2.5 Given a scenario, deploy mobile devices securely. Flashcards

1
Q

Connection Methods

A

Mobile devices have become a huge concern in companies today because they store local copies of company messages and company data. It is important to have strong policies surrounding the use of mobile devices such as smartphones and tablets and to ensure those policies are being followed.

2
Q

Connection Methods - Cellular

A

The most common method that mobile devices use to connect to the network or the Internet is via their cellular network. The cellular network is provided by the mobile device’s service provider.

3
Q

Connection Methods - WiFi

A

Mobile devices can connect to company Wi-Fi networks to gain Internet connectivity and to access network resources. The Wi-Fi network is then connected to the corporate network.

4
Q

Connection Methods - SATCOM

A

SATCOM is short for satellite communication and is a common connectivity method when sending or receiving small amounts of data, such as via point-of-sale systems.

5
Q

Connection Methods - Bluetooth

A

Mobile devices can use Bluetooth to obtain a connection to a computer or device as long as the devices are in close proximity. Bluetooth uses the 2.4-GHz frequency.

6
Q

Connection Methods - NFC

A

Near Field Communication allows two electronic devices to exchange data when they are placed within two inches of one another. You can use this to have devices share information such as contacts or to pay for a transaction.

7
Q

Connection Methods - ANT

A

ANT is a wireless communication protocol that allows you to transfer data between devices. ANT uses the 2.4-GHz frequency like Bluetooth. Unlike Bluetooth, ANT does not use up as much battery life, which makes it a great fit for smart devices.

8
Q

Connection Methods - Infrared

A

Infrared, or IR, is a form of wireless communication that relies on line of sight between the two devices, which share data via infrared light.

9
Q

Connection Methods - USB

A

You can connect your mobile device to the USB port of a system using a USB cable. This is common to transfer data such as videos or pictures to the computer.

10
Q

Mobile Device Management Concepts

A

.

11
Q

Mobile Device Management Concepts - Application Management

A

Implement any application controls on the device that restrict what the application can do or access.

12
Q

Mobile Device Management Concepts - Content Management

A

Look to content-filtering features on the device that can block certain types of content.

13
Q

Mobile Device Management Concepts - Remote Wipe

A

Mobile devices such as smartphones and tablets support remotely wiping the device if it is lost or stolen. Remotely wiping the device will erase all the data off it.

14
Q

Mobile Device Management Concepts - Geofencing

A

Geofencing is a feature that allows administrators of software to define GPS coordinates that create a boundary (or virtual fence). When a device running the software goes outside the boundaries, an alarm is triggered.

15
Q

Mobile Device Management Concepts - Geolocation

A

Geolocation is the term for identifying the geographic location of an item such as a mobile phone. For example, once the geolocation (GPS coordinates) of a mobile phone is determined, you can then associate that with a street address using mapping technologies.

16
Q

Mobile Device Management Concepts - Screen Locks

A

It is critical to ensure that screens on mobile devices such as smartphones and laptops are configured to lock after a short period of inactivity. As a result, anyone wishing to use the mobile device and access the data on it must type the password for the device. So if you lose the device and someone finds it, they would need to know the password to access the data on the device.

17
Q

Mobile Device Management Concepts - Push Notification Services

A

Mobile devices allow you to configure which push notification services to use to send status and notifications to the device.

18
Q

Mobile Device Management Concepts - Passwords and PINs

A

Ensure all mobile devices have complex passwords configured to use the device and thus to access the data on it. For corporate devices, you can configure policies to enforce complex passwords for the device. For example, you can do this in ActiveSync policies on the Microsoft Exchange Server for mobile devices that support ActiveSync.

19
Q

Mobile Device Management Concepts - Biometrics

A

Some devices may allow the configuration of biometrics in order to use the device. For example, some devices may do a retina scan or fingerprint read in order to authenticate to the device.

20
Q

Mobile Device Management Concepts - Context-aware Authentication

A

Context-aware authentication is a new type of security feature that allows an application or cloud service to be aware of your habits, for example the location you usually log on from or the device you typically use to log on. With context-aware authentication, if the system determines there is high confidence it is actually you using your credentials (based on the context), then you have a simple logon experience. If the system rates low confidence that it is actually you who is logging in, then it resorts to enforcing a more complicated logon approach involving solutions such as two-factor authentication.

21
Q

Mobile Device Management Concepts - Containerization

A

Containerization, sometimes referred to as sandboxing, means running software on the device that creates a security container that prevents access to sensitive data stored on the device.

22
Q

Mobile Device Management Concepts - Storage Segmentation

A

Some devices allow you to segment the storage on the device, allowing you control over what data can be accessed. For example, a mobile device may segment corporate data from personal data, allowing you to wipe the corporate data only if the company needs you to.

23
Q

Mobile Device Management Concepts - Full Device Encryption

A

Most mobile devices support encrypting data on the device. Device encryption is critical to ensure that anyone who is able to connect the device or its memory to a computer cannot read the data.

24
Q

Enforcement and Monitoring

A

Organizations typically have strict requirements regarding how their devices should and should not be used. When managing your organization’s mobile devices, it is important that you enforce the organization’s policies by monitoring how devices are being used and looking for policy violations.

