Top 10 Things to Secure on iOS and Android to Protect Corporate Information

Sponsored by Top 8 Things to Secure on iOS and Android to Protect Corporate Information © 2013 Monterey Technology Group Inc.

description

Security expert Randy Franklin Smith from Ultimate Windows Security shows you a technical and pragmatic approach to mobile security for iOS and Android. For instance, for iOS-based devices, he talks about:
• System security
• Encryption and data protection
• App Security
• Device controls
Randy also discusses Android-based devices. While Android gets its kernel from Linux, it builds on Linux security in a very specialized way to isolate applications from each other. And learn about iOS and Android mobile device management needs: password and remote wipe capabilities are obvious, but there's much more to the story. And you'll hear Randy's list of top-10 things you need to secure and manage on mobile devices in order to protect access to your organization's network and information.

Transcript of Top 10 Things to Secure on iOS and Android to Protect Corporate Information


Thanks to www.Lumension.com

Preview of Key Points

1. Unattended control

2. Password complexity

3. Encryption

4. Remote lock

5. Remote wipe

6. Jailbroken/rooted detection

7. Hardware/software inventory

8. Device feature restrictions

9. The Carrot

Reality Check

Biggest risk: lost and stolen devices

Legal issue: BYOD with MDM

1. Unattended control (aka PIN/Password)

iOS

Options: PIN, Password, Touch ID

When to kick in: single threshold

Brute force defense: optional erase after 10 entries; increasing delay

Android

Options: PIN, Password, Pattern, Face

When to kick in: more sophisticated

Brute force defense: optional erase after X entries; increasing delay

Auto account wipe

2. Password complexity

iOS

Allow simple value

Require alphanumeric value

Minimum passcode length

Minimum number of complex characters

Maximum passcode age

Passcode history

Auto-lock timeout

Grace period for device lock

Maximum number of failed attempts

Allow Touch ID

Android

Password enabled

Minimum password length

Alphanumeric password required

Complex password required

Minimum letters required in password

Minimum lowercase letters required in password

Minimum non-letter characters required in password

Minimum numerical digits required in password

Minimum symbols required in password

Minimum uppercase letters required in password

Password expiration timeout

Password history restriction

Maximum failed password attempts

Maximum inactivity time lock
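
The iOS settings listed above correspond to keys of the passcode payload (com.apple.mobiledevice.passwordpolicy) in a configuration profile. The following Python is an added example, not part of the original slides: it audits a constructed sample profile against a baseline. The baseline limits, the sample profile and the function name are assumptions made for illustration.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Constructed sample profile (not from the slides): one weak passcode payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    <key>allowSimple</key><true/>
    <key>minLength</key><integer>4</integer>
    <key>maxInactivity</key><integer>15</integer>
    <key>maxFailedAttempts</key><integer>10</integer>
  </dict></array>
</dict></plist>"""

# Assumed baseline: payload key -> (rule, limit, setting name from the slide).
BASELINE = {
    "allowSimple": ("eq", False, "Allow simple value"),
    "requireAlphanumeric": ("eq", True, "Require alphanumeric value"),
    "minLength": ("min", 8, "Minimum passcode length"),
    "minComplexChars": ("min", 1, "Minimum number of complex characters"),
    "maxPINAgeInDays": ("max", 90, "Maximum passcode age (days)"),
    "pinHistory": ("min", 5, "Passcode history"),
    "maxInactivity": ("max", 5, "Auto-lock timeout (minutes)"),
    "maxGracePeriod": ("max", 0, "Grace period for device lock (minutes)"),
    "maxFailedAttempts": ("max", 10, "Maximum number of failed attempts"),
}

def audit_passcode_payload(profile_bytes):
    """Return a list of findings; an empty list means the payload meets BASELINE."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload in profile"]
    findings = []
    for key, (rule, limit, label) in BASELINE.items():
        value = payloads[0].get(key)
        if value is None:
            # This example treats an unset key as a gap rather than trusting defaults.
            findings.append(f"{label} ({key}): not set")
        elif ((rule == "eq" and value != limit) or (rule == "min" and value < limit)
              or (rule == "max" and value > limit)):
            findings.append(f"{label} ({key}): {value!r} violates {rule} {limit!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_passcode_payload(SAMPLE_PROFILE):
        print(finding)
```

Allow Touch ID is not part of the passcode payload; it is set through the Restrictions payload key allowFingerprintForUnlock, which this example does not check.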

3. Encryption

iOS

This is complicated

2 levels of encryption

First level encrypts all storage

But only for purpose of quickly wiping – doesn’t protect data

2nd level encrypts data of supporting applications

Such as email

Unclear whether jailbreaking can defeat encryption

Android

Based on tried and tested Linux dm-crypt

Encryption ultimately based on passcode

Only encrypts /data partition

Some devices offer SD card encryption

This is not your PC’s BitLocker

4. Remote lock

iOS

Protect lost phones in hopes of recovering

Unlikely to defend against jailbreaking

Android

Same purpose

Unclear how secure

5. Remote wipe

iOS

Wipes the encryption key used to encrypt the entire device

Fast and effective

To defeat, must jailbreak before wipe instruction received

Android

Does a fast erase and not a secure erase of the SD card

6. Jailbroken/rooted detection

iOS

Important to detect because jailbroken devices can run software from any source

Android

Rooted

Unlocked boot loader

Custom recovery

USB debugging enabled (allows ADB)

7. Hardware/software inventory

Health

iOS

Important because different devices have different vulnerabilities and jailbreak options

Android

Important because different devices have different vulnerabilities and security compliance

Android security features vary by version

But more importantly by brand because of fragmentation

Encryption fails on multi-user devices

8. Device feature restrictions

iOS

App installs, camera use, screen capture, iTunes store usage, in app purchases

Force encrypted backups

JavaScript

Allow Touch ID

Supervised restrictions: other store usage, allow app removal

Android

Require storage encryption

Disable camera

9. The Carrot

iOS

WiFi configuration

Exchange configuration

Android

WiFi configuration

Exchange configuration

Bottom line

Key requirements

Stay up on device health and inventory

Enforce password and encryption

Discourage older devices

Remote wipe

Hone procedure

Use carrots

Mobile Device Management

Another security solution to manage?

Mobile devices are just another type of endpoint

Manage iOS and Android devices along with Windows endpoints on the same pane of glass

L.E.M.S.S. Mobile Device Management

17 June 2014

Dee Liebenstein, Vice President Product Management

Lumension Platform Benefits

Unifies workflows and technologies to deliver enhanced capabilities in the management of endpoint operations, security and compliance

Endpoint Operations, Endpoint Security

Device Control

Asset Management

Software Management

Power Management

Configuration Management

Mobile Device Management

Reporting

Data Encryption

Antivirus/Spyware

Patch Management

Application Control

Firewall Management

Mobile Devices

Desktops

Laptops

Servers

Lumension MDM Capabilities Overview

L.E.M.S.S. Integration: Integrated Management; Localized Console & Apps; Per-device Licensing; Role-based Access Control (RBAC); Manage Mobile Endpoints; iOS and Android Support; Consistent Policy Workflow; Over the Air Management

Device Management: iOS / Android Enrollment via App; AD Authentication; Device Administration (Delete/Disable/Offline); Check-in Interval: Configurable and On-Demand; Hardware Inventory; Managed Devices Dashboard / Reporting; Root/Jailbreak Detection (Device Health); Action Traceability

Device & Data Security: Remote Lock; Remote Wipe; Password Enablement (Enforcement / Clearing); Password Complexity Configuration; Device Encryption Enforcement; Device Feature Restrictions; Exchange Configuration (iOS); Wi-Fi Configuration

More Information at www.lumension.com

Free Device Scanner tool – discover all the devices being used in your network: ~/Resources/Security-Tools

More on BYOD issues and solutions in the Lumension Optimal Security blog at blog.lumension.com/tag/byod

More information on the Lumension MDM at ~/mobile-device-management-software

Get the 2013 BYOD Survey Report at ~/more-info/BYOD-and-Mobile-Security