
Mobile Devices Management Plan

  • Anne Shroble
  • Mar 7, 2016

Now that we know which Mobile Device Management applications are out there, let’s examine how to correctly use them.

Boss man wants a new management plan for the BYOD people in the company. I suggested that we say no BYOD, but he insists that it is imperative to have them. People have rights you know.

So I researched, and found a most beautiful article on the subject. The website is: http://techorchard.com/wp-content/uploads/2015/02/BestPracticesforPolicies-2.pdf. (Citation machine won’t work on this url.) The article is based off the MaaS360® application by Fiberlink, which is an IBM Company. This is a good reference for setting up security policies. Big surprise here, it is also mentioned in the textbook.

I’m going to follow their example and hope to cover all the requirements of this assignment.

Step #1: Know your Industry’s regulations. The author is referencing healthcare or school districts, where the policies are regulated for the privacy of each individual. Author gives the following:

Armed with this knowledge you can set up your policies. Most companies only have a few policies:

  • Corporate devices

  • Personal devices

  • iOS devices

  • Android devices

Keep it simple. Many of your settings will be the same for each policy, because the requirements of your industry will be the same. Maintenance will be easier if, as much as it is possible, you treat all your users the same way.

Step #2: Require passcodes. Of all the ways to protect your devices, requiring passcodes probably gets you the greatest results with the least effort. Small devices like tablets and smartphones are easy to lose, so the chances of them ending up in someone else’s hands are pretty good.

This is my policy suggestion:

Step #3: Enforce Encryption: Apple’s iOS provides block-level encryption on all devices that are 3GS and higher. When a user sets up a passcode, however, it starts using the file-level encryption data protection element. As a result, if you are requiring your users to protect their iOS devices with a passcode, you don’t really need to worry about encryption. iOS will handle it automatically.

Google’s Android operating system is a different matter. Some devices don’t support encryption at all (usually the earlier models and operating system versions). To enforce encryption, you might have to refuse to support some Android devices.

The author recommends encryption; encryption is a must-have. You may encounter some resistance if you don’t support devices that cannot be encrypted, but it’s worth it in the end to know that your data is safe.

We recommend you prevent any devices that cannot be encrypted from connecting to your corporate resources.

Step #4: Restrict Device Features as Necessary. (Self-portal service) If your industry requires it, you may need to disable certain features on the devices. For example, you might want to disable cameras to protect proprietary information if your users work in a plant.

The operating system makes a difference here, too, because device features are different. For example, you may want to prevent iOS users from storing data to iCloud or from accessing Siri when the device is locked. Back in the day… If you wanted to use your own device, it fell under the policies of the company or you just didn’t get it connected. No ifs, ands, or buts.

Author Recommendations:

If these devices are owned by your employees, not given out by the company, you may want to restrict as little as possible. Author recommends restricting:

  • Accessing Siri when the device is locked

  • Bluetooth (or making it non-discoverable)

  • Mock locations

  • Syncing documents to iCloud (although we don’t recommend restricting backing up other things to iCloud or syncing using Photo Stream)

  • Camera, screen captures, and YouTube if it is required for your industry

On iOS devices, we recommend the following settings for Safari:

  • Leave the fraud warnings on

  • Block pop-ups

  • Accept cookies only from visited sites

Step #5: Keep a Watchful Eye on Apps. (Application management) This is where the rubber hits the road and a good security policy is implemented. Use the Mobile Device Management application and set it tight.

Having this application run each time the device is turned on would probably be the best scenario. This should protect the network from viruses and malware on devices that may have been taken off site and introduced to the nasties of the world.

Step #6: Use TouchDown for Setting up Email (Android Only)

With NitroDesk’s TouchDown product, you can encrypt emails and attachments, prevent unauthorized backups, prevent copying and pasting contacts or emails, and can block attachments from Android devices. It also gives your users a consistent experience, even if they are on different versions of Android.

Author Recommendations

  • Block native email capabilities on the device

  • Block Gmail

  • Require users to have TouchDown (pass it down using your MDM)

  • Encrypt emails

  • Encrypt attachments

There’s an added bonus, too: it’s easier to remove corporate settings when employees leave the company.

The e-mail would be restricted to company items only. Anything else is time theft and would be considered a violation of company policy. The MDM would be able to monitor this.

Step #7: Distribute Settings Over the Air (OTA). Your wireless network, VPN and passcode settings will probably be the same for all your users. Configuring them all individually would be a lot of extra time and trouble for your IT department. Some MDM solutions will let you create settings once and then push them to your users.

Author Recommendations:

Use a policy to push your wireless network, VPN and passcode settings to your users. If you push them OTA, you won’t have to touch each device. That can save your IT department a great deal of time and effort. There’s an added bonus, too: you don’t have to track down all your users and get their devices.

When someone leaves the company, you can remove their access and data the same way. You don’t need to try to track down someone’s personal device as they’re leaving—just remove the settings and information remotely.

Step #8: Warn First, Then Remediate Policy Violations. This would have to be my favorite policy; when your users do something that puts them out of compliance, it’s a good idea to give them some kind of notice. Although you probably have the ability to take action right away, a better approach is to send them a message and let them remediate the noncompliance on their own.

Author Recommendations

Set up device management options to automatically handle out of compliance situations. Send users a message explaining the company’s policy and why they are out of compliance with it. In most cases, you can give them some time to fix the problem before taking action (although there are exceptions). (I’d give them 5 seconds).

Your MDM solution should be able to do all this automatically, without your IT department having to learn of the problem and then take action.
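The checks from Steps 2 to 4 combined with the warn-first rule from Step 8, as an added example that is not taken from the referenced article or from any MDM product. The `Device` record, the rule names and the 24-hour grace period are assumptions made for illustration; a device that cannot be encrypted is treated as one of the exceptions and is blocked without a grace period, since its user has nothing to fix.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GRACE = timedelta(hours=24)  # assumed; the post does not fix a grace period

@dataclass
class Device:  # hypothetical inventory record, not a real MDM schema
    owner: str
    platform: str                  # "ios" or "android"
    passcode_set: bool
    supports_encryption: bool = True
    encrypted: bool = False
    siri_when_locked: bool = False
    warned_at: Optional[datetime] = None

def violations(d: Device) -> list:
    found = []
    if not d.passcode_set:                          # Step 2
        found.append("no passcode")
    if d.platform == "android":                     # Step 3: iOS follows the passcode
        if not d.supports_encryption:
            found.append("cannot be encrypted")
        elif not d.encrypted:
            found.append("not encrypted")
    if d.platform == "ios" and d.siri_when_locked:  # Step 4
        found.append("Siri usable while locked")
    return found

def decide(d: Device, now: datetime) -> str:
    found = violations(d)
    if not found:
        d.warned_at = None                          # fixed: clear the old warning
        return "compliant"
    if "cannot be encrypted" in found:
        return "block"                              # exception: user cannot fix this
    if d.warned_at is None:
        d.warned_at = now                           # Step 8: message first
        return "warn"
    return "block" if now - d.warned_at >= GRACE else "waiting"

FLEET = [  # constructed sample fleet, not real inventory data
    Device("alice", "ios", passcode_set=True),
    Device("bob", "ios", passcode_set=False),
    Device("carol", "android", passcode_set=True, encrypted=False),
    Device("dave", "android", passcode_set=True, supports_encryption=False),
]

def sweep(fleet, now):
    return {d.owner: decide(d, now) for d in fleet}
```

Calling `sweep(FLEET, now)` on each check-in returns one action per owner; a device moves from `warn` to `waiting` to `block` only if the violation is still present when the grace period runs out.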

The remote wipe policy wasn’t covered. If the device is somehow lost or stolen, the employee must report this immediately upon discovery of said event, and the device will be wiped remotely using the MDM software. My suggestion would be to not use your own device for work purposes.

Platform Support: The company will only provide support for Mac OS X and Windows 7 through 10 systems. Any other support will be by approval of the company and is to be installed by company IT personnel only.

Administrative permissions as well as Group profiles: Any and all changes to mobile devices will be decided at the upper level of management, meaning management must approve all changes and, again, only IT will be allowed to perform those changes. All permissions will be set in the server Active Directory and deployed by use of MDM/MAM.

Captive portal policy: This is used through log-on devices, such as the one BTC uses with Blackboard. An employee is required to log into the site and authenticate his/her permissions before being allowed to use the network resources. The passcode or password policy will be integrated into this policy as well.

And of course, test your policies.

So there you have it. I'm starting to think that reading the book before indulging in these blogs would be most beneficial, yes. Well anyhow, so ends another adventure in the "Backyard Blog". I'm thinking maybe I should call this the "back of the yards" blog.

Have a nice day, and happy researching.


 
 
 
