Category Archives: MDM

Windows Phone 8.1 Security and MDM Part 8 – MDM Settings in Windows Phone 8.1

Windows Phone 8.1 Security and MDM Part 8
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here is a chart from the white papers on MDM and EAS policies, and what features and settings you can now manage in Windows Phone 8.1 with each.

Links

Windows Phone 8.1 Security Overview

http://tinyurl.com/pybf8yv

Windows Phone 8.1 MDM Overview

http://tinyurl.com/ndtvcgx


Windows Phone 8.1 Security and MDM Part 7 – Remote Inventory and Assistance and Device Retirement

Windows Phone 8.1 Security and MDM Part 7
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional excerpts from the white papers on Remote Inventory and Assistance and Device Retirement.

Links
Windows Phone 8.1 Security Overview
http://tinyurl.com/pybf8yv
Windows Phone 8.1 MDM Overview
http://tinyurl.com/ndtvcgx

Remote Inventory and Assistance

Mobile devices rarely remain stationary, and they may rarely connect to your organization’s intranet. This means you need to manage and provide support for devices remotely. Windows Phone includes the Remote Inventory and Remote Assistance features to help keep on-the-go users productive in their job roles.
Remote Inventory
Remote Inventory helps you better manage devices by providing in-depth information about each device.

Windows Phone 8 and Windows Phone 8.1

Installed enterprise apps
Device name
Device ID
OS platform type
Firmware version
OS version
Device local time
Processor type
Device model
Device manufacturer
Device processor architecture
Device language

New information in Windows Phone 8.1 only

Phone number
Roaming status
IMEI & IMSI
Wi-Fi IP address
Wi-Fi DNS suffix and subnet mask

Your MDM system collects the inventory information remotely from the device, then you can use the reporting capabilities of your MDM system to analyze device resources and information. Using this information, you can determine the current hardware and software resources of the device, which helps you keep track of which devices are current with updates.

Device Retirement

Device retirement (un-enrollment) is the last phase of the device life cycle. Typically, mobile device retirement is a complex and difficult process for organizations. When the device is no longer needed, any corporate data must be removed (wiped) from the phone. BYOD scenarios make retirement even more complex, because the user might have personal data on the device that they want to keep. So, organizations must remove their data without affecting the user’s data.
If the device is lost or stolen, the organization must remove any corporate data from the device, as well. For these scenarios, device retirement must be done remotely, because authorized users won’t have physical access to the device.
You can remotely remove all corporate data from a Windows Phone device without affecting the existing user data. IT pros or the device’s user can initiate device retirement. When the retirement is completed, the device is returned to a consumer state. The following list offers some of the corporate data removed from a device when it is retired:

Email accounts
Enterprise-issued certificates
Network profiles
Enterprise-deployed apps
Any data associated with the enterprise-deployed apps
Enterprise-issued device policies

Note All of these features are in addition to the software and hardware factory reset features of the device, which people can use to restore the device to the factory configuration.

The policies that are available for managing device retirement include:

Disable user manual MDM un-enrollment
Disable user manual MDM software and hardware factory reset

Your MDM system can set these policies on devices as required (see the “Configuration policies management” section of the MDM Overview white paper). For BYOD devices, the user may want to retire the device as well. When the user retires a device, your MDM system receives a report from the device that the user is retiring it. Use this information to perform additional analysis, if necessary.
For more information about the policies used to manage device retirement (un-enrollment) in Windows Phone, see http://go.microsoft.com/fwlink/?LinkId=394996.

Windows Phone 8.1 Security and MDM Part 6 – Email Message and Account Management

Windows Phone 8.1 Security and MDM Part 6
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional excerpts from the white papers on Email Message and Account Management.

Links
Windows Phone 8.1 Security Overview
http://tinyurl.com/pybf8yv
Windows Phone 8.1 MDM Overview
http://tinyurl.com/ndtvcgx

Email Account Management

Probably one of the most important services for users is email. Today, most users are unable to perform their normal job functions without email, and mobile users are no exception. In fact, they are even more dependent on email to maintain communication while on the move.
Windows Phone allows your MDM system to manage user email accounts. You can push specific email accounts to devices and prevent users from adding personal email accounts, which helps ensure that organization-owned devices are used for their intended purpose and reduces the chance of malware reaching the device through unmanaged personal accounts.

Email Message Management

You can use your MDM system to manage the email accounts and connectivity to your mail system, but what about the management of the email messages themselves? You can use the EAS services that Microsoft Exchange Server provides in conjunction with your MDM system to manage email messages. Table 2 in the MDM Overview white paper lists the policies that both MDM and EAS support and the policies that only EAS supports.

Windows Phone 8.1 Security and MDM Part 5 – VPN Identity and Access

Windows Phone 8.1 Security and MDM Part 5
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional excerpts from the white papers on VPN Identity and Access.

Links
Windows Phone 8.1 Security Overview
http://tinyurl.com/pybf8yv
Windows Phone 8.1 MDM Overview
http://tinyurl.com/ndtvcgx

VPN Identity and Access

Many organizations use VPNs to provide access for remote users. Windows Phone includes built-in support for a number of VPN providers in addition to Microsoft, including Check Point, F5, Juniper, and SonicWall.
Windows Phone includes support for IKEv2, IPsec, and SSL VPN connections, but the SSL VPN connections require a downloadable plug-in from the VPN server vendor. Windows Phone also includes auto-triggered VPN support (similar to the auto-triggered VPN support [see http://blogs.technet.com/b/networking/archive/2013/10/03/automatically-triggering-vpn-connections-and-vpn-diagnostics-enhancements-in-windows-8-1.aspx] in Windows 8.1), and unique VPN connections can be defined on a per-app basis. When the user switches between apps, Windows Phone automatically establishes the VPN connection for that app.

Your MDM system can deploy (push) VPN connection profiles to users, which helps ensure that VPN connections have the appropriate security settings.

Windows Phone 8.1 Security and MDM Part 4 – Wi-Fi Identity and Access

Windows Phone 8.1 Security and MDM Part 4
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional excerpts from the white papers on Wi-Fi Identity and Access.

Links
Windows Phone 8.1 Security Overview
http://tinyurl.com/pybf8yv
Windows Phone 8.1 MDM Overview
http://tinyurl.com/ndtvcgx

Wi-Fi Identity and Access

Users use Wi-Fi connections almost as much as they use their cellular data connections. And with regard to the sheer volume of data, Wi-Fi connections are used to transfer the largest amounts of data more often. Many apps that users run require secured, persistent, high-speed connections to resources, and although cellular data connections continue to improve, they cannot keep pace with Wi-Fi connection speeds. This means that users will prefer to use Wi-Fi connections regardless of whether they are at the office, at home, or in public areas.

Windows Phone 8 can encrypt Wi-Fi connections using Wi-Fi Protected Access (WPA and WPA2) with a pre-shared key, and Wired Equivalent Privacy (WEP). Both are still available in Windows Phone 8.1 (WEP is broken and should only be kept for a legacy network that leaves no alternative), but Windows Phone 8.1 now adds 802.1X authentication using EAP-TLS and EAP-TTLS, the methods used by WPA2-Enterprise networks, which provide enterprise-class Wi-Fi features.

EAP-TLS requires a client certificate installed on the device. This certificate authenticates the device for wireless connectivity and is typically issued by a CA within your organization. EAP-TTLS authenticates the network to the device with the server’s certificate and then carries the user’s credentials inside the TLS tunnel, so it does not by itself require a client certificate. In both cases the device needs the CA certificate that validates the RADIUS server; without that check a device can be talked into authenticating to a rogue access point. Your wireless infrastructure denies access to devices that cannot present the correct certificate or credentials.
Client certificates dramatically increase the authentication and identity strength of Wi-Fi connections. WEP offers no real protection, and a WPA or WPA2 pre-shared key is one secret shared by every device (and every former employee) that cannot be revoked for a single device. A Wi-Fi network that requires EAP-TLS authentication gives each device its own identity that can be revoked on its own.

Of course, the downside to client-side certificates is the management of those certificates. Fortunately, you can manage client-side certificates through your MDM system. A properly designed MDM system can deploy the certificates to devices.

In addition to managing certificates for EAP-TLS and EAP-TTLS authentication, you can use your MDM system to perform the following Wi-Fi–related management tasks:

Provision Wi-Fi profiles, which include the service set identifier (SSID), even if it’s hidden, and any PSKs.
Prevent a device from being used as a Wi-Fi hotspot.

Prevent users from manually adding Wi-Fi profiles and connecting to untrusted hotspots.

Prevent users from routing traffic through Wi-Fi connections (Wi-Fi offloading).

You can control all of these tasks by using security policies configured in your MDM system, and then applied to your Windows Phone devices.
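Before a Wi-Fi profile is pushed out, it is worth checking what kind of authentication it actually configures, because a profile that carries a PSK or a WEP key is itself the secret. The following is an added example, not code from the white papers or from Microsoft: it classifies profiles written in the shape of the Windows WLAN profile XML (the format an MDM system hands to the device; the inner OneX/EapCommon namespaces are omitted here and elements are matched by local name, so the namespaces do not affect the result). The three profiles, their SSIDs, and the passphrase are constructed; the EAP method numbers are the IANA values (13 EAP-TLS, 21 EAP-TTLS, 25 PEAP).

```python
"""Classify Wi-Fi profiles by authentication strength before an MDM pushes them.

Added example, not from the white papers. Profiles are constructed in the
shape of the Windows WLAN profile XML; tags are matched by local name.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

EAP_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}  # IANA EAP types

# --- constructed sample profiles (names, SSIDs and key are made up) ---
CORP_EAP_TLS = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso-Corp</name>
  <SSIDConfig><SSID><name>Contoso-Corp</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX></authEncryption>
    <OneX><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type>13</Type></EapMethod>
    </EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""

GUEST_PSK = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso-Guest</name>
  <SSIDConfig><SSID><name>Contoso-Guest</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption>
      <useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected>
      <keyMaterial>not-a-real-passphrase</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

LEGACY_WEP = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Warehouse-Scanner</name>
  <SSIDConfig><SSID><name>Warehouse-Scanner</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>open</authentication><encryption>WEP</encryption>
      <useOneX>false</useOneX></authEncryption>
  </security></MSM>
</WLANProfile>"""


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # '{ns}name' -> 'name'


def _first(root: ET.Element, name: str) -> Optional[ET.Element]:
    return next((el for el in root.iter() if _local(el.tag) == name), None)


def _text(root: ET.Element, name: str, default: str = "") -> str:
    el = _first(root, name)
    return (el.text or default).strip() if el is not None else default


def eap_method(root: ET.Element) -> Optional[str]:
    """Name of the outer EAP method, or None if absent/unrecognised."""
    method = _first(root, "EapMethod")
    if method is None:
        return None
    try:
        return EAP_METHODS.get(int(_text(method, "Type", "-1")))
    except ValueError:
        return None


def audit_profile(xml_text: str) -> Dict[str, object]:
    root = ET.fromstring(xml_text)
    auth = _text(root, "authentication", "open").upper()
    enc = _text(root, "encryption", "none").upper()
    one_x = _text(root, "useOneX", "false").lower() == "true"
    findings: List[str] = []

    if auth in ("OPEN", "SHARED") or enc == "WEP":
        level = "broken"
        findings.append(f"{auth}/{enc}: WEP or no encryption; anyone in range can read or join")
    elif auth.endswith("PSK"):
        level = "shared-secret"
        findings.append("PSK: one secret shared by every device and stored in the profile")
        if _first(root, "keyMaterial") is not None:
            findings.append("keyMaterial is in the profile; handle the profile as a secret")
    elif one_x:
        method = eap_method(root)
        if method == "EAP-TLS":
            level = "certificate"  # per-device client certificate
        elif method in ("EAP-TTLS", "PEAP"):
            level = "tunneled-credential"
            findings.append(f"{method}: server proves identity by certificate; the client "
                            "usually sends a password inside the TLS tunnel")
        else:
            level = "unknown"
            findings.append("802.1X enabled but EAP method missing or unrecognised")
    else:
        level = "unknown"
        findings.append(f"{auth} without 802.1X or a PSK")

    if _text(root, "nonBroadcast", "false").lower() == "true":
        findings.append("hidden SSID: devices probe for it by name; not a security control")

    return {"name": _text(root, "name"), "level": level,
            "corporate_ok": level == "certificate", "findings": findings}
```

Only a profile that comes back as `certificate` meets the bar the text sets for corporate Wi-Fi; the `tunneled-credential` result is the reminder that EAP-TTLS and PEAP are not the same thing as per-device certificates, and the hidden-SSID finding is there because a non-broadcast SSID makes the phone announce the network name wherever it goes.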

Windows Phone 8.1 Security and MDM Part 3 – Certificate Authentication

Windows Phone 8.1 Security and MDM Part 3
Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional excerpts from the white papers on Certificate authentication.

Links
Windows Phone 8.1 Security Overview
http://tinyurl.com/pybf8yv
Windows Phone 8.1 MDM Overview
http://tinyurl.com/ndtvcgx

Certificate authentication

Many apps and remote connectivity solutions use certificates as an additional authentication factor and for signing. Windows Phone supports the use of certificate authentication for:

Wi-Fi connections. Windows Phone supports EAP-TLS and EAP-TTLS authentication for Wi-Fi connections. For more information about Wi-Fi connections in Windows Phone, see the “Wi-Fi identity and access” section of the Security Overview white paper (covered in Part 4 of this series).

Virtual smart cards. Windows Phone supports the use of virtual smart cards for more secure browsing and also for S/MIME signing and encrypting of email messages.

S/MIME signing. S/MIME signing requires a certificate or virtual smart card that is used to create the digital signature for email messages. For more information about S/MIME signing, see “S/MIME signing and encryption” in the Security Overview white paper.

Windows Phone protects certificates and keys by using the TPM that is built into each device. The TPM can release keys automatically, on demand, or based on a secondary authentication factor (such as a PIN in the case of virtual smart cards). (From the Windows Phone 8.1 Security Overview.)

Most MDM systems allow you to manage certificates throughout their life cycle, including certificate enrollment, renewal, and revocation. Windows Phone uses the Simple Certificate Enrollment Protocol (SCEP) to perform certificate management. SCEP allows you to use the certification authority (CA) of your choice (or as required by the MDM system).

Windows Phone 8.1 Security and MDM Part 2 – App Allow and Deny Lists Management

Windows Phone 8.1 Security and MDM Part 2

Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional excerpts from the white papers on App Allow and Deny Lists management.

Links
Windows Phone 8.1 Security Overview
http://tinyurl.com/pybf8yv
Windows Phone 8.1 MDM Overview
http://tinyurl.com/ndtvcgx

App Allow and Deny Lists management

To manage this feature, define a list of authorized and blocked apps for your devices by using the App Allow/Deny list policy. Windows Phone uses these lists to determine which apps it allows to run and which it does not. You can authorize or block apps based on:

The app publisher name only. Authorize or block all apps from a specific app publisher.
The app product ID only. Authorize or block a specific app by the app product ID, which is a globally unique identifier assigned to the app.

A combination of app publisher name and product ID. Authorize or block a specific app by the app product ID for a specific publisher name.

Note There is one list that includes the apps that are allowed and another, separate list for apps that are blocked.

Each of these lists is sent in XML format to Windows Phone devices and contains an XML element for:
Each publisher name that is authorized or blocked

Each product ID that is authorized or blocked

A product ID within a publisher element that is authorized or blocked for a specific publisher.
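The three rule kinds above (publisher only, product ID only, product ID within a publisher) are easy to get subtly wrong when the two lists are evaluated together. What follows is an added example, not code from the white papers or Microsoft: it parses a small policy document and decides whether a given app may run. The XML element names are an illustrative stand-in for the real Windows Phone 8.1 policy schema (which the page does not show), the publisher names and GUIDs are made up, and two rules the text leaves unstated are marked as assumptions in the code: a deny entry wins over any allow entry, and once an allow list exists, anything it does not list is blocked.

```python
"""Evaluate an app allow/deny policy of the kind described above.

Added example (not code from the Microsoft white papers). The XML shape is
an illustrative stand-in, NOT the real Windows Phone 8.1 policy schema:
one <Allow> list and one <Deny> list, each holding <Publisher name="...">
elements (optionally containing <ProductId> children) and bare <ProductId>
elements, mirroring the three rule kinds the text lists.
"""
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample policy; publisher names and GUIDs are made up.
SAMPLE_POLICY = """<AppPolicy>
  <Allow>
    <Publisher name="CN=Contoso Corp"/>
    <Publisher name="CN=Fabrikam">
      <ProductId>{8c4f2e2a-1f6e-4d8b-9a1a-1b2c3d4e5f60}</ProductId>
    </Publisher>
    <ProductId>{0f3c9b7e-5d2a-4c41-8e11-aaaaaaaaaaaa}</ProductId>
  </Allow>
  <Deny>
    <Publisher name="CN=Contoso Corp">
      <ProductId>{11111111-2222-3333-4444-555555555555}</ProductId>
    </Publisher>
    <Publisher name="CN=Untrusted Games"/>
  </Deny>
</AppPolicy>"""


@dataclass(frozen=True)
class Rule:
    publisher: Optional[str]   # None: any publisher
    product_id: Optional[str]  # None: any product of that publisher

    def matches(self, publisher: str, product_id: str) -> bool:
        if self.publisher is not None and self.publisher != publisher:
            return False
        if self.product_id is not None and self.product_id != product_id:
            return False
        return True


def normalize_product_id(raw: str) -> str:
    """Canonicalise a GUID (braces optional, any case); rejects garbage."""
    return str(uuid.UUID(raw.strip().strip("{}")))


def parse_rules(list_elem: Optional[ET.Element]) -> List[Rule]:
    rules: List[Rule] = []
    if list_elem is None:
        return rules
    for pub in list_elem.findall("Publisher"):
        name = (pub.get("name") or "").strip()
        if not name:
            raise ValueError("Publisher element without a name")
        pids = pub.findall("ProductId")
        if not pids:                       # publisher-only rule
            rules.append(Rule(name, None))
        for pid in pids:                   # publisher + product rule
            rules.append(Rule(name, normalize_product_id(pid.text or "")))
    for pid in list_elem.findall("ProductId"):  # product-only rule
        rules.append(Rule(None, normalize_product_id(pid.text or "")))
    return rules


class AppPolicy:
    def __init__(self, xml_text: str) -> None:
        root = ET.fromstring(xml_text)
        self.allow = parse_rules(root.find("Allow"))
        self.deny = parse_rules(root.find("Deny"))

    def is_allowed(self, publisher: str, product_id: str) -> bool:
        publisher = publisher.strip()
        pid = normalize_product_id(product_id)
        # Assumption: the deny list is checked first and always wins.
        if any(r.matches(publisher, pid) for r in self.deny):
            return False
        if any(r.matches(publisher, pid) for r in self.allow):
            return True
        # Assumption: once an allow list exists, anything unlisted is
        # blocked; a policy with only a deny list lets other apps run.
        return not self.allow


if __name__ == "__main__":
    policy = AppPolicy(SAMPLE_POLICY)
    print(policy.is_allowed("CN=Contoso Corp",
                            "{11111111-2222-3333-4444-555555555555}"))
```

Product IDs go through `uuid.UUID` so that `{8C4F...}` and `8c4f...` compare equal and a malformed ID fails loudly instead of silently never matching; publisher names are compared exactly, since they are the certificate subject of the signing publisher rather than a display string.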

Windows Phone 8.1 Security and MDM Part 1- Overview

Windows Phone 8.1 Security and MDM Part 1

Anyone who knows me can tell you how much I love all things mobile and how to secure and mange those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management.
Here is an excerpt from one of the documents with an overview of the security improvements in Windows Phone 8.1. I have also included links to both white papers.
I will be posting subsequent updates on geekswithablog.com for additional highlights and details from these documents.

Links

Windows Phone 8.1 Security Overview
http://tinyurl.com/pybf8yv

Windows Phone 8.1 MDM Overview
http://tinyurl.com/ndtvcgx

Secured enrollment with MDM systems

Devices can be enrolled with your MDM system by using a simplified and more secure method than with Windows Phone 8. The MDM system and the organization can customize the new enrollment process and use the web authentication broker (WAB) to better secure user credentials.

Security policy management

Windows Phone 8.1 includes several new security policies that you can manage through your MDM system.

Windows Phone 8.1 supports the ability to install apps on a secure digital (SD) card. The apps are stored on a hidden partition on the SD card that is specifically designated for this purpose. This partition is encrypted just like the internal storage and is enabled when the device encryption policy is provisioned to the device through EAS or an MDM. There is no need to explicitly set a policy to get this level of protection.

Lock down the phone to a specified set of applications and settings (Assigned Access)
The Assigned Access feature works like the same feature in Windows 8.1, allowing you to define a list of authorized and blocked apps for your devices.

Support for Secure/Multipurpose Internet Mail Extensions (S/MIME) signing and encryption

Users can now sign and encrypt email messages by using S/MIME signing and encryption support. You can manage the certificate used for S/MIME signing and encryption through your MDM system.

Support for enterprise Wi-Fi connectivity

In addition to the Wi-Fi connections in previous versions, Windows Phone 8.1 supports Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) and EAP-Tunneled Transport Layer Security (TTLS) wireless, certificate-based authentication. This is a stronger authentication than using preshared keys (PSKs) or other Wi-Fi authentication methods.
Windows Phone 8.1 supports the use of virtual smart cards to provide two-factor authentication (2FA), which is stronger than single-factor options like user names and passwords.

Support for new virtual private network (VPN) tunnel types

In addition to support for the VPN connections in Windows Phone 8, Windows Phone 8.1 introduces support for Internet Key Exchange Protocol version 2 (IKEv2), IP security (IPsec), and Secure Sockets Layer (SSL) VPN connections (the SSL VPN connections require a downloadable plug-in from the VPN server vendor).

Automatically initiate VPN connections (auto-triggered VPN)

You can configure Windows Phone to automatically initiate VPN connections when a specific app runs or when a specific domain name is referenced.
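Both trigger kinds (an app launch, as in the per-app VPN described in Part 5, and a referenced domain name) come down to a lookup the device performs before it opens a connection. The following is an added example, not code from the white papers or from Windows Phone itself: it models that lookup in Python, with made-up profile names, app identifiers and domains. The detail worth seeing is the domain-name match, which has to respect label boundaries: a trigger for `corp.contoso.com` should bring up the VPN for `mail.corp.contoso.com` but not for `evilcorp.contoso.com`, and the most specific trigger should win when several overlap.

```python
"""Pick the VPN profile to auto-trigger for an app launch or a DNS name.

Added example, not from the white papers; profile names, app identifiers
and domains are constructed. Models the two trigger kinds the text
describes: per-app and domain-name.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VpnProfile:
    name: str
    app_ids: Tuple[str, ...] = ()       # apps that trigger this VPN
    dns_suffixes: Tuple[str, ...] = ()  # domain names that trigger it


def _norm_host(host: str) -> str:
    return host.strip().strip(".").lower()


def dns_suffix_matches(host: str, suffix: str) -> bool:
    """True if host equals the suffix or sits under it on a label boundary."""
    host, suffix = _norm_host(host), _norm_host(suffix)
    return bool(suffix) and (host == suffix or host.endswith("." + suffix))


class VpnTriggerTable:
    def __init__(self, profiles: List[VpnProfile]) -> None:
        self._by_app: Dict[str, VpnProfile] = {}
        self._by_suffix: List[Tuple[str, VpnProfile]] = []
        for p in profiles:
            for app in p.app_ids:
                key = app.strip().lower()
                if key in self._by_app:  # one VPN per app, or the trigger is ambiguous
                    raise ValueError(f"app {app!r} mapped to two VPN profiles")
                self._by_app[key] = p
            for s in p.dns_suffixes:
                self._by_suffix.append((_norm_host(s), p))
        # Longest suffix first so the most specific domain trigger wins.
        self._by_suffix.sort(key=lambda item: len(item[0]), reverse=True)

    def for_app(self, app_id: str) -> Optional[VpnProfile]:
        """Profile to bring up when this app starts, or None."""
        return self._by_app.get(app_id.strip().lower())

    def for_host(self, host: str) -> Optional[VpnProfile]:
        """Profile to bring up before connecting to this host name, or None."""
        for suffix, profile in self._by_suffix:
            if dns_suffix_matches(host, suffix):
                return profile
        return None


# Constructed sample configuration.
SAMPLE_TABLE = VpnTriggerTable([
    VpnProfile("Corp-IKEv2", app_ids=("Contoso.Expenses", "Contoso.CRM"),
               dns_suffixes=("corp.contoso.com",)),
    VpnProfile("Partner-SSL", dns_suffixes=("contoso.com",)),
])

if __name__ == "__main__":
    for host in ("mail.corp.contoso.com", "evilcorp.contoso.com", "www.example.org"):
        hit = SAMPLE_TABLE.for_host(host)
        print(host, "->", hit.name if hit else "no VPN")
```

Two apps can share a profile, but an app mapped to two profiles is rejected at load time rather than resolved by whichever was listed last; a silent tie-break there is how traffic ends up on the wrong tunnel.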

Remote Assistance

The Remote Assistance feature is designed to help resolve issues that users might encounter even when support personnel don’t have physical access to the device. This feature includes the ability to remotely lock a device, remotely ring the device, and remotely reset the user password (PIN).

Remote business data removal

Any organizational information and data can be removed from a device either by IT pros using an MDM system or by the user. Any personal data stored on the device is retained, such as music, photos, and personal email messages. All apps and data that the organization deployed are removed.