Mobile Device Management
SKILL.md
📱 Mobile Device Management Skill
🎯 Purpose
This skill enforces mobile device management (MDM) controls for BYOD (Bring Your Own Device) environments, personal device security requirements, and endpoint protection. Based on Hack23 AB's Mobile Device Management Policy, it demonstrates enterprise-grade MDM without enterprise infrastructure.
Key Principle: "BYOD means 'Bring Your Own Disaster'—but only if devices remain unmanaged."
📚 Scope
This skill covers:
- 📱 BYOD Policy: Personal device security requirements for business use
- 🔐 Endpoint Protection: Encryption, malware protection, device health
- 📲 Mobile App Security: Approved apps, containerization, data separation
- 🔒 Device Encryption: Full device encryption requirements
- ☁️ Remote Wipe: Data protection for lost/stolen devices
- 📊 Compliance Monitoring: MDM enrollment, policy enforcement, auditing
⚙️ Security Rules
MUST Requirements
Mobile device controls you MUST implement:
-
📱 Device Enrollment & Policy
mdm_requirements: enrollment: pre_enrollment: - device_assessment: verify_os_version_and_security_status - ownership: personal_device_acknowledged - consent: user_agrees_to_MDM_policies_and_remote_wipe enrollment_platforms: aws_workmail: email_access: mdm_profile_required_for_corporate_email enforcement: email_not_delivered_until_enrolled alternative_mdm: intune: supported_for_future_employee_devices jamf: supported_for_ios_macos_fleet workspace_one: supported_for_enterprise_deployment policy_enforcement: mandatory_controls: - device_encryption: full_device_encryption_required - screen_lock: automatic_lock_5_minutes_maximum - passcode_complexity: 6_digit_minimum_or_biometric - os_updates: critical_security_patches_within_30_days - jailbreak_detection: rooted_jailbroken_devices_blocked -
🔐 Encryption & Authentication
device_security: encryption: ios_devices: - device_encryption: enabled_by_default_ios_8_and_later - verification: mdm_reports_encryption_status - backup_encryption: icloud_backup_encrypted android_devices: - device_encryption: mandatory_android_10_and_later - verification: mdm_checks_encryption_status - sd_card: external_storage_encrypted_if_used workstations: - ubuntu_luks: full_disk_encryption_mandatory - windows_bitlocker: required_for_windows_devices - macos_filevault: required_for_mac_devices authentication: mobile_devices: - screen_lock: biometric_preferred_pin_backup - timeout: 5_minutes_idle_maximum - failed_attempts: 10_attempts_before_wipe_or_lockout mfa_requirements: - totp: google_authenticator_or_authy_required - hardware_tokens: yubikey_for_critical_systems - sms_backup: acceptable_but_not_primary_method -
📲 App Management & Containerization
application_control: corporate_email: approved_email_apps: - ios_native_mail: with_aws_workmail_mdm_profile - android_gmail: with_workmail_integration - outlook_mobile: with_workmail_configuration data_separation: - corporate_container: email_calendar_contacts_isolated - personal_data: unaffected_by_selective_wipe - copy_paste: restricted_from_corporate_to_personal_apps business_apps: approved_list: - authenticator: google_authenticator_authy_microsoft - secure_messaging: signal_for_confidential_communications - cloud_access: aws_console_github_mobile - vpn: wireguard_openvpn_for_network_access prohibited_apps: - file_sharing: dropbox_personal_google_drive_personal - messaging: whatsapp_telegram_for_business_data - vpn: free_untrusted_vpn_services - remote_access: teamviewer_anydesk_without_approval -
☁️ Remote Wipe & Device Loss
remote_management: wipe_capabilities: selective_wipe: scope: corporate_email_contacts_calendar_only trigger: device_loss_employment_termination user_impact: personal_data_photos_apps_unaffected process: - aws_workmail_console: select_device_initiate_wipe - verification: confirm_wipe_completion_within_24_hours - documentation: record_in_incident_response_log full_device_wipe: scope: entire_device_factory_reset trigger: theft_suspected_compromise_high_risk_scenario user_impact: all_data_lost_device_unusable process: - find_my_iphone: ios_devices_remote_wipe - find_my_device: android_devices_remote_wipe - mdm_console: enterprise_mdm_full_wipe_command device_loss_procedure: immediate_actions: - within_30_minutes: - disable_credentials: aws_github_google_accounts - initiate_wipe: selective_or_full_based_on_risk - change_passwords: all_accounts_accessed_from_device follow_up_actions: - within_24_hours: - review_logs: check_for_unauthorized_access - notify_stakeholders: inform_clients_if_data_exposure_risk - update_asset_register: mark_device_as_lost_stolen - police_report: file_if_theft_suspected -
