In my 20+ years in mobile computing for the government sector, I’ve seen firsthand how mobile technology has transformed from rudimentary feature phones to today’s sophisticated smartphones. Alongside this evolution, our security and management of mobile devices have had to adapt and keep pace with rapid advancements in technology. To protect mobile data from breaches and securely embrace new technologies, organizations can implement strategies that establish a robust foundation for mobile without compromising productivity.
The great thing is that we already have the necessary tools to launch a new mobile environment or modernize an existing one. Using smartphone features, along with your existing enterprise mobility management (EMM) platform, you can often implement a secure mobile deployment without incurring extra costs.
I have observed that organizations can implement four best practice strategies to establish a robust foundation for mobile without compromising security or productivity.
1. Mobile OS updates
Update notifications
How many times have you received a notification that an operating system update is available and just clicked “Remind Me Later”? Everyone’s busy, and it can be tempting to postpone updates to a more convenient time. Although understandable, we must minimize update delays to protect against the ever-increasing risks posed by malicious parties that exploit unpatched OSes. All users should be trained to watch for OS update notifications and install them as soon as possible.
Better yet, users should be trained to turn on automatic updates. The Cybersecurity and Infrastructure Security Agency (CISA) posts instructions for turning on automatic updates with different computing platforms. For devices managed by an EMM platform, there are controls that can turn on automatic updates by policy.
Testing OS updates
Some IT admins may want to test an update before deploying it widely. This can be managed by an EMM feature allowing an OS update to be deferred for up to 90 days. While this is a useful feature to allow time for testing, the risk of an unpatched OS can often be greater than the risk of an update breaking an existing application. IT admins should take this into consideration and minimize update delays.
Managing updates with Knox
For Samsung Android devices, there are solutions like Knox Security Center that give administrators visibility into the devices impacted by published common vulnerabilities and exposures (CVEs). The IT admin can then use Knox E-FOTA to create custom OS update campaigns to schedule the deployment of security patches to targeted devices, with or without user intervention. This can be valuable when a critical update needs to be rolled out quickly. IT admins can even schedule device updates during off-hours to avoid downtime and preserve productivity.
2. Mobile apps
It is well known that the convenience offered by mobile apps can transform your business and accelerate productivity. That being said, I sometimes encounter organizations whose mobile app strategy is rooted in basic email, calendar, contacts and instant messaging. With the abundance of transformative mobile apps, the ideal scenario is to deliver more apps to users while maintaining security. Fortunately, modern smartphones and EMMs have strong controls to remove unnecessary pre-loaded apps, manage what apps are allowed to be installed, and control app permissions.
Control unnecessary apps
The first step is to make sure that any unnecessary apps that come with a new device are removed out of the box. This capability is available on Samsung devices, at no cost, using Android Enterprise and enrollment technologies like Knox Mobile Enrollment (KME). By clicking a simple checkbox in the KME service, you can ensure that unnecessary consumer apps are removed from new devices. This has the added benefit of providing users with a simplified, uncluttered device, improving the overall experience. Furthermore, using your EMM device policy controls, you can ensure that users can only install apps that have been pre-approved by your security department.
App permissions
Permission management is the next thing to consider. By managing the permissions that are allowed for installed apps, you can ensure apps access only the aspects of the device that they require to function.
When a user installs an app, they will be prompted about what permissions to allow. Users should be trained to be mindful of which permissions they allow. Better yet, for the mobile enterprise, this can be controlled by EMM. An IT admin can configure the allowed and blocked permissions ahead of time so installed apps conform to pre-approved permissions. When configured properly, you can allow greater app adoption while remaining confident that sensitive data will be protected.
3. Use case-based mobile policies
Every organization has categories of workers with different job functions who require different levels of data access with varying sensitivity. Yet I often see large deployments of mobile devices configured with a single set of policies. A remote inspector, an office worker and a first responder have different requirements. Why should all users be configured with the same policies? Often, the reason is to avoid the headache of managing many different profiles. This is an absolutely valid concern, but with a well-thought-out mobile strategy, you can reduce the number of policy profiles while providing different user communities with risk-appropriate productivity.
Risk-based policies
An effective strategy I have observed is matching different policies to different user communities, such as IT admins, leadership, knowledge workers and non-knowledge workers. Each user group would then have access to the data and apps they need that are optimized for their risk profile. Your mileage may vary on what is optimal for your organization. However, it is worth the effort to identify the user community categories and manage mobile policies to match the risk profile of each group. Keep it simple and avoid the temptation of too many profiles to manage.
4. Periodically reevaluate your mobile security
Periodically reevaluating your mobile deployment configurations may be the number one best practice I have observed, and it is the cornerstone of a forward-thinking mobile strategy. For some organizations, mobile strategies were developed in the early days of smartphones and grew over the years to what they are today. But ask yourself: If I were building a mobile deployment from scratch today, would I configure it the same way? Are the assumptions from 10+ years ago still valid today?
Modernize security policies
I occasionally meet organizations that tell me they think Android is not secure. With the incredible advancements of Knox Platform for Enterprise and Android Enterprise, nothing could be farther from the truth. I will often respond to such comments by asking when they last looked at Android. In virtually every case, the answer will be “many years ago.”
The reality today is that there are robust security controls for managed mobile devices to fit any use case. However, without a periodic reevaluation of your mobile deployment, you may be unaware of available controls and features. Samsung exemplifies this by leading the industry with the most global security certifications. Moreover, for tactical and high-security use cases, Samsung is the platform of choice, with the highest number of mobile phone devices listed on the NSA’s Commercial Solutions for Classified (CSfC) components list.
By periodically reevaluating your deployment, challenging assumptions and taking advantage of advancements that make management easier than ever, you can ensure your mobile deployment is up to date, meets the needs of all user communities and is, most importantly, secure against emerging threats.
Mobile phones and tablets are ubiquitous in enterprises but often become background noise to other concerns. I would argue that following proven strategies using the latest mobile endpoint enterprise features is well worth the effort. Your organization’s work to ensure a robust and up-to-date mobile ecosystem will pay for itself many times over with the ease of use, ease of management, and productivity achieved, not to mention safeguarding your organization’s private and sensitive data.