Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
A quick one for you this week….
Following on from last week’s byte, today we’ve seen the latest release of iOS come out (10.3.3).
It’s mainly a security fix release (and most likely the last release for iOS10). I’d suggest taking a look at the Apple page here: https://support.apple.com/en-us/HT207923 for details of what is included.
Suffice it to say that’s a whole heap of potential holes. As is always the case, releasing the patch only highlights the vulnerability to the bad guys.
So, the simple advice – patch now!
Read the list of vulnerabilities and then also decide if you should now get in touch about how to better protect your Mobile devices in the wild….
A recent blog titled “The iPhone at 10: Still No Major Malware” was an interesting perspective on iOS and how it is often seen as the most secure Mobile OS.
It’s a view I come across a lot when speaking with customers – in particular when we talk about Mobile Threat Detection. Often the response is “what really is the risk?”
For the record, I do agree that iOS is the most secure Mobile OS. However, I’ve also seen what is possible when it is compromised and I wouldn’t want to put it out in the wild without a security solution on it any more.
There are many reasons for this, but the major one would be the old IT support adage – PICNIC (Problem in Chair, Not in Computer).
Apple makes the user king on iOS – it is one of the reasons why Enterprises have traditionally struggled to mould the OS into their locked down corporate requirements. This is therefore the key weakness of the OS.
The OS security is only as good as the user who is using it.
Malware, sideloaded Apps, Man in the Middle Wi-Fi, etc., are often designed to be initiated by the user, who overrides all the security controls in the OS to do so.
What was particularly interesting about this blog was that it’s been put up by Intego. They specialise in selling security solutions such as Antivirus and Firewalls for the Apple Mac. Not so long ago the same “what’s the risk” argument would have been used for MacOS and yet here we are with an ecosystem of AV for Mac. There was a tipping point where that view could not be sustained and the need for Mac security was accepted.
Mobile Operating Systems are at this tipping point. I would strongly suggest you get in touch to see how you can easily deploy security solutions to protect your Mobile estate.
Whenever you negotiate your mobile contract, whether it’s for thousands of connections or for your personal device, you will always come up against the same problem….
Carriers Love to Bundle!
By this I mean whenever you look at the deal you get a per device per month charge that covers:
- Device Cost
- UK Call Minutes
- SMS allowance
- UK data allowance
Even on a personal level, have you noticed it’s almost always impossible to compare like for like when you’re shopping around? Each option from each carrier is subtly different in what it bundles together.
Multiply this up with a Corporate account and it gets even harder…
Why do carriers do this?
Pretty obvious when you break it down – it allows costs to be moved around and hidden away and prevents customers from working out if they’re getting a good deal!
The tip is therefore:
As a bare minimum, I’d suggest getting the hardware out of the bundle – what’s left will be a LOT easier to pick apart.
This is why we only offer separate device and SIM options and we provide transparent tariffs with no nasty surprises.
I’d strongly recommend looking into this further (especially with the £1000 iPhone 8 on the way).
For more information on how we can help you manage your mobile spend better then please get in touch.
A large percentage of enterprises are looking to utilise cloud services such as Office 365, and it makes sense as these cloud services offer a number of benefits including less capital expenditure, increased collaboration and the ability to work from anywhere.
But although cloud service providers implement the best security standards and adhere to industry certifications, storing data and important files with an external provider, coupled with the ‘always available’ data model, always opens up risks and provides a sizable attack surface for people with malicious intent.
Here are some statistics sourced via Skyhigh around Office 365 Adoption Rate, Stats, and Usage.
Office 365 implementations are under attack:
- 71.4% have at least one compromised account each month
- 57.1% have at least one insider threat each month
- 45.9% have at least one privileged user threat each month
That is scary reading!
So how can we reap the benefits of cloud services without compromising our data?
Adding adaptive authentication capabilities to ALL Office 365 entry points gives much greater protection. This includes 3rd party mail clients (e.g. Apple Mail), which can currently only be protected with a username/password.
The result is the most complete protection, using multi-factor authentication with risk analysis, for the world’s most widely used cloud app – regardless of how users are accessing their Office 365.
To find out more get in touch.
I recently spent some time with Jeff Kukowski & Keith Graham (CEO & CTO of SecureAuth) when they were in the UK. As part of a briefing we did together for our customers they included some key facts from the latest Verizon Data Breach Investigations Report that I think need to be called out in isolation:
1. Last year there was more spent on security solutions than ever before, but it was also a record year for security breaches.
Simply put – either the threats are growing faster than the solutions being implemented, or the wrong solutions are being implemented! This is scary stuff, but then consider that
2. The Number 1 way that attackers get in is… VALID CREDENTIALS!!
Is this the problem? Security solutions are letting bad guys in because the username/password they’re using is correct – it’s either been compromised, guessed or even deliberately shared by a rogue employee.
I believe that Multi-Factor Authentication is now a must for all organisations. It is the context of the authentication that protects against the use of valid credentials by attackers – even if the password is correct!
This is precisely why we’ve partnered with SecureAuth. Their technology makes life very hard for the bad guys, whilst making life easier for the genuine users… whether they’re authenticating to Cloud Services or traditional VPN and on-premise infrastructure.
I’d strongly recommend looking into this further if it’s not on your security radar already. For more information on how we can help then get in touch.
As expected, at this year’s Apple Worldwide Developers Conference (WWDC), Apple announced iOS 11 would be available in the Autumn.
Although there are a number of GUI updates and enhancements, it was really the new MDM features that I was focusing on.
Apple did not disappoint.
The feature that really caught my eye was the ability to add any device to DEP.
Companies will be able to add iOS and Apple TV devices that were purchased outside of the traditional DEP-supported channels. Admins just need to connect devices to Apple Configurator 2.5 (currently in beta) and the serial numbers will be added to the organisation’s DEP portal.
This means you can now erase the device and the next time the device turns on, it will go through the DEP steps during setup.
Note: there is a 30-day provisional period where admins can still remove the device from DEP to prevent accidental enrolment.
To find out more about our iOS beta testing do get in contact.
So as predicted Apple have announced the end of updates for the iPhone 5 and 5C.
If you were one of the last to buy an iPhone 5C in September 2015 then you will (just) have got 2 years use out of that device before it no longer gets updates.
Many enterprises work on a 2-year cycle to replace devices so no great shakes there, but I’ve seen others sweat the assets for much longer so please make sure you’ve covered this risk off!
So, what about the world of Android?
Also, coming soon is Android “O”. Like all Mobile Operating Systems this will be an amalgam of feature enhancements, bug fixes and crucially security fixes.
What gets rather interesting is if you look at OS adoption figures.
Fortunately, both Apple and Google share this information:
Apple has 86% of devices on the latest major OS version (iOS10).
Android is by comparison a mess of different versions. Only 9.5% of devices are on Android N despite it being released nearly a year ago! Amazingly nearly 20% of devices are still on Android KitKat!!
Now there are a lot of reasons for this disparity, but the key message here is simple. If you’re thinking about deploying Android (or indeed any) devices in your enterprise, you need to make sure you understand the patch cycles for the entire lifecycle of that device. You do not want to be in a position where your devices are unable to get the latest patches in a timely manner.
If you’d like to know more about this and how to best adopt Android in the Enterprise, then please get in touch.
In advance of the weekend a little reminder that Apple has its WWDC event next week. There are plenty of pages full of the usual speculation about what might be announced, but for now I wanted to flag that this is highly likely to be the event where the wraps come off iOS 11 for the first time.
Further to my previous posts, this is likely to be a significant update for a couple of reasons:
- The end of 32 Bit Hardware support (anything older than an iPhone 5C will need replacing)
- The end of 32 Bit App support
The good news is that Apple should start making Beta releases of iOS11 available very soon so you have an excellent opportunity to try it and see what breaks before your users do…
If you don’t already do this I would highly recommend spending some time completing regression tests of your Apps and environment using the Apple Beta releases.
As with all Beta testing you will likely find more issues the earlier in the Beta cycle that you test this, but it is definitely worth investing the time in it. At the very least you’ll know if there is an issue before your users find it for you!
One note of caution – it’s not unheard of for features to drop in the Gold release that were missing in the Betas. You still can’t quite guarantee what will happen, but you’ll definitely be better prepared than most.
We’ll also be completing regression testing in our labs for the technologies we support as well. So, if you’d like to hear more about how our testing is going then get in touch.
We all know that mobile data consumption is on the rise. In fact, according to predictions in a recent whitepaper from Cisco (well worth a read by the way) it’s set to balloon even more over the next 5 years. There are a lot of drivers for this, but fundamentally as the adoption rate and capabilities of Smartphones grow so does data consumption.
So, the amount of data being consumed is rising.
Unless the tariffs you’ve negotiated are as smart as the ones we offer our customers then your carrier costs are rising too.
Many customers therefore see Wi-Fi offload as a useful tool in the kit bag and a simple way to offset the increase in data consumption. Either as a formal policy, or just because your users do it anyway, you will have a lot of your devices connecting to public Wi-Fi at some point.
It gives many benefits:
- Connectivity where carrier signal isn’t available
- Reduced mobile data consumption
- Roaming data offload to significantly drive down costs
Now for the issues:
- Can you trust the Public Wi-Fi you’re connected to?
- How do you know if the hotspot is genuine?
- How do you stop users from connecting?
- Do you even know when users have been on Public Wi-Fi?
It’s an interesting challenge.
You can’t trust the network; you can’t stop users connecting and you don’t know when there’s been an issue.
That’s pretty scary stuff…
As always, we have solutions to solve this which allow you to securely embrace Public Wi-Fi correctly. Get in touch if you want to know more.
19th May 2017
Holding Back the Tide
The WannaCry malware has brought patching back into focus and I thought it would be useful to look at how traditional OS patching often drives behaviour relating to patching in the world of Mobile.
First, let’s start with a few basic facts around the issue:
- All Operating Systems have security weaknesses
- When these are found there needs to be a patch to fix it
- Implementing a patch is implementing a change to your environment
- Changes break things in unexpected ways!
Windows has traditionally released each individual fix as an individual patch and then given the Administrator the power to decide which patches are rolled out and when. Patches can even be removed if a problem is found. This has driven a cycle of patch testing and a slow release of tested updates into the environment in a very controlled manner.
However, Mobile Operating Systems such as iOS and Android take a different approach:
- Mobile OS updates are Monolithic – they contain a mixture of many security updates, bug fixes and feature enhancements in a single update
- Updates are one way – you can’t go back
- The user decides when to install them (usually very quickly)
- The updates can come at any moment!
This causes a significant headache for Mobile Administrators. In many organisations I’ve seen admins still thinking like a Windows Admin and sending a message to the users saying something like:
“Please don’t install the update yet as it’s not been tested and may break things”
“Please don’t install the update as it breaks xxx App”.
Put simply, this is trying to apply the traditional patch testing cycle without the controls to do it properly.
It is the same as trying to hold back the tide.
Worse is the hidden issue…
Now imagine there is malware targeting the Mobile OS that the update fixes (and such malware already exists). That email to the users is now effectively saying “Please leave your device open to attack”. Nobody wants to be the Admin who has had a security incident as a result – the NHS running Windows XP is a prime example.
So, the top tip is simple here.
Implement patches as fast as you can and accept that things may break.
We’ve been banging the drum about Mobile Malware for a long time now. The threat is real and increasing! We can help you with this by implementing our Mobile Threat Defence solutions.
But at a basic level make sure the OS is patched as a minimum!
5th May 2017
Windows 10 comes to the party
For a long time the way you managed your “full fat” Windows estate and the Mobile estate have been very different.
The way Windows is built/deployed/managed hasn’t really changed that much since the days of Windows NT4 (that’s over 20 years ago now…. I’m getting old!!). Usually it goes something like:
- Build / maintain corporate Windows 10 image
- Buy kit
- Hand over to “Build Team” who flatten the disk and re-image it with a corporate build
- Add to domain
- Add management agent
- Install software
Once built the machine is then designed to live inside the firewall on “the network”. For laptops, you then have to add in VPN and security layers to allow the device out into the wild world. The VPN was critical for managing and updating the machine too…all the updates/software/support are still back behind the firewall.
Mobile OSs are the complete opposite – they are designed to live on the internet by default. As a result, the way they are implemented is very different. This time it’s something like:
- Buy kit
- End user activates device over the air
- THAT’S IT!!
Windows 10 has changed this.
You can still build it the old way if you want to, but crucially you can also now activate it out of the box just like a mobile OS. Once you do that you can still lock down the machine, apply security policy, deploy apps and much more – all over the air, anytime that the device is connected to the internet.
This is a game changer. It removes a large chunk of time and effort spent looking after the build and support of Windows machines and it’s also a far better end user experience.
It also opens the door to thinking about BYOD for Windows….
If you’ve not looked at this before I’d suggest contacting us for a demo.
Speaking with customers at one of our events this week it became apparent that there is a common issue being faced.
We all agreed that, to drive ROI on the company’s Mobile spend, there had to be an App ecosystem available beyond delivering mobile email. However, the challenge for the Enterprise is deciding which Apps are “safe” and therefore allowable on a Corporate device.
Presently we see a lot of customers trying to maintain a whitelist of Apps. Usually this will be based on some form of internal security criteria (e.g. doesn’t connect to social media or access contact info, etc.). Apart from the sheer scale of the potential job you’re signing up for (have you seen how many Apps there are???), there are a few items to consider:
- App testing takes longer than you think. It can be surprising how deep into the App new features can be found.
- Be careful of the EULA – many Apps that are free on the App Store are licenced for personal use only
- Make sure you’re logged in to see the App working fully and can monitor where the App is connecting to
- You need to test on all OSs – Apps can be different on Apple vs Android
Unfortunately, there is another “gotcha” that needs to be mentioned and it’s the one that we often see missed:
APPS CAN AND WILL BE UPDATED ALL THE TIME!
You’ve completed your tests and added the App to the whitelist. Everyone has installed it and suddenly there is a new version out… the App now needs testing again.
Every Update to Every App will need testing – your team is going to be kept very busy!
We have solutions to help with this – automated App testing and reputation can completely remove this headache by allowing you to whitelist App behaviour rather than the App itself.
Get in touch if you want to know more….
All modern mobile operating systems provide organisations with native DLP controls. These controls provide a separation of corporate and personal data on the same device. Android has Android Enterprise (formerly Android for Work), iOS has managed apps and, since the ‘Anniversary’ update, Windows 10 has Windows Information Protection (WIP – formerly Enterprise Data Protection or EDP).
WIP data separation is a solution that is easy to deploy and doesn’t get in the way of the user experience. The policies can be configured easily through your existing MDM platform and it works on both Windows 10 Mobile and larger devices running Windows 10, such as laptops and tablets.
WIP works in the background, so it will work with your organisation’s existing applications. The policies make sure that only authorised users and apps have access to business data, and they can even prevent copy and paste. It will allow users to freely copy content between business apps and documents, but it won’t allow the data to leak into the personal or public domain unless IT chooses to allow it with a policy.
For example, a user could attach a document from a corporate repository to a corporate e-mail account in Outlook, but they would be restricted from uploading it to a personal webmail account or uploading it to Dropbox.
With the latest ‘Creators’ update for Windows 10, expect Microsoft to further enhance these policies.
For a demo or to find out more, get in contact.
In a mobile first world, enterprises are looking to enable their employees to be more productive when away from their desks by providing access to corporate data, e.g. intranet, CRM, SAP, etc.
However, if the data has not been formatted for display on a mobile device, the user experience will suffer and the employee is likely to stop using it.
This is the reason why mobile apps are so popular. Apps are designed to be used on mobile devices.
Let’s take a mobile banking app for example. The app allows the user to do most of the quick tasks, like checking their balance or transferring money, without having to visit a branch, and it is designed to fit on a mobile phone screen. This is a great user experience and saves time, allowing the user to do other things.
Most companies do not have app development skills internally and having a bespoke app built can be expensive.
This is why we are seeing the rise of rapid app development solutions. These solutions offer pre-built templates with drag and drop functionality, to allow customised, branded mobile apps to be developed in minutes. Using these tools is as simple as using Microsoft PowerPoint, no development experience is necessary.
Contact us to arrange a demo of rapid app development and see how easy it really is.
Building on the tip last week it’s also worth noting that Apple is killing off support for 32 Bit Applications soon.
As ever we can’t say for sure when this will be, but most likely this will be when iOS11 comes out.
What does that mean?
Up to now any App that’s been written in the past going back to the launch of the iPhone and iPod touch could potentially still be run on a modern device even if the App had not been updated in a long time.
Good news – any App that has been maintained over the years will continue to work fine as the developer will have already updated the App for 32/64 Bit running.
Bad news – there are a LOT of older Apps in the App Store that are going to break soon. These are Apps that are compiled for 32 Bit only.
Am I impacted?
Surprisingly it’s a bit of a pain to check, but here’s how:
On your iOS device click on “Settings” / “General” / “About”. On screen there is a section called Applications.
If you don’t have any Apps that have a problem then you will just see a count of the number of installed Apps.
If you do have an issue then you will have the arrow that indicates you can tap on this section to get to a further screen that lists the Apps that are about to break.
As you can see my fix of Grand Theft Auto: San Andreas is now under threat. Which is sad, but not the end of the world – I’ve still got a PS2 at home!
However, for enterprise we often see that internal focused apps can be less regularly updated. As such I’d strongly recommend checking to see if you’ve got an imminent issue before it’s too late…
For help with this issue get in contact.
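For internally focused enterprise apps the Settings screen above only tells you about apps installed on one device. An added example (not part of the original post, and not a Mobliciti tool) that does the same check on the app binary itself: it reads the Mach-O header of the app’s main executable (unzip the .ipa and look in Payload/<App>.app) and reports whether it carries an arm64 slice. Header layouts follow Apple’s <mach-o/fat.h> and <mach-o/loader.h>; the sample headers at the bottom are constructed here, not taken from real apps.

```python
import struct

# Constants from Apple's <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE      # universal binary, 32-bit fat_arch entries
FAT_MAGIC_64 = 0xCAFEBABF   # universal binary, 64-bit fat_arch_64 entries
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_NAMES = {CPU_TYPE_ARM: "arm", CPU_TYPE_ARM64: "arm64",
             CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64"}


def _cpu_name(cputype):
    return CPU_NAMES.get(cputype, "unknown(0x%08x)" % (cputype & 0xFFFFFFFF))


def architectures(data):
    """Return the list of CPU architectures in a Mach-O or universal binary."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    magic_be = struct.unpack(">I", data[:4])[0]
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_be in (FAT_MAGIC, FAT_MAGIC_64):
        # The fat header is always big-endian: magic, nfat_arch, then one
        # fat_arch (cputype, cpusubtype, offset, size, align) per slice.
        nfat = struct.unpack(">I", data[4:8])[0]
        entry_fmt = ">iiQQII" if magic_be == FAT_MAGIC_64 else ">iiIII"
        entry_size = struct.calcsize(entry_fmt)
        archs = []
        for i in range(nfat):
            start = 8 + i * entry_size
            entry = data[start:start + entry_size]
            if len(entry) < entry_size:
                raise ValueError("truncated fat_arch table")
            archs.append(_cpu_name(struct.unpack(entry_fmt, entry)[0]))
        return archs
    # A thin Mach-O stores its header in the target's byte order; iOS ARM is
    # little-endian, so check that first and fall back to big-endian.
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        return [_cpu_name(struct.unpack("<i", data[4:8])[0])]
    if magic_be in (MH_MAGIC, MH_MAGIC_64):
        return [_cpu_name(struct.unpack(">i", data[4:8])[0])]
    raise ValueError("not a Mach-O or universal binary (magic 0x%08x)" % magic_be)


def is_32bit_only(data):
    """True when the executable has a 32-bit ARM slice but no arm64 slice,
    i.e. it is one of the Apps that will stop working once 32-bit support goes."""
    archs = architectures(data)
    return "arm" in archs and "arm64" not in archs


def audit_executable(path):
    """Audit a real file on disk: returns (architectures, is_32bit_only)."""
    with open(path, "rb") as f:
        head = f.read(4096)  # both header types live at the start of the file
    return architectures(head), is_32bit_only(head)


# Constructed sample headers (not real apps) so the script runs offline.
def _fat_header(cputypes):
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for cputype in cputypes:
        hdr += struct.pack(">iiIII", cputype, 0, 0, 0, 0)
    return hdr


def _thin_header(magic, cputype):
    return struct.pack("<Ii", magic, cputype) + b"\0" * 24


SAMPLE_UNIVERSAL = _fat_header([CPU_TYPE_ARM, CPU_TYPE_ARM64])  # maintained app
SAMPLE_ARMV7_ONLY = _thin_header(MH_MAGIC, CPU_TYPE_ARM)        # will break
SAMPLE_ARM64_ONLY = _thin_header(MH_MAGIC_64, CPU_TYPE_ARM64)   # fine

if __name__ == "__main__":
    for name, blob in [("universal", SAMPLE_UNIVERSAL),
                       ("armv7-only", SAMPLE_ARMV7_ONLY),
                       ("arm64-only", SAMPLE_ARM64_ONLY)]:
        print(name, architectures(blob), "32-bit only:", is_32bit_only(blob))
```

On a Mac, `lipo -info <executable>` reports the same slice list for a real binary, which is a handy cross-check of the script’s output.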
As many of you will have noticed there was a new version of iOS released this week. What may have slipped under the radar is that the next Beta of iOS was also made available.
For a while now Apple have been dropping hints that they are not going to support 32-bit hardware and applications for much longer.
Based on the Beta it does appear that iOS 10.3.2 could well be the moment when this happens. Even if Apple change their minds (it is just a Beta at present), it seems highly likely that iOS 11 will be the end.
If you’re running any iPhone 5, 5C or 4th generation iPad devices in your estate then it’s time to act. These devices are running on borrowed time!
Given that each iOS release is a mixture of feature enhancements, bug fixes and crucially Security Fixes then you can’t afford to leave these devices in your estate for long once they go to end of life.
Contact us if you want help with evergreening your estate. You may also want to look at one of my earlier tips about reducing the cost of Apple kit by leasing it from Mobliciti.
For a while we’ve been banging the drum about how traditional authentication methods (AD password and 2 Factor) don’t really fit well when logging in from the world of mobile.
While the mobile devices move forward with various improvements to this such as fingerprint to unlock, we often find that the enterprise resources that they connect to still prompt for passwords pretty much the same as they have done for years.
Having everyone typing their passwords on a keyboard in the office is clearly not an issue, but on mobile it creates a risk that needs to be tracked:
Simply put, if you’re getting your users to enter their Active Directory password on their mobile devices then you have a problem. That sensitive password is now being entered in public (on a packed train, in a coffee shop, etc.) via a touchscreen keyboard… and if that password gets “shoulder surfed” then it’s the same password for everything on AD…
Tip of the week – use something other than the AD password on Mobile!
Contact us if you want help with configuring alternative authentication options for the Mobile estate.
Once upon a time you could buy a mid-tier BlackBerry for £150-£200. This was a good enough device for a large number of users and was considered good value.
As a result, most people didn’t even bother to look at what it was worth at the end of its life (the answer was not a lot) and so I suspect a lot of these devices are still knocking around in drawers & cupboards of the office.
Roll forward to now and everyone is looking at the price of a top-end smartphone and thinking it’s too expensive. Compared to the cheap phones of the past, it is!
What’s forgotten is that after 2 years that smartphone is still worth a significant portion of its purchase price (especially if it’s been looked after – just look at eBay). Tip number 1 is therefore:
– Get your phones back and your money back on the residual value! You are missing out on a significant chunk of cash if you’re not doing this.
And then if you’re looking to deploy smartphones here is tip number 2:
– Lease the phone from us. For example, on an iPhone you could pay just 80% of the purchase price and we’ll take the phone back at the end and securely deal with getting the residual value back for you.
So, if you fancy saving 20% on your smartphone costs and you want someone to deal with the end of life process for you then give us a call.
And you’ve got 2 tips for the price of one this week – bargain!
DEP has been around for a while now and we’re finally seeing it as a deployment option from multiple suppliers around the world. DEP is great for Enterprise for several reasons:
1. The devices are Supervised by default – this unlocks a greater level of access for the admin to control the device
2. It streamlines and simplifies the out of box experience for the end user
3. It locks the device to your enterprise. It cannot be used elsewhere without your permission. This controls the End of Life better and allows recovery of the Residual Value
All these are great, but it also controls a risk that often gets overlooked – how do you know the device is in a Trusted State BEFORE it arrives in your environment (think of a Jailbreak or malicious Apps installed before activation)? Apple is guaranteeing the device is shrink-wrap fresh when it arrives. THIS IS UNIQUE!
To understand more about DEP and how to control this with EMM get in touch.
*DEP provides a fast, streamlined way to deploy your corporate-owned Mac or iOS devices.