We have explored the importance of setting policies and training users on mobile device security and management; now, we wrap-up with how to enforce these policies, recommended tools, and first steps to mobile device security.
Enforcement
Enforcement is usually assisted through a Mobile Device Management (MDM) tool; typically a software-based application that requires an agent be installed to the mobile device. Once installed, this agent connects back (remotely) to a central console from which an administrator can monitor, manage, and secure the mobile device and also support its user.
MDM features typically include:
- Enforce user security policy:
o Require complex password with frequent changes
o Permit remote access only via SSL or VPN
o Lock-down browser settings
o Enable encryption
- Recover lost or stolen devices:
o Activate alarm (set off an audible alarm on the device)
o Enable track and locate (track and locate the device via GPS)
o Permit remote wipe (complete erasure of the device as a last resort)
- Control mobile device applications:
o Recognize and prevent installation of unauthorized applications
o Permit whitelisting and blacklisting of application
o Restrict or block application stores
- Remotely deploy and configure applications (email, etc.)
- Audit the mobile device for installed software, configuration, and capacity
ComputerWorld has a comprehensive article on the challenges of MDM. View it at
Mobile device management: Getting started.
To support our mobile device clients, we use the MDM capabilities built intoKaseya, our Remote Monitoring and Management tool. Other MDM providers include:
- AirWatch
- LabTech
- MobileIron
- Symantec
- Zenprise
While MDM provides a comprehensive tool, it can be costly to procure and support. Many companies utilize a trusted business partner (like Bryley) to provide MDM tooling, monitoring, and support for their mobile devices on an ongoing basis with pricing that ranges from $15 (in quantity) to $75 per device per month.
Non-MDM Tools
Alternatively, Microsoft Exchange 2010 offers many MDM-type features through Exchange ActiveSync (EAS), an included protocol that licenses by end-user or end-device Client Access License (CAL). The Exchange 2010 Standard CAL licenses:
- Password security policies
- Encryption required
- Remote wipe
The Exchange 2010 Enterprise Add-On CAL licenses advanced features including:
- Allow/disallow Internet browser, consumer email, unsigned installation, etc.
- Allow/disallow removable storage, Wi-Fi, Internet sharing, etc.
- Allow/block specific applications
- Per-user journaling
- Integrated archive
Exchange Server Standard 2010 is $709; Standard CALs are $68 each while the Enterprise Add-On CAL is an additional $42 each (based on list prices for business).
Main difference between MDM and EAS: Most MDM tools provide greater control over the mobile device during its lifecycle and can provide control over the device even before email is configured.
Other recommended tools include:
- Anti-malware: AVG Mobilation – From free to $9.99 for Pro version
- Protect and find phone via key-case fob – Kensington Bungee Air at $79.99
First step suggestions
These are our minimum, first-step suggestions:
- Deploy anti-malware software immediately and manage it continuously
- Require password to activate the device with a low auto-lock time
- Update mobile devices through vendor-approved patching
- Enable on-board encryption if handling sensitive data
Visit 10 Steps to Secure Your Mobile Device for detailed recommendations on securing your mobile device.
