprise. (The UEDM provides this integrated view for core user devices).
    • Continuing the Example for Outcome 2: Building on the previous point, as the UEDM continuously assesses the laptop’s compliance status, it’s also acting as a primary source for an enterprise-level Asset Management System, such as ServiceNow IT Asset Management. When that laptop was initially enrolled and identified by the UEDM, the UEDM automatically pushed its core asset details (serial number, model, OS, user assignment) to ServiceNow’s CMDB (Configuration Management Database) via a direct integration. Now, as the UEDM continuously updates the laptop’s compliance status (e.g., changing from “compliant” to “non-compliant” and back), ServiceNow’s CMDB automatically receives these updates. This ensures that the enterprise-wide Asset Management System maintains a real-time, comprehensive record not just of the laptop’s physical attributes, but also its current IT compliance posture. This consolidated view of device compliance is then available for reporting up to the DoD enterprise, providing a unified picture of endpoint security across all Components.
  3. Components’ asset management systems can programmatically (i.e., via API) provide device compliance status and whether it meets minimum standards. (This emphasizes the critical API capability for automation).
    • Continuing the Example for Outcome 3: Because the enterprise’s central Asset Management System (ServiceNow CMDB), now richly populated with compliance data from the UEDM, is designed to be API-first (a key procurement requirement from Activity 2.5.1), it exposes its own robust APIs. Imagine a user on that laptop (currently flagged as “non-compliant” by the UEDM due to an unapplied critical patch) attempts to access sensitive data remotely via a Zero Trust Network Access (ZTNA) solution (from Activity 2.4.1). Before granting access, the ZTNA solution can make a real-time API call to ServiceNow’s CMDB: “Is device with ID X (the laptop) currently compliant with enterprise minimum standards?” The Asset Management System’s API responds: “No, it is not compliant (missing critical patch).” Based on this programmatic, automated response, the ZTNA solution immediately denies access, or quarantines the device, enforcing the “deny device by default” policy without any manual intervention. This exemplifies how the API capability of the Asset Management System, fueled by the UEDM, enables dynamic, automated security decisions across the Zero Trust ecosystem.
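The three outcomes above describe one data flow: the UEDM evaluates telemetry against the minimum standard (Outcome 1), pushes the result into the enterprise asset record (Outcome 2), and a ZTNA broker queries that record by API before deciding access (Outcome 3). The following is an added Python example of that flow, not code from the original page and not ServiceNow, DoD or any UEDM vendor’s code. It assumes constructed values: the approved OS build names, a one-day EDR signature-age threshold, the sample device identifiers and patch identifiers, and the policy mapping of an unenrolled device to “deny” and an enrolled but non-compliant device to “quarantine”.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic (assumption).
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)

# Minimum compliance standard from the Outcome 1 example. The concrete build
# names and the EDR signature-age threshold are assumptions, not from the page.
APPROVED_BUILDS = {
    "Windows 10 Enterprise 22H2",
    "Windows 11 Enterprise 23H2",
    "Windows 11 Enterprise 24H2",
}
PATCH_SLA = timedelta(hours=72)
EDR_MAX_SIGNATURE_AGE = timedelta(days=1)


@dataclass
class DeviceTelemetry:
    """What the UEDM agent reports for one managed laptop (constructed fields)."""
    device_id: str
    serial: str
    model: str
    assigned_user: str
    os_build: str
    bitlocker_enabled: bool
    edr_running: bool
    edr_signature_time: datetime
    # critical patch id -> vendor release time, for patches not yet installed
    missing_critical_patches: dict = field(default_factory=dict)


def evaluate_compliance(t: DeviceTelemetry, now: datetime = NOW):
    """UEDM compliance check: returns (compliant, list of failed criteria)."""
    reasons = []
    if t.os_build not in APPROVED_BUILDS:
        reasons.append(f"OS build not approved: {t.os_build}")
    if not t.bitlocker_enabled:
        reasons.append("BitLocker disabled")
    if not t.edr_running:
        reasons.append("EDR agent not running")
    elif now - t.edr_signature_time > EDR_MAX_SIGNATURE_AGE:
        reasons.append("EDR signatures out of date")
    for patch_id, released in t.missing_critical_patches.items():
        # A missing patch is only a failure once the 72-hour window has passed.
        if now - released > PATCH_SLA:
            reasons.append(f"critical patch {patch_id} unapplied beyond 72h SLA")
    return (not reasons, reasons)


class Cmdb:
    """Stand-in for the enterprise asset system the UEDM pushes records into."""

    def __init__(self):
        self.records = {}

    def upsert_from_uedm(self, t: DeviceTelemetry, now: datetime = NOW):
        """Outcome 2: asset attributes plus current compliance posture."""
        compliant, reasons = evaluate_compliance(t, now)
        self.records[t.device_id] = {
            "serial": t.serial, "model": t.model, "os": t.os_build,
            "user": t.assigned_user, "compliant": compliant,
            "reasons": reasons, "last_assessed": now.isoformat(),
        }
        return self.records[t.device_id]

    def compliance_status(self, device_id: str):
        """Outcome 3: the API call a ZTNA broker makes, 'is device X compliant?'"""
        rec = self.records.get(device_id)
        if rec is None:
            # Never seen by the UEDM: report it as unmanaged, never as compliant.
            return {"managed": False, "compliant": False,
                    "reasons": ["device not enrolled in UEDM"]}
        return {"managed": True, "compliant": rec["compliant"],
                "reasons": rec["reasons"]}


def ztna_decision(cmdb: Cmdb, device_id: str) -> str:
    """Deny-by-default: unknown -> deny, enrolled but failing -> quarantine, else allow."""
    status = cmdb.compliance_status(device_id)
    if not status["managed"]:
        return "deny"
    if not status["compliant"]:
        return "quarantine"
    return "allow"


def build_sample_cmdb(now: datetime = NOW) -> Cmdb:
    """Two constructed laptops: one passing, one failing on two criteria."""
    cmdb = Cmdb()
    cmdb.upsert_from_uedm(DeviceTelemetry(
        device_id="LT-0001", serial="SN-AAA111", model="Laptop A",
        assigned_user="user1", os_build="Windows 11 Enterprise 24H2",
        bitlocker_enabled=True, edr_running=True,
        edr_signature_time=now - timedelta(hours=6),
        # released 24h ago: still inside the 72h window, so still compliant
        missing_critical_patches={"KB-EXAMPLE-1": now - timedelta(hours=24)},
    ), now)
    cmdb.upsert_from_uedm(DeviceTelemetry(
        device_id="LT-0002", serial="SN-BBB222", model="Laptop B",
        assigned_user="user2", os_build="Windows 10 Enterprise 22H2",
        bitlocker_enabled=False, edr_running=True,
        edr_signature_time=now - timedelta(hours=2),
        # released 80h ago and still missing: outside the SLA
        missing_critical_patches={"KB-EXAMPLE-2": now - timedelta(hours=80)},
    ), now)
    return cmdb


if __name__ == "__main__":
    cmdb = build_sample_cmdb()
    for dev in ("LT-0001", "LT-0002", "LT-9999"):
        print(dev, cmdb.compliance_status(dev), "->", ztna_decision(cmdb, dev))
```

The two points worth carrying into a real integration are the ones the example makes explicit: a device the asset system has never seen is reported as unmanaged rather than silently compliant, and a missing patch is only a failure once the 72-hour window the standard allows has elapsed, so the evaluator does not flag devices that are still within policy.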

The ultimate end state underscores the operational power of a well-implemented UEDM: UEDM implementation enables effective patch management and configuration baselines. It also provides the ability to remotely deny or quarantine devices that are not in compliance. This directly links UEDM to active enforcement and remediation for non-compliant devices, supporting the “deny by default” policy from 2.4.1.

Solutions for Activity 2.6.1: Implementing Unified Endpoint Device Management

Implementing Activity 2.6.1 requires selecting a robust UEDM platform and ensuring its integration capabilities are leveraged to unify endpoint management, compliance, and reporting for Zero Trust:

  1. Procurement and Implementation of a UEDM Solution:
    • Select a UEDM platform that can manage diverse device types (laptops, desktops, smartphones, tablets, and potentially certain IoT devices) and supports the security requirements of your organization, including enforcing configuration baselines (e.g., STIGs) and integrating with vulnerability and patch management.
    • During procurement, mandate strong API support from the UEDM vendor for both querying device status and pushing configurations/actions.
    • Deploy the UEDM solution across your enterprise, ensuring all user devices are enrolled and managed.
  2. Unifying Asset Management, Compliance, and Patch Management with UEDM Integration:
    • Leverage the UEDM’s capabilities for asset management for enrolled devices (device inventory, attributes, ownership).
    • Configure the UEDM to continuously assess device compliance against defined minimum standards (e.g., OS version, security software status, encryption status, configuration adherence to STIGs).
    • Integrate the UEDM with your patch management tools (from Activity 2.5.1) to ensure patches are deployed and verified effectively. Many UEDMs offer integrated patch management.
  3. Enabling Remote Deny/Quarantine Capabilities:
    • Integrate the UEDM with your IdP, NAC, or ZTNA solutions to enable the remote denial of access or quarantine of devices that fall out of compliance. The UEDM provides the “compliance status” (via its integration with the Asset Management System and its own APIs) that triggers the enforcement action by these other systems. Some UEDMs may also have direct remote wipe/lock capabilities.

Key Considerations:

  • Comprehensive Device Coverage: Ensure the UEDM can effectively manage all types of user devices in your environment.
  • API-First Approach: The UEDM’s API capabilities are paramount. Verify the granularity, documentation, and reliability of its APIs for enabling future automation and integration, especially for feeding compliance status to other systems.
  • Seamless Integration Ecosystem: The UEDM must integrate seamlessly with your existing and planned Zero Trust tools (ITAM/CMDB, VM, PM, EDR, IdP, NAC/ZTNA, SIEM/SOAR) to function as the central orchestrator of device trust.
  • Defining Minimum Compliance Standards: Clearly define and configure the specific, measurable compliance baselines within the UEDM that devices must meet for Zero Trust access.
  • User Experience: For BYOD specifically, balance security requirements with a manageable user experience for enrollment and ongoing compliance.
  • Centralized Reporting: Ensure the UEDM provides centralized reporting on device compliance across the enterprise, potentially feeding into a CMDB or SIEM.

For the Technical Buyer:

Activity 2.6.1 is a key component in operationalizing continuous device trust within your Zero Trust architecture. By procuring and implementing a robust UEDM solution, you establish the central platform for managing your endpoint inventory, enforcing configuration baselines, and continuously assessing device compliance against your defined standards. For technical buyers, the single most critical factor here is selecting a UEDM with strong, well-documented APIs that can programmatically provide device compliance status to other Zero Trust components. This API capability, particularly when integrated with your enterprise Asset Management System, is what truly enables dynamic access policies, remote denial/quarantine of non-compliant devices, and automated remediation workflows across your integrated security ecosystem. Success in this activity means your UEDM becomes the authoritative source for device trust, enabling a proactive and resilient defense of your endpoints.

Pillar: Device

Capability: 2.6 Unified Endpoint Management and Mobile Device Management

Activity: 2.6.1 Implement UEM or Equivalent Tools

Phase: Target Level

Predecessor(s): None

Successor(s): 2.3.6 Enterprise PKI Part 1, Device Authorization w/Real Time Inspection Capability

Technology Partners