An MDM solution can be used to manage both company-issued devices (CIDs) and personal devices (BYOD).
The management of CIDs and BYOD devices is quite different.
The management strategy for company mobile devices usually entails more in-depth security because very often the CIDs have company documents and information stored on
When company devices are provisioned with an MDM solution, many configuration settings such as virtual private network (VPN) client access, email account settings, Wi-Fi
profile settings, passwords, and encryption settings are enabled.
The ability for employees to remove MDM profiles from a CID is disabled and the MDM administrator can remotely wipe company mobile devices if they are lost or stolen.
Because these devices are not personal devices, the IT department can also dictate which applications can or cannot be installed on tablets and/or smartphones.
The concept of BYOD emerged because personal mobile devices are much more difficult to manage unless a proper MDM solution has been deployed.
Every company should have its own unique BYOD containment strategy while still allowing access to the corporate WLAN.
For example, when the personal devices are provisioned with an MDM solution, the camera may be disabled so that pictures cannot be taken within the building.
The basic architecture of any MDM solution consists of four main components:
The mobile Wi-Fi device requires access to the corporate WLAN and can be either a company-owned or an employee-owned device.
The mobile devices are not allowed onto the corporate network until an enrolment process has been completed and an MDM profile has been installed.
All Wi-Fi communications are between the mobile devices and the access point to which they are connected.
If the devices have not been enrolled via the MDM server, the AP or WLAN controller quarantines the mobile devices within a restricted area of the network known as a walled garden.
The MDM server is responsible for enrolling client devices and provisions the mobile devices with MDM profiles that define client device restrictions as well as configuration settings.
Certificates can be provisioned from the MDM server.
Whitelisting policies restrict enrolment to a list of specific devices and operating systems.
Blacklisting policies allow all devices and operating systems to enrol except for those that are specifically prohibited by the blacklist.
Device inventory control and application management are key components of any MDM solution.
Push Notification Servers
The MDM server communicates with push notification servers such as Apple Push Notification service (APNs) and Google Cloud Messaging (GCM) for over-the-air management of mobile Wi-Fi devices.
Mobile devices must go through an enrolment process in order to access network resources.
Mobile device connects with the access point
The mobile device must first establish an association with an AP.
The Wi-Fi security could be open, but usually the CID or personal devices are trying to establish a connection with a secure corporate SSID that is using 802.1X or preshared key (PSK) security.
At this point, the AP holds the mobile client device inside a walled garden.
AP checks if the device is enrolled.
The next step is to determine if the mobile device has been enrolled.
If the mobile device is already enrolled, the MDM server will send a message to the AP to release the device from the walled garden.
Unenrolled devices will remain quarantined inside the walled garden.
MDM server queries LDAP
The MDM server queries an existing LDAP database, such as Active Directory.
The LDAP server responds to the query, and then the MDM enrolment can proceed.
Device is redirected to the MDM server
When the user opens a browser on the mobile device, it is redirected to the captive web portal for the MDM server.
The enrolment process can then proceed.
For legal and privacy reasons, captive web portals contain a legal disclaimer agreement that gives the MDM administrator the ability to restrict settings and remotely change the capabilities of the mobile device.
If the user does not agree to the legal disclaimer, they cannot proceed with the enrolment process and will not be released from the walled garden.
Device installs certificate and MDM profile
Once enrolment begins, a secure over-the-air provisioning process for installing the MDM profile is needed.
Over-the-air provisioning differs between different device operating systems, but using trusted certificates and SSL encryption is the norm.
MDM server releases mobile device
Once the device has completed the MDM enrolment, the MDM server sends a message to the AP or WLAN controller to release the mobile device from the walled garden.
Mobile device exits the walled garden
The mobile device now abides by the restrictions and configuration settings defined by the MDM profile.
MDM profiles are used for mobile device restrictions.
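The enrolment steps above, together with the whitelist and blacklist enrolment policies described earlier, as one runnable simulation. This is an added example, not code from any MDM vendor; the AP, MDM server, LDAP directory, device serials, user names and profile settings are all constructed stand-ins, and the policy semantics (whitelist requires an approved OS plus, if a serial list is configured, an approved serial; blacklist rejects anything listed) are an assumption made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import secrets


class Mode(Enum):
    WHITELIST = "whitelist"  # enrolment restricted to listed operating systems and devices
    BLACKLIST = "blacklist"  # everything may enrol except listed operating systems and devices


@dataclass
class Device:
    serial: str
    os: str
    user: str
    in_walled_garden: bool = False
    certificate: Optional[str] = None
    profile: Optional[dict] = None


@dataclass
class MdmServer:
    mode: Mode
    os_list: set          # allowed (whitelist) or prohibited (blacklist) operating systems
    serial_list: set      # allowed (whitelist) or prohibited (blacklist) device serials
    directory: dict       # constructed stand-in for the LDAP/Active Directory query: user -> group
    enrolled: set = field(default_factory=set)
    profile_template: dict = field(default_factory=lambda: {
        "camera_allowed": False, "vpn_server": "vpn.example.test",
        "wifi_ssid": "corp-secure", "remove_profile_allowed": False})  # constructed settings

    def enrolment_allowed(self, dev: Device) -> bool:
        os_listed = dev.os in self.os_list
        serial_listed = dev.serial in self.serial_list
        if self.mode is Mode.WHITELIST:
            # the OS must be approved; if a serial list is configured the device must be on it too
            return os_listed and (not self.serial_list or serial_listed)
        return not os_listed and not serial_listed

    def is_enrolled(self, dev: Device) -> bool:
        return dev.serial in self.enrolled

    def enrol(self, dev: Device, accepted_disclaimer: bool) -> str:
        """Steps 3-6: policy check, LDAP lookup, captive portal disclaimer, OTA provisioning."""
        if not self.enrolment_allowed(dev):
            return "denied: device or OS blocked by enrolment policy"
        if dev.user not in self.directory:
            return "denied: user not found in directory"
        if not accepted_disclaimer:
            return "denied: legal disclaimer not accepted"
        dev.certificate = "cert-" + secrets.token_hex(4)   # stand-in for the OTA-provisioned certificate
        dev.profile = dict(self.profile_template)          # restrictions and settings now apply
        self.enrolled.add(dev.serial)
        return "enrolled"


class AccessPoint:
    """AP / WLAN controller that quarantines unenrolled clients in the walled garden."""

    def __init__(self, mdm: MdmServer):
        self.mdm = mdm

    def associate(self, dev: Device) -> bool:
        # Steps 1-2: association, then the enrolment check against the MDM server
        dev.in_walled_garden = not self.mdm.is_enrolled(dev)
        return dev.in_walled_garden

    def release(self, dev: Device) -> None:
        # Step 7: the MDM server signals the AP to release the device
        dev.in_walled_garden = False


def onboard(ap: AccessPoint, dev: Device, accepted_disclaimer: bool = True) -> str:
    """Run the whole flow for one device and report the outcome."""
    if not ap.associate(dev):
        return "already enrolled, released"
    result = ap.mdm.enrol(dev, accepted_disclaimer)
    if result == "enrolled":
        ap.release(dev)
    return result


def demo():
    """Constructed scenario: whitelist iOS and Android, no serial restriction."""
    mdm = MdmServer(Mode.WHITELIST, {"iOS", "Android"}, set(),
                    {"alice": "staff", "bob": "staff"})
    ap = AccessPoint(mdm)
    phone = Device("SN-1001", "iOS", "alice")
    laptop = Device("SN-2002", "Windows", "bob")
    stranger = Device("SN-3003", "Android", "mallory")
    outcomes = [onboard(ap, phone), onboard(ap, laptop), onboard(ap, stranger),
                onboard(ap, phone)]
    return outcomes, phone.in_walled_garden, laptop.in_walled_garden


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The point to notice is that a device only leaves the walled garden on the MDM server's say-so: the AP never decides on its own, and a denied device (wrong OS, unknown user, or declined disclaimer) keeps the in_walled_garden flag set.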
MDM profiles can also be used to globally configure various components of a mobile device.
MDM profiles can include device restrictions, email settings, VPN settings, LDAP directory service settings, and Wi-Fi settings.
MDM agent software
The operating systems of some mobile devices require MDM agent application software.
An MDM agent must support multiple Android device manufacturers.
The MDM agent on the iOS device could potentially send information back to the MDM server that is not defined by the Apple MDM APIs.
The MDM server can monitor device information including device name, serial number, capacity, battery life, and the applications that are installed on the device.
Information that cannot be seen includes SMS messages, personal emails, calendars, and browser history.
The mobile device can still be managed remotely, even if the mobile device is no longer connected to the corporate WLAN.
The communication between the MDM server and the mobile devices requires push notifications from a third-party service.
Both Google and Apple have APIs that allow applications to send push notifications to mobile devices.
What kind of remote actions can an MDM administrator accomplish over the Internet?
Make changes to the configuration.
Make changes to the device restrictions.
Deliver a message to the device.
Lock the device.
Wipe the device.
Make application management changes.
Enterprise MDM solutions also offer various levels of management of the applications that run on mobile devices.
Managing applications on company-owned devices is commonplace; however, application management on employees' personal devices is not as prevalent.
Wi-Fi client onboarding
The main purpose of these onboarding solutions is to give the customer an inexpensive and simple way to provision mobile devices onto the secure corporate SSID.
Guest WLAN access
In the past, a common SSID strategy was to segment different types of users, even employees, on separate SSIDs; each SSID was mapped to an independent VLAN.
That strategy is rarely recommended now because of the layer 2 overhead created by having many SSIDs.
What has not changed over time is the recommendation that all guest user traffic be segmented onto a separate SSID.
The guest SSID will always have different security parameters than the employee SSID, and therefore the necessity of a separate guest SSID continues.
Although encryption is not usually provided for guest users, some WLAN vendors have begun to offer encrypted guest access and provide data privacy using dynamic PSK credentials. Encrypted guest access can also be provided with 802.1X/EAP with Hotspot 2.0
Guest user traffic should be segmented into a unique VLAN tied to an IP subnet that does not mix with the employee VLAN.
Segmenting your guest users into a unique VLAN is a security and management best practice.
Although isolating the guest VLAN in a DMZ has been a common practice for many years, it is no longer necessary if guest firewall policies are being enforced at the edge of the network.
Guest firewall policy
The most important security component of a guest WLAN is the firewall policy.
The guest WLAN firewall policy prevents guest user traffic from getting near the company network infrastructure and resources.
The guest firewall policy should simply route all guest traffic straight to an Internet gateway and away from the corporate network infrastructure.
It really is up to the security policy of the company to determine what ports need to be blocked on the guest VLAN.
Captive web portals
Often, guest users must log in through a captive web portal page before they are provided access to the Internet.
One of the most important aspects of the captive web portal page is the legal disclaimer.
A captive portal solution effectively turns a web browser into an authentication service.
Client isolation, rate limiting, and web content filtering
Client isolation is a feature that can be enabled on WLAN access points or controllers to block wireless clients from communicating directly with other wireless clients on the same wireless VLAN.
Client isolation is highly recommended on guest WLANs to prevent peer-to-peer attacks.
Enterprise WLAN vendors also offer the capability to throttle bandwidth of user traffic.
Enterprise companies often deploy web content filter solutions to restrict the type of websites that their employees can view while at the workplace.
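The guest firewall policy and the client isolation feature, expressed as a single policy evaluator and run over a set of sample flows. This is an added example, not a vendor's firewall configuration; the guest subnet, gateway address, blocked port list and the sample flows are all constructed, and the ordering of the checks (gateway services first, then client isolation, then the corporate-network block, then company port policy) is a design choice made here for clarity.

```python
import ipaddress

# Constructed addressing for the example
GUEST_VLAN = ipaddress.ip_network("10.200.0.0/22")       # guest users only, on their own IP subnet
GUEST_GATEWAY = ipaddress.ip_address("10.200.0.1")        # guest default gateway, DHCP and DNS
BROADCAST = ipaddress.ip_address("255.255.255.255")
CORP_NETS = [ipaddress.ip_network(n) for n in             # all RFC 1918 space is treated as "inside"
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY_SERVICES = {("udp", 67), ("udp", 53), ("tcp", 53)}  # DHCP and DNS to the gateway only
BLOCKED_INTERNET_PORTS = {25}                             # company-policy example: no outbound SMTP
CLIENT_ISOLATION = True


def evaluate(src, dst, proto, dport):
    """Decide what the guest edge does with one flow from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST_VLAN:
        return "not guest traffic: policy does not apply"
    # 1. the only internal destination a guest may talk to is the gateway itself, for DHCP/DNS
    if dst in (GUEST_GATEWAY, BROADCAST) and (proto, dport) in GATEWAY_SERVICES:
        return "allow: gateway service"
    # 2. client isolation: guests never talk to each other on the guest VLAN (peer-to-peer attacks)
    if CLIENT_ISOLATION and dst in GUEST_VLAN:
        return "deny: client isolation"
    # 3. nothing from the guest VLAN reaches the corporate network infrastructure
    if any(dst in net for net in CORP_NETS):
        return "deny: corporate network"
    # 4. everything else goes straight to the Internet gateway, minus ports the company blocks
    if dport in BLOCKED_INTERNET_PORTS:
        return "deny: port blocked by company policy"
    return "allow: internet"


SAMPLE_FLOWS = [  # constructed (src, dst, proto, dport)
    ("10.200.1.20", "255.255.255.255", "udp", 67),   # DHCP discover
    ("10.200.1.20", "10.200.0.1", "udp", 53),        # DNS to the guest gateway
    ("10.200.1.20", "10.200.1.21", "tcp", 22),       # guest to guest
    ("10.200.1.20", "10.1.5.10", "tcp", 445),        # guest to a corporate file server
    ("10.200.1.20", "192.168.10.5", "tcp", 80),      # guest to corporate management web UI
    ("10.200.1.20", "203.0.113.10", "tcp", 443),     # guest to the Internet
    ("10.200.1.20", "198.51.100.25", "tcp", 25),     # guest sending SMTP directly
    ("10.1.5.10", "10.200.1.20", "tcp", 22),         # not sourced from the guest VLAN
]


def evaluate_all(flows=SAMPLE_FLOWS):
    return [evaluate(*f) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate_all()):
        print(flow, "->", verdict)
```

Because the guest subnet is itself carved out of 10.0.0.0/8, the client isolation check must run before the corporate-network check, otherwise every guest-to-guest flow would be reported under the wrong reason; the order matters for logging even when the verdict is the same.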
Most guest WLANs require a guest user to authenticate with credentials via a captive web portal.
Unlike a pre-existing Active Directory database, guest user databases are normally created on the fly.
Someone has to be in charge of managing the database and creating the guest user accounts.
IT administrators are typically too busy to manage a guest database; therefore, the individual who manages the database is often a receptionist or the person who greets guests at the front door.
A good guest management solution allows the receptionist to register a single guest user or groups of users.
Over the past few years, there has also been a greater push for guest users to create their own account, which is commonly referred to as self-registration.
When the guest is redirected to the captive web portal, if they do not already have a guest account, a link on the logon web page redirects the guest to a self-registration page.
Self-registration via a kiosk is quite useful when the kiosk is deployed in the main lobby or at the entrance to the company.
An advantage of self-registration kiosks is that the receptionist does not have to provision the users and can concentrate on other work duties.
Guest users can also be required to enter the email address of an employee, who in turn must approve and sponsor the guest.
Employee sponsorship ensures that only authorized guest users are allowed onto the guest WLAN and that the company employees are actively involved in the guest user authorization process.
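A small guest account store covering the three provisioning paths described above (receptionist registration of one guest or a group, self-registration, and employee sponsorship), with automatic expiry. This is an added example, not a product's guest management module; the sponsor domain, account lifetime, username format and PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


class GuestDirectory:
    """Constructed on-the-fly guest account store behind a captive web portal."""

    def __init__(self, sponsor_domain="example.test", lifetime=timedelta(hours=24)):
        self.sponsor_domain = sponsor_domain   # only employees of this domain may sponsor
        self.lifetime = lifetime               # guest accounts expire automatically
        self.accounts = {}                     # username -> (salt, hash, expiry, sponsor, name)
        self.pending = {}                      # request id -> (guest name, sponsor email, when)

    def _create(self, name, sponsor, now):
        username = "guest-" + secrets.token_hex(3)
        password = secrets.token_urlsafe(9)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.accounts[username] = (salt, digest, now + self.lifetime, sponsor, name)
        return username, password              # handed to the guest once, never stored in clear

    def register_by_receptionist(self, name, now):
        """Front-desk provisioning of a single guest."""
        return self._create(name, "front-desk", now)

    def register_group(self, names, now):
        """Front-desk provisioning of a group, e.g. attendees of a meeting."""
        return [self._create(n, "front-desk", now) for n in names]

    def self_register(self, name, sponsor_email, now):
        """Self-registration page: the guest names an employee who must approve.
        Returns a request id for the sponsor's approval email, or None if the
        sponsor address is not in the company domain."""
        if not sponsor_email.lower().endswith("@" + self.sponsor_domain):
            return None
        request_id = secrets.token_urlsafe(8)
        self.pending[request_id] = (name, sponsor_email.lower(), now)
        return request_id

    def sponsor_approve(self, request_id, approver_email, now):
        """Only the employee named in the request can approve it; returns credentials or None."""
        entry = self.pending.get(request_id)
        if entry is None or entry[1] != approver_email.lower():
            return None
        name, sponsor, _ = self.pending.pop(request_id)   # one approval per request
        return self._create(name, sponsor, now)

    def authenticate(self, username, password, now):
        """Captive portal login check: account exists, not expired, password matches."""
        entry = self.accounts.get(username)
        if entry is None:
            return False
        salt, digest, expiry, _, _ = entry
        if now >= expiry:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    d = GuestDirectory()
    t0 = datetime(2024, 1, 1, 9, 0)
    user, pw = d.register_by_receptionist("Visitor One", t0)
    print(user, d.authenticate(user, pw, t0 + timedelta(hours=1)))
```

Two things a practitioner would check here: the sponsor check compares the approver against the address the guest entered, so a guest cannot approve their own request by naming a non-employee, and the expiry is enforced at login time rather than by a cleanup job, so a stale account is useless even before it is deleted.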
A new trend in guest networks in retail and service industries is social login.
Social login is a method of using existing logon credentials from a social networking service (such as Twitter, Facebook, or LinkedIn) to log in to the guest network.
Social login is often enabled using the OAuth protocol.
OAuth is a secure authorization protocol that allows access tokens to be issued to third-party clients by an authorization server.
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service and can be used for social login for Wi-Fi guest networks.
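The OAuth 2.0 authorization code exchange behind social login, with both sides modelled in one script: the social network's authorization server issuing a one-time code and then an access token, and the guest captive portal acting as the third-party client. This is an added example, not any social network's or portal vendor's implementation; the hostnames, client id and secret, scope name and user record are constructed, and the real flow would of course run over HTTPS between separate systems.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class SocialAuthServer:
    """Constructed stand-in for a social network's OAuth 2.0 authorization server."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # authorization code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}    # access token -> user record

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, auth_url, user, now=None):
        """Authorization endpoint: the user is logged in at the social site and has consented.
        Returns the redirect back to the client carrying the code and the client's state."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        _, registered_uri = self.clients[q["client_id"]]
        if q.get("response_type") != "code" or q.get("redirect_uri") != registered_uri:
            raise ValueError("invalid_request")   # exact redirect_uri match stops code leakage
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], registered_uri, user, (now or time.time()) + 60)
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Token endpoint: back-channel exchange of the one-time code for an access token."""
        entry = self.codes.pop(code, None)                 # pop: a code can be used once
        if entry is None:
            raise ValueError("invalid_grant")
        owner, uri, user, expiry = entry
        if (owner, uri) != (client_id, redirect_uri) or (now or time.time()) > expiry:
            raise ValueError("invalid_grant")
        if self.clients[client_id][0] != client_secret:
            raise ValueError("invalid_client")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token

    def userinfo(self, token):
        """Resource endpoint: the limited profile access the token grants."""
        return self.tokens[token]


class CaptivePortal:
    """The guest WLAN captive portal acting as the OAuth 2.0 client (constructed)."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()
        server.register_client(client_id, client_secret, redirect_uri)

    def start_login(self):
        state = secrets.token_urlsafe(16)        # binds the callback to this browser session
        self.pending_states.add(state)
        return "https://social.example.test/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "profile", "state": state})

    def callback(self, redirect_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if q.get("state") not in self.pending_states:
            raise ValueError("state mismatch: possible CSRF or replayed callback")
        self.pending_states.discard(q["state"])
        token = self.server.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)
        return self.server.userinfo(token)       # identity used to open the guest session


def social_login_demo():
    server = SocialAuthServer()
    portal = CaptivePortal(server, "guest-portal", "portal-secret", "https://guest.example.test/cb")
    auth_url = portal.start_login()                                   # browser sent to social site
    back = server.authorize(auth_url, {"id": "u123", "name": "Guest User"})  # user consents
    return portal.callback(back)                                      # portal finishes the login


def replay_rejected():
    """A captured callback URL cannot be replayed: state is consumed and the code is single-use."""
    server = SocialAuthServer()
    portal = CaptivePortal(server, "guest-portal", "portal-secret", "https://guest.example.test/cb")
    back = server.authorize(portal.start_login(), {"id": "u1"})
    portal.callback(back)
    try:
        portal.callback(back)
    except ValueError:
        return True
    return False
```

The portal never sees the user's social-network password; it only receives a short-lived code on the front channel and trades it for a scoped token on the back channel, which is exactly the "limited access to an HTTP service" the text refers to.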
Encrypted guest access
The problem is that many consumers and guest users are not savvy enough to know how to use a VPN solution when connected to an open guest WLAN.
However, if a company can also provide encryption on the guest SSID, the protection provided to the guest user is a value added service.
Another growing trend with public access networks is the use of 802.1X/EAP with Hotspot 2.0.
Hotspot 2.0 is a Wi-Fi Alliance technical specification that is supported by the Passpoint certification program.
Though open networks are still the norm today, growing interest in security and automated connectivity in public access networks will motivate adoption and use of Hotspot 2.0.
Network access control (NAC)
Network access control (NAC) began as a response to computer viruses, worms, and malware that appeared in the early 2000s.
Posture is a process that applies a set of rules to check the health and configuration of a computer and determine whether it should be allowed access to the network.
NAC products do not perform the health checks themselves but rather validate that the policy is adhered to.
Essentially, posture assessment “checks the checkers.”
After the posture check is performed, if a computer is considered unhealthy, the ideal scenario would be for the posture agent to automatically fix or remediate the problem so that the computer can pass the check and gain network access.
NAC and BYOD
With the proliferation of personal Wi-Fi-enabled devices, enterprises were forced to decide if these devices would be allowed to connect to the enterprise network and if so, what type of access would be allowed.
NAC allows both the device and the user to be evaluated when deciding whether a device is allowed onto the network.
NAC uses various monitoring and fingerprinting techniques to identify different devices so that access can be controlled.
The operating system of WLAN client devices can be determined by a variety of fingerprinting methods, including DHCP snooping.
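DHCP fingerprinting as described above, in a runnable form: the option area of a DHCP Request is parsed, the parameter request list (option 55) and vendor class (option 60) are extracted, and the result is matched against a fingerprint table. This is an added example, not a NAC product's fingerprinting engine; the fingerprint table entries are illustrative values constructed for the example, not a maintained database, and the fallback on the vendor class string is an assumption about how such a lookup degrades.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the DHCP option area

# Constructed, illustrative fingerprint table: parameter request list -> OS family.
# A real deployment would load a maintained database rather than hard-code entries.
FINGERPRINTS = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows (illustrative entry)",
    (1, 121, 3, 6, 15, 119, 252): "Apple iOS/macOS (illustrative entry)",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android (illustrative entry)",
}


def parse_dhcp_options(blob):
    """Parse the TLV option area of a DHCP message; returns {option code: raw value}."""
    if not blob.startswith(DHCP_MAGIC):
        raise ValueError("not a DHCP option area")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(blob):
        code = blob[i]
        if code == 0:              # pad
            i += 1
            continue
        if code == 255:            # end
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def fingerprint(blob):
    """Return (os guess, parameter request list, vendor class) for one DHCP message."""
    opts = parse_dhcp_options(blob)
    prl = tuple(opts.get(55, b""))                         # option 55: parameter request list
    vendor = opts.get(60, b"").decode("ascii", "replace")  # option 60: vendor class identifier
    os_guess = FINGERPRINTS.get(prl)
    if os_guess is None and vendor.startswith("MSFT"):
        os_guess = "Windows (by vendor class)"             # weaker evidence, used as fallback
    return os_guess or "unknown", prl, vendor


def build_request(prl, vendor=None, msg_type=3):
    """Construct a DHCP Request option area for the demo (constructed input)."""
    out = DHCP_MAGIC + bytes([53, 1, msg_type]) + bytes([55, len(prl)]) + bytes(prl)
    if vendor:
        out += bytes([60, len(vendor)]) + vendor.encode("ascii")
    return out + b"\xff"


if __name__ == "__main__":
    sample = build_request((1, 121, 3, 6, 15, 119, 252))
    print(fingerprint(sample))
```

The parameter request list is sent in the clear before the client has an address, which is why DHCP snooping on the access layer can classify a device early; the flip side is that a client controls its own options, so a fingerprint is evidence for a NAC decision, not proof of identity.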