Access control and device management

June 25, 2014

Identity and access control

Smartphones are pervasive in most organizations, regardless of whether they are organization-owned or personally owned devices. Most devices have some mechanism for helping to ensure that only an authorized user can unlock and use the device, but this is just the beginning. The apps running on the device need to ensure user identity before they allow access to confidential information. Therefore, identity and access control are of paramount importance for comprehensive security.

Device access

One of the differences between Windows Phone 8.1 and the Windows 8.1 operating system for desktop, laptop, and tablet devices is device access. Windows 8.1 operating systems support multiple user profiles and require that users log on with a managed user identity. Windows Phone 8.1 uses a password (PIN) to access the device and the information on it.

You can use MDM and Microsoft Exchange ActiveSync (EAS) policies to require users to set PINs or passwords and also to configure additional password policies to manage password length, complexity, and other parameters along with additional security functionality.

Windows Phone also supports the following methods of controlling access to devices:

  • Remote wipe. Support personnel can initiate a remote wipe of the device by using their MDM system or the Exchange Server Management Console. Users can initiate a remote wipe of the device by using Microsoft Outlook Web Access (OWA).

Note

The remote wipe features listed above are in addition to the ability to perform a software or hardware reset of the device, which wipes the apps and information from it.

  • Remote device retirement. Support personnel can remotely retire a device. When a Windows Phone device is managed by an MDM system, it enrolls with that system. When the device is retired, the MDM system removes all the corporate information, email accounts, VPN connections, Wi-Fi connections, policy settings, apps, and the data those apps deployed.

  • Remote lock. Support personnel can remotely lock a device, which can help in scenarios such as when a user loses the phone and can retrieve it but not immediately (such as leaving the phone at a customer site).

  • Remote password (PIN) reset. Support personnel can remotely reset the password (PIN) used to unlock the device. This functionality can help when the user forgets their PIN and is unable to access their device. None of the corporate or user data is lost, and the user is able to quickly gain access to their device.

  • Remote ring. Support personnel can remotely make the device ring, which can help a user locate a misplaced device. In conjunction with the Remote Lock feature, remote ring helps ensure that unauthorized users are unable to access the device if they find it.

    After registering their phone at https://www.windowsphone.com, users can map the location of their phone, make it ring, and wipe its data, if necessary.

Windows Phone devices can also be wiped if an unauthorized user attempts to use an incorrect password above a specified threshold. You can specify this threshold by using the Device wipe threshold policy in your MDM system or EAS.

Assigned Access

The Assigned Access feature in Windows Phone allows you to control the user experience on a device. Assigned Access allows you to enable a set of specific apps and settings for users, preventing access to all other functionality. You can use this feature to create a single app experience on a device, such as a single app for check-in agents at an airline or a set of apps for retail customer service agents.

You can also control the built-in apps (e.g., phone, text messaging, email, calendaring) so that you provide only the features you want to be available to the user, helping to ensure that people use the device for its intended experience and purpose. Assigned Access helps secure the device by preventing users from running apps that could be used to share confidential information with unauthorized users. It can also help control access to specific device hardware resources, allowing you to disable device features that depend on that hardware.

App Allow and Deny Lists

Windows Phone allows you to create a list of approved and blocked apps by using the App Allow and Deny Lists feature. Configure that list through the MDM system by using the App Allow/Deny list policy. With this feature, you can control the availability of Windows Phone Store or LOB apps on devices.

Use the App Allow and Deny Lists feature in conjunction with the Assigned Access feature to provide even tighter control of apps. For example, you could use the App Allow and Deny Lists feature to select which apps are available from the company portal in your MDM system. Then, you could use the Assigned Access feature to hide the built-in Windows Phone Store app, thereby forcing users to go through your company portal instead of the built-in Windows Phone Store app.

It is also possible to create a configuration conflict by using both the Assigned Access and App Allow and Deny Lists features. For example, you could allow an app in the Assigned Access feature, and then block the same app by using the App Allow and Deny Lists feature.

To manage this feature, define a list of authorized and blocked apps for your devices by using the App Allow/Deny list policy. Windows Phone uses these lists to determine which apps it allows to run and which it does not. You can authorize or block apps based on:

  • The app publisher name only. Authorize or block all apps from a specific app publisher.

  • The app product ID only. Authorize or block a specific app by the app product ID, which is a globally unique identifier assigned to the app.

  • A combination of app publisher name and product ID. Authorize or block a specific app by the app product ID for a specific publisher name.

There is one list that includes the apps that are allowed and another, separate list for apps that are blocked. Each of these lists is sent in XML format to Windows Phone devices and contains an XML element for:

  • Each publisher name that is authorized or blocked

  • Each product ID that is authorized or blocked

  • A product ID within a publisher element that is authorized or blocked for a specific publisher
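As an added illustration of the three matching rules just listed and of the allow/deny conflict described earlier (example code, not Microsoft's; the AllowList, DenyList, Publisher and ProductId element and attribute names are assumed for illustration and are not the real Windows Phone policy schema):

```python
"""Evaluate an app against constructed allow and deny lists.

Each list may name a publisher only, a product ID only, or a product ID
nested inside a publisher element (product ID for a specific publisher).
The XML vocabulary below is assumed, not the real Windows Phone schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample lists; the GUIDs are placeholders, not real product IDs.
ALLOW_LIST_XML = """
<AllowList>
  <Publisher Name="CN=Contoso">
    <ProductId Id="{11111111-1111-1111-1111-111111111111}"/>
  </Publisher>
  <Publisher Name="CN=Fabrikam"/>
  <ProductId Id="{22222222-2222-2222-2222-222222222222}"/>
</AllowList>
"""
DENY_LIST_XML = """
<DenyList>
  <ProductId Id="{22222222-2222-2222-2222-222222222222}"/>
  <Publisher Name="CN=Fabrikam">
    <ProductId Id="{33333333-3333-3333-3333-333333333333}"/>
  </Publisher>
</DenyList>
"""

def parse_list(xml_text):
    """Return a set of rules as (publisher or None, product_id or None)."""
    rules = set()
    for el in ET.fromstring(xml_text):
        if el.tag == "Publisher":
            nested = [p.get("Id") for p in el.findall("ProductId")]
            if nested:   # product IDs scoped to this publisher
                rules.update((el.get("Name"), pid) for pid in nested)
            else:        # the whole publisher
                rules.add((el.get("Name"), None))
        elif el.tag == "ProductId":
            rules.add((None, el.get("Id")))
    return rules

def matches(rules, publisher, product_id):
    """True if any rule covers the app: publisher-only, ID-only, or both."""
    return any((pub is None or pub == publisher) and (pid is None or pid == product_id)
               for pub, pid in rules)

def evaluate(app, allow_rules, deny_rules):
    """Return 'allowed', 'blocked', 'conflict' (on both lists) or 'unlisted'."""
    publisher, product_id = app
    allowed = matches(allow_rules, publisher, product_id)
    denied = matches(deny_rules, publisher, product_id)
    if allowed and denied:
        return "conflict"
    return "blocked" if denied else ("allowed" if allowed else "unlisted")

def overlapping_rules(allow_rules, deny_rules):
    """Static check: pairs of allow/deny rules that can match the same app."""
    return [(a, d) for a in allow_rules for d in deny_rules
            if (a[0] is None or d[0] is None or a[0] == d[0])
            and (a[1] is None or d[1] is None or a[1] == d[1])]
```

Running `overlapping_rules` over the two lists before pushing a policy surfaces the misconfiguration case in which the same app is allowed by one list and blocked by the other.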

Virtual smart cards

An important security improvement in Windows Phone 8.1 is the support for virtual smart cards, which are based on the industry-standard smart card solution. Virtual smart cards emulate the functionality of traditional smart cards but use the TPM processor on devices rather than requiring the use of a separate physical smart card and reader.

Virtual smart cards enable users to provide two-factor authentication ("2FA") when accessing resources and work just like their physical smart card counterparts. In many instances, users can use the same virtual smart card on Windows Phone that they already use on other Windows devices. Users can use virtual smart cards for secure browsing and also for S/MIME signing and encrypting of email messages.

For more information about virtual smart cards, see the "Understanding and Evaluating Virtual Smart Cards" document, available for download at https://www.microsoft.com/enus/download/details.aspx?displaylang=en&id=29076.

Certificate authentication

Many apps and remote connectivity solutions use certificates as an additional authentication factor and for signing. Windows Phone supports the use of certificate authentication for:

  • Wi-Fi connections. Windows Phone supports EAP-TLS and EAP-TTLS authentication for Wi-Fi connections.

  • Virtual smart cards. Windows Phone supports the use of virtual smart cards for more secure browsing and also for S/MIME signing and encrypting of email messages.

  • S/MIME signing. S/MIME signing requires a certificate or virtual smart card that is used to create the digital signature for email messages.

Windows Phone protects certificates and keys by using the TPM that is built into each device. The TPM can release keys automatically, on demand, or based on a secondary authentication factor (such as the PIN used with virtual smart cards).

Most MDM systems allow you to manage certificates throughout their life cycle, including certificate enrollment, renewal, and revocation. Windows Phone uses the Simple Certificate Enrollment Protocol (SCEP) to perform certificate management. SCEP allows you to use the certification authority (CA) of your choice (or as required by the MDM system).

VPN identity and access

Many organizations use VPNs to provide access for remote users. Windows Phone includes built-in support for a number of VPN providers in addition to Microsoft, including Check Point, F5, Juniper, and SonicWall.

Windows Phone includes support for IKEv2, IPsec, and SSL VPN connections, but the SSL VPN connections require a downloadable plug-in from the VPN server vendor. Windows Phone also includes auto-triggered VPN support and unique VPN connections can be defined on a per-app basis. When the user switches between apps, Windows Phone automatically establishes the VPN connection for that app.

Your MDM system can deploy (push) VPN connection profiles to users, which helps ensure that VPN connections have the appropriate security settings.

Wi-Fi identity and access

Users rely on Wi-Fi connections almost as much as on their cellular data connections, and in terms of sheer volume, Wi-Fi connections carry the largest amounts of data most of the time. Many apps that users run require secured, persistent, high-speed connections to resources, and although cellular data connections continue to improve, they cannot keep pace with Wi-Fi connection speeds. This means that users will prefer to use Wi-Fi connections regardless of whether they are at the office, at home, or in public areas.

Windows Phone 8 can encrypt Wi-Fi connections using Wi-Fi Protected Access (WPA and WPA2) and Wired Equivalent Privacy (WEP). Both of these methods are still available in Windows Phone 8.1, but Windows Phone 8.1 now includes support for Wi-Fi authentication using EAP-TLS and EAP-TTLS, which provide enterprise-class Wi-Fi features.

EAP-TLS and EAP-TTLS require a client certificate to be installed on the device. This certificate is used to authenticate the device for wireless connectivity and is typically issued by a CA within your organization. The wireless access points in your organization will deny access to devices that don't have the correct certificates.

The use of client-side certificates dramatically increases the authentication and identity strength for Wi-Fi connections. WPA, WPA2, and WEP are significantly more open to security attacks than Wi-Fi networks that require EAP-TLS or EAP-TTLS authentication.

Of course, the downside to client-side certificates is the management of those certificates. Fortunately, you can manage client-side certificates through your MDM system. A properly designed MDM system can deploy the certificates to devices. In addition to managing certificates for EAP-TLS and EAP-TTLS authentication, you can use your MDM system to perform the following Wi-Fi–related management tasks:

  • Provision Wi-Fi profiles, which include the service set identifier (SSID), even if it’s hidden, and any PSKs.

  • Prevent a device from being used as a Wi-Fi hotspot.

  • Prevent users from manually adding Wi-Fi profiles and connecting to untrusted hotspots. Prevent users from routing traffic through Wi-Fi connections (Wi-Fi offloading).

You can control all of these tasks by using security policies configured in your MDM system and then applied to your Windows Phone devices.

Device Management

Deploying any device in a secured configuration is relatively easy. Keeping the device secure throughout the balance of the device's life cycle is much more difficult. Windows Phone provides extensive security management features that allow you to manage the key security aspects of devices centrally while allowing users to be productive and access the apps and information they need.

Software updates

If your organization doesn’t use an MDM system, you can use the Windows Phone Update service to deliver Windows Phone updates to users. Microsoft manages and distributes feature updates and improvements that are developed by hardware manufacturers, mobile operators, and the Windows Phone engineering team. These updates include software updates for the Windows Phone operating system and for the apps on the device (such as Microsoft Office apps).

Device wipe management

A device wipe removes all the apps and information on a device and returns the device to factory settings. A device wipe can be initiated:

  • Remotely by support personnel. Support personnel can use an MDM system or the Exchange Server Management Console to remotely initiate a wipe of a managed device that is lost or stolen.

  • Remotely by a user. Users can remotely wipe their device by using OWA for devices that EAS manages or by using self-service portals on the MDM system. Users can also remotely wipe devices that EAS does not manage by going to windowsphone.com.

  • Locally by a user. Users can perform a hardware reset of their device, which will wipe it.

  • When the device wipe threshold is reached. If an unauthorized user enters the wrong password too many times, an automatic wipe of the device is initiated. You can set the threshold for the number of wrong password attempts allowed by configuring the Device wipe threshold policy.

When a device has been enrolled in an MDM system, you can retire the device, which removes all information, email accounts, VPN connections, Wi-Fi connections, policy settings, apps, and data used by the apps that the MDM system has deployed. Retiring a device does not wipe the entire device: any personal apps or data (such as photos or music) and email accounts that the user created are retained on the device. So, device retirement performs a "partial wipe" of the device, leaving only the user's own data and apps.

Policies available for managing device retirement include:

  • Disable MDM un-enrollment

  • Disable MDM software and hardware factory reset

Store and app management

Management of access to the Windows Phone Store and apps on Windows Phone is essential to securing devices. Without this management, users could download any number of apps from the Windows Phone Store or sideload any app they desired. Most organizations want to manage the apps that are in use on devices, especially for organization-owned devices.

You can use any of the following methods to manage Windows Phone Store access and apps that run on devices:

  • Disable access to the Windows Phone Store. You can entirely disable access to the Windows Phone Store by using the Disable Microsoft Store policy. Set this policy in your MDM system. If your MDM system has a company portal app or you use your MDM system to publish all your apps, consider setting this policy.

  • Publish apps through an MDM system. Sometimes, more is not necessarily better. Most organizations have a set of approved apps that they want to allow on devices, especially for organization-owned devices.

    You can limit the apps available to users through your MDM system. Most MDM systems have a company portal app that allows you to present users with a list of apps that are available for installation. Also, most MDM systems allow you to make apps mandatory.

  • Restrict which apps users can install and run on devices. The App Allow and Deny Lists feature in Windows Phone allows you to define a list of apps that are allowed or blocked on a device. The Assigned Access feature allows you to also restrict the apps that are able to run to a specific list.

  • Disable Internet Explorer. If users should not have browser access, you can disable Internet Explorer by using the Disable Internet Explorer policy. Set this policy in your MDM system.

Windows Phone provides policy settings that you can use to configure security. Configure these policy settings by using your MDM system or the Exchange Server Management Console and EAS. Some policy settings can be configured through both MDM and EAS, others only through an MDM system, and a third subset only through EAS. The following table lists each policy and the channel(s) that support it.

Policy                                              MDM   EAS
Simple password                                      X     X
Alphanumeric password                                X     X
Minimum password length                              X     X
Minimum password complex characters                  X     X
Password expiration                                  X     X
Password history                                     X     X
Device wipe threshold                                X     X
Inactivity timeout                                   X     X
Device encryption                                    X     X
Disable removable storage card                       X     X
Disable Camera                                       X     X
Disable Bluetooth                                    X     X
Disable Wi-Fi                                        X     X
Disable Location                                     X
Disable NFC                                          X
Disable Microsoft Account                            X
Disable roaming between Windows devices              X
Disable custom email accounts                        X
Disable screen capture                               X
Disable share and save as                            X
App Allow / Deny list                                X
Disable Microsoft Store                              X
Disable development unlock (side loading)            X
Disable Internet Explorer                            X
Disable Internet Sharing over Wi-Fi                  X
Disable Wi-Fi Off loading                            X
Disable Manual Configuration of Wi-Fi Profiles       X
Disable MDM un-enrollment and soft factory reset     X
Disable Wi-Fi credential sharing                     X
Lock screen notification controls                    X
Disable telemetry data submission                    X
Email body truncation size                                 X
HTML email body truncation size                            X
Require signed S/MIME messages                             X
Require signed S/MIME algorithm                            X
Require encrypted S/MIME algorithm                         X
Allow S/MIME encrypted algorithm negotiation               X
Allow S/MIME SoftCerts                                     X
Disable Cortana                                      X