Enterprise Management of Mobile Devices: Compliance Enforcement
One of the core tools suggested for management of enterprise mobile devices is continual monitoring, but monitoring is all about identifying violations. When a violation is detected, enforcement is next.
Your primary goal is protecting the enterprise from any security breach caused by the errant application. However, it is also important to ensure that your users have the most painless experience possible as you try to remediate the situation. To this end, the more transparent this remediation is to the end users, the more satisfied your users will be, and ultimately, you will breathe a whole lot easier as well.
As the name suggests, automated correction is the most painless of approaches, as it doesn't require any intervention by you or the user, and the device automatically self-corrects. This intelligence is embedded in the monitoring application itself.
For instance, consider when a smartphone connects to an enterprise wireless access point and the monitoring agent's job is to verify that all traffic is encrypted. When a device is found to be in violation, it could easily self-correct by enabling encryption on the smartphone (IPsec or equivalent) without affecting the end user, while still ensuring that your enterprise policies are met at the same time!
The semi-automated remediation capability requires the user to be involved. Typical violations involve downloaded applications that violate enterprise policies. An example of this could be an application that syncs local device storage to cloud storage. Clearly, for data that is stored locally, you would have policies such as local encryption, but once this data extends to the cloud, there's no way you can enforce such policies.
Your only resort at that point is to disable these classes of applications. However, since you can't willy-nilly delete applications on your employees' devices, your only resort is to redirect them to a remediation portal where they're presented with the facts.
Be succinct yet comprehensive so the user is faced with the choice of either deleting the app or choosing to retain the application but not connecting to the enterprise any more.
In either case, there is active user involvement, and giving users a choice offloads the burden from you and your staff having to deal with these errant users!
Manual remediation is the most intrusive as it involves you - the IT department - having to play a part in enforcing the enterprise policy. Typically, this happens if automated correction isn't possible or there have been recurring violations that need active intervention on your part.
An example where automated or semi-automated correction isn't possible is when a new vendor’s device is introduced to the network. As discussed earlier, you have a choice of blocking all access or limiting it to noncritical systems.
But a third choice is to meet with the user to learn about the device and its capabilities - and maybe even add that to your catalog of supported devices and adapt your policies based on this device’s unique capabilities.
There may be employees who are constantly looking for loopholes to violate enterprise policies. They experiment with jailbreaking, downloading rogue applications, compromising security on the network - the list goes on. Your options with these repeat offenders include temporarily suspending access to the enterprise network and, if that doesn't stop the conduct, escalating to management as the only remaining recourse.
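The three remediation tiers described above (automated self-correction, semi-automated redirection to a portal, and manual intervention with escalation for repeat offenders) can be expressed as a small triage rule set. The following is an added example, not code from the original article; the device report fields, the app-class lookup, and the repeat-offender threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    AUTOMATED = "automated"          # agent fixes it, user never notices
    SEMI_AUTOMATED = "semi-automated"  # user must choose via remediation portal
    MANUAL = "manual"                # IT department gets involved


@dataclass
class DeviceReport:
    """Snapshot sent by the monitoring agent (constructed fields for this example)."""
    device_id: str
    vendor_known: bool        # device model is in the supported-device catalog
    traffic_encrypted: bool   # IPsec (or equivalent) is active on the enterprise WLAN
    apps: list
    jailbroken: bool


# Hypothetical app-class lookup; cloud-storage sync apps defeat local encryption policy.
APP_CLASSES = {"dropsync": "cloud-storage", "mail": "productivity"}
BLOCKED_APP_CLASSES = {"cloud-storage"}


@dataclass
class Enforcer:
    repeat_threshold: int = 3           # violations before a device is a repeat offender
    history: dict = field(default_factory=dict)

    def evaluate(self, report: DeviceReport) -> list:
        """Map each detected violation to a (tier, action); escalate repeat offenders."""
        actions = []
        if not report.vendor_known:
            actions.append((Tier.MANUAL, "unknown device: limit to noncritical systems, meet user"))
        if not report.traffic_encrypted:
            actions.append((Tier.AUTOMATED, "enable IPsec"))
        for app in report.apps:
            if APP_CLASSES.get(app) in BLOCKED_APP_CLASSES:
                actions.append((Tier.SEMI_AUTOMATED, f"portal: remove {app} or disconnect"))
        if report.jailbroken:
            actions.append((Tier.MANUAL, "suspend enterprise access"))
        if actions:  # count every non-compliant check-in per device
            count = self.history.get(report.device_id, 0) + 1
            self.history[report.device_id] = count
            if count >= self.repeat_threshold:
                actions.append((Tier.MANUAL, "repeat offender: escalate to management"))
        return actions
```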