Windows Phone 8.1 Security and MDM Part 4 – Wi-Fi Identity and Access

Anyone who knows me can tell you how much I love all things mobile and how to secure and manage those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management. Here are some additional excerpts from the white papers on Wi-Fi Identity and Access.

Windows Phone 8.1 Security Overview
Windows Phone 8.1 MDM Overview

Wi-Fi Identity and Access

Users use Wi-Fi connections almost as much as they use their cellular data connections. In terms of sheer data volume, Wi-Fi connections are more often the ones used to transfer the largest amounts of data. Many apps that users run require secured, persistent, high-speed connections to resources, and although cellular data connections continue to improve, they cannot keep pace with Wi-Fi connection speeds. This means that users will prefer to use Wi-Fi connections regardless of whether they are at the office, at home, or in public areas.

Windows Phone 8 can encrypt Wi-Fi connections using Wi-Fi Protected Access (WPA and WPA2) and Wired Equivalent Privacy (WEP). Both of these methods are still available in Windows Phone 8.1, but Windows Phone 8.1 now includes support for Wi-Fi authentication using EAP-TLS and EAP-TTLS, which provide enterprise-class Wi-Fi features.

EAP-TLS and EAP-TTLS require a client certificate to be installed on the device. This certificate is used to authenticate the device for wireless connectivity and is typically issued by a CA within your organization. The wireless access points in your organization will deny access to devices that don’t have the correct certificates.

The use of client-side certificates dramatically increases the authentication and identity strength for Wi-Fi connections. WPA, WPA2, and WEP are significantly more open to security attacks than Wi-Fi networks that require EAP-TLS or EAP-TTLS authentication.

Of course, the downside to client-side certificates is the management of those certificates. Fortunately, you can manage client-side certificates through your MDM system. A properly designed MDM system can deploy the certificates to devices.

In addition to managing certificates for EAP-TLS and EAP-TTLS authentication, you can use your MDM system to perform the following Wi-Fi–related management tasks:

Provision Wi-Fi profiles, which include the service set identifier (SSID), even if it’s hidden, and any PSKs.

Prevent a device from being used as a Wi-Fi hotspot.

Prevent users from manually adding Wi-Fi profiles and connecting to untrusted hotspots.

Prevent users from routing traffic through Wi-Fi connections (Wi-Fi offloading).

You can control all of these tasks by using security policies that are configured in your MDM system and then applied to your Windows Phone devices.
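One way to audit the Wi-Fi profiles an MDM system is about to provision, flagging WEP and PSK profiles and confirming EAP-TLS or EAP-TTLS ones. This is an added example, not part of the Microsoft white papers; it assumes the profiles use the Windows WLAN profile XML schema, and the helper names `audit_profile` and `sample` and the sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces of the WLAN profile schema and of the EAP method element (assumed format).
W = "http://www.microsoft.com/networking/WLAN/profile/v1"
EAP_COMMON = "http://www.microsoft.com/provisioning/EapCommon"
NS = {"w": W}
EAP_TYPES = {"13": "EAP-TLS", "21": "EAP-TTLS"}  # IANA EAP method numbers

def audit_profile(xml_text):
    """Return (ssid, hidden, verdict) for one WLAN profile XML document."""
    root = ET.fromstring(xml_text)
    get = lambda path, default: root.findtext(path, default=default, namespaces=NS)
    ssid = get("w:SSIDConfig/w:SSID/w:name", "?")
    hidden = get("w:SSIDConfig/w:nonBroadcast", "false") == "true"
    base = "w:MSM/w:security/w:authEncryption/"
    auth = get(base + "w:authentication", "")
    enc = get(base + "w:encryption", "")
    one_x = get(base + "w:useOneX", "false") == "true"
    # The EAP method number sits in the EapCommon namespace under <OneX>.
    eap = next((e.text for e in root.iter("{%s}Type" % EAP_COMMON)), None)
    if enc in ("WEP", "none"):
        verdict = "FAIL: WEP or unencrypted"
    elif auth in ("WPAPSK", "WPA2PSK"):
        verdict = "WARN: pre-shared key, no client certificate"
    elif one_x and eap in EAP_TYPES:
        verdict = "OK: " + EAP_TYPES[eap]
    else:
        verdict = "REVIEW: unrecognised authentication settings"
    return ssid, hidden, verdict

def sample(ssid, auth, enc, eap_type=None, hidden="false"):
    """Build an abbreviated, constructed WLAN profile for the demonstration."""
    onex = "" if not eap_type else (
        '<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>'
        '<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">'
        '<EapMethod><Type xmlns="%s">%s</Type></EapMethod>'
        '</EapHostConfig></EAPConfig></OneX>' % (EAP_COMMON, eap_type))
    return (
        '<WLANProfile xmlns="%s"><SSIDConfig><SSID><name>%s</name></SSID>'
        '<nonBroadcast>%s</nonBroadcast></SSIDConfig><MSM><security><authEncryption>'
        '<authentication>%s</authentication><encryption>%s</encryption>'
        '<useOneX>%s</useOneX></authEncryption>%s</security></MSM></WLANProfile>'
        % (W, ssid, hidden, auth, enc, "true" if eap_type else "false", onex))

if __name__ == "__main__":
    for p in (sample("CorpNet", "WPA2", "AES", "13", "true"),
              sample("Guest", "WPA2PSK", "AES"), sample("Legacy", "open", "WEP")):
        print(audit_profile(p))
```

Run it against the profiles exported from the MDM console before assignment; anything other than an OK verdict is a profile that does not authenticate the device with a certificate.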
