A computer is considered compromised if:
When a system is compromised, it may exhibit some of the following signs:
In some cases, the suspicious behaviors may simply be a case of software, hardware, or data entry errors, but erring on the side of caution is always advised. If malware is the cause, it can perform a variety of activities on your system, such as capturing sensitive information (including passwords) that you key into the system, altering stored data, holding your data for ransom, or disrupting service. It is important to determine, as soon as possible, whether or not malicious activity has occurred. If you suspect that your computing device is compromised, you should immediately:
We ask that you take the above steps for the following reasons:
Affected Products: Workspace ONE

Mobile devices allow constant communication and access to enterprise content on the go. While mobile devices keep vital business information flowing, malware and corrupted content can be introduced into your network. Given these potential security threats, your Mobile Device Management (MDM) strategy should be prepared for any challenge. One such security challenge is the presence of a compromised device in your mobile fleet.

Overview

Compromised devices include "jailbroken" iOS and "rooted" Android devices that a user has altered from manufacturer presets. These devices strip away integral security settings and may introduce malware into your network and access your enterprise resources. In an MDM environment, the overall chain is only as strong as its weakest link. A single compromised device could leak sensitive information or corrupt your servers. Monitoring and detecting compromised devices becomes even trickier in a Bring Your Own Device (BYOD) environment, with varying versions of devices and operating systems. Compromised devices are a major security concern for an enterprise and should be tackled immediately. Jailbroken and rooted devices surrender basic safeguards, making them vulnerable entry points for undesired activity, such as:
The Challenge of Detection

Devices running on different platforms respond differently to compromised detection. For example, iOS 7+ devices support background checks but may carry additional limitations. Android devices allow background checks to happen without any restrictions or limitations. Workspace ONE's (formerly AirWatch) solution to this problem ensures detection across multiple devices and operating systems.

Workspace ONE Approach

To deal with such variations, Workspace ONE has developed a multi-tiered approach to compromised device detection. Reference the table below to understand the limitations and capabilities of the iOS and Android platforms.

Platform Capabilities
Note: For devices running iOS 6 and lower that can access a cellular connection, background checks are available using the Workspace ONE MDM Agent if GPS tracking is enabled. For devices running iOS 6 and lower that may only access a Wi-Fi connection, background checks are available using the Workspace ONE SDK embedded in internal apps.

Detecting Compromised Devices with Workspace ONE

Workspace ONE's solution spans the entire life of an enrolled device, locking out uninvited devices and severing ties with compromised or noncompliant devices. Its proprietary detection algorithms constantly undergo penetration testing and research and development against new operating system releases, keeping detection capabilities current. This multi-tiered detection approach for compromised devices consists of the following:

Agent Enrollment

Workspace ONE's first line of defense against unwanted devices starts at enrollment. Configure compliance settings and detect compromised devices before allowing a device entry. Require all devices to comply with security settings or install profiles for the user. Security compliance detection varies based on the type of enrollment:
For more information comparing the various enrollment approaches, see the iOS platform guide.

Background Checks

Once the device is enrolled, manage its compliance. The Workspace ONE MDM Agent provides ongoing background checks for compromised status on all Android devices and on newer versions of iOS (iOS 7+) with access to a cellular network. On iOS 7 devices, you can take advantage of Workspace ONE Agent-based features including:
Figure 1: (English Only) AirWatch MDM Agent

You can also manually run a query by going to the Device Details page for a specific device and clicking More > Query > Workspace ONE MDM Agent, as seen below. This query only appears if the required version of the Workspace ONE Agent is installed on the device.

Note: Both of these iOS 7 specific Background Check features require Workspace ONE Agent v4.9 or higher. Also, the Workspace ONE Agent cannot be in an Inactive state; it must be Active, Suspended, or Background. If the application is manually closed, background checks do not resume until the user opens the application again. Using the compromised detection functionality in the Workspace ONE SDK, you can tie into this backgrounding logic in your internal application to accomplish background jailbreak detection.

App-Initiated Checks

Establish detection checkpoints for enterprise information and Workspace ONE feature use. When a device launches the Workspace ONE Secure Content Locker, the AirWatch Browser, or the AirWatch MDM Agent, the detection system automatically verifies compliance status, adding another wall of protection around your information.

Enable your wrapped apps for iOS and Android with compromised protection. Enable the setting from the Settings and Policies page (Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies) along with other settings for your wrapped apps, and assign the profile to your wrapped app. For more information and step-by-step instructions, see the Workspace ONE App Wrapping Guide.

Enable your SDK apps for iOS with compromised detection. Starting with iOS SDK v3.2, you can check the compromised status of the device directly in your application, whether the device is online or offline. Your application can only use this function if the device has completed a Beacon call successfully at least once in the past. For more information and sample code, see the Workspace ONE iOS SDK Guide.
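To make concrete what an in-app compromised check of the kind described above actually inspects, the following is an added example written for this page. It is not Workspace ONE SDK code and not its proprietary algorithm: the indicator paths are well-known public jailbreak and root heuristics, the DeviceFacts struct, the scoring rule and the sample observations are assumptions constructed for the example. Every one of these indicators can be hidden by root-concealment tooling, which is why client-side checks are paired with server-side compliance rules rather than trusted on their own.

```python
"""Added example (not Workspace ONE code): the kind of filesystem and
behavioural indicators an in-app jailbreak/root check inspects.  The
indicator lists are well-known public heuristics, the scoring is an
assumption made for this example, and none of it is the SDK's proprietary
algorithm.  Any of these can be hidden by root-concealment tooling, which is
why client checks are paired with server-side compliance rules."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Artifacts commonly left on a jailbroken iOS device (public heuristics).
IOS_INDICATORS = (
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt/",
)

# su binaries and root-manager artifacts commonly present on rooted Android.
ANDROID_INDICATORS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/app/Superuser.apk",
    "/data/adb/magisk",
)


@dataclass
class DeviceFacts:
    """Observations a detector gathers on the device.  Constructed for the
    example; a real agent fills these in by stat()-ing paths, reading system
    properties, attempting a write outside its sandbox and, on iOS, asking
    whether the cydia:// URL scheme can be opened."""
    platform: str                         # "ios" or "android"
    existing_paths: Set[str] = field(default_factory=set)
    build_tags: str = "release-keys"      # Android ro.build.tags
    can_write_outside_sandbox: bool = False
    can_open_cydia_url: bool = False      # iOS only


def assess(facts: DeviceFacts) -> Dict[str, object]:
    """Classify a device from its observations.

    Design choice for this example: any single strong indicator (known
    artifact, sandbox escape, Cydia URL handler) marks the device as
    compromised; weak indicators (test-keys build) are reported but do not
    flip the verdict on their own, to limit false positives on custom ROMs."""
    indicators = IOS_INDICATORS if facts.platform == "ios" else ANDROID_INDICATORS
    strong: List[str] = sorted(p for p in indicators if p in facts.existing_paths)
    weak: List[str] = []
    if facts.can_write_outside_sandbox:
        strong.append("sandbox-escape-write")
    if facts.platform == "ios" and facts.can_open_cydia_url:
        strong.append("cydia-url-scheme")
    if facts.platform == "android" and facts.build_tags == "test-keys":
        weak.append("build-tags:test-keys")
    return {"compromised": bool(strong), "strong": strong, "weak": weak}


if __name__ == "__main__":
    # Constructed observations, not captured from a real device.
    samples = {
        "clean-ios": DeviceFacts("ios", {"/usr/bin/open"}),
        "jailbroken-ios": DeviceFacts("ios", {"/Applications/Cydia.app"}, can_open_cydia_url=True),
        "custom-rom-android": DeviceFacts("android", build_tags="test-keys"),
        "rooted-android": DeviceFacts("android", {"/system/xbin/su", "/data/adb/magisk"}),
    }
    for name, facts in samples.items():
        print(name, assess(facts))
```

The split between strong and weak indicators is the part worth copying: a custom ROM signed with test keys is not the same risk as an su binary, and treating it as compromised would lock legitimate BYOD users out of enterprise apps without improving security.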
Compliance Engine

Once Workspace ONE detects a compromised or noncompliant device, the compliance engine takes action on it based on the device policy the administrator set in the console. Workspace ONE lets the administrator require an initial device status and set the time interval at which the compliance engine runs.

Detection Built Into Enterprise Apps

Rather than installing the Workspace ONE Agent to access the SDK, build the Workspace ONE SDK into your internal apps. The SDK comes with key features of MDM (outlined in the complete SDK Profile), including jailbreak and root detection that constantly scans for compliance. Commonly run enterprise apps that are pushed down to a device run detection scans more frequently, so you catch compromised devices sooner. An administrator can then specify in the Admin Console the actions to be taken for an app installed on a compromised device. For example, if a device is found to be compromised, the administrator can apply the following actions:
Enforcing and Monitoring Compromised Devices

Enforce compliance policies to monitor the compromised status of iOS and Android devices. The Workspace ONE Admin Console furnishes the administrator with tools to keep the system alert and secured.

Note: Compromised device detection for Windows Phone devices is unnecessary, as there are no known jailbreaks or roots due to the operating system's UEFI and Secure Boot processes.

Compliance Engine

The Compliance Engine serves as a security checkpoint, automatically locking out or taking additional action on devices or users. Based on the compliance rules the administrator sets for a device, the compliance engine can detect whether a device is noncompliant and take the defined actions on it. These rules and actions are defined in the Workspace ONE Admin Console. Once the rules and actions are established, the Compliance Engine takes care of the rest. Remediation is automated: if a scan uncovers a compromised device, the device runs through preset warnings and escalated actions. Administrators are not forced to address each instance as it is found. The Admin Console also enables self-service for the compliance protocol: administrators can wipe a device and send an email or SMS message to the user explaining how and why their device is out of compliance, without the user having to contact the administrator. With the time saved by the Compliance Engine managing devices, administrators can review weekly or monthly compliance reports to identify repeat offenders.

Last Compromised Scan compliance

The Last Compromised Scan compliance rule allows the administrator to set the time interval within which the agent should perform the device scan. This ensures that if AirWatch has not received a compliance status from the device for a certain amount of time, precautionary measures can be taken.
Compromised Status compliance

The Compromised Status compliance rule allows the administrator to set up actions for a compromised device. For the above two compliance rules, the following actions can be applied:
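As an added example of how the two rules above combine into automated, escalating remediation, the following small compliance engine is written for this page and is not Workspace ONE's engine. The 24-hour scan-age threshold, the action names, the per-rule escalation ladders and the fleet snapshot are all assumptions constructed for the example; in the product the administrator chooses these in the console. The point it demonstrates is the one the Last Compromised Scan rule exists for: the server cannot tell a manually closed agent from a device hiding its state, so silence is treated as a finding rather than as compliance.

```python
"""Added example (not Workspace ONE's engine): a minimal compliance engine
applying the two rules described above, Last Compromised Scan and
Compromised Status, to device records and escalating actions the longer a
device stays in violation.  The scan-age threshold, action names, escalation
ladders and device records are assumptions constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    last_scan: Optional[datetime]   # when the agent last reported compromised status
    compromised: Optional[bool]     # None: never reported
    days_in_violation: int = 0      # consecutive engine runs (days) already failed


# Assumed policy.  In the product these are set in the console.
MAX_SCAN_AGE = timedelta(hours=24)

# Escalation ladder per rule: (action, detail), indexed by days in violation.
# A stale scan is warned about first; a positive compromised report gets a
# shorter ladder because the client check has already fired.
POLICY: Dict[str, List[Tuple[str, str]]] = {
    "last_compromised_scan": [
        ("notify", "email"),
        ("notify", "sms"),
        ("restrict", "remove_profiles"),
        ("wipe", "enterprise"),
    ],
    "compromised_status": [
        ("notify", "email"),
        ("wipe", "enterprise"),
    ],
}


def evaluate(device: Device, now: datetime) -> List[str]:
    """Return the names of the rules this device violates.

    A device that never reported, or whose last report is older than
    MAX_SCAN_AGE, violates the scan rule: the server cannot distinguish a
    killed agent from a device hiding its state, so silence is treated as a
    finding rather than as compliance."""
    violations: List[str] = []
    if device.last_scan is None or now - device.last_scan > MAX_SCAN_AGE:
        violations.append("last_compromised_scan")
    if device.compromised:
        violations.append("compromised_status")
    return violations


def next_action(device: Device, now: datetime) -> Optional[Tuple[str, str, str]]:
    """Pick (rule, action, detail) for the current engine run, or None.

    When both rules fire, the Compromised Status rule wins because it is the
    more specific finding; the ladder step is capped at the final action so a
    device stays at 'wipe' rather than wrapping around."""
    violations = evaluate(device, now)
    if not violations:
        return None
    rule = "compromised_status" if "compromised_status" in violations else violations[0]
    ladder = POLICY[rule]
    step = min(device.days_in_violation, len(ladder) - 1)
    action, detail = ladder[step]
    return (rule, action, detail)


def run_engine(devices: List[Device], now: datetime) -> Dict[str, Optional[Tuple[str, str, str]]]:
    """One scheduled pass over the fleet: the pending actions an admin would see."""
    return {d.device_id: next_action(d, now) for d in devices}


# Constructed fleet snapshot, not real enrollment data.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
FLEET = [
    Device("ok-1", NOW - timedelta(hours=2), False),
    Device("stale-1", NOW - timedelta(days=3), False, days_in_violation=2),
    Device("silent-1", None, None),
    Device("rooted-1", NOW - timedelta(hours=1), True, days_in_violation=1),
    Device("rooted-stale-1", NOW - timedelta(days=5), True),
]

if __name__ == "__main__":
    for device_id, action in run_engine(FLEET, NOW).items():
        print(f"{device_id:15} {action}")
```

Running it shows "silent-1" (never reported) picked up by the scan-age rule on its first pass and "rooted-stale-1" handled under the Compromised Status rule even though its scan is also stale, which is the precedence an administrator would normally want.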
Device Control Panel

Administrators can view a summary of the enrolled devices. The summary includes security details informing the administrator whether compromised detection was performed on the device. If the device is not compromised, a green check mark is shown.

Figure 2: (English Only) Device Control Panel

Visualize Device Compliance

Your Dashboard provides a graphical representation of the percentage of enrolled devices in an organization group that are compromised. This gives the administrator a high-level view of compromised devices and helps in tracking them.

Figure 3: (English Only) Dashboard

Run Scheduled or On-Demand Compliance Reports

The Workspace ONE Admin Console also comes with more than 100 standard reports, including a list of Compliance Reports that can run automatically at scheduled intervals or be generated on demand. Quickly view any noncompliant devices in your entire fleet or in specific organization groups. Isolate offending devices for blocklisted apps, weak passcode settings, and overall security compliance. Compliance reports allow a bird's-eye view of compromised or noncompliant devices in your system.

Figure 4: (English Only) All Reports

Conclusion

Secure MDM is an ever-growing need, and Workspace ONE addresses it with a solution that arms you to detect security threats such as compromised devices. Workspace ONE's multi-tier detection solution was designed to be effective on all device platforms and also provides the flexibility to take the required actions on detected devices. Together, these components of the detection solution make Workspace ONE an effective way to keep your enterprise secured, smooth, and frictionless.

To contact support, reference Dell Data Security International Support Phone Numbers.