Application management best practices with modern management
While applications are indispensable to any modern organisation, managing them at scale can take time, manual effort and money, so much so that application management stands as the most expensive and labour-intensive element of managing end user devices. Poorly managed applications have a greater adverse impact on both efficiency and security than any other aspect of device management.
Given the complexities of application management, some IT teams put it in the ‘too hard’ basket, perceiving it as too costly or too challenging to maintain. Application management will often get deprioritised, which exposes organisations to heightened security and compliance risks.
Neglecting application management is not an option. Not only is it the secret sauce for successfully managing end user devices, but effective application management is also critical for implementing many crucial security controls against common threats including phishing.
Effective application management provides benefits beyond security, including:
Lower end user device total cost of ownership (TCO)
Reduced opportunity for human error
Increased operational efficiencies
Positive end user experience
This guide outlines key strategies and best practices to effectively secure and manage applications.
Visibility and inventory for effective management
To manage applications effectively, organisations should have visibility over their inventory. This includes which versions of applications are in use and where they’re located.
Understanding the application landscape enables IT teams to identify redundant or underutilised applications, pinpoint outdated applications and prioritise updates or patches.
Inventory is also indispensable for security and compliance. If you don’t know where an application is located within your organisation, it’s impossible to properly secure it. This is always the critical first step organisations need to take before they can effectively manage applications.
Complete visibility of all applications on every employee device across the entire organisation must not be compromised. If a system isn't visible, it isn't managed, therefore exposing organisations to unmitigated risks from the most common and effective vulnerabilities exploited by criminals.
Access application data and reporting for security and compliance
To maintain and validate security and compliance, organisations need to have immediate access to current and historical data regarding applications running on end user devices.
To facilitate this, adopt software that offers up-to-date reporting that your organisation can manage effectively over the long term. It's equally important to ensure you have access to tailored insights that show a comprehensive history of patching, maintenance, and compliance across end user devices.
Having accurate and up-to-date reporting helps prove your organisation adheres to strict compliance measures. It also reinforces overall security protocols. Once you maintain an accurate and up-to-date inventory of applications within your organisation, security monitoring tools like SIEM (Security Information and Event Management) can use this data to identify applications that are not part of your organisation.
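The reconciliation described above can be sketched as follows. This is an added example, not code from the original guide or from any vendor product; the application names, device names, field names and version numbers are all constructed. It compares device-reported software against an approved catalogue and reports unapproved, outdated and missing applications per device.

```python
from collections import defaultdict

# Approved catalogue: application -> minimum acceptable version (constructed).
APPROVED = {"Contoso Browser": "120.0.1", "Contoso PDF": "23.8.0", "Endpoint AV": "4.18.2"}
REQUIRED = ("Endpoint AV",)  # assumed baseline expected on every device

# Rows as an inventory agent might report them (constructed sample data).
INVENTORY = [
    {"device": "LT-001", "app": "Contoso Browser", "version": "121.0.0"},
    {"device": "LT-001", "app": "Endpoint AV", "version": "4.18.2"},
    {"device": "LT-002", "app": "Contoso Browser", "version": "118.2.9"},
    {"device": "LT-002", "app": "QuickShare Free", "version": "2.1"},
    {"device": "LT-003", "app": "contoso pdf ", "version": "23.10"},
]

def parse_version(text):
    """'23.10' -> (23, 10): compare numerically, since '23.10' < '23.8' as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))

def is_older(found, minimum):
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))  # pad so (23, 10) and (23, 8, 0) line up
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def reconcile(inventory, approved, required=REQUIRED):
    """Return {device: [(finding, app, version), ...]} for devices with findings."""
    canon = {name.casefold(): name for name in approved}
    findings, seen = defaultdict(list), defaultdict(set)
    for row in inventory:
        device, raw = row["device"], row["app"].strip()
        name = canon.get(raw.casefold())
        if name is None:
            findings[device].append(("unapproved", raw, row["version"]))
            continue
        seen[device].add(name)
        if is_older(row["version"], approved[name]):
            findings[device].append(("outdated", name, row["version"]))
    for device in sorted({row["device"] for row in inventory}):
        for name in required:
            if name not in seen[device]:
                findings[device].append(("missing", name, None))
    return dict(findings)

if __name__ == "__main__":
    for device, items in reconcile(INVENTORY, APPROVED).items():
        print(device, items)
```

Findings in this shape can be forwarded to a SIEM as events; a device that never appears in the inventory at all produces no findings here and has to be caught by comparing against the device register.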
Implementing a tiered framework for application management
Devise and implement a tiered framework for identifying application dependencies for end users. This is a key process for effectively managing applications.
A tier-based framework allows you to easily categorise and assign applications based on your organisation’s structure, departments, employee roles and application lifecycle. This also allows for self-service onboarding for new employees—providing a seamless experience and a positive first impression of the organisation.
Five-tier application management maturity framework:
TIER ZERO: Self-installed applications, not managed by your application management solutions. This is not recommended as it requires users to have local admin access to install applications and they won’t be listed in the company portal, potentially resulting in a poor end user experience and compromising security. Tier zero should be avoided due to its substantial reduction in security controls that leaves devices more susceptible to malware and phishing campaigns.
TIER ONE: Applications are published in the company portal but not kept up to date. This includes end-of-life applications that no longer receive updates or low-risk non-essential applications, such as a music player. Local admin access is not required for this tier.
TIER TWO: Trusted non-essential applications made available in the company portal for users to download. This might include a preferred browser, a PDF reviewer or a music application. These applications do not require installation before end users gain access to the device; instead, self-service installations are enabled. Local admin access is not necessary for this tier.
TIER THREE: Applications based on role groups defined by your organisation. Examples include finance, developer and marketing teams. Installed during the system build before the end user receives the device. Local admin access is not granted.
TIER FOUR: Standard applications for every end user device, regardless of department. This often includes antivirus and security software. Installed during the system build before the end user receives the device. Local admin access is not granted.
Have a company portal for secure application management
A straightforward and secure approach to application management is to have a company portal that allows employees to access, download and install authorised applications. When combined with a strict policy on administrative privileges, this helps to effectively maintain security by preventing unauthorised or unmanaged applications from being downloaded.
This approach gives end users unrestricted access to necessary resources. It also eliminates time-consuming support requests to install applications, helping new starters hit the ground running from day one.
The best approach is to implement a process that automatically enrols new devices onto the company portal and installs necessary applications without requiring any manual action.
For non-essential authorised applications, make sure end users can access the software library and install any other applications they need without requiring local administrative privileges (as described in tier three).
One of the most significant operational advantages for IT, beyond cost and time savings, is the elimination of application sprawl and mitigating the risks associated with unlicensed shadow software circulating throughout the organisation.
Hardening security with automated application allowlisting
All organisations should adopt automated application allowlisting.
You can effectively enforce application allowlisting by permitting only authorised applications to be installed on end user devices through the company portal. Use a trust chain between applications that are deployed by your application management platform. This is easier than having to maintain a library of approved application hashes, which has its own set of challenges.
Applications that do not originate from the company portal should be blocked, even if the end user is an administrator. These applications are unmanaged and will not have the correct trust chain to install or update. You can create an exception for sub-processes to allow for auto-updating, as they follow the trust chain back to the company portal.
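The trust-chain rule above, including the auto-update exception, can be modelled in a few lines. This is an added, simplified example and not the logic of any particular allowlisting product; the agent path, file names and the `propagates` flag (which marks an installer or updater allowed to pass trust on to files it writes) are assumptions made for illustration.

```python
AGENT = r"C:\Program Files\PortalAgent\agent.exe"  # hypothetical portal agent path

class TrustChain:
    """Simplified model: a file may run only if its origin traces to the portal agent."""

    def __init__(self):
        # path -> True if the file may pass trust on to executables it writes
        self.origin = {AGENT: True}
        self.running = {}  # pid -> image path of an allowed, running process

    def execute(self, pid, image, is_admin=False):
        # is_admin is deliberately ignored: privilege does not create trust.
        if image not in self.origin:
            return "block"
        self.running[pid] = image
        return "allow"

    def write_file(self, pid, path, propagates=False):
        """Record an executable written to disk by process `pid`."""
        writer = self.running.get(pid)
        if writer is not None and self.origin.get(writer):
            self.origin[path] = propagates  # inherits portal origin
            return "trusted"
        # Written or overwritten outside the chain: any earlier trust is lost.
        self.origin.pop(path, None)
        return "untrusted"

def scenario():
    """Constructed sequence: portal install, auto-update, then an admin sideload."""
    tc = TrustChain()
    return [
        tc.execute(1, AGENT),                                   # portal agent starts
        tc.write_file(1, "app.exe"),                            # agent installs the app
        tc.write_file(1, "app_updater.exe", propagates=True),   # and its updater
        tc.execute(2, "app.exe"),
        tc.execute(3, "app_updater.exe"),
        tc.write_file(3, "app_v2.exe"),                         # auto-update keeps the chain
        tc.execute(4, "app_v2.exe"),
        tc.write_file(2, "downloaded_setup.exe"),               # app.exe is not an installer
        tc.execute(5, "downloaded_setup.exe", is_admin=True),   # admin cannot override
    ]

if __name__ == "__main__":
    print(scenario())
```

The `propagates` distinction matters: if every trusted application passed trust on to whatever it wrote, a portal-installed browser would turn any download into an allowed executable.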
Unlock efficiency with automated workflows
Automation allows you to streamline application packaging, deploy updates, and maintain continuous comprehensive device management.
From onboarding new devices to packaging and deploying updates, application management is traditionally a very time-consuming and repetitive process. When organisations embrace automation, they can reinvent the way they manage and secure applications.
It may seem obvious, but automation is crucial for application management. When deciding to onboard or integrate an application into an organisation, assess the support implications at that time. For instance, if ensuring the safe automation of future updates is not possible, you should weigh the risks to productivity, security and compliance, in addition to the ongoing manual effort required by IT teams.
Automation is the key to reducing manual ‘busy work’ and liberating valuable IT resources. Organisations can embrace automation for:
Onboarding new devices
Onboarding new applications into the company portal
Deploying application updates
Deploying application updates to pilot users
Application testing and roll out
New applications and application updates should be deployed to a pilot group for testing before being deployed across all end user devices. This helps IT teams guarantee the application is functional before it’s rolled out to the whole organisation.
With a comprehensive and mature process for application testing, IT teams can identify and address potential issues, including:
Compatibility problems: Applications may not work seamlessly on all devices, operating systems, or configurations. Testing with a small group allows you to identify any compatibility issues.
Integration problems: New versions may not always integrate seamlessly with other software or systems, particularly if they require further updates for compatibility. Testing with a pilot group helps to identify integration challenges and ensure devices run smoothly when deployed.
Performance optimisation: Issues like slow loading times, excessive resource consumption, or crashes can be detected and optimised before application updates are deployed to the entire fleet.
Security vulnerabilities and bugs: Within the test environment, pilot users can uncover potential vulnerabilities and bugs that could be harmful to end user devices.
Custom or bespoke configurations: Some organisations customise applications so that they function in their specific environment. Post Verification Testing (PVT) by a representative of a particular role group can be conducted before deployment to all users in the role group.
Impact on user experience: Pilot group feedback can help organisations to improve the user interface and overall user experience, ensuring it meets the expectations and needs of your end users.
By addressing these issues at an early stage in a controlled environment, organisations can ensure productivity, data security and overall user satisfaction are not negatively impacted. Organisations save time and resources which would otherwise be spent managing and rectifying problems post-deployment.
The value of application management in meeting security and compliance standards
The value of effective application management extends beyond immediate cost savings and efficiency improvements; it plays a pivotal role in enhancing an organisation's security and compliance posture.
Standards including CIS Critical Security Controls and ASD Essential Eight stipulate application management requirements. Proper application management hardens security by reducing vulnerabilities that could be exploited by cybercriminals and reduces the likelihood of unmanaged or out-of-date software being used in an organisation.
When done well, application management becomes the catalyst for achieving many other organisational benefits. This includes reducing the impact of human error and enhancing user experience.
Serving as the foundation for numerous organisational benefits, application management is the engine that drives modern businesses forward, enabling them to build a more efficient and secure future.
Automation remains the key to mastering application management, offering an efficient, timesaving and risk-reducing approach. It not only streamlines operations but also helps identify and rectify compatibility issues, integration challenges, performance bottlenecks and security vulnerabilities.