Open Letter to MDM Companies


[Editor's note: This letter from a member of our community brings up some interesting points. But as noted in the comments, the MDM providers are simply using the APIs provided by the device manufacturers.]

You all have it wrong. All of your products are good, don't get me wrong! You enable us to protect our networks and provide our users with ease of use and ease of setup. You allow us to block or allow anything we feel is harmful (separate opinion about that). The thing you have wrong is wiping the phone after failed attempts at the password!

Why is this wrong?

  • Whoever steals the phone knows this, so they just enter random passwords and then have a usable phone to sell. That is, until you figure it out or it is reported to you.
  • If the end user forgets, a lot of times the phone will wipe and they will continue to use it. Then a couple of weeks later they bring you the phone saying that it isn't working right.
  • While the user is using the phone unprotected, they install their personal email or just text company information, leaving your company at risk.

What is the "right" way?

  • After 10 (or whatever your specified time would be) wrong password attempts, you lock the device with an alternate password that only the administrator knows.
  • Each phone could have a different admin password that auto-populates when you register the device.
  • The password is only viewable in the MDM console.
  • The phone can be unlocked with this passcode or through the MDM, provided the end user answers the appropriate questions correctly.
  • Also, there should be a notification on the MDM and an email sent to the MDM admin. This would allow them to be a bit more proactive and give the admin some visibility into what is happening in their world.

I think this method is more secure for our data and protects the assets we place in the field from mischief better. What are your thoughts?
http://redd.it/1xzxd2
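As an added illustration (not code from the letter or from any MDM product), this is a small model of the policy proposed above: a per-device admin unlock code is generated at registration and held for the console, a failed-attempt counter locks the device instead of wiping it at the threshold, and the lock raises a notification for the admin. All device ids, passcodes and function names are hypothetical.

```python
# Model of the "lock with an admin-only passcode instead of wiping" policy.
# Constructed example; not tied to any real MDM API.
import hmac
import secrets
from dataclasses import dataclass, field

FAILED_ATTEMPT_LIMIT = 10  # the letter's "10 (or whatever you specify)"


@dataclass
class Device:
    device_id: str
    user_passcode: str          # chosen by the user at enrollment (constructed)
    admin_unlock_code: str      # generated at registration, shown only in the console
    failed_attempts: int = 0
    locked: bool = False
    notifications: list = field(default_factory=list)


def register_device(device_id: str, user_passcode: str) -> Device:
    """Enroll a device and auto-populate a unique admin unlock code for it."""
    return Device(device_id, user_passcode, secrets.token_hex(8))


def attempt_unlock(dev: Device, passcode: str) -> str:
    """User-facing unlock. Returns 'ok', 'denied', or 'locked'."""
    if dev.locked:
        return "locked"
    if hmac.compare_digest(dev.user_passcode, passcode):
        dev.failed_attempts = 0
        return "ok"
    dev.failed_attempts += 1
    if dev.failed_attempts >= FAILED_ATTEMPT_LIMIT:
        dev.locked = True  # lock with the admin code; the data is not wiped
        dev.notifications.append(
            f"{dev.device_id}: admin-locked after {dev.failed_attempts} failed attempts"
        )
        return "locked"
    return "denied"


def admin_unlock(dev: Device, admin_code: str) -> bool:
    """Console-driven unlock with the escrowed admin code; resets the counter."""
    if not hmac.compare_digest(dev.admin_unlock_code, admin_code):
        return False
    dev.locked = False
    dev.failed_attempts = 0
    return True
```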


Uroshnor (Joined: Nov 5, 2012)

I'm not getting it ...

So I think there are some assumptions behind what you are saying that don't quite tie in with what Apple has provided.

Apple's basically saying a device is either:

- company owned, so it's supervised; OR
- personally owned, so it's not supervised

AND

- MDM is key
- access to company resources should only be possible through configuration pushed out via MDM

So with respect to your key problems:

a) Activation Lock largely takes care of this case. If you are supervised, your MDM will need to enable Activation Lock explicitly, as it defaults to off. The Device Enrolment Program, combined with mandatory MDM enrolment, can also sort it for company-owned devices.

b) If the user has wiped the phone, it won't be enrolled in MDM (nor will it be checking in with MDM). So the MDM will know that device X hasn't checked in in Y days. Have the MDM notify the person's supervisor at Y+1.

c) This is dealt with by Managed Accounts, Managed Apps, VPN, and not using plain old passwords for authentication. Certificates and Kerberos are your friend here. Passwords are just horribly broken; let them go, and you'll be better for it.

Your recommendation is really just bringing things back to passwords, which aren't the way to go if you can at all avoid it. There are some things you can't avoid them for, but get away from them as much as you can, for the love of cheese.

If lots of users are wiping phones, your passcode complexity is likely too high for the user population, or you have your failed attempt wipe threshold set too low.

On an iOS device, a 7-8 character password will keep the data safe for decades, if not centuries. Is your data really that sensitive? Some people's is, but maybe you can get away with 6 characters, for example? The difference can be amazing in wipe rates.
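An added example (not the commenter's code) of the check-in rule in point b) above: from constructed MDM check-in records, find each device's last check-in, flag devices silent for more than Y days, and mark them for escalation to the user's supervisor once they pass Y+1 days. The log format and device ids are invented for the example.

```python
# Stale check-in detection for an MDM fleet. Log lines below are constructed.
from datetime import datetime, timedelta

CHECKIN_LOG = """\
2014-02-10T08:01:00 ipad-001 checkin
2014-02-12T09:15:00 ipad-002 checkin
2014-02-14T17:40:00 ipad-001 checkin
2014-02-01T10:00:00 iphone-007 checkin
"""


def last_checkins(log: str) -> dict:
    """Map device id -> most recent check-in timestamp seen in the log."""
    seen = {}
    for line in log.splitlines():
        ts, dev, event = line.split()
        if event != "checkin":
            continue
        when = datetime.fromisoformat(ts)
        if dev not in seen or when > seen[dev]:
            seen[dev] = when
    return seen


def stale_devices(log: str, now: datetime, y_days: int) -> dict:
    """Return {device: 'stale' | 'escalate'} for devices silent longer than Y days.

    'stale'    -> more than Y days without a check-in (MDM admin notified)
    'escalate' -> more than Y+1 days (notify the user's supervisor)
    """
    result = {}
    for dev, when in last_checkins(log).items():
        silent = now - when
        if silent > timedelta(days=y_days + 1):
            result[dev] = "escalate"
        elif silent > timedelta(days=y_days):
            result[dev] = "stale"
    return result
```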
