Series MDM – Part 5 – How-to protect business apps and data on mobile devices
Author: Enterprise Mobility Team
Subject: How-to deploy apps to mobile devices
This is the fifth and final installment in my blog series on mobile device management (MDM) by using Microsoft System Center 2012 R2 Configuration Manager and Windows Intune. In this post, I’ll like to talk about how-to protect business apps and data on mobile devices.
Access control
Of course, security is always best implemented as defense in-depth, which simply means setting up multiple layers of security to protect your information. One of the first things you want to do is prevent unauthorized access by implementing strong password (PIN) compliance settings.
System Center 2012 R2 Configuration Manager supports several password compliance settings to help protect devices:
- Requiring passwords
- Minimum password length
- Password history
- Idle time before the device is locked (and requires password to unlock)
- Number of failed logons before the device is wiped.
Check out Compliance Settings and Company Resource Access in Configuration Manager for a brief list of some of the settings. Or, check out the actual list in the Configuration Manager console of which settings are applicable to a specific device platform.
Information protection
Another area in a comprehensive defense in-depth security approach is protecting the data already on the device. This level of protection is centered on encryption of either individual files or the entire device. Some devices (such as Windows and Windows Phone devices) support encryption of internal storage, while others encrypt individual files only.
Another possible source of leaked information is the secure digital (SD) card that some devices support. One approach is to disable the SD card slot entirely, but this isn’t practical for personally owned devices in Bring Your Own Device scenarios. Some devices (such as Windows Phone) create an encryption partition for any apps or data stored on the SD card. User data is still stored on an unencrypted partition on the SD card.
Again, you can configure these settings by using System Center 2012 R2 Configuration Manager configuration items (CIs) and baselines (see part three of this series: how-to configure mobile device settings).
Finally, some devices (such as Windows and Windows Phone devices) support Information Rights Management (IRM), which allows users to protect access to information used in apps. For example, you can use IRM to protect email conversations, prevent unauthorized users from opening a document, or prevent forwarding of email messages. Just as with other settings, you can configure IRM by using System Center 2012 R2 Configuration Manager CIs and baselines.
Communication protection
Another aspect of security that is often overlooked is protecting communication between the device and the information on your intranet. This protection can be broken down into strong authentication protocols and encrypting communication.
Many new device operating systems support Trusted Platform Module chips and virtual smart cards. You can use these technologies to provide stronger authentication and protection of certificates and PINs.
Also, ensure that all virtual private network (VPN) connections to your intranet use strong authentication protocols and require encryption. You can push VPN connection profiles to devices based on your organization’s security standards.
Again, you can configure all of these things by using System Center 2012 R2 Configuration Manager CIs and baselines (see my previous blog post, “Configuring mobile device settings”).
Remotely remove business apps and data
So, what happens if the device is lost or stolen? Or, what if a user is dismissed while they still have a mobile device with your information? Not to fear! System Center 2012 R2 Configuration Manager and Windows Intune allow you to remotely:
- Wipe the entire device. Restore the device to factory settings and remove all apps and data (that your organization and the user installed). Built-in apps and data are restored to factory defaults, as well.
- Remove only your organization’s apps, data, and configuration settings. Remove only the apps, data, and configuration settings deployed through your MDM system from the device. Any user-owned data and apps are retained.
Of course, most device vendors allows users to locate and remotely wipe their own devices by using a device-specific web app (such as Find My iPhone for Apple iOS devices or Find My Phone for Windows Phone devices). And if the user has physical access to the device, they can do a hardware reset, which restores the device to factory settings and removes all data. The ability to remotely remove business apps and data is essential for any comprehensive MDM system!
Summary
Protecting business apps and data is critical for mobile devices that are “out in the wild.” But you can sleep easier by using the protection that System Center 2012 R2 Configuration Manager and Windows Intune provide. Regardless of the device platform, you can set security baselines that can be applied across them all to help prevent information theft or disclosure.
This wraps up my series of blogs on MDM by using System Center 2012 R2 Configuration Manager and Windows Intune. I bet you can’t wait to try them both, so I have good news for you. You can download an evaluation version of System Center 2012 R2 Configuration Manager and a trial subscription of Windows Intune to experience what I’ve been talking about for yourself. Thank you for reading this series. Until next time!
