CWSP Chapter 9 – BYOD and Guest Access

CID – Company-Issued Device

BYOD – Bring Your Own Device

MDM – remotely manage and control CID cell phones and BYOD cell phones

NAC – provide authentication and access control for CID devices and BYOD

Mobile Device Management (MDM)

  • Main focus is to manage, secure, and monitor CID and BYOD mobile phones
  • Requires installation of client software
  • Apps installed on the phones can be managed
  • Example – VMware AirWatch, JAMF, MobileIron
  • MDM for CID
    • More security required
    • Mandates VPN, Wi-Fi profile settings, encryption, etc.
    • Enables remote wipe if lost or stolen
    • Prevents the user from removing the MDM profile
  • MDM for BYOD
    • Control depends on the type of user
    • Alternatively, NAC can be used for BYOD management, as it doesn't require installation of client software
  • Components:
    • Mobile phones
    • AP & Controller
    • MDM Server – provisions the MDM profile (cloud-based or on-prem SW/HW)
    • Push Notification Server (Over-the-Air)
      • Apple Push Notification service (APN)
      • Google Cloud Messaging (GCM)
  • Enrollment
    • Onboarding process goes through walled garden, enrollment verification, LDAP authentication, and over-the-air provisioning of profiles
    • iPhones – Simple Certificate Enrollment Protocol (SCEP) is used to install and protect the profile
    • macOS and iOS – XML-based profiles
    • Android – uses agent application software
    • GCM will enforce changes to rules via the Android App that is installed (including remote wipe)
    • APN will enforce changes to rules via SCEP (including remote wipe)

Self-Service Device Onboarding

  • Windows can push certificates through a GPO update, but to manage all OS types you need an onboarding process
  • Single-SSID vs. Dual-SSID onboarding
  • As MDM is designed for mobile phones, an onboarding process is better suited to BYOD laptops

Guest WLAN Access

  • Recommended to configure a separate SSID, VLAN, and Firewall policy with captive portal
  • Firewall policy is used to block internal network access except DNS and DHCP
  • Also allow HTTP, HTTPS, and IPsec ports
  • Captive portal – legal disclaimer and guest authentication/registration
  • Can also do employee sponsorship or social login (OAuth)
  • Enable client isolation, rate limiting, and web content filtering
  • Recommended to do encrypted guest access (PSK, DPSK, Hotspot 2.0)
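The guest firewall policy in the list above, written out as an ordered first-match rule set and evaluated over a few constructed flows. This is an added illustration, not code from the CWSP material: the guest subnet, gateway address and the sample flows are made up, and the example goes slightly beyond the notes by allowing DNS only to the guest gateway's resolver (rather than to any internal DNS server), a common tightening that keeps guests off the internal name servers.

```python
"""Guest WLAN egress policy: block internal address space except DHCP and
DNS, allow HTTP/HTTPS and IPsec outward, default deny. Rule order matters:
the narrow allows come before the broad internal DROP, and the Internet
allows come after it. Addresses below are constructed for the example."""
import ipaddress
from dataclasses import dataclass

GUEST_NET = ipaddress.ip_network("10.99.0.0/24")   # constructed guest VLAN
GUEST_GATEWAY = ipaddress.ip_address("10.99.0.1")  # gateway runs DHCP/DNS for guests

# RFC 1918 space stands in for "the internal network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "esp"
    dport: int = 0  # unused for esp


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def rules():
    """(description, predicate, verdict) triples; first match wins."""
    return [
        ("allow DHCP (broadcast or to the guest gateway)",
         lambda f: f.proto == "udp" and f.dport == 67, "ACCEPT"),
        ("allow DNS to the guest gateway resolver only",
         lambda f: f.proto in ("udp", "tcp") and f.dport == 53
         and ipaddress.ip_address(f.dst) == GUEST_GATEWAY, "ACCEPT"),
        ("block everything else into internal address space",
         lambda f: is_internal(ipaddress.ip_address(f.dst)), "DROP"),
        ("allow HTTP/HTTPS to the Internet",
         lambda f: f.proto == "tcp" and f.dport in (80, 443), "ACCEPT"),
        ("allow IPsec (IKE, NAT-T, ESP) to the Internet",
         lambda f: (f.proto == "udp" and f.dport in (500, 4500))
         or f.proto == "esp", "ACCEPT"),
        ("default deny", lambda f: True, "DROP"),
    ]


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, matching rule description) for a guest-sourced flow."""
    if ipaddress.ip_address(flow.src) not in GUEST_NET:
        raise ValueError("policy applies only to traffic sourced from the guest VLAN")
    for desc, pred, verdict in rules():
        if pred(flow):
            return verdict, desc
    raise AssertionError("unreachable: default deny always matches")


# Constructed sample flows from one guest client.
SAMPLE_FLOWS = [
    Flow("10.99.0.20", "255.255.255.255", "udp", 67),   # DHCP discover
    Flow("10.99.0.20", "10.99.0.1", "udp", 53),         # DNS to guest resolver
    Flow("10.99.0.20", "10.0.0.5", "udp", 53),          # DNS to an internal DC
    Flow("10.99.0.20", "192.168.1.10", "tcp", 445),     # SMB into corporate LAN
    Flow("10.99.0.20", "93.184.216.34", "tcp", 443),    # HTTPS to the Internet
    Flow("10.99.0.20", "93.184.216.34", "udp", 4500),   # IPsec NAT-T to a VPN
    Flow("10.99.0.20", "93.184.216.34", "tcp", 22),     # SSH to the Internet
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, why = evaluate(f)
        print(f"{f.proto}/{f.dport:<5} {f.src} -> {f.dst:<16} {verdict:<6} ({why})")
```

Note that guest-to-guest traffic falls under the internal DROP as well, but that rule only sees traffic that reaches the firewall; isolation between clients on the same SSID has to be enforced at the AP or controller, which is why the notes list client isolation as a separate setting.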

Network Access Control (NAC)

  • Posture checks via persistent agent
  • Client OS fingerprinting – using DHCP fingerprinting (option 55) or HTTP fingerprinting
  • AAA
  • RADIUS COA
  • Single Sign-On (SSO)
    • SAML (Authentication and Authorization – to provide access to outside resources using corporate login)
    • OAuth (Authorization standard)
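DHCP fingerprinting (option 55) from the NAC list, as an added worked example that is not part of the notes: the code parses the option area of a DHCPDISCOVER, pulls out the Parameter Request List, and looks the option order up in a signature table. The DHCPDISCOVER packet and the three signatures are constructed for illustration (real NAC products ship signature databases with thousands of entries), and the MAC address and transaction id are made up.

```python
"""NAC-style client OS fingerprinting from DHCP option 55.

A DHCP client asks for options in a fixed order, so the ordered list in the
Parameter Request List (option 55) is a usable OS fingerprint. The packet
builder and the signature table below are constructed for this example."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie at offset 236 of a BOOTP frame
OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_END = 255

# Constructed signature table: option-55 order -> label. The order, not the
# set, is the fingerprint, so "1,3,6" and "3,1,6" are different signatures.
FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows (example signature)",
    "1,121,3,6,15,119,252,95,44,46": "macOS/iOS (example signature)",
    "1,3,6,15,26,28,51,58,59,43": "Android (example signature)",
}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} from the option area of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (short frame or bad magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:     # length byte claims more than is present
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def option55_signature(packet: bytes) -> str:
    """Comma-joined option order from the Parameter Request List ('' if absent)."""
    prl = parse_dhcp_options(packet).get(OPT_PARAM_REQUEST_LIST, b"")
    return ",".join(str(b) for b in prl)


def fingerprint_os(packet: bytes) -> str:
    return FINGERPRINTS.get(option55_signature(packet), "unknown")


def build_discover(mac: bytes, param_request_list: bytes) -> bytes:
    """Build a minimal DHCPDISCOVER (constructed test input, not captured)."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs, flags=broadcast,
    # ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    header += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128  # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, 1])                              # DHCPDISCOVER
               + bytes([OPT_PARAM_REQUEST_LIST, len(param_request_list)])
               + param_request_list
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


SAMPLE_MAC = b"\x00\x11\x22\x33\x44\x55"  # constructed
SAMPLE_WINDOWS_DISCOVER = build_discover(
    SAMPLE_MAC, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]))
SAMPLE_UNKNOWN_DISCOVER = build_discover(SAMPLE_MAC, bytes([1, 3, 6]))

if __name__ == "__main__":
    for name, pkt in (("windows", SAMPLE_WINDOWS_DISCOVER), ("other", SAMPLE_UNKNOWN_DISCOVER)):
        print(name, option55_signature(pkt), "->", fingerprint_os(pkt))
```

Because option 55 is entirely under the client's control, the result is a posture hint, not an identity: a NAC should treat it as one input alongside HTTP User-Agent fingerprinting and, for managed devices, the agent-based posture check listed above.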
