Windows Phone 8.1 Security and MDM Part 1
Anyone who knows me can tell you how much I love all things mobile and how to secure and mange those devices. That is why I am excited to write that Microsoft has released information regarding Windows Phone 8.1 Security and Mobile Device Management.
Here is an excerpt from one of documents with an overview of the security improvements in Windows Phone 8.1. I have also included links to both white papers.
I will be posting subsequent updates on geekswithablog.com for additional highlights and details from these documents.
Windows Phone 8.1 Security Overview
Windows Phone 8.1 MDM Overview
Secured enrollment with MDM systems
Devices can be enrolled with your MDM system by using a simplified and more secure method than with Windows Phone 8. The MDM system and the organization can customize the new enrollment process and use the web authentication broker (WAB) to better secure user credentials.
Security policy management
Windows Phone 8.1 includes several new security policies that you can managed through your MDM system.
Windows Phone 8.1 supports the ability to install apps on a secure digital (SD) card. The apps are stored on a hidden partition on the SD card that is specifically designated for this purpose. This partition is encrypted just like the internal storage and is enabled when the device encryption policy is provisioned to the device through EAS or an MDM. There is no need to explicitly set a policy to get this level of protection.
Lock down the phone to a specified set of applications and settings (Assigned Access)
The Assigned Access feature works like the same feature in Windows 8.1, allowing you to define a list of authorized and blocked apps for your devices
Support for Secure/Multipurpose Internet Mail Extensions (S/MIME) signing and encryption
Users can now sign and encrypt email messages by using S/MIME signing and encryption support. You can manage the certificate used for S/MIME signing and encryption through your MDM system.
Support for enterprise Wi-Fi connectivity
In addition to the Wi-Fi connections in previous versions, Windows Phone 8.1 supports Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) and EAP-Tunneled Transport Layer Security (TTLS) wireless, certificate-based authentication. This is a stronger authentication than using preshared keys (PSKs) or other Wi-Fi authentication methods.
Windows Phone 8.1 supports the use of virtual smart cards to provide 2FA, which provides stronger authentication than single-factor options like user names and passwords.
Support for new virtual private network (VPN) tunnel types
In addition to support for the VPN connections in Windows Phone 8, Windows Phone 8.1 introduces support for Internet Key Exchange Protocol version 2 (IKEv2), IP security (IPsec), and Secure Sockets Layer (SSL) VPN connections (the SSL VPN connections require a downloadable plug-in from the VPN server vendor).
Automatically initiate VPN connections (auto-triggered VPN)
You can configure Windows Phone to automatically initiate VPN connections when a specific app runs or when a specific domain name is referenced.
The Remote Assistance feature is designed to help resolve issues that users might encounter even when support personnel don’t have physical access to the device. This feature includes the ability to remotely lock a device, remotely ring the device, and remotely reset the user password (PIN).
Remote business data removal
Any organizational information and data can be removed from a device either by IT pros using an MDM system or by the user. Any personal data stored on the device is retained, such as music, photos, and personal email messages. All apps and data that the organization deployed are removed.