James Avery
Just another GEEK expressing his thoughts

Series MDM – Part 5 – How-to protect business apps and data on mobile devices

javery June 4, 2014 Microsoft Intune, SC Configuration Manager 2012

Author: Enterprise Mobility Team
Subject: How-to deploy apps to mobile devices


This is the fifth and final installment in my blog series on mobile device management (MDM) by using Microsoft System Center 2012 R2 Configuration Manager and Windows Intune. In this post, I’d like to talk about how to protect business apps and data on mobile devices.

Access control

Of course, security is always best implemented as defense in depth, which simply means setting up multiple layers of security to protect your information. One of the first things you want to do is prevent unauthorized access by implementing strong password (PIN) compliance settings.

System Center 2012 R2 Configuration Manager supports several password compliance settings to help protect devices:

  • Requiring passwords
  • Minimum password length
  • Password history
  • Idle time before the device is locked (and requires password to unlock)
  • Number of failed logons before the device is wiped

Check out Compliance Settings and Company Resource Access in Configuration Manager for a brief list of some of the settings. Or check the Configuration Manager console for the actual list of settings that apply to a specific device platform.
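The password settings listed above, evaluated against a baseline as an added example (not code from the original post, and not a Configuration Manager or Windows Intune cmdlet). `Test-PasswordBaseline`, the thresholds, the platform names and the device inventory are hypothetical and constructed for illustration; a setting a platform does not report is flagged as not applicable instead of failing.

```powershell
# Illustrative baseline; these thresholds are assumptions, not values from the article.
$Baseline = @{
    PasswordRequired       = $true
    MinPasswordLength      = 6   # reported value must be at least this
    PasswordHistory        = 5   # at least this many remembered passwords
    IdleLockMinutes        = 5   # device must lock after at most this many minutes
    FailedLogonsBeforeWipe = 8   # device must wipe after at most this many failures
}

# Constructed inventory. A key missing from Settings means the platform does not
# expose that setting, which is reported separately from a failed check.
$Inventory = @(
    [pscustomobject]@{ Name = 'DEV-001'; Platform = 'PlatformA'; Settings = @{
        PasswordRequired = $true; MinPasswordLength = 8; PasswordHistory = 5
        IdleLockMinutes = 5; FailedLogonsBeforeWipe = 8 } }
    [pscustomobject]@{ Name = 'DEV-002'; Platform = 'PlatformB'; Settings = @{
        PasswordRequired = $true; MinPasswordLength = 4
        IdleLockMinutes = 0; FailedLogonsBeforeWipe = 10 } }
)

function Test-PasswordBaseline {
    param(
        [Parameter(Mandatory)] [psobject]  $Device,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $want = $Baseline[$name]
        $have = $null
        if (-not $Device.Settings.ContainsKey($name)) {
            $state = 'NotApplicable'
        } else {
            $have = $Device.Settings[$name]
            # Direction matters: lengths and history are minimums, timers and
            # retry counts are maximums, and 0 is treated as "disabled" (assumption).
            $ok = switch ($name) {
                'PasswordRequired'       { $have -eq $want }
                'MinPasswordLength'      { $have -ge $want }
                'PasswordHistory'        { $have -ge $want }
                'IdleLockMinutes'        { $have -gt 0 -and $have -le $want }
                'FailedLogonsBeforeWipe' { $have -gt 0 -and $have -le $want }
            }
            $state = if ($ok) { 'Compliant' } else { 'NonCompliant' }
        }
        [pscustomobject]@{ Device = $Device.Name; Platform = $Device.Platform
            Setting = $name; Reported = $have; Required = $want; State = $state }
    }
}

$Inventory | ForEach-Object { Test-PasswordBaseline -Device $_ -Baseline $Baseline } |
    Where-Object State -ne 'Compliant' | Format-Table -AutoSize
```

With the constructed inventory, DEV-001 produces no rows, while DEV-002 is listed for a short minimum length, a disabled idle lock, a wipe threshold above the baseline, and a password history setting its platform does not report.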

Information protection

Another area in a comprehensive defense-in-depth security approach is protecting the data already on the device. This level of protection is centered on encryption of either individual files or the entire device. Some devices (such as Windows and Windows Phone devices) support encryption of internal storage, while others encrypt individual files only.

Another possible source of leaked information is the secure digital (SD) card that some devices support. One approach is to disable the SD card slot entirely, but this isn’t practical for personally owned devices in Bring Your Own Device scenarios. Some devices (such as Windows Phone) create an encrypted partition for any apps or data stored on the SD card. User data is still stored on an unencrypted partition on the SD card.

Again, you can configure these settings by using System Center 2012 R2 Configuration Manager configuration items (CIs) and baselines (see part three of this series: how-to configure mobile device settings).

Finally, some devices (such as Windows and Windows Phone devices) support Information Rights Management (IRM), which allows users to protect access to information used in apps. For example, you can use IRM to protect email conversations, prevent unauthorized users from opening a document, or prevent forwarding of email messages. Just as with other settings, you can configure IRM by using System Center 2012 R2 Configuration Manager CIs and baselines.

Communication protection

Another aspect of security that is often overlooked is protecting communication between the device and the information on your intranet. This protection can be broken down into strong authentication protocols and encrypting communication.

Many new device operating systems support Trusted Platform Module chips and virtual smart cards. You can use these technologies to provide stronger authentication and protection of certificates and PINs.

Also, ensure that all virtual private network (VPN) connections to your intranet use strong authentication protocols and require encryption. You can push VPN connection profiles to devices based on your organization’s security standards.

Again, you can configure all of these things by using System Center 2012 R2 Configuration Manager CIs and baselines (see my previous blog post, “Configuring mobile device settings”).

Remotely remove business apps and data

So, what happens if the device is lost or stolen? Or, what if a user is dismissed while they still have a mobile device with your information? Not to fear! System Center 2012 R2 Configuration Manager and Windows Intune allow you to remotely:

  • Wipe the entire device. Restore the device to factory settings and remove all apps and data (that your organization and the user installed). Built-in apps and data are restored to factory defaults, as well.
  • Remove only your organization’s apps, data, and configuration settings. Remove only the apps, data, and configuration settings deployed through your MDM system from the device. Any user-owned data and apps are retained.

Of course, most device vendors allow users to locate and remotely wipe their own devices by using a device-specific web app (such as Find My iPhone for Apple iOS devices or Find My Phone for Windows Phone devices). And if the user has physical access to the device, they can do a hardware reset, which restores the device to factory settings and removes all data. The ability to remotely remove business apps and data is essential for any comprehensive MDM system!

Summary

Protecting business apps and data is critical for mobile devices that are “out in the wild.” But you can sleep easier by using the protection that System Center 2012 R2 Configuration Manager and Windows Intune provide. Regardless of the device platform, you can set security baselines that can be applied across them all to help prevent information theft or disclosure.

This wraps up my series of blogs on MDM by using System Center 2012 R2 Configuration Manager and Windows Intune. I bet you can’t wait to try them both, so I have good news for you. You can download an evaluation version of System Center 2012 R2 Configuration Manager and a trial subscription of Windows Intune to experience what I’ve been talking about for yourself. Thank you for reading this series. Until next time!
