As cybersecurity presents an increasingly complex and concerning environment for personal, business and government safety, attention to the secure use of mobile devices is more important than ever for individuals around the world. In fact, recent news of cybercriminals and hackers having connections deeply rooted in the Russian government, as well as the thousands of unauthorized “app stores” hosted in China, has underscored the growing number of threats in existence — and therefore a clear need to be proactive.

From our experience in consulting with companies concerning the use of enterprise mobility management (EMM), and specifically EMM through the VMware AirWatch platform, we’ve compiled the following list of tips and strategies for employees who must travel abroad. These best practices can help ensure that secure mobile device usage is paramount as part of an overall mobility strategy. While these were put together with international BYOD (bring your own device) users in mind, they really apply to users in any location on any device.

General Precautions
  • Confirm such devices are enrolled in AirWatch prior to allowing any access to company mail or other data/file systems to ensure the state of the device can be monitored and access to company data can be pulled should the OS be compromised (by jail breaking and rooting).
  • Ensure supported devices for both BYOD and CYOD (choose your own device) are capable of running the latest patched OS at all times.
  • Enforce stronger passcodes on devices used by employees who travel abroad.
  • Given that mobile device end-users are still the number one risk to cybersecurity, institute a “best practices” educational campaign informing users about the risks inherent to downloading applications when abroad (and at home, for that matter!), in addition to providing general internet and app situational use training.
    º Stress what links and attachments NOT to open. This is still a key vector for the entry of bots, malware, and phishing scams into devices and networks.
  • Include safe mobile use requirements in your mobile device usage policy, which must be signed by the employee upon mobile access being granted.
  • Train IT support staff on the proper steps to take should a mobile device become compromised (via jailbreaking, downloading infected apps, usage of risky apps, network traffic or otherwise).
  • Conduct a formal risk assessment of using mobile devices overseas, balancing business needs against risk of allowing roaming data and ability to download non-business apps.
    º Determine which roles and or use cases deserve consideration.
    º Consider HIPAA or other regulatory requirements, as well as customer requirements, for security of such data that may be within your control.
    º Consider other options for travel overseas, such as the use of local SIM cards and/or non-smartphones for use when abroad.
AirWatch Options

Review controls available in AirWatch to:

  • Limit email access to ONLY those who have their device enrolled in AirWatch.
    • Control this via PowerShell commands to Exchange in network or in Office 365 in the cloud.
    • Enable and enforce that a VPN connection is required to be used on the device at all times when off the company private network.
    • Establish compliance policies that will immediately enterprise wipe a device when:
      • Blacklisted apps are present
      • Required apps are missing i.e., VPN apps if required)
      • Latest required OS version policy is not observed on the device
    • Require that all devices/data are encrypted.
      • For devices running iOS, this is automatic when a passcode is used.
      • For devices running Android, encryption by the user is required but is enforceable in compliance policies.
    • Institute the Advanced Telecom Module in AirWatch for:
      • Monitoring of cellular data usage in real time
      • Reporting available on data usage
      • Some Logs available to monitor traffic
    • Ensure that, when provided by the company, apps are “containerized” or provided in a “catalog” in which only authenticated users have access.

Consider implementing the following additional controls available in advanced AirWatch suites:

  • Secure Email Gateway (available in Orange suite and higher)
    • Allows for limiting attachments in email and/or stripping attachments with unacceptable file types.
  • VMware Boxer (available in Orange suite and higher)
    • Allows clear separation of access to company email and DLP controls.
  • Workspace ONE
    • IDM (Identity management) is leveraged to only allow access to applications via the company authentication process, which can be SSO (single sign-on).

Finally, consider the integration of AirWatch capabilities with leading malware threat protection products like CheckPoint Capsule, which can detect and remediate malware through the three major vectors: the device OS, apps and network traffic.

  • Allow the use of the compliance engine to cut off access to company data until the compromised state of the device is remediated.
  • Utilize the MDM capabilities of AirWatch to automatically deploy Capsule to all enrolled devices automatically.
  • Target licenses and policies to a limited group as necessary.

For more information on how Tech Orchard can help you leverage tools like AirWatch and Check Point to manage security on your mobile devices wherever they are, contact us at info@techorchard.com.