Capabilities for application lifecycle management
Applications support businesses with various day-to-day operations and communication, making them indispensable in the modern workplace.
When executed correctly, application management becomes the catalyst for unlocking various organisational benefits. This includes enhancing the user experience and boosting security, productivity and efficiency.
Many organisations grapple with the demanding and resource-intensive processes tied to application lifecycle management, which often necessitates a substantial investment in skilled personnel.
Automation is the key to mastering application lifecycle management.
Devicie significantly reduces manual effort and resource overheads by automating and standardising application management tasks—an efficient and risk-reducing approach.
This guide outlines Devicie's capabilities for application lifecycle management, including:
automated packaging of off-the-shelf applications
bespoke application packaging
automated deployment of applications updates
application inventory and reporting
application control and allowlisting
application hardening.
Automated application lifecycle management
In the absence of automated workflows, IT teams can spend days packaging, deploying and managing applications.
Devicie's approach for automating application lifestyle management eliminates the need for manual handling, reducing the overall IT effort from days to hours.
The outcome is a reduction in costs, lower potential for human error and enhanced operational efficiencies. The Devicie platform provides:
flexible application packaging as a service
packaging for custom, proprietary and legacy applications
customised deployment options and timeframes
automated updates, repackaging, testing and deployment
packaging designed with security and compliance in mind.
Application packaging
Devicie automates the standardisation of common configuration settings to enable their customers to effortlessly deploy and manage applications at scale.
Processes for automated application packaging consist of the following stages:
onboarding applications to the platform
maintaining a back catalogue of Outlet Test System (OTS) applications that are automatically provisioned to the customer’s Intune tenant
collaborating with customers to onboard and provision custom applications and configurations, including proprietary applications, on an agreed release cadence.
Figure 1 (below) outlines this process for automating both catalogue and custom applications.
Automated application deployments
Devicie provides a comprehensive solution for managing the deployment of applications across the organisation’s device fleet. The process of updating existing applications, onboarding new applications and validating applications in production is entirely automated (see Fig. 1).
New application onboarding
New applications are divided into categories. Depending on the requirements of the applications and organisation, these categories can be based on the application’s function, the department that uses it, or the stage of its lifecycle.
This categorisation helps streamline the onboarding process and ensures each application is handled according to its specific needs. The onboarding process includes testing and troubleshooting to confirm that the application functions correctly within the new system. This comprehensive and efficient approach allows for enhanced management and allocation of resources, promotes efficient integration of applications into the organisation’s workflow, and helps organisations maximise the benefits of their new applications.
Application package tiers
During the onboarding session, Devicie guides its customers in creating a tiered framework that identifies application dependencies for end users. This foundational process allows Devicie customers to categorise and assign applications based on their organisation’s structure, departments, employee roles and application lifecycle.
Applications can be automatically deployed and installed using group roles through this tiered framework. This empowers new employees with self-service onboarding, offering a smooth experience and a positive first impression of the organisation.
The tiers are:
Tier Zero: Self-installed applications, not managed by Devicie. This is not recommended as they require administrative access to install and will not be listed in the company portal, potentially resulting in a poor end user experience and undermining security. Tier Zero should be avoided due to its substantial reduction in security controls that leaves devices more susceptible to malware and phishing campaigns.
Tier One: Applications are published in the company portal but not kept up to date or managed by Devicie. This includes end-of-life applications that no longer receive updates or low risk non-essential applications, such as a music player. Local admin access is not required for this tier.
Tier Two: Trusted non-essential applications made available in the company portal for users to download. This might include a preferred browser, a PDF reviewer or a music application. These applications do not require installation before end users gain access to the device; instead, self-service installations are enabled. Local admin access is not necessary for this tier.
Tier Three: Applications based on role groups defined by the customer. Examples include finance, developer and marketing teams. Installed during the system build before the end user receives the device. Local admin access is not granted.
Tier Four: Standard applications for every end user device, regardless of department. Examples often include Microsoft 365 Apps, antivirus and security software. Installed during the system build before the end user receives the device. Local admin access is not granted.
Production validation
During the scoping process, Devicie gathers a list of required and desired applications and classify them accordingly.
Applications critical to the organisation are referred to as business-line applications. These are packaged and made available for deployment and testing during the production validation process.
Once available for deployment, business-line applications are tested by pilot users. These pilot users work with Devicie to perfect the configuration and functionality of the applications and identify and mitigate any bugs or issues.
The pilot concludes with sign-off and approval of the packaged application pool, facilitating safe deployment to the rest of the fleet.
Application testing
Devicie deploys new applications and updates to a pilot group for User Acceptance Testing (UAT) before deploying across all end user devices. This helps IT teams guarantee the application is functional before it's rolled out to the entire fleet.
