USB security: Finger print authentication for removable storage authorization!

11/07/2021 – Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

Video: https://www.youtube.com/watch?v=4m4syW1_5f0

Article details: Security uses authentication (prove who you are) and authorization (what can you access…permissions).  secRMM has policy properties that combine the two.  In this blog, we will show you this with a new secRMM property called “RequireFingerPrint”.  This is a checkbox property (i.e. on or off). 

With this property, secRMM will give you access to a removable storage device after you provide a finger print scan (of the user who is logged into the Windows computer).  You use the Microsoft “Windows Hello” (i.e. Control Panel->User Accounts->Windows Hello Fingerprint) to associate a finger print to a userId.
Below are the screenshots that appear (in the order shown) when the user plugs in a removable storage device.

Finger print prompt 1

Finger print prompt 2

The first prompt asks the user to click Yes or No.  Which ever button they click, their answer is logged into the event log.

If they did click the Yes button, then secRMM activates the finger print scanner and waits for the results.  If the user cancels the finger print scan, this is also logged into the event log.

Below is a screenshot of the 2 events that get logged for a successful finger print scan.

Closing: We hope you find this new secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security: From Dashboard/Charts to specifics/details with a single mouse click!

10/07/2021 –

Video: https://www.youtube.com/watch?v=j_YTEtE_Dl4

Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

Article details: Since secRMM is a security tool, it comes with a real-time Dashboard (i.e. Charts).  These charts automatically refresh themselves at a configurable time.  So, if you want to monitor removable storage events in real-time, the Dashboard/charts are very useful.  But suppose one or more of the charts shows that there is an incident happening, the next thing you would like to know (as a security administrator) are the specific details of why the chart is showing activity.  The secRMM Charts feature now contains a “Details” button next to each Chart that will show you the events that represent the Chart data.  The “Details” button ties together the real-time Dashboard/Charts with the secRMM Excel AddIn.  Once you click the “details” button for a Chart, it will continue to update the secRMM Excel Addin until you close it.  The secRMM Excel AddIn can also be used independent of hooking up with the real-time Dashboard. 

This feature (i.e. Charts and Excel AddIn) is available as a standalone program or directly within the SCCM Console.  The 2 screenshots below are showing the SCCM Console integration.

Closing: We hope you find this new secRMM feature useful for your environment(s).  Please let us know what you think or if you have a specific requirement for your environment.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

USB security in cloud, on-premise, hybrid and/or air-gapped environments

08/09/2021 – Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

Article details: The ‘secRMM Policy Configurator’ program makes it easy for you to use one ‘User Interface’ (UI) program regardless of the way you want to deploy the ‘USB security policies’ to your endpoint computers.  Even if you have computers that are on an isolated network (the popular computer phrase for this is ‘air-gapped’).  This is common in highly classified environments where the computers may be running in a ‘sensitive compartmented information facility’ (SCIF).  Or even if you have completely standalone computers (i.e no network connection). 

The ‘secRMM Policy Configurator’ supports (today) 4 different modes:

1. Microsoft SCCM (also called: Microsoft Endpoint Configuration Manager (MECM))

Microsoft calls this the on-premise solution.

Please note the secRMM also has a fully integrated ‘SCCM Console Extension’ so that you can deploy, configure, report and view ‘live dashboard charts’ from right within the SCCM console.
Which User Interface you use (or both!) is entirely up to you.

_{secRMM Policy Configurator in SCCM mode}

2. Microsoft Intune (also called: Endpoint Manager)

Microsoft calls this the cloud solution.

_{secRMM Policy Configurator in Intune mode}

3. Microsoft Active Directory Group Policy Objects (AD GPO)

This is another on-premise solution from Microsoft.

_{secRMM Policy Configurator in Active Directory GPO mode}

4. Endpoint

This is the term we chose to call when you are operating in an air-gapped or standalone computer mode.

