A mobile device administrator uses many different enforcement options to keep the organization’s data safe. In this video, you’ll learn about rooting, carrier unlocking, firmware OTA upgrades, accessory use, and more.
If you are an Apple iOS device, then you’re probably very aware of the Apple App Store and if you have an Android you’ve probably visited the Google Play store. Each of those third-party stores contain apps that you can browse through, download, and run on your mobile device. However not every application that you’re going to get from those app stores is secure. These organizations do a very good job at finding applications that are malicious and preventing them from being part of their App Store.
Unfortunately, there have been times when an application has managed to get on the App Store that contains some type of security concern. This could be a vulnerability that could be taken advantage of by an attacker, or it may be that the application leaks data and makes that private information available to others.
And if we’re using this mobile device at work, you may find that a number of apps on these third-party app stores contain applications that probably aren’t appropriate for work. These might be games or social media apps, or they just go outside the scope of what’s considered appropriate for work. If your organization uses a Mobile Device Manager, the administrator of that system can allow or disallow certain apps from running on your mobile device.
If you have a smartphone or tablet, you’ve probably never seen the command prompt at the operating system level for that device. That’s because you don’t generally need access to the operating system of these mobile devices. They are purpose-built systems that provide you with a user interface that keeps you away from the operating system of those machines.
But there are some technologies that like to have control of the operating system of their devices, and in Android, you can gain that by rooting the system, in iOS, we often refer to this as jailbreaking the system. To root or jailbreak your mobile device, you commonly need to install a specialized type of firmware.
This will replace the operating system that’s currently running on that system, with one that would allow you access to the operating system itself. This means that you could circumvent any existing security systems that might be in place, you can go outside the scope of the App Store and simply download and install apps directly. We call this side loading.
With this rooting or jailbreaking in place, your mobile device Manager doesn’t have much control of those systems. That’s why most of the devices you’ll see administered by a centralized management tool like an MDM, are almost always using the standard firmware and are not using a gel broken or routed version of firmware.
You may not realize it, but the smartphone that you’re using is probably locked to the carrier that you’re using. So in the United States, if you’re using AT&T, you can only use this phone on an AT&T network. You can’t take this phone from AT&T and start using it on a Verizon network, because the phone has been locked to the AT&T network.
This is primarily because the carrier is subsidizing the cost of the phone. Instead of purchasing the phone for its full cost, the carrier is subsidizing the cost of that phone over your monthly contract. And that’s why AT&T doesn’t want you to get a phone for very little money and then immediately take that phone over to Verizon and start using their network.
However, there might be times when using this phone on a different network may be required. It may be that you’ve already paid off this phone and had it for a certain amount of time, so your carrier will allow you to unlock that phone and use it on a different network, or perhaps you’re leaving the country and you want to have a way to use this phone while you’re outside of the normal AT&T network area.
In those cases, you’ll need to contact your carrier directly and they have a series of processes they follow to unlock the phone so that you can use it elsewhere. Since a lot of the security that we configure on our mobile device managers are associated with the configuration of this phone, unlocking it and moving it to a different carrier could potentially circumvent the security of that Mobile Device Manager.
The MDM administrator would need policies that would either allow or not allow someone from unlocking their phone to move it to a different carrier, or they would need a series of processes in place to put it back into the MDM after it’s been moved to the new carrier.
The operating systems of our mobile devices are constantly being updated. Sometimes these updates include feature updates, other times they are security patches. Whenever your system needs to be updated, it’s often receiving these updates over the air or OTA. This means that you don’t have to plug it into your system, you don’t have to download any software, all of these updates are automatically pushed down to your mobile device when they’re ready.
You often see a message pop up on your mobile device that says, a new version of firmware is available, you can click here to install it now or click this other button to install it overnight. This means you can go to sleep you wake up in the morning and you have a brand new version of firmware available with all of the new features of that version.
If this is a mobile device used for corporate applications, you may want to test this firmware before deploying it in your environment. In those cases, the deployment is handled through OTA but from the mobile Device Manager itself. That way the update can be tested internally, and when you’re ready to roll it out, you can push it out to all of your systems from your Mobile Device Manager.
Now that everybody is walking around with their own smartphone, they’re also effectively walking around with their own camera. This is a feature a lot of people use on their smartphone and it’s perfectly acceptable in most environments. But you may be working at a very high-security environment that doesn’t want everyone bringing in their own camera into an environment where no data should be getting out.
It’s difficult to control camera use on the device itself. There’s no way to completely turn off the camera, and you’re never quite sure if somebody is using a camera on their device or not. Fortunately, the MDM is able to enable or disable the features of the camera. And it may configure them based on where you happen to be.
If you’re anywhere near the main corporate building, which is very secure, the camera feature may be disabled. But once you leave the building, the geo-fencing features of your MDM can recognize that you’re no longer near the main office, and it can re-enable the camera functionality.
One way that users can transfer data off of their mobile device is by using SMS and MMS. This stands for Short Message Service and Multimedia Message Service but we often just refer to this as texting. These text messages can contain pictures, audio, movies, and other types of data as well. So they can be used for outbound data leaks or disclosure of financial information.