Any defects identified during UAT must be reported to Devicie support for resolution and redeployment. If a defect or any issue arises in UAT, the previous version can be rolled back to facilitate organisational change control processes and address issues without disrupting business operations.
Back catalogue applications
Devicie maintains a catalogue of generally available commercial and other off-the-shelf software. If an application is not already maintained by Devicie, it is onboarded for the production validation and then managed proactively.
Back catalogue applications are made available to multiple customers and are updated at least every 30 days, in line with security best practice.
To efficiently maintain a back catalogue application, software vendors should supply advisories of new updates and allow methods for systematic download. For example:
access to query software repositories to systematically monitor for releases
published releases on product or support pages that can be scraped
software repositories that can be accessed without multi-factor authentication (MFA/2FA)
applications identified and requested by a Devicie customer that are already part of the back catalogue can typically be tested and deployed without further configuration.
Bespoke applications
Bespoke applications are those where version information and media are not generally available. Possible scenarios include:
when the software has been internally developed and is unique to the customer
when the software is end-of-life and is no longer supported by the vendor
when the software requires customisation that would not be appropriate for other customers. For example, customers who provide their own software repositories, licensing, configuration or management infrastructure hard coded into the application.
Application media files
Devicie can directly access most commercially available and other application media files. For bespoke application configurations, customers may provide media files directly.
This can be managed:
Informally: Software can be provided to Devicie via a third-party application such as Microsoft OneDrive.
For regular release: Devicie can provide access to blob storage with authentication for programmatic upload.
Version checking
Most vendors provide access to version information, for example via a generally available software repository or release notes, allowing software to be added to the back catalogue.
When versions cannot be programmatically queried, manual intervention may be required, resulting in bespoke application configuration.
Update deployments
When application updates are made available, Devicie automates their deployment across the entire fleet of end user devices.
This is achieved through Devicie’s automated application management process, which includes deployment to a pilot group for post-verification testing to ensure the updated application is functional. Once the pilot users confirm the absence of issues, the deployment continues to roll out across the fleet.
Emergency deployments
For urgent application deployments outside of the standard maintenance process, customers can create high priority support tickets in their company portal and follow up with their appointed customer success specialist.
Devicie may reach out to customers to prioritise deployment when:
an end user issue has been resolved by a new software version of updated package
a critical security event is identified and requires a patch or update.
Company Portal
Devices onboarded to Devicie automatically receive the Company Portal application. Authorised non-essential applications are housed in the customer’s Company Portal, which allows end users to download and self-install these applications without requiring local administrative privileges.
Support Portal
New and changing application requirements are a part of business. Devicie manages new application requests and technical support through the Devicie Support Portal.
In the Devicie Support Portal:
customers can select applications from the Devicie back catalogue. If it's not listed in the back catalogue, then customers can select New Application
business-line applications are made available and automatically install through the Company Portal
authorised non-essential applications are available through the Company Portal for self-install by users who want them
business-line applications and authorised non-essential applications can be assigned to role groups, particularly if they are intended for deployment to specific users, roles, or groups.
Application security
Devicie provides layered security to applications with many controls working together to provide comprehensive protection from cyber threats, while meeting compliance requirements and providing functionality for users and the organisation.
Application allowlisting
Devicie restricts users from downloading and installing applications that are not available in the Company Portal. This is established by a trust chain between applications that are deployed by Devicie, rather than using hashing.
Applications downloaded and installed via the corporate Company Portal may share the same binary and hash as a file downloaded by an end user. Applications that do not originate from the Company Portal will be blocked, even if the end user is an administrator.
Applications not managed by Devicie will not have permission to install or update, however sub-processes that allow for auto-update will be permitted, as they follow the trust chain back to the Company Portal.
Devicie does not support deny-listing, however all applications not explicitly allowed will be denied. Devicie can manage and install third party software to add additional controls over binary execution.
Removal of administrative privileges
When applications are managed correctly, end users do not need privileged access. Devicie eliminates the need to provide end users with administrative privileges by maintaining all applications in a Company Portal for employees to access and download.
Ensuring the required applications are readily available is the critical factor for ensuring end user productivity.
By empowering organisations to restrict local administrative privileges, Devicie helps mitigate the risk of a breach involving privilege escalation, while enabling them to meet compliance.
Devicie blocks applications from being downloaded from anywhere outside the Company Portal, providing protection against unauthorised malicious software.
Application hardening
Devicie incorporates various security controls in its automated application lifecycle management processes. These controls are aligned with several frameworks and standards, including:
Centre for Internet Security Benchmarks
The Australian Signals Directorate Essential 8 controls
Microsoft’s Attack Surface Reduction rules.