_{secRMM Policy Configurator in Endpoint mode}

As you can see from the screenshots above, each mode has a slightly different set of properties that are required to utilize the mode.  The ‘secRMM Policy Configurator’ handles the differences between the modes so that when you are creating, editing or deleting a USB security policy, it always looks just the same, regardless of the mode.  You can see the common editor in the screenshot below.

_{secRMM Policy Configurator editor}

If you would like to use the ‘secRMM Policy Configurator’ support, you can download it from the Squadra Technologies web site:
 www.squadratechnologies.com->software->secRMM->Download->Optional Downloads->secRMM Policy Configurator as shown in the screenshot below.

_{Where to download the secRMM Policy Configurator}

Closing: We hope you find this tool useful for your environment(s).  Please let us know what you think or if you have a requirement for a different environment/framework.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

Capture “removable storage device serial number(s)” using Powershell

03/23/2021 – Product overview: secRMM is a Windows security solution that audits and controls access to removable storage devices (i.e. USB drives and mobile devices).  secRMM is very easy to implement in that it can operate on a standalone Windows computer (even XP!) or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

Article details: One of the most popular security policies for removable storage is to only allow certain devices into your environment.  This is done using the removable storage device “serial number”.  Every device has a unique serial number.  secRMM has a property called “AllowedSerialNumbers”.  So, all you have to do is to tell secRMM which devices you want to allow (white-list) into your environment by telling it the serial number of the device(s).  Easy…but how do you get the serial number to begin with?  Well, you can use secRMM to do this.  Just plug in the device and go into the secRMM event log.  There will be an ONLINE event for the device you just plugged in and it will tell you the serial number.  But, somewhat of a pain if you must do this for tens or hundreds of devices.  OK, let’s combine Powershell and secRMM to put the serial numbers into the clipboard so we can just do a paste each time we plug in a device:

Sorry some of the lines wrap in the script but just copy the whole script and save it to a ps1 file.
We named it GetSecRMMOnlineEventsFromEventLog.ps1 but you can name it anything you like, just make sure the file has a ps1 extension so that Windows will associate the file with the PowerShell program.

#****************************************************************************
#
#  Module: GetSecRMMOnlineEventsFromEventLog.ps1
#
#  Purpose: Get secRMM ONLINE Events asynchronously.
#           The script will put the device serial number into the Clipboard.
#           It can be pasted into the secRMM AllowedSerialNumbers property.
#
#  Copyright (c) 2021 Squadra Technologies 
#   
#****************************************************************************

$secRMM = "secRMM";
$secRMMEventId = 400;
$secRMMPowershellModule = "secRMMParsingPowershell";
$sourceIdentifier = $secRMM;
$messageData = $secRMM;

$WMINamespace = "root\CIMV2";
$WMIClass = "Win32_NTLogEvent";
$WMIQueryFormatString = 
	"select * from __InstanceCreationEvent " + `
	"where TargetInstance isa '{0}' " + `
	"and TargetInstance.logfile = '{1}' " + `
	"and (TargetInstance.EventCode = '{2}')";
$WMIQuery = $WMIQueryFormatString -f $WMIClass, $secRMM, $secRMMEventId;
    
$OutputFormat = "xml"; # csv, xml, html, json

	# [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');

$PsModulePath =  [Environment]::GetEnvironmentVariable('PSModulePath',						[System.EnvironmentVariableTarget]::Machine);

	if ($PsModulePath -like '*AdminUtils\\SDK\\Powershell\\secRMMParsingPowershell*')
	{
		$AssemblyName = $secRMMPowershellModule + ".dll";
	}
	else
	{
		$AssemblyName = 
		"C:\\Program Files\\secRMM\\AdminUtils\\SDK\\Powershell\\secRMMParsingPowershell\\secRMMParsingPowershell.dll"
	}

	Import-Module $AssemblyName;

	try
	{
		try
		{
			$message = 
			'Waiting on {0} event.  Please hit CTRL-C to stop waiting.' `
			-f $secRMM;
			
