April 16, 2012

A Roll-Up-Your-Sleeves Look at Mobile Policy

There are all kinds of policies to create and enforce in your mobile enterprise. Topping most IT professionals' priority lists are those policies having to do with security - the network rules that help prevent data theft, keep malware off your network and ensure compliance with internal practices and industry-specific security regulations.

Mobile policy setting and enforcement have many facets. Let's look at a couple particularly challenging ones:

  1. How do you institute security on employee-owned devices that your network doesn't recognize?
  2. How do you avoid having to recreate existing network policies specifically for the mobile environment?

Take it from the Top: Discover BYODs

WirelessTechNoteApril-16-2012-SIDEBAR.jpgFirst, to succeed at any mobile security policy setting and enforcement, you need to discover all the mobile devices attempting to access your network. Until recently, many enterprises have been - or still are - flying blind (see sidebar). Usernames and passwords help identify users, but device types and their security postures remain a mystery without the aid of special visibility tools.

One reason is that many users now have one or more mobile devices they have bought themselves. When they first attempt to connect, your network won't recognize their IP addresses. If you are in favor of allowing employees to use their own devices for some level of network access, you'll need a way to determine whether it's safe to grant access to these phantom smartphones and tablets.

First, you'll need to learn who the user is (is he or she a legitimate employee?) and then check the posture of the device (has the device been jailbroken or rooted, for example, or does it contain any malware?).

Getting this information requires some sort of tool that will identify all the devices, known and unknown, trying to access your network. Usually that tool is a mobile device management (MDM) hardware or virtual appliance, server software or cloud service. Often, you can connect the MDM system to your corporate email server or an authentication server.

When a mobile device tries to connect, existing usernames/password combinations verify the user. To assess the devices themselves, it's possible to start by assembling a database of basic information that's available via the connection between the MDM system and your email infrastructure, explains Custie Crampton, vice president of product management at Tangoe, an MDM and telecom expense management company.

Since most organizations have deployed mobile email, Tangoe performs device autodiscovery via Microsoft Exchange using custom APIs that reveal the type of device connecting to a given email account, its phone number, model number and operating system, he explains.

Ideally, for the greatest control, you'll want to install MDM client software on the mobile device. The profile created via Exchange creates a temporary "mini client" for the device, Crampton says; the next time the device attempts to connect, a full client can be pushed over the air to the device. Once the full MDM client is on the device, there is much more information that can be collected about the device and its ongoing posture.

If an employee who has brought in a personal device is not OK with you installing MDM client software on it, you will likely restrict him or her to mobile email access only from that personal device.

Piggybacking on Existing Policy Infrastructure

As indicated, some MDM tools integrate directly with existing backend equipment, such as an existing Microsoft Exchange email server or Active Directory or other authentication server. In this situation, you can pass along username and password credentials and authenticate users in the same way as on the wired network.

"Most companies have already set up core hierarchies and attributes within Active Directory," observes Ojas Rege, vice president of strategy at MDM company MobileIron. "They don't want to have to recreate them in their mobile system."

Active Directory, though, verifies users' identities, not devices and their security postures, Rege acknowledges.

Similarly to Tangoe, MobileIron connects to email servers based on the ActiveSync protocol - such as Exchange, Notes, Gmail and Office 365 - as a venue for checking device posture and quarantining, remediating or blocking devices if necessary.

MobileIron will also connect to your certificate authority (CA), if you have one, to ensure that the device is in fact the device it claims to be; if you're not already running a CA infrastructure, it offers a CA specifically for your mobile population.

Search Webtorials

Get E-News and Notices via Email




I accept Webtorials' Terms and Conditions.

Trending Discussions

See more discussions...

Featured Sponsor Microsites



Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.