📊 Monitoring & Compliance
compliance_monitoring: mdm_dashboards: aws_workmail_console: metrics: - device_enrollment_status: active_pending_blocked - encryption_compliance: percentage_encrypted_devices - os_version_currency: devices_within_30_day_update_window - policy_violations: jailbreak_attempts_screen_lock_disabled review_frequency: - daily: critical_alerts_jailbreak_encryption_disabled - weekly: os_update_status_app_compliance - monthly: full_mdm_compliance_report_and_documentation device_health_checks: automated_checks: - encryption_status: mdm_verifies_daily - os_version: alert_if_30_days_behind_latest - jailbreak_detection: immediate_alert_and_block - malware_detection: os_native_av_plus_mdm_scanning manual_verification: - quarterly_audit: physical_inspection_of_device_security - annual_review: update_mdm_policies_based_on_threats
MUST NOT Prohibitions
Mobile device practices you MUST NOT do:
-
❌ Unmanaged Device Access
prohibited_practices: - email_without_mdm: accessing_corporate_email_on_unenrolled_devices - jailbroken_devices: using_rooted_jailbroken_devices_for_business - outdated_os: devices_more_than_60_days_behind_security_patches - disabled_encryption: turning_off_device_encryption_for_any_reason - shared_devices: using_shared_family_devices_for_corporate_access -
❌ Insecure Practices
dangerous_behaviors: - public_wifi: accessing_sensitive_data_without_vpn_on_public_networks - sideloading_apps: installing_apps_from_untrusted_sources - disabled_screen_lock: removing_passcode_biometric_authentication - unsecured_backup: unencrypted_backups_to_computers_or_cloud - app_permissions: granting_excessive_permissions_to_untrusted_apps -
❌ Data Leakage
prohibited_data_handling: - unencrypted_storage: storing_corporate_data_in_personal_cloud_apps - screenshot_sharing: taking_screenshots_of_sensitive_corporate_data - personal_messaging: forwarding_corporate_emails_to_personal_accounts - unsecured_forwarding: auto_forwarding_work_email_to_personal_email - file_attachments: downloading_sensitive_files_to_personal_storage
💡 Examples
Example 1: iOS Device Enrollment (Compliant)
Scenario: Enrolling personal iPhone for corporate email access.
# iOS Device MDM Enrollment
device_enrollment:
device_info:
model: iPhone_14_Pro
os_version: iOS_17.2
ownership: personal_device
purpose: corporate_email_and_mfa
pre_enrollment_checklist:
- device_backup: icloud_backup_completed_before_mdm
- os_update: ios_updated_to_latest_version
- find_my_iphone: enabled_for_remote_wipe_capability
- passcode: strong_passcode_configured_6_digits_minimum
enrollment_process:
step_1_aws_workmail_setup:
- open_settings: navigate_to_mail_accounts_add_account
- select_exchange: enter_hack23_com_email_address
- accept_mdm_profile: tap_install_when_prompted
- authenticate: enter_email_password_accept_mfa_challenge
step_2_mdm_configuration:
policies_applied:
- device_encryption: verified_enabled
- screen_lock: automatic_after_5_minutes
- passcode_requirement: 6_digit_minimum_enforced
- jailbreak_detection: enabled_will_block_if_detected
- app_restrictions: corporate_data_containerized
step_3_verification:
- send_test_email: verify_email_delivery_to_device
- check_calendar: confirm_calendar_sync_working
- test_screen_lock: ensure_automatic_lock_activates
- mdm_console: verify_device_shows_compliant_in_aws_workmail
post_enrollment:
security_configuration:
- install_authenticator: google_authenticator_for_mfa
- configure_vpn: wireguard_vpn_for_aws_console_access
- install_approved_apps: signal_aws_console_github_mobile
- test_remote_wipe: verify_find_my_iphone_accessible
user_training:
- data_separation: explain_corporate_vs_personal_data
- remote_wipe: acknowledge_selective_wipe_capability
- incident_reporting: know_procedure_for_device_loss
- policy_compliance: review_mobile_device_policy
Result: ✅ Compliant - Device enrolled with full MDM protection
ISO 27001:2022 Mapping:
- A.8.1: User endpoint devices
- A.7.9: Security of assets off-premises
- A.5.19: Information security in supplier relationships (AWS WorkMail MDM)
Example 2: Android Device with Work Profile (Compliant)
Scenario: Setting up Android work profile for data separation.