			Register-WmiEvent `
				-ComputerName "." `
				-Namespace $WMINamespace `
				-Query $WMIQuery `
				-Timeout 0 `
				-SourceIdentifier $sourceIdentifier `
				-MessageData $messageData;
			
			Clear-Host;

			While ($true) 
			{
				Write-Host $message;
				$event = Wait-Event -SourceIdentifier $sourceIdentifier;
				Remove-Event -SourceIdentifier $sourceIdentifier;
				$TimeGenerated =
				[Management.ManagementDateTimeConverter]::ToDateTime(
				$event.SourceEventArgs.NewEvent.TargetInstance.TimeGenerated);
				$secRMMEventInterface =
				Get-secRMMEventData `
					-Id $event.SourceEventArgs.NewEvent.TargetInstance.EventCode `
					-TimeCreated $TimeGenerated `
					-MachineName $event.SourceEventArgs.NewEvent.TargetInstance.ComputerName `
					-Message $event.SourceEventArgs.NewEvent.TargetInstance.Message;
				if ($secRMMEventInterface)
				{
					$secRMMEvent =
					$secRMMEventInterface.
						Output("OnlyRelevantColumns", # OnlyRelevantColumns, AllColumns
						$OutputFormat);
					if ($secRMMEvent)
					{
						[xml]$Xml = $secRMMEvent;
						$Xpath = "/secRMMEvent/SerialNumber";
						$XmlNodes = $Xml.SelectNodes($Xpath)
						if ($null -ne $XmlNodes) 
						{
							foreach ($XmlNode in $XmlNodes) 
							{
								$innerText = $XmlNode.InnerText;
								if ($innerText)
								{
									Set-Clipboard -Value $innerText;
									# $messageBoxMessage = ("serial number: {0} in Clipboard" -f $innerText);
									# [System.Windows.Forms.MessageBox]::Show($messageBoxMessage, $secRMM);
									[System.Console]::Beep(1000,300);
								}
								else
								{
									Write-Error "Could not get serial number";
								}
								break;				
							}
						}						
						else
						{
							Write-Error "Could not get secRMMEvent XML";
						}
					}
					else
					{
						Write-Error "Could not get secRMMEvent";
					}
				}
				else
				{
					Write-Error "Could not get secRMMEventInterface";
				}
			}
		}
		catch
		{
			$Exception = $_;
			Write-Host $Exception.Exception.Message;
			$sourceIdentifier = $null;
		}
	}
	finally
	{
		if ($sourceIdentifier)
		{
			Write-Host 'Unregistering event source and terminating.'
			Unregister-Event -SourceIdentifier $sourceIdentifier -Force;	
		}
		Remove-Module -Name secRMMParsingPowershell;
	}

Just run this script (as a local or domain Administrator) and when you want to stop it from running, just hit CTRL-C.

We hope you find this script useful for your environment.  Please let us know what you think or if you have a requirement for a different script.  You can get more details about secRMM by visiting https://www.squadratechnologies.com.

Microsoft EndPoint Manager (SCCM) gets live dashboard for USB removable storage security events

06/10/2020 – Brief Overview: secRMM is a Windows security solution that audits and controls access to removable storage devices.  secRMM is very easy to implement in that it can operate on a standalone Windows computer or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

YouTube Video at: https://youtu.be/vBinHpeqAl8

secRMM can be integrated directly into the SCCM console by installing the “secRMM SCCM console extension”.  The “secRMM SCCM console extension” now includes a “live” dashboard (i.e. charts showing you various aspects of your removable storage environment).  Microsoft has a specific location under the Monitoring->Security folder and this is also where you will find the “Removable Media Dashboard”.

An important note for all of the secRMM customers who do not use SCCM, the “Removable Media Dashboard” is also available without SCCM so you may use it as well!

Well, a picture is worth a 1000 words so below are some screen shots of the SCCM console.

RemovableMediaDashboard1

RemovableMediaDashboard2

If you will notice the green progress bar on each chart (under the title), this is where you can tell the charts to refresh themselves.  They can each be configured to different times depending on your environment.  You can rearrange the charts in any order you like just by dragging and dropping them.

