When a new device lands in its owner’s hands they will more than likely be too busy looking at how shiny and large the screen is, or comparing the resolution when playing Avatar or Angry Birds to think about potential security issues.
However, from a business perspective, security is paramount. Your rollout of devices under an Enterprise Mobility Management (EMM) solution holds the responsibility for ensuring that any upgrade or replacement device given to a user adheres to the policies put in place when issuing the primary smartphone or tablet.
It might be your policy to ensure devices are issued to end-users only after first being enrolled within EMM, but in many cases users will find a way to request replacement equipment, either directly from their carrier/service provider or simply by moving their SIM card to another phone. At this point the upgrade is out of your control and corporate data may be at risk.
While most smartphones have a cloud-based phone backup/restore service, you cannot guarantee that a user, if left to their own devices, will set up their next phone using this backup. Even if they do, the backup data and EMM security may not apply to their new phone: EMM typically requires each new device to be enrolled, and restoring from a backup alone does not enforce security.
It is important to keep security in the domain of the person or department issuing staff devices. If anyone requires an upgrade or replacement phone, that person or department must be aware of any new device being issued, for whatever reason, and must be able to monitor its re-enrolment within the chosen EMM solution.
At the very least, it is essential that this department or individual has access to the organisation's EMM so that they can see whether the issued equipment has been enrolled properly, and so that they can remove older equipment from EMM and avoid wasting time chasing equipment that no longer exists.
You will have an on-boarding process for new smartphones and tablets, but what about off-boarding? Make sure old equipment (and any memory card) is wiped of all personal and corporate data before putting it back in the stock cupboard or re-selling it online.
Users who have been authorised to use personal equipment with corporate data (BYOD) should alert the company to changes in their personal hardware; the corporate data on these devices must be removed before the equipment is retired or resold.
EMM provides the visibility to see devices dropping out of security, and automatic responses can be set up: alert the user (for example, ‘switch your phone back on’), alert the admin to devices that need action, recall or remotely wipe devices that are no longer being used and, above all, question the user about what has changed.
Spot the difference
When users upgrade their equipment, the new device may include features and capabilities that the existing policy may not have considered. For example, an older policy may not have considered memory cards; if the new equipment does have this feature, your policy will need to be updated to apply encryption or to outlaw memory cards, depending on your standard business policies surrounding removable media.
If possible, it’s useful to create policies that cover the features of the most advanced device in your fleet. If the lesser devices don’t have these features, don’t worry, it means that they will be covered for any future upgrades. As part of this process, your deployment or security team should evaluate new devices that come onto the market prior to issuing to end-users to ensure that policies are up to date.
Ensure the back door has been closed
The biggest concern regarding the deployment of device security is that many corporate email systems have auto-discover features enabled, which allow a user to add an email account to any device. In many cases, the security or deployment team concentrates on the primary device being issued, ensuring it is within EMM and that it has email. But in an environment with auto-discover, what will happen if the user attempts to manually add a secondary smartphone/tablet, or even a private device?
Within many Exchange environments (on-premise Exchange/Office 365) the feature that helps here is the Allow/Block/Quarantine Access setting. This can stop all attempts at adding email until the admin selectively allows the specific smartphone/tablet, after first checking that the device in question has already enrolled in your EMM.
This is important not only for the first-time use of smartphones or tablets; it is vital in preventing secondary and personal devices from receiving email without authorisation and without deployment under EMM security.
Depending upon your EMM of choice, the two can be tied together so that devices that enrol via EMM are automatically allowed. Since you can be confident that such devices have security in place, you can be hands-off in allowing them.
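As an added illustration of the Allow/Block/Quarantine approach described above (example code written for this page, not from the original article or any particular EMM vendor), the following Exchange PowerShell switches the organisation to quarantine-by-default and then releases only those quarantined devices whose EAS device ID appears in an EMM enrolment export. The mailbox address, device IDs and CSV layout are constructed sample values; a real EMM export would be loaded with Import-Csv.

```powershell
# Added example, not part of the original article. Assumes an Exchange
# Management Shell or Exchange Online PowerShell session with rights to
# change organisation-wide ActiveSync settings.

# 1. Quarantine every device the admin has not explicitly allowed, and have
#    the quarantine notifications sent to the deployment team.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mobility-team@example.com' `
    -UserMailInsert 'Your device is held until it is enrolled in EMM.'

# 2. Constructed sample of an EMM enrolment export. Only the ActiveSync
#    device ID matters for reconciliation.
$emmExport = @'
DeviceId,Owner
ApplDMPHX1234ABCD,alice@example.com
SEC1A2B3C4D5E6F7,bob@example.com
'@ | ConvertFrom-Csv
$enrolledIds = $emmExport.DeviceId

# 3. Reconcile: release quarantined devices that EMM knows about; anything
#    else (a second handset, a personal device added via autodiscover)
#    stays in quarantine and is reported for the admin to follow up.
function Sync-EmmQuarantine {
    param([string[]]$EnrolledIds)

    Get-MobileDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        ForEach-Object {
            $mailbox = $_.UserDisplayName   # mailbox that owns the partnership
            if ($EnrolledIds -contains $_.DeviceId) {
                Set-CASMailbox -Identity $mailbox `
                    -ActiveSyncAllowedDeviceIDs @{Add = $_.DeviceId}
                "ALLOWED  $($_.DeviceId) ($($_.DeviceModel)) for $mailbox"
            } else {
                "HELD     $($_.DeviceId) ($($_.DeviceModel)) for $mailbox - not enrolled in EMM"
            }
        }
}

Sync-EmmQuarantine -EnrolledIds $enrolledIds
```

Running the reconciliation on a schedule gives the hands-off behaviour the paragraph describes, while the HELD lines are the list of unauthorised secondary or personal devices the admin should question the user about.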
Shiny hardware is always enticing in this tech-oriented business world, but with many organisations introducing BYOD options for users, it’s imperative that you know whether the new handset your user has just carefully unwrapped will be added to the security you enrolled the previous handset into.
Sourced from David Brady, Senior Technical Consultant, Intercity Technology