ControlUp Secure DX: The Next Frontier of the Digital Employee Experience


We have been flooded with DEEM, DEX, and all of the acronyms of tech over the last few years. I’ve been saying for a few years that digital employee experience management is the most important and influential technology in EUC. We’ve mostly cornered all of the other aspects of EUC, so this is a foregone conclusion. Today, we are discussing the new offering ControlUp Secure DX, which transforms DEX (Digital Employee Experience) into a desired state management approach. This is an enhancement on ControlUp Edge DX, which I have discussed previously.

DEX is a great technology, but ControlUp Secure DX is truly transformative. We can build policy that defines our rules for devices, and it helps ensure the desired state is achieved. Today, we are going to cover the following:

ControlUp Edge DX Security

Security for ControlUp Secure DX starts with the platform it lives on, ControlUp Edge DX.

ControlUp Edge DX Security Architecture

Edge DX lives on Microsoft Azure with each customer having a dedicated instance, which is huge. Shared environments have a long history of issues, so a dedicated instance means it starts with security in mind. Inside of Azure, the Edge DX database stores all Edge DX data. The security model looks like this:

  • Access to the DB is restricted to the API.
  • Data storage is encrypted.
  • Device Access Tokens generated on device registration are used to secure the API calls for data upload and configuration retrieval.
  • Admin actions require User Access Tokens generated after MFA.
  • API keys are also a possible way to get data but require admin creation.
  • DB and tenant nodes by default are in Azure US East and are also supported in Europe for European customers.
  • Secure Communication is built purposefully. Traffic is outbound initiated by the agent using WebSockets to the Edge DX Cloud Service. There is a fallback to polling, which gives nice flexibility.
  • Data is retained for 30 days for each device with metrics being captured every 60 seconds. Local data caching accounts for network issues with updates occurring when device network connectivity is restored.

What is Secure DX?

ControlUp Secure DX is a new module with ControlUp Edge DX to help identify and address security issues on your devices. It focuses on items that are misconfigured, compliance issues, application patching, and security vulnerabilities.

You create a policy called a “template” to tell Secure DX what behaviors to look for and what items to automatically remediate. You will also see Secure DX calculate secure scores for devices based on the number of issues that currently exist:

ControlUp Secure DX Devices Tab

To leverage Secure DX, we have some pre-reqs like:

  • Licensed to Edge DX
  • ControlUp administration must be through app.controlup.com
  • Windows devices with Edge DX Agent installed
  • Device access to cdn.spm.controlup.com/*
  • Unrestricted HTTPS outbound access

For people who are going to evaluate it, it’s also good to point out that, like many security tools, it will simulate threats. For example, it triggers EICAR to see if Defender is enabled.

Configuring Secure DX

The configuration of Secure DX is amazing. Let’s start by saying thank you. Thanks for not making people have to deploy a new agent via Intune or otherwise. I love that it will just deploy Secure DX leveraging the existing agent deployment.

They have a nice setup wizard on your initial setup, which makes life pretty easy. The whole deployment overall takes like 5 minutes and is nice and simple. Check out these intuitive windows below:

ControlUp Secure DX Setup Wizard

Now, let’s check out a demo on how we can set this up quickly and easily:

Working with Secure DX Templates

One of the changes for me was that I had to start mindfully using device groups. Let’s face it, we don’t want to screw up our Cloud PCs because they’re not the same as physical devices. Some stuff you will want to tweak.

For those who don’t realize it, a very cool feature is that you can go into your devices, select some devices, click “Set Device Group”, and create new groups right from there:

Setting Device Groups in ControlUp Edge DX

We will cover more in the video demo below, but I wanted to provide a few tips that I have learned during the process:

  • Start in manual remediation mode and test each individual one that is flagged so you don’t brick yourself.
  • Make sure you go through the compliance section and select the products you actually own.
  • In Misconfig, make sure you read each item and only select ones that are safe for your environment. As an example, don’t strip local admin if you don’t have LAPS set up. Another: make sure you don’t enforce BitLocker settings if you’re managing this via Intune.
  • When you enable automatic remediation, you need to turn on the stuff you want to automatically remediate. It’s opt-in.
  • Select all apps in patches.
  • Selecting “All” for vulnerabilities and patches will remediate new ones in the future.
  • Automatic remediations do not trigger jobs.
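The prerequisites and the Misconfig tip above can be checked on a device before a template is assigned to its group. The script below is an added example, not ControlUp code: it is read-only, and the registry locations used to detect LAPS policy, Intune enrollment and MDM-delivered BitLocker policy, along with the two "Hold" flags, are assumptions of this sketch rather than anything Secure DX exposes.

```powershell
# Added example: read-only pre-flight for one Windows device before assigning a template.
# It calls no ControlUp API; registry paths are standard Windows/Intune locations.
$cdnHost = 'cdn.spm.controlup.com'   # host from the prerequisites list

# 1. Outbound TCP 443 to the Secure DX CDN (direct connection only, not proxy-aware)
$cdn = Test-NetConnection -ComputerName $cdnHost -Port 443 -WarningAction SilentlyContinue

# 2. Is any LAPS policy configured? Windows LAPS (CSP, GPO, local) or legacy LAPS
$lapsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config',
    'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
)
$lapsSources = @($lapsKeys | Where-Object { (Test-Path $_) -and (Get-Item $_).ValueCount -gt 0 })

# 3. Intune enrollment: an MDM enrollment whose ProviderID is "MS DM Server"
$mdm = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Get-ItemProperty -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }

# 4. BitLocker settings already delivered over MDM, plus current protection state
$blMdmPolicy = Test-Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker'
$blStatus = try {
    (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus
} catch { 'Unknown (needs elevation)' }

# Heuristic flags (assumptions of this example): hold the local-admin item when no LAPS
# policy exists, and hold BitLocker enforcement when Intune already delivers BitLocker policy.
[pscustomobject]@{
    Device                   = $env:COMPUTERNAME
    CdnReachable443          = $cdn.TcpTestSucceeded
    LapsPolicySources        = $lapsSources -join '; '
    IntuneEnrolled           = [bool]$mdm
    BitLockerMdmPolicy       = $blMdmPolicy
    BitLockerProtection      = "$blStatus"
    HoldLocalAdminRemoval    = $lapsSources.Count -eq 0
    HoldBitLockerEnforcement = ([bool]$mdm -and $blMdmPolicy)
}
```

Run it elevated on one representative device per device group, since Cloud PCs and physical devices may answer differently.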

Check out my video to learn more about working with templates:

Secure DX Admin Experience

Overall, I really like the admin experience. Some stuff is a bit confusing and needs explanation. Let’s start with the issues tab below. One thing that will confuse people is that you would expect to be able to trigger a manual remediation from here, but you can’t. Overall, they do a nice job on this screen. You will notice filters, the ability to move columns around, etc. I would like the ability to show/hide columns, but it’s useful. It’s also a little weird that you can check the issues but not do anything yet.

ControlUp Secure DX Issues Tab

The Users tab is pretty similar to issues in layout, which is good:

ControlUp Secure DX Users Tab

Our devices tab is where things start getting good and we can finally trigger rescans or remediate devices, which is a good thing. We get a nice view into our devices, their security controls, and much more:

ControlUp Secure DX Devices Tab

The Apps tab is also useful showing apps, their issues, CVEs, etc. You can also trigger remediations from this tab, which is what I would expect.

ControlUp Secure DX Apps Tab

One other thing I wanted to show is the details panes, which I really like. Firstly, the device details pane. In here, we get a detailed view of the device score, remediation status, issue details, and much more:

ControlUp Secure DX Device Details

Lastly, the apps detail pane. They cover the app risk score, version landscape, and more:

ControlUp Secure DX App Details

Now, let’s check out the demo:

Initial Thoughts on Secure DX

Overall, I love the product. Secure DX is exactly what I had hoped for Workspace ONE Intelligence and Remediations in Intune. Those two products have high potential, but the level of effort for administrators isn’t small. They’re good products but can be really challenging.

ControlUp Secure DX currently boasts a catalog of 15 misconfigurations, 40 compliance issues, 37997 vulnerabilities, and 673 application patches. The biggest challenge is decision-making. People need to make sure they don’t duplicate what they’re already doing in their device management platforms. I think redundancy between Secure DX and stuff like Patch My PC is fine.

My biggest concern is that when other vendors have released easy-button app deployment/management solutions, like the WS1 Enterprise App Repository, they started off hot but tailed off. If ControlUp can consistently add new apps, new patches, and new versions to their app patching, then I think it will be an amazing solution.

Mindfulness is going to be the key to Secure DX. We can build products and release them, and they might be amazing. If they want to STAY amazing, they need to shift, evolve, and move to the changes in the constantly evolving IT landscape.
