Wednesday, December 6, 2023

Safeguarding Enterprise Data on Mobile Devices on the Go: The Crucial Role of MDM and Jamf Mobile Threat Defense

In today's digital age, the workforce is increasingly mobile, with employees relying on smartphones and tablets, often their own devices, to carry out their daily tasks. As enterprises embrace this shift towards mobile productivity, securing sensitive company data on these devices becomes paramount. In this post we'll explore how enterprise data comes to reside on mobile devices and delve into the significance of Mobile Device Management (MDM) and Mobile Threat Defense (MTD) solutions, focusing specifically on Jamf Protect for Mobile security.


Enterprise Data on Mobile Devices:

Mobile devices have become an integral part of the modern workplace, enabling employees to work remotely, collaborate seamlessly, and access critical information on the go. However, this convenience comes with inherent risks, as enterprise data often resides on these devices, making them potential targets for cyber threats and unauthorized access. Whether it's proprietary business information, customer data, or intellectual property, safeguarding this sensitive data is crucial for maintaining trust, compliance, and the overall security posture of an organisation.


What is MDM and Its Key Role in Data Protection:

Mobile Device Management (MDM) is a comprehensive solution designed to manage, monitor, and secure mobile devices within an enterprise. MDM systems empower IT administrators with the tools to enforce policies, configure settings, and ensure compliance across a fleet of mobile devices. Key features of MDM include remote device wiping, app management, and the ability to track device locations, providing a centralized approach to device security.


MDM plays a vital role in data protection by:

1. Policy Enforcement: MDM allows organisations to establish and enforce security policies, ensuring that devices accessing company data adhere to predefined standards.

2. Data Encryption: MDM solutions often include encryption features, protecting data stored on devices from unauthorised access.

3. Remote Management: In case of loss or theft, administrators can remotely wipe sensitive data from the device, preventing it from falling into the wrong hands.



Introduction to Mobile Threat Defense (MTD) and Jamf Protect for Mobile security:

Mobile Threat Defense (MTD) is a specialized solution focused on identifying and mitigating mobile-specific security threats. With the increasing sophistication of mobile malware and phishing attacks, having a dedicated MTD solution becomes crucial for a comprehensive security strategy.

Jamf Protect for Mobile security is a leading MTD solution designed specifically for mobile devices, providing advanced threat detection and real-time response capabilities. It offers:

1. Threat Detection: Jamf Mobile Threat Defense employs advanced algorithms to detect and respond to mobile-specific threats, such as malicious apps and network vulnerabilities.

2. Zero-Day Threat Prevention: The solution proactively identifies and blocks threats, even those that exploit vulnerabilities not yet known to the security community.

3. Integration with MDM: Jamf Mobile Threat Defense seamlessly integrates with MDM solutions, creating a holistic approach to mobile device security.

Below is a feature table comparing Jamf Protect for Mobile security, Mobile Device Management (MDM), and Mobile Application Management (MAM):

| Feature | Jamf Protect for Mobile security | Mobile Device Management (MDM) | Mobile Application Management (MAM) |
| --- | --- | --- | --- |
| Security | Provides advanced threat detection and remediation for iOS and Android. | Focuses on device-level security, enforcing policies, encryption, and compliance. | Concentrates on securing and managing individual applications, ensuring data protection. |
| Threat Detection | Identifies and mitigates mobile threats, malware, and vulnerabilities in real time. | Monitors and manages device security, but may not offer advanced threat detection. | Primarily concerned with securing and managing the applications rather than threat detection. |
| Device Policies | Limited to threat defence policies, ensuring a secure environment. | Enforces a wide range of device-level policies such as passcodes, encryption, and restrictions. | Focuses on application-level policies, controlling how applications interact with data and other apps. |
| App Deployment | Primarily focused on threat defence; may not handle app deployment. | Centralized deployment and management of apps on devices. | Manages the distribution, updating, and removal of applications on individual devices. |
| Device Configuration | Limited device configuration options, mainly related to security settings. | Offers comprehensive device configuration settings for a wide range of parameters. | Primarily concerned with configuring how individual applications operate on devices. |
| User Authentication | May integrate with existing authentication systems for enhanced security. | Enforces user authentication and access controls to the device. | Focuses on securing access to and within individual applications, often using single sign-on (SSO). |
| Containerization | May utilise containerisation for isolating and securing apps and data. | Generally focuses on device-level containerization for work and personal data separation. | Leverages containerization to isolate and protect individual applications and their data. |
| Data Protection | Emphasises threat defence for data protection against malicious activities. | Enforces encryption and policies to protect data on the device. | Concentrates on securing data within individual applications, often through app-specific policies. |
| Device Inventory | Limited device inventory features; primarily focused on threat-related information. | Provides detailed device inventory, tracking hardware and software details. | Offers basic information on devices, but emphasizes app-related details. |
| Platform Support | Typically focused on iOS, Android, Windows and Mac devices. | Supports a wide range of mobile operating systems, including iOS, Android, and others. | Works across various platforms, ensuring compatibility with different operating systems. |


Comparing the Cybersecurity Capabilities of MDM, MAM and Jamf Mobile Threat Defense

| Cybersecurity Capability | Jamf Protect for Mobile security | MDM (Mobile Device Management) | MAM (Mobile Application Management) |
| --- | --- | --- | --- |
| Device Security | Comprehensive protection against known and unknown threats, including malware, phishing, and network attacks. | Device-level control and policy enforcement, ensuring devices comply with security standards. | Focuses on application-level security, limiting access to sensitive data and functionality. |
| Data Encryption | Strong encryption protocols for data at rest and in transit, safeguarding sensitive information. | Device-centric encryption to protect data stored on devices, reducing the risk of data breaches. | Emphasizes encryption and secure transmission of data within mobile applications, protecting sensitive data. |
| Access Control | Granular control over device access, user authentication, and authorization, reducing the risk of unauthorized access. | Centralized control over device access, user roles, and permissions to manage access points effectively. | Application-specific access controls to restrict user access based on roles and responsibilities. |
| App Security | Monitors and secures applications against malicious activities, ensuring only approved and secure apps are allowed. | Controls app installation and updates, preventing the use of unauthorized or outdated applications. | Focuses on securing individual applications, often using containerization to isolate app data and functionality. |
| Network Security | Proactive threat detection and prevention for network-based attacks, safeguarding device communications. | Manages network configurations and connections to prevent unauthorized access, reducing the risk of network-related threats. | Prioritizes securing data transmitted between mobile apps and corporate servers, minimizing the risk of data interception. |
| Threat Intelligence | Integration with threat intelligence feeds for real-time updates on emerging threats, enhancing proactive defence mechanisms. | Limited threat intelligence integration, relying on periodic updates and manual security assessments. | Utilizes threat intelligence to assess risks associated with specific mobile applications, focusing on app-level threats. |
| Compliance Management | Comprehensive compliance tracking and reporting to ensure devices adhere to regulatory and organizational security requirements. | Enforces compliance policies to meet regulatory standards, with centralized reporting for audit purposes. | Focuses on application compliance, ensuring that mobile apps adhere to security policies and regulatory standards. |
| Security Policy Enforcement | Enforces security policies at the device and application levels, ensuring consistent adherence to security standards. | Centralized enforcement of security policies to maintain a standardized security posture across all devices. | Implements policies specific to application behaviour, enhancing control over app-level security configurations. |

Security Gaps:

  • Limited Visibility: MDM and MAM solutions often lack comprehensive visibility into app activity, making it difficult to detect malicious behaviour or data breaches.
  • Limited Control: MDM and MAM solutions may not have sufficient control over personal devices, making it difficult to enforce security policies and prevent data leakage.
  • Limited Protection: MDM and MAM solutions often offer limited protection against sophisticated threats, such as zero-day attacks and advanced malware.


Why Choose MDM and Jamf Mobile Threat Defense:

1. Comprehensive Protection: The combination of MDM and Jamf Protect for Mobile security provides end-to-end security, addressing both device management and threat detection on Mobile devices.

2. User Productivity: By ensuring the security of mobile devices, organisations can foster a productive and collaborative work environment without compromising on data safety.

3. Regulatory Compliance: MDM and Jamf Protect for Mobile security help organisations meet regulatory requirements for data protection and privacy, reducing the risk of legal consequences.


Mitigation Strategies:
  • Implement Mobile Device Management (MDM): MDM solutions provide basic security features, such as device lock/wipe, app blacklisting and password policies.
  • Use Mobile Application Management (MAM): MAM solutions offer more granular control over app behaviour and data access.
  • Utilize Mobile Threat Defense (MTD): MTD solutions provide advanced threat detection and protection capabilities.
  • Implement strong password policies and multi-factor authentication.
  • Educate users on mobile security awareness and best practices.
  • Utilize encryption at rest and in transit.
  • Implement data loss prevention policies.
  • Enforce BYOD policies and provide secure alternatives for accessing corporate resources.


Note: The specific capabilities and gaps may vary based on the versions and configurations of the mentioned solutions. It is recommended to refer to the latest documentation and consult with vendors for the most accurate and up-to-date information.


For more information please contact us at https://brilyant.com/contact/

Tuesday, November 3, 2020

Are you Ready to Deploy macOS Big Sur?


Check List:

Delay the software update policy in your MDM while testing macOS Big Sur.

Enrol in the AppleSeed for IT program, beta test, and complete all tests.

Evaluate the brand-new UI, features and capabilities of macOS Big Sur.

Complete testing of IT infrastructure such as VPN, printer drivers, applications and management policies.

Train the internal team and announce the launch.


macOS Big Sur Compatible devices:

(https://www.apple.com/macos/big-sur-preview/)


  1. iMac 2014+
  2. iMac Pro 2017
  3. Mac Pro 2013+
  4. Mac mini 2014+
  5. MacBook 2015+
  6. MacBook Air 2013+
  7. MacBook Pro 2013+


Plan for upgrade:


Prepare Package:


Download the Install macOS Big Sur app from the Mac App Store.

Build a pkg using a package-building tool such as Composer or the VMware AirWatch Admin Assistant app.

Upload the pkg to the MDM.

Create a policy to deploy it to end-user devices.


Jamf MDM users: 


Upload the package to the Jamf Pro console using Jamf Admin.


Option A


Cache Install


  1. Log in to Jamf Pro. 
  2. Click Computers at the top of the page. 
  3. Click Policies. 
  4. Click New.
  5. In the General payload, enter a display name for the policy. For example, “Cache Install macOS Big Sur.pkg”. 
  6. Select Recurring Check-in as the trigger. 
  7. Choose “Once per Computer” from the Execution Frequency pop-up menu. 
  8. Select the Packages payload and click Configure. 
  9. Click Add for the PKG file. 
  10. Choose “Cache” from the Action pop-up menu. 
  11. Specify a distribution point for computers to download the package from. 
  12. Select the Maintenance payload and click Configure. 
  13. Ensure that the Update Inventory checkbox is selected. 
  14. Click the Scope tab and configure the scope of the policy. 
  15. Click Save.


Create a Smart Computer Group with the Cached PKG File


  1. Click Computers at the top of the page. 
  2. Click Smart Computer Groups. 
  3. Click New. 
  4. On the Computer Group pane, enter a display name for the smart computer group. For example, “Install MacOS Big Sur.pkg Cached”. 
  5. Click the Criteria tab. 
  6. Click Add.
  7. Click Choose for “Cached Packages”.
    Note: Only your 30 most frequently used criteria are listed. To display additional criteria, click Show Advanced Criteria. 
  8. Choose “has” from the Operator pop-up menu. 
  9. Click Browse. 
  10. Click Choose for the PKG file.
    Note: The PKG file is not available as a value until it has been cached on at least one computer. 
  11. Click Save.


Create a Policy for Upgrading macOS


Option 1 self service:

  1. Click Computers at the top of the page. 
  2. Click Policies. 
  3. Click New. 
  4. In the General payload, enter a display name for the policy. For example, “Upgrade macOS”. 
  5. Choose “Once per Computer” from the Execution Frequency pop-up menu. 
  6. Select the Packages payload and click Configure. 
  7. Click Add for the Install macOS Big Sur.pkg file.
  8. Choose “Install Cached” from the Action pop-up menu.
  9. Select the Files and Processes payload and click Configure.
  10. In the Execute Command field, enter the file path to the installer's startosinstall command. For example, "/file/path/Install macOS Big Sur.app/Contents/Resources/startosinstall". (To suppress end-user messages during installation, add the --agreetolicense flag to the command.)
  11. Click the Scope tab. 
  12. Click Add. 
  13. Click the Computer Groups tab. 
  14. Click Add for the smart computer group with the cached PKG file you just created. 
  15. Click the Self Service tab. 
  16. Select Make the policy available in Self Service. 
  17. Configure how the policy is displayed in Self Service using the settings on the pane. 
  18. Click Save.


Option 2 Creating Policy for upgrading macOS Automatically:


  1. Click Computers at the top of the page. 
  2. Click Policies. 
  3. Click New. 
  4. In the General payload, enter a display name for the policy. For example, “Upgrade macOS”. 
  5. Choose “Once per Computer” from the Execution Frequency pop-up menu. 
  6. Select the Packages payload and click Configure. 
  7. Click Add for the Install macOS Big Sur.pkg file. 
  8. Choose “Install Cached” from the Action pop-up menu. 
  9. Select the Files and Processes payload and click Configure. 
  10. In the Execute Command field, enter the file path to the installer's startosinstall command. For example, "/file/path/Install macOS Big Sur.app/Contents/Resources/startosinstall". (Optional) To suppress user messages while installing macOS, add the --agreetolicense flag to the command.
  11. Click the Scope tab.
  12. Click Add.
  13. Click the Computer Groups tab.
  14. Click Add for the smart computer group with the cached PKG file you just created.
  15. Click the User Interaction tab and enter messages to display to users or allow users to defer the policy.
  16. Click Save.


Option B


Direct Install:


Purchase the macOS installer in Apple Business Manager under Apps and Books.

  1. Click Computers at the top of the page. 
  2. Click Mac App Store Apps. 
  3. Click New. 
  4. To add the app by browsing the App Store, enter the name of the app, choose an App Store country, and then click Next. Then click Add for the app you want to add.
  5. Use the General pane to configure settings for the app, including the distribution method. For apps distributed using managed distribution, you can also enable automatic app updates.
  6. Click the Scope tab and configure the scope of the app.
  7. Click the Self Service tab and configure the way the app is displayed in Self Service.
  8. You can customize the text displayed in the description for the app in Self Service by using Markdown in the Description field.
  9. Click the Managed Distribution tab, and then click the Device Assignments tab.
  10. Select the Assign Volume Content checkbox.
  11. Choose the location that has purchased the app to distribute to computers.
  12. Click Save.
  13. Click Computers at the top of the page.
  14. Click Policies.
  15. Click New.
  16. In the General payload, enter a display name for the policy. For example, “Upgrade macOS”.
  17. Choose “Once per Computer” from the Execution Frequency pop-up menu.
  18. Select the Files and Processes payload and click Configure.
  19. In the Execute Command field, enter the file path to the installer's startosinstall command. For example, "/file/path/Install macOS Big Sur.app/Contents/Resources/startosinstall". (Optional) To suppress user messages while installing macOS, add the --agreetolicense flag to the command.
  20. Click the Scope tab.
  21. Click Add.
  22. Click the Computer Groups tab.
  23. Click Save.
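The Execute Command step in Options 1, 2 and B runs startosinstall as root on every scoped Mac, so it is worth wrapping it in a few pre-flight checks. The script below is an added example, not code from the original post or from Jamf; the installer path, the 36 GB free-space threshold and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight wrapper for the Jamf "Execute Command" step.
# Assumed values (not from the post): installer path, free-space threshold, DRY_RUN.
INSTALLER_APP="${INSTALLER_APP:-/Applications/Install macOS Big Sur.app}"
MIN_FREE_GB="${MIN_FREE_GB:-36}"

# Returns 0 when the running macOS is older than Big Sur (major version 11).
needs_upgrade() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    [ "$major" -lt 11 ]
}

# Returns 0 when free space in GB ($1) meets the threshold ($2), so the
# installer does not fail half-way through and leave a broken volume.
enough_space() {
    [ "$1" -ge "$2" ]
}

# Returns 0 when pmset output ($1) shows the Mac is on mains power.
on_ac_power() {
    printf '%s' "$1" | grep -q "AC Power"
}

# Returns 0 when the app bundle contains startosinstall and its code signature
# verifies; refuses to run an unsigned or tampered installer as root.
installer_ok() {
    [ -x "$1/Contents/Resources/startosinstall" ] || return 1
    codesign --verify --deep --strict "$1" >/dev/null 2>&1
}

preflight_and_install() {
    needs_upgrade "$(sw_vers -productVersion)" || { echo "already on macOS 11+"; exit 0; }
    installer_ok "$INSTALLER_APP" || { echo "installer missing or signature invalid"; exit 1; }
    free_gb=$(df -g / | awk 'NR==2 {print $4}')
    enough_space "$free_gb" "$MIN_FREE_GB" || { echo "need ${MIN_FREE_GB} GB free"; exit 1; }
    on_ac_power "$(pmset -g ps)" || { echo "connect to AC power first"; exit 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: $INSTALLER_APP/Contents/Resources/startosinstall --agreetolicense"
        return 0
    fi
    exec "$INSTALLER_APP/Contents/Resources/startosinstall" --agreetolicense
}

# Only start the upgrade on macOS; the helper functions can be sourced elsewhere.
if [ "$(uname)" = "Darwin" ]; then
    preflight_and_install
fi
```

Set DRY_RUN=1 in a test policy first to see which check fails on a pilot Mac before scoping the real policy.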

VMware Workspace ONE MDM:



Option A


  1. In the Workspace ONE UEM Console, click Apps & Books.
  2. Expand Applications and click Native.
  3. Select Purchased.
  4. Click Sync Assets.
  5. Enable Device Assignment for the macOS upgrade app.
  6. Click OK, then click Save and Assign.
  7. Assign to pre-Big Sur devices.
  8. Set the Assignment Type.
  9. Click Save and Publish.
  10. Click Add Application on the Internal tab.
  11. Upload the macOS application to Workspace ONE.
  12. Upload the metadata file.
  13. Add an image to the app.
  14. Assign the application On-Demand.
  15. Click Save and Publish.


Option B


  1. Click Add Application on the Internal tab.
  2. Upload the macOS application to Workspace ONE.
  3. Upload the metadata file.
  4. Add an image to the app.
  5. Assign the application On-Demand.
  6. Click Save and Publish.


Configure the post-install script in Workspace ONE:


  1. In the Workspace ONE UEM Console, click Devices.
  2. Expand Profiles & Resources and click Profiles.
  3. Click Add.
  4. Click Add Profile.
  5. Select the profile platform and context: choose Apple macOS, then Device Profile.
  6. Configure the general macOS device profile settings.
  7. Configure the Custom Attributes payload (paste the install script).
  8. Set the Execution Interval to Schedule.
  9. Set Report Every to 8 Hours.
  10. Click Save and Publish, then click Publish.

Note: please validate the script; this plan is for reference only. I am not responsible for any data loss.