General application security
The security controls applied to limit the download and execution of malicious code include:
blocking the execution of potentially obfuscated scripts
preventing Adobe Reader from creating child processes
preventing untrusted and unsigned processes from running from removable media
blocking executable content from email client and webmail
preventing JavaScript VBScript from launching downloaded executable content
disabling persistence through WMI event subscription
blocking credential stealing from the Windows local security authority subsystem (lsass.exe).
Microsoft Office security
The additional Microsoft Office specific controls applied include blocking:
Win32 API calls from Office macro
Office applications from injecting code into other processes
Office applications from creating child processes
Microsoft Office communication application from creating child processes
Office applications from creating executable content.
Application access and authentication
For all Software as a Service (SaaS) applications configured within the organisation, Devicie configures browsers to support Single Sign On (SSO) automatically. While the Microsoft Edge browser is configured to do so by Microsoft, Devicie extends this native support to Chrome and Firefox browsers.
Browser security
Browsers provide a significant attack surface as they directly interact with content on the internet, some of which may be malicious.
Devicie deploys Windows Defender Browser Protection to all supported browsers and configures password vault extensions, such as 1Password and LastPass.
Other browser configuration or extensions can be deployed through Devicie to raise the security posture or enforce corporate policies.
Application compliance
Device makes it easier for organisations to achieve and prove their compliance across several security standards, including PCI DSS, CIS, the ASD Essential 8, ISO 27001 and SOC2.
NOTE: This is not a comprehensive list of Devicie security compliance, rather just relating to applications specifically.
The Devicie dashboard
Devicie’s dashboard provides immediate access to current and historical data on applications running on end user devices, which is beneficial for showing and proving security and compliance measures.
Devicie deploys three Win32 applications, CIS Monitoring, Local Admin Reporting Solution (LARS) and Software Inventory, to capture and display information.
Application inventory
Application inventory management is indispensable for security and compliance. Understanding the application landscape enables IT teams to identify redundant or underutilised applications, pinpoint outdated applications and prioritise updates or patches.
The Devicie dashboard enables local administrators to:
maintain an audit trail
select a specific period to show the applications installed on every device and what version was running at the time
filter specific devices or user groups in or out of reports
identify all the applications installed on a specific device
identify the devices with a particular software installed
track application updates as version/release numbers and log for report application update compliance.
ASD Essential Eight
Devicie enables customers to implement various best-practice security controls and processes rapidly and effectively in line with the Essential Eight.
The framework and capabilities provided by Devicie immediately improve your company's security posture and maturity.
Devicie can help companies reach and improve maturity on:
application control
patch applications
configure Microsoft Office macros settings
user application hardening
multi-factor authentication.
Payment Card Industry Data Security Standard (PCI DSS)
Devicie provides controls for compliance to the PCI DSS.
Devicie meets or exceeds:
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs (5.1, 5.2, 5.3).
Requirement 6: Develop and maintain secure systems and applications (6.2, 6.4).
HIPAA Compliance
Devicie controls can be used to meet HIPAA Secure Rule safeguards compliance on end user devices.
Audit Controls in the Technical Safeguards section is addressed by the Devicie dashboard.
Access Control in the Technical Safeguards section is addressed for SaaS applications by Devicie’s browser security, and integration with Entra ID for application authorisation and access. Windows Hello and Microsoft Conditional Access can be leveraged further if licensed.
Australian Prudential Regulation Authority (APRA) CPS 234
Devicie aligns with the APRA CPS 234 on Information Security and enables application compliance in several ways.
The APRA CPS 234 requirements Devicie helps organisations align to are:
Requirement 20: Devicie provides asset and software asset inventory.
Requirements 21 and 22: Devicie manages application vulnerabilities with regular updates and reporting. The version of each application is provided with an audit trail to identify in-scope application within their lifecycle.
Requirements 23, 24, 25 and 26: For any incidents relating to managed applications, Devicie provides the ability to redeploy applications to a ‘known good’ state.
Requirements 27, 28, 30: Devicie maps security controls to the MITRE ATT&CK Framework to ensure controls address cyber attack tactics. Devicie maintains internal penetration testers and compliance professionals to ensure control effectiveness when addressing cyber-attack risk.
Requirements 33 and 34: Devicie’s dashboard provides data useful in meeting internal audit requirements pertaining to application management. For example, a history of security controls applied to applications can be reviewed by auditors for control effectiveness.
Enhancing business outcomes with effective application lifecycle management
As businesses increasingly rely on technology, ensuring applications are well-maintained becomes essential.
Effectively managing applications:
maximises productivity across the organisation by streamlining processes, reducing downtime and enhancing user efficiency
optimises the user experience and contributes to user satisfaction
allows organisations to save on support costs and minimise downtime
hardens security and helps organisations maintain and prove compliance.
Effective application lifecycle management ensures software remains robust, efficient and aligned with organisational goals. Prioritising application management is not just a technical necessity; it directly impacts business outcomes and user well-being.