10 BEST PRACTICES FOR MOBILE DEVICE MANAGEMENT (MDM)




CONTENTS

INTRODUCTION ... 2
SCOPE OF BEST PRACTICES ... 2
1. HAVE A POLICY THAT IS REALISTIC ... 3
2. TAKE STOCK USING A MULTIPLATFORM REPORTING AND INVENTORY TOOL ... 3
3. COVER THE BASICS: PASSWORDS, ENCRYPTION, AND REMOTE WIPE ... 3
4. MAKE IT SIMPLE TO GET UP AND RUNNING ... 4
5. START PLANNING FOR CENTRALIZED CONTROL ... 4
6. INCLUDE YOUR MOBILE DEVICE INVENTORY AND POLICY STATUS IN OPERATIONS REVIEWS ... 4
7. ENABLE COST MANAGEMENT FOR NETWORK USAGE ... 5
8. MANAGE APPLICATION RESTRICTIONS AND YOUR OWN APPLICATION STOREFRONT ... 5
9. PROVIDE NETWORK PROTECTION ... 5
10. LIMIT DATA TRANSFERS, AND SEPARATE CORPORATE AND PERSONAL INFORMATION ... 5
FORESCOUT MDM FOR MOBILE DEVICES ... 6
FORESCOUT COUNTERACT INTEGRATION ... 7
ABOUT FORESCOUT ... 8

MDM systems include a wide range of tools that help you support the entire enterprise mobility lifecycle: provisioning, configuration management, compliance and security, app and document management, support, expense management, and reporting.

Introduction

Businesses and employees are now using mobile devices in ways not envisioned as recently as a year ago. Personal device ownership and usage in the enterprise is growing rapidly, and more businesses than ever before are facing the challenge of how to fully provision, manage and secure mobile devices in their corporate environments. Desktops, laptops, smartphones and tablets are coming together and need a single platform to manage every device, both personal and corporate owned.

Scope of Best Practices

So why is it taking so long for businesses to officially assimilate mobile devices into their organizations? It's usually because they want to put an IT strategy for management and operation in place first. We understand that IT would like to add a degree of rigor, but the solution doesn't have to be that difficult.

This document describes 10 best practices for Mobile Device Management (MDM). Regardless of your business, industry or users, be sure to adopt the following practices:

1. Have a policy that is realistic
2. Take stock using a multiplatform reporting and inventory tool
3. Cover the basics: passwords, encryption, and remote wipe
4. Make it simple to get up and running
5. Start planning for centralized control
6. Include your mobile device inventory and policy status in operations reviews
7. Enable cost management for network usage
8. Manage application restrictions and your own application storefront
9. Provide network protection
10. Limit data transfers, and separate corporate and personal information

1. Have a Policy That's Realistic

You need to:

1. Support multiple device platforms
2. Allow personal devices

Frankly, nearly all organizations are doing this now. They just don't know it. Chances are good that your business has a BlackBerry corporate standard, right? And that your business has at least one iPhone or iPad that syncs to your email infrastructure (most likely for the CEO or president) using Exchange ActiveSync or Lotus Notes Traveler. If that's the case, you probably have a lot more personal iOS, Android and Windows Phone devices inside your organization. After all, it's easy for any mobile device to integrate with email infrastructure like Exchange using the ActiveSync functionality you turned on. Just Google "Setting up iPhone on Exchange" and see how your employees are doing it.

2. Take Stock Using a Multiplatform Reporting and Inventory Tool

Making decisions and quantifying risks about mobile devices is hard without good data on the mobile devices and BYOD computers in your environment. For instance, it's not uncommon for terminated employees to still be using corporate mobile devices, but you can't stop this unless you know about it. With a lightweight reporting and inventory tool, you can keep tabs on how mobile devices are being used and by whom. Make sure the solution:

- Empowers the helpdesk to troubleshoot devices
- Is accessible outside of IT (for example, HR should have access during exit interviews to turn off devices for employees who are leaving the company)
- Includes strong application inventory and search capabilities
- Includes the ability to see not just mobile devices but also BYOD computers running Windows and MacOS

3. Enforce Basic Security: Password, Encryption, and Remote Wipe

Be sure to do the following:

- Require a strong password
- Set up devices to automatically lock after 5-15 minutes of inactivity
- Configure devices to automatically wipe after 10 failed login attempts or if they are reported lost
- Enable local encryption

Some organizations may want to consider more protection. But before you put yourself in that category, ask yourself one question: Do we enforce this level of security on our laptops?

You may be worried that you'll need a new solution to implement the first three best practices. That isn't necessarily the case. If you have a BlackBerry Enterprise Server, then you are covered on that platform. And with Exchange or Lotus Notes, you can enforce your PIN policy and remote wipe your iPhones, iPads, and Windows Phone devices. (Android added this Exchange-based security control in version 2.2.)

Following the three principles we've already outlined is a responsible approach that takes advantage of existing infrastructure for device and risk management. And it's a smart one, considering that you really can't stop people in your environment from using mobile devices. The biggest issue with this approach is that reporting is limited and not scalable: you'll need to develop and run reports manually, and deal with the lack of a centralized view into all devices. But taking the first step with reporting and inventorying can dramatically improve your current posture on the uber-popular iPhone and Android devices. Then you can plan a more scalable and robust management and security solution (as described in the next best practices).

4. Make It Simple to Get Up and Running

Don't make IT responsible for reviewing each request for device and system access. Instead, empower users to enroll their own devices by visiting a single URL. Set up a network access control system that automatically directs new devices to a web page where users can enroll their devices themselves. Set up a default policy that approves new users' devices and pushes down their email and corporate Wi-Fi profiles.

In addition to making the process easy for end users, simplify things for IT. For example, your policy could specify that any Android device with OS 2.2.4 or above is automatically granted access to corporate systems, while any Android device on an earlier operating system is granted more limited access or blocked entirely. By integrating your MDM system with a network access control (NAC) system, this level of control can be automated.

5. Start Planning for Centralized Control

Your BlackBerry Enterprise Server is probably well entrenched, both operationally and economically. But it is not multiplatform, and a multiplatform solution is needed to support the variety of devices in your environment. Consider these four emerging and economically sound best practices:

1. Integrate your MDM platform with a system that can also manage PCs and Macs as well as mobile devices. The lines between laptops, tablets, and smartphones will continue to blur in both user functionality and IT operations. A versatile MDM solution will cut down on infrastructure costs, improve operational efficiency, and create a single user view into devices and data for operations and security.
2. Be sure your reporting and inventory tool consolidates both your existing BlackBerry and your multiplatform MDM solutions. You'll rely on your data and reports daily, and you'll want to avoid any manual processes to access your business intelligence on mobile devices.
3. Take a look at cloud-based MDM services. When you account for full Total Cost of Ownership (TCO), a LAN-oriented management solution can be costly. Why use a more expensive, wired solution to manage remote mobile devices?
4. Go the agent route with caution. If you can meet your needs with network-based security controls, all the better. You'll find that a network-based solution is better for the long haul, given the proliferation of hardware/OS/carrier combinations. If you opt for an agent-based solution, you'll spend lots of time installing and maintaining it across the mobile landscape.

6. Include Your Mobile Device Inventory and Policy Status in Operations Reviews

Report on and discuss your mobile device inventory and policy status, including personal devices, in your IT operations reviews. It's a good way to broaden the discussion beyond those responsible for managing devices in your environment. It's also an opportunity to raise the visibility of the benefits for your organization, as well as of future resource requirements, such as needed involvement from those responsible for security and other areas of IT. Your inventory and reporting tool should make it simple to produce the reports that start conversations in these meetings.

The practices we've discussed so far should meet most organizations' needs. In fact, they satisfy the most stringent security and privacy regulations, such as those dictated by HIPAA, FINRA, and PCI DSS. These regulations only require, in practice, that organizations encrypt their data and are able to destroy data on a lost device. The essential practices cover that and more.
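The device checks from best practices 2, 3 and 4 (inventory cross-checked against the active-employee roster, the four security basics, and the Android 2.2.4 access rule) worked through as an added Python example; it is not part of the original paper or of any ForeScout or MaaS360 product. The inventory records, the choice of 15 minutes as the auto-lock bound, and the record layout are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds from best practices 3 and 4. Assumption: 15 minutes is the upper
# bound of the 5-15 minute auto-lock window.
MAX_AUTOLOCK_MINUTES = 15
MAX_FAILED_ATTEMPTS = 10
MIN_ANDROID_FULL_ACCESS = (2, 2, 4)

@dataclass
class Device:
    """One inventory record (constructed shape, not any MDM export format)."""
    device_id: str
    owner: str
    platform: str                       # "ios", "android", "blackberry", ...
    os_version: str
    passcode_set: bool
    autolock_minutes: Optional[int]     # None: the device never locks
    wipe_after_failures: Optional[int]  # None: no auto-wipe configured
    encrypted: bool
    reported_lost: bool = False

def parse_version(version: str) -> tuple:
    """Compare numerically: "2.10" ranks above "2.2", which string order gets wrong."""
    return tuple(int(part) for part in version.split("."))

def policy_violations(d: Device) -> list:
    """The four basics from best practice 3; each failed check is one reason."""
    problems = []
    if not d.passcode_set:
        problems.append("no passcode")
    if d.autolock_minutes is None or d.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        problems.append("auto-lock disabled or longer than 15 minutes")
    if d.wipe_after_failures is None or d.wipe_after_failures > MAX_FAILED_ATTEMPTS:
        problems.append("no wipe within 10 failed attempts")
    if not d.encrypted:
        problems.append("local encryption off")
    return problems

def access_decision(d: Device, active_users: set) -> tuple:
    """Return (decision, reasons). A lost device is wiped before anything else is
    checked; a device whose owner has left (best practice 2) is blocked even if
    it is otherwise compliant; old Android gets limited access (best practice 4)."""
    if d.reported_lost:
        return "wipe", ["reported lost"]
    if d.owner not in active_users:
        return "block", ["owner is no longer an active employee"]
    problems = policy_violations(d)
    if problems:
        return "block", problems
    if d.platform == "android" and parse_version(d.os_version) < MIN_ANDROID_FULL_ACCESS:
        return "limited", ["Android %s is below 2.2.4" % d.os_version]
    return "full", []

def evaluate_inventory(devices, active_users) -> dict:
    """device_id -> decision, the summary an operations review (practice 6) wants."""
    return {d.device_id: access_decision(d, active_users)[0] for d in devices}

# Constructed sample inventory and HR roster of active employees.
ACTIVE_USERS = {"alice", "bob", "carol"}
INVENTORY = [
    Device("ios-1", "alice", "ios", "6.1", True, 10, 10, True),
    Device("and-1", "bob", "android", "2.2.1", True, 5, 10, True),
    Device("and-2", "bob", "android", "2.10.0", True, 5, 10, True),
    Device("ios-2", "carol", "ios", "6.0", True, 30, None, False),
    Device("ios-3", "dave", "ios", "6.1", True, 5, 10, True),   # dave has left
    Device("and-3", "alice", "android", "4.1", True, 5, 10, True, reported_lost=True),
]
```

Calling evaluate_inventory(INVENTORY, ACTIVE_USERS) yields the per-device decision table; access_decision returns the reasons as well, which is what the helpdesk and HR views from practice 2 need.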

7. Enable Cost Management for Network Usage

Multinational businesses need to be able to monitor and limit international data roaming, since those costs can quickly reach thousands of dollars per trip. Also, with the US pricing plans introduced by AT&T for iPhones and iPads, usage tracking and restriction will become a requirement for domestic connectivity. Verizon also carries iPhones and Android devices, so anything other than a flat-rate unlimited plan could lead to high costs.

8. Manage Application Restrictions and Your Own Application Storefront

Today, most smartphone and tablet vendors do a good job of limiting usage to certified and approved applications. Some would argue they do too good a job of restricting access. Other vendors maintain a very open policy for creating applications, with no formal process for certifying apps. That said, certain organizations or industries may need to restrict the type of application allowed on a corporate-approved device. If you want to be proactive about it, set up your own enterprise application storefront. This allows you to present a list of approved applications and ease their delivery to mobile devices. Plus, your users will know where to go for these applications and for updates. Some MDM solution providers can even help you deliver documents such as PDFs to devices.

9. Provide Network Protection

While it is true that MDM protects devices that have already enrolled in the system, MDM is not a complete security solution, for a few reasons:

- MDM systems can only see and manage devices that have already been enrolled in the MDM system. MDM is blind to unmanaged devices on the network.
- MDM systems typically do not control access to the network itself. Thus, MDM does not prevent unauthorized access to data on the network, nor does MDM prevent infected or compromised devices from attacking the network.
- MDM systems typically do not manage personally owned Windows and MacOS computers.
- MDM systems are sometimes operated as another management silo, with another set of management screens, separate policies, and separate reports. Even worse is when the MDM system is managed by a different group of people than those responsible for computer security. This creates an opportunity for policies to be inconsistently applied and translated across the various IT management systems and groups.

To resolve these issues, consider linking your MDM system to a network access control (NAC) system, which ties into your broader security infrastructure for PCs and provides real-time visibility and control over new and unmanaged devices.

10. Limit Data Transfers and Separate Corporate and Personal Information

Some businesses find it valuable to restrict downloading attachments or to prevent the copying of data to removable media. Implementing these solutions is very difficult, and the data classification exercise is nearly intractable. An alternative is to create separate virtual containers for business and personal data and applications.

Use both MDM and NAC for complete BYOD security.

ForeScout MDM for Mobile Devices

ForeScout MDM, powered by MaaS360, is an easy-to-use platform that includes all of the essential functionality you need for end-to-end management of iOS, Android, BlackBerry, and Windows Phone devices. And what's better is that it integrates with ForeScout CounterACT, our flagship network security and policy automation system, to give you unified visibility and control over everything on your network.

ForeScout MDM is a cloud-based solution, so deployment is quick and easy. In just a few clicks, IT can start enrolling devices and managing the entire mobile device lifecycle, from enrollment to security, monitoring, application management and support. Together with ForeScout CounterACT, ForeScout MDM provides a whole new level of centralized visibility and control for actionable insights into your entire computing landscape.

- Secure all mobile devices: ForeScout MDM supports all major smartphone and tablet platforms, including iOS, Android, Windows Phone, and BlackBerry, in both Exchange and Lotus Notes environments.
- Embrace BYOD: ForeScout MDM provides workflows to discover, enroll, manage and report on personally owned devices as part of your mobile device operations.
- Experience simple device enrollment and approval: ForeScout MDM provides auto-quarantine for Exchange, and alerts IT personnel to approve all new devices. It also provides for easy user self-enrollment via web, email or SMS.

ForeScout MDM is powered by MaaS360, a powerful cloud-based technology that is used to manage and secure more than one million endpoints for more than 1,200 companies around the world. The MaaS360 platform was honored with the 2012 Global Mobile Award for Best Enterprise Mobile Service at Mobile World Congress.

ForeScout CounterACT Integration

ForeScout CounterACT is the world's best-selling self-contained network access control (NAC) system. ForeScout CounterACT can integrate with ForeScout MDM and other leading MDM vendors, and as a result provides you with many advantages:

- Visibility of unmanaged mobile devices. MDM systems can only see what they are managing. ForeScout CounterACT can provide visibility to personal mobile devices that are not managed.
- Enrollment. ForeScout CounterACT can automate the enrollment process for new devices, saving IT time and resources.
- On-demand profiling. MDM systems routinely check to see if the configuration of a mobile device matches a defined policy. This profile scan is done at various intervals so that battery life is maintained (consider how many full virus scans you can perform on an unplugged notebook before it goes dead). This leaves a window of risk between when a device is on your network and when it was last scanned. When your MDM system is integrated with ForeScout CounterACT, CounterACT can trigger a fresh configuration scan the moment the mobile device tries to connect to your network.
- Improved security, by ensuring that only enrolled and compliant devices are admitted to your network.
- Unified network access control and compliance reporting for all endpoint devices: PCs, smartphones, and tablets. This is especially important for organizations with split responsibilities, where one team manages the MDM system and another team is responsible for security management.
- Guest registration. If you wish to set up a guest network for personal mobile devices, you can use ForeScout CounterACT's built-in guest registration system. Once a guest has been approved, ForeScout CounterACT can dynamically enforce your security policies, such as restricting the user's access to just the Internet.
- Continuous protection. If malware exists on the mobile device and tries to propagate or interrogate your network, ForeScout CounterACT will detect the malicious behavior, block the threat, and can automatically quarantine or remove the mobile device from your network. ForeScout CounterACT includes ForeScout's patented ActiveResponse technology, which can detect and block zero-day threats.

About ForeScout

ForeScout enables organizations to accelerate productivity and connectivity by allowing users to access corporate network resources where, how and when needed without compromising security. ForeScout's real-time network security platform for access control, mobile security, endpoint compliance and threat prevention empowers IT agility while preempting risks and eliminating remediation costs. Because the ForeScout CounterACT solution is easy to deploy, unobtrusive, intelligent and scalable, it has been chosen by more than 1,400 of the world's most secure enterprises and military installations for global deployments spanning 37 countries. Headquartered in Cupertino, California, ForeScout delivers its solutions through its network of authorized partners worldwide. Learn more at www.forescout.com.

2013 ForeScout Technologies, Inc. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT, and ActiveResponse are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc 2013009