Configuring the charts is also easy.  Below is the Settings window which gives you access to configuring the charts.

RemovableMediaDashboard3

If you want the charts to not refresh automatically (like the other SCCM charts), just set the “Refresh time units” to “None”.

Those of you who are already using the “secRMM SCCM console extension” know that you can configure the “Removable Media security policies” for your environment in the SCCM console->”Assets and Compliance”->”Endpoint Protection”->”Removable Media Policies”.  Now, at that location, there is a new menu button called “Removable Media Dashboard”.  This is if you want to run the “Removable Media Dashboard” outside of the SCCM console.

RemovableMediaDashboard4

If you run the “Removable Media Dashboard” outside of the SCCM console, you have the exact same functionality as within the SCCM console but you can also connect to different data sources (where your secRMM data resides).  The “Removable Media Dashboard” includes the following data sources:

1. SCCM WQL
2. SCCM Database (direct)
3. secRMMCentral Database
4. SCOM Database
5. secRMM Event Log
6. secRMMCentral Event Log
7. Azure Log

RemovableMediaDashboard5

We hope you find this new tool useful for your environment.  Please let us know what you think or if you have a requirement for a new chart.  You can get more details about secRMM and the “Removable Media Dashboard” by visiting https://www.squadratechnologies.com.

Use a Smartcard (DOD CAC card) to access a USB removable storage device

Smart Card

03/25/2020 – Overview: secRMM is a Windows security solution that audits and controls access to removable storage devices.  secRMM is very easy to implement in that it can operate on a standalone Windows computer or can be centrally managed for thousands of computers.  It can be configured to have security policies for computers and/or groups of users.

As of secRMM version 9.9.24.0, secRMM has a security property (named RequireSmartCard) that requires the end-user to specify a Smartcard password before he can access a USB connected removable storage device.  This includes mobile devices and any other type of device that exposes storage to the Windows operating system.

Watch the youtube video at : https://www.youtube.com/watch?v=i8HUjUQpYkk.

If you are an IT person, you have probably heard the term “multi-factor authentication” (MFA).  The secRMM RequireSmartCard property is a classic example of MFA because when you turn it on (it is a simple checkbox), the end-user will then need 2 things to be able to access the USB removable storage:

1. A Windows userid/password
2. The password that is associated with the digital certificate on the Smart-Card

Note that a lot of the documentation you will see about Smartcards refers to the password as a PIN.  A PIN is the same as a password in that only the owner of the Smartcard should know it (the PIN/password).

While we are on MFA, you should know that secRMM offers another form of MFA for mobile devices.  That secRMM property is named RequireSmartPhoneLogin (although more accurately should be named RequireMobileDeviceLogin because it works just the same for tablets as well).  To implement RequireSmartPhoneLogin, the end-user’s mobile device needs the secRMM Login app which is in the Android, Apple, BlackBerry and Windows App stores (see https://www.squadratechnologies.com/Products/secRMM/secRMMSmartPhoneApps.aspx)

Back to RequireSmartCard, let’s look at what the end-user will see when they insert a removable storage device into their Windows computer.  In the screenshots below, you will notice that we are using a self-signed digital certificate to show you how the software works.  In production environments, you will have a certificate that comes from a “trusted certificate authority” (CA).  Trusted certificate authorities are companies (but can also be a server within your company) that are trusted and validated to issue security digital certificates to your company/organization.