# Android Work Profile Configuration
android_work_profile:
device_info:
model: Samsung_Galaxy_S23
os_version: Android_14
ownership: personal_device
byod_approach: work_profile_for_separation
work_profile_setup:
enrollment:
- install_company_portal: download_from_google_play_if_using_intune
- configure_email: add_exchange_account_prompts_work_profile
- accept_policies: agree_to_mdm_enrollment_and_remote_wipe
profile_configuration:
work_container:
apps:
- gmail: work_profile_version_for_corporate_email
- calendar: work_profile_calendar_for_business
- contacts: work_profile_contacts_separate_from_personal
- authenticator: work_profile_google_authenticator
security:
- separate_encryption: work_profile_encrypted_independently
- separate_lock: work_profile_can_have_different_password
- data_isolation: work_apps_cannot_access_personal_data
personal_container:
apps:
- gmail: personal_gmail_unaffected_by_mdm
- photos: personal_photos_not_visible_to_work_profile
- social_media: personal_apps_separate_from_business
protection:
- unaffected_by_selective_wipe: personal_data_safe
- no_corporate_access: personal_apps_cannot_access_work_data
security_controls:
enforced_policies:
- work_profile_encryption: mandatory_for_enrollment
- screen_lock: required_after_5_minutes_idle
- password_complexity: 6_character_minimum
- device_admin: mdm_has_device_admin_permissions
- remote_wipe: selective_wipe_removes_work_profile_only
monitoring:
- compliance_checks: mdm_verifies_work_profile_security_daily
- policy_violations: alerts_if_rooted_or_policies_disabled
- app_inventory: mdm_tracks_apps_in_work_profile_only
Result: ✅ Compliant - Strong data separation with work profile
Benefits:
- 🔐 Corporate data protected in encrypted work profile
- 📱 Personal data unaffected by MDM policies
- ☁️ Selective wipe removes work profile only
- 👤 User privacy maintained for personal apps
Example 3: Remote Wipe After Device Theft (Incident Response)
Scenario: iPhone stolen from restaurant table, immediate response required.