We’ve also seen these text messages used for inbound attacks, where the attackers are trying to obtain access to a system using phishing techniques. Just like the controls we have available to our camera, the Mobile Device Manager can also control the MMS and SMS functionality of your mobile device. So the text messaging on your device may be disabled completely or it may only be available when you’re in certain areas.
It’s becoming easier and easier to move data from a secure area to somewhere that is insecure through the use of these mobile storage devices. This is external media that’s commonly associated with an SD card or similar flash drive configuration. Or you may be plugging in a multi-terabyte portable USB connector drive, transferring data onto that drive, and simply putting the drive in your pocket, and walking out the door.
These are very standardized and easy to use. You simply need an interface that will support the media, you plug it into your computer, transfer the files, and unplug the media and take it with you. Some security administrators will configure their operating systems of their desktops, laptops, and other devices to limit how much data might be written to an external USB or external media drive like this one. The administrator of the MDM can also set security policies that might allow or disallow access to these flash drives from our mobile devices.
Another way to transfer data would not even use a flash drive, instead will simply plug in a cable between two devices to transfer information to your mobile device. This is called USB OTG, which stands for On-The-Go. You don’t need an external drive or flash memory, you simply need a cable that is compatible with the devices on both ends.
This was a feature that was introduced with USB 2.0. So it’s been around for quite some time and it’s very common to see on Android devices. There’s also some USB OTG capabilities built into iOS as well. And it is extremely convenient and easy to use. You can simply plug in your laptop or desktop, transfer the files, disconnect, and walk out of the building with all of that data.
Just as there is a camera on all of our mobile devices, there are also audio recording capabilities on all of our mobile devices. And these can be very useful if you’re taking notes, or you’re in a meeting and need to capture what somebody might be saying. But there are some legal issues associated with capturing audio and it depends on where you happen to be.
Each state in the US has a different set of laws associated with capturing audio and every situation you’re in, is going to be a little bit different, so you have to make sure you check the laws in your particular area. Like most features on your mobile phone, all of the audio recordings can be enabled or disabled from your Mobile Device Manager.
In this video, we’ve already talked about enabling or disabling features based on where you happen to be. We refer to this as geo-fencing. But the information of where you are can also be stored into files. This is called geotagging or GPS tagging.
When you’re saving a document, when you’re taking a picture, or storing some audio information on your mobile device, there’s additional information that’s stored as metadata, and that metadata might include information of your longitude, your latitude, or other information associated with your location.
This means view of access to some of the documents on this device, you might also know where this user has been. And that might be a security concern. So you might want to configure your Mobile Device Manager or the configuration of your mobile device to not save any of the location information when you’re storing these files.
If you’re at home, or the office, or coffee shop, you’re probably connecting to a Wi-Fi network that’s controlled from an access point. Everybody connects to the same access point, and that gives you access to the internet and any other resources on your local network. But the wireless standard also supports a mode where two devices can communicate directly to each other without the use of an access point.
In the 802.11 world, this is called ad hoc mode, and it allows these two devices to easily communicate without including any other devices on the network. Configuring ad hoc on both sides of the configuration can sometimes be difficult. But there are some enhancements to Wi-Fi called Wi-Fi direct which simplifies the process so that two devices can easily connect to each other and begin transferring data between both sides.
If you’ve ever configured any IoT or internet of things devices at home, you may have seen that it starts with a Wi-Fi direct connection, so that you could then configure the device. And then that device can connect to your access point once it’s been configured.
This is another opportunity for devices to transfer data between each other without using security features that you might have in an access point. This becomes a concern for security professionals, who want to make sure that they have control over data and can limit the scope of where the data might go.
On your corporate network, you probably have an internet connection with a next-generation firewall and security policies and procedures associated with that connection. And you may find if you’re using that corporate connection, there may be websites that are blocked, or you may have limited access to certain parts of the internet.
Some users have found that instead of using their corporate network connection, they can turn their phone into a Wi-Fi hotspot, and have unfettered access to the internet. This means your phone is now communicating to internet connections through your cellular phone provider, and then any other Wi-Fi devices you have can communicate through your phone to gain access to the internet.
This functionality is dependent on your carrier. They may have it turned off by default or may require an additional cost to be able to use this feature. Not only is this allowing people to have unsecure access to the internet from your corporate network, this could also allow access into your corporate network instead of going through the existing security controls on the outside. This is probably not a capability that you’ll want to allow by default, and it should probably be administered and monitored through your Mobile Device Manager.
And of course, most of our mobile devices these days allow for NFC or Near Field Communication. It’s a common way to transfer data between two devices that are in close proximity. We often use NFC to pay for things when we’re checking out at a store, or we can use it to transfer information between two mobile devices.
If you’re using this for purchases, you’ve probably seen Apple Pay, Android Pay, or Samsung Pay as some of the common standards that are available when checking out. And there’s usually some type of authentication that you have to do before the payment system will go through. You would, of course, not want to have a locked phone, be able to pay for things using NFC. So there’s usually the first authentication or unlock process before you’re able to use this during checkout.