The screenshot below just shows how to turn on RequireSmartCard.  Whether you are performing this on a standalone computer or centrally, it is just a checkbox to check.

secRMM RequireSmartCard

Now, let’s see when the end-user plugs in a thumb drive into the computer.  The end-user gets prompted (Yes or No) to proceed with authenticating their access to the thumb drive with their Smartcard.

secRMM RequireSmartCard

If they choose No, then the thumb drive is not available and a pop-up message is sent to the end-user (see screenshot below).  Note that this text is customizable for your environment.

secRMM RequireSmartCard

As a security administrator, we would like to know what the end-user did, so an event is sent to the secRMM/security event log indicating the end-user clicked No as shown in the screenshot below.

secRMM RequireSmartCard

In addition, we get an error in the secRMM/security event log indicating a more detailed event which includes the details of the device that the end-user tried to mount (as shown in the screenshot below).

secRMM RequireSmartCard

Now, let’s look at the end-user’s experience when they click the Yes button.

secRMM RequireSmartCard

secRMM RequireSmartCard

Once the PIN is entered, then they can access the thumb drive as they normally do (probably using Windows Explorer).  What the security administrator sees are the following 2 screenshots below.

secRMM RequireSmartCard

secRMM RequireSmartCard

Since the Additional Smart Card Info is on a single line, we have expanded it below.  The values are the details about the security certificate on the Smartcard.

Additional Smart Card Info:
CertName: SquadraRoot,
ContainerName: SquadraRoot-524f3017-2e9b-4cbd-a5-00974,
SerialNumber: ff1a97dc6dc1149b4e47bf356b06b072,
Issuer: SquadraRoot,
Subject: C=US, S=NV, L=Las Vegas, OU=Development, O=Squadra Technologies, CN=SquadraRoot,
Valid from: Saturday, January 1, 2000 12:00:00 AM,
Valid to: Thursday, January 1, 2099 12:00:00 AM
(Pacific Daylight Time [GMT-7])

We hope this secRMM feature helps you secure your environment when it comes to removable storage access by your end-users.  Please let us know if you have any questions.  You can reach us at:  support@squadratechnologies.com

Squadra Technologies Launches New Security Information and Events Management (SIEM) integration Powered by Microsoft Azure Sentinel

For Release 08:00 AM PST
01/27/2020

Squadra Technologies secRMM continues Microsoft security services integration

Las Vegas, NV. — 01/27/2020 — Using the services provided by Microsoft Azure, Squadra Technologies announces the availability of secRMM integration with Microsoft Azure Sentinel.

The secRMM integration with Azure Sentinel supplies Azure Sentinel customers with secRMM generated events and alerts to further enrich Azure Sentinel investigations, particularly where USB is a vector for Initial Access and Exfiltration.

“Our customers use Microsoft security services and need us to integrate into the various Microsoft security services and products.  secRMM’s integrations with Microsoft help our customers understand USB removable storage usage within their environment and then to define security policies to restrict USB removable storage usage where possible,” said Anthony LaMark, Chief Technology Officer at Squadra Technologies.

secRMM integration with Azure Sentinel has also earned  Squadra Technologies membership in the Microsoft Intelligent Security Association (MISA).

“secRMM has been a valuable add-on security component to Microsoft Endpoint Manager over the past years.  By integrating with Microsoft’s  cloud-native SIEM, secRMM will help security teams to easily identify removable storage usage/incidents both in the cloud and on-premises,” said Adwait Joshi, director, Azure Security at Microsoft Corp.

Microsoft security stack with secRMM

For more information:

Kevin Furgal
760.846.6844
kevin@squadratechnologies.com

For more information on Squadra Technologies secRMM:

http://www.squadratechnologies.com

Combining secRMM with Windows Remote Management and Powershell

01/14/2020 – secRMM is tightly integrated into most all of the Microsoft enterprise security tools:  SCCM, Intune (now combined into Microsoft Endpoint Manager [MEM]), Active Directory Group Policy Objects (AD GPO), Azure Sentinel and Security Center via Azure Log Analytics, etc.

However, some environments may not have these enterprise tools at their disposal.  After all, one of the main points about secRMM is that it is fully functional on a standalone Windows computer (from XP up to W10 and all server versions).  So if I were an IT admin in a small networked environment, I would still desire to be able to manage secRMM on multiple computers from a central location just like SCCM, Intune and Active Directory provide.  The way to do this is to use “Windows Remote Management” (WinRM).

Powershell and WinRM are integrated and combined, it lets you run scripts on one or more remote computers.  This is the perfect technology to “roll our own” SCCM or Intune or AD GPO functionality for secRMM!

