Enterprise Mobile Device Profiling and Policy Application - dummies

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

The most commonly used and easiest to configure types of mobile device endpoint security policies are those that verify the presence and status of third-party endpoint security applications. These types of policies ensure that the mobile devices that you are allowing access to the corporate network have an acceptable security posture and device identity.

In many cases, your VPN vendor ships a list of predefined security policies that you can enable to check for these conditions. Look for these common policy types provided by VPN vendors:

  • Device type: Device type scans allow you to identify what type of device is attempting to connect to the VPN. In some cases, you simply want to restrict access to certain types of devices. In other cases, you might want to check for a particular version of an operating system on a particular device type.

    Device type scans also help you determine any additional scans that you might want to run against a particular device. Knowing the device type up front allows you to scan for the appropriate antivirus application when the device attempts to connect to the network.

  • Antivirus: The ability to scan to ensure that an antivirus application is not only installed on the device, but also running and up to date, is becoming a key feature for many VPNs that provide endpoint integrity scanning.

    Most SSL VPN vendors offer a solution that checks not only the presence but also the status of an antivirus application. Some of the available policies on the market include:

    • Verifying installation of a particular version or vendor of antivirus solution(s).

    • Verifying that real-time protection is actively enabled on the system.

    • Verifying that virus signatures are fully up to date or that they’ve been updated at some point in the recent past, depending on your policy.

    • Ensuring that a successful full-system scan has been completed within the accepted number of days.

  • Personal firewall: This type of scan is fairly self-explanatory. Simply put, it determines whether a personal firewall is installed and running on the endpoint device.

  • Disk encryption: This functionality helps you determine whether encryption is enabled on the endpoint device. Many device vendors now provide native encryption capabilities on the devices themselves, alleviating the need for third-party encryption products. In most cases, these encryption policies allow you to check whether encryption is enabled both on the device’s internal storage and on removable media.

  • Antispyware: You want to ensure that the antispyware application is not only installed, but also running and actively protecting the system.

  • Bluetooth: Because a number of device exploits take advantage of Bluetooth capabilities on mobile devices, the ability to determine whether Bluetooth is enabled is important for some organizations.

  • Device lock: This type of scan allows you to determine whether the appropriate idle timeout and lock policies are enabled on the device.

  • SIM policies: You enable this type of policy to check whether the SIM card is PIN protected, and whether it is locked to the phone itself, helping to guard against theft.

This is an example of a mobile device integrity policy that you might see enabled on an SSL VPN gateway. It is not necessarily all-inclusive, nor is it representative of best practices across every area.

Example Mobile Device Integrity Policy

Attribute           Allowed Values
Device type         Apple iOS 4.0, 4.1, 4.2, and 4.3
                    Google Android 2.0, 2.1, 2.2, 3.0, and 3.1
                    BlackBerry OS 5.0 and 6.0
                    Windows Mobile 6.5
                    Windows Phone 7.0
Antivirus           Junos Pulse 2.x
                    F-Secure Mobile Anti-Virus 2.x and 3.x
                    Must be installed and running.
Encryption          Must be enabled.
Personal firewall   Must be installed and running.
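To make the policy above concrete, here is an added example (not code from the book or from any VPN vendor) of how a gateway might evaluate a device’s posture report against it. The report format is a constructed dictionary, because real host-checker agents report posture in vendor-specific formats. The platform, OS version and antivirus entries are transcribed from the table; the signature-age and full-scan thresholds are assumptions chosen for the example, since the text only says “recent past” and “accepted number of days.” The example goes slightly beyond the table by also applying the antivirus status checks listed earlier (real-time protection, signature age, last full scan).

```python
"""Added example: evaluating a mobile device posture report against the
example integrity policy. Report format and thresholds are assumptions."""
from dataclasses import dataclass, field

# Allowed platforms and OS versions, transcribed from the example policy table.
ALLOWED_PLATFORMS = {
    "Apple iOS": {"4.0", "4.1", "4.2", "4.3"},
    "Google Android": {"2.0", "2.1", "2.2", "3.0", "3.1"},
    "BlackBerry OS": {"5.0", "6.0"},
    "Windows Mobile": {"6.5"},
    "Windows Phone": {"7.0"},
}

# Allowed antivirus products and major versions ("2.x" -> major version "2").
ALLOWED_ANTIVIRUS = {
    "Junos Pulse": {"2"},
    "F-Secure Mobile Anti-Virus": {"2", "3"},
}

# Freshness thresholds: assumptions for this example, not values from the page.
MAX_SIGNATURE_AGE_DAYS = 7
MAX_DAYS_SINCE_FULL_SCAN = 14


@dataclass
class PostureResult:
    compliant: bool
    failures: list = field(default_factory=list)


def major_version(version):
    """'3.1.2' -> '3', so a '3.x' policy entry can be matched."""
    return str(version).split(".")[0]


def evaluate_posture(report):
    """Evaluate one posture report (a dict, as an agent might send it).
    Every check runs so the user can be told everything that needs fixing,
    and any missing attribute counts as a failure (default deny)."""
    failures = []

    # Device type: platform must be known and OS version must be on the list.
    platform = report.get("platform")
    os_version = report.get("os_version")
    if platform not in ALLOWED_PLATFORMS:
        failures.append(f"device type not permitted: {platform!r}")
    elif os_version not in ALLOWED_PLATFORMS[platform]:
        failures.append(f"{platform} version {os_version!r} not permitted")

    # Antivirus: approved product/version, running, fresh signatures, recent scan.
    av = report.get("antivirus") or {}
    product = av.get("product")
    if product not in ALLOWED_ANTIVIRUS:
        failures.append(f"antivirus not installed or not approved: {product!r}")
    else:
        if major_version(av.get("version", "")) not in ALLOWED_ANTIVIRUS[product]:
            failures.append(f"{product} version {av.get('version')!r} not permitted")
        if not av.get("realtime_enabled", False):
            failures.append(f"{product} real-time protection is not running")
        if av.get("signature_age_days", 10**9) > MAX_SIGNATURE_AGE_DAYS:
            failures.append(f"{product} signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
        if av.get("days_since_full_scan", 10**9) > MAX_DAYS_SINCE_FULL_SCAN:
            failures.append(f"no full scan in the last {MAX_DAYS_SINCE_FULL_SCAN} days")

    # Disk encryption and personal firewall: must be enabled / installed and running.
    if not report.get("encryption_enabled", False):
        failures.append("device encryption is not enabled")
    fw = report.get("firewall") or {}
    if not (fw.get("installed", False) and fw.get("running", False)):
        failures.append("personal firewall is not installed and running")

    return PostureResult(compliant=not failures, failures=failures)


# Constructed posture reports for the demonstration; not captured from any real agent.
COMPLIANT_DEVICE = {
    "platform": "Apple iOS", "os_version": "4.3",
    "antivirus": {"product": "Junos Pulse", "version": "2.1", "realtime_enabled": True,
                  "signature_age_days": 2, "days_since_full_scan": 5},
    "encryption_enabled": True,
    "firewall": {"installed": True, "running": True},
}

NONCOMPLIANT_DEVICE = {
    "platform": "Google Android", "os_version": "1.6",      # version not on the list
    "antivirus": {"product": "F-Secure Mobile Anti-Virus", "version": "3.0",
                  "realtime_enabled": False,                 # installed but not running
                  "signature_age_days": 30, "days_since_full_scan": 3},
    "encryption_enabled": False,
    # no "firewall" key at all: treated as a failure, not as "unknown"
}

if __name__ == "__main__":
    for name, dev in (("compliant", COMPLIANT_DEVICE), ("non-compliant", NONCOMPLIANT_DEVICE)):
        result = evaluate_posture(dev)
        print(name, "->", "ALLOW" if result.compliant else "DENY")
        for reason in result.failures:
            print("   ", reason)
```

Two design points matter more than the individual checks. First, an absent attribute is a failure, not a pass, so an agent that omits a field cannot slip past a check. Second, every check runs before the verdict is returned, which lets the gateway hand the user a complete remediation list instead of one complaint per connection attempt. Keep in mind that all of these checks rest on what the endpoint agent reports about itself; they raise the bar against careless or misconfigured devices, not against a client deliberately reporting false posture.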