❌ Initial Situation:
# CRITICAL INCIDENT - Device Theft
incident_details:
date_time: 2026-02-10_19:30_UTC
location: restaurant_stockholm_sweden
device: iPhone_14_Pro_MOB-001
circumstances: left_on_table_during_bathroom_visit_stolen
data_at_risk:
- corporate_email: 6_months_of_client_communications
- aws_console: mobile_app_logged_in_with_session
- github: mobile_app_with_push_notifications
- signal: encrypted_messages_with_clients
- authenticator: totp_tokens_for_all_business_accounts
✅ Immediate Response (Within 30 Minutes):
# PHASE 1: Credential Lockdown
credential_actions:
- 00:00_discovery: realize_phone_missing_immediately_report
- 00:05_passwords:
- aws: change_root_and_iam_user_passwords
- github: change_password_revoke_active_sessions
- google: change_password_revoke_device_sessions
- email: change_aws_workmail_password
- 00:10_mfa_reset:
- disable_totp: temporarily_disable_totp_on_all_accounts
- use_backup_codes: switch_to_backup_authentication_codes
- hardware_token: use_yubikey_as_primary_mfa
- 00:15_device_control:
action: initiate_full_device_wipe
method: find_my_iphone
steps:
- login_icloud: from_workstation_browser
- select_device: iPhone_14_Pro
- initiate_wipe: full_device_erase_selected
- activation_lock: mark_as_lost_with_message
aws_workmail_action:
- login_console: aws_workmail_admin_console
- select_device: MOB-001_iPhone_14_Pro
- selective_wipe: remove_corporate_email_calendar_contacts
- block_device: prevent_future_enrollment_from_this_device_id
# PHASE 2: Monitoring & Investigation
follow_up_24_hours:
- review_logs:
- aws_cloudtrail: check_for_unauthorized_console_access
- github_audit_log: review_repository_access_attempts
- email_logs: check_for_sent_emails_after_theft
- assess_exposure:
- data_classification: mostly_HIGH_some_CRITICAL_client_data
- breach_notification: assess_gdpr_breach_notification_requirement
- client_impact: determine_if_client_notification_needed
- documentation:
- incident_log: record_in_incident_response_plan
- asset_register: update_device_status_to_STOLEN
- risk_register: update_device_theft_risk_with_actual_incident
- police_report: file_theft_report_with_local_police
- recovery:
- procurement: order_replacement_iPhone
- restore: restore_from_icloud_backup_to_new_device
- re_enroll: enroll_new_device_in_aws_workmail_mdm
- verify: confirm_all_security_controls_active
# PHASE 3: Lessons Learned
improvements:
- policy_update:
- restaurant_policy: no_devices_left_unattended_in_public
- screen_lock_timeout: reduce_to_2_minutes_for_public_spaces
- critical_app_review: remove_aws_console_from_mobile_device
- technical_controls:
- bluetooth_tracker: attach_airtag_to_phone_case
- screen_lock_reminder: enable_ios_attention_aware_feature
- backup_frequency: increase_icloud_backup_to_daily
Result: ✅ Incident Contained - Data exposure prevented through rapid response
Key Takeaways:
- ⚡ Speed matters: 30-minute credential lockdown window is critical
- 🔐 Remote wipe capability is essential for BYOD
- 📝 Documentation enables effective incident response
- 🔄 Lessons learned improve future security posture
🔗 Integration Points
ISMS Policy Integration
This skill implements controls from:
- Mobile Device Management Policy - Complete MDM framework
- Access Control Policy - Authentication and MFA requirements
- Cryptography Policy - Device encryption standards
- Information Security Policy - Overall security framework
- Incident Response Plan - Device loss procedures
Related Security Skills
- physical-security - Equipment protection and device loss prevention
- access-control - Authentication, MFA, and session management
- cryptography - Device and data encryption requirements
- network-security - VPN and secure network access from mobile devices
Compliance Frameworks
ISO 27001:2022 Controls:
- A.8.1 - User endpoint devices (MDM enrollment and policy enforcement)
- A.7.9 - Security of assets off-premises (mobile device protection)
- A.5.19 - Information security in supplier relationships (AWS WorkMail MDM)
- A.5.23 - Information security for use of cloud services (MDM cloud platform)
- A.6.4 - Access to networks and network services (mobile network access control)
NIST CSF 2.0 Functions:
- PR.AC-01 - Identities and credentials managed for authorized devices (MDM enrollment)
- PR.AC-03 - Remote access is managed (mobile device remote management)
- PR.DS-01 - Data-at-rest is protected (device encryption)
- PR.PT-01 - Audit/log records are determined and managed (MDM compliance logging)
- DE.CM-01 - Networks and environments are monitored (mobile device health monitoring)
