MobileIron Policy Recommendations

Please note that the recommendations in this document are provided as a starting point. Each customer must determine the policy that will work best in their company.

1. Security Policy

1.1 Configured in the Policies Tab as new Security Policy

General Recommendations Based on Risk Tolerance Level [1]

Setting                                  | Defensive                  | Reluctant                 | Opportunistic       | Aggressive
-----------------------------------------|----------------------------|---------------------------|---------------------|-----------------
Password [2]                             | Alphanumeric, 10-16 digits | Alphanumeric, 5-10 digits | Simple, 4-7 digits  | Simple, 4 digits
Time-out (screen goes black)             | 1-2 minutes                | 2-5 minutes               | 5 minutes           | 5 minutes
Minimum Complex Characters               | 3                          | 1-2                       | 0                   | 0
Password Age                             | 90                         | 90                        | 90-180              | 0
Max Failed Attempts                      | 6                          | 6-10                      | 10-15               | 0
Password History                         | 10                         | 5-10                      | 3-5                 | 0
Grace Period for Device Lock             | Immediately                | 1 or 5 minutes            | 5 or 15 minutes     | 15 minutes

The following settings carry the same recommendation at every risk tolerance level:

Enable Secure Apps (Android Only): This box must be checked to enable AppConnect for Android. Password must also be set to Mandatory. Requires VSP and Android Client version 5.1.

Secure Apps Password Mode (Android Only): Secure Apps Only is recommended for BYOD devices. Secure Apps & Device is recommended for corporate-owned devices.

Encryption - Device Encryption: Applies only to Android devices running 3.x or higher, or Samsung devices with Enterprise APIs running 2.3 or higher. Recommend encrypting all Data Types, File Types, and SD Card.

[1] The analyst group Gartner developed this four-point scale to assess CIOs' attitudes toward IT consumerization, from defensive to aggressive. MobileIron adopted the scale to indicate an organization's general risk tolerance, with a defensive organization more focused on security and control and an aggressive organization more focused on redefining the relationship with users.

[2] Please note that this setting refers to the password that the VSP will enforce on the device. The user can still set a password for their device.

In the Access Control section of the Security Policy, you can configure compliance actions to trigger automatically when an out-of-compliance security posture (e.g. a compromised device, or a downloaded blacklisted app) is detected. There are four actions that you can take, outlined below from most severe to least severe:

1) Quarantine: the quarantine action removes all configurations, including email, WiFi, VPN, certificates, apps, and app data that MobileIron has placed or allowed to be placed on the device. The user will no longer be able to access corporate resources, including email and any apps downloaded through the MobileIron App Storefront. Quarantine is only available for iOS devices.

2) Block: the block action prevents access to corporate resources, but does not remove any configurations from the device. Any email, calendar, and contact information already present on the device is still accessible to the user, but the user cannot send or receive new email, calendar events, or contact information on the device. Please note that the MobileIron Sentry is required to enable blocking.

11/30/2012

2012 MobileIron. All rights reserved.


3) Alert User and/or Administrator: the alert action can be configured to alert the user, an administrator, or both. Alerts can be sent via SMS, email, or push notification. All alerts are managed through the Event Center tab. The wording of the alert is configured through the Settings tab under Templates.

4) Report: the report action is enabled by simply setting an alert in the security policy, as in the table below. Nothing else needs to be configured. The system captures the events and presents them in a default report that can be accessed at https://{host-name for your VSP}/api/v1/dm/devices.csv. Additional reporting can be configured using the Assemble tool, available through the MobileIron Support Portal.

MobileIron's compliance action recommendations, based on risk tolerance level, are presented in the table below. We recommend setting up your policy with these recommendations for your pilot group, assessing how well they work, and adjusting them as needed for production. Considerations include:

- Disruption to business from block or quarantine actions
- Excessive calls to the Help Desk to resolve lost access to corporate resources due to block or quarantine actions
- Poor user experience from too many alerts
- Poor administrator experience from too many alerts

Access Control: General Recommendations Based on Risk Tolerance Level [1]

Check                                                  | Defensive                                       | Reluctant                                       | Opportunistic                               | Aggressive
-------------------------------------------------------|-------------------------------------------------|-------------------------------------------------|---------------------------------------------|--------------------------------
Action when Device not connected in:                   | Block and Send Alert; 21 days                   | Block and Send Alert; 21 days                   | Alert; 21 days                              | Report
Action when a policy has been out of date for:         | Block and Send Alert; 1 day                     | Block and Send Alert; 1 day                     | Block and Send Alert; 5 days                | Alert; 10 days
Action when a device violates these App Control rules: | Quarantine; MI app is not present               | Block and Send Alert; MI app is not present     | Block and Send Alert; MI app is not present | Alert; MI app is not present
iOS and Android: Action when version is less than:     | Quarantine; iOS 5.0, Android 2.3                | Block and Send Alert; iOS 5, Android 2.3        | Block and Send Alert; iOS 5, Android 2.3    | Alert; iOS 5, Android 2.3
iOS 5 and higher: Action when MDM is disabled          | Quarantine                                      | Block and Send Alert                            | Block and Send Alert                        | Alert
iOS: Action when Data Protection is disabled           | Quarantine                                      | Block and Send Alert                            | Send Alert                                  | Report
iOS and Android: Action when device is compromised [3] | iOS: Quarantine; Android: Block and Send Alert  | iOS: Quarantine; Android: Block and Send Alert  | Block and Send Alert                        | Alert
Android: Action when Data Encryption is disabled       | Block and Send Alert (Quarantine when able)     | Block and Send Alert                            | Block and Send Alert                        | Alert
Android: Action when device admin is deactivated       | Block and Send Alert (Quarantine when able)     | Block and Send Alert                            | Block and Send Alert                        | Alert
Android: Wipe if not connected for:                    | Not Recommended (all risk tolerance levels)

[3] In order to detect compromised iOS devices, the MobileIron client must be installed on the device, iOS multitasking must be enabled in the privacy policy, and the device must have granted MobileIron permission to use location services.
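As an added illustration, not MobileIron's code or any VSP API, the following Python sketch evaluates constructed device inventory records against a subset of the Access Control table above: it applies the per-level action for each check, honours the page's caveat that Quarantine exists only for iOS (falling back to Block and Send Alert on Android), and picks the most severe action when several checks fire. The Device fields, rule names and the treatment of a Report cell with no stated threshold are this example's own assumptions.

```python
from dataclasses import dataclass

LEVELS = ("Defensive", "Reluctant", "Opportunistic", "Aggressive")
SEVERITY = ("Report", "Alert", "Block and Send Alert", "Quarantine")  # least to most severe

# Subset of the Access Control table above: for each check, the platforms it applies to and
# (action, day threshold) per risk tolerance level. None = the table states no day threshold.
RULES = {
    "not_connected": ({"iOS", "Android"}, (("Block and Send Alert", 21), ("Block and Send Alert", 21), ("Alert", 21), ("Report", None))),
    "policy_out_of_date": ({"iOS", "Android"}, (("Block and Send Alert", 1), ("Block and Send Alert", 1), ("Block and Send Alert", 5), ("Alert", 10))),
    "compromised": ({"iOS", "Android"}, (("Quarantine", None), ("Quarantine", None), ("Block and Send Alert", None), ("Alert", None))),
    "mdm_disabled": ({"iOS"}, (("Quarantine", None), ("Block and Send Alert", None), ("Block and Send Alert", None), ("Alert", None))),
    "encryption_disabled": ({"Android"}, (("Quarantine", None), ("Block and Send Alert", None), ("Block and Send Alert", None), ("Alert", None))),
}
DAY_CHECKS = {"not_connected": "days_since_checkin", "policy_out_of_date": "policy_age_days"}

@dataclass
class Device:
    # Constructed inventory record; the field names are this example's own, not the VSP's.
    platform: str                 # "iOS" or "Android"
    days_since_checkin: int = 0
    policy_age_days: int = 0
    compromised: bool = False
    mdm_disabled: bool = False
    encryption_disabled: bool = False

def evaluate(device: Device, level: str) -> dict:
    """Return {check: action} for every rule the device violates at the given risk level."""
    column = LEVELS.index(level)
    hits = {}
    for check, (platforms, cells) in RULES.items():
        if device.platform not in platforms:
            continue
        action, threshold = cells[column]
        if check in DAY_CHECKS:
            days = getattr(device, DAY_CHECKS[check])
            # Assumption: a Report cell with no stated threshold records any missed check-in.
            violated = days > (threshold if threshold is not None else 0)
        else:
            violated = getattr(device, check)
        if violated:
            # Quarantine is only available for iOS; on Android the table falls back to Block.
            if action == "Quarantine" and device.platform == "Android":
                action = "Block and Send Alert"
            hits[check] = action
    return hits

def most_severe(actions) -> "str | None":
    """Single action to apply when several checks fire: the most severe one wins."""
    return max(actions, key=SEVERITY.index, default=None)
```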



1.2 Configured in the Policies Tab as new Lockdown Policy

General Recommendations Based on Device Ownership

Setting                                                                                          | Company-owned | Employee-owned
-------------------------------------------------------------------------------------------------|---------------|---------------
Camera [4] (only for WinMo, Symbian, and Android v2.3 and higher with Samsung APIs enabled)      | Enable        | Enable
SD Card (only for WinMo, Symbian, and Android v2.3 and higher with Samsung APIs)                 | Enable        | Enable
Bluetooth Audio and Data (only for WinMo, Symbian, and Android v2.3 and higher with Samsung APIs enabled) | Enable | Enable
Bluetooth Audio (WinMo only)                                                                     | Enable        | Enable
IRDA (WinMo only)                                                                                | Enable        | Enable
WiFi (only for WinMo and Android v2.3 and higher with Samsung APIs enabled)                      | Enable        | Enable

The settings below are available only for Samsung Enterprise-Ready devices running OS version 4.0 or higher:

Setting                       | Company-owned | Employee-owned
------------------------------|---------------|---------------
Android browser               | Enable        | Enable
Copy/paste                    | Enable        | Enable
Factory reset                 | Enable        | Enable
Google Backup [5]             | Disable       | Enable
Google Play                   | Enable        | Enable
Microphone                    | Enable        | Enable
Near Field Communications [6] | Disable       | Enable
Over the air upgrade          | Enable        | Enable
Roaming data                  | Enable        | Enable
Roaming voice calls           | Enable        | Enable
Screen capture                | Enable        | Enable
Settings changes              | Enable        | Enable
Tethering - Bluetooth [6]     | Disable       | Enable
Tethering - USB [6]           | Disable       | Enable
Tethering - Wi-Fi [6]         | Disable       | Enable
USB debug [6]                 | Disable       | Enable
USB mass storage [6]          | Disable       | Enable
USB media player [6]          | Disable       | Enable
YouTube                       | Enable        | Enable

1.3 Configured in the Apps & Configs tab as new iOS Restrictions Settings. Different settings can be configured for different device/user groups using Labels and LDAP groups.

General Recommended iOS Restrictions Based on Device Ownership

Functionality                 | Company-owned | Employee-owned
------------------------------|---------------|---------------
App installation              | Yes           | Yes
Camera [4]                    | Yes           | Yes
FaceTime                      | Yes           | Yes
Screen capture                | Yes           | Yes
Automatic sync while roaming  | No            | Yes

[4] MobileIron recommends enabling the camera, as the camera is commonly leveraged in mobile apps developed for internal employees. Some customers may require the camera to be disabled for certain employees due to security concerns.

[5] Google Backup backs up configuration data including Wi-Fi passwords, browser bookmarks, apps installed from Google Play, and other customized settings. For low risk-tolerance organizations, MobileIron recommends disabling Google Backup because some third-party apps may also take advantage of this feature. High risk-tolerance organizations should consider enabling it to improve user experience. If enabled, to prevent employees from connecting to email after restoring to an unmanaged device, set the Sentry to auto-block unregistered devices.

[6] MobileIron recommends disabling this functionality to reduce data loss risk.


General Recommended iOS Restrictions Based on Device Ownership (continued)

Functionality (continued)                                                                        | Company-owned      | Employee-owned
-------------------------------------------------------------------------------------------------|--------------------|-------------------
Siri                                                                                             | Yes                | Yes
Allow Siri when device is locked (iOS 5.1+)                                                      | No                 | No
Voice dialing                                                                                    | Yes                | Yes
In-app purchases                                                                                 | Yes                | Yes
Force entering store password for all purchases (iOS 5 only)                                     | Yes                | No
Multi-player gaming                                                                              | No                 | No
Add Game Center friends                                                                          | Yes                | No
Allow installation of configuration profiles and certificates (Supervised devices only, with iOS 6+) | Yes            |
Allow Passbook notifications while locked (iOS 6+)                                               | Yes                | Yes

Applications Access                                                                              | Company-owned      | Employee-owned
-------------------------------------------------------------------------------------------------|--------------------|-------------------
YouTube                                                                                          | Yes                | Yes
iTunes Music Store                                                                               | Yes                | Yes
Safari                                                                                           | Yes                | Yes
Safari: Enable autofill                                                                          | Yes                | Yes
Safari: Force fraud warning                                                                      | Yes                | No
Safari: Enable Javascript                                                                        | Yes                | Yes
Safari: Block pop-ups                                                                            | Yes                | No
Safari: Accept cookies                                                                           | From visited sites | From visited sites

iCloud                                                                                           | Company-owned      | Employee-owned
-------------------------------------------------------------------------------------------------|--------------------|-------------------
Allow backup                                                                                     | No                 | Yes [7]
Allow document sync                                                                              | No                 | No [8]
Allow Photo Stream                                                                               | No [9]             | Yes
Allow shared Photo Streams (iOS 6+)                                                              | No                 | Yes

Security and Privacy                                                                             | Company-owned      | Employee-owned
-------------------------------------------------------------------------------------------------|--------------------|-------------------
Allow use of iBookstore (Supervised devices only with iOS 6+)                                    | Yes                | N/A [10]
Allow Game Center (Supervised devices only with iOS 6+)                                          | No                 | N/A [10]
Allow iMessage (Supervised devices only with iOS 6+)                                             | No                 | N/A [10]
Allow diagnostic data to be sent to Apple (iOS 5+)                                               | Yes                | Yes
Allow user to accept untrusted TLS certs (iOS 5+) [11]                                           | No                 | Yes
Force encrypted backups                                                                          | Yes                | Yes

Content Ratings                                                                                  | Company-owned      | Employee-owned
-------------------------------------------------------------------------------------------------|--------------------|-------------------
Allow explicit music and podcasts                                                                | No                 | Yes
Allow erotica in iBookstore (Supervised devices only with iOS 6+)                                | No                 | N/A [10]
Ratings region                                                                                   | As appropriate     | As appropriate
Movies                                                                                           | Don't Allow        | Allow All
TV Shows                                                                                         | Don't Allow        | Allow All
Apps                                                                                             | 17+                | Allow All

[7] Please note that this allows backup of the email configuration, not email data. To prevent employees from connecting to email after restoring to an unmanaged device, set the Sentry to auto-block unregistered devices.

[8] For low risk-tolerance organizations, we recommend not allowing document sync on employee-owned devices to mitigate the risk of company-related email attachments being synced to iCloud. However, you will need to balance this decision with user experience. If you are in a high risk-tolerance organization, you may decide to accept this risk to preserve user experience.

[9] For low risk-tolerance organizations, we recommend disabling Photo Stream on corporate-owned devices to prevent employees from photographing corporate data or documents and streaming them to iCloud. However, you will need to balance this decision with user experience. If you are in a high risk-tolerance organization, you may decide to accept this risk to preserve user experience.

[10] Please note that this restriction is not applicable to personal devices because it requires supervision by the Apple Configurator, which is inappropriate for personal devices. By default, the restriction should be set to enable.

[11] Based on our experience, accepting an untrusted or invalid certificate rarely presents a real risk since iOS is so protected. The exception would be for a compromised device, which should not be allowed to connect to corporate resources anyway.


2. Privacy Policy

2.1 Configured in the Policies Tab as new Privacy Policy. Only the configuration options for iOS and Android are presented below, since they are the most common.

General Recommendations Based on Device Ownership

Setting                                                                                                  | Company-owned  | Employee-owned
---------------------------------------------------------------------------------------------------------|----------------|---------------
Apps (recommended to detect whether the MI app is installed; may be adjusted to address privacy issues)  | Sync Inventory | Sync Inventory
Application multi-tasking (iOS only; required to detect compromised (jailbroken) devices)                | Enable         | Enable

3. Exchange/Email Settings

3.1 Configured in the Apps & Configs Tab as new Exchange or Email Setting, as appropriate. Only the configuration options related to security are presented below.

General Recommendations Based on Risk Tolerance Level

Setting                                                                                                                                                     | Defensive | Reluctant | Opportunistic | Aggressive
------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|-----------|---------------|-----------
Exchange Setting Only: Disable Cut/Copy/Paste for Android (applies to the NitroDesk TouchDown email app only)                                               | Yes       | Yes       | Yes           | No
Exchange and Email Settings (iOS 5 or later): Block move/forward messages to other accounts (also blocks messages from being sent from a different account than the originating message) | Yes | Yes | Yes | No
Exchange and Email Settings (iOS 5 or later): Block mail access to 3rd party email apps (the account will not be available for sending mail in 3rd party accounts) | Yes | Yes | No | No
Exchange and Email Settings (iOS 5 or later): Allow recent address syncing (iOS 6+; allows recent email addresses to show up on other iOS devices)            | No        | No        | Yes           | Yes