MDM - Mobile Device Management; pro's, con's and best practices

This page describes security measures that may be taken by organizations to protect data, and the impact it may have on subjects.

Goals of Security Measures

Security measures are typically taken to protect sensitive data in organizations and/or to comply with law. The requirements that the security of an endpoint must  meet:

• The equipment must have encrypted storage, to prevent loss of setting information in the event of theft;
• User does not use USB sticks or external hard drives, unless strictly necessary and only if they are fully encrypted;
• The laptop or desktop is only accessible to the user with the institution account, or the device is provided with a specific employee account with a strong password;
• A mobile device (telephone, tablet) is provided with a strong access code (minimum 6 characters) other than the SIM card PIN code;
• The OS and all applications are maintained by a supplier or community, and are up to date;
• Performing security updates of OS and applications on the equipment are mandatory;
• Anti malware and anti virus solution are present, active and up to date;
• Local (application) firewall is active and alerts the user to unusual behavior. Preferably also with outgoing traffic;
• Laptop or desktop should be automatically locked after a preset period of inactivity after a maximum of 15 minutes;
• Phones or tablets should be automatically locked after a pre-set period of inactivity after a maximum of 5 minutes;
• Equipment must have the ability to remotely wipe the device in the event of loss or theft;
• Deviations from the previous requirements must be detected and reported.

And in general:

• two factor authentication in using (financial) authorization systems
• two factor authentication in using (Microsoft) cloud
• strong passwords
• use of VPN

• https://en.wikipedia.org/wiki/Mobile_device_management

Using any enforcement system to control and enforce this on employees requires trust, integrity, benevolence, competence and reputation. This article says it clearly:

Mobile device management requires a level of trust between the end users in your organization and the people responsible for managing the MDM platform. There needs to be clear communication between the parties to ensure that expectations are properly set. There also needs to be reasonable policies in place to reduce the risk of administrative error (or malicious action) causing a data loss or breach of privacy for the user of a managed device. This means that you should have, at a minimum:

• An acceptance policy for end users who are enrolling devices in your MDM solution. A real one, written by humans and only partially mangled by lawyers. The goal is to have a document that your users will actually read, understand, and willingly sign (or reject), and not just a formality that gets signed and filed away somewhere to cover your butt in the event of a problem later.
• A limited number of trusted and trained administrators who can manage the sensitive and impactful elements of the MDM solution (e.g. able to configure policies, access inventory data, etc). Limited access can be provided for support staff to deliver end user support, but like all administrative rights should be provided on a least privilege basis.
• Privacy advocates from the user population who can review and understand the level of control and access that the MDM solution provides over managed devices.

Microsoft InTune on Apple One popular tool to control company devices is Microsoft InTune. The website for what it does: What is device enrollment? https://docs.microsoft.com/en-us/mem/intune/user-help/use-managed-devices-to-get-work-done What information can my organization see when I enroll my device? https://docs.microsoft.com/en-us/mem/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune Intune support for new settings and updates in iOS 13 and macOS 10.15 https://techcommunity.microsoft.com/t5/intune-customer-success/intune-support-for-new-settings-and-updates-in-ios-13-and-macos/ba-p/809055 Enroll your macOS device using the Company Portal app https://docs.microsoft.com/en-us/mem/intune/user-help/enroll-your-device-in-intune-macos-cp Note: Throughout this process, you might be prompted to allow Company Portal to use confidential information that's stored in your keychain. These prompts are part of Apple security. When you get the prompt, type in your login keychain password and select Always Allow. If you press Enter or Return on your keyboard, the prompt will instead select Allow, which may result in additional prompts. This effectively means it can access all your passwords! Also note that after install the profile most likely locks out the access to certain preference panels, e.g. the ability to remove profiles, change passwords, manage encryption. Other hardware related stuff Security functionality connected to hardware: https://arstechnica.com/information-technology/2022/01/pluton-microsofts-new-security-chip-will-finally-be-put-to-the-test/

What Can Microsoft Intune See On Your Managed Mobile Devices?

• What Can Microsoft Intune See On Your Managed Mobile Devices?
• https://practical365.com/clients/mobile-devices/can-microsoft-intune-see-managed-mobile-devices/
• note: However there’s no additional warning provided to the user of the device, so they would not know when a device has been changed from personal to corporate owned by an administrator.
• Intune MacOS management Capabilities
• https://uem4all.com/2019/03/11/intune-macos-management/

What Can Microsoft Intune with some scripting do Your Managed Devices?

• What Can one do with powershell-intune-samples:
• https://github.com/microsoftgraph/powershell-intune-samples

Authoriteit persoonsgegevens & Privacy Issues

• Controle van werknemers
• https://www.autoriteitpersoonsgegevens.nl/nl/onderwerpen/werk-uitkering/controle-van-personeel#welke-voorwaarden-gelden-voor-de-heimelijke-controle-van-werknemers-4621
• Bring your own device legal issues
• https://pure.uva.nl/ws/files/12518805/Bilanovic_Thesis_complete.pdf
• Werken op waarde geschat: Grenzen aan digitale monitoring op de werkvloer door middel van data, algoritmen en AI
• >RAPPORT-Werken-op-waarde-geschat.pdf
  

Data Protection Impact Assessment (DPIA) zakelijke microsoft intune dienst; vijf lage privacyrisicos

• Pricacy Company: In opdracht van het Ministerie van Justitie en Veiligheid heeft Privacy Company onderzoek gedaan naar de privacyrisico’s van het gebruik van de zakelijk Intune software van Microsoft. Daarmee kunnen systeembeheerders bijvoorbeeld informatie versleutelen op de apparaten van gebruikers. Privacy Company heeft ook onderzoek gedaan naar de privacyrisico’s van de browserversie van Microsoft Office 365 en de Office apps voor iOS en Android mobiele telefoons. Met toestemming van het Ministerie publiceren wij twee blogs over onze bevindingen, deze blog over Intune:
• https://www.privacycompany.eu/blogpost-nl/nieuwe-dpia-zakelijke-microsoft-intune-dienst-vijf-lage-privacyrisicos
• en de tweede blog over de browserversie en de app-versie van Office 365:
• https://www.privacycompany.eu/blogpost-nl/onderzoek-naar-microsoft-office-365-for-the-web-en-apps-microsoft-belooft-nieuwe-maatregelen-om-hoge-privacyrisicos-te-verlagen

Never accept an MDM policy on your personal phone

• 20th January 2018 on Security, Infrastructure by Christopher Demicoli
• https://blog.cdemi.io/never-accept-an-mdm-policy-on-your-personal-phone/

Transparency examples

• Rutgers University Mobile device management policy
• https://it.rutgers.edu/rutgers-connect/knowledgebase/mobile-device-management-policy/
• https://it.rutgers.edu/rutgers-connect/knowledgebase/mobile-device-management-policy-for-rbhs/

NCSC advise when moving to cloud

• National Cyber Security Center: 5 adviezen voor veilige inkoop van clouddiensten
• https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2018/before-you-commit-to-a-vendor-consider-your-exit-strategy