- RS.RP-01 - Response plan is executed (device loss incident response)
CIS Controls v8.1:
- 1.1 - Establish and maintain detailed enterprise asset inventory (mobile device tracking)
- 4.1 - Establish and maintain a secure configuration process (MDM policy enforcement)
- 10.5 - Enable anti-exploitation features (mobile OS security features)
- 12.8 - Establish and maintain dedicated computing resources for high-value assets (work profile separation)
- 3.3 - Configure data access control lists (app containerization)
🎯 Best Practices
MDM Platform Selection
AWS WorkMail MDM (Current Implementation):
advantages:
- cost: included_with_email_service_no_additional_licensing
- integration: native_aws_workmail_email_integration
- simplicity: suitable_for_single_person_company
- capabilities:
- selective_wipe: removes_email_calendar_contacts_only
- policy_enforcement: encryption_screen_lock_os_version
- compliance_monitoring: dashboard_shows_device_status
limitations:
- basic_features: fewer_advanced_controls_than_enterprise_mdm
- platform_support: primarily_mobile_devices_not_workstations
- app_management: limited_app_distribution_capabilities
- reporting: basic_compliance_reports_not_detailed_analytics
suitable_for:
- small_businesses: 1-50_employees
- email_focused: primary_use_case_is_corporate_email
- budget_conscious: no_additional_mdm_licensing_costs
Enterprise MDM Platforms (Future Scaling):
microsoft_intune:
best_for: windows_office_365_environments
features:
- conditional_access: azure_ad_integration
- app_protection: without_full_device_enrollment
- windows_management: autopilot_deployment
cost: included_with_microsoft_365_e3_e5
jamf:
best_for: apple_device_fleets_ios_macos
features:
- zero_touch_deployment: apple_dep_integration
- advanced_inventory: detailed_device_management
- custom_app_deployment: enterprise_app_distribution
cost: per_device_annual_subscription
vmware_workspace_one:
best_for: multi_platform_large_enterprises
features:
- unified_endpoint_management: all_device_types
- workspace_integration: app_virtualization
- advanced_analytics: device_usage_insights
cost: per_device_tiered_pricing
Device Lifecycle Management
## Mobile Device Lifecycle
### 1. Pre-Enrollment
- [ ] Assess business need for mobile device
- [ ] Verify device OS meets minimum version requirements
- [ ] Obtain user consent for MDM enrollment (BYOD)
- [ ] Document device in Asset Register
### 2. Enrollment
- [ ] Install MDM profile (AWS WorkMail, Intune, Jamf)
- [ ] Verify encryption enabled
- [ ] Configure screen lock and timeout
- [ ] Test remote wipe capability
- [ ] Install approved business apps
- [ ] Configure VPN for secure access
### 3. Operational Use
- [ ] Monthly MDM compliance review
- [ ] Quarterly OS update verification
- [ ] Semi-annual app inventory audit
- [ ] Annual policy acknowledgment
### 4. Incident Response
- [ ] Device loss: Immediate credential lockdown
- [ ] Remote wipe: Selective or full based on risk
- [ ] Log review: Check for unauthorized access
- [ ] Documentation: Update incident log
### 5. Retirement
- [ ] Remove from MDM console
- [ ] Selective wipe of corporate data
- [ ] Update Asset Register status
- [ ] Document disposal method
BYOD Security Tiers
| Classification | Email Access | App Restrictions | Monitoring | Remote Wipe |
|---|---|---|---|---|
| 🔴 Critical | Work Profile Only | Approved Apps Only | Continuous | Full Wipe |
| 🟠 High | MDM Required | Approved + Restricted | Daily Check | Selective Wipe |
| 🟡 Medium | MDM Recommended | Guidance Provided | Weekly Check | Selective Wipe |
| 🟢 Low | Basic Security | General Guidelines | Monthly Check | Email Only |
📊 Risk Mitigation
Mobile Device Threats
| Threat | Impact | Likelihood | Risk Level | Mitigation |
|---|---|---|---|---|
| Device Theft | 🔴 Critical | 🟡 Medium | 🔴 High | Encryption, remote wipe, screen lock |
| Malware | 🟠 High | 🟡 Medium | 🟠 High | OS-native AV, app approval, MDM scanning |
| Phishing | 🟠 High | 🔴 High | 🔴 High | User training, email filtering, MFA |
| Jailbreak/Root | 🟠 High | 🟢 Low | 🟡 Medium | MDM detection, device blocking |
| Public WiFi | 🟡 Medium | 🔴 High | 🟠 High | VPN mandatory, TLS enforcement |
| App Vulnerabilities | 🟡 Medium | 🟠 High | 🟠 High | OS updates, app approval process |
| Data Leakage | 🔴 Critical | 🟡 Medium | 🔴 High | Containerization, DLP, monitoring |
🔍 Validation & Testing
MDM Compliance Check
#!/bin/bash
# MDM Compliance Verification Script
echo "📱 Hack23 AB - MDM Compliance Check"
echo "====================================="
echo ""
# Check AWS WorkMail MDM Enrollment Status
echo "🔍 Checking MDM Enrollment..."
