Mobile device security includes a number of best practices specific to these unique platforms. In this video, you’ll learn about full device encryption, screen locks, configuration profiles, remote wipe, and more.
We keep a lot of information on our mobile phones, our tablets, and our other mobile devices. So it’s always a good idea to keep that data safe by encrypting everything that we store on any of these devices. That way, if the device happens to be out of our control, we still know that all of that data will remain safe. If you’re using an Apple iOS or iPadOS device, then all of your personal data is going to be encrypted. And your passcode provides the decryption key.
Android has a similar feature, and it also uses your login pattern, PIN, or passcode to derive the key that encrypts this data. This feature is usually on by default with most of these devices. And if you’re not currently using encryption on your mobile device, you might want to consider enabling it on your phone.
These mobile devices not only store our sensitive information, they also provide access to important external resources, like our bank account or credit card information. To be able to protect all of these, we need to make sure that we’re using screen locks. This is going to restrict any access to our mobile devices if somebody happens to pick it up or gain access to it.
There are many different ways to lock this screen. One easy way to lock and unlock the screen is using facial recognition. You simply pick up your phone, and the camera on your phone performs facial recognition and then unlocks the phone if you’re authorized. You could also use a personal identification number that you type in each time you’d like to unlock the phone, or you could use a built-in fingerprint reader if your mobile device supports that. And another interesting locking mechanism is one you might see on Android devices, where you would swipe a particular pattern, and only after using the correct pattern will your phone unlock.
You can also configure what happens if somebody tries to gain access to your phone multiple times with a failed unlock code. On iOS, there’s an option to erase data. This will erase all data on the phone after 10 failed passcode attempts.
This is another good reason to have backups of all of your systems, especially a cloud-based backup, because anyone can pick up your phone, use 10 different attempts to log in, and suddenly everything on your phone is erased. Android has a similar feature. It locks the device after a number of failed login attempts, and then you must provide your Google login or you have to wipe the device and start from the beginning.
Many organizations will have centralized management for all of their mobile devices through Mobile Device Management or MDM. And in most organizations, there are a set of standards associated with these mobile devices. So there might be a certain requirement for passwords, lock screens, what’s allowed or not allowed on that device, and many other options. All of these policies can be added to a single profile, and that profile can be associated with all of the devices on your network. This might include configuration options, so all of the different settings that you need to be able to access your corporate email may be part of this profile.
Security options can also be enabled or disabled in these profiles: encrypting all of your data, locking the screen, and the type of passcodes you’re allowed to use. You would normally build one of these profiles, add it to your mobile device manager, and then have the mobile device manager push those out to all of your devices.
Let’s start with the process of creating one of these configuration profiles. You can use Microsoft Intune or Apple Configurator to provide a nice front-end, where you can easily see your options and enable or disable different features. For example, you might want to add to your profile information about Exchange ActiveSync. So you can add the ActiveSync Account name, the ActiveSync Host name, whether you’d like to use SSL, and any other important configuration parameters. Security features are also in here, so you can find information about VPN, certificates, and other security features that you might want to enable or disable.
Most of these configuration programs will create a single profile represented in XML. This is a standard format and can be read by many different applications. That profile can then be added to a mobile device manager, like the one we see here.
This MDM screen is drilled down into my iPhone. And I can enable or disable any of the features on that phone, all from this single management console. For example, if I click on the Security option, I can define information about passcodes.
I can define whether I would like to require a complex passcode or even require alphanumerics as part of the passcode. I can define minimum password lengths, whether I would like this to have a password age and how long that would be, and other important security parameters. Once I built this profile, I can save this and now use it across multiple devices on my network.
Just as we have updates for our desktops and laptop computers, we also need to make sure that we provide updates for our mobile devices. Most mobile devices have the update process built into the operating system itself. These updates might provide device patches, especially security updates. And these might come on a regular basis. There might also be operating system updates that fix problems with existing operating system features or add new features to the device.
You might also be running many different applications on these mobile devices, and each of these apps also has to be updated. Most of these updates occur in the background or at night when you’re asleep. This way, we’re able to deploy those updates seamlessly and keep the system up and running with the latest software.
And just as we have antivirus and anti-malware software for our desktop operating systems, we also have options for our mobile devices. This might be different depending on the operating system you’re using. With Apple iOS, the entire environment is completely closed. The only way to install software onto that device is from the Apple App Store. If malware wants to find its way onto your iPhone, it needs to take advantage of a vulnerability that has not already been patched.
The Android operating system is a bit more open. There’s no centralized store that everyone must go through. Instead, you can install software from any website. This provides a much easier way for malware and other malicious software to find its way onto your Android device.
Fortunately, there’s antivirus software available for both iOS and Android, so you can download the software from known antivirus providers to help keep your mobile devices safer. These mobile devices can also support content filtering. So if you would like to prevent someone from visiting certain websites or from running certain applications, you can enable this capability on all of your mobile devices.
One of the things you’ve undoubtedly used with your mobile device is a way to view where that device may be located. There is a locator application built into most mobile devices, and it integrates with GPS and other mobile networks to pinpoint exactly where your device might be. This usually shows a map where it provides an icon of exactly where your device may be located.
And if that device is moving, you will see it move in real time on this map. Although you may not have direct control over this mobile device, you might still be able to play a sound or put a notification on the screen for someone to read. And if you feel that this device is lost and you’re not going to be able to recover it, you can choose to mark this device as “lost” and erase all of your personal data on that mobile phone.
Traditional backup methods don’t work very well for a mobile device. These devices are rarely in the same place from one day to the next, and it’s difficult to find a time to plug them in to back up all of the data. Fortunately, most of these devices integrate with a cloud-based backup service, which works perfectly for the mobility associated with these mobile phones and tablets. This service is constantly backing up the device, so you always know that the most recent information is stored in the cloud.
This is also using our wireless networks and our cellular networks to provide this backup, so we don’t have to plug in a cable or wait for a backup to occur just to have a backup of all of our data. And the process for restoration is just as easy. We simply log into our cloud account, it begins downloading everything to our new device, and we now have restored from a completely cloud-based backup system.
Most of our mobile phones and tablets don’t include a separate firewall app. That’s because most of the activity on these devices is outbound, and there are very few cases where you’re using the device as an inbound server. But if you did want to download a separate firewall app, there are many options available on Android.
Not quite as many available on iOS, but even those applications seem to be rarely used. In most enterprise environments, the security for that device is defined on the mobile device manager. And that manager can determine whether someone is able to connect to a website, download information, or install certain applications on their mobile device.
For that reason, most organizations will have a clearly defined set of policies and procedures for how these devices are to be used. This starts with how the device is acquired to begin with. Many organizations will manage both company-owned devices and user-owned devices from a single mobile device manager. And if it is a user-owned device, you might see this referred to as a BYOD, where it’s a “bring your own device.”
We’ve already seen how the MDM can be the central point for all management for all of these mobile devices. And if you are defining policies and procedures, you can integrate those policies into the MDM and push those out to all of the devices on your network. So you may be in a highly secure environment, and one of your company policies may be that no photography is allowed inside of the building. You can create a profile in your mobile device manager that matches that policy or procedure within your company, and push out that policy to all of your mobile devices.
That way, anyone entering the building will automatically find that their camera is no longer working. And as we’ve already seen, we can even include security features. So if you want to force a particular type of passcode or enable full disk encryption on a device, you can set all of those policies within your mobile device manager.
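The configuration profile described earlier (passcode complexity, minimum length, password age, the wipe-after-failed-attempts limit) and the camera restriction just described can both be expressed in the XML profile format that the configurator tools produce. The following Python program is an added example, not code from the video or from Apple, Microsoft or any MDM vendor: it builds a profile as an XML property list with the two payloads, then audits an arbitrary profile against an organisation baseline so an administrator can check a profile before pushing it out. The payload types and key names follow Apple's published configuration profile format; the organisation name, identifier prefix and baseline values are constructed placeholders.

```python
"""Build and audit a mobile configuration profile as XML.

Added example, not code from the original video or from Apple/Microsoft.
Payload types and key names follow Apple's published configuration profile
format (passcode payload com.apple.mobiledevice.passwordpolicy, restrictions
payload com.apple.applicationaccess); the organisation, identifiers and
baseline values are constructed placeholders.
"""
import plistlib
import uuid

ORG = "Example Corp"                      # constructed placeholder
PREFIX = "com.example.mobile-baseline"    # constructed identifier prefix

# What the organisation's policy requires; any profile weaker than this is flagged.
BASELINE = {
    "minLength": 8,            # shortest passcode allowed
    "requireAlphanumeric": True,
    "maxFailedAttempts": 10,   # wipe after this many failed unlock attempts
    "allowSimple": False,      # reject 1111, 1234 and similar patterns
    "allowCamera": False,      # no photography inside the building
}

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def passcode_payload(min_length=8, alphanumeric=True, max_age_days=90, max_failed=10):
    """Passcode policy payload; max_failed=None omits the wipe limit entirely."""
    payload = {
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PREFIX}.passcode",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,
        "allowSimple": False,
        "requireAlphanumeric": alphanumeric,
        "minLength": min_length,
        "maxPINAgeInDays": max_age_days,
    }
    if max_failed is not None:
        payload["maxFailedAttempts"] = max_failed
    return payload


def restrictions_payload(allow_camera=False):
    """Device restrictions payload; here only the camera switch is set."""
    return {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PREFIX}.restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Restrictions",
        "allowCamera": allow_camera,
    }


def build_profile(payloads):
    """Wrap payloads in the top-level profile and serialise to XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PREFIX,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{ORG} mobile baseline",
        "PayloadOrganization": ORG,
        "PayloadRemovalDisallowed": True,   # user cannot remove the profile
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(xml_bytes, baseline=BASELINE):
    """Parse a profile's XML and list every way it is weaker than the baseline."""
    profile = plistlib.loads(xml_bytes)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    findings = []

    pw = by_type.get(PASSCODE_TYPE)
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if pw.get("minLength", 0) < baseline["minLength"]:
            findings.append(f"minLength {pw.get('minLength', 0)} < {baseline['minLength']}")
        if baseline["requireAlphanumeric"] and not pw.get("requireAlphanumeric", False):
            findings.append("alphanumeric passcode not required")
        if not baseline["allowSimple"] and pw.get("allowSimple", True):
            findings.append("simple passcodes allowed")
        # An absent maxFailedAttempts means unlimited guesses, so treat it as missing.
        limit = pw.get("maxFailedAttempts")
        if limit is None or limit > baseline["maxFailedAttempts"]:
            findings.append("failed-attempt wipe limit missing or too high")

    rs = by_type.get(RESTRICTIONS_TYPE)
    if not baseline["allowCamera"] and (rs is None or rs.get("allowCamera", True)):
        findings.append("camera not disabled")
    return findings


if __name__ == "__main__":
    xml = build_profile([passcode_payload(), restrictions_payload()])
    print(xml.decode())
    print("findings:", audit_profile(xml))
```

Running the file prints the XML profile and an empty findings list for the compliant build; feeding `audit_profile` a profile that omits the restrictions payload or leaves out `maxFailedAttempts` reports each gap separately, which is the check worth running on any profile exported from a configurator before the MDM pushes it to every device.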
