Endpoint Management: "Falling into alarmism doesn't help operationally"

Jürgen Sitzler has been working in IT at Stihl for 25 years. In an interview with heise online, he talks about the everyday life of a platform manager.


IT workers with Stihl tools: Sawing at the endpoint.

(Image: Stihl)


Andreas Stihl AG & Co. KG from Waiblingen-Neustadt in the Stuttgart metropolitan region is world-renowned for its chainsaws and has been considered the market leader for over 50 years. How does IT work in a company with over 20,000 employees worldwide? In conversation with heise online, Jürgen Sitzler, the manager responsible for platform systems at the large, medium-sized company, provides insight into his work.

heise online: Mr. Sitzler, what tasks are you responsible for at Stihl?

Sitzler: I am the manager of platform systems. In my team, we essentially bundle what is classically understood as endpoint management for Windows: the platforms for Windows clients and Windows servers, including software management and software distribution as standard systems. In addition, we also handle adjacent platform topics, such as Intune as an MDM component, as well as virtualization and application deployment with VMware and Citrix. This is not just about operating individual tools, but above all about stable, traceable processes: standardization, rollout, lifecycle management, patching, inventory, and the ability to make reliable statements quickly in case of disruptions or security incidents.

heise online: What dimensions are you operating in?

Sitzler: In total, we are talking about around 25,000 endpoints. Depending on how you count mobile clients, this can also be higher in practice. On the classic client side, we have approximately 17,000 Windows devices. Macs play a significantly smaller role for us; we have about 50 MacBooks. This alone makes the focus clear: the processes and tooling are heavily oriented towards Windows because the majority of workstations and many specialized applications are anchored there.

Jürgen Sitzler from Stihl

(Image: private)

heise online: Many companies are currently talking about the conflict between Operational Technology, i.e., the data processing of production systems, and the rest of IT. Is this also an issue for you?

Sitzler: Yes, it is very concrete for us. We are currently working on a project to separate OT and IT more strongly. Historically, these have often grown together; in reality, this is often a common network with too many interfaces. From a security perspective, this clear segmentation is an important step. At the same time, it is an ambitious undertaking because production environments have different stability requirements and often different update and maintenance windows than classic office IT.

heise online: You come from the Ivanti DSM world. Why is that now in motion?

Sitzler: We are still using Ivanti DSM in central parts of our software distribution and management. The main driver is that DSM is scheduled for discontinuation on December 31, 2026. Although there is a successor system, from our perspective, it is currently not yet at the functional level required for a large environment. As a result, we see many DSM customers re-evaluating the market. We are also examining how to establish a modern, viable platform in the long term that covers both client and server requirements.

heise online: What expectations do you have for a successor system?

Sitzler: The crucial factor for us is comprehensive coverage: servers and clients must not end up in separate worlds with different data models, different agents, or different operating logic. In addition, inventory, configuration status, compliance, and distribution must scale reliably. It's not enough for something to work “somehow”; at this scale, statements must be reproducible, reports reliable, and changes cleanly controllable. And finally, speed is relevant: how quickly can you see the actual status in the field, and how quickly can measures be implemented?

heise online: Microsoft is a given for many companies. Why isn't that enough?

Sitzler: Microsoft is naturally present as a strategic partner, and on the client side, there are modern approaches. However, when discussing server topics, reference is often made to classic tools, particularly SCCM, the Microsoft Endpoint Configuration Manager. For us, this was not a convincing path because we are looking for a future-proof platform that integrates well into daily operations and meets today's requirements. Our starting point was that we already had a powerful system. If you replace something, the target state should be at least equivalent, better in important aspects, and sustainable in the long term.

heise online: We are speaking with each other at Tanium's house fair, Converge. How did Stihl come to Tanium?

Sitzler: Tanium was present in our partner and market context, and we looked at the solution more closely during our evaluation. The central point was the real-time approach. Many tools are heavily database-driven: endpoints report at fixed intervals, data is collected, processed, and then available for reporting. This is sufficient for many purposes, but it has a catch: the data is often already outdated at the time of viewing. In quiet times, this is tolerable, but in critical situations, you don't want to work with the feeling that the last reliable information was “five minutes ago” or “an hour ago.”

heise online: What does “real-time” mean for your daily work?

Sitzler: Real-time doesn't mean that every decision is automated, but that queries and visibility are closer to reality. In practice, this means: If I need to know whether a specific vulnerability, a specific software package, or a specific configuration status is actually present on the devices, I want an answer that is not primarily a historical snapshot from a database. This is a difference, especially in the security context.


Attacks are becoming more professional and faster, and thus the value of current telemetry is increasing. Furthermore, the operating logic is also relevant: instead of building rigid reports, you can gradually approach an answer through targeted questions. This way of working is more efficient for many use cases because it better reflects the actual diagnostic process.

heise online: You have been with Stihl for many years. How has the topic of software distribution evolved historically?

Sitzler: I have been with the company since 2001. It's interesting that we actually have a history that goes back to early software distribution approaches. A very early product, called “NetInstall” at the time, originated in the Stihl environment. Through various stages and mergers, it eventually landed in the product line that was later managed as DSM at Ivanti. You could say: the topic has been present with us for a long time, and the replacement is therefore not just a tool issue but also a question of established processes.

heise online: What security tools are you using?

Sitzler: We work with Microsoft Defender and CrowdStrike. What's important here is less the label of the product, but rather that coverage, operation, and the licensing model fit the reality of the different system classes.

heise online: How do you manage Macs and mobile devices?

Sitzler: We manage Macs via Intune. However, to be realistic, macOS is an exception for us, as many work processes, templates, and automations are heavily oriented towards Windows and Microsoft ecosystems. For mobile devices, we strategically rely on iOS and iPadOS and also manage them via Intune. Android is primarily used by us in the shop floor environment. There, we use Soti because it often fits better in terms of cost and organization for the respective use case, registering and managing devices rather than users.

heise online: How important is security awareness in your opinion?

Sitzler: Awareness is important, but it's not a state you achieve once and then “tick off.” It requires repetition, training, and also verifiable formats, such as campaigns and tests. At the same time, you have to consider the reality in the company: employees have different roles, different digital prior experience, and above all, a clear work mandate. Security is often in tension with usability. Therefore, in my opinion, it is crucial to implement effective measures in such a way that they hinder operations as little as possible. One example is patching: a short target deadline, for example, within a few days, is sensible. At the same time, the timing of a restart can often be flexible, so that workflows are not unnecessarily disrupted.

heise online: What does your operational security organization look like in the background?

Sitzler: There is a dedicated Cyber Security department. In addition to appropriate governance, this department also provides services such as Threat Intelligence & Posture Management, cyber defense, and security architecture. Furthermore, measures to further strengthen the security culture are implemented here and reinforced with regular training.

To ensure the effectiveness of our efforts, regular external audits (e.g., Red Team Assessments and PenTests) are planned, as internal perception can differ from reality.

heise online: How do you assess the current threat landscape?

Sitzler: In my opinion, it has become significantly more serious. Falling into alarmism doesn't help operationally, but you have to treat the topic with great respect. With large language models, the barrier to entry for creating code is significantly lowered. Previously, some things failed because attackers had to at least understand and adapt scripts. Today, this can happen much faster through generative systems. If attacks become more AI-driven, defense will also have to become more AI-driven, if only to maintain speed and scale.

The interview was conducted at Tanium Converge 2025. The author traveled at the invitation of Tanium.

(bsc)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.