Security doesn’t have to be paid

Cheng Luo
7 min read · Nov 23, 2017


Having worked in the mobile enterprise business for the last few years, I have often heard IT managers talk about how to get the security bits right. That is a good way to think about and start an enterprise mobility programme, but security is not just about getting the design, architecture and initial deployment right; it is about a different way of thinking about your IT and your business, and most importantly about how your employees think.

In most of the mobility projects I have been involved in, the first question to answer is always about user experience: how to improve it for your employees and your customers, how to make employees more productive as they adopt a mobile working style, and how to make customers more satisfied when they use your services on mobile.

Then it is about how to securely provide your services at each stage. Take the example of rolling out corporate phones in your company. No doubt the first thing to consider from an IT perspective is whether to embrace the buzzword BYOD (bring your own device), stay with the peace of mind of fully controlled COBO (corporate-owned, business-only) devices, or go for a COPE (corporate-owned, personally enabled) mix that encourages more use of the phones instead of letting them end up as expensive desktops. None of these questions can be answered without thinking about your employees' experience, and no one model is absolutely better than the others. With more and more regulation around finance and data privacy, we expect COBO and COPE to become the more controllable and adaptable models for end-user device policy.

Let's walk through the journey of an IT manager deploying a digital transformation project. The journey starts with enrolling devices.

Use a dedicated WiFi network or private APN for enrollment when needed

Security-critical customers might prefer to provide a dedicated WiFi network or private APN for enrollment purposes only. A dedicated enrollment WiFi network is useful where employees work at a remote site without an IT team, or where the company offers a self-service IT portal for employees to order devices and enroll them in the EMM. The challenge is how to provision the WiFi or APN information before a device is enrolled.

Of course, you can set up a certificate-based WiFi network, which typically requires Active Directory Domain Services (AD DS) and a Network Policy Server (NPS) to function properly. You can even buy a private APN service from your ISP or mobile operator for an even more secure enrollment path. But these cost money.

There is a simple solution from Samsung called Knox Configure (KC) which doesn't require any additional services. You simply upload the WiFi SSID and password to a KC profile. Devices registered with KC automatically receive the WiFi configuration before the Knox Mobile Enrollment (KME) process starts.

You can add a further layer by hiding the enrollment WiFi SSID, so that a device not registered with KC will not be able to connect to the dedicated enrollment network. Bear in mind that KC can configure far more than WiFi SSIDs; there are many other settings you can pre-configure before enrolling devices in an EMM. For more information, go to www.samsungknox.com

Enforce corporate-device-only enrollment

Automated mobile enrollment services such as the Apple Device Enrollment Program (DEP) and Samsung Knox Mobile Enrollment (KME) have become the de facto way to enroll mobile devices in EMMs. They simplify downloading and installing the MDM agent on the device, pushing the MDM configuration to it, and making sure the device is provisioned before IT allows it onto the corporate network. In this sense, the enrollment service is the gatekeeper of your security. So how do you get it right?

The first and foremost thing an IT manager needs to consider is enforcing that only corporate devices can enroll in the EMM. Each EMM has its own way of achieving this. Take AirWatch as an example.

Step 1: Under Devices & Users > Enrollment, check the Registered Device Only option to allow only devices registered via DEP or KME to enroll.

AirWatch Enrollment Settings

Step 2: Add devices to the registered (whitelisted) devices list under the Devices > Lifecycle > Enrollment Status tab. Devices registered via DEP automatically appear under Registered Devices. For KME, use batch import to import your KME devices into AirWatch manually.

AirWatch Enrollment Status

Once this is done, you have a decent gatekeeper for your EMM and corporate network: no random device can enroll in the EMM and connect to the corporate network.

In the BlackBerry UEM case, you can achieve this simply by applying “Do not allow unsupervised devices to activate” in the Activation Profile.

UEM Activation Profile

At the time of writing, UEM cannot enforce KME-registered-device-only enrollment.

It is interesting how MobileIron implements registered-device-only enrollment. There is no obvious setting for it; you have to work it out yourself. The trick is to use the different types of Device Registration settings. MobileIron distinguishes normal enrollment from DEP enrollment via the Device Registration settings and a DEP Enrollment Profile. For example, you can set In-app registration to use a Registration PIN, while the DEP enrollment profile uses a password.

MobileIron Device Registration
DEP enrollment Profile

In this way, any non-DEP device is classed as an in-app registration and is forced to use a Registration PIN generated by the IT admin. By issuing or withholding the PIN, the IT admin has full control over whether a secondary personal device is allowed to register.

Use attestation & compliance rules to safeguard your system

We have talked about how to gain extra security during the enrollment and configuration phases. There are plenty of other things you can do during the in-life management of a device. As an IT manager, I am sure you know the best practices for EMM policies, such as separating personal and corporate data using Knox Workspace or Android Enterprise, protecting data at rest (DAR) with encryption, and securing data in transit (DIT) with a VPN.

But an EMM should not simply assume a device is not compromised. Attestation lets the EMM check device integrity and apply compliance rules that protect your corporate network from a compromised device.

Instead of assuming, a Knox-enabled device provides the EMM with an attestation, a cryptographically verifiable collection of device state measurements. The attestation covers bootloader hashes, the kernel, TrustZone, and logs from runtime protection mechanisms, among others. It is signed using a key derived from a hardware-protected device root key (DRK). Because Knox Attestation is TrustZone based and the attestation agent runs inside the Secure World, the attestation result cannot be forged even if the Normal World is compromised, as on a rooted device. The attestation results from the device can therefore be trusted.

Knox Attestation Flow

To let EMMs verify the attestation, the remote Samsung server checks message integrity using Samsung's root key. The signed message includes a server-generated cryptographic nonce (a random number used only once), so that an attacker cannot replay an old, valid attestation message from an already compromised device.
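As an added example, and not code from the original post or Samsung's actual Knox Attestation protocol or message format, the Go program below models the challenge-response flow just described: the verifier issues a one-time nonce, the device signs its measurements together with that nonce, and the verifier checks the signature under a trusted key, consumes the nonce so the same report can never be accepted twice, and only then applies compliance rules to the measured bootloader and kernel hashes. The Ed25519 key pair stands in for the hardware-derived signing key and the vendor root key, and the type and function names (Measurements, Report, Verifier, Attest, Challenge, Verify), the field names and the known-good hash values ("boot-v1", "kernel-v1") and device id ("dev-001") are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Measurements is the constructed device-state report a device signs; the
// fields mirror what the post lists, the names and encoding are assumptions.
type Measurements struct {
	DeviceID        string
	BootloaderHash  string
	KernelHash      string
	RuntimeTampered bool // true if runtime protection logged a violation
}

// Report answers one challenge: measurements, nonce, one signature over both.
type Report struct {
	M         Measurements
	Nonce     []byte
	Signature []byte
}

// encode derives the bytes that are signed and verified; hashing the nonce in
// with the measurements binds the report to a single challenge.
func encode(m Measurements, nonce []byte) []byte {
	h := sha256.New()
	for _, f := range []string{m.DeviceID, m.BootloaderHash, m.KernelHash, fmt.Sprint(m.RuntimeTampered)} {
		h.Write([]byte(f))
		h.Write([]byte{0}) // separator so adjacent fields cannot run together
	}
	h.Write(nonce)
	return h.Sum(nil)
}

// Attest is the device side: sign the current measurements together with the
// challenge nonce. priv stands in for the hardware-protected signing key.
func Attest(priv ed25519.PrivateKey, m Measurements, nonce []byte) Report {
	return Report{M: m, Nonce: nonce, Signature: ed25519.Sign(priv, encode(m, nonce))}
}

// Verifier plays the attestation server: it issues nonces, tracks which are
// outstanding, and holds the trusted key plus the known-good image hashes.
type Verifier struct {
	pub                  ed25519.PublicKey
	goodBoot, goodKernel map[string]bool
	pending              map[string]bool // outstanding nonces, hex encoded
}

func NewVerifier(pub ed25519.PublicKey, goodBoot, goodKernel map[string]bool) *Verifier {
	return &Verifier{pub: pub, goodBoot: goodBoot, goodKernel: goodKernel, pending: map[string]bool{}}
}

// Challenge returns a fresh random nonce and records it as outstanding.
func (v *Verifier) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	v.pending[hex.EncodeToString(n)] = true
	return n, nil
}

// Verify accepts only a report that answers an outstanding nonce, carries a
// valid signature under the trusted key, and passes the compliance rules. The
// nonce is consumed after a valid signature, so a replayed report is rejected.
func (v *Verifier) Verify(r Report) error {
	key := hex.EncodeToString(r.Nonce)
	if !v.pending[key] {
		return errors.New("unknown or already used nonce (possible replay)")
	}
	if !ed25519.Verify(v.pub, encode(r.M, r.Nonce), r.Signature) {
		return errors.New("signature does not verify under the trusted key")
	}
	delete(v.pending, key)
	switch {
	case !v.goodBoot[r.M.BootloaderHash]:
		return errors.New("noncompliant: unknown bootloader hash")
	case !v.goodKernel[r.M.KernelHash]:
		return errors.New("noncompliant: unknown kernel hash")
	case r.M.RuntimeTampered:
		return errors.New("noncompliant: runtime protection reported tampering")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	v := NewVerifier(pub, map[string]bool{"boot-v1": true}, map[string]bool{"kernel-v1": true})
	nonce, _ := v.Challenge()
	rep := Attest(priv, Measurements{DeviceID: "dev-001", BootloaderHash: "boot-v1", KernelHash: "kernel-v1"}, nonce)
	fmt.Println("fresh report: ", v.Verify(rep))
	fmt.Println("replayed report:", v.Verify(rep))
}
```

Running it as a program shows the first Verify accepting the report and the second, identical report being rejected because its nonce has already been used. The ordering inside Verify matters: the nonce is consumed only after the signature checks out, so junk sent against an outstanding nonce does not prevent the genuine device from answering it, while a captured valid report can never be presented twice. In a real deployment the verification key is the vendor's root of trust and the known-good hashes come from the vendor, not from constants in the code.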

All major EMMs support Knox attestation once a Knox Workspace has been created on the device. For example, in MobileIron you can enable attestation from the Samsung General policy. (N.B. You need a valid Knox license to enable this feature.)

Samsung General policy

With BlackBerry UEM, you can enable the attestation from Settings > General settings > Attestation. To turn on attestation for Samsung Knox devices, select Enable periodic attestation challenges for KNOX Workspace devices.

Remove devices from the enrollment service after retiring or deleting a device

The mobile enrollment services we talked about earlier, such as DEP and KME, make it very convenient to enroll a newly purchased device in an EMM. But as an IT manager, when a broken device is returned to the device service centre, remember to remove the device from your KME console as well. This makes sure the refurbished device does not trigger enrollment when it is reused by another customer.

In this blog post, we talked about how to secure your enrollment network by using a dedicated WiFi network or a completely closed network using a private APN. Knox Configure can be a great help in getting the network settings right before devices are enrolled. We then moved to the enrollment stage and how you can enforce a corporate-device-only enrollment policy to build a gatekeeper for your EMM. During the in-life management stage, Knox Attestation gives you trusted attestation of your fleet's integrity to further safeguard your corporate network. Finally, we talked about some best practices when retiring or deleting a device for a return or break-fix.

Believe it or not, most of the points above cost you nothing if you are already using an EMM.


Cheng Luo

TAM - Enterprise @ Samsung, Author of Tizen for Dummies, An Introduction to bada, Professional Tizen Application Development