Watch the youtube video at : https://youtu.be/05U8Zw2NBdU.

So, here is an example of how we can do this.  Below are 2 powershell scripts named RemoteSecRMMDriver.ps1 and SetSecRMMProperty.ps1.  As the name implies, RemoteSecRMMDriver.ps1 will be our driver program and it will call SetSecRMMProperty.ps1 via the Invoke-Command so that SetSecRMMProperty.ps1 will be executed on the remote computer(s).

The relevant PowerShell command to make note of are:
New-PSSession
Invoke-Command
Remove-PSSession

RemoteSecRMMDriver.ps1:

$RemoteComputerNames=”Computer1, Computer2″; 

$secRMMProperties = @{
   “BlockProgramsOnDevice” = “$TRUE”;
   “AllowedSerialNumbers” = “123;ABC”;
   “RequireSmartPhoneLogin” = “$TRUE”;
};

$ScriptToRun=”SetSecRMMProperty.ps1″;
$AdditionalData = -join(“ran remote script “,
   $PSCommandPath,
   ” from “,
   $env:computername,
   ” on target computer(s): “,
   $RemoteComputerNames);

$PSSession = New-PSSession -ComputerName $RemoteComputerNames;

If ($PSSession.State -eq ‘Opened’)
{
   $RemoteCommand = -join($PSScriptRoot,”\”,$ScriptToRun);

   foreach ($secRMMProperty in $secRMMProperties.GetEnumerator()) {
      $PropertyName = $secRMMProperty.Name;
      $PropertyValue = $secRMMProperty.Value;
      Invoke-Command -Session $PSSession -FilePath $RemoteCommand `
      -ArgumentList $PropertyName, $PropertyValue, $AdditionalData;
}

   Remove-PSSession $PSSession;
}
else
{
   Write-Host “Error opening remote session to $RemoteComputerNames”;
}

SetSecRMMProperty.ps1:

param([string]$PropertyName_in,
[string]$PropertyValue_in,
[string]$AdditionalData_in=””,
[string]$UserSID_in=””)

$PropertyName = $PropertyName_in;

if ($PropertyValue_in -eq “$TRUE”) {
   $PropertyValue = $TRUE;
} elseif ($PropertyValue_in -eq “$FALSE”) {
   $PropertyValue = $FALSE;
} else {
   $PropertyValue = $PropertyValue_in;
}

$AdditionalData = $AdditionalData_in;

$objSecRMM = new-object -comobject secRMMInterface;
$objSecRMM.SetProperty($PropertyName, $PropertyValue, $AdditionalData);

Write-Host “$PropertyName set to $PropertyValue”;

We hope these secRMM Powershell scripts help you easily manage your USB security data when you may not have the luxury of using enterprise management tools.  Please let us know if you have any questions.  You can reach us at: support@squadratechnologies.com.

USB Devices: “Analyzing security”: “what is happening in my environment” using Excel Charts

02/08/2019 – secRMM is Windows security software that records all the events related to USB storage devices.  This includes thumb/flash drives, external hard drives, SD-Cards and mobile devices.  With secRMM, you see the who, what, when, where and how about all the USB storage in your computer environment.

secRMM comes with a utility to help you analyze the data in an easy way.  The utility is called the secRMM Excel Add-In.  As the name implies, it extends Excel.  Microsoft offers Office Add-Ins for most of the programs in the Office suite.

secRMM Excel Add-In Ribbon Bar (click to enlarge screenshot)

As you can see in the screenshot above, Excel has a tab in the ribbon bar named secRMM.  The secRMM section contains various methods for you to pull the secRMM data into the Excel Worksheets.  Once you have loaded the secRMM security data, you can use all the native Excel features (filtering, finds, macros, etc.).

