Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s COO Andy Brown.
The WannaCry malware has brought patching back into focus, and I thought it would be useful to look at how traditional OS patching habits often drive patching behaviour in the world of Mobile.
First, let’s start with a few basic facts around the issue:
- All Operating Systems have security weaknesses
- When these are found there needs to be a patch to fix it
- Implementing a patch is implementing a change to your environment
- Changes break things in unexpected ways!
Windows has traditionally released each individual fix as an individual patch and then given the Administrator the power to decide which patches are rolled out and when. Patches can even be removed if a problem is found. This has driven a cycle of patch testing and a slow release of tested updates into the environment in a very controlled manner.
However, Mobile Operating Systems such as iOS and Android take a different approach:
- Mobile OS updates are Monolithic – they contain a mixture of many security updates, bug fixes and feature enhancements in a single update
- Updates are one way – you can’t go back
- The user decides when to install them (usually very quickly)
- The updates can come at any moment!
This causes a significant headache for Mobile Administrators. I’ve seen many organisations where they’re still thinking like a Windows Admin and send a message to the users saying something like:
“Please don’t install the update yet as it’s not been tested and may break things”
“Please don’t install the update as it breaks xxx App”.
Put simply, this is trying to apply the traditional patch testing cycle without the controls to do it properly.
It is the same as trying to hold back the tide.
Worse is the hidden issue…
Now imagine there is malware targeting the Mobile OS that the update fixes (and such malware already exists). That email to the users is now effectively saying “Please leave your device open to attack”. Nobody wants to be the Admin who has had a security incident as a result – the NHS running Windows XP is a prime example.
So, the top tip is simple here.
Implement patches as fast as you can and accept that things may break.
We’ve been banging the drum about Mobile Malware for a long time now. The threat is real and increasing! We can help you with this by implementing our Mobile Threat Defence solutions.
But at a basic level make sure the OS is patched as a minimum!
5th May 2017
Windows 10 comes to the party
For a long time the way you managed your “full fat” Windows estate and the Mobile estate have been very different.
The way Windows is built/deployed/managed hasn’t really changed that much since the days of Windows NT4 (that’s over 20 years ago now…. I’m getting old!!). Usually it goes something like:
- Build / maintain corporate Windows 10 image
- Buy kit
- Hand over to “Build Team” who flatten the disk and re-image it with a corporate build
- Add to domain
- Add management agent
- Install software
Once built the machine is then designed to live inside the firewall on “the network”. For laptops, you then have to add in VPN and security layers to allow the device out into the wild world. The VPN was critical for managing and updating the machine too…all the updates/software/support are still back behind the firewall.
Mobile OSs are the complete opposite – they are designed to live on the internet by default. As a result, the way they are implemented is very different. This time it’s something like:
- Buy kit
- End user activates device over the air
- THAT’S IT!!
Windows 10 has changed this.
You can still build it the old way if you want to, but crucially you can also now activate it out of the box just like a mobile OS. Once you do that you can still lock down the machine, apply security policy, deploy apps and much more – all over the air, anytime that the device is connected to the internet.
This is a game changer. It removes a large chunk of time and effort spent looking after the build and support of Windows machines and it’s also a far better end user experience.
It also opens the door to thinking about BYOD for Windows….
If you’ve not looked at this before I’d suggest contacting us for a demo.
Speaking with customers at one of our events this week it became apparent that there is a common issue being faced.
We all agreed that, to drive ROI on the company’s Mobile spend, there had to be an App ecosystem available beyond delivering mobile email. However, the challenge for the Enterprise is deciding which Apps are “safe” and therefore allowable on a Corporate device.
Presently we see a lot of customers trying to maintain a whitelist of Apps. Usually this will be based on some form of internal security criteria (e.g. doesn’t connect to social media or access contact info, etc). Apart from the sheer scale of the potential job you’re signing up for (have you seen how many Apps there are???), there are a few items to consider:
- App testing takes longer than you think. It can be surprising how deeply buried some App features are.
- Be careful of the EULA – many Apps that are free on the App Store are licenced for personal use only
- Make sure you’re logged in to see the App working fully and can monitor where the App is connecting to
- You need to test on all OSs – Apps can be different on Apple vs Android
Unfortunately, there is another “gotcha” that needs to be mentioned and it’s the one that we often see missed:
APPS CAN AND WILL BE UPDATED ALL THE TIME!
You’ve completed your tests and added the App to the whitelist. Everyone has installed it and suddenly there is a new version out… the App now needs testing again.
Every Update to Every App will need testing – your team is going to be kept very busy!
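As an added example (not the newsletter’s own tooling), a small Python check that shows the point above in practice: it compares an MDM inventory export against the whitelist of tested versions and reports which installed builds have drifted past the tested one, which are older, and which were never reviewed at all. The bundle ids, versions and device names are constructed sample data.

```python
# Constructed sample data (not from the newsletter): bundle id -> version that
# passed the internal security review.
APPROVED = {
    "com.example.notes": "3.2.0",
    "com.example.chat": "1.8.5",
}

# Constructed MDM inventory export: (device, bundle id, installed version).
INVENTORY = [
    ("dev-01", "com.example.notes", "3.2.0"),
    ("dev-02", "com.example.notes", "3.3.1"),   # auto-updated past the tested build
    ("dev-02", "com.example.chat", "1.8.5"),
    ("dev-03", "com.example.chat", "1.7.0"),    # older than the tested build
    ("dev-03", "com.example.weather", "5.0"),   # never reviewed
]

def version_key(version):
    """Compare dotted versions numerically so that 3.10.0 sorts above 3.9.0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def whitelist_drift(approved, inventory):
    """Classify every installed app build against the approved list.

    Returns three dicts keyed by (bundle_id, installed_version), each mapping
    to the set of devices carrying that build:
      'untested'   - newer than the reviewed build; needs re-testing
      'downlevel'  - older than the reviewed build; may lack security fixes
      'unapproved' - bundle id is not on the whitelist at all
    Builds that exactly match the tested version are not reported.
    """
    result = {"untested": {}, "downlevel": {}, "unapproved": {}}
    for device, bundle, installed in inventory:
        tested = approved.get(bundle)
        if tested is None:
            category = "unapproved"
        elif version_key(installed) > version_key(tested):
            category = "untested"
        elif version_key(installed) < version_key(tested):
            category = "downlevel"
        else:
            continue
        result[category].setdefault((bundle, installed), set()).add(device)
    return result
```

Run against a fresh inventory export after each App Store refresh; anything in `untested` is a build your team has not actually looked at, however well the previous version scored.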
We have solutions to help with this – automated App testing and reputation can completely remove this headache by allowing you to whitelist App behaviour rather than the App itself.
Get in touch if you want to know more….
All modern mobile operating systems provide organisations with native DLP controls. These controls provide a separation of corporate and personal data on the same device. Android has Android Enterprise (formerly Android for Work), iOS has managed apps and since the ‘Anniversary’ update Windows 10 has Windows Information Protection (WIP – formerly Enterprise Data Protection or EDP).
WIP data separation is a solution that is easy to deploy and doesn’t get in the way of the user experience. The policies can be configured easily through your existing MDM platform and it works on both Windows 10 Mobile as well as larger mobile devices such as laptops and tablets, running Windows 10.
WIP works in the background so it will work with your organisation’s existing applications, and the policies make sure that only authorised users and apps have access to business data; they can even prevent copy and paste. It will allow users to freely copy content between business apps and documents, but it won’t allow the data to leak into the personal or public domain unless IT chooses to allow it with a policy.
For example, a user could attach a document from a corporate repository to a corporate e-mail account in Outlook, but they would be restricted from uploading it to a personal webmail account or uploading it to Dropbox.
With the latest ‘Creators’ update for Windows 10, expect Microsoft to further enhance these policies.
For a demo or to find out more, get in contact.
In a mobile first world, enterprises are looking to enable their employees to be more productive when away from their desks by providing access to corporate data, e.g. intranet, CRM, SAP, etc.
However, if the data has not been formatted for display on a mobile device, the user experience will suffer and the employee is likely to stop using it.
This is the reason why mobile apps are so popular. Apps are designed to be used on mobile devices.
Take a mobile banking app, for example: it allows the user to do most of the quick tasks like checking their balance or transferring money without having to visit a branch, and it is designed to fit on a mobile phone screen. This is a great user experience and saves time, allowing the user to do other things.
Most companies do not have app development skills internally and having a bespoke app built can be expensive.
This is why we are seeing the rise of rapid app development solutions. These solutions offer pre-built templates with drag and drop functionality, to allow customised, branded mobile apps to be developed in minutes. Using these tools is as simple as using Microsoft PowerPoint, no development experience is necessary.
Contact us to arrange a demo of rapid app development and see how easy it really is.
Building on the tip last week it’s also worth noting that Apple is killing off support for 32 Bit Applications soon.
As ever we can’t say for sure when this will be, but most likely this will be when iOS11 comes out.
What does that mean?
Up to now, any App written at any point since the launch of the iPhone and iPod touch could potentially still run on a modern device, even if the App had not been updated in a long time.
Good news – any App that has been maintained over the years will continue to work fine, as the developer will already have updated the App for 32/64-bit running.
Bad news – there are a LOT of older Apps in the App Store that are going to break soon. These are Apps that are compiled for 32 Bit only.
Am I impacted?
Surprisingly it’s a bit of a pain to check, but here’s how:
On your iOS device tap “Settings” / “General” / “About”. On screen there is a section called Applications.
If you don’t have any Apps that have a problem then you will just see a count of the number of installed Apps.
If you do have an issue then you will see the arrow that indicates you can tap on this section to get to a further screen that lists the Apps that are about to break.
As you can see my fix of Grand Theft Auto: San Andreas is now under threat. Which is sad, but not the end of the world – I’ve still got a PS2 at home!
However, for enterprise we often see that internal focused apps can be less regularly updated. As such I’d strongly recommend checking to see if you’ve got an imminent issue before it’s too late…
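The Settings screen only tells you about Apps already on a device. For the in-house Apps mentioned above you usually hold the .ipa yourself, so here is an added example (not the newsletter’s own code) that reads the Mach-O header of an App’s main executable and flags builds with no 64-bit slice. It relies on the standard iOS bundle layout (Payload/<name>.app/Info.plist with CFBundleExecutable) and the public Mach-O header format; the sample headers at the bottom are constructed, not real App binaries.

```python
import plistlib
import struct
import zipfile

FAT_MAGIC = 0xCAFEBABE        # universal ("fat") binary; header is big-endian
MH_MAGIC = 0xFEEDFACE         # thin 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O
CPU_ARCH_ABI64 = 0x01000000   # flag bit set on every 64-bit cputype
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64

def slice_cpu_types(binary):
    """Return the cputype of every architecture slice in a Mach-O binary."""
    (magic_be,) = struct.unpack(">I", binary[:4])
    if magic_be == FAT_MAGIC:
        (nfat,) = struct.unpack(">I", binary[4:8])
        # fat_arch record: cputype, cpusubtype, offset, size, align (5 x uint32)
        return [struct.unpack(">i", binary[8 + i * 20:12 + i * 20])[0]
                for i in range(nfat)]
    (magic_le,) = struct.unpack("<I", binary[:4])
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        return [struct.unpack("<i", binary[4:8])[0]]  # thin binary: cputype follows magic
    raise ValueError("not a Mach-O binary")

def is_32bit_only(binary):
    """True when no slice carries the 64-bit ABI flag, i.e. the App is about to break."""
    return not any(t & CPU_ARCH_ABI64 for t in slice_cpu_types(binary))

def ipa_is_32bit_only(ipa_path):
    """Locate the main executable inside an .ipa and check its architectures."""
    with zipfile.ZipFile(ipa_path) as z:
        plist_name = next(n for n in z.namelist()
                          if n.startswith("Payload/") and n.count("/") == 2
                          and n.endswith(".app/Info.plist"))
        info = plistlib.loads(z.read(plist_name))
        app_dir = plist_name.rsplit("/", 1)[0]
        return is_32bit_only(z.read(f"{app_dir}/{info['CFBundleExecutable']}"))

# Constructed header samples (not real App binaries) so the check runs offline.
def fat_header(*cputypes):
    return struct.pack(">II", FAT_MAGIC, len(cputypes)) + b"".join(
        struct.pack(">iiIII", t, 0, 0, 0, 0) for t in cputypes)

ARMV7_ONLY = fat_header(CPU_TYPE_ARM)                   # old 32-bit-only build
UNIVERSAL = fat_header(CPU_TYPE_ARM, CPU_TYPE_ARM64)    # 32 + 64-bit, keeps working
THIN_64 = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_ARM64) + bytes(24)
```

Point `ipa_is_32bit_only()` at each internal build you distribute; anything it returns True for needs a rebuild from the developer before the cut-off, not after.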
For help with this issue get in contact.
As many of you will have noticed there was a new version of iOS released this week. What may have slipped under the radar is that the next Beta of iOS was also made available.
For a while now Apple have been dropping hints that they are not going to support 32-bit hardware and applications for much longer.
Based on the Beta it does appear that iOS 10.3.2 could well be the moment when this happens. Even if Apple change their minds (it is just a Beta at present) then it seems highly likely that iOS 11 will be the end.
If you’re running any iPhone 5, 5C or 4th generation iPad devices in your estate then it’s time to act. These devices are running on borrowed time!
Given that each iOS release is a mixture of feature enhancements, bug fixes and crucially Security Fixes then you can’t afford to leave these devices in your estate for long once they go to end of life.
Contact us if you want help with evergreening your estate. You may also want to look at one of my earlier tips about reducing the cost of Apple kit by leasing it from Mobliciti.
For a while we’ve been banging the drum about how traditional authentication methods (AD password and 2 Factor) don’t really fit well when logging in from the world of mobile.
While the mobile devices move forward with various improvements to this such as fingerprint to unlock, we often find that the enterprise resources that they connect to still prompt for passwords pretty much the same as they have done for years.
Having everyone typing their passwords on a keyboard in the office is clearly not an issue, but on mobile it creates a risk that needs to be tracked:
Simply put, if you’re getting your users to enter their Active Directory password on their mobile devices then you have a problem. That sensitive password is now being entered in public (on a packed train, in a coffee shop, etc) via a touchscreen keyboard….and if that password gets “shoulder surfed” then it’s the same password for everything on AD…
Tip of the week – use something other than the AD password on Mobile!
Contact us if you want help with configuring alternative authentication options for the Mobile estate.
Once upon a time you could buy a mid-tier BlackBerry for £150-£200. This was a good enough device for a large number of users and was considered good value.
As a result, most people didn’t even bother to look at what it was worth at the end of its life (the answer was not a lot) and so I suspect a lot of these devices are still knocking around in drawers & cupboards of the office.
Roll forward to now and everyone is looking at the price of a top-end smartphone and thinking it’s too expensive; compared to the cheap phones of the past, it is!
What’s forgotten is that after 2 years that smartphone is still worth a significant portion of its purchase price (especially if it’s been looked after – just look at eBay). Tip number 1 is therefore:
– Get your phones back and your money back on the residual value! You are missing out on a significant chunk of cash if you’re not doing this.
And then if you’re looking to deploy smartphones here is tip number 2:
– Lease the phone from us. For example, on an iPhone you could pay just 80% of the purchase price and we’ll take the phone back at the end and securely deal with getting the residual value back for you.
So, if you fancy saving 20% on your smartphone costs and you want someone to deal with the end of life process for you then give us a call.
And you’ve got 2 tips for the price of one this week – bargain!
DEP has been around for a while now and we’re finally seeing it as a deployment option from multiple suppliers around the world. DEP is great for Enterprise for several reasons:
1. The devices are Supervised by default – this unlocks a greater level of access for the admin to control the device
2. It streamlines and simplifies the out of box experience for the end user
3. It locks the device to your enterprise. It cannot be used elsewhere without your permission. This controls the End of Life better and allows recovery of the Residual Value
All these are great, but it also controls a risk that often gets overlooked – How do you know the device is in a Trusted State BEFORE it arrives in your environment (think of Jailbreak or malicious Apps installed before activation). Apple is guaranteeing the device is shrink-wrap fresh when it arrives. THIS IS UNIQUE!
To understand more about DEP and how to control this with EMM get in touch.
*DEP provides a fast, streamlined way to deploy your corporate-owned Mac or iOS devices.