Enterprise Mobile Device Protection with Application Policies - dummies

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

Application policies outline which applications users are permitted to use while accessing the enterprise network with a mobile device. Application policies are particularly crucial because the plethora of applications that users can download is growing exponentially. This increases the risk that your users will innocently download a malicious application that wreaks havoc on both the user and, more to the point, the enterprise network.

Figure: Number of apps in app stores.

Typically, application policies can be categorized in the following subdomains:

  • Whitelisting of approved applications that end users may use: Clearly, for enterprise-issued mobile devices this policy can be justified because the mobile devices are enterprise assets. However, users develop a strong attachment to their mobile devices, come to regard themselves as de facto owners, and assume moral authority over how the devices are used.

    Quite obviously, for mobile devices that users own and bring into the enterprise, the actual application policies cannot be readily enforced on the devices. In this situation, you need to rely on the monitoring policies to ensure that enterprise compliance is being maintained when the device is connected to the enterprise network.

    Figure: Application policies categorization.
  • Profile settings for approved applications: This policy applies to enterprise-issued mobile devices only, because it controls how applications can be configured and used. This is critical not only to ensure that the employee has connectivity and can actually use critical enterprise applications on the mobile device but also to limit the exposure that these applications have from a security standpoint.

    For employee-owned devices, it’s the user’s prerogative which applications she chooses to install, so you have no control over that. However, you can impose restrictions on applications that connect to the corporate network, such as e-mail.

  • User notification of application policy violations: This policy applies to all mobile devices, enterprise-issued as well as employee-owned devices. For enterprise-issued devices you may have additional tools at your disposal, including monitoring capabilities on the device and network-based detection. For employee-owned devices, you need to rely on your monitoring capabilities on the network to detect out-of-policy application usage.

    The response to application policy violations should be enforced in two steps. The first is a warning notification indicating that the user is in violation of enterprise application policies. After a clearly outlined number of warnings, the second step, enforcement, follows. The remediation at this point is to inform the user that his right to connect to the enterprise network may be curtailed.
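The whitelisting and two-step violation response described above can be expressed as a small policy-evaluation routine. The following is an added example, not code from the original article or its authors; the approved-app list, the app identifiers, the "three warnings before enforcement" threshold and the `Device`/`PolicyState` structures are all constructed assumptions. It reflects the distinction the text draws: an enterprise-issued device can be inventoried by an on-device agent, whereas an employee-owned device is judged only from what network-based detection observes.

```python
from dataclasses import dataclass, field

# Constructed allowlist of approved application identifiers (assumption, not from the article).
APPROVED_APPS = {"com.example.mail", "com.example.vpn", "com.example.docs"}

# The article only says "a clearly outlined number of warnings"; three is an assumed value.
WARNINGS_BEFORE_ENFORCEMENT = 3


@dataclass
class Device:
    user: str
    enterprise_issued: bool
    installed_apps: set          # reported by an on-device agent (enterprise-issued only)
    network_observed_apps: set   # seen by network-based detection (any device)


@dataclass
class PolicyState:
    # Running count of warnings already issued, keyed by user.
    warnings: dict = field(default_factory=dict)


def observed_apps(device):
    """Apps the enterprise can actually see for this device.

    Enterprise-issued devices expose their full inventory via the agent; for
    employee-owned devices only network-observed usage is available.
    """
    if device.enterprise_issued:
        return device.installed_apps | device.network_observed_apps
    return set(device.network_observed_apps)


def violations(device):
    """Sorted list of observed apps that are not on the approved list."""
    return sorted(app for app in observed_apps(device) if app not in APPROVED_APPS)


def evaluate(device, state):
    """Apply the two-step response. Returns (action, violating_apps).

    action is 'ok' (no violation), 'warn' (warning notification) or
    'enforce' (the warning budget is exhausted; connectivity may be curtailed).
    """
    bad = violations(device)
    if not bad:
        return "ok", bad
    count = state.warnings.get(device.user, 0) + 1
    state.warnings[device.user] = count
    if count > WARNINGS_BEFORE_ENFORCEMENT:
        return "enforce", bad
    return "warn", bad


def notification(device, action, bad):
    """User-facing text for each policy outcome."""
    apps = ", ".join(bad)
    if action == "warn":
        return f"{device.user}: unapproved application(s) in use: {apps}. This is a warning."
    if action == "enforce":
        return (f"{device.user}: repeated use of unapproved application(s) ({apps}). "
                "Your right to connect to the enterprise network may be curtailed.")
    return f"{device.user}: compliant."


if __name__ == "__main__":
    # Constructed sample devices for demonstration.
    state = PolicyState()
    corp = Device("alice", True, {"com.example.mail", "com.unknown.game"}, set())
    byod = Device("bob", False, {"com.unknown.game"}, {"com.example.mail"})
    for _ in range(4):
        action, bad = evaluate(corp, state)
        print(notification(corp, action, bad))
    action, bad = evaluate(byod, state)
    print(notification(byod, action, bad))  # bob's locally installed game is invisible to the network
```

Running the script shows alice receiving three warnings and then an enforcement notice, while bob's employee-owned device is reported compliant because the unapproved app never touched the network; that gap is exactly why the text tells you to rely on network monitoring for devices you do not control.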

Be wary of embracing apps that don’t have much pedigree in the form of a big reputable firm behind them. You should avoid recommending any applications as part of your defense arsenal that are made by unknown parties. Although some of them may sound promising and make bold claims, these could be cloaked malware or poorly written applications that do more damage than remedy.

Regardless of these advancements, your defensive posture should be to drop support for devices that are not trusted, that is, devices that the manufacturer no longer supports because users have actively modified them in ways that change the devices' security posture.