Mobile Device Management (MDM)

In many organizations, employees use mobile devices to do their jobs: tablets, smartphones, smartwatches, earbuds and many others. To manage these devices, organizations often use Mobile Device Management (MDM). This management becomes especially important when users bring their own devices into the workplace and sensitive company information ends up on a device the user owns. MDM plays a crucial role in closing common attack vectors and building defense in depth in an organization.

Mobile Device Management Deployment Models

Mobile Device Management lets us keep track of where all these devices are and what data is on them, and manage many other aspects of those mobile devices. There are several deployment models to choose from when rolling out mobile devices:

1. Bring your own device (BYOD) is a policy that allows employees to use their personally owned devices for work-related activities. There are security challenges with a single device that stores both personal and corporate information, and there needs to be a way to differentiate between what is personal and what is corporate.

2. Company Owned, Personally Enabled (COPE). You still use a single device for both corporate and personal use, but instead of you purchasing the device and bringing it to work, the organization purchases the device and lets you use it.

3. Choose your own device (CYOD). This is very similar to COPE, where the organization chooses which device you carry around. With CYOD, you decide which device you are going to use, and then the organization purchases that device for you.

4. Company Owned (CO) device is the most restrictive policy: the organization owns the device and you cannot use it for personal purposes.

Protecting mobile devices is a great challenge for any organization and for the MDM itself. Depending on the deployment model, management becomes easier when the user's personal data is isolated from company data. To do so, system administrators use a variety of components known as Mobile Content Management (MCM) and Mobile Application Management (MAM).

Mobile Content Management (MCM)

With MCM we manage not only the applications that are installed, but also how data is stored on these mobile devices, especially when that data contains sensitive information. We have to keep in mind a few important aspects of data security: secure access, secure storage and secure transfer:

  1. Access Policies restrict where content can be retrieved from and stored to, for example only an on-site data store such as SharePoint or a corporate file server.
  2. Once the data is stored, Mobile Content Management can ensure it remains safe using Data Encryption. That way, if someone gains access to the device or its storage, they will not be able to retrieve and view the information.
  3. Data Loss Prevention (DLP) systems help prevent someone from sending sensitive information or Personally Identifiable Information (PII), such as health records or credit card numbers, from the mobile device to someone outside the organization.

One of the challenges of BYOD (bring your own device) is that some of the data on the device is the user's personal data and must be kept separate from company data. One of the most popular ways to manage this is Segmentation: it creates separate areas or partitions on the mobile device, keeping private information in one partition and company information in another. This is especially important during offboarding, where you want to be sure the company information is deleted but none of the user's personal information is removed from their private phone.

Mobile devices get lost or stolen. So we need a way to delete everything on that device even though we do not have physical access to it. We can do that with Remote Wipe. This is usually managed from the Mobile Device Manager and lets you erase all of the data on the device, even though we may not know exactly where it is. As soon as the device connects to a cellular or wireless network, it receives the wipe command and erases everything stored on it.

Other important features of mobile device security are Geotagging and Geofencing:

  1. Geotagging uses the geolocation functionality of our mobile devices to get a very accurate measurement of where the device is physically located in the world. A user can turn this off so the device is not tracked, but on a corporate network this setting is usually managed from the Mobile Device Manager. The MDM may enforce an additional authentication method if the device is outside of an allowed location.
  2. Geofencing allows the mobile device to enable or disable certain features depending on where the device is at any particular moment. You could also use geofencing as part of your authentication: when someone logs into the network, you can check where the device is physically located.

Mobile Application Management (MAM)

We still use the Mobile Device Manager to manage the device itself, but we use Mobile Application Management (MAM) to manage the applications running on those devices. The mobile device is connected to a corporate app catalog, and the device owner can download the applications they need for their job. The MAM administrator can also monitor which apps have been installed and which devices do not follow the restriction policies, and enforce that the device uses only allowed software or block it.

Your MAM can also give you very fine-grained control of the data on these mobile devices, so it may be able to delete the data associated with one particular application. The administrator may also block access to games or social media software that is not related to work.

An interesting concept that has become popular is a mobile deployment type that separates the data from the device. This can be achieved using Virtual Mobile Infrastructure (VMI). With VMI, both your applications and your data are separated from the mobile device and stored somewhere else. All of the data and apps stay external to your mobile device, and you simply access those applications and data through some type of remote access software.

This means that all of your data is stored securely and separately from your mobile device, so if you lose the device, you are not losing any of that data. You can easily replace the mobile device and simply reconnect to the data store located elsewhere. This model also works very well for application developers, because they can build an app for a single type of platform.

Because MAM control is per application, an administrator can delete the data associated with one particular application while leaving all of the other data on that mobile device intact.

Mobile Device Enforcement

A mobile device administrator often uses different enforcement mechanisms to prevent malicious applications from being installed or company data from leaking from a personal device. The Mobile Device Manager can allow or disallow certain apps from running on your mobile device.

Another mechanism that prevents third-party applications from being installed is blocking access to the operating system of the mobile device. Apple and Android devices provide built-in technology to prevent access to the OS installed on the device. But there is a workaround called rooting or jailbreaking. This replaces or modifies the operating system running on the device so that it allows access to the operating system itself, which means the user can install and modify any application they want. With rooting or jailbreaking in place, your Mobile Device Manager no longer has much control of that device. This is why you, as an administrator, must prevent this kind of reconfiguration.

Everyone should have a Screen Lock configured on their mobile device, and this is especially important if you keep company data on it. A screen lock ensures that people do not have access to corporate data stored on that particular tablet or smartphone. The administrator of the Mobile Device Manager can also set policies that control exactly what appears in the notifications on the lock screen, and may choose to disable all notifications except those pushed directly from the MDM.
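As an added example (not code from the original post), here is a small Python compliance evaluator that applies the enforcement controls described above, app allow-listing, rooted or jailbroken detection and screen lock, plus the minimum OS version from the hardening list later on; the policy values, app identifiers and device records are constructed and hypothetical.

```python
from dataclasses import dataclass

# Hypothetical policy and inventory shapes (not any real MDM's data model).
@dataclass
class Policy:
    allowed_apps: frozenset          # identifiers from the corporate app catalog
    min_os_version: tuple            # (major, minor) the device must be at or above
    require_screen_lock: bool = True
    block_rooted: bool = True

@dataclass
class Device:
    device_id: str
    os_version: tuple
    installed_apps: frozenset
    screen_lock: bool
    rooted: bool                     # rooted / jailbroken flag reported by the agent

def evaluate(device, policy):
    """Return the violations found and the enforcement action to take."""
    violations = []
    if policy.block_rooted and device.rooted:
        violations.append("rooted_or_jailbroken")
    if device.os_version < policy.min_os_version:
        violations.append("outdated_os")
    if policy.require_screen_lock and not device.screen_lock:
        violations.append("no_screen_lock")
    disallowed = sorted(device.installed_apps - policy.allowed_apps)
    if disallowed:
        violations.append("disallowed_apps:" + ",".join(disallowed))
    # A rooted device cannot be trusted to honour any other control, so block it
    # outright; otherwise remove disallowed apps, or flag the rest for the user.
    if "rooted_or_jailbroken" in violations:
        action = "block_device"
    elif disallowed:
        action = "remove_apps"
    elif violations:
        action = "mark_noncompliant"
    else:
        action = "compliant"
    return {"device_id": device.device_id, "violations": violations, "action": action}

# Constructed sample policy and inventory records.
POLICY = Policy(allowed_apps=frozenset({"corp.mail", "corp.vpn"}), min_os_version=(17, 0))
DEVICES = [
    Device("tab-01", (17, 2), frozenset({"corp.mail"}), True, False),
    Device("phone-02", (17, 1), frozenset({"corp.mail", "social.app"}), True, False),
    Device("phone-03", (16, 4), frozenset({"corp.vpn"}), False, True),
]
```

Run `for d in DEVICES: print(evaluate(d, POLICY))` to see the decision for each record.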

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application. An MDM administrator may enforce additional authentication based on the user's geolocation, IP address, or even a connected accessory such as earphones, which can provide an additional criterion during the authentication process.

The MDM can enable or disable the Camera, and it may configure it based on where you happen to be. If you are anywhere near the main corporate building, which is very secure, the camera feature may be disabled. Once you leave the building, the geofencing features of your MDM recognize that you are no longer near the main office and can re-enable the camera.
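The geofence-driven decisions described above for the camera and for step-up authentication (see the geotagging and geofencing list earlier), as an added Python example that is not from the original post: the office coordinates and radii are constructed, the distance uses the standard haversine formula, and a device without a trustworthy location fix is treated as outside (fail closed).

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

# Constructed fences: name -> (lat, lon, radius_m). Coordinates are hypothetical.
FENCES = {
    "hq_secure": (52.2297, 21.0122, 150.0),   # inside the secure building: camera off
    "campus":    (52.2297, 21.0122, 2000.0),  # trusted area: no step-up authentication
}

def inside(fence, lat, lon):
    flat, flon, radius = FENCES[fence]
    return distance_m(lat, lon, flat, flon) <= radius

def decide(lat, lon, location_fix_ok=True):
    """Map a device location to the camera and MFA controls the MDM should push.
    Without a trustworthy fix the device is treated as outside every fence."""
    if not location_fix_ok:
        return {"camera_enabled": False, "require_mfa": True, "zone": "unknown"}
    if inside("hq_secure", lat, lon):
        return {"camera_enabled": False, "require_mfa": False, "zone": "hq_secure"}
    if inside("campus", lat, lon):
        return {"camera_enabled": True, "require_mfa": False, "zone": "campus"}
    return {"camera_enabled": True, "require_mfa": True, "zone": "outside"}
```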

As an administrator you also have to take care of other communication channels, such as SMS/MMS or Voice Recording, and block them if necessary.

The MDM can also set security policies that allow or disallow access to flash drives or USB OTG storage from our mobile devices. It is becoming easier and easier to move data from a secure area to somewhere insecure through the use of these mobile storage devices. This is external media commonly associated with an SD card or a similar flash drive configuration.

Another opportunity for devices to transfer data between each other while bypassing security features is Ad Hoc mode or Wi-Fi Direct. A user can also turn the phone into a Wi-Fi hotspot and have unfettered access to the internet. This means the phone is now reaching the internet through the cellular provider, bypassing the corporate security configuration and firewalls.

Mobile Devices Hardening

Hardening is the process of securing a system by reducing its attack surface. There are many ways to harden a mobile device; I will list only the most important steps here:

  1. Update your device to the latest version of the software
  2. Install AntiVirus
  3. Train users on proper security and use of the device
  4. Only install apps from the official mobile stores
  5. Do not root or jailbreak your devices
  6. Only use v2 SIM cards with your devices
  7. Turn off all unnecessary features
  8. Turn on encryption for voice and data
  9. Use strong passwords or biometrics
  10. Don’t allow BYOD
  11. Ensure your organization has a good security policy for mobile devices

Mobile Device Management protects the organization from the most common attack vectors and safeguards company assets. To maintain security across all of these devices, we can take advantage of a Unified Endpoint Management (UEM) solution. This allows us to easily manage the security posture across all of these different devices: tablets, laptops, phones and others. With UEM, the organization's security policies and management become unified no matter what kind of device is connected to the company network. All of these devices need to follow the same philosophy.

Be ethical, save your privacy!