read -p "Is device enrolled in AWS WorkMail MDM? (yes/no): " mdm_enrolled
if [ "$mdm_enrolled" != "yes" ]; then
echo "❌ CRITICAL: Device not enrolled in MDM - email access should be blocked"
echo "📝 Action: Enroll device immediately or discontinue corporate email use"
exit 1
fi
# Check Encryption Status
echo ""
echo "🔐 Checking Encryption Status..."
read -p "Is full device encryption enabled? (yes/no): " encryption_enabled
if [ "$encryption_enabled" != "yes" ]; then
echo "❌ CRITICAL: Device encryption disabled"
echo "📝 Action: Enable device encryption immediately"
exit 1
fi
# Check Screen Lock
echo ""
echo "🔒 Checking Screen Lock Configuration..."
read -p "Is automatic screen lock enabled (<5 min)? (yes/no): " screen_lock
if [ "$screen_lock" != "yes" ]; then
echo "⚠️ WARNING: Screen lock timeout too long or disabled"
echo "📝 Action: Configure automatic lock within 5 minutes"
fi
# Check OS Version
echo ""
echo "📲 Checking OS Version Currency..."
read -p "Is OS version within 30 days of latest release? (yes/no): " os_current
if [ "$os_current" != "yes" ]; then
echo "⚠️ WARNING: OS version outdated"
echo "📝 Action: Install latest OS security updates"
fi
# Check Jailbreak/Root Status
echo ""
echo "🛡️ Checking Device Integrity..."
read -p "Is device NOT jailbroken/rooted? (yes/no): " not_jailbroken
if [ "$not_jailbroken" != "yes" ]; then
echo "❌ CRITICAL: Jailbroken/rooted device detected"
echo "📝 Action: Restore device to factory settings or use different device"
exit 1
fi
# Check Remote Wipe Capability
echo ""
echo "☁️ Checking Remote Wipe Capability..."
read -p "Is remote wipe capability tested and functional? (yes/no): " remote_wipe
if [ "$remote_wipe" != "yes" ]; then
echo "⚠️ WARNING: Remote wipe not verified"
echo "📝 Action: Verify Find My iPhone/Android Device Manager accessible"
fi
# Final Report
echo ""
echo "====================================="
echo "✅ MDM Compliance Check Complete"
echo ""
echo "📝 Review MDM console for detailed device status:"
echo " AWS WorkMail: https://console.aws.amazon.com/workmail/"
echo ""
echo "🔄 Next Review: Monthly compliance check scheduled"
🎓 Training & Awareness
Mobile Security Awareness
The Five Essential MDM Controls:
- Device Enrollment: Register before access, know what's connecting
- Policy Enforcement: Require encryption, screen locks, updates
- App Management: Control what apps access what data
- Remote Wipe: Lost device? Delete corporate data
- Monitoring & Compliance: Track compliance, detect anomalies
BYOD Reality:
- Personal devices bypass perimeters, roam networks, install apps
- Accept BYOD reality, implement pragmatic controls
- Maintain ability to protect corporate data when devices compromised
Resources
- Mobile Device Management Policy: View on GitHub
- ISO 27001:2022 A.8: User endpoint devices
- NIST SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise
- CIS Mobile Device Security Guide: iOS and Android security benchmarks
📋 Document Control
Skill Metadata:
- Version: 1.0
- Last Updated: 2026-02-10
- Review Cycle: Semi-Annual
- Owner: Hack23 AB Security Team
- Classification:
Framework Compliance:
License: Apache-2.0
Repository: https://github.com/Hack23/homepage