Protect your mobile device – Part 3: Enforcement, Tools, and First Steps
We have explored the importance of setting policies and training users on mobile device security and management; now we wrap up with how to enforce these policies, recommended tools, and first steps toward mobile device security.
Enforcement
Enforcement is usually assisted through a Mobile Device Management (MDM) tool, typically a software-based application that requires an agent to be installed on the mobile device. Once installed, this agent connects back (remotely) to a central console from which an administrator can monitor, manage, and secure the mobile device and also support its user.
MDM features typically include:
- Enforce user security policy:
o Require complex password with frequent changes
o Permit remote access only via SSL or VPN
o Lock-down browser settings
o Enable encryption
- Recover lost or stolen devices:
o Activate alarm (set off an audible alarm on the device)
o Enable track and locate (track and locate the device via GPS)
o Permit remote wipe (complete erasure of the device as a last resort)
- Control mobile device applications:
o Recognize and prevent installation of unauthorized applications
o Permit whitelisting and blacklisting of applications
o Restrict or block application stores
- Remotely deploy and configure applications (email, etc.)
- Audit the mobile device for installed software, configuration, and capacity
ComputerWorld has a comprehensive article on the challenges of MDM. View it at "Mobile device management: Getting started."
To support our mobile device clients, we use the MDM capabilities built into Kaseya, our Remote Monitoring and Management tool. Other MDM providers include:
- AirWatch
- LabTech
- MobileIron
- Symantec
- Zenprise
While MDM provides a comprehensive tool, it can be costly to procure and support. Many companies utilize a trusted business partner (like Bryley) to provide MDM tooling, monitoring, and support for their mobile devices on an ongoing basis with pricing that ranges from $15 (in quantity) to $75 per device per month.
Non-MDM Tools
Alternatively, Microsoft Exchange 2010 offers many MDM-type features through Exchange ActiveSync (EAS), an included protocol that is licensed per end user or per end device through a Client Access License (CAL). The Exchange 2010 Standard CAL licenses:
- Password security policies
- Encryption required
- Remote wipe
The Exchange 2010 Enterprise Add-On CAL licenses advanced features including:
- Allow/disallow Internet browser, consumer email, unsigned installation, etc.
- Allow/disallow removable storage, Wi-Fi, Internet sharing, etc.
- Allow/block specific applications
- Per-user journaling
- Integrated archive
Exchange Server Standard 2010 is $709; Standard CALs are $68 each while the Enterprise Add-On CAL is an additional $42 each (based on list prices for business).
Main difference between MDM and EAS: Most MDM tools provide greater control over the mobile device during its lifecycle and can provide control over the device even before email is configured.
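As an added example (not part of the original article), the Standard CAL features listed above could be applied from the Exchange Management Shell on Exchange 2010 as shown here. The policy name, mailbox address, and numeric values are assumptions chosen for illustration, not recommendations from the article.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010).
# Policy name, mailbox and all numeric values are illustrative assumptions.
$policyName = 'Mobile-Baseline'       # hypothetical policy name
$mailbox    = 'jdoe@example.com'      # hypothetical mailbox

# Password, auto-lock and encryption requirements (Standard CAL features).
# AllowNonProvisionableDevices $false refuses devices that cannot
# enforce the policy instead of letting them sync unprotected.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to the mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Audit: list EAS-enabled mailboxes and the policy each one receives,
# to spot users who are still on a weaker default policy.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncMailboxPolicy

# Inventory the devices partnered with the mailbox.
Get-ActiveSyncDevice -Mailbox $mailbox |
    Select-Object FriendlyName, DeviceType, DeviceOS, Identity

# Remote wipe of a lost device. -WhatIf only previews the action;
# remove it to issue the wipe, which erases the device at its next sync.
Get-ActiveSyncDevice -Mailbox $mailbox |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -WhatIf }
```

Because the policy is delivered when a device syncs, a device that never reconnects to Exchange will not receive the wipe command.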
Other recommended tools include:
- Anti-malware: AVG Mobilation – From free to $9.99 for Pro version
- Protect and find phone via key-case fob – Kensington Bungee Air at $79.99
First step suggestions
These are our minimum, first-step suggestions:
- Deploy anti-malware software immediately and manage it continuously
- Require password to activate the device with a low auto-lock time
- Update mobile devices through vendor-approved patching
- Enable on-board encryption if handling sensitive data
Visit 10 Steps to Secure Your Mobile Device for detailed recommendations on securing your mobile device.