We have added a new feature into the secRMM Add-In.  This is the “Charts” feature.  While you can manipulate the data in any way you want to make your own Charts, we made an automated way for you to see the most common scenarios with just a couple of mouse clicks.

secRMM Charts button (click to enlarge screenshot)

Once you have some secRMM data loaded and you click the Charts button, you will be presented with a dialog (see below) that will let you specify the start/end times and the chart(s) you want to generate.  You can also specify what type of Excel chart to create for each chart.  Microsoft offers many Excel chart types.  The Excel chart type is totally up to you.

secRMM Charts input form (click to enlarge screenshot)

Once you specify your time range, which charts and chart type, you will see the charts on the “Charts” worksheet (see below).

Currently, the automated charts are for:

1. secRMM events
2. Users
3. Computers
4. USB Devices

As you can see in the screenshots below (btw, the data at the axis has intentionally been chopped), you can easily see the: who (users), what (events), when (via time range), where (computer) and how (devices) of USB security activity occurring in your environment.

We hope the secRMM charts help you easily analyze your USB security data.  Please let us know if you have any questions.  You can reach us at support@squadratechnologies.com.

secRMM Events Chart (click to enlarge screenshot)

secRMM Users Chart (click to enlarge screenshot)

secRMM Computers Chart (click to enlarge screenshot)

secRMM Devices Chart (click to enlarge screenshot)

Combine “Mobile Device Management” (MDM) with USB Plug/Play “Data Loss Prevention” (DLP) using SCCM and/or Intune

01/29/2018 – secRMM has a security property that applies specifically to mobile devices. secRMM can verify when a mobile device is connected to a Windows computer over a USB cable if that device is enrolled in your organizations MDM. If it is not, secRMM can either unmount the device or prevent files from being copied to it. secRMM gets the list of mobile devices from either Microsoft Intune (Microsoft’s MDM) or from Microsoft System Center Configuration Manager (a complete enterprise configuration management and security tool) (SCCM). Below, are some of the relevant screenshots of how the components get tied together and just what they look like if you have not seen them.

SCCM and Intune exchange mobile device information thru a data connector. You define the data connector in the SCCM console (screen shot below).  Microsoft calls this a “Microsoft Intune Subscription”.  This terminology matches up with how you buy Intune (as a service subscription).

SCCM/Intune data connector

The next screen shot below is of the Intune console within Azure. It is a list of the mobile devices that are defined in our organizations cloud instance. This instance is used for our development purposes only.

Microsoft Azure Intune portal

When the Intune/SCCM data connector is active, then you can see the mobile devices in Intune show (and are managed) by SCCM (see screenshot below).

SCCM console for mobile devices

From the SCCM console (with the secRMM SCCM Console Extension installed), you can use SCCM to configure secRMM so that when the mobile device is connected to a Windows computer over USB, secRMM will see if it is enrolled in either Intune or SCCM.

The screenshot below shows how to tell secRMM whether to use Intune or SCCM data to verify if the mobile device is enrolled.

SCCM console to configure ‘RequreMDMEnrollment’

One important configuration item is the secRMM MDM Cache. Using the secRMM MDM Cache improves runtime performance and minimizes the number of times it will call into Intune or SCCM.

The last configuration step is associating the mobile device as it is defined in Intune or SCCM with the mobile device firmware serial number that secRMM uses when it is connected to a Windows computer over a USB cable. To make this association, there is a secRMM “link mobile device” utility (see screen shot below).

secRMM link mobile devices utility

secRMM link mobile devices utility

You get the firmware serial number that secRMM uses to identify the mobile device from the secRMM event data (screen shot below).

secRMM ONLINE event for a mobile device

If the mobile device is not enrolled, the end user will get a pop-up error (screenshot below).

mobile device is not MDM enrolled user pop-up error message

As the system or security administrator, you will see an error generated by secRMM as shown in the secRMM Excel AddIn utility (screenshot below).

secRMM error ONLINE event for mobile device not MDM enrolled

We understand there are many pieces to line up. Feel free to contact Squadra Technologies support to help in getting this powerful security feature up and running in your environment. Visit http://www.squadratechnologies.com for more information about secRMM.