Mobile devices like the iPhone and iPad are a top security concern for 2011. The first step to addressing this risk is to put a security policy in place that addresses mobile devices. We recently released a free Mobile Security Policy template to help folks get started. If you don’t have a mobile security policy yet, use our template to get started. If you already have one in place you can review ours and see if there are any additional controls you may want to add.
Once you have a documented security policy in place, you will know which technical controls should be implemented. To make that process easier for iPhones and iPads, Apple provides the iPhone Enterprise Configuration Utility, which gives you a technical means to start enforcing your security policy. If you are looking to take control of your Apple mobile devices, it’s definitely worth a look: many of the controls in a good security policy can be enforced with it. IT organizations can set up “Provisioning Profiles” that apply policy-based lockdowns. A few examples of the controls that you can implement:
- Full AES encryption with mandatory encrypted backups.
- Remote Data Wipe via Microsoft Exchange in the event of theft.
- Mandatory VPN lock-in (with optional 2-factor authentication including SecurID and CRYPTOCard).
- Application restrictions, including disabling certain features (iTunes Store, camera, screenshots), limiting access to network services, etc.
- Disabling automatic upgrading, allowing for organizationally controlled application upgrades, etc.
- Sandboxing via individual cryptographic compartments with hardware-accelerated (and lockable) encryption accessible to applications.
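As an added example (not from the original post or from Apple's tooling), the script below checks whether an exported profile actually enforces a few of the restrictions listed above before it is rolled out. It assumes an unsigned XML `.mobileconfig` file and the Restrictions payload key names `forceEncryptedBackup`, `allowCamera`, `allowScreenShot` and `allowiTunes`; the sample profile, its identifier and the function name `audit_restrictions` are constructed for illustration.

```python
import plistlib

# Restrictions-payload keys and the value a locked-down policy expects.
EXPECTED = {
    "forceEncryptedBackup": True,   # mandatory encrypted backups
    "allowCamera": False,           # camera disabled
    "allowScreenShot": False,       # screenshots disabled
    "allowiTunes": False,           # iTunes Store disabled
}
# A key missing from the profile falls back to the permissive device default,
# so an omitted restriction is reported as not enforced.
DEFAULTS = {"forceEncryptedBackup": False, "allowCamera": True,
            "allowScreenShot": True, "allowiTunes": True}

# Constructed sample profile: the screenshot restriction is set to the wrong
# value and the iTunes Store restriction is missing entirely.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>forceEncryptedBackup</key><true/>
      <key>allowCamera</key><false/>
      <key>allowScreenShot</key><true/>
    </dict>
  </array>
</dict></plist>"""

def audit_restrictions(profile_bytes):
    """Return {key: effective_value} for each expected control that is not enforced."""
    profile = plistlib.loads(profile_bytes)
    effective = dict(DEFAULTS)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            effective.update({k: v for k, v in payload.items() if k in EXPECTED})
    return {k: effective[k] for k, want in EXPECTED.items() if effective[k] != want}

if __name__ == "__main__":
    for key, value in audit_restrictions(SAMPLE_PROFILE).items():
        print(f"NOT ENFORCED: {key} = {value} (expected {EXPECTED[key]})")
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before it can be parsed this way.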
The Configuration Utility is available here:
A detailed Enterprise Configuration guide is available here:
And you can get our Mobile Device Security policy template at no charge here: