Enterprise Mobile Device Function Restriction
There is a wide range of device functionality that you may want to control on your organization’s mobile devices in the interest of security. Not all of the following features are available in all mobile device management (MDM) platforms or on all smartphone operating systems:
Application store access: The primary issue with app stores is that they make it much easier for end users to inadvertently download and install malicious software such as a virus or spyware. The amount of security scrutiny that posted applications get varies greatly depending on the application store in question.
It probably does not make sense to restrict access to application stores because applications are a big reason why smartphones have become so popular. Your end users will likely revolt if you try to restrict access. A more feasible option may be to allow access, but to protect users’ devices with many of the other security best practices.
Third-party application downloads: This restriction applies to applications added to the device outside of application stores. This policy is important because outside of the sanctioned application stores, your users don’t really know who has created the software that they have downloaded. Malicious entities look for these types of application stores precisely because they know nobody is forcing them to validate their identity or reviewing the application.
Removable media access: This setting controls whether an end user can copy data and files to removable media such as an SD card. It is a good idea to restrict what your users can move from their mobile device to removable media.
Screen capture: This type of policy controls the user’s ability to take screenshots of what is on the device screen and make that data available to applications on the device. Ensure that if you have very sensitive data on the device, you protect against all mechanisms of data leakage, including screenshots.
Clipboard operations: Similar to screen capture, these functions allow you to control whether an end user can cut, copy, and paste text on an end device.
Bluetooth access: In the past, Bluetooth was viewed as a potential mechanism for breaking into a device or distributing viruses. All smartphones today, however, include a security functionality that requires the use of authentication before pairing devices, greatly reducing this risk.
Use of the device's camera: In certain situations, such as in defense-related organizations, users are not allowed to use the cameras on their mobile devices. Typically, an MDM solution gives the organization the capability to enable or disable use of the camera on mobile devices under management.
Access to consumer e-mail accounts such as Gmail or Yahoo! Mail: Your users might make it difficult to enable this type of policy on devices that they also use for personal reasons, but for a corporate-owned and -issued device, restricting access to consumer e-mail accounts might make perfect sense.
A range of possible device restrictions that you have at your disposal have been described — a very powerful proposition. Be careful, though, because that power can easily be abused. These restrictions have the potential to severely cut down on the functionality and usability of a mobile device.
From a security perspective, that sounds great. From a productivity perspective, however, it’s not very good. At the end of the day, your job is to enable users to be productive without putting sensitive corporate assets at risk.