CID – Company-Issued Device
BYOD – Bring Your Own Device
MDM – Mobile Device Management: remotely manages and controls CID and BYOD cell phones
NAC – Network Access Control: provides authentication and access control for CID and BYOD devices
Mobile Device Management (MDM)
- Main focus is to manage, secure, and monitor CID and BYOD mobile phones
- Requires installation of client software
- Apps installed on the phones can be managed
- Examples – VMware AirWatch, JAMF, MobileIron
MDM for CID
- More security required
- Mandates VPN, Wi-Fi profile settings, encryption, etc.
- Enables remote wipe if the device is lost or stolen
- Prevents the user from removing the MDM profile
MDM for BYOD
- Control depends on the type of user
- Alternatively can use NAC for BYOD management as it doesn’t require installation of client software
Components:
- Mobile phones
- AP & Controller
- MDM Server – provisions the MDM profile (cloud-based or on-prem SW/HW)
Push Notification Server (Over-the-Air)
- Apple Push Notification service (APN)
- Google Cloud Messaging (GCM)
Enrollment
- Onboarding process goes through walled garden, enrollment verification, LDAP authentication, and over-the-air provisioning of profiles
- iPhones – Simple Certificate Enrollment Protocol (SCEP) is used to install and protect the profile
- macOS and iOS – XML-based profiles
- Android – uses an agent application
- GCM will enforce changes to rules via the Android App that is installed (including remote wipe)
- APN will enforce changes to rules via SCEP (including remote wipe)
Self-Service Device Onboarding
- Windows can do GPO update for installing certificates, but to manage all types of OS, you will need onboarding
- Single-SSID vs. Dual-SSID onboarding
- As MDM is designed for mobile phones, onboarding process is better suited for BYOD laptops
Guest WLAN Access
- Recommended to configure a separate SSID, VLAN, and Firewall policy with captive portal
- Firewall policy is used to block internal network access except DNS and DHCP
- Also allow HTTP, HTTPS, and IPsec ports
- Captive portal – legal disclaimer and guest authentication/registration
- Can also do employee sponsorship or social login (OAuth)
- Enable client isolation, rate limiting, and web content filtering
- Recommended to do encrypted guest access (PSK, DPSK, Hotspot 2.0)
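The guest firewall policy described in the bullets above (block internal access except DNS and DHCP, allow HTTP, HTTPS and IPsec, client isolation) can be checked as an ordered, first-match rule set. The following is an added example, not part of the original notes or any vendor's configuration; the guest VLAN, DNS and DHCP server addresses are constructed for illustration.

```python
"""Guest WLAN firewall policy model (added example; all addresses constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addressing: guest VLAN plus the internal DNS/DHCP servers guests may reach.
GUEST_NET = ipaddress.ip_network("192.168.200.0/24")
GUEST_DNS = ipaddress.ip_address("10.10.10.53")
GUEST_DHCP = ipaddress.ip_address("10.10.10.67")
BROADCAST = ipaddress.ip_address("255.255.255.255")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "esp"
    dport: Optional[int] = None


def _is_internal(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def guest_policy(flow: Flow) -> Tuple[str, str]:
    """Evaluate a flow from the guest VLAN; returns (verdict, matching rule). First match wins."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in GUEST_NET:
        return ("deny", "not-guest-source")
    # Client isolation: guests never talk to each other.
    if dst in GUEST_NET:
        return ("deny", "client-isolation")
    # Only DNS and DHCP are allowed into the internal network.
    if flow.proto == "udp" and flow.dport == 53 and dst == GUEST_DNS:
        return ("allow", "dns")
    if flow.proto == "udp" and flow.dport == 67 and dst in (GUEST_DHCP, BROADCAST):
        return ("allow", "dhcp")
    if _is_internal(dst):
        return ("deny", "block-internal")
    # Internet-bound traffic: web and IPsec VPN only.
    if flow.proto == "tcp" and flow.dport in (80, 443):
        return ("allow", "web")
    if (flow.proto == "udp" and flow.dport in (500, 4500)) or flow.proto == "esp":
        return ("allow", "ipsec")
    return ("deny", "default-deny")


if __name__ == "__main__":
    for f in (Flow("192.168.200.10", "10.10.10.53", "udp", 53),
              Flow("192.168.200.10", "10.1.1.5", "tcp", 445),
              Flow("192.168.200.10", "203.0.113.10", "tcp", 443),
              Flow("192.168.200.10", "192.168.200.11", "tcp", 22)):
        print(f, "->", guest_policy(f))
```

Rule order matters: the internal block must come after the DNS/DHCP exceptions but before the web and IPsec allows, otherwise a guest could reach an internal web server on port 443. Keeping the model in a unit test makes that ordering mistake visible before it reaches the real firewall.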
Network Access Control (NAC)
- Posture checks via persistent agent
- Client OS fingerprinting – using DHCP fingerprinting (option 55) or HTTP fingerprinting
- AAA
- RADIUS CoA (Change of Authorization)
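The DHCP fingerprinting mentioned above works by reading option 55, the Parameter Request List, out of a client's DHCP DISCOVER/REQUEST and comparing the requested option codes with a table of known operating systems. The following is an added example, not code from the original notes or from any NAC product: it parses the DHCP options area and looks up option 55 in a small fingerprint table. The table entries and the sample packets are constructed for illustration and are not a production fingerprint database.

```python
"""DHCP option-55 OS fingerprinting (added example; table and packets constructed)."""
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed fingerprint table: Parameter Request List -> OS label.
FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows (sample entry)",
    (1, 3, 6, 15, 119, 252): "Apple iOS/macOS (sample entry)",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android (sample entry)",
}


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Parse the TLV options area that follows the magic cookie (RFC 2132 layout)."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    parsed: Dict[int, bytes] = {}
    i = 4
    while i < len(options):
        code = options[i]
        if code == 0:          # PAD: single byte, no length
            i += 1
            continue
        if code == 255:        # END
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        # Repeated option codes are concatenated (RFC 3396).
        parsed[code] = parsed.get(code, b"") + value
        i += 2 + length
    return parsed


def fingerprint(options: bytes) -> Tuple[Optional[str], Tuple[int, ...]]:
    """Return (OS label or None, the raw option-55 list) for one DHCP options blob."""
    prl = tuple(parse_dhcp_options(options).get(55, b""))
    return FINGERPRINTS.get(prl), prl


# Constructed DHCPDISCOVER options: option 53 (message type) then option 55 with 13 codes.
SAMPLE_WINDOWS = (MAGIC_COOKIE
                  + b"\x35\x01\x01"
                  + b"\x37\x0d" + bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252])
                  + b"\xff")

# Constructed request whose list matches nothing in the table.
SAMPLE_UNKNOWN = MAGIC_COOKIE + b"\x37\x02\x01\x03" + b"\xff"

if __name__ == "__main__":
    print(fingerprint(SAMPLE_WINDOWS))   # ('Windows (sample entry)', (1, 3, 6, ...))
    print(fingerprint(SAMPLE_UNKNOWN))   # (None, (1, 3))
```

An unknown or missing option 55 should route the client to the onboarding or quarantine VLAN rather than to an employee VLAN. The fingerprint is only a hint about the device: the list is whatever the client's DHCP stack sends, so NAC policy should combine it with 802.1X identity and posture results instead of treating it as proof of OS.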
Single Sign-On (SSO)
- SAML (Authentication and Authorization – to provide access to outside resources using corporate login)
- OAuth (Authorization standard)