Effective Mobile Device Monitoring Policy Creation
Mobile device monitoring policies have long been shrouded in secrecy: employees are not quite aware of how, why, and when their actions are being monitored, and IT departments (that means you) have not been explicit and forthcoming about exactly what is being monitored and what policies govern the use of the data that is captured.
Unlike device policies, which clearly distinguish between employee-owned and enterprise-issued mobile devices, monitoring policies apply uniformly to all mobile devices regardless of who owns them. The reason is that once a mobile device connects to the network, it is incumbent upon you to guarantee the security and integrity of the enterprise network and its assets.
Obviously, you have additional tools at your disposal for monitoring enterprise-issued mobile devices, because you can install a local agent on the device itself and use it to gather this information. On employee-owned mobile devices, however, you must rely exclusively on the network to provide monitoring, which also means you see only the traffic that actually traverses your network; whatever the device does over cellular data or on some other Wi-Fi network is invisible to you.
To further muddy the waters, unscrupulous applications that employees download sometimes surreptitiously record detailed device activity and sell it to advertisers and other data scavengers. Once this is exposed, employees become extremely wary of anything that monitors them, and you need to be all the more transparent about your own monitoring in order to stay within your enterprise policies.
In fact, a research project called TaintDroid (developed by researchers at Penn State University, Duke University, and Intel Labs) gives advanced Android users more power: it modifies the Android platform to tag sensitive data (such as location, device identifiers, and contacts) at the point where an application reads it, tracks that tag as the data flows through the application, and alerts the user when an application ships the tagged data off to a remote location.
It is expected that more commercial tools will be developed that allow users to take back control of their mobile devices or, at the very least, be made aware of any applications that are spying on them. Your job is, in effect, to spy on your employees with the goal of keeping them compliant, so you should be doing on the mobile device what projects such as TaintDroid do: keeping tabs on everything that applications are doing and intervening where necessary.
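The following is an added illustration, written for this page and not TaintDroid's own code, of the taint-tracking idea described above: values read from sensitive sources carry a label, the label survives string operations, and a network sink inspects labels before data leaves the device, recording a report and blocking the send instead of letting the data out silently. The sources, the app name, the host, and the sample IMEI and coordinates are all constructed for the example; real TaintDroid works inside the Android runtime rather than at the Python level.

```python
"""Toy dynamic taint tracking, in the spirit of TaintDroid (added example)."""
from dataclasses import dataclass, field

# Taint labels are a bitmask, one bit per kind of sensitive source
# (TaintDroid uses the same representation).
TAINT_CLEAR = 0
TAINT_DEVICE_ID = 1 << 0
TAINT_LOCATION = 1 << 1
TAINT_CONTACTS = 1 << 2

LABEL_NAMES = {
    TAINT_DEVICE_ID: "device_id",
    TAINT_LOCATION: "location",
    TAINT_CONTACTS: "contacts",
}


@dataclass(frozen=True)
class Tainted:
    """A string value carrying a taint bitmask."""
    value: str
    taint: int = TAINT_CLEAR

    def __add__(self, other):
        # Concatenation propagates the union of both operands' labels.
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.taint | other.taint)
        return Tainted(self.value + str(other), self.taint)

    def __radd__(self, other):
        # Handles "plain string" + Tainted: the result stays tainted.
        return Tainted(str(other) + self.value, self.taint)


def labels(taint: int) -> list:
    """Human-readable names for the bits set in a taint mask."""
    return [name for bit, name in LABEL_NAMES.items() if taint & bit]


# --- taint sources: stand-ins (assumed, constructed) for the platform APIs an app calls ---
def get_device_id() -> Tainted:
    return Tainted("357000000000001", TAINT_DEVICE_ID)  # constructed sample IMEI


def get_location() -> Tainted:
    return Tainted("40.79,-77.86", TAINT_LOCATION)  # constructed sample coordinates


# --- taint sink: the network interface ---
@dataclass
class Network:
    reports: list = field(default_factory=list)

    def send(self, app: str, host: str, payload) -> bool:
        """Inspect the payload's taint before it leaves the device.

        Returns True if the data was allowed out, False if it was flagged
        (and, in this toy model, blocked) because it carries sensitive labels.
        """
        taint = payload.taint if isinstance(payload, Tainted) else TAINT_CLEAR
        if taint:
            self.reports.append({"app": app, "host": host, "leaks": labels(taint)})
            return False
        return True


def run_demo() -> list:
    """An ad SDK builds one request from clean data plus two tainted sources,
    then one request with no sensitive data. Returns the sink's reports."""
    net = Network()
    query = "v=1&id=" + get_device_id() + "&loc=" + get_location()
    net.send("com.example.adsdk", "ads.example.invalid", query)   # flagged
    net.send("com.example.adsdk", "ads.example.invalid", "v=1&ping=1")  # clean
    return net.reports


if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

The point of the model is that the decision is made at the sink, using labels attached at the source, so an application cannot launder the data by copying it through intermediate variables; TaintDroid applies the same idea at the Dalvik level, where it also covers file and IPC paths that this toy omits.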
You can use the following guide to educate your end users about the monitoring policies:
All your activity when connected to the enterprise network will be monitored. This includes all enterprise applications as well as personal applications.
Any data collected during the monitoring may be archived.
Any willful obstruction of such monitoring may result in revocation of connectivity rights to the enterprise network.
Purposely obfuscating data with the intent of bypassing such monitoring is expressly prohibited.
The following guideline applies to enterprise-issued mobile devices only; it cannot be mandated on employee-owned mobile devices:
Even when the mobile device is offline (not connected to the network), it may still be monitored.
Because Android is an open environment where applications can be developed and distributed with little or no oversight by Google (compared to the App Store, which Apple oversees closely), a more fertile ecosystem of applications is to be expected; some of them will give the user great control and visibility, the TaintDroid project being one example.
In less-open environments, such as the iPhone or the BlackBerry, it is far less likely that you will find monitoring applications that provide this level of scrutiny. However, where there is demand, in the form of users willing to pay for this level of scrutiny and to take back control of their devices from opaque applications, there will be supply.