25
Q

Enforcement and Monitoring for: Third-party App Stores

A

Your organization may want to disable access to third-party app stores as a method of controlling the applications that are installed on the devices.

26
Q

Enforcement and Monitoring for: Rooting/Jailbreaking

A

Rooting or jailbreaking is when the user of the device is able to gain privileged access to the device and configure the device in any way they want. Be sure to monitor for jailbreaking of the devices!

27
Q

Enforcement and Monitoring for: Sideloading

A

Sideloading refers to installing applications from a source other than the app store provided by the vendor. Many organizations attempt to restrict sideloading of applications to a central location controlled by the company.

28
Q

Enforcement and Monitoring for: Custom Firmware

A

Monitor the organization’s devices for firmware upgrades that need to be performed in order to keep devices current. Also, be sure to monitor that employees are not applying custom firmware solutions to the devices.

It’s also possible to overwrite the firmware with custom firmware. Some people do this as another method of rooting Android devices. The process is typically complex and fraught with risks. However, some people find downloadable images and copy them onto their devices to overwrite the firmware.

29
Q

Enforcement and Monitoring for: Carrier Unlocking

A

Monitor devices for unlocking. Devices typically are associated with a specific carrier, but a device can be unlocked if the user wants to use the device with a different carrier. The carrier typically charges a fee to have the device unlocked.

30
Q

Enforcement and Monitoring for: Firmware OTA Updates

A

Firmware updates can be sent to mobile devices and tablets using the carrier’s wireless network with what is known as over-the-air (OTA) updates. OTA updates were originally used only to update the firmware on the device, but can also be used to update the OS.

31
Q

Enforcement and Monitoring for: Camera Use

A

Your organization should establish a policy regarding whether employees are allowed to use mobile device cameras in the workplace. If it is not permitted (typically for security reasons), you should disable the cameras. Organizations can deploy device policies requiring the camera on the device to be disabled.

32
Q

Enforcement and Monitoring for: SMS/MMS

A

Your organization should decide whether employees should be using the text messaging services of the mobile device. Many organizations have policies in place indicating when the user is not allowed to be texting, for example while driving or walking.

33
Q

Enforcement and Monitoring for: External Media

A

Devices can typically have external media connected to them such as SD cards or MicroSD cards. Consider disabling these slots to control media connected to the device.

34
Q

Enforcement and Monitoring for: USB OTG

A

USB On-the-Go (OTG) is a specification that enables a compliant mobile device to have many different types of devices connect to it. For example, if your mobile device or tablet supports USB OTG, you could connect a communication device such as a keyboard or mouse and use that with your mobile device.

35
Q

Enforcement and Monitoring for: Recording Microphone

A

For privacy reasons, you can disable the recording microphone on the organization’s devices.

36
Q

Enforcement and Monitoring for: GPS Tagging

A

Evaluate the GPS tagging functionality on devices to ensure that the devices are not tagging the GPS coordinates of photos that are taken (if permitted). GPS tags can be used to track an employee’s location if they are taking photos and uploading them to social media.

37
Q

Enforcement and Monitoring for: WiFi Direct/Ad Hoc

A

You may want to monitor how the wireless networking feature is being used and control whether the user is connecting to wireless networks in infrastructure mode or if they are allowed to connect in ad hoc mode. With infrastructure mode, the administrator controls who can connect to the network and which security features are enabled.

38
Q

Enforcement and Monitoring for: Tethering

A

Tethering means sharing the mobile device’s Internet connection with other devices. You may want to restrict the tethering features on mobile devices to prevent users from sharing their Internet connections in this manner.

39
Q

Enforcement and Monitoring for: Payment Methods

A

Monitor and control how users can make payments from mobile devices. With technologies like NFC, it is easy for users to complete transactions from mobile devices.

40
Q

Deployment Models

A

When an organization decides to have employees use mobile devices to perform job-related tasks, the organization can choose among several different ways to integrate mobile devices into the workplace.

41
Q

Deployment Models - BYOD

A

The “bring your own device” model encourages users to connect to the corporate network with their personal mobile devices for work purposes. While the benefit is that the organization can avoid the cost of purchasing the mobile devices, you will need to be clear on the policy and on whether the organization will push settings down to the devices.

42
Q

Deployment Models - COPE

A

A “corporate-owned, personally enabled” (COPE) model can work better from a security standpoint than a BYOD model because it is hard for companies to control a device when they do not own the device. With COPE, the company supplies the device to the user, so it is managed by the IT department, but the company allows and promotes personal usage of the device as well.

43
Q

Deployment Models - CYOD

A

A “choose your own device” model involves the organization providing users with a list of approved devices and allowing each user to choose which device they would like to use.

44
Q

Deployment Models - Corporate-owned

A

With a “corporate-owned device” model, the company fully manages the devices and employees must follow company policy when using the devices.

45
Q

Deployment Models - VDI

A

Virtual desktop infrastructure is a model where the user uses a thin client to connect to their desktop environment running in a data center. With VDI you can introduce the mobile device as the thin client so that the user can access their desktop environment from anywhere. The benefit is that the resources are not on the mobile device—it simply connects to a virtual desktop within the company.