Don't forget the supply chain

Jonas Bøgvad

The pandemic forced us to make rapid decisions. When working with security, we must balance usability and security. Companies must be able to provide users with their devices remotely and securely. But what about the supply chain? Who sent our device? Never make a decision before doing your research. The list of bullet points below will help you determine what to consider.

Attacks on the supply chain are rare, but they do happen, and there are steps you can take to reduce your risk. For example, it's likely to be a better idea to buy devices directly from a reputable seller than to look for used devices on online marketplaces.

If your device is compromised before you have a chance to set up security settings, it can be hard to detect. But there are some smart things you can do to make it less likely that these attacks will work against your organization.

Most devices now have auto-setup programs like Windows Autopilot and Apple Business Manager. These programs are highly recommended because they reduce the amount of work needed to enroll new devices and increase enrollment security by keeping unenrolled devices safe in transit and reducing the likelihood of human error.

I suggest you read my blog post about the Zero-touch deployment program for each platform.

What is Zero-touch deployment with Intune?
Let me help you understand what Zero-Touch deployment with Intune is and how it can help your organization.

To use these programs, you usually have to work with a device supplier who will automatically add new devices to your organization's zero-touch enrollment program.

Getting ready to buy a device

When thinking about how to buy devices, I recommend that you:

  • Think about which of the zero-touch enrollment programs you want to use.
  • Look for companies that have a secure supply chain and can support each platform in Intune.
  • Check how safe the device maker is known to be.
  • Check whether they have the devices that your company has chosen to use.
  • Ask how new the devices they sell will be.
  • Ask how they will deal with broken devices that are sent back. For example, you might need to return a device that has corporate data on it, so make sure you agree on a way to wipe it.
  • Confirm whether they support your zero-touch enrollment program.
  • Find out at what point in their supply chain they give you devices. Some suppliers may use just-in-time manufacturing for large orders, which means that the factories that make the devices may know who the end customer is. Other suppliers may use domestic storage facilities, which makes it harder for supply-chain attacks to happen.
  • Plan how users who are abroad can obtain devices.
  • Decide how you will get the devices to the people who will use them. Depending on how they are set up, devices may be vulnerable if they are stolen while they are being sent out.

More information

Device Security Guidance
Guidance for organisations on how to choose, configure and use devices securely