If you’re planning to take the SY0-501 version of the Security+ exam, you should understand mobile device management concepts. This includes tools that help enforce security policies on mobile devices. They also include enforcing strong authentication methods to prevent unauthorized access.
For example, can you answer this question?
Q. Management within your company wants to implement a method that will authorize employees based on several elements, including the employee’s identity, location, time of day, and type of device used by the employee. Which of the following will meet this need?
A. Geofence
B. Containerization
C. Tethering
D. Context-aware authentication
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Mobile Device Management
Mobile device management (MDM) includes the technologies to manage mobile devices. The goal is to ensure these devices have security controls in place to keep them secure.
System management tools, such as Microsoft System Center Configuration Manager (SCCM, also known as ConfigMgr), ensure systems are kept up to date with current patches, have antivirus software installed with up-to-date definitions, and are secured using standard security practices. While these tools originally focused on desktop PCs and laptops, they have expanded to include many mobile devices. As an example, ConfigMgr includes support for many mobile devices, including Apple iOS-based devices and Android-based devices.
Mobile Device Management Concepts
MDM applications help administrators manage mobile devices. The following bullets describe many of the MDM concepts that apply to mobile devices:
• Application management. MDM tools can restrict what applications can run on mobile devices. They often use application whitelists to control the applications and prevent unapproved applications from being installed.
• Full device encryption. Encryption protects against loss of confidentiality on multiple platforms, including workstations, servers, mobile devices, and data transmissions. Encryption methods such as full device encryption provide device security, application security, and data security. While an organization can ensure corporate-owned devices use full device encryption, this isn’t always possible when employees use their own devices.
• Storage segmentation. In some mobile devices, it’s possible to use storage segmentation to isolate data. For example, users might be required to use external storage for any corporate data to reduce the risk of data loss if the device is lost or stolen. It’s also possible to create separate segments within the device. Users would store corporate data within an encrypted segment and personal data elsewhere on the device.
• Content management. After creating segmented storage spaces, it’s important to ensure that appropriate content is stored there. An MDM system can ensure that all content retrieved from an organization source (such as a server) is stored in an encrypted segment. Also, content management can force the user to authenticate again when accessing data within this encrypted segment.
• Passwords and PINs. Mobile devices commonly support the use of passwords or personal identification numbers (PINs). MDM systems typically support password policies, similar to the password policies used in desktop systems. The only limitation is that some mobile devices only support PINs, while others support either passwords or PINs.
Biometrics. Many mobile devices now support biometrics for authentication. For example, you can teach the device your fingerprint and then use your fingerprint to authenticate instead of entering a password or PIN.
• Remote wipe. Remote wipe capabilities are useful if the phone is lost. It sends a remote signal to the device to wipe or erase all the data. The owner can send a remote wipe signal to the phone to delete all the data on the phone. This also deletes any cached data, such as cached online banking passwords, and provides a complete sanitization of the device by removing all valuable data.
• Geolocation. Mobile devices commonly include Global Positioning System (GPS) capabilities that can be used for geolocation. Applications commonly use GPS to identify the location of the device. This can also be used to locate a lost device.
• Geofencing. Organizations sometimes use GPS to create a virtual fence or geographic boundary using geofencing technologies. Apps can respond when the device is within the virtual fence. As an example, an organization can configure mobile apps so that they will only run when the device is within the virtual fence. Similarly, an organization can configure a wireless network to only operate for mobile devices within the defined boundary.
• GPS tagging. GPS tagging (also called geotagging) adds geographical information to files such as pictures when posting them to social media web sites. For example, when you take a picture with a smartphone that has GPS features enabled, the picture application adds latitude and longitude coordinates to the picture. Thinking of friends and family, this is a neat feature. However, thinking of thieves and criminals, they can exploit this data. For example, if Lisa frequently posts pictures of friends and family at her house, these pictures identify her address. If she later starts posting pictures from a vacation location, thieves can realize she’s gone and burglarize her home.
• Context-aware authentication. Context-aware authentication uses multiple elements to authenticate a user and a mobile device. It can include the user’s identity, geolocation, verification that the device is within a geofence, time of day, and type of device. Combined, these elements help prevent unauthorized users from accessing apps or data.
Remember this
Remote wipe sends a signal to a lost or stolen device to erase all data. Geolocation uses Global Positioning System (GPS) and can help locate a lost or stolen device. Geofencing creates a virtual fence or geographic boundary and can be used to detect when a device is within an organization’s property. GPS tagging adds geographical data to files such as pictures. Context-aware authentication uses multiple elements to authenticate a user and a mobile device.
Q. Management within your company wants to implement a method that will authorize employees based on several elements, including the employee’s identity, location, time of day, and type of device used by the employee. Which of the following will meet this need?
A. Geofence
B. Containerization
C. Tethering
D. Context-aware authentication
Answer is D. Context-aware authentication can authenticate a user and a mobile device using multiple elements, including identity, geolocation, time of day, and type of device. None of the other answers meets all the requirements of the question.
A geofence creates a virtual fence, or geographic boundary, and can be used with context-aware authentication.
Containerization isolates an application, protecting it and its data.
Tethering allows one device to share its Internet connection with other devices.
See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on deploying mobile devices securely.