I have a client that is reluctant to establish *any* minimum OS levels for BYOD mobile devices. They have an MDM solution in place that would allow them to do so - so it's not a capability issue.
I'm thinking "any OS you want" puts them squarely in the minority of BYOD shops... What types of OS-related BYOD policies are you folks seeing?
That's a tough question that is highly variable based on the client company and its users. Many companies are reluctant to put solid technical requirements in place because you could end up with a C-level executive or some other VIP unable to access their email or other network resource at a critical time. As a compensating control, some companies might prefer to use their MDM system to provide a periodic report on out-of-date OS's and then follow up directly with the users to get the devices updated. Another approach is to separate VIPs into different groups within the MDM so that they can treated differently.
The good news is our VIPs tend to have the new shiny, so they aren't my worst problem. I do like the idea of surgical strikes user-by-user... Truth be told, the Meltdown/Spectre hysteria does have me worrying about the integrity of the MDM containers on BYODs... Hence the question. I would like nothing better than to be able to partially mitigate the iOS risk by mandating 11.2.2... Only about 50 devices in the fleet would be left behind.
Our policy is that OS need to be running a supported version which is eligible to receive security updates. From a maintenance perspective, annually (typically end of year) we audit and require any users not on the most current major release (e.g., iOS 11.x) to update and we give them 30 days to update or we boot them from the network. We have found, as long as users are on the most current major version they tend to keep up with minor version updates on their own. In cases of major vulnerabilities we will then require users to update to a specific minor version but again, that is reservered for major issues.
Requiring minimum versions is fairly simple on iOS since hardware support lasts for a fairly long time (~5 years) and the devices get updated directly from Apple. Managing this on Android is a bit more complicated since very few devices actually get updated directly from Google so even if there is a major or minor update made available, its a crap shoot if the OEM will publish the update and further if the carrier will make that update available. Things are getting a bit better with Androids in this respect with certain OEMs committing to timely updates but it complicates matters with requiring Android users to update within a certain timeframe.
I believe that security requirements towards mobile devices are a must for all company level employees. C level people should not be an exception as if security is lowered on their devices - their "C" level sensitive info is more exposed. Some of the basic security requirements I've seen and believe - adequate include min OS level:
- Minimum OS version ensuring security and capability to update/patch
- Administrator privileges on the device (I know that for BYOD that would include personal stuff but still) for the MDM admins so a remote wipe/updates etc. could be done if needed.
- Encryption on the information on the phones
- Enforced locking feature on the phone (PIN/Password/Pattern - depending on the company's policies/decisions)
- Least privilege/Need to Know principles applied in the access mgmt - meaning - mail might be ok to be accessible from the phone, however other company resources within the intranet might not - allowing only pre-approved resources to be accessible on the phone.
The one case I've seen so far (a company I was consulting for) had a policy that they wouldn't support lower than iOS 9.X, but didn't have a policy for Android. I suggested nothing below 6.0.
But then the problem with Android is that unless you have Google, Samsung or stock, there's every likelihood that you'll be anything up to a year behind with patches. (IIRC with Motorola it's about 6 months)...
The problem is that your MDM solution will likely not help you mitigate issues such as Spectre and Meltdown. You will need a enterprise mobility management tool that integrates with mobile threat defense (MTM).
Basically, you're not worrying about the hardware - especially if they are BYO. You worry about the data. Problem being that vulnerabilities that allow bypassing your security controls (such as encrption) make your MDM irrelevant. You will need to somehow ensure that devices with known vulnerabilities capable of rendering your controls useless will not be allowed storing the data you seek to protect.
The whole purpose of a BYOD policy is to ensure that personal devices meet security requirements to connect to the corporate network. This includes having the device's OS kept updated, not running any unknown applications on the device, securing the device with a PIN or fingerprint, etc. It's all to reduce the risk of threats to your information system originating from users' devices.
You can formulate a BYOD policy, wherein you state that devices connecting to the corporate network have to comply with requirements of a standard, and then create a standard to state device specs, such as the OS allowed. (The reason for this is that you needn't update the policy frequently --- you can just update the standard when needed.)
You policy should include security requirements, such as maintaining a vendor-provided OS & keeping it patched, not attempting to jailbreak the device, using the device in compliance with the Acceptable Use Policy, having to enrolling it in an MDM, etc.
You can also put in a clause in your policy to exempt devices from compliance requirements --- subject to the owners signing a risk acceptance form before connecting their devices to the corporate network. Finally, you would want to have a system for guest access, with no access to the internal network.
All this to ensure that the BYOD policy mandates users' compliance to security requirements to connect their personal devices to the corporate network, while allowing a certain amount of flexibility --- as may be needed to accommodate VIPs / cater to guests.