Mobile device management

A mobile device is any portable device that can access and hold organisational data. It's important to secure these devices, as you would any other device that sits within your network.

Summary

It's become more common to use mobile devices for work. Your staff may:

  • use a laptop to work remotely
  • travel often and work on their mobile phones.

This is convenient, and can provide real benefits to your staff and business. But there are a few security points to consider before you give these devices access to your network. You need to think about:

  • physical security. Because these devices are portable, they're more likely to get lost or stolen
  • network security. Devices may connect to networks that are not controlled by the organisation, such as a home or hotel Wi-Fi. This means they won’t get the benefit of any network-level security controls, like web proxies. Because other people manage the routing equipment on these networks, they may also be able to see sensitive data in the connections made from these devices
  • device security. Your organisation may not manage these devices if it has a bring-your-own-device (BYOD) policy. It may be your staff who keep these devices updated, and control what software is on the device.

CERT NZ sees reports of incidents caused by downloading software or apps that turn out to be malicious. An organisation's data could get compromised if devices:

  • are not patched
  • allow any installation or executable file to run.

Purpose

The intent of this control is to ensure organisations have a way to manage and monitor the security of authorised mobile devices.

Measuring success

For successful mobile device management your organisation needs to:

  • easily identify which mobile devices can hold or access organisational data. This includes work-provided mobile devices and BYOD. These are all considered to be 'authorised mobile devices'
  • manage all authorised mobile devices through a central system. This allows you to track the security configurations and software on these devices
  • set rules and policies in the central management system to control mobile access to organisational data and systems. These rules control access based on the security of the device, such as the operating system that is used or the security configurations set (for example, a PIN to unlock the device)
  • make sure authorised devices have the software they need to access organisational systems. This includes VPNs or digital certificates.
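
The rules described above can be written as a device posture check that decides whether a device may reach organisational systems. The following is an added example, not part of the CERT NZ guidance or any MDM product's API; the minimum OS versions, software names, field names and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values, chosen for illustration only.
MIN_OS = {"ios": 17, "android": 14, "windows": 11}
REQUIRED_SOFTWARE = {"vpn_client", "device_certificate"}

@dataclass
class Device:
    name: str
    ownership: str   # "work" or "byod"; both are authorised mobile devices
    enrolled: bool   # managed through the central system
    os: str
    os_major: int
    pin_set: bool
    software: set = field(default_factory=set)

def evaluate(device):
    """Return the reasons a device fails policy (empty list means compliant)."""
    reasons = []
    if not device.enrolled:
        reasons.append("not enrolled in central management")
    minimum = MIN_OS.get(device.os)
    if minimum is None:
        reasons.append(f"unsupported operating system: {device.os}")
    elif device.os_major < minimum:
        reasons.append(f"{device.os} {device.os_major} is below minimum {minimum}")
    if not device.pin_set:
        reasons.append("no PIN to unlock the device")
    missing = REQUIRED_SOFTWARE - device.software
    if missing:
        reasons.append("missing required software: " + ", ".join(sorted(missing)))
    return reasons

def access_decision(device):
    """Allow access only when every rule passes; otherwise block with reasons."""
    reasons = evaluate(device)
    return ("allow" if not reasons else "block", reasons)

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("laptop-01", "work", True, "windows", 11, True, {"vpn_client", "device_certificate"}),
    Device("phone-07", "byod", True, "android", 12, True, {"vpn_client"}),
    Device("tablet-03", "byod", False, "ios", 17, False, set()),
]

def report(inventory):
    return {d.name: access_decision(d) for d in inventory}

if __name__ == "__main__":
    for name, (decision, reasons) in report(INVENTORY).items():
        print(f"{name}: {decision}", *reasons, sep="\n  - ")
```

The same rules apply to work-provided and BYOD devices, and a device with an operating system the policy does not list is blocked rather than allowed by default.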

Mobile device management: key takeaways

  • Mobile device management can help you control which devices access your internal systems.
  • Cloud-based systems are being used more and more over time. They can be accessed from anywhere on the internet, regardless of the device used. If your organisation uses cloud-based systems, consider using other security controls to help protect its data. These include:
    • centralised identity management systems, and
    • multi-factor authentication.

Advice for implementation

Managing mobile devices on your network